controller_credentials.yml
In these files we configure the base credentials for automation controller.
We will probably do this on a per-environment basis. In this example, we configure
the environments with external credentials from an external vault (HashiCorp Vault).
As you will see, the lookup credentials are environment specific, while the credentials themselves are defined
in the "all" group and have no inputs defined. The inputs are defined in the "controller_credential_input_sources.yml" files.
variables
The API understands the following structure for credentials:

```json
{
  "name": "",
  "description": "",
  "organization": null,
  "credential_type": null,
  "inputs": {},
  "user": null,
  "team": null
}
```
Below you will find some examples of the usage in configuration as code.
group_vars/all/controller_credentials.yml
Here we see an example of the configuration for a credential to access GitLab.
It is just an example, don't do this.
```yaml
---
controller_credentials_all:
  - name: ansible
    description: The empty machine credential
    credential_type: Machine
    organization: Default
  - name: gitlab
    description:
    credential_type: Source Control
    organization: Default
  - name: Default_automation_hub_image_pull_secret
    description:
    credential_type: Container Registry
    organization: Default
  - name: Default_automation_hub_token_published
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
  - name: Default_automation_hub_token_community
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
  - name: Default_automation_hub_token_rh_certified
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
  - name: Default_automation_hub_token_validated
    description:
    credential_type: Ansible Galaxy/Automation Hub API Token
    organization: Default
```
You can already see that the variable name used here has the "_all" suffix, so the variable will not be overridden, as this is not quite an inventory variable.
Why we do this will become clear in a moment.
group_vars/dev/controller_credentials.yml
We configure the private hub credentials in development.
These will be used by all organizations.
```yaml
---
controller_credentials_dev:
  - name: Default_hashivault
    description: HashiCorp Vault Secret Lookup example using token auth
    organization: Default
    credential_type: HashiCorp Vault Secret Lookup
    inputs:
      url: "{{ vault_url }}"
      token: "{{ vault_token }}"
      namespace: "dev/{{ org_name }}"
      api_version: v1
      default_auth_path: token
...
```
Here the variable has the "_dev" suffix, so the variable will not be overridden.
group_vars/prod/controller_credentials.yml
As we do not configure extra credentials in prod, this file is an empty set.
```yaml
---
controller_credentials_prod:
  - name: Default_hashivault
    description: HashiCorp Vault Secret Lookup example using token auth
    organization: Default
    credential_type: HashiCorp Vault Secret Lookup
    inputs:
      url: "{{ vault_url }}"
      token: "{{ vault_token }}"
      namespace: "prod/{{ org_name }}"
      api_version: v1
      default_auth_path: token
# For prod, you should add the tokens as in dev here
# Credentials are defined here, but in the credential_input_sources.yml you will find the inputs
...
```
Here the variable has the "_prod" suffix, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure provides us with two variables:
- controller_credentials_all
- controller_credentials_<branch_name> (for example controller_credentials_dev or controller_credentials_prod)
We merge these two variables into one, controller_credentials, and feed it to the infra.aap_configuration.controller_credentials role.
In main.yml the merge of the variables is done by this piece of code:

```yaml
- name: Set the controller vars
  ansible.builtin.set_fact:
    controller_credentials: >
      {{ controller_credentials_all |
         community.general.lists_mergeby(vars['controller_credentials_' + branch_name],
                                         'name', recursive=true, list_merge='append') }}
```
This results in the controller_credentials variable the collection needs.
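To see what the merge does when the same credential name appears in both lists, and to catch the kind of slip that is easy to make in the "all" file (a misspelled credential_type key, which the controller API will reject), here is an added Python model of the lists_mergeby semantics used above together with a schema check. This is example code added here, not part of the collection or of this repository; the helper names (merge_values, merge_credentials, schema_errors) and the sample lists are constructed for illustration.

```python
from copy import deepcopy

# Keys the controller API accepts for a credential (the structure shown above).
CREDENTIAL_KEYS = {"name", "description", "organization", "credential_type", "inputs", "user", "team"}

def merge_values(base, new):
    """Model of recursive=true / list_merge='append': dicts merge key by key,
    lists are concatenated, other values from the environment list win."""
    if isinstance(base, dict) and isinstance(new, dict):
        out = deepcopy(base)
        for key, val in new.items():
            out[key] = merge_values(out[key], val) if key in out else deepcopy(val)
        return out
    if isinstance(base, list) and isinstance(new, list):
        return base + new
    return deepcopy(new)

def merge_credentials(all_creds, env_creds):
    """Merge the 'all' list with one environment list by 'name', like the set_fact
    above. Sorted by name here for a deterministic result."""
    by_name = {c["name"]: deepcopy(c) for c in all_creds}
    for cred in env_creds:
        name = cred["name"]
        by_name[name] = merge_values(by_name[name], cred) if name in by_name else deepcopy(cred)
    return sorted(by_name.values(), key=lambda c: c["name"])

def schema_errors(creds):
    """Problems the controller API would reject: unknown keys (typos such as
    'crdential_type') and credentials lacking a type or organization."""
    errors = []
    for cred in creds:
        for key in sorted(set(cred) - CREDENTIAL_KEYS):
            errors.append(f"{cred['name']}: unknown key '{key}'")
        for key in ("credential_type", "organization"):
            if not cred.get(key):
                errors.append(f"{cred['name']}: missing '{key}'")
    return errors

# Constructed sample input modelled on the group_vars files above (not real data).
SAMPLE_ALL = [
    {"name": "ansible", "organization": "Default", "crdential_type": "Machine"},  # deliberate typo
    {"name": "gitlab", "organization": "Default", "credential_type": "Source Control"},
]
SAMPLE_DEV = [
    {"name": "Default_hashivault", "organization": "Default",
     "credential_type": "HashiCorp Vault Secret Lookup",
     "inputs": {"url": "{{ vault_url }}", "namespace": "dev/{{ org_name }}"}},
    {"name": "gitlab", "description": "Dev GitLab"},  # same name as in "all": merged, not replaced
]
```

Running schema_errors over the merged list before handing it to the role gives you the misspelled key and the missing credential_type at once, instead of a failed API call halfway through the pipeline.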
If you will be using external credentials in all environments, you can define the lookup credential per environment and define the credentials and the input_sources in the "all" group. The content of the credential is then managed in the external vault (where it should be).