Red Hat SummitCustom credential types
As a system administrator, you can define a custom credential type in a standard format by using a YAML or JSON-like definition. You can define a custom credential type that works in ways similar to existing credential types.
For example, a custom credential type can inject an API token for a third-party web service into an environment variable, for your playbook or custom inventory script to consume.
Custom credentials support the following ways of injecting their authentication information:
- Environment variables
- Ansible extra variables
- File-based templating, which means generating
.inior.conffiles that contain credential values
You can attach one SSH and multiple cloud credentials to a job template. Each cloud credential must be of a different type. Only one of each type of credential is permitted. Vault credentials and machine credentials are separate entities.
- When creating a new credential type, you must avoid collisions in the
extra_vars,env, and file namespaces. - Environment variable or extra variable names must not start with
ANSIBLE_because they are reserved. - You must have System administrator (superuser) permissions to be able to create and edit a credential type (
CredentialType) and to be able to view theCredentialType.injectionfield.
Content sourcing from collections
automation controller supports sourcing content for projects from Ansible collections defined in requirements.yml files. This is done by configuring Ansible Galaxy credentials at the organization level to define content sources for collection installations.
A "managed" credential type of kind=galaxy represents a content source for fetching collections defined in requirements.yml when project updates are run. Examples of content sources are galaxy.ansible.com, console.redhat.com, or on-premise automation hub. This new credential type represents a URL and (optional) authentication details necessary to construct the environment variables when a project update runs ansible-galaxy collection install as described in the Ansible documentation, Configuring the ansible-galaxy client. It has fields that map directly to the configuration options exposed to the Ansible Galaxy CLI, for example, per-server.
An endpoint in the API reflects an ordered list of these credentials at the Organization level:
/api/v2/organizations/N/galaxy_credentials/When installations of automation controller migrate existing Galaxy-oriented setting values, post-upgrade proper credentials are created and attached to every Organization. After upgrading to the latest version, every organization that existed before upgrade now has a list of one or more "Galaxy" credentials associated with it.
Additionally, post-upgrade, these settings are not visible (or editable) from the /api/v2/settings/jobs/ endpoint.
Automation controller continues to fetch roles directly from public Galaxy even if galaxy.ansible.com is not the first credential in the list for the organization. The global Galaxy settings are no longer configured at the jobs level, but at the organization level in the user interface.
The organization’s Create organization and Edit organization windows have an optional Galaxy credentials lookup field for credentials of kind=galaxy.
It is important to specify the order of these credentials as order sets precedence for the sync and lookup of the content. For more information, see Creating an organization.
For more information about how to set up a project by using collections, see Using Collections with automation hub.
Backwards-compatible API considerations
When using the automation controller API, there are some considerations to remember regarding backwards compatibility between version 1 (api/v1/) and version 2 (api/v2/).
Support for version 2 of the API (api/v2/) means a one-to-many relationship for job templates to credentials (including multicloud support).
You can filter credentials the v2 API:
curl "https://controller.example.org/api/v2/credentials/?credential_type__namespace=aws"In the V2 Credential Type model, the relationships are defined as follows:
| Machine | SSH |
|---|---|
| Vault |
Vault |
| Network |
Sets environment variables, for example |
| SCM |
Source Control |
| Cloud |
EC2, AWS |
| Cloud |
Many others |
| Insights |
Insights |
| Galaxy |
galaxy.ansible.com, console.redhat.com |
| Galaxy |
on-premise automation hub |
Content verification
Automation controller uses GNU Privacy Guard (GPG) to verify content.
For more information, see The GNU Privacy Handbook.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}