Workshop Exercise 2.2 - Creating Custom Credentials for Kickstart Template
Table of Contents
- Objective
- Quick Review
- Step 1 - Reviewing Created Custom Credential Types
- Step 2 - Creating Credentials from Custom Credential Types
- Step 3 - Creating a Machine Credential
- Solutions
Objective
In this exercise, we’re going to leverage the custom credential types feature of Ansible Controller to securely store some information that’ll be templated into our kickstart file.
This gives us some additional functionality because:
- Sensitive information will be stored in Ansible Controller securely
- Multiple credentials can be built off the same credential to allow for provisioning differences between sites/geos/etc.
Quick Review
In the previous exercise, we set up our kickstart template with some variables. These variables relate to the following details:
For the user created during kickstart:
| Variable | Description |
|---|---|
| kickstart_user_username | The username of the user that will be created on the system |
| kickstart_user_password | The password of the user that will be created on the system |
For the ostree repo containing the location of where to pull the commit from:
| Variable | Description |
|---|---|
| ostree_repo_protocol | The protocol to use when accessing the repo (http/https) |
| ostree_repo_host | The host of the ostree repo |
| ostree_repo_port | The port to use when accessing the repo |
| ostree_repo_path | The path on the server where the repo can be accessed |
| ostree_os_name | The name of the OS in the repo |
| ostree_ref | The ref to pull and deploy |
For authenticating to the Ansible Controller API:
| Variable | Description |
|---|---|
| controller_host | Where Ansible Controller is running |
| controller_api_username | The username to use to authenticate to the Ansible Controller API |
| controller_api_password | The password to use to authenticate to the Ansible Controller API |
Optionally, if using wifi for physical devices:
| Variable | Description |
|---|---|
| wifi_network | The wireless network's SSID |
| wifi_password | The wireless network's password |
Step 1 - Reviewing Created Custom Credential Types
Under the Administration tab, select Credential Types to view the available custom credential types. There should be five available in total and three corresponding to the information above in the review section:
Select the Kickstart User credential type to view more information:
Custom credential types are composed to two main concepts: Inputs and Injectors.
- Inputs are how information is retrieved from the user when creating a credential from this credential type. Fields can be selection based or free-form text entry, and can be marked as secret so their value cannot be displayed again after entering it.
- Injectors are how the inputs are translated into actual Ansible variables for use during execution. Here, we’re injecting the entered information as extra variables, meaning they behave exactly like specifying
--extra-varson the command line.
Review all three types for familiarity.
Step 2 - Creating Credentials from Custom Credential Types
Custom credential types behave exactly like other credential types; meaning we simply need to create a new credential and select the type we want to use.
First, let’s create a credential for our kickstart user info. Under Resources, select Credentials, and click the Add button at the top of the page.
Enter the following information to create a new credential:
| Parameter | Value |
|---|---|
| Name | Kickstart User |
| Organization | (Your_Student_Organization) |
| Credential Type | Kickstart User |
| Kickstart User Username | ansible |
| Kickstart User Password | (a-password-of-your-choice) |
Once complete, click Save
Repeat the process for OSTree info by creating a new credential with the following details:
| Parameter | Value |
|---|---|
| Name | OSTree Info |
| Organization | (Your_Student_Organization) |
| Credential Type | OSTree Info |
| OSTree Repo Protocol | http |
| OSTree Repo Host | the-kickstart-host-from-student-page |
| OSTree Repo Port | 80 |
| OSTree Repo Path | rhde-image/repo |
| OSTree OS Name | rhel |
| OSTree Ref | rhel/8/x86_64/edge |
Remember to click Save.
To authenticate to the Ansible Controller API, create the following Credential:
| Parameter | Value |
|---|---|
| Name | Ansible Controller API Authentication Info |
| Organization | (Your_Student_Organization) |
| Credential Type | Ansible Controller API Authentication Info |
| Controller Host | the-controller-host-from-your-student-page |
| Controller API Username | your-student-username |
| Controller API Password | the-controller-password-from-your-student-page |
Remember to click Save.
Finally, if provisioning a physical device over wireless, create a final credential for wireless information:
| Parameter | Value |
|---|---|
| Name | Wireless Network Info |
| Organization | (Your_Student_Organization) |
| Credential Type | Wireless Network Connection Info |
| Wireless Network SSID | (provided-by-your-instructor) |
| Wireless Network Password | (provided-by-your-instructor) |
Remember to click Save.
Step 3 - Creating a Machine Credential
Finally, we’ll want to create one last credential that Ansible will use to authenticate to the device once it’s provisioned. This should match the credential inputs of the Kickstart User Info previously.
Enter the following information:
| Parameter | Value |
|---|---|
| Name | Device Credentials |
| Organization | (Your_Student_Organization) |
| Credential Type | Machine |
| Username | ansible |
| Password | kickstart-password-provided-above |
| Privilege Escalation Password | kickstart-password-provided-above |
We’ll attach these credentials to a job template in the next exercise.
Solutions
Kickstart User credential:
OSTree Info credential:
Ansible Controller API credential:
Wireless Network credential:
Machine credential:
Note
Some values may be different, depending on the lab environment. Refer any questions to the lab instructor.
Navigation
| Previous Exercise | Next Exercise |