env_vars.yml
This file describes your environments to the playbook; it is the heart of the configuration.
The full file is listed at the end of this page. The variables and their content are explained below using small parts of the file.
Organization definition
The name of the organization (as I use it) consists of the string "org_" followed by the team's short name, so when a team like the linux team (lnx) must be enabled on rhaap, this part (lnx) is added to almost everything, as per naming convention.
The organization_short_name (survey variable 1) will have the value lnx.
From this the organization_long_name is derived:
organization_long_name: 'org_{{ organization_short_name }}'
This is used in many places in the code, where the name of the organization must be added in files or templates.
gitlab variables
The variables below describe your gitlab configuration:
gitlab_protocol: 'https://'
gitlab_url: 'gitlab.homelab/'
gitlab_group: 'cac_25'
gitlab_default_branch: dev
gitlab_validate_certs: false
gitlab_cac_pipeline: cac_25/pipeline_stage1.yml@common_code/pipelines:master
cac_project_name: rhaap_base
team_project_name: "rhaap_cac_{{ organization_long_name | lower }}"
Most variable names are self-explanatory and need no further explanation, but a few do:
gitlab_default_branch
This variable holds the name of the default branch. It is not always 'dev' as shown in the example above; it should be the name of the environment you use as the 'dev' environment.
In a DTAP setup this could be:
- 'blue' for Development
- 'pink' for Test
- 'orange' for Acceptance
- 'red' for Production
The branch naming must be consistent with your environments; this is essential for the pipeline.
gitlab_validate_certs
In my test setup gitlab has a self-signed certificate; in an enterprise environment this should be set to true.
gitlab_cac_pipeline
This is the path where the CI/CD pipeline script is found. The syntax for gitlab is:
"cac_25/pipeline_stage1.yml@common_code/pipelines:master"
The first part, before the '@', is the path to the file, from the root of the target repository, to use as the pipeline script (like .gitlab-ci.yml).
The second part is the path to the repository from the root of the gitlab instance, followed by the branch to read.
The repository that holds the pipeline should be at least readable by everyone that has access to the gitlab server.
If the user running the pipeline can't read the file, the pipeline will not run.
cac_project_name
This is the repository name for the base configuration of your rhaap environment. The new organization is added to the files here, and the pipeline run configures the rhaap base configuration for the new organization. This way of working ensures that the organization is also recreated when a full recovery is run.
team_project_name
This is the repository name for the new organization's configuration of your rhaap environment. Some examples are added to the files here, and the pipeline run configures the controller for the new organization.
All projects are created under the gitlab_group, so it is always clear where to find a configuration of rhaap.
LDAP variables
As documented earlier, the AD/LDAP groups need a standard naming and path; this is why:
ldap_name: 'Auth LDAP container'
ldap:
  - name: 'Auth LDAP container'
    ldap_pre_str: 'cn=g-rhaap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: <2>
    ldap_pre_str: 'cn=g-rhaap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: <3>
    ldap_pre_str: 'cn=g-rhaap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: <4>
    ldap_pre_str: 'cn=g-rhaap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: <5>
    ldap_pre_str: 'cn=g-rhaap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
Mappings can be configured for multiple AD/LDAP services.
If your organization uses multiple LDAP/AD services, ldap_name should be changed to a survey variable to facilitate the choice of the organization's LDAP service. Then, for each choice, the variable set should be configured.
As we have the organization name in the group name in LDAP, we can fill the variables with standard strings that are added around the organization name to generate the full group name in LDAP:
- ldap_pre_str # the part that is concatenated in front of the organization name
- ldap_post_str # the part that is concatenated after the organization name
The code will use these parts to create the authentication_maps for the organization.
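The derivations described on this page (organization_long_name and team_project_name, the LDAP group DN built from ldap_pre_str and ldap_post_str, and the three parts of the gitlab_cac_pipeline reference) worked through in Python, as an added example that is not part of the playbook. It also flags what a reviewer would want corrected before a pipeline run: gitlab_validate_certs left at false, a gitlab_default_branch with no aap_env entry, and an encrypt value in global_credentials_vars that is not vault encrypted. The values are a constructed copy of the page's examples, and the assumption that the organization short name is what sits between ldap_pre_str and ldap_post_str is mine, not the page's.

```python
import re

# Constructed copy of the page's example values, held in a dict so the script
# runs without PyYAML; one credential is left unvaulted on purpose for the check.
ENV_VARS = {
    "gitlab_validate_certs": False,
    "gitlab_default_branch": "blue",
    "gitlab_cac_pipeline": "cac_25/pipeline_stage1.yml@common_code/pipelines:master",
    "ldap_name": "Auth LDAP container",
    "ldap": [{"name": "Auth LDAP container", "ldap_pre_str": "cn=g-rhaap-",
              "ldap_post_str": ",ou=groups,dc=homelab,dc=wf"}],
    "aap_env": {"blue": {"rhaap_hostname": "blue.homelab"},
                "red": {"rhaap_hostname": "red.homelab"}},
    "global_credentials_vars": {"all": {"credentials": [
        {"name": "lnx_gitlab", "encrypt": "-----BEGIN OPENSSH PRIVATE KEY-----\n..."}]}},
}

def organization_names(short_name):
    """organization_long_name and team_project_name as the playbook templates them."""
    long_name = f"org_{short_name}"
    return long_name, f"rhaap_cac_{long_name.lower()}"

def ldap_group_dn(env_vars, short_name):
    """Group DN for the organization: pre_str + name + post_str of the ldap entry
    selected by ldap_name (assumption: the short name sits between the two parts)."""
    entry = next(e for e in env_vars["ldap"] if e["name"] == env_vars["ldap_name"])
    return f"{entry['ldap_pre_str']}{short_name}{entry['ldap_post_str']}"

def parse_pipeline_ref(ref):
    """Split '<file in repo>@<repo path from gitlab root>:<branch>' into its parts."""
    m = re.fullmatch(r"([^@]+)@([^:@]+):(.+)", ref)
    if not m:
        raise ValueError(f"not a gitlab pipeline reference: {ref!r}")
    return {"file": m.group(1), "project": m.group(2), "branch": m.group(3)}

def check_env_vars(env_vars):
    """Return the settings a reviewer would want corrected before the pipeline runs."""
    problems = []
    if not env_vars.get("gitlab_validate_certs"):
        problems.append("gitlab_validate_certs is false: gitlab TLS certificate is not verified")
    if env_vars["gitlab_default_branch"] not in env_vars["aap_env"]:
        problems.append("gitlab_default_branch has no matching aap_env environment")
    for env, block in env_vars.get("global_credentials_vars", {}).items():
        for cred in block.get("credentials", []):
            # ansible-vault output always starts with this header; anything else is plaintext
            if "encrypt" in cred and not cred["encrypt"].startswith("$ANSIBLE_VAULT;"):
                problems.append(f"{env}/{cred['name']}: encrypt value is not vault encrypted")
    return problems
```

Running check_env_vars on the constructed values reports two problems: the disabled certificate validation and the plaintext private key.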
rhaap hosts
This part maps the environments to the real hostnames of the rhaap environments. This ensures that the right branches are created for the right environments and that the correct files are created in them.
aap_env:
  blue:
    rhaap_hostname: blue.homelab
  pink:
    rhaap_hostname: pink.homelab
  orange:
    rhaap_hostname: orange.homelab
  red:
    rhaap_hostname: red.homelab
global credentials
These are not used at the moment. They could be used, but the code that uses them was removed because the use case has shifted.
They are used in my version 2.4 config as code, which can be found on this site too.
For the moment it is best to delete these, as they do not serve any purpose.
global_credentials_vars:
  all:
    credentials:
      - name: "{{ organization_short_name }}_gitlab"
        description: 'SCM credential'
        credential_type: Source Control
        encrypt: | # Vault this if used!
          -----BEGIN OPENSSH PRIVATE KEY-----
          -----END OPENSSH PRIVATE KEY-----
        username: AAP_user
  dev:
    credentials:
      - name: "{{ organization_short_name }}_ansible"
        description: 'Machine credential development'
        credential_type: Machine
        username: ansible
        encrypt: | # Vault this if used!
          -----BEGIN OPENSSH PRIVATE KEY-----
          -----END OPENSSH PRIVATE KEY-----
  test:
    credentials:
      - name: "{{ organization_short_name }}_ansible_test"
        description: 'Machine credential test'
        credential_type: Machine
        username: ansible
        encrypt: | # Vault this if used!
          -----BEGIN OPENSSH PRIVATE KEY-----
          -----END OPENSSH PRIVATE KEY-----
The full file
The complete file is listed below; all variables should be well validated before using this in your environment.
---
# put your vars in here and make sure the secret values in this file are ALWAYS vault encrypted
# the values in this file will be encrypted and used in the config files.
organization_long_name: 'org_{{ organization_short_name }}'
base_vault_secret: <the_vault_password_used_for_the_base_config>
gitlab_protocol: 'https://'
gitlab_url: 'gitlab.homelab/'
gitlab_group: 'cac_25'
gitlab_default_branch: blue
gitlab_validate_certs: false
gitlab_cac_pipeline: cac_25/pipeline_stage1.yml@common_code/pipelines:master
gateway_project_name: rhaap_base_step_1
controller_project_name: rhaap_base_step_2
team_project_name: "rhaap_cac_{{ organization_long_name | lower }}"
ldap_name: 'Auth LDAP container'
ldap:
  - name: 'Auth LDAP container'
    ldap_pre_str: 'cn=g-aap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: 2
    ldap_pre_str: 'cn=g-aap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: 3
    ldap_pre_str: 'cn=g-aap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: 4
    ldap_pre_str: 'cn=g-aap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
  - name: 5
    ldap_pre_str: 'cn=g-aap-'
    ldap_post_str: ',ou=groups,dc=homelab,dc=wf'
aap_env:
  blue:
    rhaap_hostname: blue.homelab
  pink:
    rhaap_hostname: pink.homelab
  orange:
    rhaap_hostname: orange.homelab
  red:
    rhaap_hostname: red.homelab