Feature Overview

Using a kubeconfig file is a common way for providing access to a Kubernetes cluster. While the AAP controller has a K8s Bearer Token credential type, not all developers will have access to these a kubeconfig is more common. This feature would add a built-in kubeconfig credential type option to the AAP controller.

Background, and strategic fit

This is another small piece in Ansible supporting Red Hat's Hybrid Cloud Automation and OpenShift strategic initiatives. A kubeconfig is already supported for the kubernetes.core and redhat.openshift collections in addition to ACM/OCM work being done under the stolostron effort. Many have used it within AAP workflows by copy the kubeconfig file to controller and reading it off of the file system in their playbook. Not ideal, but it has worked. Given the distributed and containerized nature of AAP2 this becomes potentially more tricky.

Informed users of AAP will figure out they can create a custom credential type for kubeconfig. See "Create a custom credential type" in Roger Lopez's blog post for an example: https://www.ansible.com/blog/monitoring-red-hat-ansible-automation-platform-on-red-hat-openshift-the-easy-way.

This feature would eliminate the need for creating a custom credential type and provide a built-in ready-to-go option to users.

(Optional) Use Cases

• As an AAP administrator I can store a kubeconfig file as a credential in AAP controller for use with K8s automation jobs
• As an automation developer I can run K8s automation jobs that frictionlessly utilize a kubeconfig file from AAP's credential store to access the cluster

So AAP admins would be able to place a kubeconfig file in the credential store to provide access to a K8s cluster. An Ansible content developer could use create K8s automation jobs that utilize the kubeconfig file for accessing the cluster without direct access to the file were they could use it for other potentially unauthorized purposes.

Assumptions

The credential type will seamlessly work for the content in kubernetes.core, redhat.openshift and others similar content that can use a kubeconfig for access.

Out of Scope

• Generating, validating, updating and expiring a kubeconfig file credential.
• Any type of template of variables or input to the file credential.