Kerberos 
The Kerberos credential type below is used to authenticate to managed nodes with Kerberos (here over WinRM) from Ansible Automation Platform.
The credential injects a krb5.conf file into the job and exposes its path through an environment variable that the Kerberos connection variables can point at. This keeps the configuration out of the Execution Environment image: one Execution Environment can serve many different Kerberos configurations (e.g. dev, test, prod) by attaching a different credential to each Job Template.
This credential is designed to be used together with the Kerberos connection variables below; I typically define them at the inventory or group level, depending on the make-up of my inventory. The ansible_winrm_kinit_env_vars entry matters: the winrm connection plugin runs kinit with an empty environment except for the variables listed there, so without KRB5_CONFIG in that list kinit would never see the injected file. Because the injector supplies ansible_user and ansible_password as extra_vars, which take precedence over inventory and group variables, they override the login for every host in the job, including any non-Kerberos hosts; use this credential only on Job Templates that target Kerberos hosts. Also note that ansible_winrm_server_cert_validation: ignore disables validation of the WinRM listener's TLS certificate; that is acceptable in a lab, but in production set it to validate and point ansible_winrm_ca_trust_path at the issuing CA bundle.
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_port: 5986
ansible_winrm_kinit_env_vars:
  - KRB5_CONFIG
Input Configuration
fields:
  - id: username
    type: string
    label: Username
  - id: password
    type: string
    label: Password
    secret: true
  - id: default_realm
    type: string
    label: Default Realm
  - id: kdc
    type: string
    label: KDC
    help_text: Optional KDC, use only if KDC DNS lookup not working
required:
  - username
  - password
  - default_realm
Injector Configuration
The file injector renders the template below into a temporary file on the execution node and exposes its path as tower.filename, which the env injector hands to kinit as KRB5_CONFIG. Leaving the KDC field blank keeps DNS SRV lookup of the KDC enabled; a non-empty value pins that KDC and turns the lookup off. The domain_realm entry maps only the exact domain name; hosts in that domain still resolve to the default realm because dns_lookup_realm is on and default_realm applies when no mapping matches.
env:
  KRB5_CONFIG: !unsafe '{{ tower.filename }}'
file:
  template: !unsafe |-
    [libdefaults]
        default_realm = {{ default_realm | upper }}
        dns_canonicalize_hostname = fallback
        dns_lookup_kdc = {% if kdc %}false{% else %}true{% endif %}
        dns_lookup_realm = true
        forwardable = true
        rdns = false
        #udp_preference_limit = 1
    [realms]
        {{ default_realm | upper }} = {
            {% if kdc %}kdc = {{ kdc }}{% endif %}
        }
    [domain_realm]
        {{ default_realm | lower }} = {{ default_realm | upper }}
extra_vars:
  ansible_user: !unsafe '{{ username }}'
  ansible_password: !unsafe '{{ password }}'
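Before uploading the credential type it is worth seeing exactly what the file injector will write for each inventory. The following script is an added example, not part of the original page or of Ansible Automation Platform: it renders the template above with the jinja2 package (the engine the platform uses for injectors) for a dev realm with the KDC left blank and a prod realm with a pinned KDC, then parses the results to show how a blank optional field keeps dns_lookup_kdc on and a non-empty one turns it off. The realm and KDC names are constructed sample values, and parse_krb5_conf is a hypothetical helper written for this example.

```python
"""Render the Kerberos credential's krb5.conf injector for sample inputs.

Added example, not code from the original page or from Ansible Automation
Platform. Requires the jinja2 package. Realm and KDC names are constructed.
"""
from jinja2 import Environment, StrictUndefined

# The file injector template from the credential type above (indentation is
# cosmetic; krb5.conf ignores leading whitespace).
KRB5_TEMPLATE = """\
[libdefaults]
    default_realm = {{ default_realm | upper }}
    dns_canonicalize_hostname = fallback
    dns_lookup_kdc = {% if kdc %}false{% else %}true{% endif %}
    dns_lookup_realm = true
    forwardable = true
    rdns = false
    #udp_preference_limit = 1
[realms]
    {{ default_realm | upper }} = {
        {% if kdc %}kdc = {{ kdc }}{% endif %}
    }
[domain_realm]
    {{ default_realm | lower }} = {{ default_realm | upper }}
"""


def render_krb5_conf(default_realm: str, kdc: str = "") -> str:
    """Render the template the way the injector does.

    An optional input that was left blank arrives as an empty string, which
    Jinja2 treats as false, so ``{% if kdc %}`` selects DNS lookup; any
    non-empty value pins the KDC and turns DNS lookup off.
    """
    env = Environment(undefined=StrictUndefined, keep_trailing_newline=True)
    return env.from_string(KRB5_TEMPLATE).render(default_realm=default_realm, kdc=kdc)


def parse_krb5_conf(text: str) -> dict:
    """Parse rendered krb5.conf text into {section: {key: value}}.

    Hypothetical minimal parser, sufficient for the single-realm layout this
    template produces: the ``REALM = { ... }`` block is flattened so that a
    pinned KDC appears as ``REALM.kdc`` inside the ``realms`` section.
    """
    sections: dict = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections[section] = {}
            continue
        if line.endswith("= {"):
            realm = line[:-3].strip()  # opening of a realm sub-block
            continue
        if line == "}":
            realm = None  # end of the realm sub-block
            continue
        key, _, value = line.partition("=")
        name = f"{realm}.{key.strip()}" if realm else key.strip()
        sections[section][name] = value.strip()
    return sections


if __name__ == "__main__":
    # Two credentials, one Execution Environment: dev relies on DNS SRV
    # records, prod pins a KDC because its DNS lookup is not reliable.
    samples = (
        ("dev", "dev.example.com", ""),
        ("prod", "corp.example.com", "kdc01.corp.example.com"),
    )
    for name, realm, kdc in samples:
        rendered = render_krb5_conf(realm, kdc)
        print(f"--- {name} ---\n{rendered}")
        print(parse_krb5_conf(rendered))
```

Run it on a workstation with jinja2 installed; the dev output contains dns_lookup_kdc = true and an empty realm block, the prod output dns_lookup_kdc = false and a kdc line. The same two-line check (render, then parse) is what I would put in a CI job that guards changes to the injector template.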
Deploy with Controller Configuration
The same definition can be pushed with the infra.controller_configuration collection. The !unsafe tags are required here: they stop Ansible from evaluating the injector's own {{ }} expressions while the definition passes through the playbook, so the controller receives them as literal Jinja for the injector to render at job time.
# Task to be included in a playbook
- name: Create Kerberos Credential Type
  ansible.builtin.include_role:
    name: infra.controller_configuration.credential_types
  vars:
    controller_credential_types:
      - name: Kerberos
        description: Credential to inject krb5 conf and supply username/password for generating a ticket
        kind: cloud
        inputs:
          fields:
            - id: username
              type: string
              label: Username
            - id: password
              type: string
              label: Password
              secret: true
            - id: default_realm
              type: string
              label: Default Realm
            - id: kdc
              type: string
              label: KDC
              help_text: Optional KDC, use only if KDC DNS lookup not working
          required:
            - username
            - password
            - default_realm
        injectors:
          env:
            KRB5_CONFIG: !unsafe '{{ tower.filename }}'
          file:
            template: !unsafe |-
              [libdefaults]
                  default_realm = {{ default_realm | upper }}
                  dns_canonicalize_hostname = fallback
                  dns_lookup_kdc = {% if kdc %}false{% else %}true{% endif %}
                  dns_lookup_realm = true
                  forwardable = true
                  rdns = false
                  #udp_preference_limit = 1
              [realms]
                  {{ default_realm | upper }} = {
                      {% if kdc %}kdc = {{ kdc }}{% endif %}
                  }
              [domain_realm]
                  {{ default_realm | lower }} = {{ default_realm | upper }}
          extra_vars:
            ansible_user: !unsafe '{{ username }}'
            ansible_password: !unsafe '{{ password }}'