Developing Advanced Automation with Red Hat Ansible Automation Platform
Navigate and describe the automation controller web UI, and successfully launch a job using a job template, project, credential, and inventory.
Automation controller provides a centralized location for organizations to run their Ansible Playbooks.
Several resources must exist before you can create a job template to test a playbook in automation controller.
Typically, these resources include:
A machine credential used to connect to the managed hosts.
A source control credential used to download and synchronize remote content, such as from a Git repository.
A project that specifies the location of content, such as playbooks.
An inventory with at least one host.
Although automation controller provides tremendous functionality, this course focuses on creating the basic resources needed to launch a job template. Detailed information about individual resources, including options and assigning permissions to those resources, is outside the scope of this course.
Automation controller accesses many resources that might require separate credentials. The following list briefly describes some credential types and their intended purpose. Descriptions of additional credential types and their intended purpose can be found in the reference links.
- Ansible Galaxy/Automation Hub API Token
Create the credentials resource so that automation controller can download content collections and roles from Ansible Galaxy, automation hub, and private automation hub.
After creating the credential, you must enable the credential for an organization. During this process, you can specify a precedence by ordering the credentials.
Note
If you install automation controller and private automation hub at the same time, then the installer creates automation controller credentials for the community, published, and Red Hat certified repositories available from private automation hub. The installer also enables these credentials for the
Defaultautomation controller organization.- Container Registry
Create this type of credential if you need to authenticate before you can pull down a container image from a container registry, such as
registry.redhat.ioor a private automation hub.
Note
If you install automation controller and private automation hub at the same time, then the installer creates an automation controller container registry credential for private automation hub.
- GitHub Personal Access Token
GitHub no longer supports password-based authentication to synchronize projects using the HTTPS protocol. To continue using HTTPS (rather than SSH), create and use a GitHub personal access token, and then create an automation controller credential that uses the personal access token.
- Machine
Automation controller can use this credential type to access and make changes to the managed hosts. This credential specifies a username and either a password or the content of the user's SSH private key. If the credential should allow privilege escalation, specify the privilege escalation username (typically
root) and specify a privilege escalation password if necessary.
Note
In organizations that mandate against storing passwords, you can configure automation controller to prompt for passwords when using the credential.
- Source Control
Automation controller can use this credential type to synchronize project resources from a remote repository. Specify a username and either a password or the user's SSH private key.
- Vault
Use vault credentials to decrypt files that have been encrypted with Ansible vault.
Navigate to → to list credentials. Automation controller displays the name and credential type for each credential.
Click the name of any credential to display credential details.
To create a new machine credential, navigate to → and click . Specify a name for the credential and choose the machine credential type. Specify additional settings and then click .
| Setting | Description |
|---|---|
| Username | Automation controller connects to the managed hosts as this user (similar to the remote_user setting in an ansible.cfg file). |
| Password | The password associated with the user. Enter the password, or prompt for the password when the credential is used. A password or SSH private key is required. Using a password does not work if a managed host prevents password-based authentication over SSH. |
| SSH Private Key | This is the associated private key for a public SSH key that has already been copied to the managed host. A password or SSH private key is required. |
| Private Key Passphrase | If the private SSH key is password protected, then enter the passphrase, or prompt for the passphrase when the credential is used. |
| Privilege Escalation Method | The method used for privilege escalation (the equivalent of the become_method setting in an ansible.cfg file). |
| Privilege Escalation Username | The user to become for tasks that require privilege escalation (the equivalent of the become_user setting in an ansible.cfg file). |
| Privilege Escalation Password | If the user requires a password for privilege escalation, then enter the password, or prompt for the password when the credential is used. |
To create a new source control credential, navigate to → and click . Specify a name for the credential and choose the source control credential type.
| Setting | Description |
|---|---|
| Username | Automation controller connects to the source control repository as this user. |
| Password | The password associated with the user. The source control repository might disable password-based authentication. In that case, use the SCM private key. |
| SCM Private Key | This is the associated private key for a public SSH key that has already been copied to the managed host. |
| Private Key Passphrase | If the private SCM key is password-protected, then enter the passphrase. |
Automation controller uses project resources to provide access to Ansible Playbooks. If a project uses source control, such as Git or Subversion, then automation controller synchronizes content from a remote repository.
Navigate to → to list existing projects. Click the icon to the left of any project name to expand project information. Synchronize projects that use source control from the page.
Use the column to assess if your project is current. For a Git repository, the revision string matches a commit hash.
To create a new project, navigate to → and click .
Projects can specify a default execution environment to use for job templates. If not specified, then the project defaults to the defined default execution environment for automation controller. Job templates can choose a different execution environment.
Choose a source control credential type, such as Git, specify additional settings, and then click .
| Setting | Description |
|---|---|
| Source Control URL | The URL used to clone the remote repository. |
| Source Control Branch/Tag/Commit | (Optional) A specific branch, tag, or commit for the repository. Use the option so that job templates can use a different branch, tag, or commit. |
| Source Control Credential | An existing credential that can be used to synchronize the remote repository. |
Automation controller automatically attempts to synchronize new projects. A project synchronization can fail for many reasons, including:
The project specifies an incorrect source control URL.
The project fails to specify, or specifies the wrong source control credential.
The source control credential specifies the wrong username, password, or SCM private key.
Similar to a local inventory file or directory, you can create inventory resources within automation controller.
Inventories can contain groups of hosts as well as ungrouped hosts.
You can configure variables that apply to the entire inventory (similar to the all group), to a specific group (similar to using the groups_vars directory), and to a specific host (similar to using the host_vars directory).
When creating a job template, you must specify an inventory resource to use.
This is similar to specifying the --inventory (-i) option to the ansible-navigator command.
Automation controller can contain many inventories, both static and dynamic. Inventories that contain dynamic content display the status of the most recent inventory synchronization attempt. Static inventories display in the column.
To create an inventory, navigate to → and click → . Specify a name for the inventory and click .
After creating the inventory, populate the inventory with groups and hosts. You can manually add the groups and hosts or you can automatically populate them by using an existing inventory file in the project repository.
To manually add a group, navigate to the tab and then click . Enter a name for the group and then click .
To manually add an ungrouped host, navigate to the tab for the inventory and click . Enter a name for the host (frequently the fully qualified domain name for the host) and then click . You can add an ungrouped host to a group at any time.
To manually add a host to a group, navigate to the tab for the inventory, click the group name, and then click the tab for the group. You can either associate an existing host within the inventory or add a new host to the group. When adding a new host, enter a name for the host (frequently the fully qualified domain name for the host) and then click .
The breadcrumb navigation displays the inventory name and the group name.
In the following example, the serverb.lab.example.com host is being added to the apac group in the Web Servers (Prod) inventory.
If a project already contains an inventory file, then you can use the file to automatically populate groups and hosts within automation controller.
Within an existing group, navigate to the tab and then click . Enter a name for the source and then select from the menu. Choose an existing project, select an inventory file that exists within the project, and then click .
Within an existing group, navigate to the tab and then click the icon for the source. A successful inventory synchronization creates the hosts and groups defined in the selected inventory file.
A job template is the equivalent of a specific way of running a playbook. Among other things, a job template includes an inventory and might specify variables to override, or tags to either use or skip.
The page lists existing templates. Expand template information by clicking the icon to the left of any template name. Initiate a new job run by clicking the icon.
To create a new job template, navigate to → and then click → . At a minimum, enter a name, select a project, and select a playbook. You can either choose an existing inventory or prompt for an inventory when the job template is launched. Job templates should specify necessary credentials, such as the machine credential that automation controller needs to connect to the managed hosts.
Important
Organizations that forbid storing credentials, such as passwords or passphrases, should configure job templates to prompt for credentials. Any job template that prompts for passwords (or other settings) must be run interactively.
Job templates include several additional optional fields.
Many of these options have corresponding command-line options that can be used when running a playbook with the ansible-navigator command.
You can specify these options as part of the job template, or be prompted for customizations when the job template is launched.
| Job template setting or option | Equivalent command-line option |
|---|---|
| Inventory |
--inventory (-i) |
| Execution Environment |
--execution-environment-image (--eei) |
| Variables |
--extra-vars (-e) |
| Forks |
--forks (-f) |
| Limit |
--limit (-l) |
| Verbosity |
--verbose (-v) |
| Job Tags |
--tags (-t) |
| Skip Tags |
--skip-tags
|
| Privilege Escalation |
--become (-b) |
When you launch a job template, automation controller uses an execution environment to run the playbook using all the supplied information. If you configured the job template to prompt for information, such as an inventory, credentials, or variables, then automation controller prompts you for this information. Similarly, if the credentials used by your job template prompt for passwords or passphrases, then automation controller prompts you for this information. Job templates that prompt for any information must be run interactively.
Navigate to → to review job output. In addition to the output of playbook runs, the page displays inventory synchronization jobs and source control update jobs. Each job contains a number to show the order in which automation controller ran the job.
Expand job information by clicking the icon to the left of any job name. Expanded details include who launched the job, which inventory was used, and which execution environment was used. Click a job name to see the full job output.
References
