Network Automation with Red Hat Ansible Automation Platform
Navigate and describe the automation controller web UI, and successfully launch a job using a job template, project, credential, and inventory.
Automation controller provides a centralized location for organizations to run their Ansible Playbooks.
You run playbooks by creating and then running job templates. Several resources must exist before you can create a job template.
Typically, the following resources are required:
A machine credential used to connect to the managed hosts.
A source control credential used to download and synchronize remote content, such as from a Git repository.
A project that specifies the location of content, such as playbooks.
An inventory with at least one host.
Although automation controller provides extensive functionality, this course focuses on creating the basic resources needed to launch a job template. Detailed information about individual resources, including options and assigning permissions to those resources, is outside the scope of this course.
Automation controller accesses many resources that might require separate credentials. The following list briefly describes some credential types and their intended purpose. Descriptions of additional credential types and their intended purpose can be found in the reference links.
- Ansible Galaxy/Ansible Automation Hub API Token
Create the credentials resource so that automation controller can download content collections and roles from Ansible Galaxy, Ansible automation hub, and private automation hub.
After creating the credential, you must enable the credential for an organization. During this process, you can specify a precedence by ordering the credentials.
Note
If you install automation controller and private automation hub at the same time, then the installer creates automation controller credentials for the community, published, and Red Hat certified repositories available from private automation hub. The installer also enables these credentials for the
Defaultautomation controller organization.- Container Registry
Create this type of credential if you need to authenticate before you can pull a container image from a container registry, such as
registry.redhat.ioor a private automation hub.
Note
If you install automation controller and private automation hub at the same time, then the installer creates an automation controller container registry credential for private automation hub.
- GitHub Personal Access Token
GitHub no longer supports password-based authentication to synchronize projects using the HTTPS protocol. To continue using HTTPS (rather than SSH), create and use a GitHub personal access token, and then create an automation controller credential that uses the personal access token.
- Machine
Automation controller can use this credential type to access and change the managed hosts. This credential specifies a username and either a password or the content of the user's SSH private key. If the credential should allow privilege escalation, specify the privilege escalation username (typically
root) and specify a privilege escalation password if necessary.
Note
In organizations that mandate against storing passwords, you can configure automation controller to prompt for passwords when using the credential.
- Source Control
Automation controller can use this credential type to synchronize project resources from a remote repository. Specify a username and either a password or the user's SSH private key.
- Vault
Use vault credentials to decrypt files that have been encrypted with Ansible vault.
Navigate to → to list credentials. Automation controller displays the name and credential type for each credential.
Click the name of any credential to display the credential details.
To create a machine credential, navigate to → and then click . Specify a name for the credential and choose the machine credential type. Specify any additional settings and then click .
| Setting | Description |
|---|---|
| Username | Automation controller connects to the managed hosts as this user (similar to the remote_user setting in an ansible.cfg file). |
| Password | The password associated with the user. Enter the password, or prompt for the password when the credential is used. A password or SSH private key is required. Using a password does not work if a managed host prevents password-based authentication over SSH. |
| SSH Private Key | This is the associated private key for a public SSH key that has already been copied to the managed host. A password or SSH private key is required. |
| Private Key Passphrase | If the private SSH key is password protected, then enter the passphrase, or prompt for the passphrase when the credential is used. |
| Privilege Escalation Method | The method used for privilege escalation (the same as the become_method setting in an ansible.cfg file or the ansible_become_method setting in an inventory file).
Use the enable method for network devices. |
| Privilege Escalation Username | The user to become for tasks that require privilege escalation (the same as the become_user setting in an ansible.cfg file). |
| Privilege Escalation Password | If the user requires a password for privilege escalation, then enter the password, or prompt for the password when the credential is used. |
To create a source control credential, navigate to → and click . Specify a name for the credential and choose the source control credential type.
| Setting | Description |
|---|---|
| Username | Automation controller connects to the source control repository as this user. |
| Password | The password associated with the user. The source control repository might disable password-based authentication. In that case, use the source code management (SCM) private key. |
| SCM Private Key | This is the associated private key for a public SSH key that has already been copied to the managed host. |
| Private Key Passphrase | If the SCM private key is password-protected, then enter the passphrase. |
Automation controller uses project resources to provide access to Ansible Playbooks. If a project uses source control, such as Git or Subversion, then automation controller synchronizes content from a remote repository.
Navigate to → to list existing projects. Click the icon to the left of any project name to expand project information. Synchronize projects that use source control from the page.
Use the column to assess if your project is current. For a Git repository, the revision string matches a commit hash.
To create a project, navigate to → and click .
Projects can specify a default execution environment to use for job templates. If not specified, then the project defaults to the defined default execution environment for automation controller. Job templates can choose a different execution environment.
Choose a source control credential type, such as Git, specify any additional settings, and then click .
| Setting | Description |
|---|---|
| Source Control URL | The URL used to clone the remote repository. |
| Source Control Branch/Tag/Commit | (Optional) A specific branch, tag, or commit for the repository. Use the option so that job templates can use a different branch, tag, or commit. |
| Source Control Credential | An existing credential that can be used to synchronize the remote repository. |
Automation controller automatically attempts to synchronize new projects. A project synchronization can fail for many reasons, including the following:
The project specifies an incorrect source control URL.
The project fails to specify, or specifies the wrong source control credential.
The source control credential specifies the wrong username, password, or SCM private key.
You can create inventory resources within automation controller, just as you can with a local inventory file or directory.
Inventories can contain groups of hosts as well as ungrouped hosts.
You can configure variables that apply to the entire inventory, to a specific inventory group, and to a specific inventory host.
When creating a job template, you must specify an inventory resource to use.
This is similar to specifying the --inventory (-i) option to the ansible-navigator command.
Automation controller can contain many inventories. Static inventories are inventories that you manually create and manage within automation controller. Static inventories display in the column. You can also create inventories that query an inventory source, such as an inventory defined in an automation controller project. Inventories that contain content from an inventory source display the status of the most recent inventory synchronization attempt.
To create an inventory, navigate to → and click → . Specify a name for the inventory and click .
After creating the inventory, populate the inventory with groups and hosts. You can manually add the groups and hosts or you can automatically populate them by using an existing inventory file in the project repository.
If a project already contains an inventory file, then you can use the file to automatically populate groups and hosts within automation controller.
Within an existing group, navigate to the tab and then click . Enter a name for the source and then choose from the menu. Choose an existing project, select an inventory file that exists within the project, and then click .
Within an existing group, navigate to the tab and then click the icon for the source. A successful inventory synchronization creates the hosts and groups defined in the selected inventory file.
A job template specifies the information that you need to run a playbook. A job template includes an inventory and might specify variables to override, or tags to either use or skip.
The page lists existing templates. Expand template information by clicking the icon to the left of any template name. Initiate a job run by clicking the icon.
To create a job template, navigate to → and then click → . You have to enter a name, select a project, and select a playbook. You can either choose an existing inventory or prompt for an inventory when the job template is launched. Job templates should specify necessary credentials, such as the machine credential that automation controller needs to connect to the managed hosts.
Important
Organizations that forbid storing credentials, such as passwords or passphrases, should configure job templates to prompt for credentials. Any job template that prompts for passwords (or other settings) must be run interactively.
Job templates include several additional optional fields.
Many of these options have corresponding command-line options that can be used when running a playbook with the ansible-navigator command.
You can specify these options as part of the job template, or be prompted for customizations when the job template is launched.
When you launch a job template, automation controller uses an execution environment to run the playbook using all the supplied information. If you configured the job template to prompt for information, such as an inventory, credentials, or variables, then automation controller prompts you for this information. Similarly, if the credentials used by your job template prompt for passwords or passphrases, then automation controller prompts you for this information. Job templates that prompt for any information must be run interactively.
Navigate to → to review job output. In addition to the output of playbook runs, the page displays inventory synchronization jobs and source control update jobs. Each job contains a number to show the order in which automation controller ran the job.
Expand job information by clicking the icon to the left of any job name. Expanded details include who launched the job, which inventory was used, and which execution environment was used. Click a job name to see the full job output.
References
