Expand Up @@ -8,6 +8,16 @@
[role="_abstract"]
Configuration as Code is a way of working where you define and manage the configuration of the {PlatformNameShort} itself using the version-controlled configuration files (such as YAML, or JSON), instead of clicking through the web UI.

[IMPORTANT]
====
Direct API access to individual service components ({ControllerName}, {HubName}, and {EDAName}) is not supported.
All CasC playbooks must authenticate through {Gateway}.
If you previously used {ControllerName} Personal Access Tokens (PATs), replace them with {Gateway} tokens.
Ensure that the `aap_hostname` variable in your playbooks points to your {Gateway} URL.

For more information about creating tokens, see link:{URLCentralAuth}/gw-token-based-authentication#proc-controller-apps-create-tokens[Adding tokens] in _{TitleCentralAuth}_.
====

As an Ansible content developer, you can use the Configuration as Code approach to apply settings on your {ControllerName} to get the following benefits:

* Predictable job behavior
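Review bot: The unchanged sentence directly after the new IMPORTANT block still says you "apply settings on your {ControllerName}", which sits awkwardly next to the new statement that direct access to {ControllerName} is not supported and that all playbooks authenticate through {Gateway}. Consider rewording that sentence so the target is {PlatformNameShort} reached through {Gateway}. The admonition also uses "CasC" without expanding it; the visible text only ever says "Configuration as Code", so spell it out as "Configuration as Code (CasC)" on first use.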
Expand All @@ -21,7 +31,8 @@ As an Ansible content developer, you can use the Configuration as Code approach

* You have a Git account.
* Your {Gateway} instance is accessible.
* You built and registered your own {ExecEnvShort}. Alternatively, you have available the supported {ExecEnvShort} to run playbooks that use the `ansible.platform` collection. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6/html/creating_and_using_execution_environments/index[Creating and using execution environments].
* You have a valid {Gateway} token or user credentials for {Gateway} authentication. Legacy {ControllerName} PATs are not supported.
* You built and registered your own {ExecEnvShort}. Alternatively, you have available the supported {ExecEnvShort} to run playbooks that use the `ansible.platform` collection. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/{PlatformVers}/html/creating_and_using_execution_environments/index[Creating and using execution environments].


.Procedure
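Review bot: The new prerequisite "You have a valid {Gateway} token or user credentials for {Gateway} authentication" does not say what level of access that identity needs, although the procedure goes on to create RBAC objects and assign roles. State the minimum role or scope the token or user must have, so readers are not left to assume an administrator account is required. Minor: the hunk leaves two blank lines before `.Procedure`; one is enough.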
Expand Down Expand Up @@ -82,6 +93,12 @@ role_for_user_in_team: "Auditor" # if your platform supports team-scoped roles
custom_role_name: "NetOps ReadOnly"
custom_role_description: "Read-only access to network objects"
----
+
[NOTE]
====
The `aap_hostname` variable must point to your {Gateway} URL, not to individual service endpoints such as {ControllerName} or {HubName}.
The `aap_username` and `aap_password` variables are your {Gateway} credentials.
====


. Compose the `/my_ansible_project/RBAC_settings.yml` playbook, which creates RBAC objects and assigns roles to those objects:
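Review bot: The new NOTE names only `aap_username` and `aap_password`, while the prerequisites and the IMPORTANT block added in this same change steer readers toward {Gateway} tokens. Say in this NOTE how a token is supplied in the variables file, or state explicitly that this example uses username and password and link to the token alternative. Because the file holds credentials, it would also help to say here that these values belong in the vault-encrypted variables, which is what the "Vault password:" prompt in the later sample output implies.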
Expand Down Expand Up @@ -172,7 +189,7 @@ Refer to the `all.yml` file to see the expanded values of those variables. For d

. Push the variables and the playbook to your Git repository so that the {ControllerName} can later read in the correct data.
+
[subs="+quotes",subs="attributes+"]
[subs="+quotes,attributes+"]
....
git add .
git commit -m "Provide variables and RBAC_settings.yml playbook resources for {PlatformNameShort} project"
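Review bot: At the `git add .` line, this step pushes the variables to Git, and the NOTE added earlier in this change confirms those variables include `aap_username` and `aap_password`. Add a sentence before the command telling readers to confirm the credentials file is vault-encrypted before staging, since `git add .` stages everything in the project directory. The `subs` fix itself looks right: the old line set `subs` twice, and the merged `[subs="+quotes,attributes+"]` is what lets `{PlatformNameShort}` resolve in the commit message.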
Expand Down Expand Up @@ -220,8 +237,7 @@ image::cac-create-job-template.png[Create job template]
+
[listing,options="nowrap"]
....
Vault password:
[WARNING]: Collection ansible.platform does not support Ansible version 2.15.13
Vault password:

PLAY [Create organization] *****************************************************

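Review bot: The sample output drops the line `[WARNING]: Collection ansible.platform does not support Ansible version 2.15.13`, but nothing in the visible change says why. If the listing was regenerated on a supported {ExecEnvShort}, that is fine; if the line was removed by hand, readers who still see the warning will find the documented output does not match theirs. Either confirm the output was re-captured or add a short note on what to do when the version warning appears.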
Expand Down Expand Up @@ -285,3 +301,11 @@ image::cac-user-exists.png[User with assigned role exists]
* Check that you see your created custom role, which was assigned the permissions as specified in your `RBAC_settings.yml` playbook:
+
image::cac-custom-role-exists.png[Custom role with assigned permissions exists]

[role="_additional-resources"]
.Additional resources

* link:{URLCentralAuth}/gw-token-based-authentication#proc-controller-apps-create-tokens[Adding tokens] in _{TitleCentralAuth}_ for creating OAuth 2 tokens through the {Gateway} UI.
* link:{URLCentralAuth}/gw-token-based-authentication#ref-controller-create-oauth2-token[create_oauth2_token] in _{TitleCentralAuth}_ for creating tokens from the command line.
* link:https://console.redhat.com/ansible/automation-hub/repo/published/ansible/platform/content/?showing=module[ansible.platform] collection on {HubNameStart} for module reference documentation.
* The `ansible.platform` collection replaces the service-specific `ansible.controller`, `ansible.hub`, and `ansible.eda` collections. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/{PlatformVers}/html/release_notes/aap-26#aap-2.6-deprecated-features[Deprecated features].
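Review bot: In the last bullet, the link path uses `{PlatformVers}` but the anchor is hardcoded as `aap-26#aap-2.6-deprecated-features`, so the link will break or point at the wrong release notes as soon as the attribute changes. Use an attribute for the whole target or link to a version-independent anchor. That bullet is also a statement of fact ("replaces the service-specific `ansible.controller`, `ansible.hub`, and `ansible.eda` collections") rather than a resource entry; consider moving the sentence into the body and keeping only the "Deprecated features" link here. The first bullet repeats the "Adding tokens" link already given in the IMPORTANT block, which is acceptable but could be trimmed.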