Managing Red Hat Certified and Ansible Galaxy collections in automation hub
Configure Automation Hub to deliver curated Red Hat Certified and Ansible Galaxy collections content to your users.
Abstract
Preface
You can sync automation hub to use the Red Hat Certified Collections available through your Ansible Automation Platform subscription or community collections available through Ansible Galaxy.
Your organization can access and curate into a unique set of collections from all Red Hat Certified content in the automation hub service hosted on console.redhat.com.
You can also configure private automation hub for signing and publishing Ansible content collections tailored to meet your organization’s unique needs.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Managing Red Hat Certified collections synclists in automation hub
You can use automation hub to distribute the relevant Red Hat Certified collections content to your users by creating synclists.
1.1. About Red Hat Certified collections synclists
A synclist is a curated group of Red Hat Certified collections that is assembled by your organization administrator that syncs to your local automation hub. Use synclists to manage only the content that you want and exclude unnecessary collections. You can design and manage your synclist from the content available as part of Red Hat Certified collections on console.redhat.com
Each synclist has its own unique repository URL you can use to designate as a remote source for content in automation hub and is securely accessed using an API token.
1.2. Creating a synclist of Red Hat Certified collections
You can create a synclist of curated Red Hat Certified collections in automation hub on console.redhat.com. Your synclist repository is located under
→ , which is updated whenever you choose to manage content within Red Hat Certified collections.By default, all Red Hat Certified collections are included in your initial organization synclist.
Prerequisites
- You have a valid Ansible Automation Platform subscription.
- You have Organization Administrator permissions for console.redhat.com.
Ensure that the following domain names are part of either the firewall or the proxy’s allowlist for successful connection and download of collections from automation hub or Galaxy server:
-
galaxy.ansible.com
-
cloud.redhat.com
-
console.redhat.com
-
sso.redhat.com
-
Automation hub resources are stored in Amazon Simple Storage. Add the following domain name to the allow list:
-
automation-hub-prd.s3.us-east-2.amazonaws.com
-
ansible-galaxy.s3.amazonaws.com
-
- SSL inspection is disabled either when using self signed certificates or for the Red Hat domains.
Procedure
- Log in to console.redhat.com.
- Navigate to → .
- Use the toggle switch on each collection to determine whether to exclude it from your synclist.
When you finish managing collections for your synclist, you can navigate to
→ to initiate the remote repository sync to your local automation hub. If your remote repository is already configured, you can manually sync Red Hat Certified collections to your local automation hub to update the collections content that you made available to local users.Chapter 2. Configuring automation hub remote repositories to sync content from Red Hat Certified and Ansible Galaxy collections
You can configure your local automation hub to sync with Red Hat Certified Collections hosted in your organization repository on console.redhat.com or to your choice of collections in Ansible Galaxy.
2.1. About remote repositories
You can configure your local automation hub to sync with Red Hat Certified Collections hosted in your organization repository on console.redhat.com and to your choice of collections in Ansible Galaxy by configuring remote repositories.
Each remote repository located in community and rh-certified about when the repo was last updated and when content was last synced. You can add new content to automation hub at any time using the Edit and Sync features included on the → page.
→ provides information for both2.2. Retrieving your Red Hat Certified Collections Sync URL and API token.
You can sync Red Hat certified collections curated by your organization from console.redhat.com to your local automation hub.
Prerequisites
- You have Organization Administrator permissions for console.redhat.com.
Procedure
- Log in to console.redhat.com as an Organization Administrator.
- Navigate to → .
- Locate the Sync URL and click the icon ( ). Paste the Sync URL in a file to use when configuring the rh-certified remote.
- Click the icon ( ) and click .
- On the Token management page, click .
- Click to copy the API token.
- Paste the API token into a file and store in a secure location.
The API token is a secret token used to protect your content. Store your API token in a secure location.
2.3. Configuring the rh-certified remote repository and synchronizing Red Hat Ansible Certified Content Collection.
You can edit the rh-certified remote repository to sync collections from automation hub hosted on cloud.redhat.com to your local automation hub. By default, your local automation hub rh-certified
repository includes the URL for the entire group of Red Hat Certified Collections available on cloud.redhat.com. To use only those collections specified by your organization, you must include a unique URL.
Prerequisites
- You have Modify Ansible repo content permissions. See Managing user access in Automation Hub for more information on permissions.
- You have retrieved the Sync URL and API Token from the automation hub hosted service on console.redhat.com.
- You have configured access to port 443. This is required for synchronizing certified collections. For more information, see the automation hub table in the Network ports and protocols chapter of the Red Hat Ansible Automation Platform Planning Guide.
Procedure
- Log in to your local automation hub.
- Navigate to .
- Click the Remotes tab.
- In the rh-certified remote, click and click .
- In the modal, paste the Sync URL and Token you acquired from cloud.redhat.com.
- Click .
The modal closes and returns you to the Repo Management page. You can now synchronize collections between your organization synclist on console.redhat.com and your private automation hub.
+ . Click
to synchronize collections.The Sync status notification updates to notify you of completion of Red Hat Certified collections sync.
Verification
You can confirm that your collections content has synced successfully by selecting Red Hat Certified from the collections content drop-down list.
2.4. Configuring the community remote repository and syncing Ansible Galaxy collections
You can edit the community remote repository to sync chosen collections from Ansible Galaxy to your local automation hub. By default, your local automation hub community
repository directs to https://galaxy.ansible.com/api/
.
Prerequisites
- You have Modify Ansible repo content permissions. See Managing user access in Automation Hub for more information on permissions.
-
You have a
requirements.yml
file that identifies those collections to sync from Ansible Galaxy. See example below.
Requirements.yml example
collections: # Install a collection from {Galaxy}. - name: community.aws version: 5.2.0 source: https://galaxy.ansible.com
Procedure
- Log in to your local automation hub.
- Navigate to .
- Click the Remotes tab.
- In the community remote, click the icon and click .
-
In the modal, click
requirements.yml
file on your local machine. and locate the - Click .
The modal closes and returns you to the Repo Management page. You can now sync collections identified in your requirements.yml
file from Ansible Galaxy to your local automation hub.
- Click to sync collections from Ansible Galaxy and automation hub.
The Sync status notification updates to notify you of completion or failure of Ansible Galaxy collections sync to your automation hub.
Verification
You can confirm successful sync by selecting Community from the collections content drop-down list.
Chapter 3. Collections and content signing in private automation hub
As an automation administrator for your organization, you can configure private automation hub for signing and publishing Ansible content collections from different groups within your organization.
For additional security, automation creators can configure Ansible-Galaxy CLI to verify these collections to ensure they have not been changed after they were uploaded to automation hub.
3.1. Configuring content signing on private automation hub
To successfully sign and publish Ansible Certified Content Collections, you must configure private automation hub for signing.
Prerequisites
- Your GnuPG key pairs have been securely set up and managed by your organization.
- Your public/private key pair has proper access for configuring content signing on private automation hub.
Procedure
Create a signing script that only accepts a filename.
NoteThis script will act as the signing service and must generate an ascii-armored detached
gpg
signature for that file using the key specified through thePULP_SIGNING_KEY_FINGERPRINT
environment variable.The script then prints out a JSON structure with the following format.
{"file": "filename", "signature": "filename.asc"}
All the file names are relative paths inside the current working directory. The file name must remain the same for the detached signature, as shown.
The following example shows a script that produces signatures for content:
#!/usr/bin/env bash FILE_PATH=$1 SIGNATURE_PATH="$1.asc" ADMIN_ID="$PULP_SIGNING_KEY_FINGERPRINT" PASSWORD="password" # Create a detached signature gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \ $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \ --armor --output $SIGNATURE_PATH $FILE_PATH # Check the exit status STATUS=$? if [ $STATUS -eq 0 ]; then echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"} else exit $STATUS fi
After you deploy a private automation hub with signing enabled to your Ansible Automation Platform cluster, new UI additions display when you interact with collections.
Review the Ansible Automation Platform installer inventory file for options that begins with
automationhub_*
.[all:vars] . . . automationhub_create_default_collection_signing_service = True automationhub_auto_sign_collections = True automationhub_require_content_approval = True automationhub_collection_signing_service_key = /abs/path/to/galaxy_signing_service.gpg automationhub_collection_signing_service_script = /abs/path/to/collection_signing.sh
The two new keys (automationhub_auto_sign_collections and automationhub_require_content_approval) indicate that the collections must be signed and require approval after they are uploaded to private automation hub.
3.2. Using content signing services in private automation hub
After you have configured content signing on your private automation hub, you can manually sign a new collection or replace an existing signature with a new one so that users who want to download a specific collection have the assurance that the collection is intended for them and has not been modified after certification.
Content signing on private automation hub provides solutions for the following scenarios:
- Your system does not have automatic signing configured and you must use a manual signing process to sign collections.
- The current signatures on the automatically configured collections are corrupted and must be replaced with new signatures.
- Additional signatures are required for previously signed content.
- You want to rotate signatures on your collections.
Procedure
- Log in to your private automation hub instance in the automation hub UI.
- In the left navigation, click → . The Approval dashboard is displayed with a list of collections.
- Click for each collection you want to sign.
- Verify that the collections you signed and approved manually are displayed in the Collections tab.
3.3. Configuring Ansible-Galaxy CLI to verify collections
You can configure Ansible-Galaxy CLI to verify collections. This ensures that collections you download are approved by your organization and have not been changed after they were uploaded to automation hub.
If a collection has been signed by automation hub, the server provides ASCII armored, GPG-detached signatures to verify the authenticity of MANIFEST.json
before using it to verify the collection’s contents. You must opt into signature verification by configuring a keyring for ansible-galaxy
or providing the path with the --keyring
option.
Prerequisites
- Signed collections are available in automation hub to verify signature.
- Certified collections can be signed by approved roles within your organization.
- Public key for verification has been added to the local system keyring.
Procedure
To import a public key into a non-default keyring for use with
ansible-galaxy
, run the following command.gpg --import --no-default-keyring --keyring ~/.ansible/pubring.kbx my-public-key.asc
NoteIn addition to any signatures provided by the automation hub, signature sources can also be provided in the requirements file and on the command line. Signature sources should be URIs.
Use the
--signature
option to verify the collection name provided on the CLI with an additional signature.ansible-galaxy collection install namespace.collection --signature https://examplehost.com/detached_signature.asc --signature file:///path/to/local/detached_signature.asc --keyring ~/.ansible/pubring.kbx
You can use this option multiple times to provide multiple signatures.
Confirm that the collections in a requirements file list any additional signature sources following the collection’s signatures key, as in the following example.
# requirements.yml collections: - name: ns.coll version: 1.0.0 signatures: - https://examplehost.com/detached_signature.asc - file:///path/to/local/detached_signature.asc ansible-galaxy collection verify -r requirements.yml --keyring ~/.ansible/pubring.kbx
When you install a collection from automation hub, the signatures provided by the server are saved along with the installed collections to verify the collection’s authenticity.
-
(Optional) If you need to verify the internal consistency of your collection again without querying the Ansible Galaxy server, run the same command you used previously using the
--offline
option.
Chapter 4. Conclusion
When you complete all of the previous procedures, you will have:
- created a synclist for Red Hat Certified collections content.
- synced that content to your local automation hub.
- designated community collections from Ansible Galaxy to distribute to your users.
- configured content signing on private automation hub.
- signed and approved collections for your organization’s specific needs.
- configured Ansible-Galaxy CLI to verify collections before signing them.
Users can now view and download collections content from your local automation hub.