Red Hat SummitChapter 2. Setting up automation mesh
Configure the Ansible Automation Platform installer to set up automation mesh for your Ansible environment. Perform additional tasks to customize your installation, such as importing a Certificate Authority (CA) certificate.
2.1. automation mesh Installation
For a VM-based install of Ansible Automation Platform you use the installation program to set up automation mesh or to upgrade to automation mesh. To provide Ansible Automation Platform with details about the nodes, groups, and peer relationships in your mesh network, you define them in an the inventory file in the installer bundle. For managed cloud, OpenShift, or operator environments, see Automation mesh for managed cloud or operator environments.
2.2. Editing the Red Hat Ansible Automation Platform installer inventory file
You can use the Red Hat Ansible Automation Platform installer inventory file to specify your installation scenario.
Procedure
Navigate to the installer:
[RPM installed package]
$ cd /opt/ansible-automation-platform/installer/[bundled installer]
$ cd ansible-automation-platform-setup-bundle-<latest-version>[online installer]
$ cd ansible-automation-platform-setup-<latest-version>
-
Open the
inventoryfile with a text editor. -
Edit
inventoryfile parameters to specify your installation scenario. For further information, see Editing the Red Hat Ansible Automation Platform installer inventory file
2.3. Running the Red Hat Ansible Automation Platform installer setup script
After you update the inventory file with required parameters, run the installer setup script.
Procedure
Run the
setup.shscript$ sudo ./setup.sh
If you are running the setup as a non-root user with sudo privileges, you can use the following command:
$ ANSIBLE_BECOME_METHOD='sudo'
ANSIBLE_BECOME=True ./setup.shInstallation of Red Hat Ansible Automation Platform will begin.
Additional resources
See Understanding privilege escalation for additional setup.sh script examples.
If you want to add additional nodes to your automation mesh after the initial setup, edit the inventory file to add the new node, then rerun the setup.sh script.
2.4. Importing a Certificate Authority (CA) certificate
A Certificate Authority (CA) verifies and signs individual node certificates in an automation mesh environment. You can provide your own CA by specifying the path to the certificate and the private RSA key file in the inventory file of your Red Hat Ansible Automation Platform installer.
The Ansible Automation Platform installation program generates a CA if you do not provide one.
Procedure
-
Open the
inventoryfile for editing. -
Add the
mesh_ca_keyfilevariable and specify the full path to the private RSA key (.key). -
Add the
mesh_ca_certfilevariable and specify the full path to the CA certificate file (.crt). - Save the changes to the inventory file.
Example
[all:vars]
mesh_ca_keyfile=/tmp/<mesh_CA>.key
mesh_ca_certfile=/tmp/<mesh_CA>.crt
With the CA files added to the inventory file, run the installation program to apply the CA. This process copies the CA to the to /etc/receptor/tls/ca/ directory on each control and execution node on your mesh network.
2.4.1. Using custom signed certificates in automation mesh
Learn how to replace the default automation mesh installer-provided certificates with custom,organization-specific certificates.
In the following procedure, replace <FQDN/IP Address> and <IP Address> with the Fully Qualified Domain Name (FQDN) or IP address of the node.
Procedure
Stop the receptor service on all automation controller and execution nodes.
# systemctl stop receptor- Generate a new Certificate Authority (CA) for your mesh network.
Replace "common ca" in the command below with the required common name.
# receptor --cert-init commonname="common ca" bits=4096 outcert=/etc/receptor/tls/ca/mesh-CA.crt outkey=/etc/receptor/tls/ca/mesh-CA.keyGenerate a self-signed certificate request for each Controller and Execution Node.
# receptor --cert-makereq commonname=<FQDN/IP Address> bits=4096 nodeid=<FQDN/IP Address> outreq=/etc/receptor/tls/<FQDN/IP Address>.csr outkey=/etc/receptor/tls/<FQDN/IP Address>.key ipaddress=<IP Address> ipaddress=<IP Address>Sign the newly created certificates with your CA. Make sure you adjust the
notafter=date to meet your organizational requirements. The example shown uses a date far in the future.# receptor --cert-signreq verify=yes cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key req=/etc/receptor/tls/<FQDN/IP Address>.csr outcert=/etc/receptor/tls/<FQDN/IP Address>.crt notafter="2034-07-29T20:48:02Z"-
Transfer the newly created and signed certificates to their nodes in the
/etc/receptor/tls/directory. -
The
mesh-CA.crtfile must be placed in/etc/receptor/tls/ca. Ensure that the permissions and ownership of the certificate files are set correctly.
- All files should be owned by receptor
All certificate files should have 0640 permissions.
# chown -R receptor: /etc/receptor; chmod 0640 /etc/receptor/tls/<FQDN/IP Address>.crt
Start the receptor service on all Controller and Execution nodes.
# systemctl start receptor- Verify the node status in the Ansible Automation Platform UI:
-
In the navigation panel, select
- Select the default instance group, then go to the Instances tab.
- Ensure that the status of all nodes is marked as Ready.
If any node is marked as Unavailable:
- Select the Unavailable node.
- Click .
- Refresh the page, and the node should now display as Ready.
2.4.2. Correcting multiple signed certificates
If /etc/receptor/tls/ca/mesh-CA.crt (for RPM-based installs) or $HOME/aap/receptor/etc/mesh-CA.crt (for containerized installs) contains more than 10 certificates, an error occurs.
Take the following steps on all automation controller and execution nodes within the Ansible Automation Platform environment.
For an RPM-based install
Procedure
Make a backup of the
mesh-CA.crtfilecp -p /etc/receptor/tls/ca/mesh-CA.crt /etc/receptor/tls/ca/mesh-CA.crt-$(date +%F)-
Delete everything past the first certificate within the
mesh-CA.crtfile, that is, keep only the first certificate that is present at the top of the file. Restart receptor
systemctl restart receptor
For a Containerized install
Make a backup of the
mesh-CA.crtfilecp -p $HOME/aap/receptor/etc/mesh-CA.crt $HOME/aap/receptor/etc/mesh-CA.crt-$(date +%F)-
Delete everything past the first certificate within the
mesh-CA.crtfile, that is, keep only the first certificate that is present at the top of the file. Restart receptor
systemctl --user restart receptor
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}