Update the deployment URL

Complete the necessary post-installation configuration, including updating the OAuth application and setting up initial Role-Based Access Control (RBAC). You can then access and sign in to the portal.

Add the deployment URL to the OAuth Application

When you set up your OAuth application in Ansible Automation Platform before deploying Ansible automation portal, you added placeholder text for the Redirect URIs value.

About this task

You must update this value using the URL from the deployed application so that you can run automation on Ansible Automation Platform from Ansible automation portal.

Procedure

  1. Determine the Redirect URI from your OpenShift deployment:
    1. Open the URL for the deployment from the OpenShift console to display the sign-in page for Ansible automation portal.
    2. Copy the URL for the sign-in page for Ansible automation portal.
    3. To determine the Redirect URI value, append /api/auth/rhaap/handler/frame to the end of the deployment URL.

      For example, if the URL for the deployment is https://my-automation-portal-project.mycluster.com, then the Redirect URI value is https://my-automation-portal-project.mycluster.com/api/auth/rhaap/handler/frame.

  2. Update the Redirect URIs field in the OAuth application in Ansible Automation Platform:
    1. In a browser, open your instance of Ansible Automation Platform.
    2. Navigate to Access Management > OAuth Applications.
    3. In the list view, click the OAuth application you created.
    4. Replace the placeholder text in the Redirect URIs field with the value you determined from your OpenShift deployment.
    5. Click Save to apply the changes.

Configure custom SSL certificates for the Ansible automation portal

If your Ansible Automation Platform instance uses custom or self-signed SSL certificates, configure the Ansible automation portal to trust those certificates to prevent authentication failures.

Before you begin

  • You have administrator access to your Red Hat OpenShift Container Platform cluster.
  • You have the custom Certificate Authority (CA) certificate file used by your Ansible Automation Platform instance.
  • The Ansible automation portal is installed in your Red Hat OpenShift Container Platform cluster.

Procedure

  1. Obtain the CA certificate file from your Ansible Automation Platform instance.

    If you do not have the CA certificate file, you can extract it from your Ansible Automation Platform server:

    $ openssl s_client -showcerts -connect <aap-hostname>:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > aap-ca-cert.pem

    Replace <aap-hostname> with your Ansible Automation Platform hostname.

  2. Log in to your Red Hat OpenShift Container Platform cluster with administrator privileges.
  3. Create a ConfigMap containing your custom CA certificate:
    $ oc create configmap custom-ca-bundle \
      --from-file=ca-bundle.crt=aap-ca-cert.pem \
      -n <namespace>

    Replace <namespace> with the namespace where the Ansible automation portal is installed.

  4. Update your Ansible automation portal Helm chart values to mount the custom CA certificate.
    Important

    Helm replaces arrays entirely rather than merging them. You must include all chart-default volumes, volume mounts, and secrets in your override alongside your custom addition. If you specify only the CA certificate entries, the chart-default values are removed and the deployment fails.

    To inspect the current chart defaults, run:

    $ helm show values redhat-rhaap-portal-x.y.z.tgz

    Add the custom-ca volume, volume mount, and any extra secrets to your values file alongside the chart defaults:

    upstream:
      backstage:
        extraEnvVarsSecrets:
          # -- Chart default (do not remove) --
          - rhdh-secrets
        extraVolumes:
          # -- Chart defaults (do not remove) --
          - name: dynamic-plugins-root
            ephemeral:
              volumeClaimTemplate:
                spec:
                  accessModes:
                    - ReadWriteOnce
                  resources:
                    requests:
                      storage: 2Gi
          - name: audit-log-data
            persistentVolumeClaim:
              claimName: '{{ printf "%s-audit-log" .Release.Name }}'
          - name: dynamic-plugins
            configMap:
              defaultMode: 420
              name: '{{ printf "%s-dynamic-plugins" .Release.Name }}'
              optional: true
          - name: dynamic-plugins-npmrc
            secret:
              defaultMode: 420
              optional: true
              secretName: dynamic-plugins-npmrc
          - configMap:
              defaultMode: 420
              name: rbac-policy
            name: rbac-policy
          - name: npmcacache
            emptyDir: {}
          # -- Custom addition: AAP CA certificate --
          - name: custom-ca
            configMap:
              name: custom-ca-bundle
        extraVolumeMounts:
          # -- Chart defaults (do not remove) --
          - name: dynamic-plugins-root
            mountPath: /opt/app-root/src/dynamic-plugins-root
          - name: audit-log-data
            mountPath: /var/log/redhat-developer-hub/audit
          - mountPath: /opt/app-root/src/rbac
            name: rbac-policy
          # -- Custom addition: AAP CA certificate --
          - name: custom-ca
            mountPath: /etc/pki/ca-trust/source/anchors/
            readOnly: true
  5. Apply the updated configuration by upgrading the Ansible automation portal Helm chart:
    $ helm upgrade <release-name> <chart-name> \
      -f values.yaml \
      -n <namespace>

    Replace <release-name> with your Helm release name and <chart-name> with the Ansible automation portal chart name.

  6. Wait for the Ansible automation portal pods to restart with the new configuration.
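
The array-replacement behaviour from the Important note in step 4, as an added example (not Red Hat's or the chart's own code): a Python check that models Helm's value merge and lists the chart-default entries an override would drop. It assumes both value sets are already loaded as Python dicts; the sample data is constructed from a subset of the values on this page, and all function names are hypothetical.

```python
# Added example: models how Helm combines chart defaults with a values override.
# Maps merge key by key; lists and scalars from the override replace the default.
def helm_merge(defaults, override):
    """Effective values: dicts merge recursively, anything else is replaced."""
    if isinstance(defaults, dict) and isinstance(override, dict):
        merged = dict(defaults)
        for key, value in override.items():
            merged[key] = helm_merge(defaults[key], value) if key in defaults else value
        return merged
    return override

def entry_id(item):
    # Volumes and mounts are identified by "name"; plain strings by their value.
    return item.get("name") if isinstance(item, dict) else item

def dropped_defaults(defaults, override, path=""):
    """Return 'path: entry' for each chart-default list entry the override removes."""
    dropped = []
    if isinstance(defaults, dict) and isinstance(override, dict):
        for key in defaults.keys() & override.keys():
            child = f"{path}.{key}" if path else key
            dropped += dropped_defaults(defaults[key], override[key], child)
    elif isinstance(defaults, list) and isinstance(override, list):
        kept = {entry_id(i) for i in override}
        dropped = [f"{path}: {entry_id(i)}" for i in defaults if entry_id(i) not in kept]
    return sorted(dropped)

# Constructed sample: a subset of the chart defaults listed in step 4.
CHART_DEFAULTS = {"upstream": {"backstage": {
    "extraEnvVarsSecrets": ["rhdh-secrets"],
    "extraVolumes": [{"name": "dynamic-plugins-root"}, {"name": "audit-log-data"},
                     {"name": "rbac-policy", "configMap": {"name": "rbac-policy"}}],
    "extraVolumeMounts": [
        {"name": "dynamic-plugins-root", "mountPath": "/opt/app-root/src/dynamic-plugins-root"},
        {"name": "rbac-policy", "mountPath": "/opt/app-root/src/rbac"}],
}}}
CA_VOLUME = {"name": "custom-ca", "configMap": {"name": "custom-ca-bundle"}}
CA_MOUNT = {"name": "custom-ca", "mountPath": "/etc/pki/ca-trust/source/anchors/", "readOnly": True}
BACKSTAGE = CHART_DEFAULTS["upstream"]["backstage"]
# Weak override: only the CA entries, so default volumes and mounts disappear.
WEAK = {"upstream": {"backstage": {"extraVolumes": [CA_VOLUME], "extraVolumeMounts": [CA_MOUNT]}}}
# Corrected override: chart defaults repeated, custom entries appended.
FIXED = {"upstream": {"backstage": {
    "extraVolumes": BACKSTAGE["extraVolumes"] + [CA_VOLUME],
    "extraVolumeMounts": BACKSTAGE["extraVolumeMounts"] + [CA_MOUNT]}}}

if __name__ == "__main__":
    for label, values in (("weak", WEAK), ("fixed", FIXED)):
        print(label, dropped_defaults(CHART_DEFAULTS, values))
```

An empty result means the override keeps every chart-default list entry. Keys the override does not mention, such as extraEnvVarsSecrets in the weak sample, survive because maps are merged rather than replaced.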

Results

  1. Verify that the Ansible automation portal pods are running:
    $ oc get pods -n <namespace>

    All Ansible automation portal pods should show a status of Running.

  2. Attempt to sign in to the Ansible automation portal using your Ansible Automation Platform credentials.

    If the SSL certificate configuration is correct, you can authenticate successfully without SSL verification errors.

  3. Check the Ansible automation portal logs for SSL-related errors:
    $ oc logs -n <namespace> <pod-name> | grep -i ssl

    If you see no SSL verification errors, the custom CA certificate is trusted correctly.

If you continue to experience SSL verification errors after following this procedure:

  • Verify that the CA certificate file contains the complete certificate chain.
  • Ensure that the certificate file is in PEM format.
  • Confirm that the Ansible Automation Platform hostname in your configuration matches the hostname in the SSL certificate.
  • Check that the checkSSL parameter in your Helm values is set to true (the default). Setting it to false disables SSL verification entirely, which is not recommended for production environments.

Sign in to Ansible automation portal

Log in to the deployed Ansible automation portal using your existing Ansible Automation Platform credentials. The portal uses these credentials for authentication.

Before you begin

  • You have configured an OAuth application in Ansible Automation Platform for Ansible automation portal.
  • You have configured a user account in Ansible Automation Platform.

Procedure

  1. In a browser, navigate to the URL for Ansible automation portal to open the sign-in page.
  2. Click Sign In.
  3. The sign-in page for Ansible Automation Platform appears.
  4. Enter your Ansible Automation Platform credentials and click Log in.
  5. The Ansible automation portal web console opens.

If you are using custom or self-signed SSL certificates, the following error might be displayed when you attempt to log in to Ansible automation portal:

Login failed; caused by Error: Failed to send POST request: fetch failed

This error indicates that Ansible automation portal cannot verify the SSL certificate from your Ansible Automation Platform instance.

To resolve this issue, configure Ansible automation portal to trust your custom CA certificate.

Note

While you can disable SSL validation by setting checkSSL: false in the Helm chart configuration, this approach is not recommended for production environments as it reduces security. Instead, configure Ansible automation portal to trust your custom CA certificate.