Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Pre-installation configuration

Before you can install self-service automation portal, you must configure OAuth authentication, generate tokens, and set up a project, secrets, and a plug-in registry in OpenShift Container Platform.

You must choose an organization in Ansible Automation Platform to use with self-service automation portal. If you have not set up an organization, use the following procedure to create one.

Procedure

  1. Open your Ansible Automation Platform instance in a browser and log in as an administrator.
  2. Navigate to Access Management Organizations.
  3. Click Create organization.
  4. Enter a unique Name and optionally provide a Description for your organization.
  5. Click Next to show the Review pane.
  6. Click Finish to create your organization.

3.2. Creating an OAuth application
Copy link

To use the Helm chart to deploy self-service automation portal, you must have set up an OAuth application on your Ansible Automation Platform instance. However, you cannot run automation on your Ansible Automation Platform instance until you have deployed your self-service automation portal Helm chart, because the OAuth configuration requires the URL for your deployment.

Create the OAuth Application on your Ansible Automation Platform instance, using a placeholder name for the deployment URL.

After deploying self-service automation portal, you must replace the placeholder value with a URL derived from your deployment URL in your OAuth application.

The steps below describe how to create an OAuth Application in the Ansible Automation Platform Platform console.

Procedure

  1. Open your Ansible Automation Platform instance in a browser and log in.
  2. Navigate to Access Management OAuth Applications.
  3. Click Create OAuth Application.

  4. Complete the fields in the form.

    • Name: Add a name for your application.
    • Organization: Choose the organization.
    • Authorization grant type: Choose Authorization code.
    • Client type: choose Confidential.

    • Redirect URIs: Add placeholder text for the deployment URL (for example https://example.com).

      Create OAuth application

  5. Click Create OAuth application.

    The Application information popup displays the clientId and clientSecret values.

  6. Copy the clientId and clientSecret values and save them.

    These values are used in an OpenShift secret for Ansible Automation Platform authentication.

Self-service automation portal uses Ansible Automation Platform or authentication and as an OAuth provider.

You must enable OAuth token creation in Ansible Automation Platform so that users can authenticate with the platform from self-service automation portal.

Note

Users who do not have permission to log in to Ansible Automation Platform cannot log in to Self-service portal, because Ansible Automation Platform provides the OAuth tokens. Therefore, a user who is removed from an external IdP (for example LDAP, SAML, Azure) can no longer log into Ansible Automation Platform or self-service automation portal. This prevents potential external token issues. For more information, refer to the Manage OAuth2 token creation for external users section ofAccess management and authentication.

Procedure

  1. In a browser, log in to your Ansible Automation Platform instance as a user with admin privileges.
  2. In the navigation pane, select Settings Platform gateway.
  3. Locate the Allow external users to create OAuth2 tokens setting.

  4. Enable Allow external users to create OAuth2 tokens if it is not already enabled:

    1. Click Edit platform gateway settings.

    2. Set Allow external users to create OAuth2 tokens to Enabled.

      Allow external users to create OAuth2 tokens setting
    3. Click Save platform gateway settings to save your updates and return to the Platform gateway settings page.
  5. In the Platform gateway settings page, verify that the Allow external users to create OAuth2 tokens setting is enabled.

You must create an API token in Ansible Automation Platform. The token is used in an OpenShift secret for Ansible Automation Platform authentication.

Procedure

  1. Log in to your instance of Ansible Automation Platform as a user with Ansible Automation Platform administrator privileges.
  2. Navigate to Access Management API Tokens to display the API Tokens page.
  3. Click Create API Token.
  4. Add a description and select your OAuth application.

  5. In the Scope menu, select Write.

    Create API Token dialog showing the Scope set to Write
  6. Click Create Token to generate the token.

  7. Save the new token.

    The token is used in an OpenShift secret that is fetched by the Helm chart.

3.5. Generating Git personal access tokens
Copy link

If you are linking external Source Control Management (SCM) systems to self-service automation portal, you must generate a Personal Access Token for authentication.

Self-service automation portal supports GitHub and GitLab SCMs.

For more information about Personal access tokens in GitHub, see Creating a personal access token (classic) in the GitHub Authentication guide.

Procedure

  1. In a browser, log in to GitHub.
  2. Click your profile picture and select Settings.
  3. Select Developer settings.
  4. Select Personal access tokens.
  5. Click Generate new token Generate new token(classic).

  6. In the Select scopes: section, enable the following:

    • repo
    • read:org
    • workflow (as needed)
  7. Click Generate token.
  8. Save the personal access token.

For details on creating a personal access token in Gitlab, see Create a personal access token in the Gitlab documentation.

Procedure

  1. In a browser, log in to Gitlab and click your avatar.
  2. Select Edit profile.
  3. Select Access tokens.
  4. Click Add new token.
  5. Provide a name and expiration date for the token.

  6. In the Scopes: section, select the following:

    • read_repository
    • api
  7. Click Create personal access token.
  8. Save the personal access token.

You must set up a project in OpenShift Container Platform for self-service automation portal. You can create the project from a terminal using the oc command. Alternatively, you can create the project in the OpenShift Container Platform console.

For more about OpenShift Container Platform projects, see the Building applications guide in the OpenShift Container Platform documentation.

You can use the OpenShift Container Platform web console to create a project in your cluster.

Procedure

  1. In a browser, log in to the OpenShift Container Platform web console.

  2. Creating a project varies slightly depending on which perspective you have on:

    1. From the Developer perspective: select Project then Create Project.
    2. From the Administrator perspective: select Home then Project then Create Project.

  3. In the Create Project dialog box, enter a unique name Name field.

    • Lowercase alphanumeric characters (a-z, 0-9) and the hyphen character (-) are permitted for project names.
    • The underscore (_) character is not permitted.

    • The maximum length for project names is 63 characters.

      1. Optional: display name and description for your project.
  4. Click Click to create the project.

You can run commands from your terminal to add a project to your cluster.

Prerequisites

  • You have the login details for your Openshift cluster.
  • You have installed the oc CLI tool.

Procedure

  1. In a terminal, log in to OpenShift Container Platform using your credentials: 

    oc login <OpenShift_API_URL> -u <username>

    The following example shows the output for a successful login: 

    $ oc login https://api.<my_cluster>.com:6443 -u kubeadmin
WARNING: Using insecure TLS client config. Setting this option is not supported!

Console URL: https://api.<my_cluster>.com:6443/console
Authentication required for https://api.<my_cluster>.com:6443 (openshift)
Username: kubeadmin
Password:
Login successful.

You have access to 22 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".

  2. Create a new project. Use a unique project name. 

    $ oc new-project <self-service-project-name>
    • Lowercase alphanumeric characters (a-z, 0-9) and the hyphen character (-) are permitted for project names.
    • The underscore (_) character is not permitted.

    • The maximum length for project names is 63 characters.

      Example: 

      $ oc new-project <my-project>

Now using project "my-project" on server "https://openshift.example.com:6443".

  3. Open your new project: 

    $ oc project <self-service-project-name>

3.7. Choose a plug-in delivery method
Copy link

Self-service automation portal supports two plug-in installation methods. Choose the method that fits your environment:

  • OCI container (recommended): self-service automation portal automatically pulls an Open Container Initiative (OCI) container from registry.redhat.io.
  • HTTP plug-in registry: Manually create an HTTP plug-in registry that contains the necessary self-service automation portal plug-ins.

3.7.1. OCI container delivery
Copy link

Use OCI container delivery to automatically pull an OCI container from registry.redhat.io that includes the self-service automation portal plug-ins. This is the recommended method for production deployments.

This method is the default for the Helm chart and is the recommended method for production deployments.

Prerequisites

  • You have a Red Hat account with access to registry.redhat.io.
  • You have credentials for registry.redhat.io.
  • You have access to the OpenShift project where you will install the Helm chart.
  • You have installed the OpenShift CLI (oc) and logged in to your cluster.
  • You have a registry service account token from the Red Hat Customer Portal.

Procedure

  1. Create an auth.json file on your local machine.

  2. Add the following structure to the auth.json file: 

    {
  "auths": {
    "registry.redhat.io": {
      "auth": "<base64-encoded-username-password>"
    }
  }
}

  3. Generate the base64-encoded authentication value: 

    printf '%s' '<username>:<password>' | base64 -w0
  4. Replace <base64-encoded-username-password> in the auth.json file with the output from the previous step.

  5. Create the authentication secret in the target OpenShift project. The secret name must match your Helm release name.

    If you install from the OpenShift catalog and you use the default release name redhat-rhaap-portal: 

    oc create secret generic redhat-rhaap-portal-dynamic-plugins-registry-auth \
  --from-file=auth.json=./auth.json

    If you use a custom release name: 

    oc create secret generic <release-name>-dynamic-plugins-registry-auth \
  --from-file=auth.json=./auth.json

Verification

  • Verify that the secret exists in the project: 

    oc get secret <release-name>-dynamic-plugins-registry-auth
    Important

    Create this secret in the same OpenShift project as the Helm release, and create it before you install or upgrade the Helm release.

OpenShift web console steps

You can create the dynamic-plugins-registry-auth secret in the OpenShift web console.

  1. In the OpenShift web console, select the OpenShift project where you will install the Helm release.
  2. In the Administrator view, click Workloads Secrets.
  3. Click Create Key/value secret.
  4. Set the secret name to <release-name>-dynamic-plugins-registry-auth.
  5. Add a key named auth.json and paste the contents of your auth.json file as the value.
  6. Click Create.

Helm chart configuration

When you configure the Helm chart, set redhat-developer-hub.global.pluginMode to match your chosen delivery method:

  • oci — OCI container delivery (recommended).
  • tarball — HTTP plug-in registry.

Verify that pluginMode is set to the correct value. If you omit this setting, the chart uses its built-in default. 

redhat-developer-hub:
  global:
    pluginMode: oci

If you need to change pluginMode after installing the Helm release, upgrade the Helm release.

OpenShift web console:

  1. In the Developer view, click Helm.
  2. Select the Helm release.
  3. Click Actions Upgrade.
  4. In the YAML view, set redhat-developer-hub.global.pluginMode to oci (OCI container delivery) or tarball (HTTP plug-in registry).
  5. Click Upgrade.

Command line:

  • Run the helm upgrade command with your updated values file: 

    helm upgrade <release-name> <chart> -n <project> -f <values.yaml>

Additional resources

3.7.2. HTTP plug-in registry
Copy link

The HTTP plug-in registry method hosts plug-in tarball files in a local OpenShift registry that the dynamic plug-in installer pulls during startup.

3.7.2.1. Log into OpenShift CLI
Copy link

To deploy a plug-in registry, you must install the OpenShift CLI (oc) locally and log in to your cluster.

See Installing OpenShift CLI in the OpenShift Container Platform documentation.

Procedure

  1. Log in to OpenShift Container Platform using your credentials: 

    oc login <OpenShift_API_URL> -u <username>

  2. Create a new project or switch to an existing project: 

    oc new-project <project-name>

    Or: 

    oc project <project-name>

To provide Ansible plug-ins to Red Hat Developer Hub, download the setup bundle and push the extracted files to a local Red Hat OpenShift registry.

By setting up a centralized httpd service, you can access these plug-in files through Helm chart configuration.

Procedure

  1. Create a directory on your local machine to store the plug-in files. 

    mkdir /path/to/<ansible-backstage-plugins-local-dir>

  2. Set an environment variable $DYNAMIC_PLUGIN_ROOT_DIR to represent the directory path. 

    export DYNAMIC_PLUGIN_ROOT_DIR=/path/to/<ansible-backstage-plugins-local-dir>
  3. Download the setup bundle. In a browser, navigate to the Red Hat Ansible Automation Platform Product Software downloads page. and select the Product Software tab.

  4. Click Download now next to Ansible self-service automation portal Setup Bundle to download the latest version of the plug-ins.

    The format of the filename is self-service-automation-portal-plugins-x.y.z.tar.gz.

    Substitute the Ansible plug-ins release version, for example 2.0.0, for x.y.z.

  5. Extract the contents to $DYNAMIC_PLUGIN_ROOT_DIR: 

    $ tar --exclude='*code*' -xzf self-service-automation-portal-plugins-x.y.z.tar.gz -C $DYNAMIC_PLUGIN_ROOT_DIR

  6. Verify that the extracted files are in the $DYNAMIC_PLUGIN_ROOT_DIR directory: 

    ls $DYNAMIC_PLUGIN_ROOT_DIR

    You should see the following files: 

    ansible-plugin-backstage-rhaap-dynamic-x.y.z.tgz
ansible-plugin-backstage-rhaap-dynamic-x.y.z.tgz.integrity
ansible-plugin-scaffolder-backend-module-backstage-rhaap-dynamic-x.y.z.tgz
ansible-plugin-scaffolder-backend-module-backstage-rhaap-dynamic-x.y.z.tgz.integrity

    The files with the .integrity file type contain the plug-in SHA value.

  7. Create an httpd service as part of your OpenShift project: 
oc new-build httpd --name=plugin-registry --binary
oc start-build plugin-registry --from-dir=$DYNAMIC_PLUGIN_ROOT_DIR --wait
oc new-app --image-stream=plugin-registry

Verification

  1. Run the following command to verify that the plug-in registry deployed correctly: 

    oc exec $(oc get pods -l deployment=plugin-registry -o jsonpath='{.items[0].metadata.name}') -- ls -l /opt/app-root/src
  2. Confirm that the required tarball files are in the plug-in registry.

Helm chart configuration When you configure the Helm chart, set redhat-developer-hub.global.pluginMode to tarball: 

redhat-developer-hub:
  global:
    pluginMode: tarball

Before installing the Helm chart, you must create a set of secrets in your OpenShift project. The self-service automation portal Helm chart fetches environment variables from OpenShift secrets.

You must create a secret in OpenShift Container Platform for Ansible Automation Platform authentication.

Procedure

  1. Log in to your OpenShift Container Platform instance.
  2. Open your OpenShift project for self-service automation portal in the Administrator view.
  3. Click Secrets in the side pane.
  4. Click Create to open the form for creating a new secret.
  5. Select the Key/Value option.

  6. Create a secret named secrets-rhaap-portal.

    Note

    The secret must use this exact name.

  7. Add the following key-value pairs to the secret.

    Note

    The secrets must use the exact key names specified below.

    • Key: aap-host-url

      Value needed: Ansible Automation Platform instance URL

    • Key: oauth-client-id

      Value needed: Ansible Automation Platform OAuth client ID

    • Key: oauth-client-secret

      Value needed: Ansible Automation Platform OAuth client secret value

    • Key: aap-token

      Value needed: Token for Ansible Automation Platform user authentication (must have read access).

  8. Click Create to create the secret.

3.8.2. Creating GitHub and Gitlab secrets
Copy link

Create an OpenShift secret to hold Personal Access Tokens for your external Source Control Management systems, such as GitHub or GitLab. This helps securely manage access credentials.

This procedure establishes the required secrets-scm Key/Value secret within your OpenShift Container Platform project to securely store the GitHub and/or GitLab Personal Access Tokens (PATs).

Procedure

  1. Log in to your OpenShift Container Platform instance.
  2. Open your OpenShift project for self-service automation portal.
  3. Click Secrets in the side pane.
  4. Click Create to open the form for creating a new secret.
  5. Select the Key/Value option.

  6. Create a secret named secrets-scm.

    Note

    The secret must use this exact name.

  7. Add the following key-value pairs to the secret. If you are only using one SCM, just add the key-value pair for that SCM.

    Note

    The secrets must use the exact key names specified below.

    • Key: github-token

      Value needed: Github Personal Access Token (PAT)

    • Key: gitlab-token

      Value needed: Gitlab Personal Access Token (PAT)

  8. Click Create to create the secret.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top