Chapter 1. Getting started with Ansible in Satellite

Procedure

1. Add the roles to a directory in an Ansible path on Satellite Server and all Capsule Servers from where you want to use the roles. If you want to use custom or third party Ansible roles, ensure to configure an external version control system to synchronize roles between Satellite Server and Capsule Servers.

2. On all Capsule Servers that you want to use to run Ansible roles on hosts, enable the Ansible plugin:

   # satellite-installer --enable-foreman-proxy-plugin-ansible

3. Distribute SSH keys to enable Capsules to connect to hosts using SSH. For more information, see Section 4.13, “Distributing SSH keys for remote execution”. Satellite runs Ansible roles the same way it runs remote execution jobs.
4. Import the Ansible roles into Satellite.
5. Proceed to Chapter 2, Using Ansible roles to automate repetitive tasks on clients.

Procedure

1. In the Satellite web UI, navigate to Configure > Ansible > Roles.
2. Click Import to select the Capsule from which you want to import.
3. Select the roles that you want to import.
4. Click Submit.

Procedure

1. In the Satellite web UI, navigate to Configure > Ansible > Variables.
2. Select the Ansible variable that you want to override and manage with Satellite.
3. In the Default Behavior area, select the Override checkbox.
4. In the Parameter Type field, select the value type for validation such as string or boolean. The types array and hash have further options for handling upon a variable match. For more information, see the Prioritize Attribute Order area below.
5. In the Default Value field, enter the default value that you want to use if there is no match for the variable.
6. Optional: If you do not want to display the value of the variable as plain text in the Satellite web UI, select the Hidden Value checkbox to display the content of the variable as asterisks. This is useful for sensitive values such as passwords or secret tokens.

7. Optional: Expand the Optional Input Validator area and specify conditions that will be used to validate concrete values of the variable:

   • Select Required if you want to enforce users to fill in this variable.

   • In the Validator Type field, select how the value will be validated:

     • list – The value will be validated against an enumeration of allowed values.
     • regex – The value will be validated against a regular expression pattern.

8. Optional: In the Prioritize Attribute Order area, specify the order of priority to match an override with a host by host attributes. Order at the top takes higher precedence. The first match wins.

   You can combine multiple attributes into a single matcher key using a comma as the AND operation. For example, the matcher key of hostgroup, environment would expect matchers such as hostgroup = "web servers" AND environment = production.

   If you use the parameter type array or hash, you can further set:

   • Merge Overrides – Merges members of the arrays/hashes instead of replacing the whole array or hash. If the hashes contain the same key, the value is overwritten by the value of the host.
   • Merge Default – Adds the default value to the array or hash.
   • Avoid Duplicates – Ensures that the values in the array or hash are unique.
9. Optional: Expand the Specify Matchers area and specify criteria for selecting hosts on which the variable overrides.
10. To save the override settings, click Submit.

Adding the variable to a host

1. In the Satellite web UI, navigate to Hosts > All Hosts and select the host that you want to use.
2. Click the Ansible tab, and in the Variables area, click the pencil icon to edit the value of the variable.
3. Click the tick icon to accept the value of the changed variable or the cross icon to cancel the change.

Adding the variable to a host group

1. In the Satellite web UI, navigate to Configure > Host Groups, and select the host group that you want to use.
2. Click the Parameters tab, and in the Host Group Parameters area, click Add Parameter.
3. In the Name field, add the Ansible variable name.
4. From the Type list, select the type of the variable for validation.
5. In the Value field, enter the value for the variable.

Adding the variable as a global parameter

1. In the Satellite web UI, navigate to Configure > Global Parameters, and click Create Parameter.
2. In the Name field, add the Ansible variable name.
3. From the Type list, select the type of the variable for validation.
4. In the Value field, enter the value for the variable.
5. Optional: If you do not want to display the Ansible variable in plain text, select the Hidden Values checkbox to display the content of the variable as asterisks in the Satellite web UI.

Procedure

1. Ensure that the following repository is enabled:

   • On Red Hat Enterprise Linux 10, 9, or 8, ensure that the AppStream repository is enabled:

     # subscription-manager repos --enable=rhel-10-for-x86_64-appstream-rpms
     # subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
     # subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms

     You must enable an AppStream repository that is designated for your architecture. For more information, see RHEL 8 repositories.

   • On Red Hat Enterprise Linux 7, ensure that the Extras repository is enabled:

     # subscription-manager repos --enable=rhel-7-server-extras-rpms

2. Install the rhel-system-roles package:

   # satellite-maintain packages install rhel-system-roles

   The rhel-system-roles package downloads to /usr/share/ansible/roles/. You can view and make any modifications that you want to the files before you import.

3. In the Satellite web UI, navigate to Configure > Ansible > Roles.
4. Click the Capsule that contains the roles that you want to import.
5. From the list of Ansible roles, select the checkbox of the roles you want to import, and then click Update.

Procedure

1. In the Satellite web UI, navigate to Content > Products.
2. Select the required product name.
3. In the Products window, select the name of a product that you want to create a repository for.
4. Click the Repositories tab, and then click New Repository.

5. In the Name field, enter a name for the repository.

   The Label field is populated automatically based on the name.

6. From the Type list, select ansible collection.

7. In the Upstream URL field, enter the URL for the upstream collections repository.

   The URL can be any Ansible Galaxy endpoint. For example, https://console.redhat.com/api/automation-hub/.

8. Optional: In the Requirements.yml field, you can specify the list of collections you want to sync from the endpoint, as well as their versions.

   If you do not specify the list of collections, everything from the endpoint will be synced.

   ---
   collections:
   - name: my_namespace.my_collection
     version: 1.2.3

   For more information, see Installing roles and collections from the same requirements.yml file in the Galaxy User Guide.

9. Optional: Deselect Sync Dependencies if you do not want Satellite to resolve and synchronize dependencies. By default, Satellite synchronizes all required dependencies.

10. Authenticate:

    1. To sync Ansible collections from Private Automation Hub, enter your token in the Auth Token field.
    2. To sync Ansible collections from console.redhat.com, enter your token in the Auth Token field and enter your SSO URL in the Auth URL field.
    3. To sync Ansible collections from Satellite, leave both authentication fields blank.
11. Click Save.
12. Navigate to the Ansible Collections repository.
13. From the Select Action menu, select Sync Now.

Procedure

1. On the host, configure the ansible-galaxy client to use Satellite Server or Capsule Server as the Galaxy server. Add the required sections to an ansible.cfg file, for example:

   [galaxy]
   server_list = My_Library_Server, My_Promoted_CV_Server
   
   [galaxy_server.My_Library_Server]
   url = https://server.example.com/pulp_ansible/galaxy/My_Organization_Label/Library/custom/My_Product_Label/My_Repository_Label/api/
   
   [galaxy_server.My_Promoted_CV_Server]
   url = https://server.example.com/pulp_ansible/galaxy/My_Organization_Label/My_Lifecycle_Environment_Label/My_Content_View_Label/custom/My_Product_Label/My_Repository_Label/api/

   Replace server.example.com with the fully qualified domain name of your Satellite Server or Capsule Server.

2. Install an Ansible Collection from your Galaxy server. For example:

   # ansible-galaxy collection install My_Namespace.My_Collection \
   --server My_Library_Server

Procedure

1. If you customized /etc/ansible/ansible.cfg, copy your configuration from /etc/ansible/ansible.cfg to /usr/share/foreman-proxy/.ansible.cfg.

2. Encrypt the sensitive file using the ansible-vault command:

   # ansible-vault encrypt /etc/ansible/roles/Role_Name/vars/main.yml

   Note that ansible-vault changes the file permissions to 600.

3. Change the group and permissions of the encrypted file to ensure that the foreman-proxy user can read it:

   # chgrp foreman-proxy /etc/ansible/roles/Role_Name/vars/main.yml
   # chmod 0640 /etc/ansible/roles/Role_Name/vars/main.yml

4. Create the /usr/share/foreman-proxy/.ansible_vault_password file and enter the Vault password into it.

5. Change the user and permissions of the .ansible_vault_password file to ensure that only the foreman-proxy user can read it:

   # chown foreman-proxy:foreman-proxy /usr/share/foreman-proxy/.ansible_vault_password
   # chmod 0400 /usr/share/foreman-proxy/.ansible_vault_password

6. Add the path of the Vault password file to the [defaults] section in /usr/share/foreman-proxy/.ansible.cfg:

   [defaults]
   vault_password_file = /usr/share/foreman-proxy/.ansible_vault_password

   The path to the Vault password file must be absolute.