{{tag>Brouillon AAP Ansible CA}}
= Notes Ansible Tower - Ansible Automation Platform
See also:
* event-driven platform for runbook automation / IFTTT (if this, then that)
* [[https://en.m.wikipedia.org/wiki/StackStorm|StackStorm]]
* https://en.m.wikipedia.org/wiki/Infrastructure_as_code#Tools
Vocabulary / Concepts
* https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
* https://docs.ansible.com/automation-controller/latest/pdf/
* https://access.redhat.com/documentation/en-us/reference_architectures/2022/pdf/ansible_automation_platform_1.2_to_2_migration_guide/reference_architectures-2022-ansible_automation_platform_1.2_to_2_migration_guide-en-us.pdf
Lifecycle:
* https://access.redhat.com/support/policy/updates/ansible-automation-platform
Red Hat documentation search:
* https://access.redhat.com/taxonomy/products/red-hat-ansible-automation-platform
* https://access.redhat.com/taxonomy/products/red-hat-ansible-automation-hub
See:
* https://legacy-controller-docs.ansible.com/automation-controller/latest/html/
=== Ansible Engine
This is Ansible itself, installed with:
sudo yum install ansible
=== Control node
Control node
* control plane
* execution plane
In AAP v1 the "control plane" and the "execution plane" were together on the "control node".
Mesh node types:
''node_type=hybrid'' by default, or ''node_type=control''
node_type:
* control (WebUI & API)
* execution (ansible-playbook)
* hybrid (Execution + control)
* hop (a kind of SSH proxy between the Controller and the Execution Nodes; cannot be an Execution Node)
=== Execution Node (Ansible Automation Engine)
The machine that runs Ansible
Linux Mac BSD ...
Python 3.8 or later
=== Hop nodes / Execution nodes
mesh node types
''node_type=hop''
or ''node_type=execution''
=== Ansible Mesh / Receptor
See:
* https://github.com/ansible/receptor
* https://github.com/ansible/receptor/tree/devel/tools/examples/simple-network
* https://www.ansible.com/blog/peeling-back-the-layers-and-understanding-automation-mesh
* https://receptor.readthedocs.io/en/latest/index.html [[https://receptor.readthedocs.io/_/downloads/en/latest/pdf/|PDF]]
* https://malfunceddie.github.io/article/awx-hop-nodes/hopnodes/
* https://access.redhat.com/documentation/en-us/red_hat_ansible_automation_platform/2.1/html-single/red_hat_ansible_automation_platform_automation_mesh_guide/index
* https://www.ansible.com/blog/whats-new-in-ansible-automation-platform-2.1-automation-mesh
receptor_listener_port
27199/tcp
| Automation Controller | Execution Node |
| ESTABLISHED 27199 | LISTEN 27199 |
work-signing keys
Control node receptor
- work-signing:
    privatekey: /etc/receptor/work_private_key.pem
    tokenexpiration: 1m
- work-verification:
    publickey: /etc/receptor/work_public_key.pem
Execution Node
- work-verification:
    publickey: /etc/receptor/work_public_key.pem
To create the keys, use openssl commands; they are invoked in the plays here:
https://github.com/ansible/awx/blob/a86740c3c9eaf9a551e850341d8adec5a3962dd5/tools/docker-compose/ansible/roles/sources/tasks/main.yml#L84
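Added example (not from the original notes or from the AWX role linked above): a shell sketch that creates an RSA work-signing key pair with openssl and checks that the public key deployed for ''work-verification'' belongs to the signing key. The function names and the scratch paths are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: create a Receptor work-signing key pair and verify that the
# public key deployed for work-verification belongs to the signing key.
# All paths are arguments; nothing here is taken from the AWX role itself.

# Create an RSA private key readable by its owner only, plus its public key.
gen_work_keys() {
    local priv="$1" pub="$2" bits="${3:-4096}"
    ( umask 077; openssl genrsa -out "$priv" "$bits" 2>/dev/null ) || return 1
    openssl pkey -in "$priv" -pubout -out "$pub" 2>/dev/null
}

# Print the SHA-256 of the DER public key. $2 is "priv" or "pub".
# Run it on each node and compare the output to spot a mismatched key.
pubkey_fingerprint() {
    local pem
    if [ "$2" = pub ]; then
        pem=$(openssl pkey -pubin -in "$1" -pubout 2>/dev/null) || return 1
    else
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files parse and carry the same public key.
keys_match() {
    local a b
    a=$(pubkey_fingerprint "$1" priv) || return 2
    b=$(pubkey_fingerprint "$2" pub) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo in a scratch directory (constructed paths, not /etc/receptor).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_work_keys "$d/work_private_key.pem" "$d/work_public_key.pem" 2048
    keys_match "$d/work_private_key.pem" "$d/work_public_key.pem" && echo "keys match"
    pubkey_fingerprint "$d/work_public_key.pem" pub
    rm -rf "$d"
fi
```

On real nodes, run ''pubkey_fingerprint'' against the private key on the control node and against the public key on each execution node, then compare the two values.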
=== Ansible Execution Environment
A kind of pyenv containing Ansible, the collections and plugins
=== Managed host
The targets
ansible myhost --become -m raw -a "yum install -y python2"
Prerequisite: Python 2 (version 2.6 or later) or Python 3 (version 3.5 or later)
Automation Hub / Galaxy
jfrog-artifactory :
* https://jfrog.com/help/r/jfrog-artifactory-documentation/ansible-repositories
* https://jfrog.com/blog/manage-ansible-collections-with-jfrog-artifactory/
=== Hop node
Formerly "Isolated Nodes"
See:
* https://developers.redhat.com/blog/2017/12/20/understanding-ansible-tower-isolated-nodes#
Alternative to ssh-proxy\\
The only prerequisite is that there is SSH connectivity from the Tower Cluster to the Isolated Node
Example configuration:
[isolated_group_restrictedzone:vars]
controller=tower
[isolated_group_nc]
cary.remote.office controller=tower
Isolated instances are not supported in conjunction with running Ansible Tower in OpenShift.
=== Ansible Automation Hub
See [[https://github.com/ansible/galaxy_ng|Galaxy NG]]
(Private) Automation Hub
== Config
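''ALLOW_JINJA_IN_EXTRA_VARS'' accepts ''template'' (the default), ''never'' or ''always''; with ''always'', Jinja in extra variables supplied at job launch is rendered as well.
tower-cli setting modify ALLOW_JINJA_IN_EXTRA_VARS always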
== Logs
See: https://github.com/ansible/awx/issues/11330
Job extra_vars in the logs (to be tested)
- hosts: localhost
  gather_facts: false
  tasks:
    - shell: "echo {{ inventory_hostname }}"
or
The first idea was to add extra_vars to every job event, but it would work just as well to be able to add a short string label (prompt on launch) when launching a job template. This should not cause a performance issue.
Add extra_vars to every job event sent over job_events #11330
=== Search by date / time
GT
env TZ=Europe/Paris date --rfc-3339=second -d '2023-08-23 21:50'
2023-08-23 21:50:00+02:00
LT
env TZ=Europe/Paris date --rfc-3339=second -d '2023-08-24 00:20'
2023-08-24 00:20:00+02:00
== Development / Integration
=== Ansible Navigator
* TUI or CLI to execute playbook
* Supports Execution Environments
=== Ansible Builder
* creates Execution Environment
* takes as input text/YAML files describing the EE to build
See:
* https://thedatabaseme.de/2022/09/09/self-build-awx-execution-environment/
=== Other
GPG Signing
* https://www.youtube.com/watch?v=O1me0dBr9_w
* https://www.youtube.com/watch?v=sXHSUsw5yEQ
Find the version
cat /etc/ansible-automation-platform/VERSION
The DB connection configuration is here: \\
''/etc/tower/conf.d/postgres.py''
== Other
#ansible-config init --disabled -t all > ansible.cfg
ansible-navigator config init --disabled -t all > ansible.cfg
View the configuration
ansible-config dump --only-changed -t all
#ansible-config view | grep -B 2 -A 2 'inventory plugins'
ansible-navigator config view | grep -B 2 -A 2 'inventory plugins'
[root@ansible-1 ~]# awx-manage list_instances
[tower capacity=51]
ansible-1 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:06:21"
ansible-2 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:05:58"
ansible-3 capacity=17 version=3.7.1 heartbeat="2020-08-27 09:06:00"
https://goetzrieger.github.io/ansible-tower-advanced/2-clustering/
#!/bin/bash
awx -f human inventory create --name "Example Inventory" --organization "Default"
awx -f human host create --name "node1" \
--inventory "Example Inventory"
awx -f human host create --name "node2" \
--inventory "Example Inventory"
awx -f human credential create --name "Example Credentials" \
--organization "Default" \
--credential_type "Machine" \
--inputs '{"username": "ec2-user", "ssh_key_data": "@~/.ssh/aws-private.pem"}'
awx -f human project create --name="Apache" \
--scm_type=git \
--scm_url="https://github.com/goetzrieger/ansible-labs-playbooks.git" \
--organization "Default" \
--scm_clean=true --scm_delete_on_update=true --scm_update_on_launch=true \
--wait
awx -f human job_templates create \
--name="Install Apache" \
--inventory="Example Inventory" \
--project=Apache \
--playbook=apache_install.yml \
--become_enabled="yes"
awx -f human job_template associate --name "Install Apache" \
--credential "Example Credentials"
Source : https://goetzrieger.github.io/ansible-tower-advanced/4-awx-cli-exercises/
== Other
=== Credentials
sudo awx-python -m pip install safeguardcredentialtype
sudo awx-manage setup_managed_credential_types
sudo automation-controller-service restart
Source : https://pypi.org/project/safeguardcredentialtype/
See also: ''M(awx.awx.credential_input_source)''