Automatically sync collections with Red Hat
As you probably know, the token used for synchronizing the Red Hat collections is only valid for 30 days if you don't use it. So you need to sync your collections with the Red Hat automation hub at least once every 29 days. We wouldn't be automation techs if we didn't automate this too... On the Red Hat site there is a solution with a curl command, but it doesn't conform to Ansible best practices. So we need a playbook that we can schedule in the controller and that is neatly implemented with a credential.
To be able to do this in all environments, we need the following:
1. A credential type to store the token
2. A credential in each controller
3. A project in git with the playbook
4. A project and job template in controller and a schedule for this
Credential type
Add the credential type definition below to the base config for controller:
(If you have read the configuration as code, you will find it's already in there.)
controller_credential_types_all:
  - name: automation_hub
    description: automation hub
    kind: cloud
    inputs:
      fields:
        - id: verify_ssl
          type: boolean
          label: Verify SSL
        - id: hostname
          type: string
          label: Hostname
        - id: username
          type: string
          label: Username
        # secret: true stores the value encrypted and masks it in the controller
        - id: password
          type: string
          label: Password
          secret: true
        - id: token
          type: string
          label: Token
          secret: true
      required:
        - hostname
    injectors:
      # Exposed to the job as environment variables
      env:
        AH_PASSWORD: !unsafe "{{ password }}"
        AH_USERNAME: !unsafe "{{ username }}"
        AH_HOST: !unsafe "{{ hostname }}"
        AH_API_TOKEN: !unsafe "{{ token }}"
        AH_VERIFY_SSL: !unsafe "{{ verify_ssl }}"
      # Exposed to the playbook as extra vars
      extra_vars:
        ah_password: !unsafe "{{ password }}"
        ah_username: !unsafe "{{ username }}"
        ah_host: !unsafe "{{ hostname }}"
        ah_token: !unsafe "{{ token }}"
        ah_validate_certs: !unsafe "{{ verify_ssl }}"
This will add the credential type to the automation controller in each environment.
Add the credential to all controller environments
Ensure that the newly created credential_type-based credential is added to all controller environments. So in the group_vars/all/credentials.yaml:
- name: automation_hub_sync_token
  description: ""
  credential_type: automation_hub
  organization: "<Org_name>"
  inputs:
    hostname: '<automation_hub_url>'
    token: "{{ ahub_token }}"
    verify_ssl: false
Use the variable "{{ ahub_token }}" here, as indicated, and it will be filled correctly in the controller (provided you follow the guides on this site). How this works is explained in the configuration of the controller.
Create the GIT project
Create a project in GIT and make sure the following playbook is in this repository along with a relevant README.md.
---
- name: Sync collections on private hub
  hosts: localhost
  tasks:
    - name: Sync content rh-certified
      ansible.builtin.uri:
        url: "https://{{ ah_host }}/api/galaxy/content/rh-certified/v3/sync/"
        method: POST
        headers:
          Authorization: "Token {{ ah_token }}"
        validate_certs: "{{ ah_validate_certs }}"
        return_content: true
      register: sync_rhcertified
    - name: Debug output
      ansible.builtin.debug:
        var: sync_rhcertified
    - name: Sync content community
      ansible.builtin.uri:
        url: "https://{{ ah_host }}/api/galaxy/content/community/v3/sync/"
        method: POST
        headers:
          Authorization: "Token {{ ah_token }}"
        validate_certs: "{{ ah_validate_certs }}"
        return_content: true
      register: sync_community
    - name: Debug output
      ansible.builtin.debug:
        var: sync_community
To make sure that this playbook doesn't require any external inventory, we create a hosts.yml in the repository, which we can populate with the names of the automation hubs.
# One group per environment; the YAML inventory format lists host names as keys under "hosts"
dev:
  hosts:
    <automation_hub_host_url_dev>:
test:
  hosts:
    <automation_hub_host_url_test>:
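A variant of the sync playbook above that keeps the token out of the job output and refuses to send it when certificate validation is switched off. This is an added example, not part of the original article. It assumes the hub certificate is trusted by the execution environment and that the credential sets verify_ssl to true; the variable name ahub_repositories is made up for this example.

```yaml
---
# Added example: same two sync calls as the original playbook, token-safe.
- name: Sync collections on private hub (token-safe variant)
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical variable; the names come from the two URLs in the original playbook.
    ahub_repositories:
      - rh-certified
      - community
  tasks:
    - name: Refuse to send the token without certificate validation
      ansible.builtin.assert:
        that:
          - ah_validate_certs | bool
        fail_msg: "ah_validate_certs is false; the token would be sent over an unverified TLS session."

    - name: Start sync for each repository
      ansible.builtin.uri:
        url: "https://{{ ah_host }}/api/galaxy/content/{{ item }}/v3/sync/"
        method: POST
        headers:
          Authorization: "Token {{ ah_token }}"
        validate_certs: true
        return_content: true
      loop: "{{ ahub_repositories }}"
      register: sync_results
      # Censors the module arguments (including the Authorization header)
      # and the raw result in the job output, at any verbosity.
      no_log: true

    - name: Report only the HTTP status per repository
      ansible.builtin.debug:
        msg: "{{ item.item }}: HTTP {{ item.status }}"
      loop: "{{ sync_results.results }}"
      loop_control:
        # Without a label, debug would print the whole registered item.
        label: "{{ item.item }}"
```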
Controller configuration
Everything we've created so far now comes together in this part of the configuration. We'll create the schedule in the controller, after which we can safely forget what we've done and be sure that the token will never expire. We will add these objects to the organization in the controller that also houses the admins (superusers); for the sake of convenience we will call it the MGT organization. First, we need to add the project:
group_vars/all/projects.yaml:
- name: MGT_sync_automation_hub
  description: "Sync the automation hub weekly"
  organization: ORG_MGT
  scm_type: git
  scm_url: git@gitlab.homelab:sync_ahub_galaxy.git
  scm_credential: MGT-Gitlab
  scm_branch: main
  scm_clean: false
  scm_delete_on_update: false
  scm_update_on_launch: true
  scm_update_cache_timeout: 0
  allow_override: false
  timeout: 0
Before we can create the job template, we need to create an inventory, because a job template must be linked to an inventory in the controller.
group_vars/all/inventories.yaml:
controller_inventories_all:
  - name: MGT_inventory_ahub_sync
    description: MGT single purpose inventory
    organization: ORG_MGT
group_vars/all/inventory_sources.yaml:
controller_inventory_sources_all:
  - name: MGT_inventory_ahub_sync
    description:
    organization: ORG_MGT
    source: scm
    source_project: MGT_sync_automation_hub
    source_path: hosts.yml
    inventory: MGT_inventory_ahub_sync
    update_on_launch: true
    overwrite_vars: true
    overwrite: true
Now we can add the job template to the configuration:
group_vars/dev/templates.yaml:
- name: MGT_sync_automationhub
  description: Sync automation hub automatically
  organization: ORG_MGT
  project: MGT_sync_automation_hub
  inventory: MGT_inventory_ahub_sync
  playbook: main.yml
  job_type: run
  fact_caching_enabled: false
  # The credential injects ah_host, ah_token and ah_validate_certs into the playbook
  credentials:
    - automation_hub_sync_token
  concurrent_jobs_enabled: false
  ask_scm_branch_on_launch: false
  ask_tags_on_launch: false
  ask_verbosity_on_launch: false
  ask_variables_on_launch: false
  extra_vars:
  execution_environment: Default execution environment
  survey_enabled: false
  survey_spec: {}
And finally, take care of the scheduling of the job template we just created, so we can forget about it:
group_vars/dev/schedules.yaml:
controller_schedules_dev:
  - name: MGT Sync Private Hub
    description: Sync Private hub repos
    unified_job_template: MGT_sync_automationhub
    # DTSTART and RRULE are separated by one space; the RRULE parts themselves contain no spaces
    rrule: "DTSTART:20231212T110000Z RRULE:FREQ=DAILY;INTERVAL=1;BYDAY=TU,TH"
The rule in this example ensures that the synchronization of the collections is done twice a week, on Tuesdays and Thursdays. The start time is in the past, so the schedule will be executed on the next Tuesday or Thursday at 11:00 AM, as that is the time specified for this.
This way your galaxy token will never expire.