TPA and Ansible Tower/Ansible Automation Platform v23
TPA supports deployments via RedHat Ansible Automation Platform (AAP).
The support, as detailed below, works by allowing you to run deploy
and upgrade steps on AAP. Before you can run deploy or upgrades
(later), you will need to run configuration (configure command) and
provisioning (provision command) on a separate standalone machine that
has tpa packages installed. Once you have run configure and
provision on this standalone machine with suitable options, you can
then import the resulting cluster directory on AAP. Support is limited
to bare-metal platforms.
AAP initial setup
Before TPA can use AAP to deploy clusters, you need to perform this initial setup.
Add TPA Execution Environment image (admin)
Starting with version 2.4, AAP uses container images to run Ansible playbooks. These containers, called Execution Environments (EE), bundle dependencies required by playbooks to run successfully. As a consequence, this means that in order to, resolve and use all required TPA dependencies, you will need an EE that includes TPA so your AAP can use it when running deployments and upgrades.
Get an EE
See Build an EE for TPA for instructions on building your own image.
EDB customers can reach out to EDB Support for help with EE.
As an AAP admin, create an entry in your available EE list that points to your TPA enabled EE image.
Create the EDB_SUBSCRIPTION_TOKEN credential type (admin)
As an AAP admin, create the custom credential type
EDB_SUBSCRIPTION_TOKENto hold your EDB subscription access token:
Go to the Credentials Type page in the AAP UI.
Set the Name field to
EDB_SUBSCRIPTION_TOKEN.Paste the following into the Input Configuration field:
fields: - id: tpa_edb_sub_token type: string label: EDB_SUBSCRIPTION_TOKEN secret: true required: - tpa_edb_sub_token
Paste the following into the Injector Configuration field:
env: EDB_SUBSCRIPTION_TOKEN: '{{ tpa_edb_sub_token }}'
Save the changes.
Create a credential using the newly added type
EDB_SUBSCRIPTION_TOKEN.
Setting up a cluster
Perform the initial steps on a workstation with the tpaexec packages installed.
On the TPA workstation
Configure
Run the tpaexec configure command, including these options:
--platform bare, --use-ansible-tower, --tower-git-repository
[tpa]$ tpaexec configure <clustername> \ --platform bare \ --use-ansible-tower https://aac.example.com \ --tower-git-repository ssh://git@git.example.com/example \ --hostnames-from <hostnamefile> \ --architecture PGD-Always-ON \ --pgd-proxy-routing local \ --postgresql 16
--use-ansible-tower expects the AAP address as a parameter even if it
isn't used at the time. --tower-git-repository is used to import the
cluster data into AAP. TPA creates its own branch using cluster_name
as the branch name, which allows you to use the same repository for all
of your clusters. All other options to tpaexec configure, as described
in Configuration, are still valid.
config.yml modification
config.yml includes the top-level dictionary ansible_tower, which
causes tpaexec provision to treat the cluster as an AAP-enabled
cluster.
Edit config.yml to ensure that ansible_host and
{private,public}_ip are defined for each node and ansible_host is
set to a value that AAP can resolve. Make any further changes or
additions that you may need. See Cluster
configuration for more details.
To generate inventory and other related files, run tpaexec provision.
On the AAP UI
Project
Add a project in AAP using the git repository as the source. Set the default EE of the project to use the TPA EE image.
Project options
To ensure changes are correctly synced before running a job, we strongly recommend using Update Revision on Launch.
Allow Branch Override is required when trying to use multiple inventories with a single project.
Inventory
Add an empty inventory. Use the project as an external source to
populate it using inventory/00-cluster_name as the inventory file.
Inventory options
To ensure changes are correctly synced, we strongly recommend using Overwrite local groups and hosts from remote inventory source.
We also recommend using Overwrite local variables from remote inventory source when not setting additional variables outside TPA's control in AAP.
Credentials
Create a vault credential. You can retrieve the vault password using
tpaexec show-vault <cluster_dir> on the TPA workstation.
To connect to your inventory nodes by way of SSH during deployment, make sure the machine credential is available in AAP.
Template creation
To create a template:
Create a template that uses your project and your inventory.
Include these required credentials:
- Vault credential
EDB_SUBSCRIPTION_TOKENcredential- Machine credential
Set two additional variables:
tpa_dir: /opt/EDB/TPA cluster_dir: /runner/project
Select
deploy.ymlas the playbook.To deploy your cluster, run a job based on the new template.
Use one project for multiple inventory
TPA uses a different branch name for each of your clusters in the associated git repository. This approach allows the use of a single project for multiple clusters.
Set Allow branch override option
In the AAP project, enable the Allow branch override option.
Define multiple inventories
TPA uses a different branch name for each of your clusters in the git repository. You can generate multiple inventories using the same project as the source by overriding the branch for each inventory.
Define credentials per inventory
Ensure vault passwords are set accordingly per inventory since these differ on each TPA cluster.
Update TPA on AAP
Updating TPA on AAP involves some extra steps.
Update TPA workstation package
Update your TPA workstation package as any OS package depending on your OS. See Installation.
Use EE image with same version tag
Modify the EE image in AAP to use the same version tag as the workstation package version used.
Run tpaexec relink on your cluster directory
Ensure that any cluster using AAP is up to date by running tpaexec
relink <cluster_dir> --force. An example of when you need to do this is
after you have upgraded your TPA installation to a new version. Be sure
to push any change committed by the relink command:
$ git status On branch cluster_name Your branch is ahead of 'tower/cluster_name' by 1 commit. (use "git push" to publish your local commits) ... $ git push tower
Sync project and inventories
If they aren't set to use Update revision on job launch and Update on launch, sync the project in the AAP UI and related inventories, respectively.
Build an EE for TPA
Prerequisites
In order to build your own EE image, we recommend using
ansible-builder.
You need:
dockerorpodmanansible-builderandansible-navigatorpython toolkits- TPA source code checked out at tag
vA.B.Cfrom TPA repo wherevA.B.Cis the TPA version you want to use.
Environment file
ansible-builder uses an environment file to help generate a working EE
image.
Here is a template example of such an environment file for TPA:
execution-environment.yml
version: 3 images: base_image: name: 'registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest' dependencies: python: << TPA_REPO_CLONE_FOLDER >>/requirements-aap.txt galaxy: << TPA_REPO_CLONE_FOLDER >>/collections/requirements.yml options: package_manager_path: /usr/bin/microdnf additional_build_steps: append_final: - RUN mkdir -p /opt/EDB/TPA - COPY << TPA_REPO_CLONE_FOLDER >> /opt/EDB/TPA - ENV PYTHONPATH="${PYTHONPATH:+${PYTHONPATH}:}/opt/EDB/TPA/lib"
Base image
Base image used here requires access to registry.redhat.io (should
be provided alongside AAP license). This image already comes with
most of the requirements for AAP 2.4 such as python 3.9.*,
ansible-core==2.15.*, and ansible-runner which simplify the
task.
Different base image may require more additional_build_steps. See
ansible-builder
for advanced usage.
EE build command
The following command should build the EE image for you:
ansible-builder build \ --file=execution-environment.yml \ --container-runtime=<docker/podman> \ --tag=<your-registry>/<your-namespace>/tpa-ee:vA.B.C \ --verbosity 2