Custom Domain for Ansible Automation Platform on Azure
Table of Contents
Overview
The Ansible Automation Platform on Azure generates URLs under the ansiblecloud.redhat.com domain to access the components of the platform. Customers may want to use a branded or company domain to access their deployments. This article describes the process to add that domain to their deployment. The addition of a custom domain does not replace the auto-generated URLs for the managed application. The auto-generated URLs will continue to function after enabling the custom domain.
NOTE: If the custom domain is not publicly resolvable, the customer is responsible for making sure their private DNS is accessible to the VNet in the managed resource group. There are many ways to do this and customer dependent. Some known working solutions are to use an Azure Private DNS Zones or an Azure DNS Private Resolver.
Certificate Configuration Options
A customer has the ability to choose their configuration option based on their deployment type and needs.
| Deployment Type | Certificate Configuration |
|---|---|
| Private | * Customer Provided Certificate |
| Public | * Customer Provided Certificate * Let’s Encrypt Certificate (issued by cert-manager) |
Customer Provided Certificate Configuration
In addition to the custom domain, customers can provide a TLS certificate/secret to enable a custom domain for either private or public deployments. Follow your enterprise guidelines to create a SSL certificate signed by your preferred certificate authority.
Follow this process to configure a custom domain using a customer provided certificate to your private/public deployment:
- Plan your customization by identifying the domain or subdomain that you want to use. You will need to be able to add DNS records which are accessible across your environment. You will use the same domain for all URLs in the deployment. (e.g. aap.example.com)
- Identify the IP address of your managed application. A DNS lookup can be used on any of the URLs for the managed application to identify the IP address.
- Create three DNS A records using the following hostnames pointing to the IP address identified in step #2:
- controller (e.g. controller.aap.example.com)
- hub (e.g. hub.aap.example.com)
- sso (e.g. sso.aap.example.com)
- landing (e.g. landing.aap.example.com)
- When creating the certificate, make sure that all the domains (controller, hub, sso and landing) are located in the SAN (Subject Alternative Name) parameter so the certificate can be valid for all of them
- Open a support ticket requesting a custom URL configuration to your public deployment. Supply the following information:
- Company Name
- Managed Application Name
- Custom domain (e.g. aap.example.com)
- Certificate/Secret (issued by customer) Note that the SSL key cannot have a pass phrase.
- Add the controller custom domain to the CSRF Trusted Origins List in the Automation Controller UI:
- Settings -> Miscellaneous System -> CSRF Trusted Origins List
- It's important to include the URL with the scheme (https://), e.g.: https://controller.aap.example.com
- The site reliability team will apply the configuration to your private managed application and verify functionality.
Let’s encrypt Certificate Configuration (issued by cert-manager)
For public deployments apart from the Customer Provided Certificate, customers also have the option to use the Let’s encrypt where the cert-manager (managed by Red Hat) will issue needed certificates. Follow this process to configure a custom domain using a customer provided certificate to your public deployment:
- Plan your customization by identifying the domain or subdomain that you want to use. You will need to be able to add DNS records which are publicly accessible. You will use the same domain for all URLs in the deployment. (e.g. aap.example.com)
- Identify the IP address of your managed application. A DNS lookup can be used on any of the URLs for the managed application to identify the IP address.
- Create three DNS A records using the following hostnames pointing to the IP address identified in step #2:
- controller (e.g. controller.aap.example.com)
- hub (e.g. hub.aap.example.com)
- sso (e.g. sso.aap.example.com)
- landing (e.g. landing.aap.example.com)
- Open a support ticket requesting a custom URL configuration to your public deployment. Supply the following information:
- Company Name
- Managed Application Name
- Custom domain (e.g. aap.example.com)
- Add the controller custom domain to the CSRF Trusted Origins List in the Automation Controller UI:
- Settings -> Miscellaneous System -> CSRF Trusted Origins List
- It's important to include the URL with the scheme (https://), e.g.: https://controller.aap.example.com
- The site reliability team will apply the configuration to your private managed application and verify functionality.
Comments