Chapter 6. Additional configurations
The following chapter describes Ansible Automation Platform configuration steps that you can perform once your deployment is complete on GCP.
6.1. Changing the default administrator password
The default administrator password for Ansible Automation Platform is generated randomly when Ansible Automation Platform from GCP Marketplace is deployed. Follow these steps to change the administrator password for both automation controller and automation hub.
Procedure
Navigate to the GCP Secrets Manager Console.
- Locate and open the secret for the Ansible Automation Platform deployment with the name <deployment_name>-aap-admin.
- Select NEW VERSION to add a new version.
- Enter a password secret value.
- Check the Disable all past versions checkbox.
- Click ADD NEW VERSION.
Change the running Ansible Automation Platform VM instances to use the new administrator password.
- Navigate to the GCP VM Instances console.
- Identify and delete one automation controller VM instance and one automation hub VM instance for the Ansible Automation Platform deployment.
- Wait for the automation controller and automation hub Instance groups to create new VM instances.
- The new administrator password can be used when the new automation controller and automation hub VM instances reach a Running Instance State.
6.2. Replacing automation controller and automation hub VM instances SSL/TLS certificate and key
By default, VM instances are secured with a self-signed SSL/TLS certificate with a validity period of ten years. When the certificate expires or you want VM instances to use your own certificate, you are required to replace the SSL/TLS certificate and key.
Procedure
Navigate to the GCP Secrets Manager Console.
- Locate and open the secret for the Ansible Automation Platform deployment with the name <deployment_name>-pulp_cert.
- Select NEW VERSION to add a new version.
- Enter the new SSL/TLS certificate value.
- Check the Disable all past versions checkbox.
- Click ADD NEW VERSION.
Navigate to the GCP Secrets Manager Console.
- Locate and open the secret for the Ansible Automation Platform deployment with the name <deployment_name>-pulp_key.
- Select NEW VERSION to add a new version.
- Enter the new SSL/TLS key value.
- Check the Disable all past versions checkbox.
- Click ADD NEW VERSION.
Change the running Ansible Automation Platform VM instances to use the new SSL/TLS certificate and key.
- Navigate to the GCP VM Instances console.
- Identify and delete all automation controller and automation hub VM instances for the Ansible Automation Platform deployment.
- Wait for the automation controller and automation hub Instance groups to create new VM instances.
- The new certificate is in use when the new automation controller and automation hub VM instances reach a Running Instance State.
6.3. Securing internal communication with SSL
Ansible Automation Platform from GCP Marketplace is deployed with two internal application load balancers, one each in front of the hub and controller instances. These internal load balancers must be configured with SSL certificates after deployment completes.
Securing traffic through these internal load balancers is different than securing traffic through external load balancers in previous steps. This process ensures HTTP traffic is encrypted even when the traffic is localized to private GCP VPCs. The same procedure can be followed for both the automation controller and automation hub load balancers.
Modify both the automation controller and automation hub load balancers, which have the name format <DEPLOYMENT_NAME>-aap-<cntrlr/hub>-int-lb.
Procedure
Generate the automation controller or automation hub certificate with the following command:
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365
- In the GCP console, navigate to the Load Balancing page.
- In the search bar, enter the name of your deployment to filter down to your load balancers.
- Click <DEPLOYMENT_NAME>-aap-<cntrlr/hub>-int-lb.
- Click Edit.
- Click Frontend configuration.
Click ADD FRONTEND IP AND PORT. Use the following values:
- Protocol: HTTPS (includes HTTP/2).
- Subnetwork: Select the available aap-subnet.
- Port: 443
- IP Address: <DEPLOYMENT_NAME>-aap<cntrlr/hub>-intl-lb-ip
If you have already added your certificate, select it.
- If you have not added your certificate, click CREATE A NEW CERTIFICATE.
- Provide a name for your certificate.
- Using your previously generated certificate, copy the contents of cert.pem and paste them under Certificate.
- Using your previously generated certificate key, copy the contents of key.pem and paste them under Private Key.
- Click Create.
- Click Done.
Optional: Delete the HTTP Frontend configuration.
- Open the Load balancer instance.
- Click Frontend Configuration. The configurations appear on the left side of the UI.
- Scroll to the configuration you want to delete.
- Click the trashcan icon to delete the configuration.
- Click Update, and confirm the update.
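Before pasting cert.pem and key.pem into the load balancer (6.3) or into the <deployment_name>-pulp_cert and <deployment_name>-pulp_key secrets (6.2), confirm that the two files belong together and that the certificate is not close to expiry, because a mismatched pair only shows up once the replacement VM instances or the HTTPS frontend try to use it. The shell functions below are an added example and not part of the Red Hat procedure; the function names, the 30-day default and the -subj value are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a certificate/key pair before upload.
# Function names are hypothetical; cert.pem and key.pem are the file names from section 6.3.

# Succeeds only if the certificate's public key equals the private key's public half.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs both checks and prints a verdict; returns non-zero on any failure.
check_pair() {
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 and $2 are not a matching pair" >&2
        return 1
    fi
    if ! cert_valid_for_days "$1" "${3:-30}"; then
        echo "FAIL: $1 expires within ${3:-30} days" >&2
        return 1
    fi
    echo "OK: $1 matches $2 and is valid for at least ${3:-30} more days"
}

# Builds a constructed, throwaway pair in directory $1 with the openssl command from 6.3
# (-subj is an assumption added so the command does not prompt), plus an unrelated key.
make_sample_pair() {
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$1/key.pem" -out "$1/cert.pem" \
        -sha256 -days 365 -subj "/CN=aap-int-lb.example.internal" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.pem" 2>/dev/null
}

# Usage: sh check_pair.sh cert.pem key.pem [min_days]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

Run it against the exact files you intend to upload; a non-zero exit status means the pair should not be pasted into Secret Manager or the load balancer.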
6.4. Security considerations
To configure Red Hat Single Sign-On with an identity provider that can enable multi-factor authentication (MFA), follow the steps here for connecting enterprise authentication to Ansible Automation Platform.
Securing infrastructure services is an important step in any cloud deployment. Follow the implementation and security suggestions from GCP documentation for services used as part of an Ansible Automation Platform from GCP Marketplace deployment.