My name is Reshan Bhatti and I'm a part of the consulting services team based out of Germany. So we implement all these Red Hat Enterprise products at the customer side. And my colleague Moritz, he couldn't join today's session because he's implementing AAP somewhere at the customer side. But his heart is in the session.

And now I think let's begin with the agenda. So today I would really want to keep this session and the slides very interactive with you all. And at the end, after this presentation, I would really like you all to go and play along with the demo which I've created for you. So you could install it on your local laptops or you could just spin up three VMs on any cloud and then install AAP, play along with it. So today we'll be covering what exactly is an Ansible Automation Platform, some of the good practices and security implementation for your Ansible Automation Platform, as well as for the hosts which you are trying to automate. So we'll be covering both the things. And then of course configuration as code because code is important and you cannot do anything manually. I have prepared a small basic demo and I will try to show you some analytics around it.

But before we move on to Ansible Automation Platform, are we all aware what exactly Ansible does? Yes, no, maybe? Perfect. So I would just say in our lives, automation is incorporated on a daily basis. Earlier we used to set up certain alarms and now we have Alexa. Earlier we used to wipe and mop our houses on our own. Now we have robots who are doing it. Similarly Ansible is an open source tool which would automate your entire infrastructure and your IT departments. And Ansible Automation Platform, it's a box of goodies which comes along with a set of toolkits which helps you to automate multiple tasks and resources together in your infrastructure team.

So the first part is let's say for example, what exactly would you want to do with the operations side?
You would have a UI which would be provided by your automation controller and your automation hub which we are going to see later. But that contains your own execution environments, your collections, etc. To support that we would need the Ansible content creation. So how are you going to create your Ansible playbooks? We have certain Ansible content creation tools, Ansible Builder, etc. From which you could create your execution environments, you could create your playbooks, test them, and whatnot. And finally, when you have all that in place, you would need to visualize what is running perfectly, what is failing, and you would need a beautiful analytical page to identify and to view all the tasks. So that's what is all provided by this AAP platform.

So now we are going to deep dive into some basics of automation controller which we just saw and some of the objects of it. So automation controller as you see, it's just a web UI based tool where you perform all the operations. So where you define all your playbooks and it comes with a role based access mechanism. So whatever object you would want to give, that's very easy. Second, it also has an API. So if you want to call an API to create something or to modify any object, that's also even possible. Plus, it's like if you want to see centralized auditing logs, who did what? That's really important in IT. Who messed up my environment? How can we resolve it? That's also even possible with this. And you could do a lot of things with this. I'm just having some other basics.

Now this project, just imagine that you have a set of objects or building blocks which you would define with your automation controller. So your projects, let's say for example if you have created Ansible playbooks and roles based on it. You would just use an SCM extension to import all this code in your automation platform controller. That's just the building block.
And if you see this image, especially this config as code, def code, repository project code, we would be creating it in the remote cell.

Inventories. So for example, you want to start your own IT company or you have your own startup. Now you would want to do certain tasks on your servers on which your application is running. Those particular servers would be added or they are known as the inventory. So they are the actual hosts on which all this automation would be applied. They are logically grouped and again it's all secure because you could define permissions who can access your inventory. For this demo, we have again created another project based only on inventory. So let's say for example if I have 1000 of hosts which I want to automate, I need to group them logically. And I need to tell them okay, my development environment has 50 hosts, my testing environment has 100 hosts and so on.

Then job templates. So job templates I would call it as like it's a glue or it's again an object which has everything. So whatever project you define or whatever playbooks, whatever your execution environments, credentials, they all stick to this job template. And the best part is it's reusable. So you create this job template once, it runs your playbook and then you are done. So you could reuse this job template again and again for your multiple automation tasks.

Workflows. So to make it simple, it's just the combination of all your job templates. So it looks like a pipeline but it's not. It's a job template. So these are some of the basic terminologies which we use in automation controller. And trust me, by now you're already one step closer to being an alien spot.

So let's talk about some of the good practices and security implementation for this entire platform. And so to begin with, what exactly is wrong with this picture? Any guesses? Exactly. And so when we start developing a lot of things, at a later stage our code starts to get messy.
But if we start with an organized way or organized way of writing code, it's much easier to understand and it's much easier to manage it. So that's one of the good practices that you need to organize everything. You need to organize your roles. You need to organize your inventories, your playbooks in a proper way. That's the basic step in my opinion to implement a good practice in your team or in your organization.

Another example is you need to create simple playbooks and inventories. So if you see, that's my playbook and it's just a few roles which I've defined. I have not written any complex logic over here. I have not defined any tasks to agree or do over certain goals to automate. I've just kept it simple. All the logic resides in the roles itself. Similarly, if you look at my inventory, I have managed and I've labeled it according to my requirements. So all contains all of my roles. My dev has my host one. I have my prod with host team. And if I want to club them all, I have a child host which would contain my dev and test host. That's how you manage your inventories.

Another important thing is like infra as code. We have heard about this term a lot. But when we go to customers and we see that it's still not implemented properly. The versioning of infrastructure as code is not done properly yet. That's where we feel like there's a huge scope where developers, where all the IT guys, operation guys need to collaborate together to build it properly. So in this example, if you see, let's assume you're like an Ansible playbook developer or infrastructure developer. You would just do exactly the same things as you do if you were a Java developer or if you were a Python developer. You would commit or create your Ansible playbook code in the development branch. You would use the best tool set which are available as VS Code extensions, IDE extensions or anything else. And then you would just do a proper peer review, approve it.
Then that code gets run to your validation branch. You can call it testing branch, whatever. And then it gets merged to your exact production running system.

Now, when you talk about security, integrating with LDAP based systems, I think that's again a necessity. Because every enterprise we talk about or any company, be it a startup or a medium size company, all of them, they're using certain LDAP mechanisms in their companies or LDAP servers. And with automation platform, you can seamlessly integrate all of it. So we have done integrations for multiple companies and it's pretty easy if it comes to automation platform.

Then let's talk about, okay, any ideas viewing this, what are we talking about? It definitely doesn't have gold in it. So exactly, exactly. So this can be unique to use vaults and credentials in your controller. You cannot just put on simple passwords in your Git repo. That's not recommended and it's not a good practice at all. So what you do is you integrate with multiple enterprise vaults which are available in the market or open source vault. That is up to you. And then you store all your secret data in those vaults. Automation controller connects to that vault to fetch the value. That's what, again, makes it more secure. And again, using vaults and secret management is one of our good practices if you're using Ansible Automation Platform.

Okay, so this is the server hardening. So if you have worked on Linux, I'm pretty sure you must have hardened your servers, made a lot of changes in the services, default services which come with the server or Linux server. And you must have disabled the root login. You need to be always updated to all these packages and you need to have SSL/TLS certificates, auditing, etc. Now, a question to all of you. When we were doing all of these manually or using certain shell scripts or any of the additional tools, how much time it would take to set up all of these? Any wild guesses? Oh, long time is really long.
But of course, yes. In the demo which we are going to have today, I would just automate all of this in the workflow which we just saw and we would see how much time it took.

Then one of the best practices which we're talking about, this is configuration as code. So to give you a brief example, I've created three repositories. My first repository is where all my Ansible code is present. It's like it has all my roles to disable the root login, update packages, etc. My second repository is the inventory on which host all these job templates would actually run. And my third repository is my configuration as code, which would download my AAP, configure it as per my wishes, as per the best or good security practices, and then it would make all the automations which we have defined in the playbooks repo to all your hosts. By this approach, we are not just configuring our Ansible Automation Platform, but we are telling the Ansible Automation Platform that perform all these tasks on all my hosts. So it's all in one.

And for this demo, I've used two organizations, org storage, org unix. We have defined role-based access controls over here. So the teams which are over here, the storage admins and the storage developers. Storage admins have the admin access to all the objects which you see, which we just talked about. And the unix, the admins have all the accesses. Developers have the execute permissions and the operation teams can just use it. So they cannot modify or edit any of the current job template or any other project.

So, well, that's my favorite line from Linus Torvalds. And we have seen a lot of presentations. Let's talk about code, how exactly it works. So, okay. So this is my Git repo, which is defining my automation controller. What you need is just three VMs. On this laptop, what I did is I just I'm using a tool called as UTM and I created three RHEL machines. One for my controller, one for my automation hub and one for my DB.
I've just installed plain RHEL on these three machines. There's nothing else. And when I run my playbook, which is called as install configure, this downloads the AAP from the Red Hat console. It installs it and then it configures it. I need to define just my inventory file. This is my inventory. So the first part which you see over here, it asks for what automation controller host you have. So I've defined my controller host. I have defined my automation hub. These can be plain IPs of your local VMs if you're running it on your local machine. And then my database, that's all.

Now if you see it already installed my automation platform, this is how it looks like. And the password is incorrect. So let me just grab the password. So that's my dashboard. This is all we were talking about. What exactly is automation controller? That's my dashboard. And these on the left-hand pane, if you see, these are all the resources which we discussed briefly. So we discussed about templates, credentials, projects.

Now by default, this controller has a lot of things which it comes on. So I can define certain settings. So by default, when you install an automation controller, you would see that there are, there is a list of 100 modules which comes along with it, which includes shell and other things also. But when I was installing this, I changed this setting while installation. Over here, if you see this repository, all, this is like the generic settings or generic objects which I want in my automation controller. So over here, in my settings.yaml, I have just provided these two commands to make my automation platform more secure. I do not want a user to use an ad hoc command, shell, and then reach out to my machines and create some issues for me. Then I have whatever settings I want, which you see in my controller over here. These all can be configured via these playbooks or via these settings. It's all there.
Then if you see, I just have the basic users over here, admin and student, which comes by default. I want to create certain new ad users to it through my configuration code. And if you see over here, okay, it's running, let's delete it. Well, deleting it at the production is not a good practice, but let's see. Okay, so all is gone.

And now from my terminal, I would be running this particular command before running this. Let me show you some more things. So Ansible playbook, I have defined which vault to use by default, whatever credentials I've used. I have vaulted them using the default Ansible vault and all those vaulted values are stored in Git. So everything is secure. Then I am passing on my inventory to which inventory and which host it should connect to. I'm passing my limit to Dev environment, which we just saw in the inventory. And then the playbook name, it's going to ask me password because that password I used to create the vaulted files and my environment variable. So as soon as I run it, now it would start creating everything from scratch. So if I just put time over here, let's see, let's see how much time it takes to create. And then we would come back to the controller.

But up until now, did you guys understand some of the basic concepts of AAP? Any queries or any queries until now? Okay, cool.

So now if you see, this gives me the logging. It tells me that it's adding the credential type. It's configuring my controller credentials. It's adding my credentials. And if I show you here, it has already started adding my credentials. So now I have all the credentials which are defined in my config code. I'm not doing anything manually over here. If I look at the projects, these are the SCM projects which got here. And if you see they're still running, they would get their revision. Now it's adding inventory, inventory sources. So with this configuration code, you can literally do 100% of the things. You can define whatever you need.
You could define your hosts. You could define your organizations, which you talk, org storage, org Unix. Then we saw teams and all of it is present here. So in my all, I have my... Okay, it's in my development environment. So that's my development environment. And this is how I've structured it. That I would need certain teams only which are a part of my development environment. I would need certain teams who are a part of production environment. So that's how you could separate or segregate this. So if you go and look at my dev environment, I have defined certain teams over here. So Team Unix, Admin, Defconn. So I have four teams defined over here. And now if you see, it has created them. It has not only created it, it has linked these teams to my organization also. That my first two teams are a part of storage organization. Another two teams are a part of Unix organization.

Okay, this has finished. Let's look at our timer. So two minutes, 23 seconds. And now if I come here, this is the job templates we were talking about that you could reuse them. And it had created a workflow template for me. So let me just show you. Okay, this is running. It has created this entire set of rules for me which I have defined in my workflows.yaml file. It has linked all these job templates and the slide which we just saw that you could have multiple job templates linked to each other as a workflow template. And then this is how it's working. So disabling the root passwords, updating all the packages, if I deep dive into it. So this is the first task. It's configuring my web server. This is configuring my services. This is disabling the root login. Let's look at the output. So output says okay. These are dummy tasks, but if you see at the output, it ran on my Defcon host, which I have defined in my inventory, and then it just displays the messages of now. But let me show you some more things. So, and this is how I have defined my workflow in my code.
So I've put down my first job template, which has a success node, failure node. You can also have approval nodes over here. You could do a lot of things with the code itself. So within just two minutes and a few seconds or let's say three minutes, I was able to harden my host by using this particular config code repository.

Now that there's a third part, we talked about analytics in the beginning. So if you see over here, that's my analytics console, which is like console.redhat.com. It gives me a brief view of what job templates run, how many of them failed, if I am saving some money, which is really important by the way. So if I come here, look at my organization statistics, it loads something about the organizations and then it tells you what all clusters I have. So you could get all of it over here. This is what Ansible Automation Platform is all about. You get everything in a single package.

And now for you, if we go back to our slides, talk about the analytics part. As next steps, I have provided all the links to this GitHub repo, which are available for you guys. I just want you to try it out, play along with it and give us your feedback. What do you think about it? That's all we need. This entire PDF is linked to the session. So if you want to download it, feel free to do that. And now it's time for Q&A. Any question, guys?

Q&A

So the question for the audience is, how we are configuring this entire thing? Is there a module available in the market? So there is a module which is available, controller module. And I can show that to you in the code also. So if you come here and if you look at the playbooks over here, the playbook which we ran was controller config to configure everything. So it uses the controller configuration module over here. So that's there. Yeah, but developers tend to use... Sorry. Okay guys, any other questions?

So the question is, where can we run Ansible Automation Platform, on Kubernetes or directly on a RHEL VM?
You could either deploy it on your RHEL VM. So I told you that I used UTM as my virtualization manager tool. And I just created VMs, RHEL 8 VMs, 8.6 VMs and I installed it over there. I mean, I didn't install it. The configuration as code installed it. If you want Kubernetes, there is an operator which is available also through which you could install your AAP platform. So that's also possible. For the Kubernetes installation, I need to check for the... So in the OpenShift view, if you are an OpenShift admin and if you look at the operators, there should be an AAP operator available over there which you can install. But for the exact documentation, I think I can get back to you with that exact documentation link for this. Okay. Yep.

Okay. So the question is like if there is a recommended practice to install AAP. So AAP, the default recommendations like the required ones are that it needs a RHEL server. And so it depends completely on the organization where you would want to install AAP. If you would say, okay, we need OpenShift, use that. If you say we need to install it on the VMs, go for it. So I think... Okay. Yeah. Yeah. Yeah. It needs a RHEL system.

And I think no more questions or... Okay. Then if there are no more questions, I would request you to let me know your constructive feedback on this and give it a try. If you feel or if you need any assistance, feel free to ping me. I'm available on GChat or on LinkedIn. Feel free to do that. So that's it from my side, guys. Thank you for attending.