GitHub - trustification/trustification-ansible: Automation to deploy the Trustification project on RHEL

Red Hat Trusted Profile Analyzer Ansible collection

The purpose of this Ansible collection is to automate the deployment of the Red Hat Trusted Profile Analyzer (RHTPA) service on Red Hat Enterprise Linux (RHEL).

IMPORTANT: Deploying RHTPA by using Ansible is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These features give early access to upcoming product features, enabling customers to test functionality and give feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.

Description

The RHTPA service is the downstream redistribution of the Trustification project. The automation contained within this Git repository installs and configures the components of RHTPA to run on a single RHEL server by using a standalone containerized deployment. The containers are created from a Kubernetes-style manifest by using podman kube play.

The RHTPA Ansible collection deploys the following RHTPA components:

An NGINX front end provides the entry point to the RHTPA UI.

Minimum hardware requirements

  • 24 vCPU
  • 48 GB RAM
  • 100 GB of free disk space

Requirements

  • Ansible 2.16.0 or greater.
  • Python 3.10.0 or greater.
  • Red Hat Enterprise Linux 9.3 or greater for the x86_64 architecture.
  • Installation and configuration of Ansible on a control node to perform the automation.
  • External services:
    • An OpenID Connect (OIDC) provider.
    • Simple Queue Service (SQS).
    • A new PostgreSQL database.
    • AWS Simple Storage Service (S3) or an S3-compatible service, for example, MinIO.

External services

OIDC providers

SQS

Create the following topic names before installing RHTPA:

bombastic-failed-default
bombastic-indexed-default
bombastic-stored-default
vexination-failed-default
vexination-indexed-default
vexination-stored-default
v11y-failed-default
v11y-indexed-default
v11y-stored-default

Configure these topic names in the roles/tpa_single_node/vars/main.yml file.

PostgreSQL database

Create a PostgreSQL database and configure your database credentials in the environment variables. Other database settings are in the roles/tpa_single_node/vars/main.yml file.

PostgreSQL SSL mode is enabled by default. To disable SSL, set tpa_single_node_pg_ssl_mode: disable in the roles/tpa_single_node/vars/main.yml file.

S3 or S3 compatible service

Create the following unversioned S3 bucket names before installing RHTPA:

bombastic-default
vexination-default
v11y-default

Configure these S3 bucket names in the roles/tpa_single_node/vars/main.yml file.

Installation

The following steps guide you through configuring and provisioning RHTPA to run on Red Hat Enterprise Linux.

Configuring the controller node

On the controller node, export the following environment variables replacing the placeholders with your relevant information:

export TPA_SINGLE_NODE_REGISTRY_USERNAME=<Your Red Hat image registry username>
export TPA_SINGLE_NODE_REGISTRY_PASSWORD=<Your Red Hat image registry password>
export TPA_PG_HOST=<POSTGRES HOST IP>
export TPA_PG_ADMIN=<DB ADMIN>
export TPA_PG_ADMIN_PASSWORD=<DB ADMIN PASSWORD>
export TPA_PG_USER=<DB USER>
export TPA_PG_USER_PASSWORD=<DB PASSWORD>
export TPA_STORAGE_ACCESS_KEY=<Storage Access Key>
export TPA_STORAGE_SECRET_KEY=<Storage Secret Key>
export TPA_OIDC_ISSUER_URL=<AWS Cognito or Keycloak issuer URL. In case of Keycloak, the auth/realms/chicken endpoint is needed>
export TPA_OIDC_FRONTEND_ID=<OIDC Frontend Id>
export TPA_OIDC_PROVIDER_CLIENT_ID=<OIDC Walker Id>
export TPA_OIDC_PROVIDER_CLIENT_SECRET=<OIDC Walker Secret>
export TPA_EVENT_ACCESS_KEY_ID=<Kafka Username or AWS SQS Access Key>
export TPA_EVENT_SECRET_ACCESS_KEY=<Kafka User Password or AWS SQS Secret Key>

Choose between AWS S3 or an S3-compatible service, and update the roles/tpa_single_node/defaults/main.yml file accordingly.

Choose between Keycloak or AWS Cognito, and update the roles/tpa_single_node/defaults/main.yml file accordingly.

If you use MinIO, create an environment variable for the storage endpoint:

export TPA_STORAGE_ENDPOINT=<MinIO storage URL>

For Kafka events, create an environment variable pointing to the bootstrap server:

export TPA_EVENT_BOOTSTRAP_SERVER=<Kafka Bootstrap Server>

If you use AWS Cognito as your OIDC provider, then create an environment variable pointing to the Cognito domain:

export TPA_OIDC_COGNITO_DOMAIN=<AWS Cognito Domain>
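A quick preflight check on the controller node catches an export that is still the literal <placeholder> from the list above, or that is missing for the storage, event bus or OIDC choice you made. This is an added example, not part of the collection; it assumes the three choices are passed as arguments (s3|minio, sqs|kafka, keycloak|cognito).

```shell
#!/bin/sh
# Preflight check for the TPA_* exports this README asks for.
# Added example (not from the collection). Assumed interface:
#   tpa_check_env <s3|minio> <sqs|kafka> <keycloak|cognito>
# Returns 0 when every required variable is set and none is still a
# "<placeholder>"; otherwise lists each problem on stderr and returns 1.
tpa_check_env() {
  storage="$1"; bus="$2"; oidc="$3"; rc=0
  required="TPA_SINGLE_NODE_REGISTRY_USERNAME TPA_SINGLE_NODE_REGISTRY_PASSWORD
    TPA_PG_HOST TPA_PG_ADMIN TPA_PG_ADMIN_PASSWORD TPA_PG_USER TPA_PG_USER_PASSWORD
    TPA_STORAGE_ACCESS_KEY TPA_STORAGE_SECRET_KEY TPA_OIDC_ISSUER_URL
    TPA_OIDC_FRONTEND_ID TPA_OIDC_PROVIDER_CLIENT_ID TPA_OIDC_PROVIDER_CLIENT_SECRET
    TPA_EVENT_ACCESS_KEY_ID TPA_EVENT_SECRET_ACCESS_KEY"
  # Variables the README only requires for a particular choice
  [ "$storage" = minio ] && required="$required TPA_STORAGE_ENDPOINT"
  [ "$bus" = kafka ] && required="$required TPA_EVENT_BOOTSTRAP_SERVER"
  [ "$oidc" = cognito ] && required="$required TPA_OIDC_COGNITO_DOMAIN"

  for var in $required; do
    eval "val=\${$var}"          # POSIX indirect lookup; names are from our own list
    if [ -z "$val" ]; then
      echo "missing: $var" >&2; rc=1
    elif [ "${val#<}" != "$val" ]; then
      echo "placeholder not replaced: $var" >&2; rc=1   # still "<...>" from the README
    fi
  done

  # The issuer receives OIDC tokens, so it must be an HTTPS URL ...
  case "${TPA_OIDC_ISSUER_URL:-}" in
    https://*) ;;
    *) echo "TPA_OIDC_ISSUER_URL must start with https://" >&2; rc=1 ;;
  esac
  # ... and for Keycloak the README expects the auth/realms/chicken endpoint.
  if [ "$oidc" = keycloak ]; then
    case "${TPA_OIDC_ISSUER_URL:-}" in
      */auth/realms/chicken*) ;;
      *) echo "TPA_OIDC_ISSUER_URL: Keycloak issuer needs auth/realms/chicken" >&2; rc=1 ;;
    esac
  fi
  return $rc
}
```

Run it as tpa_check_env s3 sqs keycloak (or whichever combination you configured) before ansible-playbook; a non-zero exit means at least one export still needs attention.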

Updating the inventory and the playbook

To deploy RHTPA on Red Hat Enterprise Linux version 9.3 or later, do the following:

Update the content of the inventory.ini file in the project:

[trustification]
<IP_TARGET_MACHINE>

[trustification:vars]
ansible_user=<username>
ansible_ssh_pass=<ssh_password>
ansible_private_key_file=<path to private key>

If needed, configure the ansible.cfg file in the project:

[defaults]
inventory = ./inventory.ini
host_key_checking = 

Copy your certificate files into the certs/ directory with the following names:

trust-cert.crt
trust-cert.key
rootCA.crt

Optionally, you can point the variable tpa_single_node_certificates_dir in the roles/tpa_single_node/vars/main.yml file at the certs/ directory. You can also set specific certificate file names in the associated variables:

tpa_single_node_root_ca
tpa_single_node_trust_cert_tls_crt_path
tpa_single_node_trust_cert_tls_key_path
tpa_single_node_nginx_tls_crt_path
tpa_single_node_nginx_tls_key_path

Update the roles/tpa_single_node/vars/main.yml file with the appropriate values for each service.

Storage Service:

  • Update the Storage type, either s3 or minio.
  • Update the S3 or MinIO bucket names.
  • Update the AWS region for AWS S3 or keep us-west-1 for MinIO.
  • In case of MinIO, update the MinIO storage endpoint tpa_single_node_storage_endpoint.

SQS Service:

  • Update the Event bus type, either kafka or sqs.
  • Update the topic names for each event.
  • In case of Kafka, update the fields tpa_single_node_kafka_security_protocol and tpa_single_node_kafka_auth_mechanism.
  • In case of AWS SQS, update the AWS SQS region tpa_single_node_sqs_region.

Refer to roles/tpa_single_node/vars/main_example_aws.yml and roles/tpa_single_node/vars/main_example_nonaws.yml for more details.

Collection installation

Option 1: Install RHTPA by using the Ansible Galaxy command-line tool.

ansible-galaxy collection install redhat.trusted_profile_analyzer

Option 2: Include the collection in a requirements.yml file by using this format:

collections:
  - name: redhat.trusted_profile_analyzer

Then install RHTPA with the ansible-galaxy collection install -r requirements.yml command.

Option 3: Run the Ansible playbook.

export ANSIBLE_ROLES_PATH="roles/"
ansible-playbook -i inventory.ini play.yml -vv

NOTE: If you install a collection from Ansible Galaxy, it is not upgraded automatically when you upgrade the Ansible package.

To upgrade the collection to the latest available version, run the following command:

ansible-galaxy collection install redhat.trusted_profile_analyzer --upgrade

You can also install a specific version of the collection, for example, if you need to roll back to an earlier version:

ansible-galaxy collection install redhat.trusted_profile_analyzer:==1.2.2

Dependencies

Install the required Ansible collections by executing the following:

ansible-galaxy collection install -r requirements.yml

Contributing

Support

Support tickets for Red Hat Trusted Profile Analyzer can be opened at https://access.redhat.com/support/cases/#/case/new?product=Red%20Hat%20Trusted%20Profile%20Analyzer.

Release notes and Roadmap

You can read the latest release notes here.

Related Information

You can find more information about Red Hat Trusted Profile Analyzer here.

Feedback

Any and all feedback is welcome. Submit an Issue or Pull Request as needed.

License Information

You can find license information within the LICENSE file.
