How To Create Ansible Tower Provider via API?


#1

Hello guys.

I’m trying to create an Ansible Tower provider via API, using this JSON body (via /api/providers?provider_class=provider):

'{
    "type": "ManageIQ::Providers::AnsibleTower::Provider",
    "name": "Ansible Tower",
    "url": "FQDN",
    "credentials": {
        "userid": "admin",
        "password": "password"
    }
}'

POST runs OK, but I’m having problems refreshing my provider because verify_ssl: [on] is activated by default (Verify Peer Certificate is checked by default), which causes an Unreachable status for the Ansible Tower provider.

Do you know if it’s possible to add Ansible Tower with an attribute like verify_ssl: off (Verify Peer Certificate unchecked) or something like that?

Thanks in advance.


#2

I’m taking a total guess, but based upon my knowledge of Ruby auth. methods, I’d try one of these:

{
    "type": "ManageIQ::Providers::AnsibleTower::Provider",
    "name": "Ansible Tower",
    "url": "FQDN",
    "credentials": {
        "userid": "admin",
        "password": "password",
        "ssl": {
            "verify": "false"
        }
    }
}

Or

{
    "type": "ManageIQ::Providers::AnsibleTower::Provider",
    "name": "Ansible Tower",
    "url": "FQDN",
    "credentials": {
        "userid": "admin",
        "password": "password"
    },
    "ssl": {
        "verify": "false"
    }
}

Give it a shot and let us know?


#3

I can create a provider but it ends up in error.

Manually created providers show up as Valid.

I’m not clear on the difference between ManageIQ::Providers::AnsibleTower::Provider and ManageIQ::Providers::AnsibleTower::AutomationManager.


#4

[completely untested, just guessing from the code]

https://github.com/ManageIQ/manageiq-providers-ansible_tower/blob/91a6b13b622/app/models/manageiq/providers/ansible_tower/shared/automation_manager.rb#L5-L12 => I don’t know what AutomationManager is either 🙂 but its .connect just uses the Provider’s .connect.

It seems all the .connect calls in that repo are without args, so options[:verify_ssl] is unset.
self.verify_ssl comes from manageiq/app/models/provider.rb; it’s delegated to the default endpoint.
=> So you need to set "verify_ssl": 0 on the Endpoint.

https://github.com/ManageIQ/manageiq-api/blob/master/spec/requests/providers_spec.rb doesn’t give examples of passing verify_ssl, but it does give examples of a few other Endpoint fields (e.g. security_protocol).

=> Try just specifying "verify_ssl": 0 at top level, near type and url.

Hmm, it’s missing from ENDPOINT_ATTRS in https://github.com/ManageIQ/manageiq-api/blob/3c0d8dd6b/app/controllers/api/providers_controller.rb#L9 — however I believe passing it at top level has worked for a long time, I think it just calls Provider#verify_ssl= which is delegated to default Endpoint.

P.S. You want to disable verification because your Tower has a self-signed certificate? That’s not the best security…
Ideally you’d give ManageIQ the internal CA certificate that generated Tower’s cert. I assume that’s already doable by adding it to the machine’s CA bundle — consider this option!
Just opened https://github.com/ManageIQ/manageiq-providers-ansible_tower/issues/40 for adding a way to configure that per-provider.
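
The P.S. in post #4 recommends trusting the internal CA instead of switching verification off. The Ruby sketch below is an added example, not code from the thread or from ManageIQ; the host name, CA names and helper names are constructed for illustration. It shows the peer check failing with an empty trust store, passing once the internal CA is added, and still rejecting a same-named certificate from an unrelated CA.

```ruby
require "openssl"

# Constructed helper (not ManageIQ code): issue a short-lived certificate for
# +cn+. Without an issuer it is a self-signed CA; with one it is a server cert.
def issue_cert(cn, key, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if issuer_cert
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# What a peer-certificate check amounts to: the chain must end in a CA from
# the trust store AND the certificate must be valid for the host we dialled.
def peer_trusted?(cert, host, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Constructed sample data: an internal CA, a Tower cert it issued, and a
# look-alike cert for the same host name issued by an unrelated CA.
HOST = "tower.example.internal"
ca_key, tower_key, rogue_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
INTERNAL_CA = issue_cert("Example Internal CA", ca_key)
TOWER_CERT  = issue_cert(HOST, tower_key, issuer_cert: INTERNAL_CA, issuer_key: ca_key)
ROGUE_CA    = issue_cert("Unrelated CA", rogue_key)
ROGUE_CERT  = issue_cert(HOST, tower_key, issuer_cert: ROGUE_CA, issuer_key: rogue_key)

puts "empty trust store:      #{peer_trusted?(TOWER_CERT, HOST, [])}"
puts "internal CA trusted:    #{peer_trusted?(TOWER_CERT, HOST, [INTERNAL_CA])}"
puts "cert from unrelated CA: #{peer_trusted?(ROGUE_CERT, HOST, [INTERNAL_CA])}"
puts "wrong host name:        #{peer_trusted?(TOWER_CERT, 'other.example.internal', [INTERNAL_CA])}"
```

With verification disabled, the third and fourth cases would be accepted as readily as the second.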