Enabling Red Hat Ansible Tower to manage policies

If you want to use Red Hat® Ansible® Tower to check and enforce policies against CIS Benchmarks, you must create an Ansible Tower secret to enable IBM Cloud Pak® for Multicloud Management to use Ansible Tower.

Note: Only Red Hat® Enterprise Linux® 7 VMs are supported.

Configuring Ansible Tower

Before creating your Ansible Tower secret, ensure that your Ansible Tower is configured to accept the tags that IBM Cloud Pak for Multicloud Management sends. Ansible inventories are retrieved and assigned to groups by the IBM® Management VM operator. For example, consider the following tags in IBM Cloud Pak for Multicloud Management:

   vmSelector:
     tags:
       env: prod
       OS: rhel7

IBM Cloud Pak for Multicloud Management treats these tags as a logical AND. The tags become Ansible group names that contain a colon, and Ansible flags the colon as an invalid character in a group name. Add the following environment variable to the environment in which Ansible Tower runs its jobs so that Ansible leaves the group names unchanged and does not emit deprecation warnings for them:

"ANSIBLE_TRANSFORM_INVALID_GROUP_CHARS": "ignore"

The tags are mapped to group names in your Ansible Tower inventory. In this example, an inventory is selected only if it contains both env:prod and OS:rhel7 as group names.

Creating Ansible Tower secrets

When you install IBM Cloud Pak for Multicloud Management, the IBM® Management Ansible Tower for Hybrid GRC operator is installed by default. There are no parameters that you can update during the initial installation. For more information about installation, see Installing the IBM Cloud Pak for Multicloud Management.

After installation completes, create a Kubernetes Secret (tower-secret) that connects IBM Cloud Pak for Multicloud Management to your Ansible Tower.

To create the secret, you need three values: the Ansible Tower URL, the Ansible Tower API token, and the mapping from OS tag value to Ansible Tower job template. The data field of a Kubernetes Secret holds base64 encoded values, so encode each of the three first:

  1. Run the following command to encode your Ansible Tower URL:

    echo -n '<Ansible-Tower-URL>' | base64 -w 0
    
  2. Run the following command to encode your Ansible Tower API token:

    echo -n '<Ansible-Tower-API-token>' | base64 -w 0
    

    Note: The -n flag matters. Without it, the trailing newline that echo adds becomes part of the encoded value and the token no longer matches. The -w 0 flag (no line wrapping) is specific to GNU coreutils; on macOS, omit it, because the BSD base64 there does not wrap lines by default. Typing the token on the command line also records it in your shell history, so clear the history for that session or read the token from a file instead.

  3. Run the following command to encode the mapping from OS tag value to Ansible Tower job template name:

    echo -n '{"rhel7":"RHEL7_CIS_Playbook"}' | base64 -w 0
    

    Note: The key rhel7 is the value of the OS tag shown in the vmSelector, and RHEL7_CIS_Playbook is the name of the job template that Ansible Tower runs for VMs with that tag.

  4. Build your tower-secret.yaml file using the base64 strings from the preceding steps:

    apiVersion: v1
    kind: Secret
    metadata:
      name: tower-secret
    type: Opaque
    data:
      tower_url: <base64-encoded Ansible Tower URL>
      tower_api_token: <base64-encoded Ansible Tower API token>
      tower_job_templates: <base64-encoded job template mapping>
    
  5. Run the following command to create your secret:

    oc -n kube-system create -f tower-secret.yaml
    
  6. Run the following command to retrieve the full name of the ClusterServiceVersion (CSV) of the deployed Ansible operator:

    oc -n kube-system get csv | grep ibm-management-vmpolicy-ansible
    

    The command produces output like the following, where vxxxxx is the version suffix of the operator name that you edit in the next step:

    ibm-management-vmpolicy-ansible.vxxxxx         IBM Management Ansible for Hybrid GRC               xxxxx   ibm-management-vmpolicy-ansible.xxx         Succeeded
    
  7. Set EXECUTION_PATH in the Ansible operator. By default, the operator uses ansible-engine. To use Ansible Tower, the value of EXECUTION_PATH must be ansible-tower. Run the following command to edit the operator CSV:

    oc -n kube-system edit csv ibm-management-vmpolicy-ansible.vxxxxx
    

    Replace the value of EXECUTION_PATH with ansible-tower:

    - name: EXECUTION_PATH
      value: ansible-tower
    

    Note: An operator upgrade installs a new CSV with a new version suffix, so repeat this edit after each upgrade of the operator.
    
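Steps 1 to 4 as one script, with a decode check before anything is sent to the cluster. This is an added example and not code from the IBM documentation; the URL https://tower.example.com, the token value, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: build tower-secret.yaml from
# the three values in steps 1 to 4. All names and values here are assumptions
# for illustration.
set -eu

# Base64-encode a string with no trailing newline and no line wrapping.
# printf '%s' avoids the newline a bare echo would add; tr -d '\n' does the
# job of the GNU-only `base64 -w 0`, so this also works with BSD/macOS base64.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the tower_job_templates JSON that maps an OS tag value to a job
# template name, for example rhel7 -> RHEL7_CIS_Playbook.
tower_job_templates_json() {
  printf '{"%s":"%s"}' "$1" "$2"
}

# Render the Secret manifest from step 4. The API token is taken from the
# TOWER_API_TOKEN environment variable rather than an argument so that it
# does not land in shell history or in `ps` output.
render_tower_secret() {
  rts_url="$1"
  rts_templates="$2"
  rts_token="${TOWER_API_TOKEN:?set TOWER_API_TOKEN to the Ansible Tower API token}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: tower-secret
type: Opaque
data:
  tower_url: $(b64 "$rts_url")
  tower_api_token: $(b64 "$rts_token")
  tower_job_templates: $(b64 "$rts_templates")
EOF
}

# Check that one data field of a rendered manifest decodes back to the
# expected plaintext. Catches stray newlines and wrapped base64 before the
# secret is created in the cluster. (Older macOS base64 spells -d as -D.)
secret_field_decodes_to() {
  sfd_manifest="$1"
  sfd_field="$2"
  sfd_expected="$3"
  sfd_encoded=$(printf '%s\n' "$sfd_manifest" | awk -v f="$sfd_field:" '$1 == f { print $2 }')
  [ "$(printf '%s' "$sfd_encoded" | base64 -d)" = "$sfd_expected" ]
}

# Demonstration with constructed values (not a real token): print the manifest.
TOWER_API_TOKEN='example-token-not-real'
export TOWER_API_TOKEN
render_tower_secret 'https://tower.example.com' "$(tower_job_templates_json rhel7 RHEL7_CIS_Playbook)"
```

Redirect the output to tower-secret.yaml, run the secret_field_decodes_to check against each of the three fields, and then create the secret with the oc command from step 5. After creation you can confirm what the cluster stored with oc -n kube-system get secret tower-secret -o jsonpath='{.data.tower_url}' piped through base64 -d; it should print exactly the URL you entered, with no trailing newline.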

You can now use Ansible Tower to manage your policies.