AAP 2.6 Private Automation Hub: Manage Collections and EE Images at Scale
By Luca Berton · Published 2024-01-01 · Category: database-automation
Deploy and manage Private Automation Hub in AAP 2.6 for certified collections, custom content, execution environment images, content signing, and approval.
What Is Private Automation Hub?
Private Automation Hub is the content management component of AAP 2.6. It serves as your organization's internal repository for:
• Certified Ansible Collections — Red Hat tested and supported content
• Validated Collections — partner-tested content
• Custom Collections — internally developed automation content
• Execution Environment images — container images for job execution
• Content signing — GPG signature verification for supply chain security
Think of it as your private Ansible Galaxy plus a container registry, with enterprise features like approval workflows, access control, and content signing.
Hub Architecture in AAP 2.6
Private Automation Hub runs as a service behind Platform Gateway:
```
Users/Controllers → Platform Gateway → Automation Hub
                                        ├── Collection Repository
                                        ├── EE Container Registry
                                        ├── Content Signing Service
                                        └── PostgreSQL (metadata)
```
In the enterprise topology, Hub deploys with redundancy:
| Component | Count | Purpose |
|-----------|-------|---------|
| Hub web | 1 | Web interface |
| Hub API | 1 | REST API |
| Hub content | 2 | Content serving |
| Hub worker | 2 | Background tasks (sync, signing) |
| Hub Redis | 1 | Task queue and caching |
Setting Up Collection Remotes
Remotes define where Hub pulls collections from. Configure remotes to sync certified, validated, and community content.
Certified Content Remote
```yaml
- name: Configure certified content remote
  ansible.platform.collection_remote:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "rh-certified"
    url: "https://console.redhat.com/api/automation-hub/content/published/"
    auth_url: "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token"
    token: "{{ rh_api_token }}"
    tls_validation: true
    state: present
```
Community Content Remote (Filtered)
```yaml
- name: Configure filtered community remote
  ansible.platform.collection_remote:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "community-curated"
    url: "https://galaxy.ansible.com/api/"
    requirements:
      - name: community.general
        version: ">=10.0.0"
      - name: community.crypto
        version: ">=3.0.0"
      - name: community.postgresql
      - name: community.docker
      - name: community.kubernetes
    state: present
```
Sync Collections
```yaml
- name: Sync certified collections
  ansible.platform.collection_repository_sync:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "rh-certified"
    state: present
```
Publishing Custom Collections
Build and Upload
```bash
# Build the collection
cd my_namespace/my_collection/
ansible-galaxy collection build

# Upload to Private Hub
ansible-galaxy collection publish \
  my_namespace-my_collection-1.0.0.tar.gz \
  --server https://hub.example.com/api/galaxy/content/inbound-custom/ \
  --token "$HUB_TOKEN"
```
Collection Approval Workflow
By default, uploaded collections land in a staging repository and require approval before appearing in the published repository:
1. Developer uploads collection to Hub
2. Collection appears in Approval dashboard
3. Reviewer inspects the collection (version, changelog, dependencies)
4. Reviewer clicks Approve or Reject
5. Approved collections move to the published repository
6. Controllers can now pull the collection
```yaml
# Approve a collection via API
- name: Approve collection
  ansible.platform.collection_repository:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "published"
    namespace: "internal"
    collection_name: "network_tools"
    collection_version: "2.1.0"
    state: present
```
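A reviewer-side check for the inspection step of the approval workflow, added here as an example and not Hub's or the article's own code. It reads the `MANIFEST.json` and `FILES.json` that `ansible-galaxy collection build` writes into the tarball, re-hashes the payload, and lists dependencies outside an allowed set. The sample archive, `ALLOWED_NAMESPACES` and the `unvetted.utils` dependency are constructed for the demo.

```python
import hashlib, io, json, tarfile
ALLOWED_NAMESPACES = {"ansible", "community", "internal"}  # assumed reviewer policy

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def review_collection(tar_bytes: bytes) -> dict:
    """Summarise identity, integrity problems and out-of-policy dependencies."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        blobs = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    manifest = json.loads(blobs["MANIFEST.json"])
    info, problems, listed = manifest["collection_info"], [], set()
    # MANIFEST.json pins the hash of FILES.json ...
    if sha256(blobs["FILES.json"]) != manifest["file_manifest_file"]["chksum_sha256"]:
        problems.append("FILES.json")
    # ... and FILES.json pins the hash of every payload file.
    for entry in json.loads(blobs["FILES.json"])["files"]:
        if entry["ftype"] == "file":
            listed.add(entry["name"])
            data = blobs.get(entry["name"])
            if data is None or sha256(data) != entry["chksum_sha256"]:
                problems.append(entry["name"])
    # Anything in the archive that FILES.json does not list is also suspect.
    problems += sorted(set(blobs) - listed - {"MANIFEST.json", "FILES.json"})
    bad_deps = sorted(d for d in info["dependencies"] if d.split(".")[0] not in ALLOWED_NAMESPACES)
    return {"fqcn": f"{info['namespace']}.{info['name']}", "version": info["version"],
            "integrity_problems": problems, "bad_dependencies": bad_deps}

def build_sample(tamper: bool = False) -> bytes:
    """Constructed archive for the demo; not a real collection."""
    play = b"- hosts: all\n  gather_facts: false\n"
    files_json = json.dumps({"format": 1, "files": [
        {"name": "playbooks/ping.yml", "ftype": "file", "chksum_sha256": sha256(play)}]}).encode()
    manifest = {"format": 1, "collection_info": {
        "namespace": "internal", "name": "network_tools", "version": "2.1.0",
        "dependencies": {"community.general": ">=10.0.0", "unvetted.utils": "*"}},
        "file_manifest_file": {"name": "FILES.json", "chksum_sha256": sha256(files_json)}}
    members = {"MANIFEST.json": json.dumps(manifest).encode(), "FILES.json": files_json,
               "playbooks/ping.yml": play + (b"# edited after build\n" if tamper else b"")}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            member = tarfile.TarInfo(name)
            member.size = len(data)
            tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for tampered in (False, True):
        print(review_collection(build_sample(tampered)))
```

A non-empty `integrity_problems` list means the archive was modified after `ansible-galaxy collection build` produced it, which is a reason to reject regardless of what the changelog says.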
Content Signing
Content signing ensures collections haven't been tampered with between Hub and execution:
Configure Signing Service
```yaml
# Register a GPG signing service
- name: Configure collection signing
  ansible.platform.signing_service:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "ansible-content-signing"
    public_key: "{{ lookup('file', '/path/to/public-key.gpg') }}"
    script: "/path/to/signing-script.sh"
    state: present
```
Signing Script Example
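```bash
#!/bin/bash
# signing-script.sh
# Called by Hub with the file to sign as its only argument
set -euo pipefail

FILE_PATH=$1
SIGNATURE_PATH="${FILE_PATH}.asc"
ADMIN_ID="automation-team@example.com"

gpg --batch --yes --homedir /var/lib/pulp/.gnupg \
    --detach-sign --default-key "$ADMIN_ID" \
    --armor --output "$SIGNATURE_PATH" \
    "$FILE_PATH"

# The signing service reads a JSON object naming the file and its signature from stdout
echo "{\"file\": \"${FILE_PATH}\", \"signature\": \"${SIGNATURE_PATH}\"}"
```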
Verify Signatures in ansible.cfg
```ini
[galaxy]
server_list = private_hub
# Enable signature verification (gpg_keyring is a [galaxy] option, not a per-server one)
gpg_keyring = /etc/ansible/trustedkeys.gpg

[galaxy_server.private_hub]
url=https://hub.example.com/api/galaxy/content/published/
token={{ hub_token }}
```
Managing Execution Environment Images
Hub also serves as a container registry for Execution Environments:
Push EE Images
```bash
# Login to Hub's container registry
podman login hub.example.com

# Tag and push
podman tag ee-network:1.0 hub.example.com/ee-network:1.0
podman push hub.example.com/ee-network:1.0
```
Configure Controller to Pull from Hub
```yaml
- name: Register EE from Hub
  ansible.platform.execution_environment:
    controller_host: "{{ gateway_url }}"
    controller_username: "{{ controller_user }}"
    controller_password: "{{ controller_pass }}"
    name: "Network Automation EE"
    image: "hub.example.com/ee-network:1.0"
    credential: "Private Hub Registry"
    pull: "missing"
    state: present
```
Container Registry Credentials
```yaml
- name: Create Hub registry credential
  ansible.platform.credential:
    controller_host: "{{ gateway_url }}"
    controller_username: "{{ controller_user }}"
    controller_password: "{{ controller_pass }}"
    name: "Private Hub Registry"
    credential_type: "Container Registry"
    inputs:
      host: "hub.example.com"
      username: "{{ hub_user }}"
      password: "{{ hub_pass }}"
      verify_ssl: true
    state: present
```
Air-Gapped Deployments
For disconnected environments, Hub is essential — it's the only way to get collections and EE images to execution nodes.
Syncing Content for Air-Gap
On a connected machine:
```bash
# Download collections
ansible-galaxy collection download \
  -r requirements.yml \
  -p ./collections-offline/

# Save EE images
podman save -o ee-network.tar hub.example.com/ee-network:1.0
podman save -o ee-cloud.tar hub.example.com/ee-cloud:1.0
```
Transfer files to the air-gapped network, then:
```bash
# Upload collections to air-gapped Hub
for tarball in collections-offline/*.tar.gz; do
  ansible-galaxy collection publish "$tarball" \
    --server https://hub-airgap.internal/api/galaxy/content/inbound-custom/ \
    --token "$HUB_TOKEN"
done

# Load and push EE images
podman load -i ee-network.tar
podman tag hub.example.com/ee-network:1.0 hub-airgap.internal/ee-network:1.0
podman push hub-airgap.internal/ee-network:1.0
```
Configuring ansible-core to Use Hub
ansible.cfg for Multiple Repositories
```ini
[galaxy]
server_list = certified_hub, validated_hub, community_hub

[galaxy_server.certified_hub]
url=https://hub.example.com/api/galaxy/content/rh-certified/
token={{ hub_token }}

[galaxy_server.validated_hub]
url=https://hub.example.com/api/galaxy/content/validated/
token={{ hub_token }}

[galaxy_server.community_hub]
url=https://hub.example.com/api/galaxy/content/community/
token={{ hub_token }}
```
Environment Variables
```bash
export ANSIBLE_GALAXY_SERVER_LIST="certified_hub,validated_hub"
export ANSIBLE_GALAXY_SERVER_CERTIFIED_HUB_URL="https://hub.example.com/api/galaxy/content/rh-certified/"
export ANSIBLE_GALAXY_SERVER_CERTIFIED_HUB_TOKEN="$HUB_TOKEN"
```
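A lint for the client configuration described under "Verify Signatures in ansible.cfg" and "ansible.cfg for Multiple Repositories", added here as an example and not part of AAP or the original article. It flags any server in `server_list` that is undefined, not HTTPS, not on the private Hub host, or has `validate_certs` turned off, and it flags a missing `gpg_keyring`. `TRUSTED_HOSTS` and both sample configurations are assumptions constructed for the demo.

```python
import configparser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"hub.example.com"}  # assumption: the only approved content host

def audit_galaxy_config(cfg_text: str) -> list:
    """Return findings for an ansible.cfg that should pull content only from Hub."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    names = [n.strip() for n in cfg.get("galaxy", "server_list", fallback="").split(",") if n.strip()]
    if not names:
        findings.append("server_list is empty: the default Galaxy server is used")
    for name in names:
        section = f"galaxy_server.{name}"
        if not cfg.has_section(section):
            findings.append(f"{name}: listed but not defined")
            continue
        url = urlparse(cfg.get(section, "url", fallback=""))
        if url.scheme != "https":
            findings.append(f"{name}: url is not https")
        if url.hostname not in TRUSTED_HOSTS:
            findings.append(f"{name}: host {url.hostname} is not the private hub")
        if cfg.get(section, "validate_certs", fallback="true").lower() in ("false", "no", "0"):
            findings.append(f"{name}: certificate validation is disabled")
    if not cfg.get("galaxy", "gpg_keyring", fallback="").strip():
        findings.append("gpg_keyring is not set under [galaxy]")
    return findings

# Constructed inputs: the article's layout, and a drifted copy of it.
GOOD = """
[galaxy]
server_list = certified_hub
gpg_keyring = /etc/ansible/trustedkeys.gpg
[galaxy_server.certified_hub]
url=https://hub.example.com/api/galaxy/content/rh-certified/
"""
DRIFTED = """
[galaxy]
server_list = certified_hub, public
[galaxy_server.certified_hub]
url=https://hub.example.com/api/galaxy/content/rh-certified/
validate_certs=false
[galaxy_server.public]
url=https://galaxy.ansible.com/api/
"""

if __name__ == "__main__":
    for finding in audit_galaxy_config(DRIFTED):
        print(finding)
```

The lint reads the file only; `ANSIBLE_GALAXY_SERVER_*` environment variables take precedence over `ansible.cfg`, so check the job environment as well.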
Namespaces and Access Control
Organize collections by team using namespaces:
```yaml
# Create a namespace for the network team
- name: Create network namespace
  ansible.platform.namespace:
    hub_host: "{{ gateway_url }}"
    hub_username: "{{ hub_user }}"
    hub_password: "{{ hub_pass }}"
    name: "network_team"
    description: "Network automation collections"
    company: "Example Corp - Network Operations"
    groups:
      - name: "network-admins"
        object_permissions:
          - "change_namespace"
          - "upload_to_namespace"
    state: present
```
High Availability
In the enterprise topology, Hub deploys with redundancy:
• 2 Hub VMs with colocated Redis
• Shared storage for collection artifacts (NFS, S3, or shared filesystem)
• External database for metadata
• Load balancer via Platform Gateway
For OpenShift deployments, Hub uses S3-compatible object storage (required because ReadWriteMany storage isn't default in OpenShift):
```yaml
# Operator deployment with S3 storage
apiVersion: aap.ansible.com/v1alpha1
kind: AnsibleAutomationPlatform
metadata:
  name: aap
spec:
  hub:
    storage_type: 's3'
    object_storage_s3_secret: 'hub-s3-credentials'
```
FAQ
What is the difference between Automation Hub and Ansible Galaxy?
Ansible Galaxy is the public community repository. Private Automation Hub is your internal enterprise repository with access control, approval workflows, content signing, and EE image hosting. Hub can sync content from Galaxy but adds governance and security layers.
Can I run Hub without the rest of AAP?
No. In AAP 2.6, all components deploy together behind Platform Gateway. Hub requires Platform Gateway for authentication and routing. If you just need a private Galaxy server without AAP, consider Galaxy NG (the upstream project).
How do I migrate from a standalone Galaxy NG to Private Hub?
Export collections from Galaxy NG using ansible-galaxy collection download, then upload to Private Hub. EE images can be transferred using podman save / podman load. Namespace and permission configuration must be recreated.
Does Hub support Helm charts or other artifact types?
No. Hub is purpose-built for Ansible content: collections and EE container images. For Helm charts, use a general-purpose OCI registry or Helm repository.
How much storage does Hub need?
Depends on the number of collections and EE images. A typical enterprise deployment with 50 collections and 10 EE images uses 10-20 GB. Red Hat's tested topology allocates 60 GB per VM. Monitor growth and plan for EE image updates, which can be 500 MB - 1.5 GB each.
Conclusion
Private Automation Hub is the supply chain security layer of AAP 2.6. It ensures every collection and EE image used in your automation is curated, approved, signed, and served from a trusted internal source. For enterprise teams — especially those with compliance requirements or air-gapped environments — Hub is non-negotiable.