AAP 2.6 Private Automation Hub: Manage Collections and EE Images at Scale
By Luca Berton · Published 2024-01-01 · Category: database-automation
Deploy and manage Private Automation Hub in AAP 2.6 for certified collections, custom content, execution environment images, content signing, and approval workflows. Complete guide for air-gapped and enterprise environments.
What Is Private Automation Hub?
Private Automation Hub is the content management component of AAP 2.6. It serves as your organization's internal repository for:
• Certified Ansible Collections — Red Hat tested and supported content
• Validated Collections — partner-tested content
• Custom Collections — internally developed automation content
• Execution Environment images — container images for job execution
• Content signing — GPG signature verification for supply chain security
Think of it as your private Ansible Galaxy plus a container registry, with enterprise features like approval workflows, access control, and content signing.
Hub Architecture in AAP 2.6
Private Automation Hub runs as a service behind Platform Gateway:
In the enterprise topology, Hub deploys with redundancy:
| Component | Count | Purpose |
|-----------|-------|---------|
| Hub web | 1 | Web interface |
| Hub API | 1 | REST API |
| Hub content | 2 | Content serving |
| Hub worker | 2 | Background tasks (sync, signing) |
| Hub Redis | 1 | Task queue and caching |
Setting Up Collection Remotes
Remotes define where Hub pulls collections from. Configure remotes to sync certified, validated, and community content.
Certified Content Remote
Community Content Remote (Filtered)
Sync Collections
Publishing Custom Collections
Build and Upload
Collection Approval Workflow
By default, uploaded collections land in a staging repository and require approval before appearing in the published repository:
1. Developer uploads collection to Hub
2. Collection appears in Approval dashboard
3. Reviewer inspects the collection (version, changelog, dependencies)
4. Reviewer clicks Approve or Reject
5. Approved collections move to the published repository
6. Controllers can now pull the collection
Content Signing
Content signing ensures collections haven't been tampered with between Hub and execution:
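An added example, not code from the article or from AAP: a Python check of the checksum chain inside a collection tarball, usable by a reviewer during the approval step or after an air-gap transfer. The detached GPG signature covers MANIFEST.json, which pins FILES.json, which in turn pins every file; the acme.netops collection and its contents are constructed sample data.

```python
from hashlib import sha256
import io, json, tarfile

def audit_collection(tar_bytes: bytes) -> dict:
    """Summarise a collection tarball and list breaks in its checksum chain."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        blobs = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    manifest = json.loads(blobs["MANIFEST.json"])
    info, fm = manifest["collection_info"], manifest["file_manifest_file"]
    problems = []
    # Link 1: MANIFEST.json (the signed file) pins the hash of FILES.json.
    files_json = blobs.get(fm["name"], b'{"files": []}')
    if sha256(files_json).hexdigest() != fm["chksum_sha256"]:
        problems.append(f"{fm['name']}: hash differs from MANIFEST.json")
    # Link 2: FILES.json pins the hash of every file in the collection.
    entries = [e for e in json.loads(files_json)["files"] if e["ftype"] == "file"]
    for entry in entries:
        if entry["name"] not in blobs:
            problems.append(f"{entry['name']}: listed but missing")
        elif sha256(blobs[entry["name"]]).hexdigest() != entry["chksum_sha256"]:
            problems.append(f"{entry['name']}: content changed")
    # A file that no manifest vouches for is as suspect as a modified one.
    listed = {e["name"] for e in entries} | {"MANIFEST.json", fm["name"]}
    for name in sorted(set(blobs) - listed):
        problems.append(f"{name}: not listed in {fm['name']}")
    return {"fqcn": f"{info['namespace']}.{info['name']}", "version": info["version"],
            "dependencies": info["dependencies"], "problems": problems}

def build_sample(tamper: bool = False) -> bytes:
    """Constructed tarball for a hypothetical acme.netops 1.2.0 collection."""
    files = {"README.md": b"# acme.netops\n", "plugins/modules/vlan.py": b"# vlan module\n"}
    files_json = json.dumps({"format": 1, "files": [
        {"name": n, "ftype": "file", "chksum_type": "sha256",
         "chksum_sha256": sha256(d).hexdigest(), "format": 1} for n, d in files.items()]}).encode()
    manifest = json.dumps({"format": 1, "collection_info": {
        "namespace": "acme", "name": "netops", "version": "1.2.0",
        "dependencies": {"ansible.netcommon": ">=5.0.0"}},
        "file_manifest_file": {"name": "FILES.json", "ftype": "file", "chksum_type": "sha256",
                               "chksum_sha256": sha256(files_json).hexdigest()}}).encode()
    if tamper:  # simulate a change made after the manifests were written
        files["plugins/modules/vlan.py"] += b"# edited in transit\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in {"MANIFEST.json": manifest, "FILES.json": files_json, **files}.items():
            member = tarfile.TarInfo(name)
            member.size = len(data)
            tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()
```

This check complements GPG verification rather than replacing it: the chain only proves anything once the signature on MANIFEST.json has been validated against a trusted keyring.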
Configure Signing Service
Signing Script Example
Verify Signatures in ansible.cfg
Managing Execution Environment Images
Hub also serves as a container registry for Execution Environments:
Push EE Images
Configure Controller to Pull from Hub
Container Registry Credentials
Air-Gapped Deployments
For disconnected environments, Hub is essential — it's the only way to get collections and EE images to execution nodes.
Syncing Content for Air-Gap
On a connected machine:
Transfer files to the air-gapped network, then:
Configuring ansible-core to Use Hub
ansible.cfg for Multiple Repositories
Environment Variables
Namespaces and Access Control
Organize collections by team using namespaces:
High Availability
In the enterprise topology, Hub deploys with redundancy:
• 2 Hub VMs with colocated Redis
• Shared storage for collection artifacts (NFS, S3, or shared filesystem)
• External database for metadata
• Load balancer via Platform Gateway
For OpenShift deployments, Hub uses S3-compatible object storage (required because ReadWriteMany storage isn't default in OpenShift):
FAQ
What is the difference between Automation Hub and Ansible Galaxy?
Ansible Galaxy is the public community repository. Private Automation Hub is your internal enterprise repository with access control, approval workflows, content signing, and EE image hosting. Hub can sync content from Galaxy but adds governance and security layers.
Can I run Hub without the rest of AAP?
No. In AAP 2.6, all components deploy together behind Platform Gateway. Hub requires Platform Gateway for authentication and routing. If you just need a private Galaxy server without AAP, consider Galaxy NG (the upstream project).
How do I migrate from a standalone Galaxy NG to Private Hub?
Export collections from Galaxy NG using ansible-galaxy collection download, then upload to Private Hub. EE images can be transferred using podman save / podman load. Namespace and permission configuration must be recreated.
Does Hub support Helm charts or other artifact types?
No. Hub is purpose-built for Ansible content: collections and EE container images. For Helm charts, use a general-purpose OCI registry or Helm repository.
How much storage does Hub need?
It depends on the number of collections and EE images. A typical enterprise deployment with 50 collections and 10 EE images uses 10-20 GB. Red Hat's tested topology allocates 60 GB per VM. Monitor growth and plan for EE image updates, which can be 500 MB - 1.5 GB each.
Conclusion
Private Automation Hub is the supply chain security layer of AAP 2.6. It ensures every collection and EE image used in your automation is curated, approved, signed, and served from a trusted internal source. For enterprise teams — especially those with compliance requirements or air-gapped environments — Hub is non-negotiable.