CT-Ops
Automation Integration Settings
Global CT-Ops settings for CT-Automation and legacy Ansible automation providers.
The Automation integration settings page controls optional automation
providers for the current CT-Ops instance. Open it from Settings ->
Integrations -> Automation at /settings/integrations/automation.
These settings affect the host Tools Ansible Ping control and the CT-Automation Jobs workspace. Host-level pages can use these integrations only after the relevant provider is enabled and healthy here.
Access and scope
Only instance administrators can open and change this page. The settings apply to the current CT-Ops instance.
The page has three relevant areas:
| Area | What it controls |
|---|---|
| CT-Automation service connection | Connection details for a separately deployed CT-Automation API used by projects, credentials, job templates, launches, events, and run summaries. |
| Ansible automation | Instance opt-in for the legacy Ansible provider used by host and group Ansible ping tasks. |
| Ansible SSH credentials | Private-key SSH profiles that Ansible ping tasks can use. This card appears only when Ansible automation is enabled. |
CT-Automation service connection
Use this card when CT-Ops should call a separately deployed CT-Automation API. It does not start or deploy CT-Automation.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Status badge | Derived from current health | Read-only | Shows Healthy, Unavailable, or Disabled. |
| Enable CT-Automation connection | Current stored connection state | Boolean | Enables or disables the saved CT-Automation connection. |
| Connection name | Existing name, or CT-Ops default | Required, up to 120 characters | Human-readable label for the connection. |
| CT-Automation URL | Existing URL | Required absolute http or https URL, up to 2,048 characters | Base URL CT-Ops uses for CT-Automation API requests. |
| Service token ID | Existing token ID or ct-automation | Required, up to 120 characters | Token identifier sent with signed CT-Automation requests. |
| Service token secret | Blank | Required for first save when HMAC auth is active; leave blank to keep an existing secret | Secret used to sign CT-Automation service requests. CT-Ops never returns the stored secret to browser code. |
| TLS mode | Existing mode | One of the supported options | Tells CT-Ops how to treat the CT-Automation server certificate. |
| Timeout (ms) | Existing timeout | Whole number from 1,000 through 120,000 | Request timeout for CT-Automation API calls. |
| Save connection | Enabled unless a save is in progress | Server-side validation and admin access | Persists the connection and shows Saved after success. |
| Refresh status | Always available | Reloads the page | Rechecks the stored connection health and displayed version information. |
Supported TLS modes:
| TLS mode | When to use it |
|---|---|
| Public CA | The CT-Automation URL uses a certificate trusted by normal public CAs. |
| Private CA | The deployment uses an internal CA trusted by the CT-Ops service environment. |
| Pinned certificate | The deployment pins a specific certificate fingerprint. |
| Insecure HTTP | Only for explicitly accepted HTTP connections or non-production testing. HTTP module URLs require this mode. |
Ansible automation
The Ansible automation card controls the legacy Ansible provider used by host and group Ansible ping tasks. CT-Ops does not start the Ansible API container from its Docker Compose stack; configure this only when a separately managed legacy Ansible API is reachable from the CT-Ops web service.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Status badge | Derived from provider state and health | Read-only | Shows Healthy, Restart required, or Disabled. |
| Enable Ansible provider | Off unless the instance metadata enables the Ansible feature and provider | Boolean; disabled when the feature is not admin-configurable | Stores the instance opt-in. Enabling sets the provider to ansible; disabling clears it to none. |
| Status message | Derived from stored state and health | Read-only | Shows whether Ansible is disabled, unavailable, or healthy. When available, it also displays the Ansible version. |
| Refresh status | Always available | Reloads the page | Rechecks Ansible API health. |
Host Ansible Ping is available only when this provider is enabled, the
stored provider is ansible, and the Ansible API health check succeeds.
Ansible module connection
This card appears when Enable Ansible provider is on. Use it to pair CT-Ops with the Ansible API using initial credentials from the Ansible service environment. CT-Ops stores the generated service secret, not the initial password.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Ansible API URL | Existing Ansible connection URL | Required absolute http or https URL, up to 2,048 characters | Base URL used for Ansible API pairing and health checks. |
| Initial username | ctops | Required, up to 120 characters | Initial pairing username configured on the Ansible API. |
| Initial password | Blank | Required, up to 1,024 characters | Initial pairing password configured on the Ansible API. |
| Pair connection | Enabled unless pairing is in progress | Server-side validation and admin access | Pairs with the Ansible API and stores the generated service-token connection. Re-pairing rotates the generated service secret. |
The paired connection uses HMAC service-token authentication, a 5,000 ms
timeout, and a TLS mode inferred from the URL: https uses Public CA and
http uses Insecure HTTP.
Ansible SSH credentials
This card appears when Enable Ansible provider is on. It stores private-key SSH profiles for Ansible ping runs. The Host Tools Run Ansible Ping dialog lists these profiles by name and username.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Profile name | Blank | Required, up to 120 characters | Operator-facing credential label. |
| SSH username | Blank | Required, up to 120 characters | Username Ansible uses for SSH. |
| Private key | Blank | Required, up to 100,000 characters, must be a valid SSH private key | Private key used by Ansible for SSH. It is encrypted at rest and is not sent back to browser code after save. |
| Save credential | Enabled unless saving is in progress | Server-side validation and admin access | Creates the credential profile and adds it to the list. |
| Credential row | Existing profile | Read-only | Shows saved profile name and username. |
| Delete button | Existing profile | Admin access | Deletes the credential profile. Host Ansible Ping runs cannot use it after deletion. |
Operator guidance
Enable the legacy Ansible provider only when you have a reachable Ansible API and a clear operational need for Ansible ping checks. Create narrowly scoped SSH credential profiles, rotate them regularly, and delete profiles that no longer map to an approved host access path.
Use Refresh status after changing module deployment, DNS, TLS, firewall, or service-token configuration. If the Host Tools Ansible Ping button is missing, confirm that the target host is Linux, the current user can run host tasks, this page shows Ansible as enabled and healthy, and at least one SSH credential profile exists.