CT-Ops

Automation Integration Settings

Global CT-Ops settings for CT-Automation and legacy Ansible automation providers.

The Automation integration settings page controls optional automation providers for the current CT-Ops instance. Open it from Settings -> Integrations -> Automation at /settings/integrations/automation.

These settings affect the host Tools Ansible Ping control and the CT-Automation Jobs workspace. Host-level pages can use these integrations only after the relevant provider is enabled and healthy here.

Access and scope

Only instance administrators can open and change this page. The settings apply to the current CT-Ops instance.

The page has three relevant areas:

AreaWhat it controls
CT-Automation service connectionConnection details for a separately deployed CT-Automation API used by projects, credentials, job templates, launches, events, and run summaries.
Ansible automationInstance opt-in for the legacy Ansible provider used by host and group Ansible ping tasks.
Ansible SSH credentialsPrivate-key SSH profiles that Ansible ping tasks can use. This card appears only when Ansible automation is enabled.

CT-Automation service connection

Use this card when CT-Ops should call a separately deployed CT-Automation API. It does not start or deploy CT-Automation.

Field or controlDefaultValidationWhat it does
Status badgeDerived from current healthRead-onlyShows Healthy, Unavailable, or Disabled.
Enable CT-Automation connectionCurrent stored connection stateBooleanEnables or disables the saved CT-Automation connection.
Connection nameExisting name, or CT-Ops defaultRequired, up to 120 charactersHuman-readable label for the connection.
CT-Automation URLExisting URLRequired absolute http or https URL, up to 2,048 charactersBase URL CT-Ops uses for CT-Automation API requests.
Service token IDExisting token ID or ct-automationRequired, up to 120 charactersToken identifier sent with signed CT-Automation requests.
Service token secretBlankRequired for first save when HMAC auth is active; leave blank to keep an existing secretSecret used to sign CT-Automation service requests. CT-Ops never returns the stored secret to browser code.
TLS modeExisting modeOne of the supported optionsTells CT-Ops how to treat the CT-Automation server certificate.
Timeout (ms)Existing timeoutWhole number from 1,000 through 120,000Request timeout for CT-Automation API calls.
Save connectionEnabled unless a save is in progressServer-side validation and admin accessPersists the connection and shows Saved after success.
Refresh statusAlways availableReloads the pageRechecks the stored connection health and displayed version information.

Supported TLS modes:

TLS modeWhen to use it
Public CAThe CT-Automation URL uses a certificate trusted by normal public CAs.
Private CAThe deployment uses an internal CA trusted by the CT-Ops service environment.
Pinned certificateThe deployment pins a specific certificate fingerprint.
Insecure HTTPOnly for explicitly accepted HTTP connections or non-production testing. HTTP module URLs require this mode.

Ansible automation

The Ansible automation card controls the legacy Ansible provider used by host and group Ansible ping tasks. CT-Ops does not start the Ansible API container from its Docker Compose stack; configure this only when a separately managed legacy Ansible API is reachable from the CT-Ops web service.

Field or controlDefaultValidationWhat it does
Status badgeDerived from provider state and healthRead-onlyShows Healthy, Restart required, or Disabled.
Enable Ansible providerOff unless the instance metadata enables the Ansible feature and providerBoolean; disabled when the feature is not admin-configurableStores the instance opt-in. Enabling sets the provider to ansible; disabling clears it to none.
Status messageDerived from stored state and healthRead-onlyShows whether Ansible is disabled, unavailable, or healthy. When available, it also displays the Ansible version.
Refresh statusAlways availableReloads the pageRechecks Ansible API health.

Host Ansible Ping is available only when this provider is enabled, the stored provider is ansible, and the Ansible API health check succeeds.

Ansible module connection

This card appears when Enable Ansible provider is on. Use it to pair CT-Ops with the Ansible API using initial credentials from the Ansible service environment. CT-Ops stores the generated service secret, not the initial password.

Field or controlDefaultValidationWhat it does
Ansible API URLExisting Ansible connection URLRequired absolute http or https URL, up to 2,048 charactersBase URL used for Ansible API pairing and health checks.
Initial usernamectopsRequired, up to 120 charactersInitial pairing username configured on the Ansible API.
Initial passwordBlankRequired, up to 1,024 charactersInitial pairing password configured on the Ansible API.
Pair connectionEnabled unless pairing is in progressServer-side validation and admin accessPairs with the Ansible API and stores the generated service-token connection. Re-pairing rotates the generated service secret.

The paired connection uses HMAC service-token authentication, a 5,000 ms timeout, and a TLS mode inferred from the URL: https uses Public CA and http uses Insecure HTTP.

Ansible SSH credentials

This card appears when Enable Ansible provider is on. It stores private-key SSH profiles for Ansible ping runs. The Host Tools Run Ansible Ping dialog lists these profiles by name and username.

Field or controlDefaultValidationWhat it does
Profile nameBlankRequired, up to 120 charactersOperator-facing credential label.
SSH usernameBlankRequired, up to 120 charactersUsername Ansible uses for SSH.
Private keyBlankRequired, up to 100,000 characters, must be a valid SSH private keyPrivate key used by Ansible for SSH. It is encrypted at rest and is not sent back to browser code after save.
Save credentialEnabled unless saving is in progressServer-side validation and admin accessCreates the credential profile and adds it to the list.
Credential rowExisting profileRead-onlyShows saved profile name and username.
Delete buttonExisting profileAdmin accessDeletes the credential profile. Host Ansible Ping runs cannot use it after deletion.

Operator guidance

Enable the legacy Ansible provider only when you have a reachable Ansible API and a clear operational need for Ansible ping checks. Create narrowly scoped SSH credential profiles, rotate them regularly, and delete profiles that no longer map to an approved host access path.

Use Refresh status after changing module deployment, DNS, TLS, firewall, or service-token configuration. If the Host Tools Ansible Ping button is missing, confirm that the target host is Linux, the current user can run host tasks, this page shows Ansible as enabled and healthy, and at least one SSH credential profile exists.