AWX modernization: Moving forward

Thanks for your input, Eddie.

So if I understand correctly, it would still be possible to use a custom authentication layer through backend configuration, but no longer through the UI as it exists today.

That would be quite a significant change, especially for something like onboarding a new team: it would no longer be possible to add the LDAP mapping on the fly as with the legacy version. Instead, it would require updating the configuration and rolling out the AWX web and task pods again.

Please correct me if I am misunderstanding your point.

2 Likes

Could you go into some detail on how you built it? Did you follow some of the steps described here: Documentation for running AWX from the devel branch · Issue #16117 · ansible/awx · GitHub, or did you follow another path? 🙂

1 Like

Hello,

I’ve been able to make it work with LDAP and Keycloak auth.

If I haven’t forgotten anything, here is all I did:

In the awx repo folder:

from django-ansible-base/docs/Installation.md at devel · ansible/django-ansible-base · GitHub

curl -s https://raw.githubusercontent.com/ansible/django-ansible-base/refs/heads/devel/requirements/requirements_authentication.in >> requirements/requirements_dev.txt

upgrade social-auth-core to avoid issue with IAT by having JWT_LEEWAY option

sed -i 's/^social-auth-core.*/social-auth-core>=4.7/' requirements/requirements_dev.txt
cat >> awx/settings/settings.py << 'EOF'
OIDC_LEEWAY = 60
JWT_LEEWAY = 60
EOF

From django-ansible-base/docs/Installation.md at devel · ansible/django-ansible-base · GitHub

sed -i "/INSTALLED_APPS = \[/a\\    'ansible_base.authentication'," awx/settings/defaults.py

Some things are going to fail if this is still None:

sed -i "s/SYSTEM_USERNAME = None/SYSTEM_USERNAME = 'awx'/" awx/settings/defaults.py

Add the possibility of having a Keycloak button on the homepage:

sed -i "/^from awx.main.views import handle_400/a\\
\\
from django.http import JsonResponse\\
from django.views import View\\
from ansible_base.authentication.views import UIAuth\\
\\
class AwxAuthView(View):\\
    def get(self, request):\\
        response = UIAuth.as_view()(request)\\
        data = response.data\\
        result = {}\\
        for sso in data.get('ssos', []):\\
            result[sso['type']] = {\\
                'login_url': sso['login_url']\\
            }\\
        return JsonResponse(result)" awx/urls.py

Add openldap-devel to the dnf install in tools/ansible/roles/dockerfile/templates/Dockerfile.j2 to be able to build the library for django-ansible-base auth:

sed -i 's/    xmlsec1-openssl-devel/    xmlsec1-openssl-devel \\\n    openldap-devel/' tools/ansible/roles/dockerfile/templates/Dockerfile.j2

Start building:

eval "$(ssh-agent -s)"
git pull && nvm use 18 && make clean/ui ui && make ui/src/build && make docker-compose-build && make docker-compose

Once built and started, do some configuration from inside awx-manage shell_plus within Docker:

from ansible_base.authentication.models import Authenticator

# LDAP authenticator: recreate it from scratch so the run is idempotent
Authenticator.objects.filter(name="LDAP").delete()
Authenticator.objects.create(
    name="LDAP",
    enabled=True,
    type="ansible_base.authentication.authenticator_plugins.ldap",
    configuration={
        "SERVER_URI": ["ldaps://ldap_server"],
        "BIND_DN": "CN=account,OU=xxx,DC=xxx,DC=xxx,DC=xxx",
        "BIND_PASSWORD": "account_password",
        "START_TLS": False,
        "CONNECTION_OPTIONS": {
            "OPT_REFERRALS": 0,
            "OPT_NETWORK_TIMEOUT": 30,
            "OPT_X_TLS_REQUIRE_CERT": 0,
            "OPT_X_TLS_NEWCTX": 0,
        },
        "USER_SEARCH": [
            "DC=xxx,DC=xxx,DC=xxx",
            "SCOPE_SUBTREE",
            "(cn=%(user)s)",
        ],
        "USER_DN_TEMPLATE": "",
        "USER_ATTR_MAP": {
            "email": "mail",
            "last_name": "sn",
            "first_name": "givenName",
        },
        "GROUP_SEARCH": [
            "DC=xxx,DC=xxx,DC=xxx",
            "SCOPE_SUBTREE",
            "(objectClass=group)",
        ],
        "GROUP_TYPE": "PosixGroupType",
        "GROUP_TYPE_PARAMS": {},
        "USER_FLAGS_BY_GROUP": {},
        "ORGANIZATION_MAP": {},
        "TEAM_MAP": {},
    },
)

# Keycloak (OIDC) authenticator
Authenticator.objects.filter(name="Keycloak").delete()
Authenticator.objects.create(
    name="Keycloak",
    enabled=True,
    type="ansible_base.authentication.authenticator_plugins.keycloak",
    configuration={
        "AUDIENCE": "name_of_your_client",
        "ACCESS_TOKEN_URL": "https://keycloak/realms/my_realm/protocol/openid-connect/token",
        "AUTHORIZATION_URL": "https://keycloak/realms/my_realm/protocol/openid-connect/auth",
        "REVOKE_TOKEN_URL": "https://keycloak/realms/my_realm/protocol/openid-connect/revoke",
        "USERINFO_URL": "https://keycloak/realms/my_realm/protocol/openid-connect/userinfo",
        "PUBLIC_KEY": "public_key_of_your_realm",
        "KEY": "name_of_your_client",
        "SECRET": "secret_of_your_realm_or_client_i_forgot",

        # User attribute mapping
        "USERNAME_KEY": "preferred_username",  # must match username in LDAP
        "USER_ATTR_MAP": {
            "first_name": "given_name",
            "last_name": "family_name",
            "email": "email",
        },
    },
)

If you want to sync users between LDAP and Keycloak, run this in awx-manage shell_plus:

ldap_auth = Authenticator.objects.get(name="LDAP")
keycloak_auth = Authenticator.objects.get(name="Keycloak")

# let each authenticator claim users first created by the other one
keycloak_auth.auto_migrate_users_from.add(ldap_auth)
keycloak_auth.save()
ldap_auth.auto_migrate_users_from.add(keycloak_auth)
ldap_auth.save()

Feel free to change a param inside the file awx/settings/defaults.py to force a reload of AWX. Check the log for errors and try the logins!

NB: I haven’t tested anything after that.

5 Likes
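The two `configuration` dicts in the post above carry settings a reviewer would flag before they reach an enterprise directory: `OPT_X_TLS_REQUIRE_CERT` set to 0 (OpenLDAP's `LDAP_OPT_X_TLS_NEVER`, so the LDAPS server certificate is never verified), and a bind password and client secret pasted inline into a shell_plus session. The linter below is an added example, not code from the post or from the django-ansible-base project; it runs on the plain dicts without Django. The `${ENV_VAR}` placeholder convention for secrets and the `resolve_secrets` helper are assumptions of this example, not a django-ansible-base feature, and the sample LDAP values are a constructed copy of the post's placeholders.

```python
"""Lint django-ansible-base Authenticator `configuration` dicts before creating them.

Added example (not from the forum post or django-ansible-base). The `${VAR}`
placeholder convention for secrets is an assumption of this example.
"""
import os
import re
from copy import deepcopy
from typing import Dict, List

# OpenLDAP LDAP_OPT_X_TLS_* values accepted by OPT_X_TLS_REQUIRE_CERT (ldap.h):
# only HARD and DEMAND actually verify the server certificate.
TLS_NEVER, TLS_HARD, TLS_DEMAND, TLS_ALLOW, TLS_TRY = 0, 1, 2, 3, 4

LDAP_TYPE = "ansible_base.authentication.authenticator_plugins.ldap"
KEYCLOAK_TYPE = "ansible_base.authentication.authenticator_plugins.keycloak"

ENV_REF = re.compile(r"^\$\{([A-Z0-9_]+)\}$")  # assumed convention, e.g. ${AWX_LDAP_BIND_PASSWORD}
KEYCLOAK_URL_FIELDS = ("ACCESS_TOKEN_URL", "AUTHORIZATION_URL", "REVOKE_TOKEN_URL", "USERINFO_URL")


def lint_ldap(config: Dict) -> List[str]:
    """Return reviewer findings for an LDAP authenticator configuration."""
    findings = []
    if not config.get("START_TLS", False):
        for uri in config.get("SERVER_URI", []):
            if uri.startswith("ldap://"):
                findings.append(f"{uri}: plaintext ldap:// without START_TLS, bind password sent in clear")
    require_cert = config.get("CONNECTION_OPTIONS", {}).get("OPT_X_TLS_REQUIRE_CERT", TLS_DEMAND)
    if require_cert not in (TLS_HARD, TLS_DEMAND):
        findings.append(f"OPT_X_TLS_REQUIRE_CERT={require_cert}: server certificate is not verified")
    if "BIND_PASSWORD" in config and not ENV_REF.match(str(config["BIND_PASSWORD"])):
        findings.append("BIND_PASSWORD is stored inline; use a ${ENV_VAR} placeholder")
    return findings


def lint_keycloak(config: Dict) -> List[str]:
    """Return reviewer findings for a Keycloak (OIDC) authenticator configuration."""
    findings = []
    for field in KEYCLOAK_URL_FIELDS:
        if not str(config.get(field, "")).startswith("https://"):
            findings.append(f"{field} is not https://; authorization codes and tokens would travel in clear")
    if "SECRET" in config and not ENV_REF.match(str(config["SECRET"])):
        findings.append("SECRET is stored inline; use a ${ENV_VAR} placeholder")
    return findings


LINTERS = {LDAP_TYPE: lint_ldap, KEYCLOAK_TYPE: lint_keycloak}


def lint_authenticator(auth_type: str, config: Dict) -> List[str]:
    """Dispatch on the authenticator plugin type used in Authenticator.objects.create()."""
    if auth_type not in LINTERS:
        return [f"no linter for authenticator type {auth_type}"]
    return LINTERS[auth_type](config)


def resolve_secrets(config: Dict, env=None) -> Dict:
    """Return a copy with top-level ${VAR} placeholders replaced from the environment."""
    env = os.environ if env is None else env
    resolved = deepcopy(config)
    for key, value in resolved.items():
        m = ENV_REF.match(str(value))
        if m:
            if m.group(1) not in env:
                raise KeyError(f"environment variable {m.group(1)} is not set")
            resolved[key] = env[m.group(1)]
    return resolved


# Constructed copy of the LDAP settings from the post (placeholder host and password).
WEAK_LDAP = {
    "SERVER_URI": ["ldaps://ldap_server"],
    "BIND_DN": "CN=account,OU=xxx,DC=xxx,DC=xxx,DC=xxx",
    "BIND_PASSWORD": "account_password",
    "START_TLS": False,
    "CONNECTION_OPTIONS": {"OPT_REFERRALS": 0, "OPT_NETWORK_TIMEOUT": 30,
                           "OPT_X_TLS_REQUIRE_CERT": TLS_NEVER, "OPT_X_TLS_NEWCTX": 0},
}

# Same settings with certificate verification on and the password taken from the environment.
HARDENED_LDAP = deepcopy(WEAK_LDAP)
HARDENED_LDAP["BIND_PASSWORD"] = "${AWX_LDAP_BIND_PASSWORD}"
HARDENED_LDAP["CONNECTION_OPTIONS"]["OPT_X_TLS_REQUIRE_CERT"] = TLS_DEMAND

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LDAP), ("hardened", HARDENED_LDAP)):
        print(label, lint_authenticator(LDAP_TYPE, cfg) or "OK")
```

Run the lint on a dict before handing it to `Authenticator.objects.create()`, and pass `resolve_secrets(cfg)` rather than the raw dict so the shell_plus transcript never contains the bind password or client secret.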

How about refactoring AWX so that you don’t have to have a PhD in managing Kubernetes? I have a hundred other things to support without having to know Kubernetes to install and manage this thing. It’s way over complicated. How about a package that installs the whole thing without taking two days to get it all configured and running. And the idea that you need a Kubernetes cluster is nuts.

2 Likes

Hello,

There was no K8s implication in what was done:
It requires Linux and Docker knowledge to understand how to build the Docker image to make it run locally (and play within it).
It also requires dev knowledge to:

  • Dig into the django-ansible-base code to understand how to configure the authenticator backend.
  • Change the UI code to get the possibility of having the SSO button.

But I agree that this refactoring is not going well, seeing the lack of documentation and the absence of UI updates for almost two years; it is clearly outdated.

I also don’t understand how that non-monolithic thing is going to be provided to users (for example: knowing that SSO is practically mandatory in enterprise and is not included in the awx:devel image by default, and thus requires building the image with it, seems clearly strange to me).

I also hope that they’ll provide another way to deploy it on K8s than the operator, which requires special access to the cluster…

Good luck with it !

1 Like

It’s been almost 30 days now, again. Can you clarify as to how ‘soon’ soon will be?

2 Likes

‘soon’ is subjective: for a user it means in 5 mins, for a dev in a few days, for a corporation … they measure in quarters.

2 Likes

Hello everyone,

First, I want to express my appreciation for the continuous work the team puts into AWX. Recently, while deep-diving into the latest versions and adapting our deployments, I made several observations regarding the architectural direction AWX is taking.

I am writing this post to share these findings and, hopefully, get some clarification from the Red Hat / IBM team regarding the roadmap, as there seems to be a lack of transparency regarding whether some of these changes are intentional strategic decisions or simply byproducts of an ongoing, incomplete refactoring.

Here are the main points I’ve noticed:

1. SSO / Authentication and the Platform Gateway It appears the awx.sso package has been removed (2024-12-10). This makes sense when looking at the AAP 2.5 architecture, where the new Platform Gateway handles login and RBAC, subsequently passing a token via header to the Automation Controller. However, AWX is no longer able to handle this connection/SSO part on its own, and to my knowledge, there is no open-source equivalent to the Platform Gateway available for the community. Our current workaround: We had to implement a custom Django-side mechanism to restore this functionality. The drawback: The configuration is mounted via Kubernetes secrets, which forces us to restart the pods to apply any changes.

2. Intentional removal of Credential Plugins for AWX I noticed that external credential plugins have been explicitly disabled for AWX. Looking at the source code, this seems to be a deliberate restriction rather than a bug:

credential_plugins = {ep.name: ep for ep in entry_points(group='awx_plugins.credentials')}
if detect_server_product_name() == 'AWX':
    credential_plugins = {}

(Source: awx/main/models/credential.py#L730) Could someone explain the reasoning behind this specific restriction for the upstream open-source project?

3. UI Revamp Inconsistencies While I understand that the new UI is undergoing a major overhaul, the current state feels quite imperfect. Certain sections seem to have simply vanished—for instance, managing credentials on organizations. Furthermore, the Settings management page renders very strangely (broken layouts/missing titles), making it difficult to use.

4. Custom Assets and Nginx Configuration The handling of custom assets (like custom logos) seems to have been removed from the default Nginx configuration. To get custom branding to work again, users now have to manually inject a custom location block into the Nginx configuration.

Conclusion & Questions: Are these points an assumed and intentional direction for the project, or are we just in the middle of an incomplete major refactoring?

While points #3 and #4 leave some room for doubt and could just be “work in progress,” points #1 and #2 strongly suggest a deliberate stripping of standalone capabilities in the open-source version compared to AAP.

Could someone from Red Hat or IBM please provide some clarity on the long-term vision for AWX standalone?

Thank you in advance for your time and insights!

9 Likes

Hi @mbutton77 Thanks for taking the time to write all that out and ask those questions. I realize this might not be the in-depth response that you’d like to hear but I do just want to acknowledge the fact that your voice, along with everyone else in the community, is being heard.

Please be aware that it’s an incredibly busy time right now. A lot of folks are in crunch mode for Red Hat Summit on top of other deadlines and competing priorities.

We are committed to providing more updates about AWX. There will be more news shortly (not measured in quarters). Thanks again for your patience.

6 Likes

Hi everyone,

For those of us wondering about the future direction of AWX, I think this is the session we need to keep an eye on at the upcoming Red Hat Summit:

Ansible Collab opening session: Collaborating for success

Automation is about collaboration, and Ansible has always been the catalyst that brings contributors, partners, and practitioners together.
This opening session is a look back at what the engineering team has built—the technical decisions, community contributions, and architectural work that have shaped Red Hat Ansible's ability to span datacenter, cloud, edge, and AI environments.
You'll hear directly from engineers on what's been done and why it matters. 
Context is everything: Understanding the engineering behind recent capabilities helps practitioners and contributors engage more effectively—whether that means writing better automation, contributing upstream, or building integrations that take full advantage of the platform.

Key takeaways include:
* A behind-the-scenes look at the engineering work that has driven recent Ansible development.
* Why specific technical decisions were made and how community collaboration shaped them.
* How understanding what's been built helps you create better automation today.

Speakers:
* Matthew Jones, Distinguished Engineer, Red Hat
* Kevin Myers, Senior Director, Ansible Engineering, Red Hat

Source:

Disclaimer: The abstract doesn’t explicitly name AWX or promise a clear roadmap. However, since it’s the “Ansible Collab opening session” and the engineers will be discussing upstream community contributions and technical/architectural decisions, it feels like the most likely place to read between the lines (or hear directly!) about what’s next for the upstream project.

We’ll almost certainly know where we stand once the Red Hat Summit wraps up.

1 Like

Please also note that @thedoubl3j has shared an update on AWX modernization with this post: AWX modernization: Ansible UI

3 Likes

Hi,

I am pleasantly surprised by the last update and will spin up a dev environment next week to try the updated ui.

Am I wrong that this was one of the last steps of the modernization? Because that would mean that CalVer-tagged releases could be coming soon? One could argue that modernization is a continuous process, but it would be nice to return to tagged releases even if they are just the “daily build” of the day.

To my knowledge there is no public plan available what still needs to be done. So any details about a roadmap would be appreciated.

5 Likes

Hi everyone. @thedoubl3j has shared another update with AWX modernization: Ansible Jewel

6 Likes

Great to see that information regarding the refactoring is appearing! Thanks a lot to everyone involved, looking forward to using the refactored version of AWX, though that might still be a little bit away.

4 Likes

Just an FYI that there is a devel image pushed to ghcr at: Package awx_devel · GitHub

I happened to chat with someone else recently who wasn’t aware of that image so thought I’d share it here.

2 Likes

Thanks for keeping us updated!

Am I correct that if you want to test the latest devel through awx-operator you have to use ghcr.io/ansible/awx:devel?
Of course the just announced jewel layer will not be there, though for testing the other parts, it should have everything, right?

1 Like

I’ve spent some hours and a lot of tokens getting awx devel to run with the ui and jewel.

Currently I got the UI and Jewel working but running a playbook just fails.

Pro:

The GUI looks nice and I think I am getting the hang of Jewel. Although I did get a red subscription banner in the GUI.

Cons:
So the fact I needed an LLM and still didn’t get it into a working state at the end left me with a sour taste. This is not the zen of Ansible and keeping it simple.

I think a full docker-compose that runs jewel/ui/controller you can “just take and compose up” would go a long way.

A lot of updated documentation in one place would be appreciated. Reading 3 repos and trying to duct-tape it together is not a fun developer experience.

1 Like

Agree with the lack of official build artifacts and a usable deployment method for both jewel and ansible-ui.

Side note: For jewel and the UI for it, when you run make docker-compose-build it creates a docker_compose.yml in tools/generated that you could use to create your own. Do note, however, that since the platform-ui image (quay.io/ansible/platform-ui) is not public you have to run the make target with HEADLESS=1, i.e. make docker-compose-build HEADLESS=1

The platform-ui image is required by the Dockerfile (in tools/generated) to copy the latest build, so you should be able to modify it so that it copies in your npm build of the UI. Then you could remove the HEADLESS switch to add the UI as part of the make target.

3 Likes