Ansible Automation Architect @ Red Hat

3 minute read

Ansible Automation Platform Container Groups

AAP Container Groups is just like Instance Groups. However, the playbooks will be executed in a pod running in your OpenShift or Kubernetes environment. You can find the details at Container and Instance Groups

What if you want to test this out but don’t have access to an OpenShift or Kubernetes environment? Here is an example how I set one up using the free Red Hat OpenShift sandbox to create a Container Group in my AAP environment.

Create an OpenShift service account

Login to https://developers.redhat.com to sign up for a sandbox instance. Once the instance is up, login with you developer credential. You should see two projects/namespaces. Let’s use the -dev project. We will create a service account aap-sa and a role aap-sa-role. They will be binded with rolebinding aap-sa-role-binding to the echong-2-dev project. Save the following to file aap-sa.yml.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aap-sa
  namespace: echong-2-dev
spec:
  serviceAccountName: aap-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aap-sa-role
  namespace: echong-2-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  - pods/attach
  - pods
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aap-sa-rolebinding
  namespace: echong-2-dev
subjects:
  - kind: ServiceAccount
    name: aap-sa
    namespace: echong-2-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aap-sa-role

Create this service account and role by running

oc apply -f aap-sa.yml -n echong-2-dev

Two tokens will be generated with the service account. Obtain the token string by running

oc sa get-token aap-sa

Save the token string for the next step.

Create an AAP Credential

On AAP controller, create a OpenShift or Kubernetes API Bearer Token type credential. Enter the OpenShift Sandbox endpoint and the Service Account token string from previous step. AAP Credential

Create an AAP Container Group

On AAP controller, create a Container Group under the Instance Groups menu. Use the OpenShift credential created in previous step. Select Customize pod specification to make some additional modification. AAP Container Group

The default settings will try to pull the execution environment from your Automation Hub and use the default namespace. Remove the image line which is actually not used. The image is determined by the execution environment specified in the template. Change the namespace to one of the projects created for you in the sandbox. Add the service account created in step above.

apiVersion: v1
kind: Pod
metadata:
  namespace: echong-2-dev
spec:
  serviceAccount: aap-sa
  containers:
    - name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'

That’s it. Launch a playbook against an inventory that is reachable on the internet, since the execution environment is running in the cloud. Make sure the job/workflow template is using the container group we created as Instance Group. We still need to specify an execution environment that is publicly accessible. Try to use Default execution environment which is pointing to registry.redhat.io.

Custom Execution Environment

What if the default execution environment is not enough and we need to run it with a custom EE from a private repo on Quay.io?

First update the Custom pod spec for the Container Group to include an imagePullSecrets.

apiVersion: v1
kind: Pod
metadata:
  namespace: echong-2-dev
spec:
  serviceAccount: aap-sa
  imagePullSecrets: 
    - name: echong-aap-test-quay.io
  containers:
    - name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'

Next create this imagePullSecrets on the OpenShift Sandbox using a robot account generated for the repo on Quay.io.

oc create secret docker-registry \
--docker-server=quay.io \
--docker-username=<robot account name> \
--docker-password=<robot account token> \
echong-aap-test-quay.io -n echong-2-dev

Create a new Execution Environment to point to the custom image on Quay.io accesible from this robot account. AAP Custom Execution Environment

Last step is to update the Job Template using the OpenShift Sandbox Container Group to use this execution environment. Now lauch the template and a new pod will be deployed on the Sandbox and using your customer execution environment from Quay.io.

P.S. While writing this, Ansible blog @ ansible.com/blog pusblished a similar article. Please check that out too!

Leave a comment

You may also enjoy

Automation Hub Private Repository

1 minute read

Background We want to allow users to create they own collection under company namespace, but not sharing with the rest of the Hub users

Use Kerberos for AAP PostgreSQL Connection

2 minute read

We have Red Hat Identity Management (IdM) setup in the lab to provide Kerberos authentication. This how-to will demonstrate setting up AAP to connect to its...