How to setup an OpenShift container group with AAP
Ansible Automation Platform Container Groups
AAP Container Groups work just like Instance Groups, except that the playbooks are executed in a pod running in your OpenShift or Kubernetes environment. You can find the details at Container and Instance Groups.
What if you want to test this out but don't have access to an OpenShift or Kubernetes environment? Here is how I set one up using the free Red Hat OpenShift Sandbox to create a Container Group in my AAP environment.
Create an OpenShift service account
Go to https://developers.redhat.com to sign up for a sandbox instance. Once the instance is up, log in with your developer credential. You should see two projects/namespaces. Let's use the echong-2-dev project. We will create a service account aap-sa and a role aap-sa-role, bound to the echong-2-dev project with the RoleBinding aap-sa-rolebinding. The role is namespace-scoped, so a token for this service account can only act inside echong-2-dev. Save the following to a file (aap-sa.yml):
```yaml
---
# Service account that the AAP job pods will run as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aap-sa
  namespace: echong-2-dev
---
# Namespace-scoped role: only what the controller needs to create,
# attach to and clean up job pods (and their secrets) in this project
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aap-sa-role
  namespace: echong-2-dev
rules:
  - apiGroups:
      - ""
    resources:
      - pods/exec
      - pods/attach
      - pods
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
---
# Bind the role to the service account in the same namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aap-sa-rolebinding
  namespace: echong-2-dev
subjects:
  - kind: ServiceAccount
    name: aap-sa
    namespace: echong-2-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aap-sa-role
```
Create the service account, role and binding by running
```shell
oc apply -f aap-sa.yml -n echong-2-dev
```
Two tokens will be generated with the service account. Obtain the token string by running
```shell
oc sa get-token aap-sa
```
Save the token string for the next step. It is a long-lived token that carries the role's permissions in the namespace, so handle it like a password.
Create an AAP Credential
On the AAP controller, create a credential of type OpenShift or Kubernetes API Bearer Token. Enter the OpenShift Sandbox API endpoint and the service account token string from the previous step.
Create an AAP Container Group
On the AAP controller, create a Container Group under the Instance Groups menu. Use the OpenShift credential created in the previous step. Select Customize pod specification to make some additional modifications.
The default settings will try to pull the execution environment from your Automation Hub and use the default namespace. Remove the image line, which is actually not used: the image is determined by the execution environment specified in the template. Change the namespace to one of the projects created for you in the sandbox, and add the service account created above.
```yaml
apiVersion: v1
kind: Pod
metadata:
  namespace: echong-2-dev      # one of your sandbox projects, not "default"
spec:
  serviceAccount: aap-sa       # the service account created above
  containers:
    - name: worker             # no image line: AAP fills it in from the template's EE
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
```
That's it. Launch a playbook against an inventory that is reachable from the internet, since the execution environment is running in the cloud. Make sure the job/workflow template uses the container group we created as its Instance Group. We still need to specify an execution environment that is publicly accessible. Try the Default execution environment, which is pointing to
Custom Execution Environment
What if the default execution environment is not enough and we need to run it with a custom EE from a private repo on Quay.io?
First update the Custom pod spec for the Container Group to include an imagePullSecrets entry:
```yaml
apiVersion: v1
kind: Pod
metadata:
  namespace: echong-2-dev
spec:
  serviceAccount: aap-sa
  imagePullSecrets:
    - name: echong-aap-test-quay.io   # pull secret for the private Quay.io repo
  containers:
    - name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
```
Next create this imagePullSecrets entry on the OpenShift Sandbox using a robot account generated for the repo on Quay.io:
```shell
oc create secret docker-registry \
  --docker-server=quay.io \
  --docker-username=<robot account name> \
  --docker-password=<robot account token> \
  echong-aap-test-quay.io -n echong-2-dev
```
Create a new Execution Environment that points to the custom image on Quay.io accessible from this robot account.
The last step is to update the Job Template that uses the OpenShift Sandbox Container Group to use this execution environment. Now launch the template: a new pod will be deployed on the Sandbox using your custom execution environment from Quay.io.
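As an added example (not from this post or from AAP itself), the Python check below lints a container group pod spec and the namespace Role before you paste them into the controller, covering both the pod spec edits above and the private-registry variant: it flags the edits the post describes (namespace, service account, stray image line, missing imagePullSecrets entry) and any resource the Role leaves without the verbs the post grants. The sample specs are constructed to mirror the post's YAML and use its names (echong-2-dev, aap-sa, echong-aap-test-quay.io); the default-spec image value is a placeholder.

```python
REQUIRED_VERBS = {"get", "list", "watch", "create", "delete"}
REQUIRED_RESOURCES = {"pods", "pods/exec", "pods/attach", "secrets"}

def check_role(role):
    """List resources for which the Role lacks any of REQUIRED_VERBS."""
    granted = {}
    for rule in role.get("rules", []):
        if "" not in rule.get("apiGroups", []):  # only the core API group
            continue
        for res in rule.get("resources", []):
            granted.setdefault(res, set()).update(rule.get("verbs", []))
    return sorted(r for r in REQUIRED_RESOURCES
                  if not REQUIRED_VERBS <= granted.get(r, set()))

def check_pod_spec(pod, namespace, service_account, pull_secret=None):
    """List the edits still needed before pasting the spec into AAP."""
    findings = []
    if pod.get("metadata", {}).get("namespace") != namespace:
        findings.append(f"set metadata.namespace to {namespace}")
    spec = pod.get("spec", {})
    if spec.get("serviceAccountName", spec.get("serviceAccount")) != service_account:
        findings.append(f"set spec.serviceAccount to {service_account}")
    for c in spec.get("containers", []):
        if "image" in c:  # AAP sets the image from the template's EE
            findings.append(f"remove image from container {c.get('name')}")
    if pull_secret and pull_secret not in {
            s.get("name") for s in spec.get("imagePullSecrets", [])}:
        findings.append(f"add imagePullSecrets entry {pull_secret}")
    return findings

# Constructed samples mirroring the post's YAML (dicts stand in for
# yaml.safe_load output so this runs without extra packages).
ROLE = {"rules": [{"apiGroups": [""],
                   "resources": ["pods/exec", "pods/attach", "pods", "secrets"],
                   "verbs": ["get", "list", "watch", "create", "delete", "update"]}]}
WORKER_ARGS = ["ansible-runner", "worker", "--private-data-dir=/runner"]
DEFAULT_POD = {  # what AAP offers before editing: default namespace, image set
    "apiVersion": "v1", "kind": "Pod", "metadata": {"namespace": "default"},
    "spec": {"containers": [{"name": "worker", "args": WORKER_ARGS,
                             "image": "hub.example/ee-placeholder:latest"}]}}
FIXED_POD = {  # the post's final spec for the custom EE from Quay.io
    "apiVersion": "v1", "kind": "Pod", "metadata": {"namespace": "echong-2-dev"},
    "spec": {"serviceAccount": "aap-sa",
             "imagePullSecrets": [{"name": "echong-aap-test-quay.io"}],
             "containers": [{"name": "worker", "args": WORKER_ARGS}]}}

if __name__ == "__main__":
    print(check_role(ROLE))
    print(check_pod_spec(DEFAULT_POD, "echong-2-dev", "aap-sa", "echong-aap-test-quay.io"))
    print(check_pod_spec(FIXED_POD, "echong-2-dev", "aap-sa", "echong-aap-test-quay.io"))
```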
P.S. While writing this, the Ansible blog at ansible.com/blog published a similar article. Please check that out too!