controller_instance_groups.yml
In these files we configure the instance_groups for automation controller.
Instance groups can add additional security when used correctly. When a team needs access to a certain number of systems and nothing else, you can use instance groups: first create an executor node/pod and make sure this node can only reach the systems this team needs access to, then create an instance_group containing this pod/node.
Then assign this instance group to the teams in the organization, and the team is confined to this instance group. In this example config, the mgt team in development has a separate instance_group assigned.
We will probably do this on each environment separately, as the hostnames differ.
Variables
The API understands the following structure to define instance groups in RHAAP:
```json
{
  "name": "",
  "max_concurrent_jobs": 0,
  "max_forks": 0,
  "is_container_group": false,
  "credential": null,
  "policy_instance_percentage": 0,
  "policy_instance_minimum": 0,
  "policy_instance_list": [],
  "pod_spec_override": ""
}
```
Below there is a very simple example for the usage of this.
group_vars/all/controller_instance_groups.yml
Here we see an empty set for all.
```yaml
---
controller_instance_groups_all: []
...
```
But you can already see that the variable name used here has the "_all" suffix, so the variable will not be overridden by the environment-specific files, as this is not quite an inventory: each group_vars file defines its own distinctly named variable.
Why we do this will become clear in a moment.
group_vars/dev/controller_instance_groups.yml
As we configure extra instance groups in development, this file is not an empty set.
Just as an example, we create an instance group that uses the default node (rhaap25.homelab) and a container group with a pod_spec_override.
```yaml
---
controller_instance_groups_dev:
  - name: ig_mgt
    instances:
      - rhaap25.homelab
    state: present
  - name: MGT_instance_group_openshift
    is_container_group: true
    pod_spec_override: |
      apiVersion: v1
      kind: Pod
      metadata:
        namespace: <name>
        labels:
          <labels>
      spec:
        containers:
          - name: worker
            args:
              - /bin/sh
              - -c
              - |
                sleep 600 && ansible-runner worker --private-data-dir=/runner
            resources:
              requests:
                cpu: 150m
                memory: 100Mi
            ...
...
```
Here the variable has the "_dev" suffix, so the variable will not be overridden.
group_vars/prod/controller_instance_groups.yml
As we do not configure extra instance_groups in prod, this file is an empty set.
```yaml
---
controller_instance_groups_prod: []
# No extra config exists
...
```
Here the variable has the "_prod" suffix, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables:
- controller_instance_groups_all
- controller_instance_groups_<branch_name> (the suffix is the environment name, e.g. _dev or _prod)
We will merge these 2 variables into 1, controller_instance_groups, and feed this to the infra.aap_configuration.controller_instance_groups role.
In main.yml the merge of the variables is done by this piece of code:
```yaml
- name: Set the controller vars
  ansible.builtin.set_fact:
    controller_instance_groups: >
      {{ controller_instance_groups_all |
         community.general.lists_mergeby(vars['controller_instance_groups_' + branch_name],
                                         'name', recursive=true, list_merge='append') }}
```
This results in the controller_instance_groups variable the collection needs.
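The merge above matters for the confinement described at the top of this page: with `recursive=true` and `list_merge='append'`, an environment file that reuses a group name from group_vars/all does not replace that group but extends its `instances` list. The following is an added example (plain-Python emulation of the lists_mergeby semantics, not the collection's own code) with constructed sample data that shows this, so you can check that a team's instance group only contains the nodes you intended before the role applies it.

```python
"""Emulate community.general.lists_mergeby(..., 'name', recursive=True,
list_merge='append') to inspect what the merged instance groups will contain.
This is an added illustration, not the collection's implementation."""
from copy import deepcopy


def merge_values(old, new):
    """Recursive combine: dicts merge key by key, lists are appended,
    scalars from the environment-specific list win."""
    if isinstance(old, dict) and isinstance(new, dict):
        out = deepcopy(old)
        for key, value in new.items():
            out[key] = merge_values(out[key], value) if key in out else deepcopy(value)
        return out
    if isinstance(old, list) and isinstance(new, list):
        return old + new
    return deepcopy(new)


def lists_mergeby(base, extra, key="name"):
    """Merge two lists of dicts on `key`; the result is sorted by that key,
    as the Ansible filter does."""
    merged = {}
    for item in base + extra:
        name = item[key]
        merged[name] = merge_values(merged[name], item) if name in merged else deepcopy(item)
    return [merged[name] for name in sorted(merged)]


# Constructed sample: group_vars/all defines ig_mgt with one node, and the dev
# file reuses the same group name with a second node (not the page's own data).
controller_instance_groups_all = [
    {"name": "ig_mgt", "instances": ["rhaap25.homelab"], "state": "present"},
]
controller_instance_groups_dev = [
    {"name": "ig_mgt", "instances": ["rhaap26.homelab"]},
    {"name": "MGT_instance_group_openshift", "is_container_group": True},
]


def merged_groups():
    """What the set_fact task would produce for the dev environment."""
    return lists_mergeby(controller_instance_groups_all, controller_instance_groups_dev)


def instances_of(groups, name):
    """Return the node list a given instance group will end up with."""
    return next(group.get("instances", []) for group in groups if group["name"] == name)


if __name__ == "__main__":
    for group in merged_groups():
        print(group["name"], instances_of(merged_groups(), group["name"]))
```

Run it before a pipeline: if a group that should confine a team lists more instances than its environment file alone suggests, the extra nodes came from group_vars/all via the append.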