controller_instance_groups.yml
In these files we configure the instance groups for the automation controller.
Instance groups can add security when used correctly. When a team needs access to a certain set of systems and nothing else, you can use instance groups: first create an execution node/pod and make sure this node can only reach the systems this team needs access to (the confinement is only as strong as that node's network restriction), then create an instance_group containing this node/pod.
Then assign this instance group to the teams in the organization, and the team is confined to this instance group. In this example config, the mgt team in development has a separate instance_group assigned.
We will probably do this on each environment separately, as the hostnames differ.
The infra.aap_configuration collection expects the values in the variable controller_instance_groups.
As we intend to configure everything just once, we split the set of vars into the environments and join the lists in main.yml, before calling the collection.
If there are no instance_groups defined, do not add this file.
If you do, ensure the file is present in all branches, with the correct content, as described below.
variables
The API understands the following structure to define instance groups in RHAAP:
```json
{
  "name": "",
  "max_concurrent_jobs": 0,
  "max_forks": 0,
  "is_container_group": false,
  "credential": null,
  "policy_instance_percentage": 0,
  "policy_instance_minimum": 0,
  "policy_instance_list": [],
  "pod_spec_override": ""
}
```
Below is a very simple example of how to use this.
group_vars/all/controller_instance_groups.yml
Here we see an empty set for all.
```yaml
---
controller_instance_groups_all: []
...
```
Note that the variable name used here has the "_all" suffix, so the variable will not be overridden by the environment-specific file, as this is not quite an inventory.
Why we do this will become clear in a moment.
group_vars/dev/controller_instance_groups.yml
As we configure one extra instance group in development, this file is not an empty set.
Just as an example, we create an instance group that uses the default execution node, and a container group with a pod spec override.
```yaml
---
controller_instance_groups_dev:
  - name: ig_mgt
    instances:
      - rhaap25.homelab
    state: present
  - name: MGT_instance_group_openshift
    is_container_group: true
    pod_spec_override: |
      apiVersion: v1
      kind: Pod
      metadata:
        namespace: <name>
        labels:
          <labels>
      spec:
        containers:
          - name: worker
            args:
              - /bin/sh
              - -c
              - |
                sleep 600 && ansible-runner worker --private-data-dir=/runner
            resources:
              requests:
                cpu: 150m
                memory: 100Mi
      ...
...
```
Here the variable has the "_dev" extension, so the variable will not be overridden.
group_vars/prod/controller_instance_groups.yml
As we do not configure extra instance_groups in prod, this file is an empty set.
```yaml
---
controller_instance_groups_prod: []
# No extra config exists
...
```
Here the variable has the "_prod" extension, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure will provide us with two variables:
- controller_instance_groups_all
- controller_instance_groups_<branch_name>
We will merge these two variables into one, controller_instance_groups, and feed this to the infra.aap_configuration.controller_instance_groups role.
In main.yml the merge of the variables is done by this piece of code:
```yaml
- name: Set the controller vars
  ansible.builtin.set_fact:
    controller_instance_groups: >
      {{ controller_instance_groups_all |
         community.general.lists_mergeby(vars['controller_instance_groups_' + branch_name],
                                         'name', recursive=true, list_merge='append') }}
```
This results in the controller_instance_groups variable the collection needs.
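To see what the merge above actually produces before it reaches the controller, here is an added Python model of the merge (not the collection's or the filter's own code): it approximates lists_mergeby with recursive dict merging and list appending, keyed on name, and assumes a constructed group_vars/all entry plus an extra constructed host rhaap26.homelab so that a group defined in both files shows how lists are combined.

```python
from copy import deepcopy


def merge_hash(a: dict, b: dict, recursive: bool = True, list_merge: str = "append") -> dict:
    """Merge dict b into a copy of dict a: nested dicts recurse, lists append, scalars from b win."""
    out = deepcopy(a)
    for key, val in b.items():
        cur = out.get(key)
        if recursive and isinstance(cur, dict) and isinstance(val, dict):
            out[key] = merge_hash(cur, val, recursive, list_merge)
        elif list_merge == "append" and isinstance(cur, list) and isinstance(val, list):
            # 'append' concatenates; a host listed in both files would appear twice,
            # so review the merged instances before applying the config.
            out[key] = cur + val
        else:
            out[key] = deepcopy(val)
    return out


def lists_mergeby(*lists: list, key: str = "name") -> list:
    """Approximation of community.general.lists_mergeby: later lists merge into earlier ones by key."""
    merged: dict = {}
    for items in lists:
        for item in items:
            merged[item[key]] = merge_hash(merged.get(item[key], {}), item)
    # Assumed: the real filter returns the result sorted by the merge key.
    return sorted(merged.values(), key=lambda d: d[key])


# Constructed sample data: a shared ig_mgt definition in group_vars/all (not on the original page) ...
CONTROLLER_INSTANCE_GROUPS_ALL = [
    {"name": "ig_mgt", "max_forks": 10, "instances": ["rhaap25.homelab"]},
]
# ... and the dev file adding a second (constructed) execution node plus the container group.
CONTROLLER_INSTANCE_GROUPS_DEV = [
    {"name": "ig_mgt", "instances": ["rhaap26.homelab"], "state": "present"},
    {"name": "MGT_instance_group_openshift", "is_container_group": True},
]
ENV_VARS = {"dev": CONTROLLER_INSTANCE_GROUPS_DEV, "prod": []}  # stands in for vars['controller_instance_groups_' + branch_name]


def controller_instance_groups(branch_name: str) -> list:
    """Same merge as the set_fact task in main.yml, for the given branch/environment."""
    return lists_mergeby(CONTROLLER_INSTANCE_GROUPS_ALL, ENV_VARS[branch_name])


if __name__ == "__main__":
    for env in ("dev", "prod"):
        for group in controller_instance_groups(env):
            print(env, group["name"], group.get("instances", []))
```

For prod the result is just the shared list; for dev the ig_mgt group ends up with both hosts and state: present, and the container group is added alongside it.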