#5476 How to bring an external ansible repo into Fedora Infra
Closed: Fixed 3 years ago Opened 3 years ago by maxamillion.

Currently OSBS is deployed using in-house OpenShift playbooks which are relatively simple compared to upstream openshift-ansible[0] playbooks, however moving forward we need to address the need for a multi-node OpenShift cluster in order to properly scale out OSBS. The upstream openshift-ansible playbooks handle the deployment of everything in multi-node scenarios (including the overlay SDN) and there are plans to include upgrade procedures as well[1]. The OpenShift ops/dev team as well as the greater contributor community is very rapidly revving these playbooks and I don't think it's realistic to maintain our own in-house version for the multi-node scenario. I would like to request from the Infrastructure Team some kind of policy or procedure in which outside repos can be "imported" into the Fedora Infrastructure environment such that they can be executed via the rbac playbook tool. I was thinking of point-in-time snapshots that can be rebased on their upstream sources periodically. These can either live in Fedora's ansible repo (maybe in a third-party dir or something?) or not, I'm not entirely sure how to accomplish this but would like to instead pose the question to the group.

Thank you,
-AdamM

[0] - https://github.com/openshift/openshift-ansible
[1] - https://github.com/openshift/openshift-ansible/issues/2293


This has been tabled for now, nirik said he would look into it.

So, here's what I think we should do:

  • Modify the batcave role to include checking out the external git repo(s) we want in /srv/web/infra/<name>/ with a specific known hash.

  • Adjust our ansible config to add those repos to our role_path so it looks for roles there.

Then we run our playbooks as usual, but they can include the external roles.

We would need to make sure that the external repos we use don't conflict with variables or things we have in our main ansible repo and we would need to change the git checkout hash anytime we wanted to 'sync up' with upstream changes.

Does that sound like a reasonable plan? If so I can look at adding the openshift-ansible repo after freeze, or as a Freeze break if needed.

Sounds good, where would I need to "register" an external repo with a git url and hash value?

So, here's what a proposed patch would look like:

diff --git a/roles/ansible-server/templates/ansible.cfg.j2 b/roles/ansible-server/templates/ansible.cfg.j2
index 642ce05..7242eab 100644
--- a/roles/ansible-server/templates/ansible.cfg.j2
+++ b/roles/ansible-server/templates/ansible.cfg.j2
@@ -37,7 +37,7 @@ display_args_to_stdout = True
 gathering = smart

 # additional paths to search for roles in, colon separated
-roles_path    = {{ ansible_base }}/ansible/roles
+roles_path    = {{ ansible_base }}/ansible/roles:{{ ansible_base }}/openshift-ansible/roles

 # uncomment this to disable SSH key host checking
 #host_key_checking = False
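Review bot: The new roles_path value puts {{ ansible_base }}/openshift-ansible/roles on the global search path, so every playbook run with this ansible.cfg can resolve any role in that checkout by bare name, and a role name present in both trees resolves to the first entry without any warning. The ordering is what keeps the in-house roles authoritative, so the comment above the setting should state that external repos must come after {{ ansible_base }}/ansible/roles. Building the list from a variable would also avoid editing the template again for the next external repo.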
diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml
index 78fbd92..16cf5ab 100644
--- a/roles/batcave/tasks/main.yml
+++ b/roles/batcave/tasks/main.yml
@@ -438,3 +438,15 @@
   - selinux
   - httpd
   - httpd/website
+
+#
+# We setup some external ansible repos here to use for complex applications we deploy
+#
+- name: local clone of 
+  git: >
+      refspec=c8683028b1c8228a531fac5f1753ff2698b316fc
+      dest=/srv/web/infra/openshift-ansible
+      repo=https://github.com/openshift/openshift-ansible
+  tags:
+  - config
+  - batcave
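Review bot: The git task passes the commit hash as refspec= and sets no version=, so the checkout is not pinned to that commit. In the Ansible git module, refspec only names an additional ref to fetch, while version (default HEAD) selects what is checked out, so each batcave run would follow whatever upstream HEAD is at that moment. Move the hash to version=c8683028b1c8228a531fac5f1753ff2698b316fc and keep refspec only if that commit is not reachable from the default fetch. The task name "local clone of " is also cut off and should name the repo.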

If that looks right to you we can land it after freeze and work on any role overlaps.

This makes sense to me, how would I actually do the import of the openshift-ansible repo though? I don't think I have permissions on {{ ansible_base }}, should that be some sort of request ticket filed?

Also, would the roles in {{ ansible_base }}/roles take precedence in the event there's overlap? (I'm hoping this is the default behavior so that an import of an external repo doesn't cause a failure of Fedora Infra playbooks)

The import would be done when the batcave playbook runs after that patch is applied, i.e., ansible would check out the git repo with that hash at that location.
{{ ansible_base }} is /srv/web/infra/ :grin:

Yes, it should look in the path in that order for a role matching rolename.

So, we just need to apply this, then check for any overlap in variables or role names or whatever.
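The overlap check mentioned above, sketched as an added example that is not part of the ticket or of Fedora Infra's tooling: it walks a colon-separated roles_path in search order, lists role names provided by more than one directory, and goes one step further by listing top-level variable names set by more than one role. The function names `scan` and `demo`, the role names and the variable values are constructed for illustration, and the variable scan is a heuristic that reads only column-0 keys in `defaults/main.yml` and `vars/main.yml`.

```python
import os
import re
import tempfile
# Top-level YAML keys only (column 0); nested keys and includes are not followed.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:", re.M)

def role_vars(role_dir):
    """Variable names set in a role's defaults/main.yml and vars/main.yml."""
    names = set()
    for sub in ("defaults", "vars"):
        path = os.path.join(role_dir, sub, "main.yml")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                names.update(TOP_LEVEL_KEY.findall(fh.read()))
    return names

def scan(roles_path):
    """Return (shadowed, shared) for a colon-separated roles_path: role name ->
    providing dirs in search order (first wins); variable -> role dirs setting it."""
    providers, owners = {}, {}
    for base in filter(None, roles_path.split(":")):
        for role in sorted(os.listdir(base)) if os.path.isdir(base) else []:
            role_dir = os.path.join(base, role)
            if os.path.isdir(role_dir):
                providers.setdefault(role, []).append(base)
                for var in role_vars(role_dir):
                    owners.setdefault(var, set()).add(role_dir)
    shadowed = {r: p for r, p in providers.items() if len(p) > 1}
    shared = {v: sorted(o) for v, o in owners.items() if len(o) > 1}
    return shadowed, shared

def demo():
    """Constructed sample tree: role 'docker' and two variables collide."""
    root = tempfile.mkdtemp()
    files = {  # constructed role names and values, not taken from either repo
        "ansible/roles/docker/defaults/main.yml": "docker_version: 1.10\n",
        "ansible/roles/httpd/defaults/main.yml": "httpd_port: 80\n",
        "openshift-ansible/roles/docker/defaults/main.yml": "docker_version: 1.12\n",
        "openshift-ansible/roles/sample_node/vars/main.yml": "httpd_port: 8443\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    ours, theirs = (os.path.join(root, d, "roles") for d in ("ansible", "openshift-ansible"))
    return ours, theirs, scan(ours + ":" + theirs)

if __name__ == "__main__":
    print(demo()[2])
```

Running `scan` again after every change of the pinned hash shows whether the new upstream snapshot introduced a role or variable name that the in-house tree already uses.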

This has been pushed out now.

@kevin changed the status to Closed

3 years ago
