GitOps Pipeline for an Execution Environment (EE) with Ansible Collections
Categories:
Projects: c2platform/rws/ansible-gis,
c2platform/ansible-collection-core,
c2platform/ansible-collection-mw,
c2platform/rws/ansible-execution-environment,
c2platform/ansible-collection-mgmt
Introduction
When using the Ansible Automation Platform (AAP), there are three strategies for managing Ansible collections:
- Include collections in the EE.
- Pull collections using
requirements.yml1. - A combination of both.
Each approach has its pros and cons. A significant downside of using an EE is
that the EE and its version are defined externally in AAP, preventing a pure
GitOps approach. This how-to guide describes how to use an AAP Workflow and an
Ansible Job Template to configure AAP to use a specific EE version before other
Job Templates run. The Job Template utilizes the Ansible role
c2platform.mgmt.awx to manage the EE version. Red Hat recommends using only
the EE for performance reasons2
Collection Strategies
Only use the requirements.yml file
This is easy and flexible, suitable at the start of a project when many updates are made to collections. The downside is longer job times as collections are fetched each time.
---
collections:
- name: c2platform.core
version: 1.0.21
- name: https://gitlab.com/c2platform/rws/ansible-collection-wincore.git
type: git
version: master
Show Diagram
Only use the EE
Jobs run faster on AWX. The downside is the need to release new versions of the collection and EE and manually configure the new EE version in AWX3.
Show Diagram
Use both the EE and the requirements.yml**
Add community collections to the EE and use requirements.yml for frequently
updated collections.
A downside to adding collections to the EE is that it complicates a DTAP promotion model setup in Git. This can be overcome by setting up a workflow in AWX that configures the correct EE version.
Prerequisites
- Ensure
gsd-awx1is up and running. Refer to Setup the Automation Controller (AWX) using Ansible. - Configure SSH connections if running Ansible plays without Vagrant. Refer to Using Ansible without Vagrant.
Change the EE
This section demonstrates how to change the EE in AAP in a workflow job so that the new EE becomes available to jobs that run after that job.
This section demonstrates how to change the EE in AAP in a workflow job so that the new EE becomes available to jobs that run after that job.
- In the
ansible-gisproject, switch to thedevelopmentbranch and editgroup_vars/awx/awx.yml. Definegs_ee_imagesas follows:Remove or disable the line withgs_ee_images: default: registry.gitlab.com/c2platform/rws/ansible-execution-environment:0.1.18 development: quay.io/ansible/awx-ee:24.4.0development, commit, and push back to the development branch. - Navigate to https://awx.c2platform.org/#/execution_environments
. Verify that
quay.io/ansible/awx-ee:24.4.0is the EE. - Navigate to https://awx.c2platform.org/#/templates
and click on the Visualizer link of
gsd-awx-collections-workflow. This shows a workflow with five nodes. - Launch the workflow.
- When the workflow completes, verify that
gsd-collections1showsquay.io/ansible/awx-ee:24.4.0andgsd-collections2showsregistry.gitlab.com/c2platform/rws/ansible-execution-environment:0.1.18.
This demonstrates that we can include the EE in our DTAP promotion model
similarly to how we use the requirements.yml file by setting up a workflow
that includes a job like gsd-awx-ee to manage the EE for the environment.
Promote the EE
This section shows how we can promote changes, including the EE, from development to test.
- Create the configuration in AWX for the
testenvironment using nodegst-awx14:export PLAY=plays/mgmt/awx_config.yml ansible-playbook $PLAY -i hosts.ini --limit=gst-awx1Note:
Running Ansible commands directly will only work if you set up the necessary SSH configuration for it. Refer to Using Ansible without Vagrant for more information. - Using the AWX web interface, launch
gst-awx-collections-workflow. - After completion, verify no difference between collections in
gst-collections1andgst-collections2. - In the
developmentbranch, change the default image to0.1.19. Commit and push.gs_ee_images: default: registry.gitlab.com/c2platform/rws/ansible-execution-environment:0.1.19 development: quay.io/ansible/awx-ee:24.4.0 - Merge changes to the
testbranch and launchgst-awx-collections-workflow. - After completion, verify differences between outputs of
gst-collections1andgst-collections2.
Review
In the Ansible Inventory project c2platform/rws/ansible-gis:
- The play
plays/mgmt/awx.yml, which shows Ansible roles utilized to create thegsd-awx1node. - Files inside
group_vars/awx. These files contain configuration. - The file
Vagrantfile.yml, which defines the Vagrant LXD machine.
The Ansible role c2platform.mgmt.awx in the Ansible Management Collection
c2platform/ansible-collection-mgmt. This role uses
modules from the awx.awx collection to configure AWX (job templates,
workflows).
The Ansible roles c2platform.mw.microk8s and c2platform.mw.kubernetes in the
Ansible Middleware collection c2platform/ansible-collection-mw. The first role
creates a Kubernetes instance; the second installs AWX on the cluster.
Tips
If you are experimenting or developing with AWX configuration, you can use tags to speed up provisioning:
export PLAY=plays/mgmt/awx_config.yml
ansible-playbook $PLAY -i hosts.ini --limit=gsd-awx1 --tags secrets,awx_workflow_job_template,awx_workflow_job_template_node
You can also use tags when using Vagrant:
export PLAY=plays/mgmt/awx_config.yml
TAGS=secrets,awx_workflow_job_template,awx_workflow_job_template_node vagrant provision gsd-awx1
Notes
The requirements file should be stored in the folder
collections, as is the case in theansible-gisproject. ↩︎There is no official source for this position. This is communicated by a Red Hat consultant to RWS after issues were raised about the time it takes to fetch Ansible collections from Galaxy and Ansible Automation Hub at the RWS site. ↩︎
At least this is the current setup of the project. It is possible to change the GitLab CI/CD pipeline for the EE to release a
latestversion based not on released Galaxy collections but by directly pulling collections from the Git repository master branch. Using webhooks, changes to collections would trigger the pipeline to produce a newlatestversion. In AWX, this latest version can then be configured for use. ↩︎The node
gst-awx1is not a normal Vagrant machine; it is only an alias forgsd-awx1. Inhosts.ini, we define it as a separate node inside thetestenvironment so that we can create AWX configuration for this environment. For this reason, we also cannot managegst-awx1using Vagrant; it doesn’t exist for Vagrant but only for Ansible. ↩︎
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.