configure ansible tower to use execution container group

Author: Jakub Veverka

GCP_VM_Create.yml

@@ -9,36 +9,36 @@
     region: "europe-west3"
 
   tasks:
-   - name: create a disk
-     gcp_compute_disk:
-         name: "{{ vm_disk_name | default('ansible-tower-test-disk', true) }}"
-         size_gb: 50
-         source_image: 'projects/ubuntu-os-cloud/global/images/family/ubuntu-1604-lts'
-         zone: "{{ zone }}"
-         project: "{{ gcp_project }}"
-         state: present
-     register: disk
-   - name: create a address
-     gcp_compute_address:
-         name: "{{ vm_address_name | default('ansible-tower-test-address', true) }}"
-         region: "{{ region }}"
-         project: "{{ gcp_project }}"
-         state: present
-     register: address
-   - name: create a instance
-     gcp_compute_instance:
-         state: present
-         name: "{{ vm_name | default('ansible-tower-test', true) }}"
-         machine_type: n1-standard-1
-         disks:
-           - auto_delete: true
-             boot: true
-             source: "{{ disk }}"
-         network_interfaces:
-             - network: null # use default
-               access_configs:
-                 - name: 'External NAT'
-                   nat_ip: "{{ address }}"
-                   type: 'ONE_TO_ONE_NAT'
-         zone: "{{ zone }}"
-         project: "{{ gcp_project }}"
+  - name: create a disk
+    gcp_compute_disk:
+        name: "{{ vm_disk_name | default('ansible-tower-test-disk', true) }}"
+        size_gb: 50
+        source_image: 'projects/ubuntu-os-cloud/global/images/family/ubuntu-1604-lts'
+        zone: "{{ zone }}"
+        project: "{{ gcp_project }}"
+        state: present
+    register: disk
+  - name: create a address
+    gcp_compute_address:
+        name: "{{ vm_address_name | default('ansible-tower-test-address', true) }}"
+        region: "{{ region }}"
+        project: "{{ gcp_project }}"
+        state: present
+    register: address
+  - name: create a instance
+    gcp_compute_instance:
+        state: present
+        name: "{{ vm_name | default('ansible-tower-test', true) }}"
+        machine_type: n1-standard-1
+        disks:
+          - auto_delete: true
+            boot: true
+            source: "{{ disk }}"
+        network_interfaces:
+            - network: null # use default
+              access_configs:
+                - name: 'External NAT'
+                  nat_ip: "{{ address }}"
+                  type: 'ONE_TO_ONE_NAT'
+        zone: "{{ zone }}"
+        project: "{{ gcp_project }}"

GCP_VM_Delete.yml

@@ -5,8 +5,6 @@
   gather_facts: no
   vars:
     gcp_project: ceenter
-    scopes:
-      - https://www.googleapis.com/auth/compute
     zone: "europe-west3-a"
     region: "europe-west3"
 
@@ -17,3 +15,9 @@
       name: "{{ vm_name | default('ansible-tower-test', true) }}"
       zone: "{{ zone }}"
       project: "{{ gcp_project }}"
+  - name: delete an address
+    gcp_compute_address:
+        name: "{{ vm_address_name | default('ansible-tower-test-address', true) }}"
+        region: "{{ region }}"
+        project: "{{ gcp_project }}"
+        state: absent

README.md

@@ -51,7 +51,9 @@ Download [GCP credentials](https://docs.ansible.com/ansible/latest/scenario_guid
 ansible-playbook GCP_VM_Create.yml
 ```
 
-## Ansible Tower Setup
+## Ansible Tower
+
+### Tower setup
 
 Create Credential:
 - GCP connection
@@ -68,3 +70,30 @@ Create Job Templates:
 Authenticate Ansible Tower to Automation-hub:
 - Retrieve token at https://cloud.redhat.com/ansible/automation-hub/token
 - Update token in Ansible Tower: https://www.ansible.com/blog/installing-and-using-collections-on-ansible-tower
+
+### OpenShift setup
+
+Additional Container Group on OpenShift
+- `oc create -f ocp-setup/role-pod-manager.yml`
+- `oc create -f ocp-setup/sa-tower-container-group.yml`
+- `oc create -f ocp-setup/rb-tower-container-group.yml`
+
+Download serviceaccount credentials, e.g. from ui download serviceaccount kubeconfig.
+
+Customize Pod Spec on Instance Group
+```yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: tower
+spec:
+  containers:
+    - image: quay.io/jveverka/ansible-runner-google:1.4.6
+      tty: true
+      stdin: true
+      imagePullPolicy: Always
+      args:
+        - sleep
+        - infinity
+```

ocp-setup/rb-tower-container-group.yml

@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tower-container-group
+  namespace: tower
+subjects:
+  - kind: ServiceAccount
+    name: tower-container-group
+    namespace: tower
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-manager

ocp-setup/role-pod-manager.yml

@@ -0,0 +1,26 @@
+---
+# Role for managing Pods, presumably by Ansible Tower
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-manager
+  namespace: tower
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods/exec

ocp-setup/sa-tower-container-group.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tower-container-group
+  namespace: tower