Configure Ansible Tower to use execution Container Group

mainly documentaiton of how to set OpenShift and Tower.
Custom container image had to be used because there gcp modules don't run on
default Ansible Tower instance group.

Author: Jakub Veverka

GCP_VM_Delete.yml

@@ -5,8 +5,6 @@
   gather_facts: no
   vars:
     gcp_project: ceenter
-    scopes:
-      - https://www.googleapis.com/auth/compute
     zone: "europe-west3-a"
     region: "europe-west3"
 
@@ -17,3 +15,9 @@
       name: "{{ vm_name | default('ansible-tower-test', true) }}"
       zone: "{{ zone }}"
       project: "{{ gcp_project }}"
+  - name: delete an address
+    gcp_compute_address:
+        name: "{{ vm_address_name | default('ansible-tower-test-address', true) }}"
+        region: "{{ region }}"
+        project: "{{ gcp_project }}"
+        state: absent

README.md

@@ -51,7 +51,9 @@ Download [GCP credentials](https://docs.ansible.com/ansible/latest/scenario_guid
 ansible-playbook GCP_VM_Create.yml
 ```
 
-## Ansible Tower Setup
+## Ansible Tower
+
+### Tower setup
 
 Create Credential:
 - GCP connection
@@ -68,3 +70,32 @@ Create Job Templates:
 Authenticate Ansible Tower to Automation-hub:
 - Retrieve token at https://cloud.redhat.com/ansible/automation-hub/token
 - Update token in Ansible Tower: https://www.ansible.com/blog/installing-and-using-collections-on-ansible-tower
+
+### OpenShift setup
+
+Additional Container Group on OpenShift
+- `oc create -n tower -f ocp-setup/role-pod-manager.yml`
+- `oc create -n tower -f ocp-setup/sa-tower-container-group.yml`
+- `oc create -n tower -f ocp-setup/rb-tower-container-group.yml`
+
+Download serviceaccount credentials, e.g. from ui download serviceaccount kubeconfig.
+
+Customize Pod Spec on Instance Group
+```yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: tower
+spec:
+  containers:
+    - image: quay.io/ceenter/ansible-runner-google:1.4.6
+      tty: true
+      stdin: true
+      imagePullPolicy: Always
+      args:
+        - sleep
+        - infinity
+```
+
+Container image is build in [ansible-runner-images repository](https://github.com/ceenter/ansible-runner-images).

ocp-setup/rb-tower-container-group.yml

@@ -0,0 +1,13 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tower-container-group
+subjects:
+  - kind: ServiceAccount
+    name: tower-container-group
+    namespace: tower
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-manager

ocp-setup/role-pod-manager.yml

@@ -0,0 +1,25 @@
+---
+# Role for managing Pods, presumably by Ansible Tower
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-manager
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods/exec

ocp-setup/sa-tower-container-group.yml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tower-container-group