Coder Social home page Coder Social logo

ansible-role-openshift-provision's Introduction


An Ansible role for provisioning resources within OpenShift clusters.

This role provides comprehensive OpenShift cluster resource provisioning using a declarative variable structure with multi-level resource definition lookups and template automation.

The openshift-provision ansible role may be used directly or using a containerized deployment pattern provided by the openshift-provision-manager.

Project Goals

Management of OpenShift resources should be:

  • Agnostic - allow management of any resource or custom resource type should be managable to configure any desired state.

  • Easy - easy things should be easy...

  • Flexible - ... and hard things should be possible.

  • Compatible - compatible with tools already in development workflow such as OpenShift templates (Helm charts support is on the project roadmap).

  • Idempotent - possible to run the tool repeatedly without changing the state.

  • Robust - able to converge from any configuration state, even when the resource was managed by hand.

  • Reportable - able to produce accurate reports of what is changed.

  • Auditable - able to produce a report of differences of current state from desired state without changing anything.

  • Traceable - resources configured by the management system should be obvious (feature is on the roadmap).

  • Stateful - resources from previous processing should be tracked in a way to allow rollback and cleanup (feature is on the roadmap).


Whether looking to contribute or just looking for some info, you can find us on ...




ansible-galaxy install


OpenShift 3.4, 3.5, 3.7, 3.9, 3.10, 3.11, & 4.0 ansible 2.4+ with Python 2.7+

A host with the oc command to run from.


The openshift_provision role may be run from any host with the oc command and access to the cluster with appropriate privileges to provision the resources specified in the calling playbook. For provisioning base cluster configuration it is recommended to run openshift_provision from a master node immediately following OpenShift cluster installation. For provisioning application projects and resources it is recommended to use another host, authenticating with a service account token. Username with password login is supported with the openshift_login module. The host processing the openshift_provision role must have the oc command and the Python JMESPath module for supporting the json_query ansible filter.

If this role is called with a openshift_resource_definition file variable, it will read variables from the file specified.

Role Variables

  • oc_cmd_base - The base oc command. Defaults to "oc", but can be set to specify a different path or add custom options

  • openshift_clusters - List of openshift cluster definitions as described below. If a single cluster is being configured then openshift_provision may be used instead.

  • openshift_cluster_provision_post_tasks - List of ansible tasks files to include after processing provision for each cluster

  • openshift_cluster_provision_pre_tasks - List of ansible tasks files to include immediately before processing provision for each cluster

  • openshift_connection_certificate_authority - Path to file containing signing certificate for OpenShift server. This option may also be set within openshift_clusters as connection.certificate_authority

  • openshift_connection_insecure_skip_tls_verify - If set to "true" then disable SSL/TLS checks when connectiong to OpenShift server. This option may also be set within openshift_clusters as connection.insecure_skip_tls_verify

  • openshift_connection_server - Server URL for connecting to the OpenShift cluster. Should by of the form "". This option may also be set within openshift_clusters as connection.server

  • openshift_connection_token - OpenShift user token. This option may also be set within openshift_clusters as connection.token

  • openshift_login_username - Login username. Use of a connection token is preferred to providing a username and password. This option may also be set within openshift_clusters as login.username

  • openshift_login_password - Login password. Use of a connection token is preferred to providing a username and password. This option may also be set within openshift_clusters as login.password

  • openshift_provision - Variable for single cluster management, ignored if openshift_clusters is set.

  • openshift_provision_change_record - Local filename in which to record all changes between current state and configured state.

  • openshift_resource_path - Default list of directories to search for file paths in cluster and project cluster_resources and resources definitions. Default to playbook directory

openshift_provision or openshift_clusters[*]

Top level definition of how to manage a cluster:

  • connection - OpenShift connection parameters, defined to match oc command line including server, certificate_authority, insecure_skip_tls_verify, and token. If omitted then it is assumed the environment is already has a valid OpenShift command line login session

  • login - Credentials for login to the OpenShift cluster, username and password

  • openshift_host_env - String or array of strings specifying hostnames. The cluster resources will only be provisioned if this variable is not set or if openshift_master_cluster_public_hostname equals a value in openshift_host_env

  • change_record - Local filename in which to record all changes between current state and configured state. Defaults to openshift_provision_change_record

  • cluster_resources - List of OpenShift resource definitions, these should be cluster level resources. Resources may be specified by a file path or inline OpenShift resource definition. If a file path is used it will be found using the value of resource_path. If the filename ends in ".j2" then it will be processed as a Jinja2 template.

  • cluster_role_bindings - List of roles and assigned users and groups, described below

  • groups - List of OpenShift groups to create along with group membership, described below

  • helm_charts - Helm chart templates to deploy to the cluster. Note that helm charts can also be managed at the project level.

  • process_templates - Templates to process to create resources at the cluster level, described below

  • projects - List of projects to manage, described below:

  • provision_post_tasks - List of ansible tasks files to include after processing provision this cluster

  • provision_pre_tasks - List of ansible tasks files to include immediately before processing provision for this cluster

  • resource_path - List of paths to search for resource definitons specified by relative file path under cluster_resources and resources, defaults to value of openshift_resource_path

  • resources - List of OpenShift resource definitions, these should be project level resources that define the namespace. Normally project resources should appear within projects, but sometimes specific ordering of resource creation may be desired. Resources are defined in the same manner as cluster_resources

openshift_provision.cluster_resources or openshift_clusters[*].cluster_resources

Cluster resources are the first items processed in provisioning. This is a list of OpenShift resource definitions that are created/updated using the oc command. The default action is oc apply, but may be overridden by setting "metadata.annotations.openshift-provision/action" on the resource. Values for action may be:

  • apply - Use oc apply to create or update the resource

  • create - Use oc create to create the resource. If the resource already exists then no action is taken

  • delete - Use oc delete to delete the resource. If the resource does not exist then no action is taken

  • patch - Use oc patch to update the resource. If the resource does not exist then an error is thrown

  • replace - Use oc replace to update the resource. If the resource does not exist then it is created with oc create

Besides the field action all other fields follow OpenShift standards. All resources must define


List of cluster role assignments. Each entry is a dictionary containing:

  • role - Name of cluster role for which role bindings are managed. Required

  • users - List of user names that should be granted access to this cluster role. Optional

  • groups - List of group names that should be granted access to this cluster role. Optional

  • remove_unlisted - Boolean to indicate whether users or groups not listed should be removed from any current access to this cluster role. Optional, default "false"

  • remove_unlisted_users - Same as remove_unlisted, but specifically targeting users. Optional, default "false"

  • remove_unlisted_groups - Same as remove_unlisted, but specifically targeting groups. Optional, default "false"


List of OpenShift groups to manage

  • name - Group name. Required

  • members - List of user names that should belong to this group. Optional

  • remove_unlisted_members - Boolean to indicate whether unlisted users should be removed from this group. Optional, default "false"


List of templates to process to manage resources for the cluster. The result items list from the processed template is then parsed and each resource in that list is processed by openshift_provision.

  • file - Filename or URL to use for template source, mutually exclusive with name

  • name - Template name to process, mutually exclusive with file

  • namespace - Namespace in which the template specified in name is found, default is this project

  • parameters - Dictionary of parameters to pass to the template. Optional

  • action - Action to process template output, values for action are the same as described for above for openshift_clusters[*].cluster_resources.

  • patch_type - Patch type to use when action is "patch".


  • name - Project name string

  • admin_create - Boolean flag to indicate if projects should be created with oc adm new-project, otherwise oc new-project is used. Defaults to false.

  • annotations - Dictionary of project annotations

  • description - Project description string

  • display_name - Project display name string

  • imagestreams - Names of imagestreams to create in the project. This parameter is meant to allow for simple creation of imagestreams such as are created by oc create imagestream NAME. For more sophisticated imagestream creation a full definition may be provided within resources

  • helm_charts - Helm chart templates to deploy to the project namespace.

  • join_pod_network - Name of target project to which this project network should be joined for use with multi-tenant SDN

  • labels - Dictionary of project labels

  • multicast_enabled - Boolean value indicating whether multicast should be enabled in the annotations on this project's netnamespace

  • node_selector - Node selector to apply to the project namespace

  • process_templates - Templates to process to create resources within this project, described below

  • resource_path - List of paths to search for resource definitons specified by relative file path under resources, defaults to resource_path value at cluster level

  • resources - Definitions of OpenShift resources to create in project. Resources may be specified by a file path or inline OpenShift resource definition. If a file path is used it will be found using the value of resource_path. If the filename ends in ".j2" then it will be processed as a Jinja2 template.

  • role_bindings - Role bindings to apply to project to grant or revoke user and group access to roles, described below

  • service_accounts - List of service accounts to provision within this project. Each entry is a name of a service account to create. Service accounts may also be created with resources, which allows for specifying secrets and imagePullSecrets.


List of templates to process to manage resources within project. The result items list from the processed template is then parsed and each resource in that list is processed by openshift_provision.

  • name - Template name to process

  • namespace - Namespace in which the template is found, default is this project

  • parameters - Dictionary of parameters to pass to the template. Optional

  • action - Action to process template output, values for action are the same as described for above for cluster_resources.

  • patch_type - Patch type to use when action is "patch".


This is a list of OpenShift resource definitions that are created/updated in a project using the oc command. The default action is oc apply, but may be overridden by setting the annotation "openshift-provision/action" within the resource. Values for action are the same as described above for cluster_resources. The annotation "openshift-provision/patch-type" may be used with the "patch" action.


List of project role assignments. Each entry is a dictionary containing:

  • role - Names the role to be managed. This can be the name of a ClusterRole or the name of a namespace Role given as {{namespace}}/{{rolename}}. Required

  • users - List of user names that should be granted access to this project role. Optional

  • groups - List of group names that should be granted access to this project role. Optional

  • remove_unlisted - Boolean to indicate whether users or groups not listed should be removed from any current access to this project role. Optional, default "false"

  • remove_unlisted_users - Same as remove_unlisted, but specifically targeting users. Optional, default "false"

  • remove_unlisted_groups - Same as remove_unlisted, but specifically targeting groups. Optional, default "false"


Helm charts are supported as a means of templating resources into the cluster. Helm support is provided without tiller or helm lifecycle hooks. Only fetching and templating helm charts is supported. If full helm lifecycle management is required then openshift-provision may be leveraged to deploy tiller into the cluster.

The value of helm_charts should be a list of dictionaries where each dictionary contains:

  • name - template release name, Optional
  • action - provision action, Optional, default: 'apply'
  • chart - chart to template, may be local path or chart name
  • chart_values - values for chart processing
  • fetch - options used for helm fetch, Optional
    • chart - chart argument to helm fetch
    • ca_file - verify certificates of HTTPS-enabled servers using this CA bundle
    • cert_file - identify HTTPS client using this SSL certificate file
    • devel - boolean, use development versions
    • key_file - identify HTTPS client using this SSL key file
    • password - chart repository password
    • repo - chart repository url where to locate the requested chart
    • username - chart repository username
    • version - specific version of a chart. Without this, the latest version is fetched


List of OpenShift project resources to create. Declaration is the same as specified above for projects[*].resources with the addition that each entry here must specify metadata.namespace to specify the target project for the resource.

Example Playbook with Provisioning by Role Variables

- hosts: masters[0]
     - role: openshift-logging-elasticsearch-hostmount
       resource_definition: ocp-resouces/app.yml

Example resources file:

    server: https://openshift-master.libvirt:8443
    token: abcdefghijklmnopqrstuvwxyz0123456798...

  - apiVersion: v1
    kind: ClusterRole
      creationTimestamp: null
      name: network-joiner
    - apiGroups:
      - ""
      attributeRestrictions: null
      - netnamespaces
      - create
      - delete
      - get
      - list
      - update
    - apiGroups:
      - ""
      attributeRestrictions: null
      - namespaces
      - projects
      - get
      - list
    - apiGroups:
      - ""
      attributeRestrictions: null
      - clusternetworks
      - get
  - apiVersion: v1
    kind: ClusterResourceQuota
      creationTimestamp: null
      name: serviceaccount-app-jenkins
          limits.cpu: "10"
          limits.memory: 20Gi
          requests.cpu: "5"
          requests.memory: 20Gi
        labels: null
  - apiVersion: v1
    kind: PersistentVolume
      creationTimestamp: null
        foo: bar
      name: nfs-foo
      - ReadWriteMany
        storage: 10Gi
        path: /export/foo
      persistentVolumeReclaimPolicy: Retain

  - role: self-provisioner
    - system:serviceaccount:app-dev:jenkins
  - role: network-joiner
    - system:serviceaccount:app-dev:jenkins
    - app-admin
    remove_unlisted: true

  - name: app-admin
    remove_unlisted_members: true
    - alice
    - bob

  - name: app-dev
    description: Application Description
    display_name: Application Name
      application: appname
    node_selector: region=app

    - name: httpd-example
      namespace: openshift

    - apiVersion: v1
      kind: ResourceQuota
        name: compute
          requests.cpu: "10"
          requests.memory: "50Gi"
          limits.cpu: "20"
          limits.memory: "50Gi"
    - apiVersion: v1
      kind: LimitRange
        name: compute
        - type: Pod
            cpu: 50m
            memory: 4Mi
            cpu: "2"
            memory: 5Gi
        - type: Container
            cpu: 50m
            memory: 4Mi
            cpu: "2"
            memory: 5Gi
            cpu: "1"
            memory: 1Gi
            cpu: 200m
            memory: 1Gi

    - role: admin
      groups: app-admin
      remove_unlisted: true
    - role: edit
      - system:serviceaccount:app-dev:jenkins
      remove_unlisted_users: true
    - role: view
      - app-developer

    - jenkins

Example Playbook with Provisioning with openshift_provision Module

- hosts: localhost
  connection: local
  gather_facts: no
      server: "{{ openshift_connection_server }}"
      token: "{{ openshift_connection_token }}"
  - role: openshift-logging-elasticsearch-hostmount

  - name: Provision BuildConfig
      connection: "{{ openshift_connection }}"
      namespace: example-project
        apiVersion: v1
        kind: BuildConfig
          name: test-buildconfig
          nodeSelector: null
              kind: ImageStreamTag
              name: testbuild:latest
          postCommit: {}
          resources: {}
          runPolicy: Serial
            type: Git
                kind: ImageStreamTag
                name: httpd:2.4
                namespace: openshift
            type: Source
          triggers: []

Example with Provisioning with openshift_provision Module and Login

- hosts: localhost
  connection: local
  gather_facts: no
      server: "{{ openshift_connection_server }}"
      token: "{{ openshift_connection_token }}"
  - role: openshift-logging-elasticsearch-hostmount

  - name: Login to OpenShift Cluster
      username: username
      password: password
      server: https://openshift-master.libvirt
      insecure_skip_tls_verify: "true"
    register: openshift_login

  - name: Provision Resource
      connection: "{{ openshift_login.session }}"
        apiVersion: v1
        kind: PersistentVolumeClaim
          name: test-persistentvolumeclaim
            testlabel: bar
          - ReadWriteOnce
              storage: 1Gi



Author Information

Johnathan Kupferer ([email protected])

ansible-role-openshift-provision's People


jkupferer avatar mtritab avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

ansible-role-openshift-provision's Issues

Failed resources - creation retry

Hi there, have an issue with project resource creation queue. Typically, after operator creation (Prometheus in my case) I need to create Custom Resources and couldn't because of operator's readiness itself. Looks like oc create is too fast. I have to run Ansible job at least twice. So I've tried to reorder resources in project definition but it will not help in all the cases cause order is not the same as dependencies. So nice to have here (suppose project-resources.yml) some loop to retry of resource creation. Not sure if it should be immediate retry with some timeout or registering new 'failed' array and run it again after main loop.

OCP: 3.11.117
ansible 2.6.17
python version = 2.7.5
Ansible exception:
[short-server-name] fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/home/jenkins/workspace/../local/bin311/oc --server= [|] --token=**** apply -f - -n xyz-monitoring", "msg": "error: unable to recognize \"STDIN\": no matches for kind \"Prometheus\" in version \"\"", "rc": 1, "stderr": "error: unable to recognize \"STDIN\": no matches for kind \"Prometheus\" in version \"\"\n", "stderr_lines": ["error: unable to recognize \"STDIN\": no matches for kind \"Prometheus\" in version \"\""], "stdout": "", "stdout_lines": []}

CronJobs are required to have annotations defined

The openshift-provision role fails if you try to manage a CronJob that does not have any annotations.

This was tested against an OpenShift 3.11 cluster, and the CronJob we were trying to manage was defined as a Jinja template.

Here is the error log into this issue:
Traceback (most recent call last):
    File "/tmp/ansible_phgzaB/", line 1536, in run_module
    File "/tmp/ansible_phgzaB/", line 1401, in provision
        patch = self.compare_resource(current_resource)
    File "/tmp/ansible_phgzaB/", line 1275, in compare_resource
        config = self.normalize_resource(compare_to)
    File "/tmp/ansible_phgzaB/", line 1145, in normalize_resource
    File "/tmp/ansible_phgzaB/", line 1196, in normalize_resource_CronJob
    File "/tmp/ansible_phgzaB/", line 501, in normalize_CronJob_V1beta1
    File "/tmp/ansible_phgzaB/", line 507, in normalize_CronJobSpec_V1beta1
    File "/tmp/ansible_phgzaB/", line 661, in normalize_JobTemplateSpec_V1beta1
    File "/tmp/ansible_phgzaB/", line 733, in normalize_ObjectMeta_V1
        'annotations': {}
    File "/tmp/ansible_phgzaB/", line 234, in set_dict_defaults
        if k not in d:
    TypeError: argument of type 'NoneType' is not iterable

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.