Ansible Operator Watches

The Watches file contains a list of mappings from custom resources, identified by it’s Group, Version, and Kind, to an Ansible Role or Playbook. The Operator expects this mapping file in a predefined location: /opt/ansible/watches.yaml These resources, as well as child resources (determined by owner references) will be monitored for updates and cached.

  • group: The group of the Custom Resource that you will be watching.
  • version: The version of the Custom Resource that you will be watching.
  • kind: The kind of the Custom Resource that you will be watching.
  • role (default): Specifies a role to be executed. This field is mutually exclusive with the “playbook” field. This field can be:
    • an absolute path to a role directory.
    • a relative path within one of the directories specified by ANSIBLE_ROLES_PATH environment variable or ansible-roles-path flag.
    • a relative path within the current working directory, which defaults to /opt/ansible/roles.
    • a fully qualified collection name of an installed Ansible collection. Ansible collections are installed to ~/.ansible/collections or /usr/share/ansible/collections by default. If they are installed elsewhere, use the ANSIBLE_COLLECTIONS_PATH environment variable or the ansible-collections-path flag
  • playbook: This is the playbook name that you have added to the container. This playbook is expected to be simply a way to call roles. This field is mutually exclusive with the “role” field. When running locally, the playbook is expected to be in the current project directory.
  • vars: This is an arbitrary map of key-value pairs. The contents will be passed as extra_vars to the playbook or role specified for this watch.
  • reconcilePeriod (optional): The reconciliation interval, how often the role/playbook is run, for a given CR.
  • manageStatus (optional): When true (default), the operator will manage the status of the CR generically. Set to false, the status of the CR is managed elsewhere, by the specified role/playbook or in a separate controller.
  • blacklist: A list of child resources (by GVK) that will not be watched or cached.

An example Watches file:

  1. ---
  2. # Simple example mapping Foo to the Foo role
  3. - version: v1alpha1
  4.   group: foo.example.com
  5.   kind: Foo
  6.   role: Foo
  8. # Simple example mapping Bar to a playbook
  9. - version: v1alpha1
  10.   group: bar.example.com
  11.   kind: Bar
  12.   playbook: playbook.yml
  14. # More complex example for our Baz kind
  15. # Here we will disable requeuing and be managing the CR status in the playbook,
  16. # and specify additional variables.
  17. - version: v1alpha1
  18.   group: baz.example.com
  19.   kind: Baz
  20.   playbook: baz.yml
  21.   reconcilePeriod: 0
  22.   manageStatus: False
  23.   vars:
  24.     foo: bar
  26. # ConfigMaps owned by a Memcached CR will not be watched or cached.
  27. - version: v1alpha1
  28.   group: cache.example.com
  29.   kind: Memcached
  30.   role: /opt/ansible/roles/memcached
  31.   blacklist:
  32.     - group: ""
  33.       version: v1
  34.       kind: ConfigMap
  36. # Example usage with a role from an installed Ansible collection
  37. - version: v1alpha1
  38.   group: bar.example.com
  39.   kind: Bar
  40.   role: myNamespace.myCollection.myRole

The advanced features can be enabled by adding them to your watches file per GVK. They can go below the group, version, kind and playbook or role.

Some features can be overridden per resource via an annotation on that CR. The options that are overridable will have the annotation specified below.

FeatureYaml KeyDescriptionAnnotation for overridedefaultDocumentation
Reconcile PeriodreconcilePeriodtime between reconcile runs for a particular CRansible.operator-sdk/reconcile-period1m
Manage StatusmanageStatusAllows the ansible operator to manage the conditions section of each resource’s status section.true
Watching Dependent ResourceswatchDependentResourcesAllows the ansible operator to dynamically watch resources that are created by ansibletruedependent watches
Watching Cluster-Scoped ResourceswatchClusterScopedResourcesAllows the ansible operator to watch cluster-scoped resources that are created by ansiblefalse
Max Runner ArtifactsmaxRunnerArtifactsManages the number of artifact directories that ansible runner will keep in the operator container for each individual resource.ansible.operator-sdk/max-runner-artifacts20
FinalizerfinalizerSets a finalizer on the CR and maps a deletion event to a playbook or rolefinalizers

Example

  1. ---
  2. - version: v1alpha1
  3.   group: app.example.com
  4.   kind: AppService
  5.   playbook: playbook.yml
  6.   maxRunnerArtifacts: 30
  7.   reconcilePeriod: 5s
  8.   manageStatus: False
  9.   watchDependentResources: False
  10.   finalizer:
  11.     name: finalizer.app.example.com
  12.     vars:
  13.       state: absent

Last modified March 23, 2020: Ansible doc org (#2704) (1739e10c)