Hybrid Cloud Patterns

Imperative actions on the cluster

Using kubernetes cronjobs to execute imperative actions

There is currently no way within argoCD to apply an imperative action against a cluster. So we have developed a way to declaratively apply changes to a cluster using kubernetes cronjob resources. Customers can use their ansible playbooks to take action against a cluster if necessary.

As a word of caution - the authors of the ansible playbooks and roles must ensure that the playbooks are idempotent because they get applied through cronjobs which are set to run every 10 minutes. Adding your playbooks to the pattern requires the following:

  1. move your ansible configurations to the appropriate directory under ansible in your forked repository
  2. define your job as a list (see example below)
    # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
    # The default schedule is every 10 minutes: imperative.schedule
    # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
    # imagePullPolicy is set to always: imperative.imagePullPolicy
    # For additional overrides that apply to the jobs, please refer to the README located in
    # the top level of this repository.
    - name: regional-ca
      # ansible playbook to be run
      playbook: ansible/playbooks/on-hub-get-regional-ca.yml
      # per playbook timeout in seconds
      timeout: 234
      # verbosity: "-v"

Additional job customizations

Overrides have been implemented to allow for further customization, please refer to the list below for the available overrides.

    jobs: []
    # This image contains ansible + kubernetes.core by default and is used to run the jobs
    image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest
    namespace: "imperative"
    # configmap name in the namespace that will contain all helm values
    valuesConfigMap: "helm-values-configmap"
    cronJobName: "imperative-cronjob"
    jobName: "imperative-job"
    imagePullPolicy: Always
    # This is the maximum timeout of all the jobs (1h)
    activeDeadlineSeconds: 3600
    # By default we run this every 10minutes
    schedule: "*/10 * * * *"
    # Schedule used to trigger the vault unsealing (if explicitely enabled)
    # Set to run every 9 minutes in order for load-secrets to succeed within
    # a reasonable amount of time (it waits up to 15 mins)
    insecureUnsealVaultInsideClusterSchedule: "*/9 * * * *"
    # Increase ansible verbosity with '-v' or '-vv..'
    verbosity: ""
    serviceAccountCreate: true
    # service account to be used to run the cron pods
    serviceAccountName: imperative-sa
    clusterRoleName: imperative-cluster-role
    clusterRoleYaml: ""
    roleName: imperative-role
    roleYaml: ""
Copyright © 2022 Red Hat, Inc.