Today I seem to have hit a snag: there doesn’t seem to be a way to put groups into the Foreman-computed inventory. As Kubespray wants to exchange secrets between etcd quorum members etc., it relies heavily on groups and on Ansible’s hostvars feature.
This comment in ansible_runner.rb makes it pretty clear that the idea of running Ansible with a nontrivial inventory was bolted on to the side at the time ansible-runner was adopted. This means that my use case seems unsupported as of now.
This is a very good idea and, as promised offline, we’ve discussed this internally and came up with a few issues that would need to get solved before we can use the global repository. The main issue is that the Foreman permissions control which hosts each user can see, but the global inventory would expose all hosts to any user who can run Ansible jobs.
I believe we can get that solved, as it still makes sense to me to consume our own inventory, but we will need to solve this issue; for starters it could be optional and just for jobs run by admins, as a PoC.
That would probably make sense; then you’d manually enable whatever inventory you like on the smart-proxy and you’d be responsible for taking care of the access rights, which wouldn’t be an issue in cases like yours, I guess.
I’m seeing a light at the end of the tunnel with this trick — I can edit the inventory file out of the Ansible template itself, and then call meta: refresh_inventory. This lets me piggy-back templating the inventory into the “main” job template, and thus (almost¹) obviates the need for any change in Foreman.
Here is an example playbook (that can be used as an Ansible job template):
```yaml
# Play 1: rewrite the inventory file that this run was started with,
# then ask Ansible to re-read it.
- name: homemade inventory
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - debug:
        var: ansible_inventory_sources
    # Assumes the first inventory source is a directory; the file written
    # into it is picked up by refresh_inventory below.
    - copy:
        dest: "{{ ansible_inventory_sources[0] }}/hosts"
        mode: "0644"
        content: |
          all:
            hosts:
              itsidevfsd0009.xaas.epfl.ch: {}
              itsidevfsd0010.xaas.epfl.ch: {}
    - meta: refresh_inventory

# Play 2: runs against the hosts that now exist in the refreshed inventory.
- name: Test new inventory
  hosts: all
  tasks:
    - debug:
        var: inventory_hostname
```
¹ I’m hitting a bug where hosts: localhost causes a crash, because foreman-tasks-core in the smart proxy cannot publish_data_for a hostname that it doesn’t know about (here, localhost). Bug report and PR upcoming, perhaps this weekend.
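The playbook above only proves that the refreshed inventory is picked up. The snag raised at the top of the thread was groups and hostvars, so here is an added example (not from the thread, and not Foreman’s or Kubespray’s code) that extends the same refresh_inventory trick to a grouped inventory with per-host variables, and then has a later play read other group members’ hostvars, which is the pattern Kubespray relies on. It assumes, like the original, that the first inventory source is a directory; the host names, addresses and group names are made up. Note that the first play still uses hosts: localhost, so under Foreman it hits the crash described in the footnote; the example is meant to be tried with plain ansible-playbook and an empty inventory directory.

```yaml
# Added example, not from the original thread.
# Assumptions: ansible_inventory_sources[0] is a directory (run with
# "ansible-playbook -i ./inv playbook.yml" where ./inv is an empty dir);
# hosts, addresses and group names are constructed for illustration.
- name: Generate a grouped inventory
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Write inventory with groups and per-host variables
      copy:
        dest: "{{ ansible_inventory_sources[0] }}/hosts"
        mode: "0644"
        content: |
          all:
            hosts:
              node1.example.invalid: { ansible_host: 192.0.2.11, etcd_member_name: etcd1 }
              node2.example.invalid: { ansible_host: 192.0.2.12, etcd_member_name: etcd2 }
              node3.example.invalid: { ansible_host: 192.0.2.13, etcd_member_name: etcd3 }
          etcd:
            hosts:
              node1.example.invalid: {}
              node2.example.invalid: {}
              node3.example.invalid: {}
          kube_control_plane:
            hosts:
              node1.example.invalid: {}
          kube_node:
            hosts:
              node2.example.invalid: {}
              node3.example.invalid: {}
    # Re-read the inventory so the groups above exist for the next play.
    - meta: refresh_inventory

# debug and assert run on the controller, so this play never connects to
# the (made-up) hosts; it only exercises groups[] and hostvars[].
- name: Check that groups and hostvars are visible after the refresh
  hosts: etcd
  gather_facts: no
  tasks:
    - name: Build an etcd initial-cluster string from every member's hostvars
      run_once: true
      debug:
        msg: >-
          {% for h in groups['etcd'] -%}
          {{ hostvars[h].etcd_member_name }}=https://{{ hostvars[h].ansible_host }}:2380
          {{- ',' if not loop.last else '' }}
          {%- endfor %}
    - name: Fail if the refreshed inventory lost a group or a member
      run_once: true
      assert:
        that:
          - groups['etcd'] | length == 3
          - "'node1.example.invalid' in groups['kube_control_plane']"
          - groups['kube_node'] | length == 2
```

The second play’s debug task should print etcd1=https://192.0.2.11:2380,etcd2=https://192.0.2.12:2380,etcd3=https://192.0.2.13:2380, which is exactly the kind of cross-member data Kubespray needs; if the inventory file were written somewhere other than the source that refresh_inventory re-reads, the play would instead fail with no hosts matched for etcd.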