vRealize Automation integrated with Ansible and Git

vRealize Automation integrated with Ansible and Git

Introduction

Many customers are leveraging configuration management tools like Ansible to do automated configuration management as well as application deployment in their infrastructure. vRealize Automation is perfectly suited to manage the underlying infrastructure layer and leverage Ansible on top for the application deployment and control.

There’s many good articles and blogs which explain in-depth how Ansible can be integrated with vRA like this one here http://www.vmtocloud.com/vra-ansible-integration-3-ways/

When I read these blogs I however had a more dynamic way in my mind for this type of integration. In a nutshell the idea has come up to place Ansible playbooks in a github repository, read them out through vRA and present them in a dropdown. Now the user should be able to select the proper playbook and deployment is automatically taking care about the actual installation through vRA and Ansible.

How does this sound?

vra-ansible-git-01.png

Disclaimer

I need to mention at this point that I am not an Ansible expert nor somebody who has in-depth experience in writing best practice orchestrator workflows. This document is all about creating a demo case which works and shows the potential, it’s not intended to provide full guidance for a productive deployment.

Ansible

Ansible installation

To do a proper Ansible deployment an Ansible server is required. In my case I used a simple CentOS VM where I installed Ansible. There’s a lot of documentation on how to setup an Ansible server in the web, so I’ll only explain the relevant bullet points here

  • Install Ansible with “yum install ansible”
  • Modify /etc/ansible/ansible.cfg
    • uncomment “disable host_key_checking”
    • This is to make sure that a new host does not need to be added to the known_hosts file for proper SSH communication

The Orchestrator workflow used for this demo will download playbooks to /root/ansible-playbook-downloads. It will then create a temporary inventory file with “ansible-<IP>” notation and execute “ansible-playbook -i /root/ansible-<IP> /root/ansible-playbook-downloads/<playbookfilename>” going forward.

I am aware that Ansible is leveraging /etc/ansible/hosts inventory in most of the productive cases. To ease deployment for this demo case I decided to use the “-i" option which allows to specify an inventory file containing the target server IPs. With some effort the scripts obviously can be changed to modify hosts file properly.

Ansible playbooks

In my demo the ansible playbooks are stored on my github respository. There’s rather simple playbooks used for the initial use cases:

ansible-httpd-playbook.yml

- hosts: all

  remote_user: root

tasks:

  - name: httpd is installed

yum: name=httpd state=installed

  - name: httpd is running and enabled

service: name=httpd state=started enabled=yes

ansible-mariadb-playbook.yml

- hosts: all

remote_user: root

tasks:

  - name: mariadb is installed

yum: name=mariadb-server state=installed

  - name: mariadb is running and enabled

service: name=mariadb state=started enabled=yes

SSH Key handling

Ansible is communicating through SSH protocol with its target hosts. For this it’s helpful having certificate-based authentication in place. For this demo I created an ssh-key on the Ansible server:

ssh-keygen -t rsa

After that the public key file /root/.ssh/authorized_keys file must be copied to the vRA/vRO server. If you don't want to change the defaults in the vRO workflow you should use the path mentioned here. Otherwise feel free to adapt it.

scp /root/.ssh/authorized_keys <vRO-host>:/etc/vco/app-server/data/authorized_keys

Login to the vRO server and set proper ownership:

chown vco:vco /etc/vco/app-server/data/authorized_keys

There’s an Orchestrator workflow in the package you are about to import below which includes a workflow that copies the above-mentioned file from Orchestrator server to the deployed target VM prior to executing the Ansible workflows.

Preparation in vRealize Orchestrator

Import Orchestrator Workflows

The Orchestrator workflows developed for this use case do leverage the guest script manager package for Orchestrator. Therefore, you have to download it in advance and import it into Orchestrator from this link:

https://code.vmware.com/samples/1317/guest-script-manager-package

Afterwards import the Orchestrator workflow package attached to this article. The package includes a high number of dependent workflows and actions which have to be imported or present before, but the most important one’s for this use case are:

  • Workflow “Copy SSH Key”
    Makes sure that the public SSH key is copied to the target VM enabling Ansible to start communication.
  • Workflow “Run Ansible Script on VM”
    Downloads the Ansible playbook from GIT and runs the proper Ansible commands on the server to execute a playbook on the target VM. It leverages a script configuration resource also provided with this Orchestrator package.
  • Action “getGITFilenamesbyREST”
    Reads filenames which includes yml in name from GIT repository.
  • Action “getGITDownloadURLbyREST”
    Retrieves GIT Download URL for filename provided.

Registration of GIT REST Host

The workflows and actions issue REST calls to the github server. As these processes use a HTTPS connection, the related certificates must be imported to vRealize Orchestrator. To do this you have to run the “Add a REST host” workflow once pointing it to the github server:

vra-ansible-git-14.png

vra-ansible-git-15.png

vra-ansible-git-16.png

vra-ansible-git-17.png

vra-ansible-git-18.png

Modification of Workflow Parameters

After successful import of the Orchestrator package you will find 2 new workflows in this directory.

vra-ansible-git-02.png

The attributes of both workflows must be tailored to the target environment.

vra-ansible-git-03.png

Most important values to change for “Copy SSH Key”:

  • password: root password of target VM (to copy SSH key)

vra-ansible-git-04.png

Most important values to change for “Run Ansible Script on VM”

  • vm: Select VM where ansible has been installed
  • vmPassword: insert root password for Ansible VM
  • queryString: Modify repository URL if a different repository should be used

Preparation in vRA

Add Subscriptions in vRA

Actually there’s 2 subscriptions required in vRA to execute the imported vRO workflows, see screenshots below. It’s important to specify subscription priority to make sure that the workflows are executed in the correct order. Make sure that the subscriptions are published after creation.

vra-ansible-git-05.png

vra-ansible-git-06.png

vra-ansible-git-07.png

vra-ansible-git-08.png

Add Custom properties in vRA

There’s custom properties required to control the deployment process and add the playbook selection in the blueprint request form.

Adding playbook selection in request form

Create a new property definition as per screenshot below. Make sure you reference the Action “getGITFilenamesbyREST” as external script action and add the properties as needed:

  • baseURL: https://api.github.com
  • httpMethod: GET
  • queryString: /repos/cferber/ansible-playbooks/contents (You can change this if different repository should be used. However you have to make sure it's changed accordingly in the attributes of the Orchestrator workflow above)

vra-ansible-git-09.png

Adding property group for running SSH Key workflow

vra-ansible-git-10.png

Adding property group for providing payload by EBS

vra-ansible-git-11.png

Adding property group for running Ansible workflow

vra-ansible-git-12.png

Prepare Linux Template in vRA

In this demo I did use a CentOS 7 template. A default installation of CentOS 7 should work straight away. I won’t explain how to create a CentOS 7 blueprint and publish it properly in this document, but this obviously will be required.

In addition it’s important to enable the property groups created above on the blueprint which makes sure that the workflows are executed at the right time in the provisioning process.

vra-ansible-git-13.png

Final test and caveats

Now as you have configured everything properly you should be able to request a CentOS VM. The field “Select Ansible Playbook” should appear in the request form and your yml ansible playbook files available on github repository will be listed for selection.

If the playbook has been selected and request has been issued, deployment of VM should start and finish with application installed as per playbook selection.

If anything goes wrong, you have to leverage your vRA and vRO troubleshooting skills 🙂 I won’t go into detail on how to do this here.

One caveat I found was that there might be a race condition when multiple deployments run at the same time where one workflow might fail at the point where guest manager tries to modify files simultaneously. Manual re-run would work then however.

This is something that certainly could be solved. For the demo I would recommend only starting one deployment at a time.

Have fun!

Attachments
com.vmware.custom.vra-ansible-git.package.zip
0 Kudos
Version history
Revision #:
1 of 1
Last update:
‎03-07-2018 06:55 AM
Updated by:
VMware Employee
 
View Article History