Chapter 7. Deploying the OpenShift Container Platform

This section provides the installation and configuration details for installing OpenShift Container Platform using Ansible Tower.

7.1. Clone and Modify Git Repo

In order to deploy the playbooks created for this reference architecture, some modifications of the content are required. Notably, a password file encrypted with ansible-vault needs to be copied to ./roles/passwords/main.yaml as outlined in the Playbooks chapter. Environment-specific changes should be made to the variables found under ./group_vars/.

If an organization has an existing git infrastructure (such as GitLab), it may choose to clone the public repository and maintain its changes internally. Otherwise, the repository can be forked on GitHub to hold the requisite changes.

In either case, the modified playbooks must be stored in a git repository that is accessible to Ansible Tower.

7.2. HPE OneView Modules

The HPE OneView Ansible modules are not core modules yet, so they are not included in a standard installation. They must be installed on the Ansible Tower server along with the required Python packages.

First, install the HPE OneView SDK via pip:

# -O saves the installer as ./get-pip.py; without it curl only prints the script to stdout
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install hpOneView

Then clone the modules and make them accessible to Ansible Tower:

git clone https://github.com/HewlettPackard/oneview-ansible.git
cp oneview-ansible/library/* /usr/share/ansible/

7.3. Modified nsupdate Module

As mentioned in the Playbooks chapter, the set of playbooks requires a modified nsupdate module to support one-to-many DNS record creation. A pull request has been submitted upstream to support this feature. For now, the modified module must be copied to the Ansible Tower server:

curl -o /usr/share/ansible/nsupdate.py https://raw.githubusercontent.com/dcritch/ansible/nsupdate_one2many/lib/ansible/modules/net_tools/nsupdate.py

7.4. Credentials

Ansible typically communicates with a target host over SSH, authenticating with a key pair. Ansible Tower can store and encrypt these credentials to run playbooks.

An SSH key pair is generated:

ssh-keygen -f tower
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in tower.
Your public key has been saved in tower.pub.
The key fingerprint is:
...

The generated key is then stored in Ansible Tower by clicking the gear icon, then Credentials and finally +ADD:

Figure 17 SSH credentials

The ansible-vault password used to encrypt the password file is also stored here, under 'Vault Password'.

The public SSH key (tower.pub) is deployed to each host via Red Hat Satellite when the host is provisioned.

In some cases, the git repository may require login details, which can also be stored safely in Ansible Tower:

Figure 18 git credentials

7.5. Projects

The locally maintained git repository is added to Ansible Tower:

Figure 19 HPE Project

So are the publicly accessible openshift-ansible playbooks:

Figure 20 OpenShift Project

7.6. Inventories

The list of hosts and variables for this reference architecture can be entered via the web GUI. However, for complex playbooks with many variables this is cumbersome, so Ansible Tower also provides a CLI tool that can import this data.

Before using the tool, the empty inventory must first be created in the web GUI:

Figure 21 Ansible Tower Inventory

The host file and variables are copied to a directory on the Tower server:

ocp
├── ansible-hosts
└── group_vars
    ├── all
    ├── cns
    └── OSEv3

And then imported using tower-manage:

tower-manage inventory_import --source=./ocp/ --inventory-name="hpe-ocp-3.5" --overwrite --overwrite-vars

Unfortunately, there is one issue with this approach. Due to a bug, Tower cannot correctly parse certain inventory lines, for example:

ocp-cns1.hpecloud.test openshift_node_labels="{'region': 'primary', 'zone': 'east'}"

Here openshift_node_labels is imported as a string rather than a dictionary. After importing the inventory, the variable must be reformatted slightly in the web GUI so that it parses as a dictionary:

Figure 22 OpenShift Node Labels
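A pre-import check for this problem, written as an added example that is not part of the reference architecture: it scans an INI-style ansible-hosts file for host variables whose values are Python dict literals, the form that tower-manage inventory_import keeps as a string, so each one can be corrected after import. The sample inventory is constructed, apart from the ocp-cns1 line quoted above.

```python
"""Flag inventory host vars that Tower will import as strings instead of dictionaries.

Added example, not code from the reference architecture. Uses only the standard library.
"""
import ast
import shlex

# Constructed sample in the same shape as the ansible-hosts file; only the first
# host line is taken from the page.
SAMPLE_INVENTORY = """\
[nodes]
ocp-cns1.hpecloud.test openshift_node_labels="{'region': 'primary', 'zone': 'east'}"
ocp-master1.hpecloud.test openshift_schedulable=false
ocp-app1.hpecloud.test openshift_node_labels="{'region': 'primary', 'zone': 'west'}" ansible_port=22
"""


def parse_host_line(line):
    """Split 'hostname key=value ...' into (hostname, {key: value}) using shell quoting rules."""
    tokens = shlex.split(line, comments=True)
    host, pairs = tokens[0], tokens[1:]
    hostvars = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        hostvars[key] = value
    return host, hostvars


def looks_like_dict_literal(value):
    """True when the raw value parses as a Python dict, the form Tower keeps as a string."""
    try:
        return isinstance(ast.literal_eval(value), dict)
    except (ValueError, SyntaxError):
        return False


def find_dict_literal_vars(inventory_text):
    """Return [(host, var_name, parsed_dict)] for every host var that needs fixing after import."""
    findings = []
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # skip blank lines, comments and [group] headers
        host, hostvars = parse_host_line(line)
        for name, value in hostvars.items():
            if looks_like_dict_literal(value):
                findings.append((host, name, ast.literal_eval(value)))
    return findings


if __name__ == "__main__":
    for host, name, value in find_dict_literal_vars(SAMPLE_INVENTORY):
        print(f"{host}: {name} will import as a string; expected mapping {value}")
```

Run it against the real ./ocp/ansible-hosts before tower-manage inventory_import to get the list of hosts and variables to revisit in the GUI afterwards.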

7.7. Templates

With credentials, projects and inventories in place, the job templates can be created in Ansible Tower. This is accomplished by clicking on Templates, then Add → Job Template in Ansible Tower:

Figure 23 Cleanup Template

Figure 24 Provisioning Template

Figure 25 Common Template

Figure 26 Predeploy Template

Figure 27 OpenShift Template

Figure 28 Container-native storage Template

7.8. Workflow

The workflow to chain all the job templates together is then created by navigating to Templates, then Add → Workflow Job Template:

Figure 29 Ansible Tower Workflow

7.9. Launch Job

To launch the workflow, browse to Templates, find the newly created workflow and click the rocket ship (launch) button:

Figure 30 Launch Tower Workflow