- Imperative Actions on the cluster
There is currently no way within argoCD to apply an imperative action against a cluster. So we have developed a way to declaratively apply changes to a cluster using kubernetes cronjob resources. Customers can use their ansible playbooks to take action against a cluster if necessary.
As a word of caution - the authors of the ansible playbooks and roles must ensure that the playbooks are idempotent because they get applied through cronjobs which are set to run every 10 minutes. Adding your playbooks to the pattern requires the following:
- move your ansible configurations to the appropriate directory under ansible in your forked repository
- define your job as a list (see example below)
imperative: # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm # The default schedule is every 10 minutes: imperative.schedule # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds # imagePullPolicy is set to always: imperative.imagePullPolicy # For additional overrides that apply to the jobs, please refer to the README located in # the top level of this repository. jobs: - name: regional-ca # ansible playbook to be run playbook: ansible/playbooks/on-hub-get-regional-ca.yml # per playbook timeout in seconds timeout: 234 # verbosity: "-v"
Overrides have been implemented to allow for further customization, please refer to the list below for the available overrides.
imperative: jobs:  # This image contains ansible + kubernetes.core by default and is used to run the jobs image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest namespace: "imperative" # configmap name in the namespace that will contain all helm values valuesConfigMap: "helm-values-configmap" cronJobName: "imperative-cronjob" jobName: "imperative-job" imagePullPolicy: Always # This is the maximum timeout of all the jobs (1h) activeDeadlineSeconds: 3600 # By default we run this every 10minutes schedule: "*/10 * * * *" # Schedule used to trigger the vault unsealing (if explicitely enabled) # Set to run every 9 minutes in order for load-secrets to succeed within # a reasonable amount of time (it waits up to 15 mins) insecureUnsealVaultInsideClusterSchedule: "*/9 * * * *" # Increase ansible verbosity with '-v' or '-vv..' verbosity: "" serviceAccountCreate: true # service account to be used to run the cron pods serviceAccountName: imperative-sa clusterRoleName: imperative-cluster-role clusterRoleYaml: "" roleName: imperative-role roleYaml: ""