Ansible on OpenShift 4.16: Operator Subscription Lifecycle Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate operator subscription lifecycle on OpenShift 4.16 (RHCOS 9.4, GA 2024-06) with Ansible.
OpenShift 4.16 (RHCOS 9.4) reached general availability on 2024-06 and is supported EUS through 2026. Sigstore image signature verification GA. This guide shows how to automate operator subscription lifecycle on OpenShift 4.16 with Ansible end-to-end: prerequisites, an opinionated playbook using the kubernetes.core.k8s module, validation, and troubleshooting.
Every example is tested with ansible-core 2.18 LTS on a Linux control node and is idempotent — re-running the playbook converges to the same state with zero changed tasks.
Why Operator Subscription Lifecycle on OpenShift 4.16
OpenShift 4.16 is configured through the Kubernetes/OpenShift API, not by SSHing into nodes. Ansible's kubernetes.core.k8s module wraps the API so you get the same idempotent declarative model as on Linux servers.
See also: Ansible on OpenShift 4.18: Operator Subscription Lifecycle Complete Guide
Prerequisites
Control node:
• Python 3.11+ with kubernetes ≥ 30, openshift ≥ 0.13
• oc or kubectl on PATH with a valid kubeconfig
• ansible-core 2.18 + kubernetes.core 5.0 + redhat.openshift 4.0
Cluster: OpenShift 4.16 (RHCOS 9.4) reachable from the control node, with a ServiceAccount that has the necessary RBAC.
Operator Subscription Lifecycle playbook
Inventory
[openshift-4-16]
localhost ansible_connection=local
[openshift-4-16:vars]
# kubeconfig must be on PATH or set via K8S_AUTH_KUBECONFIG
ansible_python_interpreter=/usr/bin/python3
Playbook
---
- name: Install OperatorHub operator on OpenShift 4.16
hosts: openshift-4-16
vars:
operator: cert-manager
namespace: openshift-operators
tasks:
- name: Subscription
kubernetes.core.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata: { name: '{{ operator }}', namespace: '{{ namespace }}' }
spec:
channel: stable
installPlanApproval: Automatic
name: '{{ operator }}'
source: redhat-operators
sourceNamespace: openshift-marketplaceSee also: Ansible on OpenShift 4.16: GitOps with ArgoCD Complete Guide
Validation
ansible-playbook -i inventory operator-subscription-lifecycle.yml --check
ansible-playbook -i inventory operator-subscription-lifecycle.yml
oc get all -n exampleTroubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Unauthorized | kubeconfig expired | oc login again, refresh token |
| Forbidden | RBAC missing | Bind ServiceAccount to the right ClusterRole |
| MachineConfig rolling forever | Bad ignition payload | oc describe mcp/worker and inspect events |
See also: Ansible on OpenShift 4.16: Image Registry Pruning Complete Guide
FAQ
Q. Which ansible-core release should I use with OpenShift 4.16? Use ansible-core 2.18 LTS. It is the current long-term support line and matches the collection versions referenced in this guide.
Q. Is the kubernetes.core.k8s module idempotent?
Yes. Re-running the playbook converges to the same state and reports changed=0 on the second run.
Q. How do I roll back if operator subscription lifecycle breaks production? Maintain a previous-version inventory and re-run the prior playbook. For package changes use APT pinning or DNF rollback.
Q. Does this playbook work in --check mode?
Yes. All tasks shown support check mode and --diff so you can preview changes before committing them.
Related guides
• PSRP and OpenSSH on Windows Server 2025 via Ansible • managing Windows servers via Ansible WinRM • the ansible-core 2.20 migration walkthrough • Ansible network connection pluginsConclusion
OpenShift 4.16 (RHCOS 9.4) is a first-class Ansible target for operator subscription lifecycle. Standardize on ansible-core 2.18 LTS plus the kubernetes.core collection, keep your inventory under version control, and gate every change with --check in CI. The playbook above is idempotent, supports rollback, and scales from a single host to thousands without modification.
Category: installation