ansible / ansible-builder

An Ansible execution environment builder

Adding Galaxy requirements from private Git instance #649

Closed Deliveranc3 closed 6 months ago

Deliveranc3 commented 6 months ago

I'm looking for a way to add roles from a GitHub Enterprise instance which is not available on the internet and only accepts SSH pulls (i.e. no HTTP access).

Let's say I have the following requirements.yml:

roles:
  - src: git@github.example.com:my-org/ansible_role_coolstuff.git
    scm: git
    version: main

I can install this fine on my local machine with my SSH credentials. I've even been able to clone into containers before using secret mounts in my Containerfile, but I can't seem to make this work with ansible-builder. The current execution-environment.yml I'm using is:

---
version: 3

dependencies:
  ansible_core:
    package_pip: ansible-core==2.14.4
  ansible_runner:
    package_pip: ansible-runner
  galaxy: requirements.yml

images:
  base_image:
    name: docker.io/redhat/ubi9:latest

additional_build_steps:
  prepend_galaxy: |
    RUN --mount=type=secret,id=gitssh dnf install -y git \
    && mkdir -p ~/.ssh \
    && ssh-keyscan -t rsa github.example.com > ~/.ssh/known_hosts \
    && printf 'Host *\nIdentityFile /run/secrets/gitssh' > ~/.ssh/config

Based on the output from ansible-builder, it appears that ansible-galaxy is always run as its own RUN directive, and the secret mount doesn't appear to persist between RUN directives.

I was able to make this work by calling ansible-builder create, adding the --mount=type=secret,id=gitssh line to the Galaxy install command, then building with podman build --secret id=gitssh,src=/home/me/.ssh/id_rsa .

Is there a better way to do this that doesn't involve the intermediary step of editing my Containerfile?
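The two-step workaround above (ansible-builder create, patch the generated Containerfile, podman build with the key passed as a build secret) can be scripted so the key is never written into an image layer. This is an added example, not code from the issue or from ansible-builder itself; the secret id "gitssh", the key path and the context directory layout are assumptions taken from the post.

```shell
#!/bin/sh
# Added example: automate the secret-mount workaround for ansible-builder.
# The ssh key is supplied with `podman build --secret`, so it only exists under
# /run/secrets during the RUN step that carries the mount and leaves no trace
# in the resulting image layers (unlike a COPY of ~/.ssh).
set -e

# Insert `--mount=type=secret,id=$2` into every RUN line of Containerfile $1
# that invokes ansible-galaxy. Idempotent: a RUN line that already carries the
# mount is left untouched. Other RUN lines are not changed.
add_secret_mount() {
    file=$1
    secret_id=$2
    sed -i.bak -e "/^RUN .*ansible-galaxy/{
        /--mount=type=secret,id=${secret_id}/!s|^RUN |RUN --mount=type=secret,id=${secret_id} |
    }" "$file"
    rm -f "$file.bak"
    echo "$file"
}

# Full workflow (assumed layout): $1 holds execution-environment.yml and
# requirements.yml, $2 is the private ssh key, $3 is the image tag.
# usage: build_ee ./ee "$HOME/.ssh/id_rsa" localhost/my-ee:latest
build_ee() {
    ctx=$1
    key=$2
    tag=$3
    ansible-builder create -f "$ctx/execution-environment.yml" -c "$ctx/context"
    add_secret_mount "$ctx/context/Containerfile" gitssh >/dev/null
    # The secret is mounted only into the RUN steps patched above.
    podman build --secret "id=gitssh,src=$key" -t "$tag" "$ctx/context"
}
```

The prepend_galaxy step from the issue still has to create ~/.ssh/config pointing IdentityFile at /run/secrets/gitssh, since the key is only visible at that path inside the mounted RUN steps.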

Shrews commented 6 months ago

ansible-builder doesn't currently support dealing with secrets, and the method you are currently using (doing ansible-builder create then manual Containerfile modification) seems to be the best alternative that I can see, at this time. Supporting secrets in a first-class manner is something we are considering in a future version, but it is not currently scheduled for any version just yet.