Injectors for Red Hat Satellite 6 within playbook job runs

[drewburr]

ISSUE TYPE

• Feature Idea

COMPONENT NAME

• API
• UI
• Installer

SUMMARY

It would be useful to be able to manage Satellite via playbook tasks. AWX currently does not include injectors for the Satellite 6 credential, meaning they are not usable in a playbook.

When creating a custom credential, these are the injectors used:

injectors:
      extra_vars:
        satellite_username: "{{ '{{ \"{{username}}\" }}'}}"
        satellite_password: "{{ '{{ \"{{password}}\" }}'}}"
        satellite_host: "{{ '{{ \"{{host}}\" }}'}}"

ADDITIONAL INFORMATION

[AlanCoding]

Satellite 6 injectors are here

https://github.com/ansible/awx/blob/87235082256e83a6531218771c7a502b91445f69/awx/main/tasks.py#L1903-L1937

However, your claim appears to be true - that these are not applied when such a credential is used in a playbook. These are only used for inventory updates.

The parameters user / url / password are set up in that existing injection logic for inventory updates. Of course, it is injected differently from what you offer here. It is modeled based on the example inventory configuration file at:

https://github.com/ansible/awx/blob/87235082256e83a6531218771c7a502b91445f69/awx/plugins/inventory/foreman.ini.example

We may be able to add your extra_vars injectors to the credential type without any ill-effects to inventory updates, because right now extra_vars injectors are ignored for inventory updates.

Soon, we are moving from the inventory scripts to inventory plugins, which means that the inventory import injection logic for this credential type will create a file that looks like this:

https://github.com/ansible/ansible/blob/572a2187abca5c4d70208040703b6b1bd6fc27f6/lib/ansible/plugins/inventory/foreman.py#L55-L60

That is still not injectable as a standard credential type configuration - nor does our standard credential type configuration give any ability to specify different injectors for inventory updates versus playbooks. As I have found with the other inventory plugins, however, it seems that different configuration files are needed for inventory vs. using corresponding modules in playbooks.

[AlanCoding]

@drewburr I'm looking, and I can't find what Ansible core modules those injectors could correspond to. There are foreman modules:

https://github.com/ansible/ansible/blob/17fbeeb2f0fea9605479cbb181b00bc444587ee4/lib/ansible/modules/remote_management/foreman/foreman.py

But that wouldn't take the same parameters. Searching the source code, https://github.com/ansible/ansible/search?q=satellite_host&unscoped_q=satellite_host, the only thing I can find is related to the inventory script, which is what we have hooked up now.

[ptoal]

Satellite creds are still a bit of a dogs breakfast, and it's been made more complicated by the new foreman/satellite modules that require user/password for each call, eg: https://theforeman.github.io/foreman-ansible-modules/master/modules/host_module.html#host-module

It would, IMO, be ideal if we could extend the Sat6 credential to include a mechanism that can be consumed by both the inventory plugin and the new modules: https://github.com/theforeman/foreman-ansible-modules, to provide a seamless experience.

[willtome]

https://github.com/theforeman/foreman-ansible-modules/pull/866 sets consistent env vars for Foreman collection. FOREMAN_SERVER FOREMAN_USER FOREMAN_PASSWORD

[wenottingham]

Is it intended to change those downstream? (I hope not.)

[AlanCoding]

the credential type does not inject environment variables right now. It only does anything for inventory.

https://github.com/ansible/awx/blob/dbdc856ed385389f0993ebc2da0a9febddb3bf49/awx/main/models/credential/__init__.py#L851

We can absolutely add them, and once the foreman collection makes a release where the inventory plugin accept the env vars, we can just replace what we have with injectors. That would be great.

However, the comments in the foreman PR are probably correct. We couldn't reuse the same doc fragment between plugins & modules for the AWX collection. That's a loaded topic, the fallback has to be set differently, because when the modules are ran on a remote machine, they don't get the environment variables from the host machine like the inventory plugin does. It's still possible, with some more work. The pattern is out there, and I agree this could be done, and make the credential work for modules in addition to the inventory plugin.

[evgeni]

follow up on this topic is in https://github.com/theforeman/foreman-ansible-modules/pull/943 with slightly differently named variables to match the module parameter naming.

@wenottingham so far we've been trying to brand things correctly downstream, so "maybe"? @sean797 might have a better answer here

[kbreit-insight]

Is there progress on this? I'm interested in the functionality.