redhat-cop / infra.aap_configuration

A collection of roles to manage Ansible Automation Platform with code
https://galaxy.ansible.com/infra/controller_configuration
GNU General Public License v3.0

meta_dependency_check seemingly not functional when run in Controller #942

Open l3acon opened 3 days ago

l3acon commented 3 days ago

Summary

The ansible-galaxy collection verify command seems to require galaxy servers to be configured, which in Controller isn't possible unless it's syncing collections. I think this is a security measure, e.g. when trying to create a custom credential for galaxy, Controller responds with "Environment variable ANSIBLE_GALAXY_SERVER_AH_TOKEN may affect Ansible configuration so its use is not allowed in credentials." That is, this works just fine from CLI ansible, but not in AAP Controller.

I am testing APD for use with AAP 2.5. After updating the collections it seems to mostly work; I just have to bypass the meta_dependency_check role by setting controller_dependency_check: false via extra_vars.

Issue Type

Ansible, Collection, Controller details

sh-4.4$ ansible-galaxy collection list

# /usr/share/ansible/collections/ansible_collections
Collection                          Version
----------------------------------- -------
amazon.aws                          8.1.0  
ansible.controller                  4.6.1  
ansible.netcommon                   7.0.0  
ansible.posix                       1.5.4  
ansible.utils                       5.0.0  
ansible.windows                     2.4.0  
chocolatey.chocolatey               1.5.1  
cisco.ios                           9.0.0  
cisco.iosxr                         10.0.0 
cisco.nxos                          9.0.0  
community.general                   9.2.0  
community.windows                   2.2.0  
containers.podman                   1.15.4 
infoblox.nios_modules               1.6.1  
infra.ah_configuration              2.0.6  
infra.controller_configuration      2.11.0 
kubernetes.core                     5.0.0  
redhat.insights                     1.3.0  
redhat.openshift                    4.0.0  
redhat.openshift_virtualization     1.5.0  
redhat.rhel_system_roles            1.23.0 
redhat.satellite                    4.0.0  
redhat_cop.controller_configuration 2.3.1

OS / ENVIRONMENT

running AAP 2.5 via operator

Desired Behavior

infra.aap_configuration should be usable within AAP Controller, ideally without having to define controller_dependency_check: false

Actual Behavior

Dispatch role fails with error message:

msg: One of awx.awx or ansible.controller must be installed
_ansible_no_log: false
changed: false

When running via CLI (ansible-playbook or navigator) this is not an issue; simply define the AH credentials via environment variable.

STEPS TO REPRODUCE

The following steps are how I discovered this:

A simpler workflow should be able to reproduce this behavior:

sean-m-sullivan commented 2 days ago

We've discussed an update along with our update to the entire collection and will keep this in mind. We still want to have checks, but realize the galaxy connection might not always be there.

sean-m-sullivan commented 1 day ago

@l3acon Set the variable controller_dependency_check to false and it will disable this feature. We are disabling it by default in a future release.
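
Added example, not part of the thread and not the collection's own code: a dependency check that needs no Galaxy server or token, because it only parses the text printed by ansible-galaxy collection list (a local operation, shown in the issue above). The function names, the sample listing and the second collection path are constructed for illustration.

```python
# Added example: offline "is awx.awx or ansible.controller installed?" check.
# It parses `ansible-galaxy collection list` output, so no Galaxy credential
# has to be exposed to the job.
import re

# Constructed sample: a subset of the listing in the issue, plus a second,
# hypothetical collection path to show multi-path output.
SAMPLE_LISTING = """\
# /usr/share/ansible/collections/ansible_collections
Collection                          Version
----------------------------------- -------
amazon.aws                          8.1.0
ansible.controller                  4.6.1
infra.controller_configuration      2.11.0

# /runner/requirements_collections/ansible_collections
Collection        Version
----------------- -------
community.general 9.2.0
"""

# A data row is "<namespace>.<name>  <version>"; the column header and the
# dashed separator do not match because they contain no dotted name.
ROW = re.compile(r"^(?P<fqcn>[a-z0-9_]+\.[a-z0-9_]+)\s+(?P<version>\S+)\s*$")


def parse_collection_list(text):
    """Return {fqcn: [(version, path), ...]} from the listing text."""
    found = {}
    path = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# "):  # "# <path>" opens a new section
            path = line[2:]
            continue
        m = ROW.match(line)
        if m:
            found.setdefault(m["fqcn"], []).append((m["version"], path))
    return found


def check_any_installed(text, candidates=("awx.awx", "ansible.controller")):
    """Return the candidates present in the listing; raise if none are."""
    installed = parse_collection_list(text)
    present = [c for c in candidates if c in installed]
    if not present:
        raise RuntimeError("One of %s must be installed" % " or ".join(candidates))
    return present
```

This confirms presence and version only; unlike ansible-galaxy collection verify, it does not compare installed file checksums against a server copy.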