Building EEs with environment variables for Galaxy configuration

The Ansible Builder version 3 schema supports complex scenarios such as specifying custom Galaxy configurations. You can use this approach to pass sensitive information, such as authentication tokens, into the EE build without leaking them into the final EE image.

In the example below, we will take a look at:

  • Using Galaxy Server environment variables

---
version: 3

images:
  base_image:
    # Needs login
    name: registry.redhat.io/ansible-automation-platform-23/ee-minimal-rhel8:latest

dependencies:
  # No need to specify ansible-core or ansible-runner dependencies
  # because they are included in the base image.

  # Collections to be installed using Galaxy
  galaxy:
    collections:
      - ansible.utils

additional_build_steps:
  prepend_galaxy:
    # Environment variables used for Galaxy client configurations
    - ENV ANSIBLE_GALAXY_SERVER_LIST=automation_hub
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://console.redhat.com/api/automation-hub/content/xxxxxxx-synclist/
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
    # define a custom build arg env passthru - we still also have to pass
    # `--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN` to get it to pick it up from the env
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN

options:
  package_manager_path: /usr/bin/microdnf  # downstream images use non-standard package manager

You can provide environment variables such as ANSIBLE_GALAXY_SERVER_LIST, ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL and ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL using the ENV directive. See configuring Galaxy client for more details.

For security reasons, we do not want to store sensitive information, in this case ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN. You can use the ARG directive to receive sensitive information from the user as input. The --build-arg option can be used to provide this information while invoking the ansible-builder command.
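One way to check that the token stays out of the final image is to inspect the generated Containerfile before building. The following is an added example, not part of the original documentation or of ansible-builder itself; the function names, the sample files and the stage names in them are constructed for illustration.

```shell
# check_secret_arg FILE ARG_NAME
# Returns 1 and prints a finding for each way ARG_NAME could persist in the image.
check_secret_arg() {
  awk -v name="$2" '
    { sub(/\r$/, "") }
    toupper($1) == "FROM" { stage++ }   # each FROM opens a new build stage
    toupper($1) == "ARG" && ($2 == name || index($2, name "=") == 1) {
      declared[stage] = NR
      # A default value is written into the file itself, so it is stored.
      if ($2 != name) { printf "line %d: ARG %s carries a default value\n", NR, name; bad = 1 }
    }
    toupper($1) == "ENV" && ($2 == name || index($2, name "=") == 1) {
      # ENV values are saved in the image configuration.
      printf "line %d: ENV stores %s in the image config\n", NR, name; bad = 1
    }
    END {
      # The last stage becomes the image; build args used there show up in its history.
      if (stage > 0 && (stage in declared)) {
        printf "line %d: ARG %s is declared in the final stage\n", declared[stage], name; bad = 1
      }
      exit (bad ? 1 : 0)
    }
  ' "$1"
}

# Constructed samples (simplified; a real generated file has more steps):
# .good declares the token ARG only in an intermediate stage, .bad bakes it in.
write_samples() {  # usage: write_samples DIR
  cat > "$1/Containerfile.good" <<'EOF'
FROM example.invalid/ee-base:latest AS base
FROM base AS galaxy
ENV ANSIBLE_GALAXY_SERVER_LIST=automation_hub
ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN
RUN ansible-galaxy collection install ansible.utils
FROM base AS final
COPY --from=galaxy /usr/share/ansible /usr/share/ansible
EOF
  cat > "$1/Containerfile.bad" <<'EOF'
FROM example.invalid/ee-base:latest AS base
FROM base AS final
ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN=constructed-not-a-real-token
ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN=$ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN
EOF
}
```

To use it on a real definition, generate the build context with `ansible-builder create` and point `check_secret_arg` at the resulting file (assumed here to be `context/Containerfile`, the default location with Podman).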

See also

Execution Environment Definition version 3

The detailed documentation about EE definition version 3