Building EEs with environment variables and ansible.cfg

Ansible Builder version 3 schema allows users to perform complex scenarios such as specifying custom Galaxy configurations. You can use this approach to pass sensitive information, such as authentication tokens, into the EE build without leaking them into the final EE image.

In the example below, we will take a look at:

  • Copying ansible.cfg file to an execution environment

  • Using Galaxy Server environment variables

---
version: 3

images:
  base_image:
    # Needs login
    name: registry.redhat.io/ansible-automation-platform-23/ee-minimal-rhel8:latest

dependencies:
  # Use Ansible Core 2.14
  ansible_core:
    package_pip: ansible-core==2.14.0
  # Runner
  ansible_runner:
    package_pip: ansible-runner==2.3.2
  # Collections to be installed using Galaxy
  galaxy:
    collections:
      - ansible.utils

additional_build_files:
  # Copy arbitrary files next to this EE definition into the build context; we can refer to them later.
  - src: files
    dest: configs

additional_build_steps:
  prepend_galaxy:
    # Copy ansible.cfg from build directory to EE
    - COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg
    # Environment variables used for Galaxy client configurations
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://console.redhat.com/api/automation-hub/content/xxxxxxx-synclist/
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
    # define a custom build arg env passthru - we still also have to pass
    # `--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN` to get it to pick it up from the env
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN

options:
  package_manager_path: /usr/bin/microdnf  # downstream images use non-standard package manager

The ansible.cfg file in the files directory:

[galaxy]
server_list = automation_hub

In this example, the additional_build_files section adds ansible.cfg to the build context directory. Once the file is in the build context directory, it can be used in the build process. To use it, copy it from the build context directory with the COPY directive specified in the prepend_galaxy step of the additional_build_steps section.

You can provide environment variables such as ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL and ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL using the ENV directive. See configuring Galaxy client for more details.

For security reasons, we do not want to store sensitive information, in this case ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN. You can use the ARG directive to receive the sensitive information from the user as input. The --build-arg option can be used to provide this information when invoking the ansible-builder command.
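
A pre-build check for the pattern described above, as an added example (not part of ansible-builder or the original page): it flags secret-named variables that are hard-coded with ENV or given an ARG default in additional_build_steps, and credentials placed in galaxy_server sections of ansible.cfg. The sample inputs, the function names and the list of secret-looking name suffixes are assumptions made for this illustration.

```python
import configparser
import re

# Constructed sample inputs (not from the page). Token values are placeholders.
LEAKY_STEPS = [
    "COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg",
    "ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN=constructed-sample-token",
    "ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN=constructed-sample-token",
]
SAFE_STEPS = [
    "ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://hub.example.invalid/api/",
    "ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN",
]
SAFE_CFG = "[galaxy]\nserver_list = automation_hub\n"
LEAKY_CFG = SAFE_CFG + "[galaxy_server.automation_hub]\ntoken = constructed-sample-token\n"

# Assumption: variable names ending in these words carry secrets.
SECRET_NAME = re.compile(r"(TOKEN|PASSWORD|SECRET|API_KEY)$", re.I)
DIRECTIVE = re.compile(r"^\s*(ENV|ARG)\s+([A-Za-z_]\w*)(?:(?:=|\s+)(.*))?$", re.I)

def lint_build_steps(steps):
    """Return (step_number, variable, reason) for each hard-coded secret."""
    findings = []
    for number, step in enumerate(steps, 1):
        match = DIRECTIVE.match(step)
        if not match or not SECRET_NAME.search(match.group(2)):
            continue
        kind, name = match.group(1).upper(), match.group(2)
        value = (match.group(3) or "").strip()
        if kind == "ENV":
            # Any ENV on a secret name keeps the value in that stage's environment.
            findings.append((number, name, "ENV stores the value in the definition and the stage's image config"))
        elif value:
            # A bare ARG is the intended pattern; only a default value is a finding.
            findings.append((number, name, "ARG default stores the value in the definition"))
    return findings

def lint_ansible_cfg(text):
    """Return (section, option) for credentials set in galaxy_server sections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return [(section, option)
            for section in cfg.sections() if section.startswith("galaxy_server.")
            for option in cfg[section]
            if option in ("token", "password") and cfg[section][option].strip()]

if __name__ == "__main__":
    for finding in lint_build_steps(LEAKY_STEPS) + lint_ansible_cfg(LEAKY_CFG):
        print(finding)
```

Run it against the additional_build_steps entries and the ansible.cfg in the build context before invoking ansible-builder; an empty result from both functions means the token is only supplied at build time.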

See also

Execution Environment Definition version 3

The detailed documentation about EE definition version 3