opseric's DevOps Blog -

Allowing ENV vars in Role/Collection Requirements

April 3, 2024

If you have a private, or a repo that requires authentication, like in the case of GitLab Enterprise. You may find it difficult to simply pull without any auth your roles or collections from a repository. To do this I struggled for a while, and then realized that we can make use of the envsubst command.

First step we will need to have a template lets call it galaxy_requirements.tpl:

1

2

3

4

5

6

7

8

9

10

---

collections:

- name: ericsysmin.system

source: "https://ansible-galaxy:${GITLAB_TOKEN}@\

gitlab.com/ericsysmin/ansible-collection-system.git"

type: git

- name: ericsysmin.databases

source: "https://ansible-galaxy:${GITLAB_TOKEN}@\

gitlab.com/ericsysmin/ansible-collection-databases.git"

type: git

As long as you pass the environment vars to envsubst then it will work, in this case I am going to export the var just for command line sake, but ideally you’d put these in your build tool, either github, gitlab, or jenkins as a sensitive environment parameter to the job so that it does not get printed out.

1	export GITLAB_TOKEN=mypassword

Now lets put that somewhere in our build repo, and then during the pipeline steps (github/gitlab/jenkins) you will run something like this to resolve the token and run the ansible-galaxy install.

1 2	envsubst < galaxy_requirements.tpl > galaxy_requirements.yml ansible-galaxy install -r galaxy_requirements.yml

Using these two commands will create a new file galaxy_requirements.yml which would have the following contents.

1

2

3

4

5

6

7

8

9

10

---

collections:

- name: ericsysmin.system

source: "https://ansible-galaxy:mypassword@\

gitlab.com/ericsysmin/ansible-collection-system.git"

type: git

- name: ericsysmin.databases

source: "https://ansible-galaxy:mypassword@\

gitlab.com/ericsysmin/ansible-collection-databases.git"

type: git

This prevents you from storing any type of credential within the repository violating any security policies you may have.

Using Ansible set_fact to generate lists of objects

Eric Anderson

March 26, 2024

In some cases you may want to create nearly identical objects from a list of values, or another dictionary.

This was a commonly needed ability at VMware on the NSX ALB (Avi) team as for many of our infra, and for our customers have a list of servers that we needed to build into a list of dictionaries as we require more than just a specific IP.

This is how to do it (these are tasks, not the entire playbook)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

---

- name: Generate a list for a dict

hosts: localhost

connection: local

vars:

pool_servers: "{{ pool_servers }}" # this is the input information ex. 192.168.1.1,192.168.1.2

tasks:

- name: Build server list

ansible.builtin.set_fact:

servers_list: "{{ servers_list | default([]) + [{'ip': {'addr': item, 'type': 'V4'}, 'enabled': 'true'}] }}"

loop: "{{ pool_servers.split(',') }}"

# each server_list item has ansible fact as server

- name: Print the server_list

ansible.builtin.debug:

var: servers_list

So lets review what we did.

We created the servers_list fact, we set the default value to be a blank list and then for each of the servers in pool_servers separated by , we loop adding the dict {'ip': {'addr': item, 'type': 'V4'}, 'enabled': 'true'} to the servers_list.

This can be applied to any kind of situation where you need to create a list of complicated objects.

The returned output would look like this.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

ansible-playbook list.yml -e 'pool_servers=192.168.1.1,192.168.1.2'

[WARNING]: No inventory was parsed, only implicit localhost is available

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Generate a list for a dict] *****************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************

ok: [localhost]

TASK [avinetworks.avisdk : Check ansible version] *************************************************************************

skipping: [localhost]

TASK [build server list] **************************************************************************************************

ok: [localhost] => (item=192.168.1.1)

ok: [localhost] => (item=192.168.1.2)

TASK [debug] **************************************************************************************************************

ok: [localhost] => {

"servers_list": [

{

"enabled": "true",

"ip": {

"addr": "192.168.1.1",

"type": "V4"

}

},

{

"enabled": "true",

"ip": {

"addr": "192.168.1.2",

"type": "V4"

}

]

}

PLAY RECAP **************************************************************************************************************

localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0

Converting Python Google.Cloud Objects to JSON Parseable Dictionaries

Eric Anderson

March 5, 2024

Trying to write some python scripts to handle our infrastructure in GCP. I found that the Google Cloud Python SDK, does not easily convert into python using __dict__, and json.dumps() so I had to do some digging. It took a bit of time but found that we can use the Python proto library to handle conversion of the Google Cloud Objects to JSON. Here’s an example of listing GKE clusters.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

from google.cloud import container_v1

import proto

import json

def list_gke_clusters():

"""

Lists GKE clusters in the specified project.

Args:

project_id (str): Your GCP project ID.

Returns:

list: List of GKE clusters.

"""

project_id = 'myproject'

client = container_v1.ClusterManagerClient()

request = container_v1.ListClustersRequest(

parent=f'projects/{project_id}/locations/-')

# List clusters in the specified project

response = client.list_clusters(request=request)

return response.clusters

if __name__ == "__main__":

clusters = []

for cluster in list_gke_clusters():

if cluster.resource_labels['type'] == 'automation':

clusters.append(json.loads(proto.Message.to_json(cluster)))

for cluster in clusters:

print(cluster['zone'])

As you can see using proto.Message.to_json(object) allowed me to provide json parseable data. Just figured someone else can use this and I wanted to keep a note of it as the solution wasn’t something easily able to be found. Someone also found it works for other GCP objects.

Other methods were also discussed here: https://github.com/googleapis/python-vision/issues/70

Accessing Raw Files on Authenticated GitLab

Eric Anderson

February 13, 2024

Recently, I started working on more repositories on GitLab. One of the common items in my Ansible testing is the use of URL lookups in the templating of my Dockerfiles in Molecule. There’s a completely different method which requires the use of the GitLab API endpoints that require different formatting and token auth. The details for this can be found here: https://docs.gitlab.com/ee/api/repository_files.html#get-raw-file-from-repository

Searching around I did find that you can pass the token via the private_token parameter to the url.

Because you need to include the folder directory as an encoded value, I had to do lots of trial and error to figure out how to do complicated strings.

Formats like this, DO NOT WORK:

1	{{ lookup('url', 'https://gitlab.com/api/v4/projects/xxxxxx/repository/files/' ~ 'dockerfiles/{}/Dockerfile'.format(item.image)\|urlencode\|regex_replace('/','%2F') ~ '/raw?ref=main&private_token=' ~ lookup('ansible.builtin.env', 'GITLAB_TOKEN'), split_lines=False) }}

But after a series of attempts, THIS WORKS:

1

2

3

{% set file_path = 'dockerfiles/{}/Dockerfile'.format(item.image) %}

{% set encoded_path = file_path|urlencode|regex_replace('/','%2F') %}

{{ lookup('url', 'https://gitlab.com/api/v4/projects/xxxxxx/repository/files/' ~ encoded_path ~ '/raw?ref=main&private_token=' ~ lookup('ansible.builtin.env', 'GITLAB_TOKEN'), split_lines=False) }}

Some explanations of my findings urlencode filter did not work when used inline in the lookup, it made no changes to the file path. To separate, I had to split it out into a jinja set to set the var to a string that included the value using format() jinja filter, then take the result and create an encoded path to meet the encoded requirements of GitLab’s API.

Configuring Docker Desktop on WSL2

Eric Anderson

February 11, 2024

First steps, you’ll need to install and configure WSL2. To install WSL2 you can use the Microsoft Store or follow these instructions: https://learn.microsoft.com/en-us/windows/wsl/install

Then to install Docker to run on Windows and WSL2 you’ll need to follow these instructions: https://docs.docker.com/desktop/wsl/

During some testing and trying to simplify my WSL2 environment I stumbled upon an annoying issue that prevented me from running docker ps each time I attempted to run docker ps I’d receive the following error.

1	permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied

To get around this issue you’ll need to run the following commands:

1

2

3

4

sudo adduser $USER docker

newgrp docker

sudo chown root:docker /var/run/docker.sock

sudo chmod g+w /var/run/docker.sock

Once those are ran you should be able to run docker without hitting permissions errors.

Those commands are adding/ensuring that the docker group exists and adding your existing user to the docker group. It then modifies the docker.sock to allow the docker group access to the socket.

Allowing ENV vars in Role/Collection Requirements

Share:

Using Ansible set_fact to generate lists of objects

Share:

Converting Python Google.Cloud Objects to JSON Parseable Dictionaries

Share:

Accessing Raw Files on Authenticated GitLab

Share:

Configuring Docker Desktop on WSL2

Share: