If you have a private, or a repo that requires authentication, like in the case of GitLab Enterprise. You may find it difficult to simply pull without any auth your roles or collections from a repository. To do this I struggled for a while, and then realized that we can make use of the envsubst command.
First step we will need to have a template lets call it galaxy_requirements.tpl:
|
1 2 3 4 5 6 7 8 9 10 |
--- collections: - name: ericsysmin.system source: "https://ansible-galaxy:${GITLAB_TOKEN}@\ gitlab.com/ericsysmin/ansible-collection-system.git" type: git - name: ericsysmin.databases source: "https://ansible-galaxy:${GITLAB_TOKEN}@\ gitlab.com/ericsysmin/ansible-collection-databases.git" type: git |
As long as you pass the environment vars to envsubst then it will work, in this case I am going to export the var just for command line sake, but ideally you’d put these in your build tool, either github, gitlab, or jenkins as a sensitive environment parameter to the job so that it does not get printed out.
|
1 |
export GITLAB_TOKEN=mypassword |
Now lets put that somewhere in our build repo, and then during the pipeline steps (github/gitlab/jenkins) you will run something like this to resolve the token and run the ansible-galaxy install.
|
1 2 |
envsubst < galaxy_requirements.tpl > galaxy_requirements.yml ansible-galaxy install -r galaxy_requirements.yml |
Using these two commands will create a new file galaxy_requirements.yml which would have the following contents.
|
1 2 3 4 5 6 7 8 9 10 |
--- collections: - name: ericsysmin.system source: "https://ansible-galaxy:mypassword@\ gitlab.com/ericsysmin/ansible-collection-system.git" type: git - name: ericsysmin.databases source: "https://ansible-galaxy:mypassword@\ gitlab.com/ericsysmin/ansible-collection-databases.git" type: git |
This prevents you from storing any type of credential within the repository violating any security policies you may have.