Creating the pipeline image

To run the pipeline from a GitLab runner or another git service, we need an image in which the required collections are installed.
This image must be available to the runner of the git service, so that it can be fetched and run.

We use a Docker image, which we built using the following configuration.

We created a directory on a server (with Docker installed) with the following content:

.
|-- Dockerfile
|-- files
|   |-- ansible.cfg
|   |-- ca.crt
|   `-- requirements.yml
`-- pm_build.sh

The files in this structure are as follows:

ca.crt

The certificate for the CA, if you have your own certificate setup such as easy_rsa. If you use public certificates, this is not needed.

Dockerfile

The Dockerfile tells the Docker build engine what to build and how. This process is well documented, so I will just give you the files to build the image.
Tweak this at your convenience. This works for me and results in an image of manageable size; all additions will enlarge the image and eventually hurt performance, depending on your configuration.

# FROM registry.access.redhat.com/ubi9/python-311:latest
FROM registry.redhat.io/ansible-automation-platform-24/ansible-python-toolkit-rhel9:latest
USER root

# Private CA certificate, collection list and Galaxy configuration
COPY files/ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
COPY files/requirements.yml /tmp/requirements.yml
COPY files/ansible.cfg /etc/ansible/ansible.cfg
# Ansible tooling plus podman
RUN pip install ansible-core ansible-lint ansible-builder pyyaml && \
    microdnf -y install podman && \
    microdnf clean all
# Install the collections listed in requirements.yml
RUN ansible-galaxy collection install -r /tmp/requirements.yml
# Make /opt world-writable and refresh the CA trust store
RUN /usr/bin/chmod 777 -R /opt/ && \
    /usr/bin/update-ca-trust

pm_build.sh

This script does the hard work for me and ensures that the build is executed the same way every time.
As this is my personal environment, the account information is in here. Replace it before use, or delete the script.

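#!/bin/sh
# Stop at the first failing command, so a failed login or build is never tagged or pushed
set -e

docker login -u {username} -p {password} registry.redhat.io
docker build -t cac-image .
docker tag cac-image {your-docker-registry-url}/cac-image:1.0
docker push {your-docker-registry-url}/cac-image:1.0
# Remove the local build tag again
docker rmi cac-image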

ansible.cfg

Assuming you first configured the RHAAP service by hand, or have a previous installation, you configure the ansible.cfg to point to your functional environment. This ensures you can pull collections from there. The collections mentioned in the requirements.yml should be in this installation.

[galaxy]
server_list = community_repo, rh-certified_repo,published_repo
validate_certs=false
ignore_certs=true
galaxy_ignore_certs=true

[galaxy_server.community_repo]
url=https://{rhaap-fqdn}/api/galaxy/content/community
token={token}

[galaxy_server.rh-certified_repo]
url=https://{rhaap-fqdn}/api/galaxy/content/rh-certified
token={token}

[galaxy_server.published_repo]
url=https://{rhaap-fqdn}/api/galaxy
token={token}
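
A pre-build check for files/ansible.cfg, added here as an example and not part of the original setup: the file above switches certificate validation off although the image installs ca.crt, and its tokens are copied into the image at /etc/ansible/ansible.cfg. The function name audit_galaxy_cfg and the sample text are assumptions made for this example; the key names are the ones used in the file above.

```python
import configparser

# Constructed sample: the [galaxy] section and one server entry from the
# ansible.cfg above, with its placeholders left as they are.
SAMPLE_CFG = """\
[galaxy]
server_list = community_repo, rh-certified_repo,published_repo
validate_certs=false
ignore_certs=true
galaxy_ignore_certs=true

[galaxy_server.community_repo]
url=https://{rhaap-fqdn}/api/galaxy/content/community
token={token}
"""

TRUE = {"1", "true", "yes", "on"}
FALSE = {"0", "false", "no", "off"}
# Key names as written in the file above, with the values that switch TLS
# checks off. Whether ansible-core honours each key is not checked here.
CERT_OFF = {"validate_certs": FALSE, "ignore_certs": TRUE, "galaxy_ignore_certs": TRUE}
SECRET_KEYS = ("token", "password")


def audit_galaxy_cfg(text):
    """Return a list of (section, key, problem) findings for an ansible.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if section != "galaxy" and not section.startswith("galaxy_server."):
            continue  # only the Galaxy client settings are audited
        for key, value in cfg[section].items():
            value = value.strip()
            if value.lower() in CERT_OFF.get(key, ()):
                findings.append((section, key, "TLS certificate validation disabled"))
            if key in SECRET_KEYS and value:
                findings.append((section, key, "credential stored in a file copied into the image"))
            if key == "url" and not value.lower().startswith("https://"):
                findings.append((section, key, "Galaxy server URL is not https"))
    return findings


if __name__ == "__main__":
    for section, key, problem in audit_galaxy_cfg(SAMPLE_CFG):
        print(f"[{section}] {key}: {problem}")
```

Run it against files/ansible.cfg before pm_build.sh and fail the build when the returned list is not empty.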

requirements.yml

These are the collections we will need to run our pipelines.

---
collections:
  - ansible.controller
  - ansible.eda
  - ansible.hub
  - ansible.platform
  - infra.aap_configuration
  - infra.ah_configuration
  - infra.controller_configuration
  - infra.eda_configuration
  - community.general
...

Build the image, upload it into the registry and use it in the pipeline for the configuration as code.
