Juliatzin

Reputation: 19705

Using credentials for ansible-galaxy with private gitlab repo in a Jenkins Job

I have a set of roles that I need to install with ansible-galaxy.

- src: 'https://gitlab.private/role-openstack-net.git'
  scm: 'git'
  version: '1.0.0'
  name: 'role-openstack-net'

- src: 'https://gitlab.private/role-openstack-subnet.git'
  scm: 'git'
  version: '1.0.0'
  name: 'role-openstack-subnet'

In the real case, I have about 20 roles.

All the roles are private, so when I run:

ansible-galaxy install -f -c -r galaxy.yml

it asks me for the user / pass for each role, which is kind of bothersome.

Manually, I do:

git config --global credential.helper store

I enter my credentials once, and then it remembers them for all.

But how should I do this in a Jenkins job?

I saw here there is a way of putting a token:

https://github.com/ansible/ansible/pull/34621

but it doesn't seem to work.

Any ideas?

Upvotes: 16

Views: 16770

Answers (3)

Chris Dixon

Reputation: 1

Adding this comment in case anyone needs a solution in the future: we use an SSH Agent in the Jenkins build 'Config' > 'Build Environment' to specify the ssh user/key stored in Jenkins credentials. This sets the environment up for ssh connections, making this much simpler.

Upvotes: 0

Steve E.

Reputation: 9353

There is currently no support for passing credential parameters into ansible-galaxy at run time.

It is possible to add the credentials into the requirements.yml, but generally adding credentials into code is not ideal due to the ease with which others could one day exploit them.

The solution is to update requirements.yml at run time.

Create a Gitlab Personal Access Token by viewing your profile and updating the settings: https://private.gitlab/profile/personal_access_tokens

Use the secrets manager of your choice to set the variable PAT_TOKEN with the token at run time.

In your Jenkins script, use sed to update requirements.yml before ansible-galaxy install:

sed -i "s#https://gitlab.private/#https://oauth2:${PAT_TOKEN}@gitlab.private/#g" requirements.yml

If you were using Gitlab-ci instead of Jenkins, it is possible to use the existing ci token:

sed -i "s#https://gitlab.private/#https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.private/#g" requirements.yml

Upvotes: 10
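
A variant of the sed approach in the answer above, as an added example that is not part of the original answer: it writes the token into a private temporary copy of requirements.yml instead of editing the checked-out file in place, so the secret is not left in the workspace. The function names are hypothetical, and it assumes PAT_TOKEN is exported by the secrets manager and contains only the characters A-Za-z0-9_.-.

```shell
# Added example, not the answer's code; function names are hypothetical.
# Assumes PAT_TOKEN is exported by the CI secrets store and contains only
# the characters A-Za-z0-9_.- (anything else is rejected, not escaped).

# Write a credentialed copy of a requirements file into a private temp
# directory and print its path. The checked-out file is never modified.
inject_token() {
    src=$1 host=$2 user=$3
    if [ -z "${PAT_TOKEN:-}" ]; then
        echo "PAT_TOKEN is not set" >&2
        return 1
    fi
    # '#', '&' and '\' would alter the sed expression; other characters
    # would need URL-encoding inside the userinfo part of the URL.
    case $PAT_TOKEN in
        *[!A-Za-z0-9_.-]*)
            echo "PAT_TOKEN contains unexpected characters" >&2
            return 1 ;;
    esac
    # Escape dots so only the literal host name is rewritten.
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    # mktemp -d gives a 0700 directory; the file keeps a .yml name for
    # ansible-galaxy and is created 0600 through the umask.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/galaxy-req.XXXXXX") || return 1
    dst=$dir/requirements.yml
    ( umask 077
      sed "s#https://${host_re}/#https://${user}:${PAT_TOKEN}@${host}/#g" \
          "$src" > "$dst" ) || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dst"
}

# Install from the temporary copy and remove it when the shell exits.
install_roles() {
    req=$(inject_token "$1" "$2" "$3") || return 1
    trap 'rm -rf "${req%/*}"' EXIT   # cleanup on any exit
    trap 'exit 130' INT TERM         # aborted build: exit, which runs EXIT
    ansible-galaxy install -f -r "$req"
}

# Jenkins shell step (after sourcing or pasting the functions):
#   install_roles requirements.yml gitlab.private oauth2
```
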

Lamine BA

Reputation: 129

In case you have git installed, you can use this for GitLab:

git config --global credential.helper store
echo "https://gitlab-ci-token:${CI_JOB_TOKEN}@$mygitlab.com" >>  ~/.git-credentials
chmod 600 ~/.git-credentials

CI_JOB_TOKEN is the token which the runner uses to pull the code. You can use your own one (less secure).

Upvotes: 0
