15

I have a set of roles that I need to install with ansible-galaxy.

- src: 'https://gitlab.private/role-openstack-net.git'
  scm: 'git'
  version: '1.0.0'
  name: 'role-openstack-net'

- src: 'https://gitlab.private/role-openstack-subnet.git'
  scm: 'git'
  version: '1.0.0'
  name: 'role-openstack-subnet'

In the real case, I have about 20 roles.

All the roles are private, so when I run:

ansible-galaxy install -f -c -r galaxy.yml

it asks me for the user / pass for each role, which is kind of bothersome.

Manually, I do:

git config --global credential.helper store

I enter my credentials once, and then it remembers them for all.

But how should I do this in a Jenkins job?

I saw here there is a way of putting a token:

https://github.com/ansible/ansible/pull/34621

but it doesn't seem to work.

Any ideas?

Juliatzin

2 Answers

8

There is currently no support for passing credential parameters into ansible-galaxy at run time.

It is possible to add the credentials into the requirements.yml, but generally adding credentials into code is not ideal due to the ease with which others could one day exploit them.

The solution is to update requirements.yml at run time.

Create a GitLab Personal Access Token by viewing your profile and updating the settings: https://private.gitlab/profile/personal_access_tokens

Use the secrets manager of your choice to set the variable PAT_TOKEN with the token at run time.

In your Jenkins script, use sed to update requirements.yml before ansible-galaxy install:

sed -i "s#https://gitlab.private/#https://oauth2:${PAT_TOKEN}@gitlab.private/#g" requirements.yml

If you were using GitLab CI instead of Jenkins, it is possible to use the existing CI token:

sed -i "s#https://gitlab.private/#https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.private/#g" requirements.yml
Facorazza
Steve E.
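A hardened form of the sed step from the answer above, as an added example that is not part of the original answer: it writes the token-bearing URLs to a private temporary copy instead of editing the requirements file in the workspace, and deletes that copy after the install. The function names and the token character check are assumptions; PAT_TOKEN, the host name and the ansible-galaxy flags come from the thread.

```shell
#!/usr/bin/env bash
# Added example. inject_token and install_private_roles are hypothetical names.

# Write a copy of requirements file $1 to $2 with the token inserted into
# every https://<host>/ URL. The source file is never modified.
inject_token() {
    local src="$1" dst="$2" host="${3:-gitlab.private}"
    # Fail closed if the secrets manager did not provide the token.
    [ -n "${PAT_TOKEN:-}" ] || { echo "PAT_TOKEN is not set" >&2; return 1; }
    # Assumption: a valid token uses only these characters. Anything else
    # could break the sed expression or the URL, so it is refused.
    case "$PAT_TOKEN" in
        *[!A-Za-z0-9_.-]*) echo "PAT_TOKEN has unexpected characters" >&2; return 1 ;;
    esac
    # Subshell: turn off xtrace so the expanded token is not echoed to the
    # build log, and create the copy readable by the job user only.
    ( set +x; umask 077
      sed "s#https://${host}/#https://oauth2:${PAT_TOKEN}@${host}/#g" "$src" > "$dst" )
}

# Install roles from $1 (default galaxy.yml) using a throwaway copy.
install_private_roles() {
    local src="${1:-galaxy.yml}" tmp rc=0
    tmp=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory
    # The copy keeps a .yml name because ansible-galaxy checks the extension.
    inject_token "$src" "$tmp/requirements.yml" &&
        ansible-galaxy install -f -c -r "$tmp/requirements.yml" || rc=$?
    rm -rf "$tmp"                         # remove the token-bearing copy either way
    return "$rc"
}
```

In the Jenkins shell step, source this file and call `install_private_roles galaxy.yml` with PAT_TOKEN bound from the credentials store.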
0

In case you have git installed, you can use this for GitLab:

git config --global credential.helper store
echo "https://gitlab-ci-token:${CI_JOB_TOKEN}@$mygitlab.com" >>  ~/.git-credentials
chmod 600 ~/.git-credentials

CI_JOB_TOKEN is the token which the runner uses to pull the code. You can use your own one (less secure).

Lamine BA