Fixes #35455 - Generate an environment file for ansible

This file will be sourced by smart_proxy_ansible before it starts
ansible-runner. This way, people can tweak their own ansible.cfg, but
the values we need will have a higher priority.

Author: adamruzicka

README.md

@@ -28,7 +28,7 @@ Part of the Foreman installer: <https://github.com/theforeman/foreman-installer>
 | 2.x            | 1.5 - 1.10     |                                                     |
 | 1.x            | 1.4 and older  |                                                     |
 
- * 24.x dropped management of ansible-runner repository, ansible-runner is now in the Foreman plugin repository. This requires Foreman 3.5.
+ * 24.x dropped management of ansible-runner repository, ansible-runner is now in the Foreman plugin repository. This requires Foreman 3.5. Ansible configuration is now done by deploying a file with environment variables that is sourced by smart_proxy_ansible and therefore is incompatible with versions older than 3.5.0.
  * 23.x dropped EL7 support. 3.1 and newer work on EL8.
  * 22.x renamed foreman_proxy::plugin::remote_execution::ssh to foreman_proxy::plugin::remote_execution::script as the feature within the plugin has changed from SSH to Script.
  * 20.x started to register as a Smart Proxy host. This requires Foreman 3.1. When using an older Foreman, set `$register_in_foreman` to false. This does require manual registration then.

manifests/plugin/ansible.pp

@@ -20,8 +20,6 @@
 #                      of the key, which is not possible from non-interactive
 #                      environments like Foreman Remote Execution or cron
 #
-# $stdout_callback:: Ansible's stdout_callback setting
-#
 # $roles_path:: Paths where we look for ansible roles.
 #
 # $ssh_args::          The ssh_args parameter in ansible.cfg under [ssh_connection]
@@ -40,7 +38,6 @@
   Stdlib::Absolutepath $ansible_dir = $foreman_proxy::plugin::ansible::params::ansible_dir,
   Optional[Stdlib::Absolutepath] $working_dir = $foreman_proxy::plugin::ansible::params::working_dir,
   Boolean $host_key_checking = $foreman_proxy::plugin::ansible::params::host_key_checking,
-  String $stdout_callback = $foreman_proxy::plugin::ansible::params::stdout_callback,
   Array[Stdlib::Absolutepath] $roles_path = $foreman_proxy::plugin::ansible::params::roles_path,
   String $ssh_args = $foreman_proxy::plugin::ansible::params::ssh_args,
   Boolean $install_runner = $foreman_proxy::plugin::ansible::params::install_runner,
@@ -53,17 +50,13 @@
   $foreman_ssl_key = pick($foreman_proxy::foreman_ssl_key, $foreman_proxy::ssl_key)
   $foreman_ssl_ca = pick($foreman_proxy::foreman_ssl_ca, $foreman_proxy::ssl_ca)
 
-  file { "${foreman_proxy::config_dir}/ansible.cfg":
+  file { "${foreman_proxy::config_dir}/ansible.env":
     ensure  => file,
-    content => template('foreman_proxy/plugin/ansible.cfg.erb'),
+    content => template('foreman_proxy/plugin/ansible.env.erb'),
     owner   => 'root',
     group   => $foreman_proxy::user,
     mode    => '0640',
   }
-  ~> file { "${foreman_proxy::dir}/.ansible.cfg":
-    ensure => link,
-    target => "${foreman_proxy::config_dir}/ansible.cfg",
-  }
 
   include foreman_proxy::plugin::dynflow
   if $install_runner {

manifests/plugin/ansible/params.pp

@@ -8,7 +8,6 @@
   $ansible_dir = $foreman_proxy::params::dir
   $working_dir = '/tmp'
   $host_key_checking = false
-  $stdout_callback = 'yaml'
   $roles_path = ['/etc/ansible/roles', '/usr/share/ansible/roles']
   $ssh_args = '-o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s'
   $install_runner = true

spec/classes/foreman_proxy__plugin__ansible_spec.rb

@@ -29,23 +29,20 @@
             with_content(%r{:ansible_dir: /usr/share/foreman-proxy})
         end
 
-        it 'should configure ansible.cfg' do
+        it 'should configure ansible.env' do
           callback = facts[:os]['family'] == 'RedHat' ? 'theforeman.foreman.foreman' : 'foreman'
-          verify_exact_contents(catalogue, '/etc/foreman-proxy/ansible.cfg', [
-            '[defaults]',
-            "callback_whitelist = #{callback}",
-            'local_tmp = /tmp',
-            'host_key_checking = False',
-            'stdout_callback = yaml',
-            '[callback_foreman]',
-            'url = https://foo.example.com',
-            'ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/foo.example.com.pem',
-            'ssl_cert = /etc/puppetlabs/puppet/ssl/certs/foo.example.com.pem',
-            'verify_certs = /etc/puppetlabs/puppet/ssl/certs/ca.pem',
-            'roles_path = /etc/ansible/roles:/usr/share/ansible/roles',
-            'collections_paths = /etc/ansible/collections:/usr/share/ansible/collections',
-            '[ssh_connection]',
-            'ssh_args = -o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s',
+          verify_exact_contents(catalogue, '/etc/foreman-proxy/ansible.env', [
+            "export ANSIBLE_CALLBACK_WHITELIST=\"#{callback}\"",
+            "export ANSIBLE_CALLBACKS_ENABLED=\"#{callback}\"",
+            'export ANSIBLE_LOCAL_TEMP="/tmp"',
+            'export ANSIBLE_HOST_KEY_CHECKING="False"',
+            'export ANSIBLE_ROLES_PATH="/etc/ansible/roles:/usr/share/ansible/roles"',
+            'export ANSIBLE_COLLECTIONS_PATHS="/etc/ansible/collections:/usr/share/ansible/collections"',
+            'export FOREMAN_URL="https://foo.example.com"',
+            'export FOREMAN_SSL_KEY="/etc/puppetlabs/puppet/ssl/private_keys/foo.example.com.pem"',
+            'export FOREMAN_SSL_CERT="/etc/puppetlabs/puppet/ssl/certs/foo.example.com.pem"',
+            'export FOREMAN_SSL_VERIFY="/etc/puppetlabs/puppet/ssl/certs/ca.pem"',
+            'export ANSIBLE_SSH_ARGS="-o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s"',
           ])
         end
       end
@@ -57,7 +54,6 @@
             ansible_dir: '/etc/ansible-test',
             working_dir: '/tmp/ansible',
             host_key_checking: true,
-            stdout_callback: 'debug',
           }
         end
 
@@ -79,23 +75,20 @@
             with_content(%r{:working_dir: /tmp/ansible})
         end
 
-        it 'should configure ansible.cfg' do
+        it 'should configure ansible.env' do
           callback = facts[:os]['family'] == 'RedHat' ? 'theforeman.foreman.foreman' : 'foreman'
-          verify_exact_contents(catalogue, '/etc/foreman-proxy/ansible.cfg', [
-            '[defaults]',
-            "callback_whitelist = #{callback}",
-            'local_tmp = /tmp/ansible',
-            'host_key_checking = True',
-            'stdout_callback = debug',
-            '[callback_foreman]',
-            'url = https://foo.example.com',
-            'ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/foo.example.com.pem',
-            'ssl_cert = /etc/puppetlabs/puppet/ssl/certs/foo.example.com.pem',
-            'verify_certs = /etc/puppetlabs/puppet/ssl/certs/ca.pem',
-            'roles_path = /etc/ansible/roles:/usr/share/ansible/roles',
-            'collections_paths = /etc/ansible/collections:/usr/share/ansible/collections',
-            '[ssh_connection]',
-            'ssh_args = -o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s',
+          verify_exact_contents(catalogue, '/etc/foreman-proxy/ansible.env', [
+            "export ANSIBLE_CALLBACK_WHITELIST=\"#{callback}\"",
+            "export ANSIBLE_CALLBACKS_ENABLED=\"#{callback}\"",
+            'export ANSIBLE_LOCAL_TEMP="/tmp/ansible"',
+            'export ANSIBLE_HOST_KEY_CHECKING="True"',
+            'export ANSIBLE_ROLES_PATH="/etc/ansible/roles:/usr/share/ansible/roles"',
+            'export ANSIBLE_COLLECTIONS_PATHS="/etc/ansible/collections:/usr/share/ansible/collections"',
+            'export FOREMAN_URL="https://foo.example.com"',
+            'export FOREMAN_SSL_KEY="/etc/puppetlabs/puppet/ssl/private_keys/foo.example.com.pem"',
+            'export FOREMAN_SSL_CERT="/etc/puppetlabs/puppet/ssl/certs/foo.example.com.pem"',
+            'export FOREMAN_SSL_VERIFY="/etc/puppetlabs/puppet/ssl/certs/ca.pem"',
+            'export ANSIBLE_SSH_ARGS="-o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s"',
           ])
         end
       end

templates/plugin/ansible.cfg.erb

@@ -0,0 +1,13 @@
+export ANSIBLE_CALLBACK_WHITELIST="<%= @callback %>"
+export ANSIBLE_CALLBACKS_ENABLED="<%= @callback %>"
+export ANSIBLE_LOCAL_TEMP="<%= @working_dir %>"
+export ANSIBLE_HOST_KEY_CHECKING="<%= @host_key_checking ? 'True' : 'False' %>"
+export ANSIBLE_ROLES_PATH="<%= @roles_path.join(':') %>"
+export ANSIBLE_COLLECTIONS_PATHS="<%= @collections_paths.join(':') %>"
+
+export FOREMAN_URL="<%= @foreman_url %>"
+export FOREMAN_SSL_CERT="<%= @foreman_ssl_cert %>"
+export FOREMAN_SSL_KEY="<%= @foreman_ssl_key %>"
+export FOREMAN_SSL_VERIFY="<%= @foreman_ssl_ca %>"
+
+export ANSIBLE_SSH_ARGS="<%= @ssh_args %>"

templates/plugin/ansible.env.erb

@@ -6,3 +6,4 @@
 <% else -%>
 :working_dir: <%= scope.lookupvar("foreman_proxy::plugin::ansible::working_dir") %>
 <% end -%>
+:ansible_environment_file: <%= scope.lookupvar("foreman_proxy::config_dir") %>/ansible.env