Being new to Ansible collections I’m hoping I’ve missed something obvious here in my attempt to refactor some old Ansible roles into collections using private GitHub repositories.
I have GitHub set up with 2 linked accounts. I’ll call the main personal account GITHUB_AC_P. The personal account is linked to a child organizational account I’ll call GITHUB_AC_O. I can switch between these accounts in the GitHub web UI and use the following single entry in ~/.ssh/config to access both accounts with git clients:
Host GITHUB_AC_P.github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github_REDACTED_GITHUB_A
I first added Ansible Galaxy collection files to a new GitHub repository named ansible.common in account GITHUB_AC_O. I plan to reuse this collection in other Ansible Galaxy collections. It currently has a single role and the following galaxy.yml file:
namespace: REDACTED_NS
name: common
version: 0.0.1
description: "Common Ansible collection"
readme: README.md
authors:
- REDACTED_AUTHOR
The following command reports “installed successfully” and I see the collection in ~/.ansible/collections/ansible_collections/REDACTED_NS/common:
ansible-galaxy collection install git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git,main
I then created a second Ansible Galaxy collection in a new GitHub repository named ansible.harden_host. This is also in account GITHUB_AC_O. This currently has no roles and uses the following galaxy.yml file to reference the above common collection (the value of REDACTED_NS is the same in both galaxy.yml files):
namespace: REDACTED_NS
name: harden_host
version: 0.0.1
description: "Ansible collection to harden hosts"
readme: README.md
authors:
- REDACTED_AUTHOR
dependencies: {
REDACTED_NS.common: git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git,main
}
But when I run the following:
ansible-galaxy collection install --verbose git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.harden_host.git,main
It fails with the message:
Starting galaxy collection install process
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>
Why is this trying to hit galaxy.ansible.com instead of my GitHub account?
When I add --ignore-certs and run the following:
ansible-galaxy collection install --ignore-certs git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.harden_host.git,main
It fails with this different message:
ERROR! Failed to find collection REDACTED_NS.common:git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git
I pasted the URI from this error (right of the colon) into an ansible-galaxy collection install command to verify there’s no typo in the URI. This worked fine.
The string REDACTED_NS does not equal the value of GITHUB_AC_P or GITHUB_AC_O.
If someone could please explain what’s wrong here and how the issue can be fixed that would be much appreciated.
Solved; it seems the answer was hiding in plain sight in Ansible's Using collections document, which says to use the following form for git-based dependencies:
dependencies: {'git@github.com:organization/repo_name.git': 'devel'}
The form I was using was for Galaxy servers, hence it was hitting galaxy.ansible.com (unless I overrode the default with e.g. --server localhost).
So the following form works (git repo followed by git reference):
namespace: REDACTED_NS
name: harden_host
version: 0.0.1
description: "Ansible collection to harden hosts"
readme: README.md
authors:
- REDACTED_AUTHOR
dependencies: {
'git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git': 'main'
}
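The check below is an added example, not part of the original post or of ansible-galaxy: it classifies each entry of a galaxy.yml dependencies map as a git source or a Galaxy server lookup and flags the key/value mix-up described above. The regexes and the function names `looks_like_git` and `check_dependencies` are assumptions made for illustration, and the sample maps are constructed from the two galaxy.yml files in the post.

```python
import re

# Assumed heuristics for this example; this is not ansible-galaxy's own parser.
GIT_SOURCE = re.compile(r"^(git@|git\+|ssh://|https?://.+\.git$)")
FQCN = re.compile(r"^[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*$", re.IGNORECASE)


def looks_like_git(value):
    # Drop a trailing ",<ref>" as used on the ansible-galaxy command line.
    return bool(GIT_SOURCE.match(str(value).split(",", 1)[0]))


def check_dependencies(deps):
    """Return (key, status, detail) tuples for a parsed dependencies map."""
    findings = []
    for key, value in deps.items():
        if looks_like_git(key):
            # Git form: repository URL as key, git reference as value.
            findings.append((key, "git", f"git source at ref {value!r}"))
        elif FQCN.match(key):
            if looks_like_git(value):
                # The mistake from the question: the name is looked up on a
                # Galaxy server and the URL is read as a version string.
                findings.append((key, "error",
                                 "value is a git URL; use the URL as the key "
                                 "and the git ref as the value"))
            else:
                findings.append((key, "galaxy",
                                 f"Galaxy server lookup, version {value!r}"))
        else:
            findings.append((key, "error",
                             "key is neither namespace.name nor a git URL"))
    return findings


# Constructed sample data mirroring the post's placeholders.
REPO = "git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git"
BROKEN = {"REDACTED_NS.common": REPO + ",main"}
FIXED = {REPO: "main"}

if __name__ == "__main__":
    for label, deps in (("broken", BROKEN), ("fixed", FIXED)):
        for key, status, detail in check_dependencies(deps):
            print(f"{label}: [{status}] {key}: {detail}")
```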