
Ansible Galaxy collection dependency SSH error with private GitHub repo


Being new to Ansible collections I’m hoping I’ve missed something obvious here in my attempt to refactor some old Ansible roles into collections using private GitHub repositories.

I have GitHub set up with 2 linked accounts. I’ll call the main personal account GITHUB_AC_P. The personal account is linked to a child organizational account I’ll call GITHUB_AC_O. I can switch between these accounts in the GitHub web UI and use the following single entry in ~/.ssh/config to access both accounts with git clients:

Host GITHUB_AC_P.github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_rsa_github_REDACTED_GITHUB_A

I first added Ansible Galaxy collection files to a new GitHub repository named ansible.common in account GITHUB_AC_O. I plan to reuse this collection in other Ansible Galaxy collections. It currently has a single role and the following galaxy.yml file:

namespace: REDACTED_NS
name: common
version: 0.0.1
description: "Common Ansible collection"
readme: README.md
authors:
  - REDACTED_AUTHOR

The following command reports “installed successfully” and I see the collection in ~/.ansible/collections/ansible_collections/REDACTED_NS/common:

ansible-galaxy collection install git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git,main

I then created a second Ansible Galaxy collection in a new GitHub repository named ansible.harden_host. This is also in account GITHUB_AC_O. This currently has no roles and uses the following galaxy.yml file to reference the above common collection (the value of REDACTED_NS is the same in both galaxy.yml files):

namespace: REDACTED_NS
name: harden_host
version: 0.0.1
description: "Ansible collection to harden hosts"
readme: README.md
authors:
  - REDACTED_AUTHOR
dependencies: {
  REDACTED_NS.common: git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git,main
}

But when I run the following:

ansible-galaxy collection install --verbose git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.harden_host.git,main

It fails with message:

Starting galaxy collection install process
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>

Why is this trying to hit galaxy.ansible.com instead of my GitHub account?

When I add --ignore-certs and run the following:

ansible-galaxy collection install --ignore-certs git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.harden_host.git,main

It fails with this different message:

ERROR! Failed to find collection REDACTED_NS.common:git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git

I pasted the URI from this error (right of the colon) into an ansible-galaxy collection install command to verify there’s no typo in the URI. This worked fine.

The string REDACTED_NS does not equal the value of GITHUB_AC_P or GITHUB_AC_O.

If someone could please explain what’s wrong here and how the issue can be fixed that would be much appreciated.


Solution

  • Solved; it seems the answer was hiding in plain sight in Ansible's Using collections document, which says to use the following form for git-based dependencies:

    dependencies: {'git@github.com:organization/repo_name.git': 'devel'}
    

    The form I was using was for Galaxy servers, hence it was hitting galaxy.ansible.com (unless I overrode the default with e.g. --server localhost).

    So the following form works (git repo followed by git reference):

    namespace: REDACTED_NS
    name: harden_host
    version: 0.0.1
    description: "Ansible collection to harden hosts"
    readme: README.md
    authors:
      - REDACTED_AUTHOR
    dependencies: {
      'git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git': 'main'
    }
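
A pre-install check for the mistake described above, as an added example that is not part of the original answer or of Ansible itself. It takes the already-parsed `dependencies` mapping from galaxy.yml and flags entries written in the Galaxy form but carrying a git source as the value. The function names are hypothetical, and the rule that a git source starts with `git@` or `git+` is an assumption of this sketch.

```python
import re

# Assumption: a dependency source is git-based when it starts with "git@" or
# "git+"; a Galaxy-style key has the form namespace.name.
GIT_PREFIXES = ("git@", "git+")
FQCN = re.compile(r"^[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*$", re.IGNORECASE)


def looks_like_git(text):
    """True when the text starts like a git source rather than a version spec."""
    return str(text).strip().startswith(GIT_PREFIXES)


def classify_dependency(key, value):
    """Return (kind, problem); problem is None when the entry is well formed."""
    if looks_like_git(key):
        # Git form: the repository is the key and the git reference the value.
        return "git", None
    if FQCN.match(str(key)):
        if looks_like_git(value):
            # The question's form: the name is resolved on a Galaxy server.
            return "galaxy", ("value is a git source, so the name is looked up "
                              "on the configured Galaxy server; use "
                              "{'<git source>': '<ref>'} instead")
        return "galaxy", None
    return "unknown", "key is neither namespace.name nor a git source"


def lint_dependencies(dependencies):
    """Return a list of (key, kind, problem) for every malformed entry."""
    findings = []
    for key, value in (dependencies or {}).items():
        kind, problem = classify_dependency(key, value)
        if problem:
            findings.append((key, kind, problem))
    return findings


# The two forms from this page, with its redaction placeholders kept as-is.
QUESTION_FORM = {"REDACTED_NS.common":
                 "git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git,main"}
ANSWER_FORM = {"git@GITHUB_AC_P.github.com:GITHUB_AC_O/ansible.common.git": "main"}

if __name__ == "__main__":
    for label, deps in (("question", QUESTION_FORM), ("answer", ANSWER_FORM)):
        print(label, lint_dependencies(deps) or "ok")
```

Running a check like this before installing catches the wrong form without reaching for --ignore-certs, which turns off TLS certificate verification for the Galaxy server calls.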