Alpine-based multistage-build version of Ansible for reproducible usage in CI

Docker image for ansible

All #awesome-ci Docker images

ansible-lint • ansible • awesome-ci • bandit • black • checkmake • eslint • file-lint • gofmt • goimports • golint • jsonlint • kubeval • linkcheck • mypy • php-cs-fixer • phpcbf • phpcs • phplint • pycodestyle • pydocstyle • pylint • terraform-docs • terragrunt-fmt • terragrunt • yamlfmt • yamllint

View Dockerfiles on GitHub.

Available Architectures: amd64, arm64

Tiny Alpine-based multistage-build dockerized version of Ansible[1] in many different flavours. It comes with Mitogen[2] to speed up your runs by up to 600%[3][4] (see Examples). The image is built nightly against multiple stable versions and pushed to Dockerhub.

🐳 Available Docker image versions

This repository provides many different Ansible flavours, each of which is available for several Ansible versions.

The following tree shows how the different flavours derive from each other (each child has all the tools and features of its parent plus its own additions).

       base                    #docker-tag:  :latest
         |                                   :<version>
         |
       tools                   #docker-tag:  :latest-tools
      /  |  \                                :<version>-tools
     /   |   \
infra  azure  aws              #docker-tag:  :latest-infra     :latest-azure     :latest-aws
               |                             :<version>-infra  :<version>-azure  :<version>-aws
               |
             awsk8s            #docker-tag:  :latest-awsk8s
              /  \                           :<version>-awsk8s
             /    \
        awskops  awshelm       #docker-tag   :latest-awskops     :latest-awshelm
                                             :<version>-awskops  :<version>-awshelm

<version> refers to the latest[1], patch-level version of Ansible. E.g.: 2.9, 2.10, 2.11, ...
[1]: latest as docker images are (re)built every night via CI against the latest available patch level version of Ansible

The following table shows a quick overview of provided libraries and tools for each flavour. For more details see further down below.

| Flavour | Based on | Additional Python libs | Additional binaries |
|---|---|---|---|
| base | - | cffi, cryptography, Jinja2, junit-xml, lxml, paramiko, PyYAML | - |
| tools | base | dnspython, JMESPath, mitogen | bash, git, gpg, jq, ssh, yq |
| infra | tools | docker, docker-compose, jsondiff, netaddr, pexpect, psycopg2, pyldap, pypsexec, pymongo, PyMySQL, pywinrm, smbprotocol | rsync, sshpass |
| azure | tools | azure-* | az |
| aws | tools | awscli, botocore, boto, boto3 | aws, aws-iam-authenticator |
| awsk8s | aws | openshift | kubectl, oc |
| awskops | awsk8s | - | kops |
| awshelm | awsk8s | - | helm |

Rolling releases

The following Docker image tags are rolling releases and are built and updated every night.

Ansible base

The following Ansible Docker images are as small as possible and contain only Ansible itself together with the Python libraries listed in the table above.

Docker Tag Git Ref Ansible Available Architectures
latest master latest amd64, arm64
2.13 master 2.13.x amd64, arm64
2.12 master 2.12.x amd64, arm64
2.11 master 2.11.x amd64, arm64
2.10 master 2.10.x amd64, arm64
2.9 master 2.9.x amd64, arm64
2.8 master 2.8.x amd64, arm64

Ansible tools

The following Ansible Docker images contain everything from Ansible base and additionally the binaries bash, git, gpg, jq, ssh and yq, the Python libraries dnspython and JMESPath, and the Ansible Mitogen strategy plugin (see Examples).

Docker Tag Git Ref Ansible Available Architectures
latest-tools master latest amd64, arm64
2.13-tools master 2.13.x amd64, arm64
2.12-tools master 2.12.x amd64, arm64
2.11-tools master 2.11.x amd64, arm64
2.10-tools master 2.10.x amd64, arm64
2.9-tools master 2.9.x amd64, arm64
2.8-tools master 2.8.x amd64, arm64

Ansible azure

The following Ansible Docker images contain everything from Ansible tools and additionally the azure-* Python libraries and the az CLI.

Docker Tag Git Ref Ansible Available Architectures
latest-azure master latest amd64, arm64
2.13-azure master 2.13.x amd64, arm64
2.12-azure master 2.12.x amd64, arm64
2.11-azure master 2.11.x amd64, arm64
2.10-azure master 2.10.x amd64, arm64
2.9-azure master 2.9.x amd64, arm64
2.8-azure master 2.8.x amd64, arm64

Ansible aws

The following Ansible Docker images contain everything from Ansible tools and additionally aws-cli, aws-iam-authenticator, boto, boto3 and botocore.

Docker Tag Git Ref Ansible Available Architectures
latest-aws master latest amd64, arm64
2.13-aws master 2.13.x amd64, arm64
2.12-aws master 2.12.x amd64, arm64
2.11-aws master 2.11.x amd64, arm64
2.10-aws master 2.10.x amd64, arm64
2.9-aws master 2.9.x amd64, arm64
2.8-aws master 2.8.x amd64, arm64

Ansible awsk8s

The following Ansible Docker images contain everything from Ansible aws and additionally the openshift Python library plus the kubectl and oc binaries.

Docker Tag Git Ref Ansible Available Architectures
latest-awsk8s master latest amd64, arm64
2.13-awsk8s master 2.13.x amd64, arm64
2.12-awsk8s master 2.12.x amd64, arm64
2.11-awsk8s master 2.11.x amd64, arm64
2.10-awsk8s master 2.10.x amd64, arm64
2.9-awsk8s master 2.9.x amd64, arm64
2.8-awsk8s master 2.8.x amd64, arm64

Ansible awskops

The following Ansible Docker images contain everything from Ansible awsk8s and additionally: kops in its latest patch level version.

https://github.com/kubernetes/kops/releases

Docker Tag Git Ref Ansible Kops Available Architectures
latest-awskops1.25 master latest 1.25.x amd64, arm64
2.13-awskops1.25 master 2.13.x 1.25.x amd64, arm64
2.12-awskops1.25 master 2.12.x 1.25.x amd64, arm64
2.11-awskops1.25 master 2.11.x 1.25.x amd64, arm64
2.10-awskops1.25 master 2.10.x 1.25.x amd64, arm64
2.9-awskops1.25 master 2.9.x 1.25.x amd64, arm64
2.8-awskops1.25 master 2.8.x 1.25.x amd64, arm64
latest-awskops1.24 master latest 1.24.x amd64, arm64
2.13-awskops1.24 master 2.13.x 1.24.x amd64, arm64
2.12-awskops1.24 master 2.12.x 1.24.x amd64, arm64
2.11-awskops1.24 master 2.11.x 1.24.x amd64, arm64
2.10-awskops1.24 master 2.10.x 1.24.x amd64, arm64
2.9-awskops1.24 master 2.9.x 1.24.x amd64, arm64
2.8-awskops1.24 master 2.8.x 1.24.x amd64, arm64
latest-awskops1.23 master latest 1.23.x amd64, arm64
2.13-awskops1.23 master 2.13.x 1.23.x amd64, arm64
2.12-awskops1.23 master 2.12.x 1.23.x amd64, arm64
2.11-awskops1.23 master 2.11.x 1.23.x amd64, arm64
2.10-awskops1.23 master 2.10.x 1.23.x amd64, arm64
2.9-awskops1.23 master 2.9.x 1.23.x amd64, arm64
2.8-awskops1.23 master 2.8.x 1.23.x amd64, arm64
latest-awskops1.22 master latest 1.22.x amd64, arm64
2.13-awskops1.22 master 2.13.x 1.22.x amd64, arm64
2.12-awskops1.22 master 2.12.x 1.22.x amd64, arm64
2.11-awskops1.22 master 2.11.x 1.22.x amd64, arm64
2.10-awskops1.22 master 2.10.x 1.22.x amd64, arm64
2.9-awskops1.22 master 2.9.x 1.22.x amd64, arm64
2.8-awskops1.22 master 2.8.x 1.22.x amd64, arm64
latest-awskops1.21 master latest 1.21.x amd64, arm64
2.13-awskops1.21 master 2.13.x 1.21.x amd64, arm64
2.12-awskops1.21 master 2.12.x 1.21.x amd64, arm64
2.11-awskops1.21 master 2.11.x 1.21.x amd64, arm64
2.10-awskops1.21 master 2.10.x 1.21.x amd64, arm64
2.9-awskops1.21 master 2.9.x 1.21.x amd64, arm64
2.8-awskops1.21 master 2.8.x 1.21.x amd64, arm64
latest-awskops1.20 master latest 1.20.x amd64, arm64
2.13-awskops1.20 master 2.13.x 1.20.x amd64, arm64
2.12-awskops1.20 master 2.12.x 1.20.x amd64, arm64
2.11-awskops1.20 master 2.11.x 1.20.x amd64, arm64
2.10-awskops1.20 master 2.10.x 1.20.x amd64, arm64
2.9-awskops1.20 master 2.9.x 1.20.x amd64, arm64
2.8-awskops1.20 master 2.8.x 1.20.x amd64, arm64
latest-awskops1.19 master latest 1.19.x amd64, arm64
2.13-awskops1.19 master 2.13.x 1.19.x amd64, arm64
2.12-awskops1.19 master 2.12.x 1.19.x amd64, arm64
2.11-awskops1.19 master 2.11.x 1.19.x amd64, arm64
2.10-awskops1.19 master 2.10.x 1.19.x amd64, arm64
2.9-awskops1.19 master 2.9.x 1.19.x amd64, arm64
2.8-awskops1.19 master 2.8.x 1.19.x amd64, arm64

Ansible awshelm

The following Ansible Docker images contain everything from Ansible awsk8s and additionally: helm in its latest patch level version.

https://github.com/helm/helm/releases

Docker Tag Git Ref Ansible Helm Available Architectures
latest-awshelm3.11 master latest 3.11.x amd64, arm64
2.13-awshelm3.11 master 2.13.x 3.11.x amd64, arm64
2.12-awshelm3.11 master 2.12.x 3.11.x amd64, arm64
2.11-awshelm3.11 master 2.11.x 3.11.x amd64, arm64
2.10-awshelm3.11 master 2.10.x 3.11.x amd64, arm64
2.9-awshelm3.11 master 2.9.x 3.11.x amd64, arm64
2.8-awshelm3.11 master 2.8.x 3.11.x amd64, arm64
latest-awshelm3.10 master latest 3.10.x amd64, arm64
2.13-awshelm3.10 master 2.13.x 3.10.x amd64, arm64
2.12-awshelm3.10 master 2.12.x 3.10.x amd64, arm64
2.11-awshelm3.10 master 2.11.x 3.10.x amd64, arm64
2.10-awshelm3.10 master 2.10.x 3.10.x amd64, arm64
2.9-awshelm3.10 master 2.9.x 3.10.x amd64, arm64
2.8-awshelm3.10 master 2.8.x 3.10.x amd64, arm64
latest-awshelm3.9 master latest 3.9.x amd64, arm64
2.13-awshelm3.9 master 2.13.x 3.9.x amd64, arm64
2.12-awshelm3.9 master 2.12.x 3.9.x amd64, arm64
2.11-awshelm3.9 master 2.11.x 3.9.x amd64, arm64
2.10-awshelm3.9 master 2.10.x 3.9.x amd64, arm64
2.9-awshelm3.9 master 2.9.x 3.9.x amd64, arm64
2.8-awshelm3.9 master 2.8.x 3.9.x amd64, arm64
latest-awshelm3.8 master latest 3.8.x amd64, arm64
2.13-awshelm3.8 master 2.13.x 3.8.x amd64, arm64
2.12-awshelm3.8 master 2.12.x 3.8.x amd64, arm64
2.11-awshelm3.8 master 2.11.x 3.8.x amd64, arm64
2.10-awshelm3.8 master 2.10.x 3.8.x amd64, arm64
2.9-awshelm3.8 master 2.9.x 3.8.x amd64, arm64
2.8-awshelm3.8 master 2.8.x 3.8.x amd64, arm64
latest-awshelm3.7 master latest 3.7.x amd64, arm64
2.13-awshelm3.7 master 2.13.x 3.7.x amd64, arm64
2.12-awshelm3.7 master 2.12.x 3.7.x amd64, arm64
2.11-awshelm3.7 master 2.11.x 3.7.x amd64, arm64
2.10-awshelm3.7 master 2.10.x 3.7.x amd64, arm64
2.9-awshelm3.7 master 2.9.x 3.7.x amd64, arm64
2.8-awshelm3.7 master 2.8.x 3.7.x amd64, arm64
latest-awshelm3.6 master latest 3.6.x amd64, arm64
2.13-awshelm3.6 master 2.13.x 3.6.x amd64, arm64
2.12-awshelm3.6 master 2.12.x 3.6.x amd64, arm64
2.11-awshelm3.6 master 2.11.x 3.6.x amd64, arm64
2.10-awshelm3.6 master 2.10.x 3.6.x amd64, arm64
2.9-awshelm3.6 master 2.9.x 3.6.x amd64, arm64
2.8-awshelm3.6 master 2.8.x 3.6.x amd64, arm64
latest-awshelm3.5 master latest 3.5.x amd64, arm64
2.13-awshelm3.5 master 2.13.x 3.5.x amd64, arm64
2.12-awshelm3.5 master 2.12.x 3.5.x amd64, arm64
2.11-awshelm3.5 master 2.11.x 3.5.x amd64, arm64
2.10-awshelm3.5 master 2.10.x 3.5.x amd64, arm64
2.9-awshelm3.5 master 2.9.x 3.5.x amd64, arm64
2.8-awshelm3.5 master 2.8.x 3.5.x amd64, arm64
latest-awshelm3.4 master latest 3.4.x amd64, arm64
2.13-awshelm3.4 master 2.13.x 3.4.x amd64, arm64
2.12-awshelm3.4 master 2.12.x 3.4.x amd64, arm64
2.11-awshelm3.4 master 2.11.x 3.4.x amd64, arm64
2.10-awshelm3.4 master 2.10.x 3.4.x amd64, arm64
2.9-awshelm3.4 master 2.9.x 3.4.x amd64, arm64
2.8-awshelm3.4 master 2.8.x 3.4.x amd64, arm64
latest-awshelm3.3 master latest 3.3.x amd64, arm64
2.13-awshelm3.3 master 2.13.x 3.3.x amd64, arm64
2.12-awshelm3.3 master 2.12.x 3.3.x amd64, arm64
2.11-awshelm3.3 master 2.11.x 3.3.x amd64, arm64
2.10-awshelm3.3 master 2.10.x 3.3.x amd64, arm64
2.9-awshelm3.3 master 2.9.x 3.3.x amd64, arm64
2.8-awshelm3.3 master 2.8.x 3.3.x amd64, arm64
latest-awshelm3.2 master latest 3.2.x amd64, arm64
2.13-awshelm3.2 master 2.13.x 3.2.x amd64, arm64
2.12-awshelm3.2 master 2.12.x 3.2.x amd64, arm64
2.11-awshelm3.2 master 2.11.x 3.2.x amd64, arm64
2.10-awshelm3.2 master 2.10.x 3.2.x amd64, arm64
2.9-awshelm3.2 master 2.9.x 3.2.x amd64, arm64
2.8-awshelm3.2 master 2.8.x 3.2.x amd64, arm64
latest-awshelm3.1 master latest 3.1.x amd64, arm64
2.13-awshelm3.1 master 2.13.x 3.1.x amd64, arm64
2.12-awshelm3.1 master 2.12.x 3.1.x amd64, arm64
2.11-awshelm3.1 master 2.11.x 3.1.x amd64, arm64
2.10-awshelm3.1 master 2.10.x 3.1.x amd64, arm64
2.9-awshelm3.1 master 2.9.x 3.1.x amd64, arm64
2.8-awshelm3.1 master 2.8.x 3.1.x amd64, arm64
latest-awshelm3.0 master latest 3.0.x amd64, arm64
2.13-awshelm3.0 master 2.13.x 3.0.x amd64, arm64
2.12-awshelm3.0 master 2.12.x 3.0.x amd64, arm64
2.11-awshelm3.0 master 2.11.x 3.0.x amd64, arm64
2.10-awshelm3.0 master 2.10.x 3.0.x amd64, arm64
2.9-awshelm3.0 master 2.9.x 3.0.x amd64, arm64
2.8-awshelm3.0 master 2.8.x 3.0.x amd64, arm64
latest-awshelm2.16 master latest 2.16.x amd64, arm64
2.13-awshelm2.16 master 2.13.x 2.16.x amd64, arm64
2.12-awshelm2.16 master 2.12.x 2.16.x amd64, arm64
2.11-awshelm2.16 master 2.11.x 2.16.x amd64, arm64
2.10-awshelm2.16 master 2.10.x 2.16.x amd64, arm64
2.9-awshelm2.16 master 2.9.x 2.16.x amd64, arm64
2.8-awshelm2.16 master 2.8.x 2.16.x amd64, arm64

🆕 Point in time releases

The following Docker image tags are built once and can be used for reproducible builds. Their contents never change, so you will have to update the tags in your pipelines from time to time in order to stay up to date. Keep in mind that a tag is still a name the registry can re-point; if a pipeline must pull byte-identical content every time, reference the image by its sha256 digest (image@sha256:...) instead of, or in addition to, the tag.

| Docker Tag | Git Ref | Available Architectures |
|---|---|---|
| <docker-tag>-<tag> | git: <tag> | amd64, arm64 |

  • Where <docker-tag> refers to any of the tags listed in Rolling releases above.
  • Where <tag> refers to the chosen git tag of this repository.
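Rolling and point-in-time tags are both names that the registry can be made to point elsewhere; a digest is not. The guard below is an added example and not part of the cytopia/docker-ansible project: it refuses to run a playbook from an image reference that does not carry a sha256 digest and shows how to obtain one for an already pulled image with docker image inspect. The function names and the exit status 2 are this example's own conventions; the docker run invocation mirrors the one in the Examples section.

```shell
#!/bin/sh
# Added example, not part of cytopia/docker-ansible: refuse to run Ansible from a
# mutable image reference. A tag (even a point-in-time one) is a name the registry
# owner can re-point; only <image>@sha256:<64 hex digits> identifies fixed content.

# is_digest_pinned REF -> 0 when REF carries a well-formed sha256 digest
is_digest_pinned() {
    ref="$1"
    digest="${ref##*@}"
    [ "$digest" != "$ref" ] || return 1      # no '@' in the reference at all
    hex="${digest#sha256:}"
    [ "$hex" != "$digest" ] || return 1      # digest algorithm is not sha256
    [ "${#hex}" -eq 64 ] || return 1         # wrong length
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;             # not lowercase hex throughout
    esac
    return 0
}

# repo_of REF -> REF without tag and digest, i.e. what precedes '@' in a pinned reference
repo_of() {
    ref="${1%%@*}"
    case "${ref##*/}" in                     # only the last path component may carry ':tag'
        *:*) printf '%s\n' "${ref%:*}" ;;
        *)   printf '%s\n' "$ref" ;;
    esac
}

# resolve_digest REF -> prints the digest-pinned reference of an already pulled
# image (needs a docker daemon, so this part does not run offline)
resolve_digest() {
    docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null
}

# run_pinned_playbook REF PLAYBOOK... -> ansible-playbook from a pinned image only;
# exit status 2 (this example's convention) means the reference was refused
run_pinned_playbook() {
    image="$1"; shift
    if ! is_digest_pinned "$image"; then
        echo "refusing mutable image reference: $image" >&2
        pinned=$(resolve_digest "$image") ||
            pinned="$(repo_of "$image")@sha256:<digest from 'docker image inspect'>"
        echo "pull it, then use: $pinned" >&2
        return 2
    fi
    docker run --rm -v "$(pwd):/data" "$image" ansible-playbook "$@"
}
```

Pin once per upgrade (pull the tag, record what resolve_digest prints, commit that reference) and let the guard fail the pipeline whenever someone puts a bare tag back in.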

Docker environment variables

Environment variables are available for all flavours except for Ansible base.

| Variable | Default | Allowed values | Description |
|---|---|---|---|
| USER | (empty) | ansible | Set this to ansible to have everything inside the container run as the user ansible instead of root |
| MY_UID | 1000 | integer | If your local uid is not 1000, set it to your uid to synchronize file/dir permissions on mounted volumes |
| MY_GID | 1000 | integer | If your local gid is not 1000, set it to your gid to synchronize file/dir permissions on mounted volumes |
| INIT_GPG_KEY | (empty) | string | If your GPG key requires a password, you can initialize it during startup and cache the password (requires INIT_GPG_PASS as well) |
| INIT_GPG_PASS | (empty) | string | The password for INIT_GPG_KEY, used to initialize and cache it during startup (requires INIT_GPG_KEY as well) |
| INIT_GPG_CMD | (empty) | string | A custom command which will initialize the GPG key password. This allows for interactive mode to enter your password manually during startup (mutually exclusive with INIT_GPG_KEY and INIT_GPG_PASS) |

📂 Docker mounts

The working directory inside the Docker container is /data/ and should be mounted locally to the root of your project where your Ansible playbooks are.

ℹ️ Examples

Run Ansible playbook

docker run --rm -v $(pwd):/data cytopia/ansible ansible-playbook playbook.yml

Run Ansible playbook with Mitogen

Mitogen updates Ansible’s slow and wasteful shell-centric implementation with pure-Python equivalents, invoked via highly efficient remote procedure calls to persistent interpreters tunnelled over SSH.

No changes are required to target hosts. The extension is considered stable and real-world use is encouraged.

Configuration (option 1)

ansible.cfg

[defaults]
strategy_plugins = /usr/lib/python3.10/site-packages/ansible_mitogen/plugins/strategy
strategy         = mitogen_linear

Configuration (option 2)

# Instead of hardcoding it via ansible.cfg,  you could also add the
# option on-the-fly via environment variables.
export ANSIBLE_STRATEGY_PLUGINS=/usr/lib/python3.10/site-packages/ansible_mitogen/plugins/strategy
export ANSIBLE_STRATEGY=mitogen_linear

Invocation

docker run --rm -v $(pwd):/data cytopia/ansible:latest-tools ansible-playbook playbook.yml
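Both configuration options above hard-code /usr/lib/python3.10/..., which silently stops matching once the image ships a different Python and then makes Ansible abort with an unknown strategy. The script below is an added example, not part of the project: run inside the container, it locates the plugin directory at runtime, checks that it really contains mitogen_linear.py before exporting the two variables, and otherwise leaves the default strategy in place. The function names and the file name mitogen-env.sh in the usage comment are this example's own; the only layout assumed is that of the mitogen package itself (ansible_mitogen/plugins/strategy/mitogen_linear.py).

```shell
#!/bin/sh
# Added example, not part of cytopia/docker-ansible: locate the Mitogen strategy
# plugin directory at runtime instead of hard-coding /usr/lib/python3.10/...
# Run it inside the container; the only assumption is the mitogen package layout
# ansible_mitogen/plugins/strategy/mitogen_linear.py.

# mitogen_dir_from_python -> asks the interpreter where it imports ansible_mitogen from
mitogen_dir_from_python() {
    pkg=$(python3 -c 'import ansible_mitogen, os; print(os.path.dirname(ansible_mitogen.__file__))' 2>/dev/null) || return 1
    [ -f "$pkg/plugins/strategy/mitogen_linear.py" ] || return 1
    printf '%s\n' "$pkg/plugins/strategy"
}

# mitogen_dir_from_glob [PREFIX] -> fallback: glob site-packages below PREFIX (default /usr)
mitogen_dir_from_glob() {
    for candidate in "${1:-/usr}"/lib/python3.*/site-packages/ansible_mitogen/plugins/strategy; do
        if [ -f "$candidate/mitogen_linear.py" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# mitogen_strategy_dir [PREFIX] -> first answer that really contains the plugin, else 1
mitogen_strategy_dir() {
    mitogen_dir_from_python || mitogen_dir_from_glob "$@"
}

# Print shell exports for eval, or say why Mitogen stays disabled. Usage inside
# the image (the file name mitogen-env.sh is this example's own):
#   docker run --rm -v "$(pwd):/data" cytopia/ansible:latest-tools \
#     sh -c 'eval "$(sh /data/mitogen-env.sh)" && ansible-playbook playbook.yml'
if dir=$(mitogen_strategy_dir); then
    printf 'export ANSIBLE_STRATEGY_PLUGINS=%s\nexport ANSIBLE_STRATEGY=mitogen_linear\n' "$dir"
else
    echo "ansible_mitogen strategy plugin not found; Mitogen not enabled" >&2
fi
```

When the plugin is missing the eval sees an empty string, so the playbook still runs with Ansible's default linear strategy instead of failing on a stale path.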

Run Ansible playbook with non-root user

# Use 'ansible' user inside Docker container
docker run --rm \
  -e USER=ansible \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

# Use 'ansible' user with a custom uid/gid inside Docker container
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible playbook with local ssh keys mounted

Mounting the agent socket lets ssh inside the container sign with the keys loaded in your agent. The .ssh directory is mounted read-write here, which lets ssh inside the container update known_hosts; append :ro to that -v argument if the container should not be able to modify your keys and config.

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.ssh/:/home/ansible/.ssh/ \
  -v ${SSH_AUTH_SOCK}:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible playbook with local password-less gpg keys mounted

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible playbook with local gpg keys mounted and automatically initialized

This is required in case your GPG key itself is encrypted with a password. Note that the password needs to be in single quotes.

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -e INIT_GPG_KEY=user@example.com \
  -e INIT_GPG_PASS='my gpg password' \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Alternatively you can also export your GPG key and password to the shell's environment:

# Ensure to write the password in single quotes
export MY_GPG_KEY='user@example.com'
export MY_GPG_PASS='my gpg password'
# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -e INIT_GPG_KEY=${MY_GPG_KEY} \
  -e INIT_GPG_PASS=${MY_GPG_PASS} \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml
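Both variants above hand the passphrase to docker as -e INIT_GPG_PASS='...' on the command line, where it ends up in shell history and in the argument list of the docker client process, which ps shows to every local user for as long as the run lasts. The wrapper below is an added example and not part of the project: it reads the passphrase from a file that only its owner can read, and passes INIT_GPG_KEY and INIT_GPG_PASS as -e NAME without a value, which tells docker to copy the value from its own environment so that it never appears on the command line. The DOCKER variable, the file-based secret and the function names are this example's own; USER, MY_UID, MY_GID, INIT_GPG_KEY and INIT_GPG_PASS are the image's variables from the table above.

```shell
#!/bin/sh
# Added example, not part of cytopia/docker-ansible: keep the GPG passphrase off
# the docker command line. "-e NAME" without "=value" makes docker copy NAME from
# the environment of the docker client, so the value is neither in shell history
# nor in the argv that ps shows; the file holding it must be owner-readable only.

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to print the command instead of running it

# read_secret_file PATH -> prints the first line of PATH, refusing files that
# group or others can read (find -perm -040 / -004 test exactly those bits)
read_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "refusing $f: readable by group or others, chmod 600 it" >&2
        return 1
    fi
    IFS= read -r line < "$f" || true     # read exits 1 at EOF without a trailing newline
    [ -n "$line" ] || { echo "empty secret file: $f" >&2; return 1; }
    printf '%s' "$line"
}

# run_with_gpg_secret PASSFILE KEYID IMAGE PLAYBOOK... -> runs the playbook with
# INIT_GPG_KEY / INIT_GPG_PASS passed through the environment
run_with_gpg_secret() {
    passfile="$1"; keyid="$2"; image="$3"; shift 3
    INIT_GPG_PASS=$(read_secret_file "$passfile") || return 1
    INIT_GPG_KEY="$keyid"
    export INIT_GPG_KEY INIT_GPG_PASS
    "$DOCKER" run --rm \
        -e USER=ansible -e MY_UID="$(id -u)" -e MY_GID="$(id -g)" \
        -e INIT_GPG_KEY -e INIT_GPG_PASS \
        -v "${HOME}/.gnupg/:/home/ansible/.gnupg/" \
        -v "$(pwd):/data" \
        "$image" ansible-playbook "$@"
    rc=$?
    unset INIT_GPG_PASS                  # do not leave the passphrase in the calling shell
    return $rc
}

# Usage (the file name is this example's own):
#   printf '%s\n' 'my gpg password' > ~/.gpg-pass && chmod 600 ~/.gpg-pass
#   run_with_gpg_secret ~/.gpg-pass user@example.com cytopia/ansible:latest-tools playbook.yml
```

The value is still stored in the container's configuration (docker inspect shows it while the container exists), which is one more reason to keep --rm. Setting DOCKER=echo prints the assembled command without running it, a cheap way to confirm that no secret leaks into it.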

Run Ansible playbook with local gpg keys mounted and initialized interactively

The following works with password-less and password-protected GPG keys. If the key requires a password, you will be prompted for it during startup.

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -e INIT_GPG_CMD='echo test | gpg --encrypt -r user@example.com | gpg --decrypt --pinentry-mode loopback' \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-playbook playbook.yml

Run Ansible Galaxy

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v $(pwd):/data \
  cytopia/ansible:latest-tools ansible-galaxy install -r requirements.yml

Run Ansible playbook with AWS credentials

# Basic
docker run --rm \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml
# With AWS Session Token
docker run --rm \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml
# With ~/.aws/ config and credentials files mounted (read-only)
# If you want to make explicit use of aws profiles, use this variant
# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -v ${HOME}/.aws/config:/home/ansible/.aws/config:ro \
  -v ${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws ansible-playbook playbook.yml
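The access key ID already tells you what kind of credential you are about to hand to the container: IDs beginning with AKIA are long-lived IAM user keys, those beginning with ASIA are temporary STS credentials that only work together with AWS_SESSION_TOKEN. The wrapper below is an added example and not part of the project: it refuses long-lived keys unless explicitly allowed, checks that temporary ones come with a token, and passes all three variables through as -e NAME so their values stay off the docker command line (the -e NAME=$NAME form in the first two variants above is expanded by the shell first and therefore shows up in ps). ALLOW_LONG_LIVED, DOCKER and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of cytopia/docker-ansible: sanity-check AWS credentials
# before starting the container and pass them through the environment.
# AKIA... = long-lived IAM user access key, ASIA... = temporary STS credential.

DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to print the command instead of running it

# aws_key_kind KEY_ID -> prints long-lived, temporary or unknown
aws_key_kind() {
    case "$1" in
        AKIA*) echo long-lived ;;
        ASIA*) echo temporary ;;
        *)     echo unknown ;;
    esac
}

# aws_creds_ok -> 0 when the exported credentials are complete and acceptable.
# Long-lived keys are refused unless ALLOW_LONG_LIVED=1 (this example's own knob).
aws_creds_ok() {
    if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
        echo "AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set" >&2
        return 1
    fi
    case "$(aws_key_kind "$AWS_ACCESS_KEY_ID")" in
        temporary)
            if [ -z "$AWS_SESSION_TOKEN" ]; then
                echo "temporary (ASIA) key needs AWS_SESSION_TOKEN" >&2
                return 1
            fi ;;
        long-lived)
            if [ "${ALLOW_LONG_LIVED:-0}" != 1 ]; then
                echo "refusing long-lived (AKIA) key; obtain STS credentials or set ALLOW_LONG_LIVED=1" >&2
                return 1
            fi ;;
        *)
            echo "unrecognised access key id prefix" >&2
            return 1 ;;
    esac
    return 0
}

# run_aws_playbook IMAGE PLAYBOOK... -> ansible-playbook with credentials passed
# through the environment; -e NAME without a value copies it from this shell
run_aws_playbook() {
    image="$1"; shift
    aws_creds_ok || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    "$DOCKER" run --rm \
        -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
        -v "$(pwd):/data" \
        "$image" ansible-playbook "$@"
}
```

When AWS_SESSION_TOKEN is unset in the calling shell, docker simply does not set it inside the container, so the same wrapper serves both the basic and the session-token variant.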

Run Ansible playbook against AWS with gpg vault initialization

# Ensure to set same uid/gid as on your local system for Docker user
# to prevent permission issues during docker mounts
docker run --rm \
  -e USER=ansible \
  -e MY_UID=1000 \
  -e MY_GID=1000 \
  -e INIT_GPG_KEY=user@example.com \
  -e INIT_GPG_PASS='my gpg password' \
  -v ${HOME}/.aws/config:/home/ansible/.aws/config:ro \
  -v ${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
  -v ${HOME}/.gnupg/:/home/ansible/.gnupg/ \
  -v $(pwd):/data \
  cytopia/ansible:latest-aws \
  ansible-playbook playbook.yml

As the command is getting pretty long, you could wrap it into a Makefile.

ifneq (,)
.error This Makefile requires GNU Make.
endif

.PHONY: dry run

CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
ANSIBLE = 2.8
UID = 1000
GID = 1000

# Ansible check mode uses mitogen_linear strategy for much faster roll-outs
dry:
ifndef GPG_PASS
	docker run --rm -it \
		-e ANSIBLE_STRATEGY_PLUGINS=/usr/lib/python3.10/site-packages/ansible_mitogen/plugins/strategy \
		-e ANSIBLE_STRATEGY=mitogen_linear \
		-e USER=ansible \
		-e MY_UID=$(UID) \
		-e MY_GID=$(GID) \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible:$(ANSIBLE)-aws \
		ansible-playbook playbook.yml --check
else
	docker run --rm -it \
		-e ANSIBLE_STRATEGY_PLUGINS=/usr/lib/python3.10/site-packages/ansible_mitogen/plugins/strategy \
		-e ANSIBLE_STRATEGY=mitogen_linear \
		-e USER=ansible \
		-e MY_UID=$(UID) \
		-e MY_GID=$(GID) \
		-e INIT_GPG_KEY=$${GPG_KEY} \
		-e INIT_GPG_PASS=$${GPG_PASS} \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible:$(ANSIBLE)-aws \
		ansible-playbook playbook.yml --check
endif

# Ansible real run uses default strategy
run:
ifndef GPG_PASS
	docker run --rm -it \
		-e USER=ansible \
		-e MY_UID=$(UID) \
		-e MY_GID=$(GID) \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible:$(ANSIBLE)-aws ansible-playbook playbook.yml
else
	docker run --rm -it \
		-e USER=ansible \
		-e MY_UID=$(UID) \
		-e MY_GID=$(GID) \
		-e INIT_GPG_KEY=$${GPG_KEY} \
		-e INIT_GPG_PASS=$${GPG_PASS} \
		-v $${HOME}/.aws/config:/home/ansible/.aws/config:ro \
		-v $${HOME}/.aws/credentials:/home/ansible/.aws/credentials:ro \
		-v $${HOME}/.gnupg/:/home/ansible/.gnupg/ \
		-v $(CURRENT_DIR):/data \
		cytopia/ansible:$(ANSIBLE)-aws \
		ansible-playbook playbook.yml
endif

Important:

The GPG_KEY and GPG_PASS values are not echoed by make: recipes are printed before the shell expands ${GPG_KEY} and ${GPG_PASS}, so only the variable names appear. You are still advised to export those values via your shell's export command rather than putting them on the make command line, where they end up in your shell history. In both cases the shell expands them before docker starts, so they are visible in the argument list of the docker client process (ps) for the duration of the run and in docker inspect of the container.

If you still want to specify them on the command line via make dry GPG_PASS='pass' and your password or key contains one or more $ characters, then each of them must be escaped with an additional $ in front. This is not necessary if you export them.

Example: If your password is test$5, then you must use make dry GPG_PASS='test$$5'.

Then you can call it easily:

# With GPG password from the env
export GPG_KEY='user@example.com'
export GPG_PASS='THE_GPG_PASSWORD_HERE'
make dry
make run

# With GPG password on the cli
make dry GPG_KEY='user@example.com' GPG_PASS='THE_GPG_PASSWORD_HERE'
make run GPG_KEY='user@example.com' GPG_PASS='THE_GPG_PASSWORD_HERE'

# Without GPG password
make dry
make run

# With different Ansible version
make dry ANSIBLE=2.6
make run ANSIBLE=2.6

# With different uid/gid
make dry UID=1001 GID=1001
make run UID=1001 GID=1001

💻 Build locally

To build locally you require GNU Make to be installed. Instructions as shown below.

amd64 vs arm64

If you want to build the Ansible image for a different platform, use the ARCH make variable as shown below. This also applies to all other examples below.

# Build amd64 images (default)
make build
make build ARCH=linux/amd64

# Build arm64 images
make build ARCH=linux/arm64

Ansible base

# Build latest Ansible base
# image: cytopia/ansible:latest
make build

# Build Ansible 2.6 base
# image: cytopia/ansible:2.6
make build VERSION=2.6

Ansible tools

# Build latest Ansible tools
# image: cytopia/ansible:latest-tools
make build VERSION=latest STAGE=tools

# Build Ansible 2.6 tools
# image: cytopia/ansible:2.6-tools
make build VERSION=2.6 STAGE=tools

Ansible infra

# Build latest Ansible infra
# image: cytopia/ansible:latest-infra
make build VERSION=latest STAGE=infra

# Build Ansible 2.6 infra
# image: cytopia/ansible:2.6-infra
make build VERSION=2.6 STAGE=infra

Ansible azure

# Build latest Ansible azure
# image: cytopia/ansible:latest-azure
make build VERSION=latest STAGE=azure

# Build Ansible 2.6 azure
# image: cytopia/ansible:2.6-azure
make build VERSION=2.6 STAGE=azure

Ansible aws

# Build latest Ansible aws
# image: cytopia/ansible:latest-aws
make build VERSION=latest STAGE=aws

# Build Ansible 2.6 aws
# image: cytopia/ansible:2.6-aws
make build VERSION=2.6 STAGE=aws

Ansible awsk8s

# Build latest Ansible awsk8s
# image: cytopia/ansible:latest-awsk8s
make build VERSION=latest STAGE=awsk8s

# Build Ansible 2.6 awsk8s
# image: cytopia/ansible:2.6-awsk8s
make build VERSION=2.6 STAGE=awsk8s

Ansible awskops

# Build latest Ansible with Kops 1.8
# image: cytopia/ansible:latest-awskops1.8
make build VERSION=latest STAGE=awskops KOPS=1.8

# Build Ansible 2.6 with Kops 1.8
# image: cytopia/ansible:2.6-awskops1.8
make build VERSION=2.6 STAGE=awskops KOPS=1.8

Ansible awshelm

# Build latest Ansible with Helm 2.14
# image: cytopia/ansible:latest-awshelm2.14
make build VERSION=latest STAGE=awshelm HELM=2.14

🔄 Related #awesome-ci projects

Docker images

Save yourself from installing lots of dependencies and pick a dockerized version of your favourite linter below for reproducible local or remote CI tests:

| GitHub | Type | Description |
|---|---|---|
| awesome-ci | Basic | Tools for git, file and static source code analysis |
| file-lint | Basic | Basic source code analysis |
| linkcheck | Basic | Search for URLs in files and validate their HTTP status code |
| ansible | Ansible | Multiple versions and flavours of Ansible |
| ansible-lint | Ansible | Lint Ansible |
| gofmt | Go | Format Go source code [1] |
| goimports | Go | Format Go source code [1] |
| golint | Go | Lint Go code |
| eslint | Javascript | Lint Javascript code |
| jsonlint | JSON | Lint JSON files [1] |
| kubeval | K8s | Lint Kubernetes files |
| checkmake | Make | Lint Makefiles |
| phpcbf | PHP | PHP Code Beautifier and Fixer |
| phpcs | PHP | PHP Code Sniffer |
| phplint | PHP | PHP Code Linter [1] |
| php-cs-fixer | PHP | PHP Coding Standards Fixer |
| bandit | Python | A security linter from PyCQA |
| black | Python | The uncompromising Python code formatter |
| mypy | Python | Static source code analysis |
| pycodestyle | Python | Python style guide checker |
| pydocstyle | Python | Python docstyle checker |
| pylint | Python | Python source code, bug and quality checker |
| terraform-docs | Terraform | Terraform doc generator (TF 0.12 ready) [1] |
| terragrunt | Terraform | Terragrunt and Terraform |
| terragrunt-fmt | Terraform | terraform fmt for Terragrunt files [1] |
| yamlfmt | Yaml | Format Yaml files [1] |
| yamllint | Yaml | Lint Yaml files |

[1] Uses a shell wrapper to add enhanced functionality not available by original project.

Makefiles

Visit cytopia/makefiles for dependency-less, seamless project integration and minimum required best-practice code linting for CI. The provided Makefiles will only require GNU Make and Docker itself removing the need to install anything else.

📄 License

MIT License

Copyright (c) 2019 cytopia