feat: replace hardcoded hub URLs with generic galaxy_servers list #556

Merged
cidrblock merged 1 commit into ansible:main from cidrblock:galaxy_servers
Mar 24, 2026

@cidrblock
Collaborator

Summary

Replace the hardcoded automation_hub_url / private_hub_url fields in EEConfig with a generic galaxy_servers list, decoupling ansible.cfg generation and workflow token plumbing from is_official_ee status.

  • New GalaxyServer dataclass with id, url, auth_url, token_required — includes from_dict(), to_schema(), as_dict() with derived token_env_var
  • EEConfig.galaxy_servers replaces automation_hub_url / private_hub_url
  • Dynamic ansible.cfg generation from the server list, with token comments for each token_required server
  • Dynamic workflow token plumbing — token checks, env vars, and --build-arg flags are all generated from the galaxy_servers configuration
  • Behavioral change: ansible.cfg is only generated when galaxy_servers is explicitly provided (or raw ansible_cfg is supplied), even for official EE images
  • New docs/ee_scaffolding.md comprehensive guide covering all EEConfig options

Example CLI

ansible-creator init execution_env \
  --ee-config '{
    "name": "ee-network",
    "base_image": "registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel8:latest",
    "collections": [{"name": "cisco.ios"}, {"name": "ansible.netcommon"}],
    "galaxy_servers": [
      {
        "id": "automation_hub",
        "url": "https://console.redhat.com/api/automation-hub/content/published/",
        "auth_url": "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token",
        "token_required": true
      },
      {"id": "galaxy", "url": "https://galaxy.ansible.com/"}
    ]
  }' my-ee-project

Resulting ansible.cfg

[galaxy]
server_list = automation_hub, galaxy

[galaxy_server.automation_hub]
url = https://console.redhat.com/api/automation-hub/content/published/
auth_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
# Token: set ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN as a repository secret

[galaxy_server.galaxy]
url = https://galaxy.ansible.com/

Resulting execution-environment.yml (relevant section)

additional_build_steps:
  prepend_galaxy:
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN

Resulting ee-build.yml (relevant sections)

Token check step:

      - name: Check if galaxy server tokens are configured
        id: check-galaxy
        env:
          ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN }}
        run: |
          CONFIGURED=false
          if [[ -n "$ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN" ]]; then
            echo "::notice::ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN is configured"
            CONFIGURED=true
          else
            echo "::notice::No ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN secret configured"
          fi
          echo "configured=$CONFIGURED" >> "$GITHUB_OUTPUT"

Build step token injection:

          if [[ -n "$ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN" ]]; then
            EXTRA_ARGS+=(--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN)
          fi

Behavioral change

ansible.cfg is no longer auto-generated for official EE images when no galaxy_servers are provided. Previously, using an official Red Hat EE base image would always produce a default ansible.cfg with hardcoded Automation Hub / Galaxy entries. Now, the ansible.cfg is only created when:

  1. galaxy_servers is explicitly provided, OR
  2. Raw ansible_cfg content is supplied

This makes the behavior explicit and consistent — Portal will pass the full galaxy_servers list via --ee-config JSON. A future --default-galaxy-servers CLI flag can restore the convenience for standalone CLI users.

Test plan

  • All 204 existing tests pass (52 EE-specific)
  • New tests for GalaxyServer dataclass (from_dict, as_dict, to_schema, validation)
  • End-to-end test: scaffolding with galaxy_servers verifies ansible.cfg, execution-environment.yml, and ee-build.yml
  • End-to-end test: no galaxy_servers produces no ansible.cfg even with official EE image
  • --no-overwrite test with galaxy_servers
  • Pre-commit (ruff, pylint, cspell, mypy, ansible-lint, pydoclint) all pass

Made with Cursor

Decouple ansible.cfg generation and workflow token plumbing from
is_official_ee status by introducing a GalaxyServer dataclass and a
galaxy_servers list in EEConfig. This allows Portal (or any consumer)
to pass an arbitrary set of Galaxy servers — each with id, url,
auth_url, and token_required — instead of relying on hardcoded
automation_hub_url / private_hub_url fields.

Key changes:
- New GalaxyServer dataclass with from_dict(), to_schema(), as_dict()
- EEConfig.galaxy_servers replaces automation_hub_url / private_hub_url
- _render_ansible_cfg() dynamically generates [galaxy_server.<id>]
  sections with token comments
- ansible.cfg is only generated when galaxy_servers is provided (or
  raw ansible_cfg content is supplied), even for official EE images
- execution-environment.yml.j2 uses dynamic ARG loop from
  ee_galaxy_token_vars instead of hardcoded ARG directives
- ee-build.yml.j2 dynamically generates token checks, env vars, and
  --build-arg flags based on the galaxy_servers configuration
- Removed broken Automation Hub Token validation step from workflow
- New docs/ee_scaffolding.md comprehensive guide

Made-with: Cursor
@cidrblock
Collaborator Author

+1 from nillashish

@cidrblock cidrblock merged commit cc95b4d into ansible:main Mar 24, 2026
17 checks passed
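
Added example, not part of the pull request or ansible-creator's own code: a sketch of why the server `id` needs validating once it feeds the `[galaxy_server.<id>]` header, the derived `ANSIBLE_GALAXY_SERVER_<ID>_TOKEN` name and the generated workflow shell. The class name `GalaxyServerSketch`, the helper names and the id pattern are assumptions; the field names and output format follow the PR description.

```python
import re
from dataclasses import dataclass

# Assumed rule (not stated in the PR): lowercase letters, digits, underscores.
_SAFE_ID = re.compile(r"[a-z][a-z0-9_]*")


@dataclass(frozen=True)
class GalaxyServerSketch:  # hypothetical stand-in for the PR's GalaxyServer
    id: str
    url: str
    auth_url: str = ""
    token_required: bool = False

    def __post_init__(self) -> None:
        # The id is spliced into an INI header, an env var name and shell text.
        if not _SAFE_ID.fullmatch(self.id):
            raise ValueError(f"unsafe galaxy server id: {self.id!r}")
        # A line break inside a URL would start a new ansible.cfg entry.
        if any(c in self.url + self.auth_url for c in "\r\n"):
            raise ValueError("URL must not contain line breaks")

    @property
    def token_env_var(self) -> str:
        return f"ANSIBLE_GALAXY_SERVER_{self.id.upper()}_TOKEN"


def render_ansible_cfg(servers):
    """Render ansible.cfg; token values are never written, only their names."""
    lines = ["[galaxy]", "server_list = " + ", ".join(s.id for s in servers), ""]
    for s in servers:
        lines += [f"[galaxy_server.{s.id}]", f"url = {s.url}"]
        if s.auth_url:
            lines.append(f"auth_url = {s.auth_url}")
        if s.token_required:
            lines.append(f"# Token: set {s.token_env_var} as a repository secret")
        lines.append("")
    return "\n".join(lines)


def token_vars(servers):  # names for ARG lines, env entries, --build-arg flags
    return [s.token_env_var for s in servers if s.token_required]


# Sample input taken from the PR description's example CLI call.
SERVERS = [
    GalaxyServerSketch("automation_hub", "https://console.redhat.com/api/automation-hub/content/published/",
                       "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token", True),
    GalaxyServerSketch("galaxy", "https://galaxy.ansible.com/"),
]
```

An id such as `hub]` followed by a line break and `[defaults` is rejected at construction, before it can reach any generated file.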