Build a disconnected AAP execution environment
When To Use This
Use this when the IdM execution environment must be built from mirrored or pre-staged dependencies.
Required Authority
AAP uses the resulting image. Dependency source and registry trust are site responsibilities.
Safety Boundary
This workflow is mutating. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
ansible-playbook playbooks/aap-ee-build.yml
Example Execution Environment Build
This vars file renders and builds an execution environment that contains the collection and the IdM client dependencies needed by AAP jobs.
aap-ee-build-vars.yml
---
eigenstate_ee_render: true
eigenstate_ee_build: true
eigenstate_ee_smoke: true
eigenstate_ee_push: false
eigenstate_ee_register_controller: false
eigenstate_ee_output_dir: ./build/eigenstate-idm-ee
eigenstate_ee_image: localhost/eigenstate-idm-ee:dev
eigenstate_ee_base_image: registry.example.com/aap/ee-minimal-rhel9:latest
eigenstate_ee_collection_version: ">=1.18.1"
Run It
ansible-playbook playbooks/aap-ee-build.yml -e @aap-ee-build-vars.yml
Expected Evidence
The build playbook must first render a reviewable Ansible Builder context. A captured render run from this checkout produced these files before any image push or Controller registration step:
PLAY [Render eigenstate.ipa AAP execution environment build context] ***********
TASK [Create execution environment build context directory] ********************
changed: [localhost]
TASK [Render execution environment build context files] ************************
changed: [localhost] => (item=execution-environment.yml)
changed: [localhost] => (item=requirements.yml)
changed: [localhost] => (item=bindep.txt)
changed: [localhost] => (item=python-requirements.txt)
changed: [localhost] => (item=ansible.cfg.example)
changed: [localhost] => (item=README.md)
TASK [Show rendered execution environment file list] ***************************
ok: [localhost] => {
"eigenstate_ee_rendered_files": [
".../build/eigenstate-idm-ee/execution-environment.yml",
".../build/eigenstate-idm-ee/requirements.yml",
".../build/eigenstate-idm-ee/bindep.txt",
".../build/eigenstate-idm-ee/python-requirements.txt",
".../build/eigenstate-idm-ee/ansible.cfg.example",
".../build/eigenstate-idm-ee/README.md"
]
}
PLAY RECAP *********************************************************************
localhost : ok=4 changed=2 unreachable=0 failed=0 skipped=14 rescued=0 ignored=0
build/eigenstate-idm-ee/README.md
build/eigenstate-idm-ee/ansible.cfg.example
build/eigenstate-idm-ee/bindep.txt
build/eigenstate-idm-ee/execution-environment.yml
build/eigenstate-idm-ee/python-requirements.txt
build/eigenstate-idm-ee/requirements.yml
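The evidence review before any push or Controller registration, written as a gate script. This is an added example, not part of the eigenstate.ipa collection or the playbook on this page. The registry allow-list and the digest-pinning rule are assumed site policy, and the flat key: value parser only covers vars files shaped like the one above; run it against a render-only context.

```python
"""Review gate for the rendered EE build context (added example, not project code)."""
import sys
from pathlib import Path

# File names from the captured render run on this page.
EXPECTED_FILES = {"execution-environment.yml", "requirements.yml", "bindep.txt",
                  "python-requirements.txt", "ansible.cfg.example", "README.md"}
# Assumption: site allow-list of mirrored registries; replace with your own.
TRUSTED_REGISTRIES = {"registry.example.com", "localhost"}


def parse_flat_vars(text):
    """Parse a flat `key: value` vars file (no nesting), as on this page."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "---")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def review_vars(settings):
    """Findings that should stop the run before any mutating step."""
    findings = []
    for flag in ("eigenstate_ee_push", "eigenstate_ee_register_controller"):
        if settings.get(flag, "").lower() != "false":
            findings.append(f"{flag} must stay false until the context is reviewed")
    image = settings.get("eigenstate_ee_base_image", "")
    registry = image.split("/", 1)[0]
    if registry not in TRUSTED_REGISTRIES:
        findings.append(f"base image registry {registry!r} is not on the allow-list")
    if "@sha256:" not in image:  # assumed site policy: pin mirrored images by digest
        findings.append("base image is referenced by a mutable tag, not a digest")
    return findings


def review_context(output_dir):
    """Compare a render-only build context with the expected file list."""
    root = Path(output_dir)
    present = {p.name for p in root.iterdir()} if root.is_dir() else set()
    findings = [f"missing rendered file: {n}" for n in sorted(EXPECTED_FILES - present)]
    findings += [f"unexpected file in context: {n}" for n in sorted(present - EXPECTED_FILES)]
    return findings


if __name__ == "__main__":  # usage: gate.py aap-ee-build-vars.yml ./build/eigenstate-idm-ee
    problems = review_vars(parse_flat_vars(Path(sys.argv[1]).read_text())) + review_context(sys.argv[2])
    sys.exit("\n".join(problems) if problems else 0)
```

Run against the vars file shown above, the gate reports the `:latest` base image tag as its only finding.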
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads and add no_log: true where secret material is present.