Red Hat SummitUnderstand execution environment builder
Execution environment builder enables your teams to discover Ansible collections, create EE definitions, and build container images through Ansible automation portal.
How it works
Execution environment builder connects to your Git provider and private automation hub to accomplish three tasks:
- Content discovery — scans Git repositories and private automation hub for Ansible collections (
galaxy.ymlfiles). Populates the collection catalog that users browse when building an EE definition. - Saving EE definition files to a repository — creates a set of definition files and saves them to a Git repository (new repo or pull request) on behalf of users via OAuth.
- Automated image builds — triggers a CI/CD pipeline (GitHub Actions) to produce a container image from the saved definition files.
Configuration file
| Platform | Configuration file | Apply changes |
|---|---|---|
| OpenShift | Helm chart values file | helm upgrade |
| RHEL appliance | /etc/portal/configs/app-config/app-config.production.yaml |
See Apply configuration changes in Related links. |
Secrets
Sensitive values such as Git provider tokens, OAuth client secrets, and registry credentials are stored separately from the configuration file.
- OpenShift deployments: Store secrets with
oc create secret generic. Reference the secret name in your Helm chart values. - RHEL appliance deployments: Store secrets with
podman secret createusing theportal_prefix naming convention (for example,portal_github_oauth_client_id). Create a Quadlet drop-in file to map each secret to a container environment variable. For more information on referencing secrets in your service configuration, see the Configuring the automation portal RHEL appliance guide.
The portal-backup utility does not currently capture EE Builder secrets or custom Quadlet drop-in files. After configuring EE Builder secrets, store the secret values and the contents of ee-builder-secrets.conf in a secure external location (for example, a vault or password manager). After a portal-restore, you must recreate the Podman secrets and the drop-in file manually.
If you host execution environment wizard templates in a private Git repository or deploy in an air-gapped environment, complete the steps in Host execution environment wizard templates in a private Git repository before configuring discovery sources.
Prerequisites
Before configuring execution environment builder, decide which Git provider your organization uses and understand the authentication method for each capability.
GitHub
| Capability | Authentication method | What it does |
|---|---|---|
| Content discovery | GitHub App or PAT | Scans repositories forgalaxy.yml files to populate the collection catalog |
| Saving definition files to a repository | GitHub OAuth App | Creates EE definition files and saves them to a new repo or opens a pull request |
| Automated image builds | GitHub OAuth App + repository or organization secrets | Builds a container image using GitHub Actions and pushes to a registry |
GitLab
| Capability | Authentication method | What it does |
|---|---|---|
| Content discovery | PAT | Scans groups forgalaxy.yml files to populate the collection catalog |
| Saving definition files to a repository | GitLab OAuth App | Creates EE definition files and saves them to a new repo or opens a merge request |
Content discovery credentials (GitHub App or PAT) provide read-only access only. Any write operation (saving definition files, creating repositories) goes through the OAuth flow.
Security considerations
- OpenShift deployments: Store tokens and OAuth credentials in OpenShift secrets (
oc create secret generic), never in plain text or version control. - RHEL appliance deployments: Store tokens using Podman secrets (
podman secret create). - Use minimum required token permissions for your use case.
- Rotate PATs regularly according to your organization's security policy.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}