Ansible F5 imperative collection works with proxies, declarative collection doesn't
I have a case where most of the F5s in our environment are accessible from our
Ansible Tower environment controllers without going through an internal proxy.
However, a few F5s can only be accessed via an http/s forwarding proxy.
I have gotten F5's imperative (f5_modules) and declarative (f5_bigip) Ansible
collections to work fine without using a proxy as described at:
https://clouddocs.f5.com/products/orchestration/ansible/devel/
However, when using a proxy (by specifying them using the ansible 'environment'
parameter), I've only been able to get the imperative collection to work. I've
had no success getting the declarative collection to work through a proxy, which
is a bit ironic as the httpapi connection type indicates that 'use_proxy' is
true by default.
I've done testing on a test VM that I created with Ansible installed and have had
the same results as when using Ansible Tower. Some details of the test
configuration:
inventory file:
[f5_cluster]
cnb-ilb01-t001 ansible_host=10.9.254.23
cnb-ilb01-t002 ansible_host=10.9.254.24
vars.yml file:
---
ansible_ssh_user: "root"
ansible_ssh_pass: "{{ ansible_ssh_pass_vault }}"
proxy_env:
  http_proxy: http://10.139.25.13:3128
  https_proxy: http://10.139.25.13:3128
playbook (excerpt, showing only the first task):
- hosts: "{{ f5_cluster }}"
  environment: "{{ proxy_env | default({}) }}"
  collections: f5networks.f5_bigip
  connection: httpapi
  vars:
    ansible_server: "{{ ansible_host }}"
    ansible_user: "{{ ansible_ssh_user }}"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_password: "{{ ansible_ssh_pass }}"
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    ansible_httpapi_use_proxy: true
    ansible_httpapi_validate_certs: false
  tasks:
    - name: get failover state
      bigip_device_info:
        gather_subset:
          - devices
      register: f5_device_info
I've enabled debug logging:
export ANSIBLE_LOG_PATH=~/ansible.log
export ANSIBLE_DEBUG=True
and used '-vvvv' when running ansible-playbook and can see the ansible 'httpapi'
and F5 'f5_bigip' collections being used. However, it appears that proxy
environment variables are loaded (during the implicit 'gather_facts') after the
connection has been established:
<10.9.254.23> EXEC /bin/sh -c 'http_proxy=http://10.139.25.13:3128 https_proxy=http://10.139.25.13:3128 /usr/bin/python3 /home/osboxes/.ansible/tmp/ansible-local-67825q3anan16/ansible-tmp-1716235016.7934482-67834-4566673767345/AnsiballZ_setup.py && sleep 0'
And when the 'get failover state' task is run, it appears to be using the
session established during gather_facts:
<10.9.254.23> found existing local domain socket, using it!
and hence still not using any proxy environment values.
I ran a tcpdump on the proxy host itself and no traffic is ever sent to the
proxy from the playbook. I have tried setting 'gather_facts: false', but
then I see no debug output even mentioning using a proxy.
I'm not sure if I'm doing something wrong (quite possible), if it's an f5_bigip
collection issue, or something with Ansible.
Has anyone had any success getting the declarative (f5_bigip) collection to
work using a proxy? I've tried everything I can think of, but no luck.
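
An added example (not part of the original post, and not Ansible or f5_bigip code): it uses Python's own urllib to show that proxy settings are fixed by the environment a process is started with, so a command prefixed with the proxy variables, like the EXEC line above, resolves a proxy while a separately started process does not. The "connection process" is an assumed model of the persistent session the post describes; the proxy URL and target address are the post's own values.

```python
import json
import os
import subprocess
import sys

# Values taken from the post's vars.yml and inventory.
PROXY_ENV = {"http_proxy": "http://10.139.25.13:3128",
             "https_proxy": "http://10.139.25.13:3128"}
TARGET = "10.9.254.23"

# Runs inside each child: report the HTTPS proxy urllib would pick for the
# target, and whether no_proxy exempts it, judged only from that child's env.
PROBE = (
    "import json, sys, urllib.request as u\n"
    "p = u.getproxies_environment()\n"
    "print(json.dumps({'https': p.get('https'),\n"
    "    'bypass': bool(u.proxy_bypass_environment(sys.argv[1], p))}))\n"
)


def probe(extra_env):
    """Start a child Python with a proxy-free environment plus extra_env."""
    env = {k: v for k, v in os.environ.items()
           if not k.lower().endswith("_proxy") and k != "REQUEST_METHOD"}
    env.update(extra_env)
    out = subprocess.run([sys.executable, "-c", PROBE, TARGET], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def scenarios():
    return {
        # Assumed model: a long-lived process started without the play's
        # 'environment' values (they are not in its own environment).
        "connection_process": probe({}),
        # A command prefixed with the variables, like the EXEC line in the post.
        "task_command": probe(PROXY_ENV),
        # Proxy variables present, but the target is exempted by no_proxy.
        "task_command_no_proxy": probe({**PROXY_ENV, "no_proxy": TARGET}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

The third scenario is worth checking on a real controller as well: a `no_proxy` entry matching the target makes urllib skip the proxy even when `https_proxy` is set.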