diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
index 9c21484e..6dd1a986 100644
--- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
@@ -10,6 +10,7 @@ spec:
 tower_hostname: example-tower.test
 tower_secret_key: aabbcc
+ tower_broadcast_websocket_secret: changeme
 tower_admin_user: test
 tower_admin_email: test@example.com
diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
index 9149854f..7ebcd12e 100644
--- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
@@ -10,6 +10,7 @@ spec:
 tower_hostname: example-tower.test
 tower_secret_key: aabbcc
+ tower_broadcast_websocket_secret: changeme
 tower_admin_user: test
 tower_admin_email: test@example.com
diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml
index 1c24027d..96bbf74d 100644
--- a/roles/tower/defaults/main.yml
+++ b/roles/tower/defaults/main.yml
@@ -39,3 +39,7 @@ tower_postgres_storage_class: ''
 tower_postgres_data_path: '/var/lib/postgresql/data/pgdata'
 uwsgi_bash: "scl enable rh-postgresql10"
+
+tower_postgres_port: 5432
+
+ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml
index 25d57ca4..01fe71bb 100644
--- a/roles/tower/tasks/main.yml
+++ b/roles/tower/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: Ensure configured Tower resources exist in the cluster.
 k8s:
+ apply: yes
 definition: "{{ lookup('template', item) | from_yaml_all | list }}"
 register: k8s_defs_result
 with_items:
diff --git a/roles/tower/templates/credentials.py.j2 b/roles/tower/templates/credentials.py.j2
new file mode 100644
index 00000000..abb074d0
--- /dev/null
+++ b/roles/tower/templates/credentials.py.j2
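Review bot: `ca_trust_bundle` (and the `pg_sslmode` variable it is paired with in credentials.py.j2) breaks the `tower_` prefix every other variable in this defaults file carries, and `pg_sslmode` is not declared here at all — its `prefer` fallback lives only inside the template, so a reader of defaults/main.yml cannot tell that the PostgreSQL server certificate is not verified by default. I would declare it next to the new keys, `pg_sslmode: prefer`, with a comment such as `# ca_trust_bundle is only consulted when pg_sslmode is verify-ca or verify-full`. The hard-coded bundle path is the RHEL/CentOS location, which is worth stating as a caveat for other base images.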
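Review bot: `apply: yes` uses a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags and that YAML 1.2 parsers read as the string "yes"; `apply: true` is unambiguous everywhere. The task continues past the hunk (the `with_items` list is cut off), so I cannot see whether other options were adjusted alongside it.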
@@ -0,0 +1,16 @@
+DATABASES = {
+ 'default': {
+ 'ATOMIC_REQUESTS': True,
+ 'ENGINE': 'awx.main.db.profiled_pg',
+ 'NAME': "awx",
+ 'USER': "awx",
+ 'PASSWORD': "{{ tower_postgres_pass }}",
+ 'HOST': '{{ meta.name }}-postgres',
+ 'PORT': "{{ tower_postgres_port }}",
+ 'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}',
+ 'sslrootcert': '{{ ca_trust_bundle }}',
+ },
+ }
+}
+
+BROADCAST_WEBSOCKET_SECRET = "{{ tower_broadcast_websocket_secret | b64encode }}"
diff --git a/roles/tower/templates/environment.sh.j2 b/roles/tower/templates/environment.sh.j2
new file mode 100644
index 00000000..420c99bd
--- /dev/null
+++ b/roles/tower/templates/environment.sh.j2
@@ -0,0 +1,5 @@
+DATABASE_USER=awx
+DATABASE_NAME=awx
+DATABASE_HOST={{ meta.name }}-postgres
+DATABASE_PORT={{ tower_postgres_port }}
+DATABASE_PASSWORD={{ tower_postgres_pass }}
diff --git a/roles/tower/templates/tower.yaml.j2 b/roles/tower/templates/tower.yaml.j2
index 00906fb5..e1724c02 100644
--- a/roles/tower/templates/tower.yaml.j2
+++ b/roles/tower/templates/tower.yaml.j2
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Secret
 metadata:
- name: '{{ meta.name }}-tower-secret'
+ name: '{{ meta.name }}-secrets'
 namespace: '{{ meta.namespace }}'
 data:
 secret_key: '{{ tower_secret_key | b64encode }}'
- admin_password: '{{ tower_admin_password | b64encode }}'
+ credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+ environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
 # Tower Deployment.
 ---
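Review bot: `'PASSWORD': "{{ tower_postgres_pass }}",` (and the `BROADCAST_WEBSOCKET_SECRET` line) interpolate values straight into Python string literals, so a password containing a double quote, a backslash or a newline yields a credentials.py that does not parse and the containers fail to start; rendering the value as a JSON literal, `'PASSWORD': {{ tower_postgres_pass | to_json }},`, produces a valid Python literal for any value. Separately, the `sslmode` fallback of `prefer` does not verify the server certificate, so the `sslrootcert` entry pointing at `ca_trust_bundle` has no effect unless `pg_sslmode` is set to `verify-ca` or `verify-full`; a comment above `'OPTIONS'` saying so would stop the next reader from assuming the bundle is enforced. Applying `b64encode` to the websocket secret changes the secret value itself rather than merely encoding it for transport, so it is worth confirming that is the form AWX expects — I cannot verify that from this diff.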
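Review bot: `DATABASE_PASSWORD={{ tower_postgres_pass }}` is written unquoted, so if the launch scripts source this file a password containing spaces, `$`, `;` or quotes is either mangled by the shell or interpreted as a command; `DATABASE_PASSWORD={{ tower_postgres_pass | quote }}` (Ansible's shell-quoting filter) keeps the value literal. The same applies to `DATABASE_HOST`, though its value is derived from `meta.name` and is lower-risk. Whether the file is sourced or parsed as plain KEY=VALUE pairs is not visible in this diff, so confirm against the consumer before changing it.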
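Review bot: Renaming the Secret from `{{ meta.name }}-tower-secret` to `{{ meta.name }}-secrets` and dropping `admin_password` from it leaves the old Secret in place on upgraded installs — the `k8s` task applies the new definitions but does not delete resources that are no longer in the template — so a copy of the admin password lingers in the namespace until someone removes it by hand (inferred from the `apply: yes` task in roles/tower/tasks/main.yml; I see no cleanup task in this diff). A follow-up task that removes `{{ meta.name }}-tower-secret` with `state: absent`, or a note in the upgrade documentation, would close that gap. It is also worth checking that nothing else in the template still references `admin_password` or the old Secret name beyond the hunks shown here.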
@@ -59,14 +60,13 @@ spec:
 ports:
 - containerPort: 8052
 volumeMounts:
+ - name: "{{ meta.name }}-application-credentials"
+ mountPath: "/etc/tower/conf.d/"
+ readOnly: true
 - name: {{ meta.name }}-secret-key
 mountPath: /etc/tower/SECRET_KEY
 subPath: SECRET_KEY
 readOnly: true
- - name: {{ meta.name }}-environment
- mountPath: /etc/tower/conf.d/environment.sh
- subPath: environment.sh
- readOnly: true
 - name: {{ meta.name }}-settings
 mountPath: /etc/tower/settings.py
 subPath: settings.py
@@ -99,20 +99,14 @@ spec:
 {% endif %}
 command:
 - /usr/bin/launch_awx_task.sh
- envFrom:
- - configMapRef:
- name: '{{ meta.name }}-tower-configmap'
- - secretRef:
- name: '{{ meta.name }}-tower-secret'
 volumeMounts:
+ - name: "{{ meta.name }}-application-credentials"
+ mountPath: "/etc/tower/conf.d/"
+ readOnly: true
 - name: {{ meta.name }}-secret-key
 mountPath: /etc/tower/SECRET_KEY
 subPath: SECRET_KEY
 readOnly: true
- - name: {{ meta.name }}-environment
- mountPath: /etc/tower/conf.d/environment.sh
- subPath: environment.sh
- readOnly: true
 - name: {{ meta.name }}-settings
 mountPath: /etc/tower/settings.py
 subPath: settings.py
@@ -121,6 +115,10 @@ spec:
 mountPath: /usr/bin/launch_awx_task.sh
 subPath: launch_awx_task.sh
 readOnly: true
+ - name: {{ meta.name }}-supervisor-web-config
+ mountPath: "/supervisor.conf"
+ subPath: supervisor.conf
+ readOnly: true
 - name: {{ meta.name }}-supervisor-task-config
 mountPath: /supervisor_task.conf
 subPath: supervisor_task.conf
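Review bot: Mounting the `application-credentials` Secret at `/etc/tower/conf.d/` as a whole directory (here and again in the hunk at -99) replaces that directory inside the container, whereas the removed `subPath: environment.sh` mount only overlaid a single file; any other file the image ships under /etc/tower/conf.d/ becomes invisible to the process. If the image does carry defaults there, mount the two keys with `subPath` as before or fold them into the templates — I cannot see the image contents from this diff. On style, the new entries quote `name:` and `mountPath:` while the neighbouring entries leave the same templated values bare (`- name: {{ meta.name }}-secret-key`), and the hunk at -121 mixes `mountPath: "/supervisor.conf"` with the sibling's `mountPath: /supervisor_task.conf`; both forms work because the template is rendered before `from_yaml_all` parses it, but picking one quoting convention for the file would make the list easier to read.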
@@ -129,23 +127,38 @@ spec:
 mountPath: "/var/run/redis"
 - name: {{ meta.name }}-memcached-socket
 mountPath: "/var/run/memcached"
+ env:
+ - name: SUPERVISOR_WEB_CONFIG_PATH
+ value: "/supervisor.conf"
+ - name: AWX_SKIP_MIGRATIONS
+ value: "1"
+ - name: MY_POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
 resources:
 requests:
 memory: '{{ tower_task_mem_request }}'
 cpu: '{{ tower_task_cpu_request }}'
 volumes:
+ - name: "{{ meta.name }}-application-credentials"
+ secret:
+ secretName: "{{ meta.name }}-secrets"
+ items:
+ - key: credentials_py
+ path: 'credentials.py'
+ - key: environment_sh
+ path: 'environment.sh'
 - name: {{ meta.name }}-secret-key
 secret:
- secretName: '{{ meta.name }}-tower-secret'
+ secretName: '{{ meta.name }}-secrets'
 items:
 - key: secret_key
 path: SECRET_KEY
- - name: {{ meta.name }}-environment
- configMap:
- name: '{{ meta.name }}-tower-configmap'
- items:
- - key: environment
- path: environment.sh
 - name: {{ meta.name }}-settings
 configMap:
 name: '{{ meta.name }}-tower-configmap'
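Review bot: The new `application-credentials` volume projects credentials.py — which embeds the database password and the websocket secret — with the Secret volume's default file mode, which is readable by every user inside the container; adding `defaultMode: 0440` to that volume (and to `secret-key`), paired with a pod `securityContext.fsGroup` matching the AWX process user, limits the files to the process that needs them. Whether the containers run as a non-root user with an fsGroup is outside this diff, so check the pod spec before tightening it. Two volumes now point at the same Secret `{{ meta.name }}-secrets` and could be one volume with three `items`, but that is cosmetic. `AWX_SKIP_MIGRATIONS` set to `"1"` on the task container implies migrations run elsewhere; I cannot see where from this diff, so a comment on that env entry naming the container or job that performs them would help the next reader.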