From 1fc22749a5d93e43e1a37b7edeead6fb241d6d19 Mon Sep 17 00:00:00 2001 From: Julen Landa Alustiza Date: Wed, 2 Jun 2021 09:33:02 +0200 Subject: [PATCH] Use awx-manage register_default_execution_environments Signed-off-by: Julen Landa Alustiza --- README.md | 24 +++++++++ ansible/templates/crd.yml.j2 | 2 + deploy/awx-operator.yaml | 2 + deploy/crds/awx_v1beta1_crd.yaml | 2 + .../manifests/awx.ansible.com_awxs_crd.yaml | 3 ++ roles/installer/defaults/main.yml | 4 ++ roles/installer/tasks/initialize_django.yml | 54 +++++++++++++++++++ 7 files changed, 91 insertions(+) diff --git a/README.md b/README.md index 75d3d184..e319876c 100644 --- a/README.md +++ b/README.md @@ -556,6 +556,30 @@ In a scenario where custom volumes and volume mounts are required to either over Example configuration for ConfigMap +#### Default execution environments from private registries + +In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments. + +The secret should be formated as follows: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: -ee-pull-credentials + namespace: +stringData: + url: + username: + password: + ssl_verify: +type: Opaque +``` + +##### Control plane ee from private registry +The first default execution environment will be deployed as part of the control plane. In order to use a private image for this you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. + ```yaml --- apiVersion: v1 diff --git a/ansible/templates/crd.yml.j2 b/ansible/templates/crd.yml.j2 index 99a8c0fa..1f6e313e 100644 
--- a/ansible/templates/crd.yml.j2 +++ b/ansible/templates/crd.yml.j2 @@ -151,6 +151,8 @@ spec: type: string control_plane_ee_image: description: Registry path to the Execution Environment container image to use on control plane pods + ee_pull_credentials_secret: + description: Secret where pull credentials for registered ees can be found type: string image_pull_policy: description: The image pull policy diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml index 23580fcf..bea2b6a8 100644 --- a/deploy/awx-operator.yaml +++ b/deploy/awx-operator.yaml @@ -153,6 +153,8 @@ spec: type: string control_plane_ee_image: description: Registry path to the Execution Environment container image to use on control plane pods + ee_pull_credentials_secret: + description: Secret where pull credentials for registered ees can be found type: string image_pull_policy: description: The image pull policy diff --git a/deploy/crds/awx_v1beta1_crd.yaml b/deploy/crds/awx_v1beta1_crd.yaml index 99a8c0fa..1f6e313e 100644 --- a/deploy/crds/awx_v1beta1_crd.yaml +++ b/deploy/crds/awx_v1beta1_crd.yaml @@ -151,6 +151,8 @@ spec: type: string control_plane_ee_image: description: Registry path to the Execution Environment container image to use on control plane pods + ee_pull_credentials_secret: + description: Secret where pull credentials for registered ees can be found type: string image_pull_policy: description: The image pull policy diff --git a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml index fededf3f..9b765f10 100644 --- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml +++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml 
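Review bot: In the ansible/templates/crd.yml.j2 hunk the two added lines land between the `description` of `control_plane_ee_image` and its existing `type: string`, so as far as the flattened context shows, `control_plane_ee_image` loses its type and the new `ee_pull_credentials_secret` takes it over. The same placement appears in the deploy/awx-operator.yaml and deploy/crds/awx_v1beta1_crd.yaml hunks, while the OLM manifest hunk adds its own `type: string` and is fine. Move the addition below the existing `type: string` and give it its own type, i.e. `ee_pull_credentials_secret:` / `description: Secret where pull credentials for registered ees can be found` / `type: string`. Depending on the CRD API version, an untyped property is either rejected as non-structural or accepted without type validation, and this field is the image reference for control plane pods, so it should stay typed.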
@@ -64,6 +64,9 @@ spec: type: string type: object type: array + ee_pull_credentials_secret: + description: Secret where pull credentials for registered ees can be found + type: string extra_settings: description: Extra settings to specify for the API items: diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index 15775363..d0591849 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -93,6 +93,10 @@ postgres_configuration_secret: '' old_postgres_configuration_secret: '' +# Secret to lookup that provides default execution environment pull credentials +# +ee_pull_credentials_secret: '' + # Add extra volumes to the AWX pod. Specify as literal block. E.g.: # extra_volumes: | # - name: my-volume diff --git a/roles/installer/tasks/initialize_django.yml b/roles/installer/tasks/initialize_django.yml index 9b9c05e7..94a4c777 100644 --- a/roles/installer/tasks/initialize_django.yml +++ b/roles/installer/tasks/initialize_django.yml 
@@ -72,3 +72,57 @@ command: >- bash -c "awx-manage unregister_queue --queuename=tower" when: "'[tower capacity=' in legacy_queue.stdout" + +- name: Check for specified default execution environment pull credentials + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ ee_pull_credentials_secret }}' + register: _custom_execution_environments_pull_credentials + when: ee_pull_credentials_secret | length + +- name: Check for default execution environment pull credentials + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ meta.name }}-ee-pull-credentials' + register: _default_execution_environments_pull_credentials + +- name: Set admin password secret + set_fact: + _execution_environments_pull_credentials: >- + {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length + | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }} +- name: Register default execution environments (without authentication) + k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ tower_pod_name }}" + container: "{{ meta.name }}-task" + command: >- + bash -c "awx-manage register_default_execution_environments" + register: ree + changed_when: "'changed: True' in ree.stdout" + when: not _execution_environments_pull_credentials['resources'] | default([]) | length + +- block: + - name: Store default execution environment pull credentials + set_fact: + default_execution_environment_pull_credentials_user: "{{ _execution_environments_pull_credentials['resources'][0]['data']['username'] | b64decode }}" + default_execution_environment_pull_credentials_pass: "{{ _execution_environments_pull_credentials['resources'][0]['data']['password'] | b64decode }}" + default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}" + default_execution_environment_pull_credentials_url_verify: >- + {{ 
_execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }} + - name: Register default execution environments (with authentication) + k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ tower_pod_name }}" + container: "{{ meta.name }}-task" + command: >- + bash -c "awx-manage register_default_execution_environments + --registry-username='{{ default_execution_environment_pull_credentials_user }}' + --registry-password='{{ default_execution_environment_pull_credentials_pass }}' + --registry-url='{{ default_execution_environment_pull_credentials_url }}' + --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'" + register: ree + changed_when: "'changed: True' in ree.stdout" + when: _execution_environments_pull_credentials['resources'] | default([]) | length
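Review bot: The two tasks in the `block` handle the decoded registry password without `no_log: true`, so the `set_fact` result and the rendered `k8s_exec` command can end up in the operator's Ansible output; add `no_log: true` to both. The command also pastes Secret values into a `bash -c "..."` string between hand-written single quotes, so a quote character in the username, password or URL changes how the shell parses the line. Since no shell feature is used, consider dropping the `bash -c` wrapper and passing each value through the `quote` filter, e.g. `--registry-password={{ default_execution_environment_pull_credentials_pass | quote }}` (this assumes `k8s_exec` splits `command` shell-style, which should be confirmed). Separately, the `set_fact` task that picks between the two secrets is still named `Set admin password secret`; a name such as `Select execution environment pull credentials` would match what it does.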