From f642f01de6c3177038c9c0b728bcc4cf28ee6ace Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 12 Nov 2019 12:20:38 -0600 Subject: [PATCH 1/5] Issue #5: Add k8s_exec module from Ansible PR. --- roles/tower/library/k8s_exec.py | 128 ++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 roles/tower/library/k8s_exec.py diff --git a/roles/tower/library/k8s_exec.py b/roles/tower/library/k8s_exec.py new file mode 100644 index 00000000..a1a6dee9 --- /dev/null +++ b/roles/tower/library/k8s_exec.py @@ -0,0 +1,128 @@ +#!/usr/bin/python +# See: https://github.com/ansible/ansible/pull/55029 + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = ''' +module: k8s_exec +short_description: Execute command in Pod +version_added: "2.10" +author: "Tristan de Cacqueray (@tristanC)" +description: + - Use the Kubernetes Python client to execute command on K8s pods. +extends_documentation_fragment: + - k8s_auth_options +requirements: + - "python >= 2.7" + - "openshift == 0.4.3" + - "PyYAML >= 3.11" +options: + proxy: + description: + - The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable. + - Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY). + type: str + namespace: + description: + - The pod namespace name + type: str + required: yes + pod: + description: + - The pod name + type: str + required: yes + command: + description: + - The command to execute + type: str + required: yes +''' + +EXAMPLES = ''' +- name: Execute a command + k8s_exec: + namespace: myproject + pod: zuul-scheduler + command: zuul-scheduler full-reconfigure +''' + +RETURN = ''' +result: + description: + - The command object + returned: success + type: complex + contains: + stdout: + description: The command stdout + type: str + stdout_lines: + description: The command stdout + type: str + stderr: + description: The command stderr + type: str + stderr_lines: + description: The command stderr + type: str +''' + +import copy +import shlex +from ansible.module_utils.k8s.common import KubernetesAnsibleModule +from ansible.module_utils.k8s.common import AUTH_ARG_SPEC + +try: + from kubernetes.client.apis import core_v1_api + from kubernetes.stream import stream +except ImportError: + # ImportError are managed by the common module already. + pass + + +class KubernetesExecCommand(KubernetesAnsibleModule): + @property + def argspec(self): + spec = copy.deepcopy(AUTH_ARG_SPEC) + spec['namespace'] = {'type': 'str'} + spec['pod'] = {'type': 'str'} + spec['command'] = {'type': 'str'} + return spec + + +def main(): + module = KubernetesExecCommand() + # Load kubernetes.client.Configuration + module.get_api_client() + api = core_v1_api.CoreV1Api() + resp = stream( + api.connect_get_namespaced_pod_exec, + module.params["pod"], + module.params["namespace"], + command=shlex.split(module.params["command"]), + stdout=True, + stderr=True, + stdin=False, + tty=False, + _preload_content=False) + stdout, stderr = [], [] + while resp.is_open(): + resp.update(timeout=1) + if resp.peek_stdout(): + stdout.append(resp.read_stdout()) + if resp.peek_stderr(): + stderr.append(resp.read_stderr()) + module.exit_json( + changed=True, stdout="".join(stdout), stderr="".join(stderr)) + + +if __name__ == '__main__': + main() From f24355c66ba641354c71c17f166a25378fbcf7ff Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 12 Nov 2019 17:38:45 -0600 Subject: [PATCH 2/5] Issue #5: More work towards getting k8s_exec module working in Operator. --- README.md | 1 + deploy/crds/tower_v1alpha1_tower_cr.yaml | 1 + deploy/role.yaml | 3 +- roles/tower/defaults/main.yml | 1 + roles/tower/library/k8s_exec.py | 16 +++++-- roles/tower/tasks/main.yml | 55 ++++++++++++++++++++++++ 6 files changed, 72 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2316cf68..f4cbc584 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ So instead of having to maintain a separate playbook, inventory, and installatio tower_secret_key: aabbcc tower_admin_user: test + tower_admin_email: test@example.com tower_admin_password: changeme After a few minutes, your new Tower instance will be accessible at `http://tower.mycompany.com/` (assuming your cluster has an Ingress controller configured). diff --git a/deploy/crds/tower_v1alpha1_tower_cr.yaml b/deploy/crds/tower_v1alpha1_tower_cr.yaml index 5ef2e375..50dcf5ab 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr.yaml @@ -8,6 +8,7 @@ spec: tower_secret_key: aabbcc tower_admin_user: test + tower_admin_email: test@example.com tower_admin_password: changeme # Use these for Ansible Tower. diff --git a/deploy/role.yaml b/deploy/role.yaml index 4a8553f4..73e9eff5 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -46,8 +46,9 @@ rules: - apiGroups: - "" resources: - - pods + - pods/exec verbs: + - create - get - apiGroups: - apps diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index bf139f29..7df25cef 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -3,6 +3,7 @@ tower_hostname: example-tower.test tower_secret_key: aabbcc tower_admin_user: test +tower_admin_email: test@example.com tower_admin_password: changeme # Use these image versions for Ansible Tower. diff --git a/roles/tower/library/k8s_exec.py b/roles/tower/library/k8s_exec.py index a1a6dee9..a7a9efe6 100644 --- a/roles/tower/library/k8s_exec.py +++ b/roles/tower/library/k8s_exec.py @@ -1,6 +1,3 @@ -#!/usr/bin/python -# See: https://github.com/ansible/ansible/pull/55029 - from __future__ import absolute_import, division, print_function __metaclass__ = type @@ -39,6 +36,11 @@ options: - The pod name type: str required: yes + container: + description: + - The name of the container in the pod to connect to. Defaults to only container if there is only one container in the pod. + type: str + required: no command: description: - The command to execute @@ -94,6 +96,7 @@ class KubernetesExecCommand(KubernetesAnsibleModule): spec = copy.deepcopy(AUTH_ARG_SPEC) spec['namespace'] = {'type': 'str'} spec['pod'] = {'type': 'str'} + spec['container'] = {'type': 'str'} spec['command'] = {'type': 'str'} return spec @@ -103,6 +106,11 @@ def main(): # Load kubernetes.client.Configuration module.get_api_client() api = core_v1_api.CoreV1Api() + + # hack because passing the container as None breaks things + optional_kwargs = {} + if module.params.get('container'): + optional_kwargs['container'] = module.params['container'] resp = stream( api.connect_get_namespaced_pod_exec, module.params["pod"], @@ -112,7 +120,7 @@ def main(): stderr=True, stdin=False, tty=False, - _preload_content=False) + _preload_content=False, **optional_kwargs) stdout, stderr = [], [] while resp.is_open(): resp.update(timeout=1) diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 2b3f5e84..9ac065af 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -2,6 +2,7 @@ - name: Ensure configured Tower resources exist in the cluster. k8s: definition: "{{ lookup('template', item) | from_yaml_all | list }}" + register: k8s_defs_result with_items: - tower_memcached.yaml.j2 - tower_postgres.yaml.j2 @@ -9,3 +10,57 @@ - tower_config.yaml.j2 - tower.yaml.j2 - tower_task.yaml.j2 + +- name: Get the Tower web pod information. + # TODO: Change to k8s_info after Ansible 2.9.0 is available in Operator image. + k8s_facts: + kind: Pod + namespace: example-tower + label_selectors: + - app=tower + register: tower_pods + +- name: Set the tower pod name as a variable. + set_fact: + tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] }}" + +- name: Verify tower_pod_name is populated. + assert: + that: tower_pod_name != '' + fail_msg: "Could not find the tower pod's name." + +- name: Migrate the database if the K8s resources were updated. + k8s_exec: + namespace: '{{ meta.namespace }}' + pod: '{{ tower_pod_name }}' + command: awx-manage migrate --noinput + when: k8s_defs_result is changed + +- name: Check if there are any Tower super users defined. + k8s_exec: + namespace: '{{ meta.namespace }}' + pod: '{{ tower_pod_name }}' + command: > + echo 'from django.contrib.auth.models import User; + nsu = User.objects.filter(is_superuser=True).count(); + exit(0 if nsu > 0 else 1)' + | awx-manage shell + ignore_errors: yes + register: users_result + changed_when: users_result.rc > 0 + +- name: Create Tower super user via Django if it doesn't exist. + k8s_exec: + namespace: '{{ meta.namespace }}' + pod: '{{ tower_pod_name }}' + command: > + echo "from django.contrib.auth.models import User; + User.objects.create_superuser('{{ tower_admin_user }}', '{{ tower_admin_email }}', '{{ tower_admin_password }}')" + | awx-manage shell + when: users_result.rc > 0 + +# - name: Create the default organization if configured. +# k8s_exec: +# namespace: TODO +# pod: TODO +# command: TODO From 215483c68de8dc37deea1336bd90e42adaa84e2a Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Fri, 15 Nov 2019 13:40:10 -0600 Subject: [PATCH 3/5] Issue #5: Split CustomResource into one for AWX, one for Tower. --- ....yaml => tower_v1alpha1_tower_cr_awx.yaml} | 9 ++------ .../crds/tower_v1alpha1_tower_cr_tower.yaml | 23 +++++++++++++++++++ molecule/test-local/playbook.yml | 2 +- molecule/test-minikube/playbook.yml | 2 +- 4 files changed, 27 insertions(+), 9 deletions(-) rename deploy/crds/{tower_v1alpha1_tower_cr.yaml => tower_v1alpha1_tower_cr_awx.yaml} (59%) create mode 100644 deploy/crds/tower_v1alpha1_tower_cr_tower.yaml diff --git a/deploy/crds/tower_v1alpha1_tower_cr.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml similarity index 59% rename from deploy/crds/tower_v1alpha1_tower_cr.yaml rename to deploy/crds/tower_v1alpha1_tower_cr_awx.yaml index 50dcf5ab..e09e3a52 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml @@ -11,13 +11,8 @@ spec: tower_admin_email: test@example.com tower_admin_password: changeme - # Use these for Ansible Tower. - tower_task_image: registry.access.redhat.com/ansible-tower-35/ansible-tower:3.5.3 - tower_web_image: registry.access.redhat.com/ansible-tower-35/ansible-tower:3.5.3 - - # Use these for Ansible AWX. - # tower_task_image: ansible/awx_task:9.0.1 - # tower_web_image: ansible/awx_web:9.0.1 + tower_task_image: ansible/awx_task:9.0.1 + tower_web_image: ansible/awx_web:9.0.1 tower_memcached_image: memcached:alpine diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml new file mode 100644 index 00000000..3320a073 --- /dev/null +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml @@ -0,0 +1,23 @@ +apiVersion: tower.ansible.com/v1alpha1 +kind: Tower +metadata: + name: example-tower + namespace: example-tower +spec: + tower_hostname: example-tower.test + tower_secret_key: aabbcc + + tower_admin_user: test + tower_admin_email: test@example.com + tower_admin_password: changeme + + tower_task_image: registry.access.redhat.com/ansible-tower-36/ansible-tower:3.6.0 + tower_web_image: registry.access.redhat.com/ansible-tower-36/ansible-tower:3.6.0 + + tower_memcached_image: memcached:alpine + + tower_rabbitmq_image: rabbitmq:3 + + tower_postgres_pass: awxpass + tower_postgres_image: postgres:9.6 + tower_postgres_storage_request: 8Gi diff --git a/molecule/test-local/playbook.yml b/molecule/test-local/playbook.yml index 51367183..bd13d1d9 100644 --- a/molecule/test-local/playbook.yml +++ b/molecule/test-local/playbook.yml @@ -26,7 +26,7 @@ deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy" pull_policy: Never operator_image: tower.ansible.com/tower-operator:testing - custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr.yaml'])) | from_yaml }}" + custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_awx.yaml'])) | from_yaml }}" tasks: diff --git a/molecule/test-minikube/playbook.yml b/molecule/test-minikube/playbook.yml index 38b88f55..b648f05c 100644 --- a/molecule/test-minikube/playbook.yml +++ b/molecule/test-minikube/playbook.yml @@ -34,7 +34,7 @@ deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy" pull_policy: Never operator_image: tower.ansible.com/tower-operator:testing - custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr.yaml'])) | from_yaml }}" + custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_awx.yaml'])) | from_yaml }}" tasks: - block: From 598482b309f5ed4647ae811779adf5931b89f694 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Mon, 18 Nov 2019 15:20:26 -0600 Subject: [PATCH 4/5] Issue #5: Allow switching between running open source AWX and Ansible Tower. --- build/Dockerfile | 3 + deploy/crds/tower_v1alpha1_tower_cr_awx.yaml | 2 + .../crds/tower_v1alpha1_tower_cr_tower.yaml | 6 +- molecule/test-minikube/playbook.yml | 2 +- roles/tower/defaults/main.yml | 2 + roles/tower/library/k8s_exec.py | 136 ------------------ roles/tower/tasks/main.yml | 64 +++++---- roles/tower/templates/tower_config.yaml.j2 | 1 + roles/tower/templates/tower_task.yaml.j2 | 2 + 9 files changed, 52 insertions(+), 166 deletions(-) delete mode 100644 roles/tower/library/k8s_exec.py diff --git a/build/Dockerfile b/build/Dockerfile index 84b4b7e1..f4f04453 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,5 +1,8 @@ FROM quay.io/operator-framework/ansible-operator:v0.10.0 +# Install kubectl. +COPY --from=lachlanevenson/k8s-kubectl:v1.16.2 /usr/local/bin/kubectl /usr/local/bin/kubectl + COPY watches.yaml ${HOME}/watches.yaml COPY main.yml ${HOME}/main.yml diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml index e09e3a52..fafd9d43 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml @@ -14,6 +14,8 @@ spec: tower_task_image: ansible/awx_task:9.0.1 tower_web_image: ansible/awx_web:9.0.1 + tower_create_preload_data: true + tower_memcached_image: memcached:alpine tower_rabbitmq_image: rabbitmq:3 diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml index 3320a073..bedb2bbc 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml @@ -11,8 +11,10 @@ spec: tower_admin_email: test@example.com tower_admin_password: changeme - tower_task_image: registry.access.redhat.com/ansible-tower-36/ansible-tower:3.6.0 - tower_web_image: registry.access.redhat.com/ansible-tower-36/ansible-tower:3.6.0 + tower_task_image: quay.io/ansible-tower/ansible-tower:3.6.0 + tower_web_image: quay.io/ansible-tower/ansible-tower:3.6.0 + + tower_create_preload_data: true tower_memcached_image: memcached:alpine diff --git a/molecule/test-minikube/playbook.yml b/molecule/test-minikube/playbook.yml index b648f05c..0d9f0b89 100644 --- a/molecule/test-minikube/playbook.yml +++ b/molecule/test-minikube/playbook.yml @@ -34,7 +34,7 @@ deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy" pull_policy: Never operator_image: tower.ansible.com/tower-operator:testing - custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_awx.yaml'])) | from_yaml }}" + custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_tower.yaml'])) | from_yaml }}" tasks: - block: diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 7df25cef..48e6fd80 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -14,6 +14,8 @@ tower_web_image: registry.access.redhat.com/ansible-tower-35/ansible-tower:3.5.3 # tower_task_image: ansible/awx_task:9.0.1 # tower_web_image: ansible/awx_web:9.0.1 +tower_create_preload_data: true + tower_memcached_image: memcached:alpine tower_rabbitmq_image: rabbitmq:3 diff --git a/roles/tower/library/k8s_exec.py b/roles/tower/library/k8s_exec.py deleted file mode 100644 index a7a9efe6..00000000 --- a/roles/tower/library/k8s_exec.py +++ /dev/null @@ -1,136 +0,0 @@ -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'community'} - -DOCUMENTATION = ''' -module: k8s_exec -short_description: Execute command in Pod -version_added: "2.10" -author: "Tristan de Cacqueray (@tristanC)" -description: - - Use the Kubernetes Python client to execute command on K8s pods. -extends_documentation_fragment: - - k8s_auth_options -requirements: - - "python >= 2.7" - - "openshift == 0.4.3" - - "PyYAML >= 3.11" -options: - proxy: - description: - - The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable. - - Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY). - type: str - namespace: - description: - - The pod namespace name - type: str - required: yes - pod: - description: - - The pod name - type: str - required: yes - container: - description: - - The name of the container in the pod to connect to. Defaults to only container if there is only one container in the pod. - type: str - required: no - command: - description: - - The command to execute - type: str - required: yes -''' - -EXAMPLES = ''' -- name: Execute a command - k8s_exec: - namespace: myproject - pod: zuul-scheduler - command: zuul-scheduler full-reconfigure -''' - -RETURN = ''' -result: - description: - - The command object - returned: success - type: complex - contains: - stdout: - description: The command stdout - type: str - stdout_lines: - description: The command stdout - type: str - stderr: - description: The command stderr - type: str - stderr_lines: - description: The command stderr - type: str -''' - -import copy -import shlex -from ansible.module_utils.k8s.common import KubernetesAnsibleModule -from ansible.module_utils.k8s.common import AUTH_ARG_SPEC - -try: - from kubernetes.client.apis import core_v1_api - from kubernetes.stream import stream -except ImportError: - # ImportError are managed by the common module already. - pass - - -class KubernetesExecCommand(KubernetesAnsibleModule): - @property - def argspec(self): - spec = copy.deepcopy(AUTH_ARG_SPEC) - spec['namespace'] = {'type': 'str'} - spec['pod'] = {'type': 'str'} - spec['container'] = {'type': 'str'} - spec['command'] = {'type': 'str'} - return spec - - -def main(): - module = KubernetesExecCommand() - # Load kubernetes.client.Configuration - module.get_api_client() - api = core_v1_api.CoreV1Api() - - # hack because passing the container as None breaks things - optional_kwargs = {} - if module.params.get('container'): - optional_kwargs['container'] = module.params['container'] - resp = stream( - api.connect_get_namespaced_pod_exec, - module.params["pod"], - module.params["namespace"], - command=shlex.split(module.params["command"]), - stdout=True, - stderr=True, - stdin=False, - tty=False, - _preload_content=False, **optional_kwargs) - stdout, stderr = [], [] - while resp.is_open(): - resp.update(timeout=1) - if resp.peek_stdout(): - stdout.append(resp.read_stdout()) - if resp.peek_stderr(): - stderr.append(resp.read_stderr()) - module.exit_json( - changed=True, stdout="".join(stdout), stderr="".join(stderr)) - - -if __name__ == '__main__': - main() diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 9ac065af..c6d5a2df 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -15,7 +15,7 @@ # TODO: Change to k8s_info after Ansible 2.9.0 is available in Operator image. k8s_facts: kind: Pod - namespace: example-tower + namespace: '{{ meta.namespace }}' label_selectors: - app=tower register: tower_pods @@ -29,38 +29,48 @@ that: tower_pod_name != '' fail_msg: "Could not find the tower pod's name." +- name: Check if database is populated (auth_user table exists). + shell: >- + kubectl exec -n {{ meta.namespace }} {{ tower_pod_name }} -- bash -c + "echo 'from django.db import connection; + tbl = \"auth_user\" in connection.introspection.table_names(); + exit(0 if tbl else 1)' + | awx-manage shell" + ignore_errors: true + changed_when: false + register: database_check + when: k8s_defs_result is not changed + - name: Migrate the database if the K8s resources were updated. - k8s_exec: - namespace: '{{ meta.namespace }}' - pod: '{{ tower_pod_name }}' - command: awx-manage migrate --noinput - when: k8s_defs_result is changed + shell: >- + kubectl exec -n {{ meta.namespace }} {{ tower_pod_name }} -- bash -c + "awx-manage migrate --noinput" + when: (k8s_defs_result is changed) or (database_check is defined and database_check.rc != 0) - name: Check if there are any Tower super users defined. - k8s_exec: - namespace: '{{ meta.namespace }}' - pod: '{{ tower_pod_name }}' - command: > - echo 'from django.contrib.auth.models import User; - nsu = User.objects.filter(is_superuser=True).count(); - exit(0 if nsu > 0 else 1)' - | awx-manage shell - ignore_errors: yes + shell: >- + kubectl exec -n {{ meta.namespace }} {{ tower_pod_name }} -- bash -c + "echo 'from django.contrib.auth.models import User; + nsu = User.objects.filter(is_superuser=True).count(); + exit(0 if nsu > 0 else 1)' + | awx-manage shell" + ignore_errors: true + changed_when: false register: users_result changed_when: users_result.rc > 0 - name: Create Tower super user via Django if it doesn't exist. - k8s_exec: - namespace: '{{ meta.namespace }}' - pod: '{{ tower_pod_name }}' - command: > - echo "from django.contrib.auth.models import User; - User.objects.create_superuser('{{ tower_admin_user }}', '{{ tower_admin_email }}', '{{ tower_admin_password }}')" - | awx-manage shell + shell: >- + kubectl exec -n {{ meta.namespace }} {{ tower_pod_name }} -- bash -c + "echo \"from django.contrib.auth.models import User; + User.objects.create_superuser('{{ tower_admin_user }}', '{{ tower_admin_email }}', '{{ tower_admin_password }}')\" + | awx-manage shell" when: users_result.rc > 0 -# - name: Create the default organization if configured. -# k8s_exec: -# namespace: TODO -# pod: TODO -# command: TODO +- name: Create Tower super user via Django if it doesn't exist. + shell: >- + kubectl exec -n {{ meta.namespace }} {{ tower_pod_name }} -- bash -c + "awx-manage create_preload_data" + register: cdo + changed_when: "'added' in cdo.stdout" + when: tower_create_preload_data | bool diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index 650e2404..ee883ba1 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -18,6 +18,7 @@ data: MEMCACHED_PORT='11211' RABBITMQ_HOST='{{ meta.name }}-rabbitmq.{{ meta.namespace }}.svc.cluster.local' RABBITMQ_PORT='5672' + AWX_SKIP_MIGRATIONS=true settings: | import os diff --git a/roles/tower/templates/tower_task.yaml.j2 b/roles/tower/templates/tower_task.yaml.j2 index a9d3e51d..7f8dc34d 100644 --- a/roles/tower/templates/tower_task.yaml.j2 +++ b/roles/tower/templates/tower_task.yaml.j2 @@ -20,6 +20,8 @@ spec: containers: - image: '{{ tower_task_image }}' name: tower-task + command: + - /usr/bin/launch_awx_task.sh envFrom: - configMapRef: name: '{{ meta.name }}-tower-configmap' From 4712c6aee4120cd8cb03a2c2b3776b65483558d8 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Mon, 18 Nov 2019 16:27:36 -0600 Subject: [PATCH 5/5] Issue #5: Add privileged context to task container - at least for now. --- molecule/test-local/playbook.yml | 4 ++-- molecule/test-minikube/playbook.yml | 4 ++-- roles/tower/templates/tower_task.yaml.j2 | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/molecule/test-local/playbook.yml b/molecule/test-local/playbook.yml index bd13d1d9..ebfdf32d 100644 --- a/molecule/test-local/playbook.yml +++ b/molecule/test-local/playbook.yml @@ -72,7 +72,7 @@ namespace: '{{ custom_resource.metadata.namespace }}' definition: '{{ custom_resource }}' - - name: Wait 5m for reconciliation to run + - name: Wait 15m for reconciliation to run k8s_info: api_version: '{{ custom_resource.apiVersion }}' kind: '{{ custom_resource.kind }}' @@ -82,7 +82,7 @@ until: - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))" delay: 6 - retries: 50 + retries: 150 rescue: diff --git a/molecule/test-minikube/playbook.yml b/molecule/test-minikube/playbook.yml index 0d9f0b89..ae6a37c0 100644 --- a/molecule/test-minikube/playbook.yml +++ b/molecule/test-minikube/playbook.yml @@ -78,7 +78,7 @@ namespace: '{{ custom_resource.metadata.namespace }}' definition: '{{ custom_resource }}' - - name: Wait 5m for reconciliation to run + - name: Wait 15m for reconciliation to run k8s_info: api_version: '{{ custom_resource.apiVersion }}' kind: '{{ custom_resource.kind }}' @@ -88,7 +88,7 @@ until: - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))" delay: 6 - retries: 50 + retries: 150 rescue: diff --git a/roles/tower/templates/tower_task.yaml.j2 b/roles/tower/templates/tower_task.yaml.j2 index 7f8dc34d..6e3c3852 100644 --- a/roles/tower/templates/tower_task.yaml.j2 +++ b/roles/tower/templates/tower_task.yaml.j2 @@ -20,6 +20,8 @@ spec: containers: - image: '{{ tower_task_image }}' name: tower-task + securityContext: + privileged: true command: - /usr/bin/launch_awx_task.sh envFrom: