From d6196810bbc12ccfa9f2897e664e49d6d1bbe257 Mon Sep 17 00:00:00 2001 From: Shane McDonald Date: Sat, 30 May 2020 12:10:38 -0400 Subject: [PATCH 1/2] Get 3.7 booting and running jobs There's still some polishing that needs to happen, but this gets things running --- roles/tower/defaults/main.yml | 4 +-- roles/tower/tasks/main.yml | 16 +++++------ .../{tower_web.yaml.j2 => tower.yaml.j2} | 11 ++++---- roles/tower/templates/tower_config.yaml.j2 | 27 ++----------------- roles/tower/templates/tower_memcached.yaml.j2 | 17 ------------ roles/tower/templates/tower_redis.yaml.j2 | 16 ----------- 6 files changed, 17 insertions(+), 74 deletions(-) rename roles/tower/templates/{tower_web.yaml.j2 => tower.yaml.j2} (96%) delete mode 100644 roles/tower/templates/tower_memcached.yaml.j2 delete mode 100644 roles/tower/templates/tower_redis.yaml.j2 diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 4b1e321c..1c24027d 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -19,7 +19,7 @@ tower_web_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0 tower_create_preload_data: true -tower_task_replicas: "1" +tower_replicas: "1" tower_task_mem_request: 1Gi tower_task_cpu_request: 500m @@ -38,4 +38,4 @@ tower_postgres_storage_class: '' tower_postgres_data_path: '/var/lib/postgresql/data/pgdata' -uwsgi_bash: "bash -c" +uwsgi_bash: "scl enable rh-postgresql10" diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 4c58dfba..25d57ca4 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -4,13 +4,11 @@ definition: "{{ lookup('template', item) | from_yaml_all | list }}" register: k8s_defs_result with_items: - - tower_memcached.yaml.j2 - tower_postgres.yaml.j2 - tower_config.yaml.j2 - - tower_redis.yaml.j2 - launch_awx.yaml.j2 - supervisor.yaml.j2 - - tower_web.yaml.j2 + - tower.yaml.j2 - name: Get the Tower pod information. k8s_info: 
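Review bot: `uwsgi_bash: "scl enable rh-postgresql10"` now holds a bare `scl enable` prefix with no command after it, while the variable name still describes the old `bash -c` value and nothing in this hunk says how the command gets appended; the template that consumes it is outside this diff. A comment would save the next reader a search, e.g. `# Command prefix that puts the rh-postgresql10 SCL on PATH; the consuming template appends the command to run.` Renaming it to something `tower_`-prefixed like the other defaults in this file would also help, but that is a cross-template change.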
@@ -53,16 +51,16 @@ - include_tasks: initialize.yml -- name: Scale the tower_task deployment to 0 replicas after migration. +- name: Scale the tower deployment to 0 replicas after migration. k8s: - definition: "{{ lookup('template', 'tower_task.yaml.j2') | from_yaml_all | list }}" + definition: "{{ lookup('template', 'tower.yaml.j2') | from_yaml_all | list }}" vars: - tower_task_replicas: "0" + tower_replicas: "0" when: migrate_result and migrate_result.changed -- name: Scale the tower_task deployment back to 1 replica after migration. +- name: Scale the tower deployment back to 1 replica after migration. k8s: - definition: "{{ lookup('template', 'tower_task.yaml.j2') | from_yaml_all | list }}" + definition: "{{ lookup('template', 'tower.yaml.j2') | from_yaml_all | list }}" vars: - tower_task_replicas: "1" + tower_replicas: "1" when: migrate_result and migrate_result.changed diff --git a/roles/tower/templates/tower_web.yaml.j2 b/roles/tower/templates/tower.yaml.j2 similarity index 96% rename from roles/tower/templates/tower_web.yaml.j2 rename to roles/tower/templates/tower.yaml.j2 index 670824aa..00906fb5 100644 --- a/roles/tower/templates/tower_web.yaml.j2 +++ b/roles/tower/templates/tower.yaml.j2 @@ -14,12 +14,12 @@ data: apiVersion: apps/v1 kind: Deployment metadata: - name: '{{ meta.name }}-tower-web' + name: '{{ meta.name }}' namespace: '{{ meta.namespace }}' labels: app: tower spec: - replicas: 1 + replicas: {{ tower_replicas }} selector: matchLabels: app: tower 
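Review bot: The scale-to-0 task returns as soon as the API server accepts the new replica count, so the following scale-to-1 task can run before the old pod has actually terminated and the restart this pair is meant to force may not happen; the `k8s` module only blocks when asked, so add `wait: yes` and a `wait_timeout` to the scale-down task. Both tasks also re-apply every document rendered from tower.yaml.j2 — the Secret as well as the Deployment, as the later hunks of this series show — not only the replica field, which deserves a comment above the first task: `# Re-applies the whole tower.yaml.j2 (Secret + Deployment) with tower_replicas overridden.`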
@@ -44,17 +44,18 @@ spec: mountPath: "/var/run/memcached" - image: '{{ tower_redis_image }}' name: redis + args: ["redis-server", "/etc/redis.conf"] ports: - containerPort: 6379 volumeMounts: - name: {{ meta.name }}-redis-config - mountPath: "/usr/local/etc/redis/redis.conf" + mountPath: "/etc/redis.conf" subPath: redis.conf readOnly: true - name: {{ meta.name }}-redis-socket mountPath: "/var/run/redis" - image: '{{ tower_web_image }}' - name: tower + name: '{{ meta.name }}-web' ports: - containerPort: 8052 volumeMounts: @@ -91,7 +92,7 @@ spec: memory: '{{ tower_web_mem_request }}' cpu: '{{ tower_web_cpu_request }}' - image: '{{ tower_task_image }}' - name: tower-task + name: '{{ meta.name }}-task' {% if tower_task_privileged == true %} securityContext: privileged: true diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index 0c82a910..17e0d281 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -100,32 +100,9 @@ data: if os.getenv("DATABASE_SSLMODE", False): DATABASES['default']['OPTIONS'] = {'sslmode': os.getenv("DATABASE_SSLMODE")} - CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'LOCATION': '{}:{}'.format("{{ meta.name }}-memcached.{{ meta.namespace }}.svc.cluster.local", "11211") - }, - 'ephemeral': { - 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', - }, - } - - BROKER_URL = 'redis://{}:{}/'.format( - '{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local', - '6379') - - CHANNEL_LAYERS = { - "default": { - "BACKEND": "channels_redis.core.RedisChannelLayer", - "CONFIG": { - "hosts": [BROKER_URL], - "capacity": 10000, - "group_expiry": 157784760, # 5 years - } - } - } - USE_X_FORWARDED_PORT = True + BROADCAST_WEBSOCKET_PORT = 8052 + BROADCAST_WEBSOCKET_PROTOCOL = 'http' nginx_conf: | worker_processes 1; 
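Review bot: The redis container still declares `containerPort: 6379` even though its Service is deleted in this commit and the pod now shares the `/var/run/redis` socket directory between containers, so if the mounted `/etc/redis.conf` (not visible here) leaves the TCP listener enabled, an unauthenticated Redis stays reachable on the pod IP from anywhere in the cluster. If the intent is socket-only, set `port 0` and `unixsocket /var/run/redis/redis.sock` in redis.conf and drop the `ports:` entry; otherwise add `requirepass` and a NetworkPolicy. Either way, a comment above the container stating which mode is intended would stop the next reader from guessing.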
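Review bot: `BROADCAST_WEBSOCKET_PROTOCOL = 'http'` makes the web pods' broadcast backplane cross the pod network in plaintext, and nothing here records that this is deliberate; once `tower_replicas` exceeds 1, whatever the web pods relay to each other is readable by anyone positioned on that network, with only the shared secret added in the second patch providing authentication. Either document it above these two lines, e.g. `# Broadcast websocket runs pod-to-pod over plain HTTP on the nginx port; authenticated by BROADCAST_WEBSOCKET_SECRET, not encrypted — relies on a trusted pod network`, or terminate TLS on 8052 and switch to 'https'. The settings module this hunk edits continues outside the hunk.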
diff --git a/roles/tower/templates/tower_memcached.yaml.j2 b/roles/tower/templates/tower_memcached.yaml.j2
deleted file mode 100644
index f442b5d5..00000000
--- a/roles/tower/templates/tower_memcached.yaml.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# Memcached Service.
----
-apiVersion: v1
-kind: Service
-metadata:
- name: '{{ meta.name }}-memcached'
- namespace: '{{ meta.namespace }}'
- labels:
- app: tower-memcached
-spec:
- clusterIP: None
- ports:
- - port: 11211
- protocol: TCP
- targetPort: 11211
- selector:
- app: tower-memcached
diff --git a/roles/tower/templates/tower_redis.yaml.j2 b/roles/tower/templates/tower_redis.yaml.j2
deleted file mode 100644
index 1ad047e6..00000000
--- a/roles/tower/templates/tower_redis.yaml.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-# Redis Service.
----
-apiVersion: v1
-kind: Service
-metadata:
- name: '{{ meta.name }}-redis'
- namespace: '{{ meta.namespace }}'
- labels:
- app: tower-redis
-spec:
- ports:
- - port: 6379
- protocol: TCP
- targetPort: 6379
- selector:
- app: tower-redis
From 0bb31f20153e83441f205b322591ac649db58c4e Mon Sep 17 00:00:00 2001
From: Shane McDonald
Date: Sat, 30 May 2020 13:47:11 -0400
Subject: [PATCH 2/2] Move sensitive info out of environment, get websocket backplane working
---
deploy/crds/tower_v1alpha1_tower_cr_awx.yaml | 1 +
.../crds/tower_v1alpha1_tower_cr_tower.yaml | 1 +
roles/tower/defaults/main.yml | 4 ++
roles/tower/tasks/main.yml | 1 +
roles/tower/templates/credentials.py.j2 | 16 ++++++
roles/tower/templates/environment.sh.j2 | 5 ++
roles/tower/templates/tower.yaml.j2 | 57 ++++++++++++-------
7 files changed, 63 insertions(+), 22 deletions(-)
create mode 100644 roles/tower/templates/credentials.py.j2
create mode 100644 roles/tower/templates/environment.sh.j2
diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
index 9c21484e..6dd1a986 100644
--- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
@@ -10,6 +10,7 @@ spec: tower_hostname: example-tower.test tower_secret_key: aabbcc + tower_broadcast_websocket_secret: changeme tower_admin_user: test tower_admin_email: test@example.com diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml index 9149854f..7ebcd12e 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml @@ -10,6 +10,7 @@ spec: tower_hostname: example-tower.test tower_secret_key: aabbcc + tower_broadcast_websocket_secret: changeme tower_admin_user: test tower_admin_email: test@example.com diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 1c24027d..96bbf74d 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -39,3 +39,7 @@ tower_postgres_storage_class: '' tower_postgres_data_path: '/var/lib/postgresql/data/pgdata' uwsgi_bash: "scl enable rh-postgresql10" + +tower_postgres_port: 5432 + +ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt" diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 25d57ca4..01fe71bb 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Ensure configured Tower resources exist in the cluster. k8s: + apply: yes definition: "{{ lookup('template', item) | from_yaml_all | list }}" register: k8s_defs_result with_items: diff --git a/roles/tower/templates/credentials.py.j2 b/roles/tower/templates/credentials.py.j2 new file mode 100644 index 00000000..abb074d0 --- /dev/null +++ b/roles/tower/templates/credentials.py.j2 
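Review bot: `tower_broadcast_websocket_secret: changeme` is the shared secret that authenticates one web pod to another, and shipping a guessable placeholder next to `tower_secret_key: aabbcc` invites copy-paste deployments with both secrets known; the defaults hunk in this same patch adds no fallback for it, so a CR that omits the field presumably fails at template render time with an undefined variable rather than receiving a generated value. Mark it in the sample, e.g. `# REQUIRED: replace with a random value (openssl rand -base64 32); shared by all web pods`, and consider having the operator generate and persist a random secret when the CR leaves it unset.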
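Review bot: `apply: yes` uses a YAML 1.1 truthy spelling where the role's defaults write real booleans (`tower_create_preload_data: true`), and yamllint's `truthy` rule flags it; write `apply: true`. Only this task gains `apply`, while the two scale tasks later in the file still call `k8s` on the same rendered Deployment without it, so one object is managed with two update strategies — if that is deliberate, a one-line comment on this task saying why would help.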
@@ -0,0 +1,16 @@
+DATABASES = {
+ 'default': {
+ 'ATOMIC_REQUESTS': True,
+ 'ENGINE': 'awx.main.db.profiled_pg',
+ 'NAME': "awx",
+ 'USER': "awx",
+ 'PASSWORD': "{{ tower_postgres_pass }}",
+ 'HOST': '{{ meta.name }}-postgres',
+ 'PORT': "{{ tower_postgres_port }}",
+ 'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}',
+ 'sslrootcert': '{{ ca_trust_bundle }}',
+ },
+ }
+}
+
+BROADCAST_WEBSOCKET_SECRET = "{{ tower_broadcast_websocket_secret | b64encode }}"
diff --git a/roles/tower/templates/environment.sh.j2 b/roles/tower/templates/environment.sh.j2
new file mode 100644
index 00000000..420c99bd
--- /dev/null
+++ b/roles/tower/templates/environment.sh.j2
@@ -0,0 +1,5 @@
+DATABASE_USER=awx
+DATABASE_NAME=awx
+DATABASE_HOST={{ meta.name }}-postgres
+DATABASE_PORT={{ tower_postgres_port }}
+DATABASE_PASSWORD={{ tower_postgres_pass }}
diff --git a/roles/tower/templates/tower.yaml.j2 b/roles/tower/templates/tower.yaml.j2
index 00906fb5..e1724c02 100644
--- a/roles/tower/templates/tower.yaml.j2
+++ b/roles/tower/templates/tower.yaml.j2
@@ -3,11 +3,12 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: '{{ meta.name }}-tower-secret'
+ name: '{{ meta.name }}-secrets'
 namespace: '{{ meta.namespace }}'
 data:
 secret_key: '{{ tower_secret_key | b64encode }}'
- admin_password: '{{ tower_admin_password | b64encode }}'
+ credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+ environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
 # Tower Deployment.
 ---
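Review bot: `'sslmode': '{{ pg_sslmode|default("prefer") }}'` next to `sslrootcert` gives a false sense of verification: `prefer` neither checks the server certificate nor refuses a plaintext fallback, so the CA bundle is only consulted once someone sets `verify-ca` or `verify-full`. Promote the variable to defaults/main.yml beside `ca_trust_bundle` with a comment, e.g. `pg_sslmode: prefer  # use verify-full for an external PostgreSQL; prefer silently falls back to plaintext and does not verify the cert`. Separately, `'PASSWORD': "{{ tower_postgres_pass }}"` substitutes the password raw into a Python string literal, so a password containing `"` or `\` breaks the settings import; `'PASSWORD': {{ tower_postgres_pass | to_json }},` renders a correctly escaped literal.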
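Review bot: `DATABASE_PASSWORD={{ tower_postgres_pass }}` is substituted unquoted into what its name suggests is a file sourced by the launch scripts (not visible here), so a password containing spaces, `$`, `;` or quotes is mangled or executed as shell. Quote it as a single-quoted literal with embedded quotes escaped: `DATABASE_PASSWORD='{{ tower_postgres_pass | replace("'", "'\\''") }}'`. The same password is also rendered into credentials.py in this patch, so the two copies must agree; a header comment naming the other consumer would make that dependency visible.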
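Review bot: `admin_password` is removed from the Secret with no replacement anywhere in this diff; whatever consumed it before (the `initialize.yml` include referenced in tasks/main.yml is a likely candidate, but it is not shown) now either fails or has been moved, and the commit message does not say which. The two new keys embed whole rendered files, so any edit to either template changes the Secret's content and the pods that mount it; worth stating above `data:`: `# credentials_py / environment_sh are full rendered files mounted under /etc/tower/conf.d by the Deployment below.`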
@@ -59,14 +60,13 @@ spec: ports: - containerPort: 8052 volumeMounts: + - name: "{{ meta.name }}-application-credentials" + mountPath: "/etc/tower/conf.d/" + readOnly: true - name: {{ meta.name }}-secret-key mountPath: /etc/tower/SECRET_KEY subPath: SECRET_KEY readOnly: true - - name: {{ meta.name }}-environment - mountPath: /etc/tower/conf.d/environment.sh - subPath: environment.sh - readOnly: true - name: {{ meta.name }}-settings mountPath: /etc/tower/settings.py subPath: settings.py @@ -99,20 +99,14 @@ spec: {% endif %} command: - /usr/bin/launch_awx_task.sh - envFrom: - - configMapRef: - name: '{{ meta.name }}-tower-configmap' - - secretRef: - name: '{{ meta.name }}-tower-secret' volumeMounts: + - name: "{{ meta.name }}-application-credentials" + mountPath: "/etc/tower/conf.d/" + readOnly: true - name: {{ meta.name }}-secret-key mountPath: /etc/tower/SECRET_KEY subPath: SECRET_KEY readOnly: true - - name: {{ meta.name }}-environment - mountPath: /etc/tower/conf.d/environment.sh - subPath: environment.sh - readOnly: true - name: {{ meta.name }}-settings mountPath: /etc/tower/settings.py subPath: settings.py @@ -121,6 +115,10 @@ spec: mountPath: /usr/bin/launch_awx_task.sh subPath: launch_awx_task.sh readOnly: true + - name: {{ meta.name }}-supervisor-web-config + mountPath: "/supervisor.conf" + subPath: supervisor.conf + readOnly: true - name: {{ meta.name }}-supervisor-task-config mountPath: /supervisor_task.conf subPath: supervisor_task.conf 
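Review bot: Mounting the Secret volume at `mountPath: "/etc/tower/conf.d/"` replaces the whole directory, so any file the image ships in `/etc/tower/conf.d` (not visible here) disappears from the web container, whereas the old `subPath: environment.sh` mount only overlaid one file. If the directory is known to be empty in the image, say so in a comment; otherwise mount the two keys individually with `subPath: credentials.py` and `subPath: environment.sh`, as the neighbouring `SECRET_KEY` and `settings.py` mounts already do. The same directory mount is repeated for the task container in the next hunk.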
@@ -129,23 +127,38 @@ spec: mountPath: "/var/run/redis" - name: {{ meta.name }}-memcached-socket mountPath: "/var/run/memcached" + env: + - name: SUPERVISOR_WEB_CONFIG_PATH + value: "/supervisor.conf" + - name: AWX_SKIP_MIGRATIONS + value: "1" + - name: MY_POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP resources: requests: memory: '{{ tower_task_mem_request }}' cpu: '{{ tower_task_cpu_request }}' volumes: + - name: "{{ meta.name }}-application-credentials" + secret: + secretName: "{{ meta.name }}-secrets" + items: + - key: credentials_py + path: 'credentials.py' + - key: environment_sh + path: 'environment.sh' - name: {{ meta.name }}-secret-key secret: - secretName: '{{ meta.name }}-tower-secret' + secretName: '{{ meta.name }}-secrets' items: - key: secret_key path: SECRET_KEY - - name: {{ meta.name }}-environment - configMap: - name: '{{ meta.name }}-tower-configmap' - items: - - key: environment - path: environment.sh - name: {{ meta.name }}-settings configMap: name: '{{ meta.name }}-tower-configmap'
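Review bot: The new `{{ meta.name }}-application-credentials` Secret volume relies on the default file mode, so credentials.py and environment.sh — database password and broadcast secret — are readable by every uid in both containers; add `defaultMode: 0440` on the volume together with a pod-level `securityContext.fsGroup` matching the group the awx processes run as (not shown in this diff). `AWX_SKIP_MIGRATIONS: "1"` on the task container also deserves a comment tying it to the role's migrate step (`migrate_result` in tasks/main.yml), e.g. `# Migrations are run by the role's migrate/initialize tasks, not by the task container on start.`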