Merge pull request #34 from tylerauerbeck/pgsql-openshift

Initial OpenShift functionality
2026-04-05 02:03:11 +00:00 · 2020-05-15 22:12:22 -05:00
parent 9ead6b6830 87258f5882
commit 840fdc2701
9 changed files with 79 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -64,6 +64,33 @@ If you would like to deploy AWX (the open source upstream of Tower) into your cl
      tower_task_image: ansible/awx_task:9.2.0
      tower_web_image: ansible/awx_web:9.2.0

+### Ingress Types
+
+Depending on the cluster that you're running on, you may wish to use an `Ingress` to access your tower or you may wish to use a `Route` to access your tower. To toggle between these two options, you can add the following to your Tower custom resource:
+
+    ---
+    spec:
+      ...
+      tower_ingress_type: Route
+
+By default, this is configured to use `Ingress`.
+
+### Privileged Tasks
+
+Depending on the type of tasks that you'll be running, you may find that you need the tower task pod to run as `privileged`. This can open yourself up to a variety of security concerns, so you should be aware (and verify that you have the privileges) to do this if necessary. In order to toggle this feature, you can add the following to your Tower custom resource:
+
+    ---
+    spec:
+      ...
+      tower_task_privileged: true
+
+If you are attempting to do this on an OpenShift cluster, you will need to grant the `tower` ServiceAccount the `privileged` SCC, which can be done with:
+
+    oc adm policy add-scc-to-user privileged -z tower
+
+Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action.
+
+
 ### Persistent storage for Postgres

 If you need to use a specific storage class for Postgres' storage, specify `tower_postgres_storage_class` in your Tower spec:
--- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
@@ -5,6 +5,9 @@ metadata:
  name: example-tower
  namespace: example-tower
 spec:
+  tower_ingress_type: ingress
+  tower_task_privileged: false
+
  tower_hostname: example-tower.test
  tower_secret_key: aabbcc

--- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
@@ -5,6 +5,9 @@ metadata:
  name: example-tower
  namespace: example-tower
 spec:
+  tower_ingress_type: ingress
+  tower_task_privileged: false
+
  tower_hostname: example-tower.test
  tower_secret_key: aabbcc

--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -5,6 +5,12 @@ metadata:
  creationTimestamp: null
  name: tower-operator
 rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - '*'
  - apiGroups:
      - ""
    resources:
--- a/deploy/tower-operator.yaml
+++ b/deploy/tower-operator.yaml
@@ -5,6 +5,12 @@ metadata:
  creationTimestamp: null
  name: tower-operator
 rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - '*'
  - apiGroups:
      - ""
    resources:
--- a/roles/tower/defaults/main.yml
+++ b/roles/tower/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+tower_task_privileged: false
+tower_ingress_type: ingress
+
 tower_hostname: example-tower.test
 tower_secret_key: aabbcc

@@ -32,3 +35,5 @@ tower_postgres_pass: awxpass
 tower_postgres_image: postgres:10
 tower_postgres_storage_request: 8Gi
 tower_postgres_storage_class: ''
+
+tower_postgres_data_path: '/var/lib/postgresql/data/pgdata'
--- a/roles/tower/templates/tower_postgres.yaml.j2
+++ b/roles/tower/templates/tower_postgres.yaml.j2
@@ -43,13 +43,15 @@ spec:
                secretKeyRef:
                  name: '{{ meta.name }}-postgres-pass'
                  key: password
+            - name: PGDATA
+              value: '{{ tower_postgres_data_path }}'
          ports:
            - containerPort: 3306
              name: postgres
          volumeMounts:
            - name: postgres
-              mountPath: /var/lib/postgresql/data
-              subPath: data
+              mountPath: '{{ tower_postgres_data_path | dirname }}'
+              subPath: '{{ tower_postgres_data_path | dirname | basename }}'
  volumeClaimTemplates:
    - metadata:
        name: postgres
--- a/roles/tower/templates/tower_task.yaml.j2
+++ b/roles/tower/templates/tower_task.yaml.j2
@@ -20,8 +20,10 @@ spec:
      containers:
      - image: '{{ tower_task_image }}'
        name: tower-task
+{% if tower_task_privileged == true %}
        securityContext:
          privileged: true
+{% endif %}
        command:
          - /usr/bin/launch_awx_task.sh
        envFrom:
--- a/roles/tower/templates/tower_web.yaml.j2
+++ b/roles/tower/templates/tower_web.yaml.j2
@@ -94,10 +94,12 @@ spec:
  - port: 80
    protocol: TCP
    targetPort: 8052
+    name: http
  selector:
    app: tower

 # Tower Ingress.
+{% if 'ingress' == tower_ingress_type %}
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
@@ -113,3 +115,24 @@ spec:
        backend:
          serviceName: '{{ meta.name }}-service'
          servicePort: 80
+{% endif %}
+
+{% if 'route' == tower_ingress_type %}
+---
+apiVersion: v1
+kind: Route
+metadata:
+  name: '{{ meta.name }}'
+  namespace: '{{ meta.namespace }}'
+spec:
+  port:
+    targetPort: http
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: edge
+  to:
+    kind: Service
+    name: {{ meta.name }}-service
+    weight: 100
+  wildcardPolicy: None
+{% endif %}