From 40726a804a1411e9258ce8071b1f1740d18fcae5 Mon Sep 17 00:00:00 2001 From: Tyler Auerbeck Date: Thu, 12 Mar 2020 00:19:58 -0400 Subject: [PATCH 1/5] Update templates to use new variable to allow postgres to run on OCP --- roles/tower/defaults/main.yml | 2 ++ roles/tower/templates/tower_postgres.yaml.j2 | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 6ca7320a..e804e89d 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -32,3 +32,5 @@ tower_postgres_pass: awxpass tower_postgres_image: postgres:10 tower_postgres_storage_request: 8Gi tower_postgres_storage_class: '' + +tower_postgres_data_path: '/var/lib/postgresql/data/pgdata' diff --git a/roles/tower/templates/tower_postgres.yaml.j2 b/roles/tower/templates/tower_postgres.yaml.j2 index 6986e4df..acb0dcdc 100644 --- a/roles/tower/templates/tower_postgres.yaml.j2 +++ b/roles/tower/templates/tower_postgres.yaml.j2 @@ -43,13 +43,15 @@ spec: secretKeyRef: name: '{{ meta.name }}-postgres-pass' key: password + - name: PGDATA + value: '{{ tower_postgres_data_path }}' ports: - containerPort: 3306 name: postgres volumeMounts: - name: postgres - mountPath: /var/lib/postgresql/data - subPath: data + mountPath: '{{ tower_postgres_data_path | dirname }}' + subPath: '{{ tower_postgres_data_path | dirname | basename }}' volumeClaimTemplates: - metadata: name: postgres From 688a16ea662f34ad8ebb9f0359ae67d3105d6159 Mon Sep 17 00:00:00 2001 From: Tyler Auerbeck Date: Sun, 15 Mar 2020 16:56:12 -0400 Subject: [PATCH 2/5] tower_web.yaml: Don't apply ingress if host var is blank --- roles/tower/templates/tower_web.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/tower/templates/tower_web.yaml.j2 b/roles/tower/templates/tower_web.yaml.j2 index 7813d07d..a423336f 100644 --- a/roles/tower/templates/tower_web.yaml.j2 +++ b/roles/tower/templates/tower_web.yaml.j2 
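Review bot: The new `mountPath`/`subPath` lines in `tower_postgres.yaml.j2` derive the mount from the parent of `tower_postgres_data_path`, so an override with a single path component (e.g. `/pgdata`) renders `mountPath: '/'` and `subPath: ''`, which would put the PVC over the container root instead of under it. The default works (`/var/lib/postgresql/data` and `data`), but the constraint that the value must be at least two components deep, with PGDATA deliberately one level below the mount, is not recorded anywhere; a comment on the new default in `roles/tower/defaults/main.yml` would do: `# PGDATA; its parent directory becomes the volume mountPath, so keep at least two path components`. Separately, the unchanged `containerPort: 3306` directly below the new `PGDATA` env is MySQL's port rather than PostgreSQL's 5432 — presumably cosmetic since nothing visible here binds to it, but worth correcting while this block is being touched.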
@@ -98,6 +98,7 @@ spec: app: tower # Tower Ingress. +{% if tower_hostname != '' %} --- apiVersion: extensions/v1beta1 kind: Ingress @@ -113,3 +114,4 @@ spec: backend: serviceName: '{{ meta.name }}-service' servicePort: 80 +{% endif %} From 47a6a519d2018e9703d290f07c092314b2f8c47f Mon Sep 17 00:00:00 2001 From: Tyler Auerbeck Date: Mon, 23 Mar 2020 00:59:11 -0400 Subject: [PATCH 3/5] Add var for ingress type; Add var to enable/disable bubblewrap --- deploy/role.yaml | 8 ++++++++ deploy/tower-operator.yaml | 6 ++++++ roles/tower/defaults/main.yml | 3 +++ roles/tower/templates/tower_config.yaml.j2 | 4 ++++ roles/tower/templates/tower_task.yaml.j2 | 2 ++ roles/tower/templates/tower_web.yaml.j2 | 23 +++++++++++++++++++++- 6 files changed, 45 insertions(+), 1 deletion(-) diff --git a/deploy/role.yaml b/deploy/role.yaml index 7aadfa5b..7438d6d3 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -5,6 +5,14 @@ metadata: creationTimestamp: null name: tower-operator rules: + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - '*' + - apiGroups: + - "" - apiGroups: - "" resources: diff --git a/deploy/tower-operator.yaml b/deploy/tower-operator.yaml index a11677cb..4275e305 100644 --- a/deploy/tower-operator.yaml +++ b/deploy/tower-operator.yaml @@ -5,6 +5,12 @@ metadata: creationTimestamp: null name: tower-operator rules: + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - '*' - apiGroups: - "" resources: diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index e804e89d..667b74e1 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -1,4 +1,7 @@ --- +tower_multitenant: false +tower_ingress_type: ingress + tower_hostname: example-tower.test tower_secret_key: aabbcc diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index ee883ba1..ad88a4b4 100644 --- a/roles/tower/templates/tower_config.yaml.j2 
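Review bot: The new `routes` rule added to both `deploy/role.yaml` and `deploy/tower-operator.yaml` grants `verbs: ['*']`, which is broader than a reconcile loop needs and includes `deletecollection` over every Route the role can reach. The pre-existing core-group rules below the hunk are not visible here, so the wildcard may just be matching their style, but it is still the line an auditor will stop on; listing the verbs actually used keeps the grant reviewable, e.g. `verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']`. Whatever verb list is chosen should be applied identically in both files, since they are the same ClusterRole shipped twice.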
+++ b/roles/tower/templates/tower_config.yaml.j2 @@ -40,7 +40,11 @@ data: INTERNAL_API_URL = 'http://127.0.0.1:8052' # Container environments don't like chroots +{% if tower_multitenant == true %} + AWX_PROOT_ENABLED = True +{% else %} AWX_PROOT_ENABLED = False +{% endif %} # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True diff --git a/roles/tower/templates/tower_task.yaml.j2 b/roles/tower/templates/tower_task.yaml.j2 index f39192bd..ae841aae 100644 --- a/roles/tower/templates/tower_task.yaml.j2 +++ b/roles/tower/templates/tower_task.yaml.j2 @@ -20,8 +20,10 @@ spec: containers: - image: '{{ tower_task_image }}' name: tower-task +{% if tower_multitenant == true %} securityContext: privileged: true +{% endif %} command: - /usr/bin/launch_awx_task.sh envFrom: diff --git a/roles/tower/templates/tower_web.yaml.j2 b/roles/tower/templates/tower_web.yaml.j2 index a423336f..9105f38f 100644 --- a/roles/tower/templates/tower_web.yaml.j2 +++ b/roles/tower/templates/tower_web.yaml.j2 @@ -94,11 +94,12 @@ spec: - port: 80 protocol: TCP targetPort: 8052 + name: http selector: app: tower # Tower Ingress. -{% if tower_hostname != '' %} +{% if 'ingress' == tower_ingress_type %} --- apiVersion: extensions/v1beta1 kind: Ingress @@ -115,3 +116,23 @@ spec: serviceName: '{{ meta.name }}-service' servicePort: 80 {% endif %} + +{% if 'route' == tower_ingress_type %} +--- +apiVersion: v1 +kind: Route +metadata: + name: '{{ meta.name }}' + namespace: '{{ meta.namespace }}' +spec: + port: + targetPort: http + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: {{ meta.name }}-service + weight: 100 + wildcardPolicy: None +{% endif %} From 25b970bd705b23452e29fff2eb09822c39f1fac4 Mon Sep 17 00:00:00 2001 From: Tyler Auerbeck Date: Mon, 23 Mar 2020 01:16:36 -0400 Subject: [PATCH 4/5] Cleanup role.yaml --- deploy/role.yaml | 2 -- 1 file changed, 2 deletions(-) 
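Review bot: Replacing `{% if tower_hostname != '' %}` with `{% if 'ingress' == tower_ingress_type %}` in the first `tower_web.yaml.j2` hunk drops the blank-hostname guard that PATCH 2 of this series introduced, so with the default `tower_ingress_type: ingress` and an empty `tower_hostname` the Ingress is rendered again with an empty `host:`, which Kubernetes treats as a rule matching all inbound hosts. Keep both conditions: `{% if tower_ingress_type == 'ingress' and tower_hostname | default('') != '' %}`. The Ingress `spec` body continues outside this hunk.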
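Review bot: The Route block in the second `tower_web.yaml.j2` hunk is gated on `'route' == tower_ingress_type`, a case-sensitive Jinja comparison, while the README added in PATCH 5 tells users to set `tower_ingress_type: Route`; a user following the docs gets neither an Ingress nor a Route, with no error. Normalise before comparing, `{% if tower_ingress_type | lower == 'route' %}` (and likewise for the `ingress` branch), or make the README example lowercase. Two smaller points in the same block: `apiVersion: v1` is the legacy Route API, whereas the RBAC rule added in this commit targets `route.openshift.io`, so `apiVersion: route.openshift.io/v1` is the form that matches the grant; and `name: {{ meta.name }}-service` is left unquoted unlike the other template expressions in this file (`name: '{{ meta.name }}'`), so quote it for consistency. The edge TLS settings with `insecureEdgeTerminationPolicy: Redirect` are the right default for this resource.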
diff --git a/deploy/role.yaml b/deploy/role.yaml index 7438d6d3..8f5eebde 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -11,8 +11,6 @@ rules: - routes verbs: - '*' - - apiGroups: - - "" - apiGroups: - "" resources: From 87258f58825ebb6f8bfac51e1159dc64981d711d Mon Sep 17 00:00:00 2001 From: Tyler Auerbeck Date: Mon, 20 Apr 2020 12:13:14 -0400 Subject: [PATCH 5/5] Scale back AWX_PROOT_ENABLED changes; Add tower_ingress_type and tower_task_privileged to README --- README.md | 27 +++++++++++++++++++ deploy/crds/tower_v1alpha1_tower_cr_awx.yaml | 3 +++ .../crds/tower_v1alpha1_tower_cr_tower.yaml | 3 +++ roles/tower/defaults/main.yml | 2 +- roles/tower/templates/tower_config.yaml.j2 | 4 --- roles/tower/templates/tower_task.yaml.j2 | 2 +- 6 files changed, 35 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c808637e..4cf9f5e0 100644 --- a/README.md +++ b/README.md 
@@ -64,6 +64,33 @@ If you would like to deploy AWX (the open source upstream of Tower) into your cl tower_task_image: ansible/awx_task:9.2.0 tower_web_image: ansible/awx_web:9.2.0 +### Ingress Types + +Depending on the cluster that you're running on, you may wish to use an `Ingress` to access your tower or you may wish to use a `Route` to access your tower. To toggle between these two options, you can add the following to your Tower custom resource: + + --- + spec: + ... + tower_ingress_type: Route + +By default, this is configured to use `Ingress`. + +### Privileged Tasks + +Depending on the type of tasks that you'll be running, you may find that you need the tower task pod to run as `privileged`. This can open yourself up to a variety of security concerns, so you should be aware (and verify that you have the privileges) to do this if necessary. In order to toggle this feature, you can add the following to your Tower custom resource: + + --- + spec: + ... + tower_task_privileged: true + +If you are attempting to do this on an OpenShift cluster, you will need to grant the `tower` ServiceAccount the `privileged` SCC, which can be done with: + + oc adm policy add-scc-to-user privileged -z tower + +Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action. + + ### Persistent storage for Postgres If you need to use a specific storage class for Postgres' storage, specify `tower_postgres_storage_class` in your Tower spec: diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml index 1f35fb52..68e5c3f7 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml @@ -5,6 +5,9 @@ metadata: name: example-tower namespace: example-tower spec: + tower_ingress_type: ingress + tower_task_privileged: false + tower_hostname: example-tower.test tower_secret_key: aabbcc 
diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml index 8d8ed527..95004099 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml @@ -5,6 +5,9 @@ metadata: name: example-tower namespace: example-tower spec: + tower_ingress_type: ingress + tower_task_privileged: false + tower_hostname: example-tower.test tower_secret_key: aabbcc diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 667b74e1..0a45958d 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -1,5 +1,5 @@ --- -tower_multitenant: false +tower_task_privileged: false tower_ingress_type: ingress tower_hostname: example-tower.test diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index ad88a4b4..ee883ba1 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -40,11 +40,7 @@ data: INTERNAL_API_URL = 'http://127.0.0.1:8052' # Container environments don't like chroots -{% if tower_multitenant == true %} - AWX_PROOT_ENABLED = True -{% else %} AWX_PROOT_ENABLED = False -{% endif %} # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True diff --git a/roles/tower/templates/tower_task.yaml.j2 b/roles/tower/templates/tower_task.yaml.j2 index ae841aae..09685778 100644 --- a/roles/tower/templates/tower_task.yaml.j2 +++ b/roles/tower/templates/tower_task.yaml.j2 @@ -20,7 +20,7 @@ spec: containers: - image: '{{ tower_task_image }}' name: tower-task -{% if tower_multitenant == true %} +{% if tower_task_privileged == true %} securityContext: privileged: true {% endif %}
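Review bot: `{% if tower_task_privileged == true %}` in `tower_task.yaml.j2` only matches a genuine boolean; a CR that sets the value as a string (`tower_task_privileged: "true"`) silently renders an unprivileged pod while the user believes the toggle is on, so use `{% if tower_task_privileged | bool %}` to accept both forms. Worth stating explicitly in the README as well: after this patch the toggle only adds `privileged: true` to the task container, and `AWX_PROOT_ENABLED` is pinned back to `False` in the same hunk series, so enabling it grants the task pod host-level access without restoring any per-job isolation. Before exposing full `privileged`, it may be worth checking whether a narrower `securityContext` (specific `capabilities` plus `allowPrivilegeEscalation`) covers the tasks that motivated this — I can't tell from the visible lines what those tasks need.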