Scale back AWX_PROOT_ENABLED changes; Add tower_ingress_type and tower_task_privileged to README

2026-03-26 21:33:14 +00:00 · 2020-04-20 12:13:14 -04:00
parent 25b970bd70
commit 87258f5882
6 changed files with 35 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -64,6 +64,33 @@ If you would like to deploy AWX (the open source upstream of Tower) into your cl
      tower_task_image: ansible/awx_task:9.2.0
      tower_web_image: ansible/awx_web:9.2.0

+### Ingress Types
+
+Depending on the cluster that you're running on, you may wish to use an `Ingress` to access your tower or you may wish to use a `Route` to access your tower. To toggle between these two options, you can add the following to your Tower custom resource:
+
+    ---
+    spec:
+      ...
+      tower_ingress_type: Route
+
+By default, this is configured to use `Ingress`.
+
+### Privileged Tasks
+
+Depending on the type of tasks that you'll be running, you may find that you need the tower task pod to run as `privileged`. This can open yourself up to a variety of security concerns, so you should be aware (and verify that you have the privileges) to do this if necessary. In order to toggle this feature, you can add the following to your Tower custom resource:
+
+    ---
+    spec:
+      ...
+      tower_task_privileged: true
+
+If you are attempting to do this on an OpenShift cluster, you will need to grant the `tower` ServiceAccount the `privileged` SCC, which can be done with:
+
+    oc adm policy add-scc-to-user privileged -z tower
+
+Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action.
+
+
 ### Persistent storage for Postgres

 If you need to use a specific storage class for Postgres' storage, specify `tower_postgres_storage_class` in your Tower spec:
--- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml
@@ -5,6 +5,9 @@ metadata:
  name: example-tower
  namespace: example-tower
 spec:
+  tower_ingress_type: ingress
+  tower_task_privileged: false
+
  tower_hostname: example-tower.test
  tower_secret_key: aabbcc

--- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
+++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml
@@ -5,6 +5,9 @@ metadata:
  name: example-tower
  namespace: example-tower
 spec:
+  tower_ingress_type: ingress
+  tower_task_privileged: false
+
  tower_hostname: example-tower.test
  tower_secret_key: aabbcc

--- a/roles/tower/defaults/main.yml
+++ b/roles/tower/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-tower_multitenant: false
+tower_task_privileged: false
 tower_ingress_type: ingress

 tower_hostname: example-tower.test
--- a/roles/tower/templates/tower_config.yaml.j2
+++ b/roles/tower/templates/tower_config.yaml.j2
@@ -40,11 +40,7 @@ data:
    INTERNAL_API_URL = 'http://127.0.0.1:8052'
    
    # Container environments don't like chroots
-{% if tower_multitenant == true %}
-    AWX_PROOT_ENABLED = True
-{% else %}
    AWX_PROOT_ENABLED = False
-{% endif %}
    
    # Automatically deprovision pods that go offline
    AWX_AUTO_DEPROVISION_INSTANCES = True
--- a/roles/tower/templates/tower_task.yaml.j2
+++ b/roles/tower/templates/tower_task.yaml.j2
@@ -20,7 +20,7 @@ spec:
      containers:
      - image: '{{ tower_task_image }}'
        name: tower-task
-{% if tower_multitenant == true %}
+{% if tower_task_privileged == true %}
        securityContext:
          privileged: true
 {% endif %}