New deployment model

ansible/instantiate-awx-deployment.yml

@@ -20,7 +20,6 @@
           spec:
             tower_admin_user: test
             tower_admin_email: test@example.com
-            tower_broadcast_websocket_secret: changeme
             tower_ingress_type: "{{ tower_ingress_type | default(omit) }}"  # Either Route or Ingress
             tower_image: "{{ tower_image | default(omit) }}"
             development_mode: "{{ development_mode | default(omit) }}"

ansible/templates/role.yml.j2

@@ -14,15 +14,19 @@ rules:
       - '*'
   - apiGroups:
       - ""
+      - "rbac.authorization.k8s.io"
     resources:
       - pods
       - services
       - services/finalizers
+      - serviceaccounts
       - endpoints
       - persistentvolumeclaims
       - events
       - configmaps
       - secrets
+      - roles
+      - rolebindings
     verbs:
       - '*'
   - apiGroups:

deploy/awx-operator.yaml

@@ -16,15 +16,19 @@ rules:
       - '*'
   - apiGroups:
       - ""
+      - "rbac.authorization.k8s.io"
     resources:
       - pods
       - services
       - services/finalizers
+      - serviceaccounts
       - endpoints
       - persistentvolumeclaims
       - events
       - configmaps
       - secrets
+      - roles
+      - rolebindings
     verbs:
       - '*'
   - apiGroups:

deploy/crds/awx_v1beta1_cr.yaml

@@ -14,7 +14,7 @@ spec:
   tower_admin_user: test
   tower_admin_email: test@example.com
 
-  tower_image: ansible/awx:15.0.0
+  tower_image: quay.io/ansible/awx:execution-environments
 
   tower_create_preload_data: true
 

deploy/crds/awx_v1beta1_molecule.yaml

@@ -13,7 +13,7 @@ spec:
 
   tower_admin_email: test@example.com
 
-  tower_image: ansible/awx:15.0.0
+  tower_image: quay.io/ansible/awx:execution-environments
 
   tower_web_resource_requirements:
     requests:

roles/installer/defaults/main.yml

@@ -53,8 +53,9 @@ tower_extra_volumes: ''
 
 # Use these image versions for Ansible AWX.
 
-tower_image: ansible/awx:15.0.0
+tower_image: quay.io/ansible/awx:execution-environments
 tower_image_pull_policy: IfNotPresent
+default_ee: quay.io/ansible/awx-ee
 
 tower_create_preload_data: true
 

roles/installer/tasks/main.yml

@@ -29,6 +29,7 @@
   register: tower_deployment_result
   loop:
     - 'tower_app_credentials'
+    - 'tower_service_account'
     - 'tower_deployment'
     - 'tower_service'
     - 'tower_ingress'

roles/installer/templates/tower_config.yaml.j2

@@ -23,7 +23,9 @@ data:
     STATIC_ROOT = '/var/lib/awx/public/static'
     PROJECTS_ROOT = '/var/lib/awx/projects'
     JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
-    
+
+    IS_K8S = True
+
     SECRET_KEY = get_secret()
     
     ALLOWED_HOSTS = ['*']
@@ -59,6 +61,7 @@ data:
         '()': 'logging.StreamHandler',
         'level': 'DEBUG',
         'formatter': 'simple',
+        'filters': ['guid'],
     }
     
     LOGGING['loggers']['django.request']['handlers'] = ['console']
@@ -208,3 +211,32 @@ data:
     unixsocketperm 777
     port 0
     bind 127.0.0.1
+  receptor_conf: |
+    ---
+    - log-level: debug
+
+    - control-service:
+        service: control
+        filename: /var/run/receptor/receptor.sock
+
+    - local-only:
+
+    - work-command:
+        worktype: local
+        command: ansible-runner
+        params: worker
+        allowruntimeparams: true
+
+    - work-kubernetes:
+        worktype: kubernetes-runtime-auth
+        authmethod: runtime
+        allowruntimeauth: true
+        allowruntimepod: true
+        allowruntimeparams: true
+
+    - work-kubernetes:
+        worktype: kubernetes-incluster-auth
+        authmethod: incluster
+        allowruntimeauth: true
+        allowruntimepod: true
+        allowruntimeparams: true

roles/installer/templates/tower_deployment.yaml.j2

@@ -17,6 +17,7 @@ spec:
       labels:
         app: '{{ deployment_type }}'
     spec:
+      serviceAccountName: '{{ meta.name }}'
       containers:
         - image: '{{ tower_redis_image }}'
           name: redis
@@ -28,6 +29,8 @@ spec:
               readOnly: true
             - name: {{ meta.name }}-redis-socket
               mountPath: "/var/run/redis"
+            - name: "{{ meta.name }}-redis-data"
+              mountPath: "/data"
         - image: '{{ tower_image }}'
           name: '{{ meta.name }}-web'
 {% if tower_web_command %}
@@ -78,9 +81,11 @@ spec:
 {% if tower_web_extra_volume_mounts -%}
             {{ tower_web_extra_volume_mounts | indent(width=12, indentfirst=True) }}
 {% endif %}
-{% if (development_mode | bool) or (tower_task_extra_env | bool) %}
           env:
-{% endif %}
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
 {% if development_mode | bool %}
             - name: AWX_KUBE_DEVEL
               value: "1"
@@ -122,6 +127,10 @@ spec:
               mountPath: "/var/run/awx-rsyslog"
             - name: rsyslog-dir
               mountPath: "/var/lib/awx/rsyslog"
+            - name: receptor-socket
+              mountPath: "/var/run/receptor"
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
 {% if development_mode | bool %}
             - name: awx-devel
               mountPath: "/awx_devel"
@@ -142,6 +151,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
 {% if development_mode | bool %}
             - name: AWX_KUBE_DEVEL
               value: "1"
@@ -150,6 +163,26 @@ spec:
             {{ tower_task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ tower_task_resource_requirements }}
+        - image: '{{ default_ee }}'
+          name: '{{ meta.name }}-ee'
+          imagePullPolicy: '{{ tower_image_pull_policy }}'
+          args: ['receptor', '--config', '/etc/receptor.conf']
+          volumeMounts:
+            - name: "{{ meta.name }}-receptor-config"
+              mountPath: "/etc/receptor.conf"
+              subPath: receptor.conf
+              readOnly: true
+            - name: receptor-socket
+              mountPath: "/var/run/receptor"
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
+{% if development_mode | bool %}
+          env:
+            - name: SDB_NOTIFY_HOST
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+{% endif %}
       volumes:
 {% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
         - name: "{{ meta.name }}-nginx-certs"
@@ -195,12 +228,24 @@ spec:
                 path: redis.conf
         - name: {{ meta.name }}-redis-socket
           emptyDir: {}
+        - name: {{ meta.name }}-redis-data
+          emptyDir: {}
         - name: supervisor-socket
           emptyDir: {}
         - name: rsyslog-socket
           emptyDir: {}
+        - name: receptor-socket
+          emptyDir: {}
         - name: rsyslog-dir
           emptyDir: {}
+        - name: {{ meta.name }}-receptor-config
+          configMap:
+            name: {{ meta.name }}-awx-configmap
+            items:
+              - key: receptor_conf
+                path: receptor.conf
+        - name: "{{ meta.name }}-projects"
+          emptyDir: {}
 {% if development_mode | bool %}
         - name: awx-devel
           hostPath:

roles/installer/templates/tower_service_account.yaml.j2

@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: '{{ meta.name }}'
+  namespace: '{{ meta.namespace }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: '{{ meta.name }}'
+  namespace: '{{ meta.namespace }}'
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods/attach"]
+  verbs: ["create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: '{{ meta.name }}'
+  namespace: '{{ meta.namespace }}'
+subjects:
+- kind: ServiceAccount
+  name: '{{ meta.name }}'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ meta.name }}'