diff --git a/ansible/instantiate-awx-deployment.yml b/ansible/instantiate-awx-deployment.yml
index 39b9c621..a94c9d0d 100644
--- a/ansible/instantiate-awx-deployment.yml
+++ b/ansible/instantiate-awx-deployment.yml
@@ -20,7 +20,6 @@ spec: tower_admin_user: test tower_admin_email: test@example.com - tower_broadcast_websocket_secret: changeme tower_ingress_type: "{{ tower_ingress_type | default(omit) }}" # Either Route or Ingress tower_image: "{{ tower_image | default(omit) }}" development_mode: "{{ development_mode | default(omit) }}"
diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2
index 3ddd7e3d..fb5aae94 100644
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -14,15 +14,19 @@ rules: - '*' - apiGroups: - "" + - "rbac.authorization.k8s.io" resources: - pods - services - services/finalizers + - serviceaccounts - endpoints - persistentvolumeclaims - events - configmaps - secrets + - roles + - rolebindings verbs: - '*' - apiGroups:
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index fba7c2d0..e7c195ae 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -16,15 +16,19 @@ rules: - '*' - apiGroups: - "" + - "rbac.authorization.k8s.io" resources: - pods - services - services/finalizers + - serviceaccounts - endpoints - persistentvolumeclaims - events - configmaps - secrets + - roles + - rolebindings verbs: - '*' - apiGroups:
diff --git a/deploy/crds/awx_v1beta1_cr.yaml b/deploy/crds/awx_v1beta1_cr.yaml
index c242695b..e2102cbf 100644
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -14,7 +14,7 @@ spec: tower_admin_user: test tower_admin_email: test@example.com - tower_image: ansible/awx:15.0.0 + tower_image: quay.io/ansible/awx:execution-environments tower_create_preload_data: true
diff --git a/deploy/crds/awx_v1beta1_molecule.yaml b/deploy/crds/awx_v1beta1_molecule.yaml
index 60cf6d1e..8719e7c0 100644
--- a/deploy/crds/awx_v1beta1_molecule.yaml
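Review bot: Adding `rbac.authorization.k8s.io` to the apiGroups of the rule that already carries `verbs: ['*']` gives the operator's service account every verb on `roles` and `rolebindings`, including `escalate` and `bind`, so it can grant itself any permission in the namespace rather than only the pod/log/attach Role it is meant to create. Keep the RBAC grant in its own rule with the verbs the reconcile actually uses, e.g. `- apiGroups: ["rbac.authorization.k8s.io"]` / `resources: ["roles", "rolebindings"]` / `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and leave `serviceaccounts` under the core group; the merged form also requests core resources such as `secrets` from the rbac group, which is meaningless but obscures intent. The identical hunk in `deploy/awx-operator.yaml` (`@@ -16,15 +16,19 @@`) needs the same split. The enclosing `rules:` list continues outside the hunk.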
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -13,7 +13,7 @@ spec: tower_admin_email: test@example.com - tower_image: ansible/awx:15.0.0 + tower_image: quay.io/ansible/awx:execution-environments tower_web_resource_requirements: requests:
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index d5e40abe..accf98b2 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -53,8 +53,9 @@ tower_extra_volumes: '' # Use these image versions for Ansible AWX. -tower_image: ansible/awx:15.0.0 +tower_image: quay.io/ansible/awx:execution-environments tower_image_pull_policy: IfNotPresent +default_ee: quay.io/ansible/awx-ee tower_create_preload_data: true
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 727b1678..5848d4c1 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -29,6 +29,7 @@ register: tower_deployment_result loop: - 'tower_app_credentials' + - 'tower_service_account' - 'tower_deployment' - 'tower_service' - 'tower_ingress'
diff --git a/roles/installer/templates/tower_config.yaml.j2 b/roles/installer/templates/tower_config.yaml.j2
index 82ec38fe..77209185 100644
--- a/roles/installer/templates/tower_config.yaml.j2
+++ b/roles/installer/templates/tower_config.yaml.j2
@@ -23,7 +23,9 @@ data: STATIC_ROOT = '/var/lib/awx/public/static' PROJECTS_ROOT = '/var/lib/awx/projects' JOBOUTPUT_ROOT = '/var/lib/awx/job_status' - + + IS_K8S = True + SECRET_KEY = get_secret() ALLOWED_HOSTS = ['*']
@@ -59,6 +61,7 @@ data: '()': 'logging.StreamHandler', 'level': 'DEBUG', 'formatter': 'simple', + 'filters': ['guid'], } LOGGING['loggers']['django.request']['handlers'] = ['console']
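Review bot: `default_ee: quay.io/ansible/awx-ee` in the `roles/installer/defaults/main.yml` hunk carries no tag, so it resolves to `latest` on every pull, and the new `tower_image` default `quay.io/ansible/awx:execution-environments` is a branch-style tag that moves as well; combined with `tower_image_pull_policy: IfNotPresent` two nodes can end up running different images for the same CR. Pin both to a release tag or an `@sha256:` digest (placeholder until one is chosen), or at least state in the comment that these are development defaults, e.g. `# Default execution-environment image for receptor/ansible-runner; unpinned, resolves to latest.` above `default_ee`. The CR samples under `deploy/crds/` switch to the same moving tag in this commit.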
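Review bot: The added `'filters': ['guid']` on the console handler in the `@@ -59,6 +61,7 @@` hunk of `tower_config.yaml.j2` references a logging filter named `guid` that must exist under `LOGGING['filters']` when the dict config is applied, and nothing in this hunk defines it; if it comes from AWX's own default settings that is fine, but otherwise the web and task processes fail at startup with a logging configuration error. Worth confirming where `guid` is defined and recording it beside the line, e.g. `'filters': ['guid'],  # filter defined in AWX's default settings` with the location adjusted to wherever it actually lives. The handler dict this line belongs to is built outside the hunk.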
@@ -208,3 +211,32 @@ data: unixsocketperm 777 port 0 bind 127.0.0.1 + receptor_conf: | + --- + - log-level: debug + + - control-service: + service: control + filename: /var/run/receptor/receptor.sock + + - local-only: + + - work-command: + worktype: local + command: ansible-runner + params: worker + allowruntimeparams: true + + - work-kubernetes: + worktype: kubernetes-runtime-auth + authmethod: runtime + allowruntimeauth: true + allowruntimepod: true + allowruntimeparams: true + + - work-kubernetes: + worktype: kubernetes-incluster-auth + authmethod: incluster + allowruntimeauth: true + allowruntimepod: true + allowruntimeparams: true
diff --git a/roles/installer/templates/tower_deployment.yaml.j2 b/roles/installer/templates/tower_deployment.yaml.j2
index 5b8caa62..b9e9485d 100644
--- a/roles/installer/templates/tower_deployment.yaml.j2
+++ b/roles/installer/templates/tower_deployment.yaml.j2
@@ -17,6 +17,7 @@ spec: labels: app: '{{ deployment_type }}' spec: + serviceAccountName: '{{ meta.name }}' containers: - image: '{{ tower_redis_image }}' name: redis
@@ -28,6 +29,8 @@ spec: readOnly: true - name: {{ meta.name }}-redis-socket mountPath: "/var/run/redis" + - name: "{{ meta.name }}-redis-data" + mountPath: "/data" - image: '{{ tower_image }}' name: '{{ meta.name }}-web' {% if tower_web_command %}
@@ -78,9 +81,11 @@ spec: {% if tower_web_extra_volume_mounts -%} {{ tower_web_extra_volume_mounts | indent(width=12, indentfirst=True) }} {% endif %} -{% if (development_mode | bool) or (tower_task_extra_env | bool) %} env: -{% endif %} + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace {% if development_mode | bool %} - name: AWX_KUBE_DEVEL value: "1"
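Review bot: Both `work-kubernetes` entries in the new `receptor_conf` enable `allowruntimeauth`, `allowruntimepod` and `allowruntimeparams`, and `log-level: debug` is unconditional, with no comment on the trust boundary this relies on; going by the flag names, any client of `/var/run/receptor/receptor.sock` can supply its own pod spec and cluster credentials, so the configuration is only as safe as that socket being reachable from this pod alone (the deployment template changes in this commit share it through an emptyDir). Add a short comment above `receptor_conf: |` stating that assumption, e.g. `# Control socket is pod-local (emptyDir shared with the task container); runtime pod specs and auth are accepted on that basis.`, and since this is a Jinja template consider gating the debug level on `development_mode` the way the rest of the role does (`{% if development_mode | bool %}`). The ConfigMap's `data:` mapping starts outside the hunk.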
@@ -122,6 +127,10 @@ spec: mountPath: "/var/run/awx-rsyslog" - name: rsyslog-dir mountPath: "/var/lib/awx/rsyslog" + - name: receptor-socket + mountPath: "/var/run/receptor" + - name: "{{ meta.name }}-projects" + mountPath: "/var/lib/awx/projects" {% if development_mode | bool %} - name: awx-devel mountPath: "/awx_devel"
@@ -142,6 +151,10 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace {% if development_mode | bool %} - name: AWX_KUBE_DEVEL value: "1"
@@ -150,6 +163,26 @@ spec: {{ tower_task_extra_env | indent(width=12, indentfirst=True) }} {% endif %} resources: {{ tower_task_resource_requirements }} + - image: '{{ default_ee }}' + name: '{{ meta.name }}-ee' + imagePullPolicy: '{{ tower_image_pull_policy }}' + args: ['receptor', '--config', '/etc/receptor.conf'] + volumeMounts: + - name: "{{ meta.name }}-receptor-config" + mountPath: "/etc/receptor.conf" + subPath: receptor.conf + readOnly: true + - name: receptor-socket + mountPath: "/var/run/receptor" + - name: "{{ meta.name }}-projects" + mountPath: "/var/lib/awx/projects" +{% if development_mode | bool %} + env: + - name: SDB_NOTIFY_HOST + valueFrom: + fieldRef: + fieldPath: status.podIP +{% endif %} volumes: {% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %} - name: "{{ meta.name }}-nginx-certs"
@@ -195,12 +228,24 @@ spec: path: redis.conf - name: {{ meta.name }}-redis-socket emptyDir: {} + - name: {{ meta.name }}-redis-data + emptyDir: {} - name: supervisor-socket emptyDir: {} - name: rsyslog-socket emptyDir: {} + - name: receptor-socket + emptyDir: {} - name: rsyslog-dir emptyDir: {} + - name: {{ meta.name }}-receptor-config + configMap: + name: {{ meta.name }}-awx-configmap + items: + - key: receptor_conf + path: receptor.conf + - name: "{{ meta.name }}-projects" + emptyDir: {} {% if development_mode | bool %} - name: awx-devel hostPath:
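Review bot: The new `{{ meta.name }}-ee` container in the `@@ -150,6 +163,26 @@` hunk has no `resources:` block, while the task container immediately above it ends with `resources: {{ tower_task_resource_requirements }}`; a single container without requests and limits means the pod can no longer be `Guaranteed` QoS and the receptor/ansible-runner workload runs unbounded. Add `resources: {{ tower_task_resource_requirements }}` after the container's `volumeMounts:` list (or introduce a dedicated role default for the EE container, mirroring the existing web/task variables). The container list this hunk extends starts and ends outside the hunk.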
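Review bot: In the `@@ -195,12 +228,24 @@` hunk the receptor config is delivered as a ConfigMap volume that the EE container consumes through `subPath: receptor.conf`; subPath-mounted ConfigMap keys are not refreshed in place when the ConfigMap changes, so an updated `receptor_conf` only takes effect after the pod is recreated, which the operator's reconcile may not do on its own. Record that at the volume, e.g. `# Mounted via subPath: changes to receptor_conf require a pod restart to take effect.` above `- name: {{ meta.name }}-receptor-config`. The `receptor-socket` `emptyDir` added here is what keeps the receptor control socket pod-local, which is the assumption the permissive receptor config depends on, and naming that in a comment on the volume would help the next reader.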
diff --git a/roles/installer/templates/tower_service_account.yaml.j2 b/roles/installer/templates/tower_service_account.yaml.j2
new file mode 100644
index 00000000..00cca78d
--- /dev/null
+++ b/roles/installer/templates/tower_service_account.yaml.j2
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: '{{ meta.name }}'
+ namespace: '{{ meta.namespace }}'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: '{{ meta.name }}'
+ namespace: '{{ meta.namespace }}'
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["pods/attach"]
+ verbs: ["create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: '{{ meta.name }}'
+ namespace: '{{ meta.namespace }}'
+subjects:
+- kind: ServiceAccount
+ name: '{{ meta.name }}'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ meta.name }}'
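Review bot: The RoleBinding document uses `apiVersion: rbac.authorization.k8s.io/v1beta1` while the Role two documents above uses `rbac.authorization.k8s.io/v1`; `v1` is the stable RBAC API and the beta version is deprecated and removed in newer clusters, so change the binding to `apiVersion: rbac.authorization.k8s.io/v1` (and put `apiVersion` before `kind`, as the other two documents do). The ServiceAccount subject also omits its namespace; add `namespace: '{{ meta.namespace }}'` under `- kind: ServiceAccount`, since as far as I recall the API server rejects ServiceAccount subjects without one and an explicit value avoids depending on that behaviour. For the risk record, this Role is bound to the service account the AWX pod itself runs as, and `pods` create/delete plus `pods/attach` create reach every other pod in the namespace (the database included, if it is deployed there), so a comment above `rules:` stating that these are the minimum verbs receptor's `kubernetes-incluster-auth` work type needs would help future reviewers keep it from growing.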