mirror of
https://github.com/ansible/awx-operator.git
synced 2026-03-27 05:43:11 +00:00
Relocate receptor cert and key file location (#1442)
This commit is contained in:
Hao Liu
GitHub
@@ -16,11 +16,11 @@ data:
|
||||
import socket
|
||||
# Import all so that extra_settings works properly
|
||||
from django_auth_ldap.config import *
|
||||
|
||||
|
||||
def get_secret():
|
||||
if os.path.exists("/etc/tower/SECRET_KEY"):
|
||||
return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
|
||||
|
||||
|
||||
ADMINS = ()
|
||||
STATIC_ROOT = '/var/lib/awx/public/static'
|
||||
STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
|
||||
@@ -59,20 +59,20 @@ data:
|
||||
|
||||
# Container environments don't like chroots
|
||||
AWX_PROOT_ENABLED = False
|
||||
|
||||
|
||||
# Automatically deprovision pods that go offline
|
||||
AWX_AUTO_DEPROVISION_INSTANCES = True
|
||||
|
||||
|
||||
CLUSTER_HOST_ID = socket.gethostname()
|
||||
SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
|
||||
|
||||
|
||||
CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
|
||||
SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
|
||||
|
||||
|
||||
SERVER_EMAIL = 'root@localhost'
|
||||
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
|
||||
EMAIL_SUBJECT_PREFIX = '[AWX] '
|
||||
|
||||
|
||||
EMAIL_HOST = 'localhost'
|
||||
EMAIL_PORT = 25
|
||||
EMAIL_HOST_USER = ''
|
||||
@@ -101,30 +101,30 @@ data:
|
||||
default_type application/octet-stream;
|
||||
server_tokens off;
|
||||
client_max_body_size 5M;
|
||||
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
|
||||
access_log /dev/stdout main;
|
||||
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
#gzip on;
|
||||
|
||||
|
||||
upstream uwsgi {
|
||||
server 127.0.0.1:8050;
|
||||
}
|
||||
|
||||
|
||||
upstream daphne {
|
||||
server 127.0.0.1:8051;
|
||||
}
|
||||
|
||||
|
||||
|
||||
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
|
||||
server {
|
||||
@@ -163,30 +163,30 @@ data:
|
||||
# If you have a domain name, this is where to add it
|
||||
server_name _;
|
||||
keepalive_timeout 65;
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
|
||||
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
|
||||
add_header X-Frame-Options "DENY";
|
||||
# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/static').replace('//', '/') }} {
|
||||
alias /var/lib/awx/public/static/;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
|
||||
alias /var/lib/awx/public/static/media/favicon.ico;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/websocket').replace('//', '/') }} {
|
||||
# Pass request to the upstream alias
|
||||
proxy_pass http://daphne;
|
||||
@@ -208,7 +208,7 @@ data:
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
|
||||
location {{ ingress_path }} {
|
||||
# Add trailing / if missing
|
||||
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
|
||||
@@ -268,8 +268,8 @@ data:
|
||||
cert: /etc/receptor/tls/receptor.crt
|
||||
key: /etc/receptor/tls/receptor.key
|
||||
name: tlsclient
|
||||
rootcas: /etc/receptor/tls/ca/receptor-ca.crt
|
||||
rootcas: /etc/receptor/tls/ca/mesh-CA.crt
|
||||
mintls13: false
|
||||
- work-signing:
|
||||
privatekey: /etc/receptor/signing/work-private-key.pem
|
||||
privatekey: /etc/receptor/work_private_key.pem
|
||||
tokenexpiration: 1m
|
||||
|
||||
@@ -83,7 +83,7 @@ spec:
|
||||
- |
|
||||
hostname=$MY_POD_NAME
|
||||
receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
|
||||
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
|
||||
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
|
||||
{% if bundle_ca_crt %}
|
||||
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
|
||||
update-ca-trust
|
||||
@@ -98,11 +98,11 @@ spec:
|
||||
fieldPath: metadata.name
|
||||
volumeMounts:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
|
||||
subPath: "tls.key"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
|
||||
@@ -224,7 +224,7 @@ spec:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-config"
|
||||
mountPath: "/etc/receptor/"
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/signing/work-private-key.pem"
|
||||
mountPath: "/etc/receptor/work_private_key.pem"
|
||||
subPath: "work-private-key.pem"
|
||||
readOnly: true
|
||||
- name: receptor-socket
|
||||
@@ -305,11 +305,11 @@ spec:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-config"
|
||||
mountPath: "/etc/receptor/"
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/signing/work-private-key.pem"
|
||||
mountPath: "/etc/receptor/work_private_key.pem"
|
||||
subPath: "work-private-key.pem"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
|
||||
|
||||
@@ -210,15 +210,15 @@ spec:
|
||||
mountPath: "/var/lib/awx/projects"
|
||||
{% endif %}
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
|
||||
subPath: "tls.key"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/signing/work-public-key.pem"
|
||||
mountPath: "/etc/receptor/work_public_key.pem"
|
||||
subPath: "work-public-key.pem"
|
||||
readOnly: true
|
||||
{% if development_mode | bool %}
|
||||
|
||||
Reference in New Issue
Block a user