diff --git a/roles/installer/templates/configmaps/config.yaml.j2 b/roles/installer/templates/configmaps/config.yaml.j2
index 459de0d3..d8c2bb21 100644
--- a/roles/installer/templates/configmaps/config.yaml.j2
+++ b/roles/installer/templates/configmaps/config.yaml.j2
@@ -16,11 +16,11 @@ data:
 import socket # Import all so that extra_settings works properly from django_auth_ldap.config import * - + def get_secret(): if os.path.exists("/etc/tower/SECRET_KEY"): return open('/etc/tower/SECRET_KEY', 'rb').read().strip() - + ADMINS = () STATIC_ROOT = '/var/lib/awx/public/static' STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
@@ -59,20 +59,20 @@ data:
 # Container environments don't like chroots AWX_PROOT_ENABLED = False - + # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True - + CLUSTER_HOST_ID = socket.gethostname() SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000') - + CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }} SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }} - + SERVER_EMAIL = 'root@localhost' DEFAULT_FROM_EMAIL = 'webmaster@localhost' EMAIL_SUBJECT_PREFIX = '[AWX] ' - + EMAIL_HOST = 'localhost' EMAIL_PORT = 25 EMAIL_HOST_USER = ''
@@ -101,30 +101,30 @@ data:
 default_type application/octet-stream; server_tokens off; client_max_body_size 5M; - + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - + access_log /dev/stdout main; - + map $http_upgrade $connection_upgrade { default upgrade; '' close; } - + sendfile on; #tcp_nopush on; #gzip on; - + upstream uwsgi { server 127.0.0.1:8050; } - + upstream daphne { server 127.0.0.1:8051; } - + {% if route_tls_termination_mechanism | lower == 'passthrough' %} server {
@@ -163,30 +163,30 @@ data:
 # If you have a domain name, this is where to add it server_name _; keepalive_timeout 65; - + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - + # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff; - + location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } - + location {{ (ingress_path + '/static').replace('//', '/') }} { alias /var/lib/awx/public/static/; } - + location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} { alias /var/lib/awx/public/static/media/favicon.ico; } - + location {{ (ingress_path + '/websocket').replace('//', '/') }} { # Pass request to the upstream alias proxy_pass http://daphne;
@@ -208,7 +208,7 @@ data:
 proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } - + location {{ ingress_path }} { # Add trailing / if missing rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
@@ -268,8 +268,8 @@ data:
 cert: /etc/receptor/tls/receptor.crt key: /etc/receptor/tls/receptor.key name: tlsclient - rootcas: /etc/receptor/tls/ca/receptor-ca.crt + rootcas: /etc/receptor/tls/ca/mesh-CA.crt mintls13: false - work-signing: - privatekey: /etc/receptor/signing/work-private-key.pem + privatekey: /etc/receptor/work_private_key.pem tokenexpiration: 1m
diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2
index 0d1b82d8..78a36896 100644
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
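Review bot: The receptor CA and work-signing key paths (`/etc/receptor/tls/ca/mesh-CA.crt`, `/etc/receptor/work_private_key.pem`) are introduced in hunk @@ -268 of config.yaml.j2 as bare string literals and then repeated, literal by literal, in the task.yaml.j2 mounts and init command (hunks @@ -83, @@ -98, @@ -224, @@ -305) and in web.yaml.j2 (@@ -210); keeping the same path in six places is exactly how the config template and the volumeMounts drift apart, which appears to be what this commit is reconciling. Define each path once as a role default (name of your choosing) and reference that variable from the config template and all three deployment templates. Separately, only the `work-signing` `privatekey` entry is moved here, while web.yaml.j2 moves the public key to `/etc/receptor/work_public_key.pem`; if a `work-verification` `publickey` entry exists elsewhere in this template it needs the same update, otherwise signature verification on the web side will look for the key at the old path. The receptor config list that contains these entries continues outside the hunk.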
@@ -83,7 +83,7 @@ spec:
 - | hostname=$MY_POD_NAME receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key - receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes + receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes {% if bundle_ca_crt %} mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2} update-ca-trust
@@ -98,11 +98,11 @@ spec:
 fieldPath: metadata.name volumeMounts: - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" + mountPath: "/etc/receptor/tls/ca/mesh-CA.crt" subPath: "tls.crt" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca/receptor-ca.key" + mountPath: "/etc/receptor/tls/ca/mesh-CA.key" subPath: "tls.key" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-tls"
@@ -224,7 +224,7 @@ spec:
 - name: "{{ ansible_operator_meta.name }}-receptor-config" mountPath: "/etc/receptor/" - name: "{{ ansible_operator_meta.name }}-receptor-work-signing" - mountPath: "/etc/receptor/signing/work-private-key.pem" + mountPath: "/etc/receptor/work_private_key.pem" subPath: "work-private-key.pem" readOnly: true - name: receptor-socket
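Review bot: The re-pathed `receptor --cert-signreq ... cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key ...` line in hunk @@ -83 is one command inside a multi-line `- |` script whose first lines are outside the hunk; unless that script begins with `set -e`, a failure of this signing step (for instance the CA files not being present at the new path) is ignored and the container may carry on with whatever is, or is not, in /etc/receptor/tls/receptor.crt. If no such guard exists, add `set -e` as the first line of the block so a failed signing aborts the container instead of producing a node without a usable mesh certificate. The new `cakey` path has to agree with the `tls.key` `mountPath` in hunk @@ -98 of this file, and it does.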
@@ -305,11 +305,11 @@ spec:
 - name: "{{ ansible_operator_meta.name }}-receptor-config" mountPath: "/etc/receptor/" - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" + mountPath: "/etc/receptor/tls/ca/mesh-CA.crt" subPath: "tls.crt" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-work-signing" - mountPath: "/etc/receptor/signing/work-private-key.pem" + mountPath: "/etc/receptor/work_private_key.pem" subPath: "work-private-key.pem" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-tls"
diff --git a/roles/installer/templates/deployments/web.yaml.j2 b/roles/installer/templates/deployments/web.yaml.j2
index f102749d..ac3866ac 100644
--- a/roles/installer/templates/deployments/web.yaml.j2
+++ b/roles/installer/templates/deployments/web.yaml.j2
@@ -210,15 +210,15 @@ spec:
 mountPath: "/var/lib/awx/projects" {% endif %} - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca/receptor-ca.crt" + mountPath: "/etc/receptor/tls/ca/mesh-CA.crt" subPath: "tls.crt" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-ca" - mountPath: "/etc/receptor/tls/ca/receptor-ca.key" + mountPath: "/etc/receptor/tls/ca/mesh-CA.key" subPath: "tls.key" readOnly: true - name: "{{ ansible_operator_meta.name }}-receptor-work-signing" - mountPath: "/etc/receptor/signing/work-public-key.pem" + mountPath: "/etc/receptor/work_public_key.pem" subPath: "work-public-key.pem" readOnly: true {% if development_mode | bool %}
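Review bot: In the web.yaml.j2 hunk @@ -210 the web pod keeps mounting the mesh CA private key (`subPath: "tls.key"`, now at `mountPath: "/etc/receptor/tls/ca/mesh-CA.key"`) next to the CA certificate; the only consumer of that key visible in this diff is the `--cert-signreq` step in task.yaml.j2 (hunk @@ -83), and if the web container does not sign node certificates itself this mount gives the externally reachable pod the mesh signing key for no purpose. Confirm against the web container's command, which is outside this hunk, and if the key is unused remove that `volumeMounts` entry so only `tls.crt` is present in the web pod. The public-key mount for work verification in the same hunk is the appropriate material for a verifying node and can stay.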