diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2
index 83441b01..3ddd7e3d 100644
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -9,6 +9,7 @@ rules:
 - route.openshift.io
 resources:
 - routes
+ - routes/custom-host
 verbs:
 - '*'
 - apiGroups:
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
index e88e44e5..39b20c14 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -108,6 +108,25 @@ spec:
 - urn:alm:descriptor:com.tectonic.ui:select:none
 - urn:alm:descriptor:com.tectonic.ui:select:Ingress
 - urn:alm:descriptor:com.tectonic.ui:select:Route
+ - displayName: Route DNS host
+ path: tower_route_host
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:advanced
+ - urn:alm:descriptor:com.tectonic.ui:label
+ - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
+ - displayName: Route TLS termination mechanism
+ path: tower_route_tls_termination_mechanism
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:advanced
+ - urn:alm:descriptor:com.tectonic.ui:select:Edge
+ - urn:alm:descriptor:com.tectonic.ui:select:Passthrough
+ - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
+ - displayName: Route TLS credential secret
+ path: tower_route_tls_secret
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:advanced
+ - urn:alm:descriptor:io.kubernetes:Secret
+ - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
 - displayName: Image Pull Policy
 path: tower_image_pull_policy
 x-descriptors:
@@ -162,6 +181,7 @@ spec:
 - route.openshift.io
 resources:
 - routes
+ - routes/custom-host
 verbs:
 - '*'
 - apiGroups:
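Review bot: The new `routes/custom-host` entry sits under the existing `verbs: ['*']` rule, so the operator gets every verb on a subresource that, as far as I know, OpenShift's route admission only ever checks for `create` (setting `spec.host` on a new Route) and `update` (changing the host or, on recent releases, the TLS certificate fields); a wildcard is wider than the operator needs for what this commit's template does. A separate rule keeps it at least-privilege: `- apiGroups: [route.openshift.io]` / `resources: [routes/custom-host]` / `verbs: [create, update]`. The same rule is copied into the ClusterServiceVersion hunk at `@@ -162,6 +181,7 @@`, so whichever form is chosen must be kept identical in both places. The `rules:` list this hunk edits begins before line 9 of the template and continues after it, so the enclosing role definition is outside the hunk.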
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
index 154c8890..8fddc73e 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -42,6 +42,18 @@ spec:
 - none
 - Ingress
 - Route
+ tower_route_host:
+ description: The DNS to use to points to the instance
+ type: string
+ tower_route_tls_termination_mechanism:
+ description: The secure TLS termination mechanism to use
+ type: string
+ enum:
+ - Edge
+ - Passthrough
+ tower_route_tls_secret:
+ description: Secret where the TLS related credentials are stored
+ type: string
 tower_image_pull_policy:
 description: The image pull policy
 type: string
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index f5ede761..b8576237 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -15,6 +15,21 @@ tower_ingress_annotations: ''
 # certificate and key.
 tower_ingress_tls_secret: ''
+# The TLS termination mechanism to use to access
+# the services. Supported mechanism are: edge, passthrough
+#
+tower_route_tls_termination_mechanism: edge
+
+# Secret to lookup that provide the TLS specific
+# credentials to deploy
+#
+tower_route_tls_secret: ''
+
+# Host to create the root with.
+# If not specific will default to --
+#
+tower_route_host: ''
+
 tower_hostname: '{{ deployment_type }}.example.com'
 tower_admin_user: admin
diff --git a/roles/installer/tasks/load_route_tls_secret.yml b/roles/installer/tasks/load_route_tls_secret.yml
new file mode 100644
index 00000000..03b50226
--- /dev/null
+++ b/roles/installer/tasks/load_route_tls_secret.yml
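Review bot: The CRD `enum` for `tower_route_tls_termination_mechanism` admits only `Edge` and `Passthrough`, while the new default in `roles/installer/defaults/main.yml` is `edge` and its comment documents `edge, passthrough` in lower case; enum validation is case-sensitive, so a user who copies the documented spelling into the AWX resource is rejected by the API server even though the template later lowercases the value. Either add the lower-case spellings to the enum or make the comment match the CRD: `# the services. Supported mechanisms are: Edge, Passthrough`. The `tower_route_host` comment is left unfinished at `# If not specific will default to --`; since the template emits `host:` only when the value is non-empty, it should say what an empty value means, e.g. `# If not specified, the Route host is left for the OpenShift router to generate.` (presumably the router's default hostname, confirm). The CRD description `The DNS to use to points to the instance` reads better as `The DNS name to set as the Route host`.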
@@ -0,0 +1,17 @@
+---
+- name: Retrieve Route TLS Secret
+ community.kubernetes.k8s_info:
+ kind: Secret
+ namespace: '{{ meta.namespace }}'
+ name: '{{ tower_route_tls_secret }}'
+ register: route_tls
+
+- name: Load Route TLS Secret content
+ set_fact:
+ tower_route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
+ tower_route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+
+- name: Load Route TLS Secret content
+ set_fact:
+ tower_route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+ when: '"ca.crt" in route_tls["resources"][0]["data"]'
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 473f57b3..85e8a87a 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -8,6 +8,12 @@
 - name: Include database configuration tasks
 include_tasks: database_configuration.yml
+- name: Load Route TLS certificate
+ include_tasks: load_route_tls_secret.yml
+ when:
+ - tower_ingress_type | lower == 'route'
+ - tower_route_tls_secret != ''
+
 - name: Ensure configured instance resources exist in the cluster.
 k8s:
 apply: yes
diff --git a/roles/installer/templates/tower.yaml.j2 b/roles/installer/templates/tower.yaml.j2
index bbc47300..64056f0e 100644
--- a/roles/installer/templates/tower.yaml.j2
+++ b/roles/installer/templates/tower.yaml.j2
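Review bot: Nothing guards `route_tls["resources"][0]` in the two `set_fact` tasks — when `tower_route_tls_secret` names a Secret that does not exist in `{{ meta.namespace }}`, or one without `tls.key`/`tls.crt` data, `k8s_info` succeeds with an empty `resources` list and the reconcile fails on a bare index or key error instead of telling the user which secret is wrong; an `assert` between the lookup and the first `set_fact`, with `that: route_tls.resources | length == 1` and a `fail_msg` naming the secret and namespace, gives a clear failure. The decoded private key is stored in the `tower_route_tls_key` fact and the base64 form in the registered `route_tls` result, and both can be printed in task output when the operator runs with verbosity or on failure; add `no_log: true` to the `k8s_info` task and to both `set_fact` tasks. The second and third tasks share the name `Load Route TLS Secret content`; the third should read `Load Route TLS Secret CA certificate (optional)` so the log distinguishes them.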
@@ -267,11 +267,24 @@ metadata:
 name: '{{ meta.name }}'
 namespace: '{{ meta.namespace }}'
 spec:
+{% if tower_route_host != '' %}
+ host: {{ tower_route_host }}
+{% endif %}
 port:
 targetPort: http
 tls:
 insecureEdgeTerminationPolicy: Redirect
- termination: edge
+ termination: {{ tower_route_tls_termination_mechanism | lower }}
+{% if tower_route_tls_termination_mechanism | lower == 'edge' and tower_route_tls_secret != '' %}
+ key: |-
+{{ tower_route_tls_key | indent(width=6, indentfirst=True) }}
+ certificate: |-
+{{ tower_route_tls_crt | indent(width=6, indentfirst=True) }}
+{% if tower_route_ca_crt is defined %}
+ caCertificate: |-
+{{ tower_route_ca_crt | indent(width=6, indentfirst=True) }}
+{% endif %}
+{% endif %}
 to:
 kind: Service
 name: {{ meta.name }}-service
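Review bot: The three `indent(width=6, indentfirst=True)` calls use the `indentfirst` keyword, which Jinja2 deprecated in 2.10 and removed in 3.0 in favour of `first`; once the operator image moves to an Ansible release built on Jinja2 3 the Route template stops rendering, so write `indent(width=6, first=True)` now (supported from 2.10). `host: {{ tower_route_host }}` is rendered unquoted, unlike the `name` and `namespace` values two lines above; a host that YAML reads as something other than a string changes type before it reaches the API server, so `host: '{{ tower_route_host }}'` keeps the two consistent. Worth a template comment above `termination:`: with `passthrough` the router forwards the TLS stream unchanged to `targetPort: http`, so that option only works if the instance terminates TLS itself on that port — presumably it does not today, confirm before exposing the option. The Route definition starts before line 267 and its remainder is outside the hunk.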