internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-05-08 06:12:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

TLS: Enable customization of TLS behavior on route

Browse Source
This commit is contained in:
Yanis Guenane
2021-02-10 10:37:04 +01:00
parent 121c034e6c
commit c895ca0f6d
7 changed files with 85 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/templates/role.yml.j2
View File

@@ -9,6 +9,7 @@ rules:
- route.openshift.io - route.openshift.io
resources: resources:
- routes - routes
- routes/custom-host
verbs: verbs:
- '*' - '*'
- apiGroups: - apiGroups:

20
deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
View File

@@ -108,6 +108,25 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:select:none - urn:alm:descriptor:com.tectonic.ui:select:none
- urn:alm:descriptor:com.tectonic.ui:select:Ingress - urn:alm:descriptor:com.tectonic.ui:select:Ingress
- urn:alm:descriptor:com.tectonic.ui:select:Route - urn:alm:descriptor:com.tectonic.ui:select:Route
- displayName: Route DNS host
path: tower_route_host
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:label
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- displayName: Route TLS termination mechanism
path: tower_route_tls_termination_mechanism
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:Edge
- urn:alm:descriptor:com.tectonic.ui:select:Passthrough
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- displayName: Route TLS credential secret
path: tower_route_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- displayName: Image Pull Policy - displayName: Image Pull Policy
path: tower_image_pull_policy path: tower_image_pull_policy
x-descriptors: x-descriptors:
@@ -162,6 +181,7 @@ spec:
- route.openshift.io - route.openshift.io
resources: resources:
- routes - routes
- routes/custom-host
verbs: verbs:
- '*' - '*'
- apiGroups: - apiGroups:

12
deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
View File

@@ -42,6 +42,18 @@ spec:
- none - none
- Ingress - Ingress
- Route - Route
tower_route_host:
description: The DNS to use to points to the instance
type: string
tower_route_tls_termination_mechanism:
description: The secure TLS termination mechanism to use
type: string
enum:
- Edge
- Passthrough
tower_route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
tower_image_pull_policy: tower_image_pull_policy:
description: The image pull policy description: The image pull policy
type: string type: string

15
roles/installer/defaults/main.yml
View File

@@ -15,6 +15,21 @@ tower_ingress_annotations: ''
# certificate and key. # certificate and key.
tower_ingress_tls_secret: '' tower_ingress_tls_secret: ''
# The TLS termination mechanism to use to access
# the services. Supported mechanism are: edge, passthrough
#
tower_route_tls_termination_mechanism: edge
# Secret to lookup that provide the TLS specific
# credentials to deploy
#
tower_route_tls_secret: ''
# Host to create the root with.
# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
#
tower_route_host: ''
tower_hostname: '{{ deployment_type }}.example.com' tower_hostname: '{{ deployment_type }}.example.com'
tower_admin_user: admin tower_admin_user: admin

17
roles/installer/tasks/load_route_tls_secret.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Retrieve Route TLS Secret
community.kubernetes.k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_route_tls_secret }}'
register: route_tls
- name: Load Route TLS Secret content
set_fact:
tower_route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
tower_route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
- name: Load Route TLS Secret content
set_fact:
tower_route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
when: '"ca.crt" in route_tls["resources"][0]["data"]'

6
roles/installer/tasks/main.yml
View File

@@ -8,6 +8,12 @@
- name: Include database configuration tasks - name: Include database configuration tasks
include_tasks: database_configuration.yml include_tasks: database_configuration.yml
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- tower_ingress_type | lower == 'route'
- tower_route_tls_secret != ''
- name: Ensure configured instance resources exist in the cluster. - name: Ensure configured instance resources exist in the cluster.
k8s: k8s:
apply: yes apply: yes

15
roles/installer/templates/tower.yaml.j2
View File

@@ -267,11 +267,24 @@ metadata:
name: '{{ meta.name }}' name: '{{ meta.name }}'
namespace: '{{ meta.namespace }}' namespace: '{{ meta.namespace }}'
spec: spec:
{% if tower_route_host != '' %}
host: {{ tower_route_host }}
{% endif %}
port: port:
targetPort: http targetPort: http
tls: tls:
insecureEdgeTerminationPolicy: Redirect insecureEdgeTerminationPolicy: Redirect
termination: edge termination: {{ tower_route_tls_termination_mechanism | lower }}
{% if tower_route_tls_termination_mechanism | lower == 'edge' and tower_route_tls_secret != '' %}
key: |-
{{ tower_route_tls_key | indent(width=6, indentfirst=True) }}
certificate: |-
{{ tower_route_tls_crt | indent(width=6, indentfirst=True) }}
{% if tower_route_ca_crt is defined %}
caCertificate: |-
{{ tower_route_ca_crt | indent(width=6, indentfirst=True) }}
{% endif %}
{% endif %}
to: to:
kind: Service kind: Service
name: {{ meta.name }}-service name: {{ meta.name }}-service