From e4510ff974c2f4e94a410808624c74c63f8dafa3 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 26 May 2020 15:26:37 -0500 Subject: [PATCH 1/4] Issue #42: Upgrade to latest versions of Tower and AWX, switch RabbitMQ to Redis. --- README.md | 6 +- deploy/crds/tower_v1alpha1_tower_cr_awx.yaml | 8 ++- .../crds/tower_v1alpha1_tower_cr_tower.yaml | 8 ++- molecule/test-minikube/converge.yml | 3 +- roles/tower/defaults/main.yml | 12 ++-- roles/tower/tasks/main.yml | 2 +- roles/tower/templates/tower_config.yaml.j2 | 24 +++---- roles/tower/templates/tower_rabbitmq.yaml.j2 | 48 -------------- roles/tower/templates/tower_redis.yaml.j2 | 63 +++++++++++++++++++ 9 files changed, 99 insertions(+), 75 deletions(-) delete mode 100644 roles/tower/templates/tower_rabbitmq.yaml.j2 create mode 100644 roles/tower/templates/tower_redis.yaml.j2 diff --git a/README.md b/README.md index fad189f1..06d05fa3 100644 --- a/README.md +++ b/README.md @@ -61,8 +61,8 @@ If you would like to deploy AWX (the open source upstream of Tower) into your cl --- spec: ... - tower_task_image: ansible/awx_task:9.2.0 - tower_web_image: ansible/awx_web:9.2.0 + tower_task_image: ansible/awx_task:11.2.0 + tower_web_image: ansible/awx_web:11.2.0 ### Ingress Types @@ -124,7 +124,7 @@ This environment is meant for headless testing (e.g. in a CI environment, or whe #### Testing in Minikube - minikube start --memory 6g --cpus 4 + minikube start --memory 8g --cpus 4 minikube addons enable ingress molecule test -s test-minikube diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml index 68e5c3f7..40775eba 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml 
@@ -15,8 +15,8 @@ spec: tower_admin_email: test@example.com tower_admin_password: changeme - tower_task_image: ansible/awx_task:9.2.0 - tower_web_image: ansible/awx_web:9.2.0 + tower_task_image: ansible/awx_task:11.2.0 + tower_web_image: ansible/awx_web:11.2.0 tower_task_mem_request: 1Gi tower_task_cpu_request: 500m @@ -28,7 +28,9 @@ spec: tower_memcached_image: memcached:alpine - tower_rabbitmq_image: rabbitmq:3 + tower_redis_image: redis:latest + tower_redis_mem_request: 1Gi + tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml index 6752d71b..943a856d 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml @@ -15,8 +15,8 @@ spec: tower_admin_email: test@example.com tower_admin_password: changeme - tower_task_image: quay.io/ansible-tower/ansible-tower:3.6.4 - tower_web_image: quay.io/ansible-tower/ansible-tower:3.6.4 + tower_task_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0 + tower_web_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0 tower_task_mem_request: 1Gi tower_task_cpu_request: 500m @@ -28,7 +28,9 @@ spec: tower_memcached_image: memcached:alpine - tower_rabbitmq_image: rabbitmq:3 + tower_redis_image: redis:latest + tower_redis_mem_request: 1Gi + tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/molecule/test-minikube/converge.yml b/molecule/test-minikube/converge.yml index dfd3c9de..a9736dde 100644 --- a/molecule/test-minikube/converge.yml +++ b/molecule/test-minikube/converge.yml 
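Review bot: `tower_redis_image: redis:latest` in the `@@ -28,7 +28,9 @@` hunk is a mutable tag, so a pod restart can pull a different Redis build than the one this change was tested with; the neighbouring `postgres:10` and the AWX/Tower images are at least version-tagged. Pin a specific release, ideally with a digest, e.g. `tower_redis_image: redis:<tested-version>@sha256:<digest>` (placeholders, since the page names no tested Redis version). The same default is added in `deploy/crds/tower_v1alpha1_tower_cr_tower.yaml` and in `roles/tower/defaults/main.yml`, so all three should change together.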
@@ -34,7 +34,8 @@ deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy" pull_policy: Never operator_image: tower.ansible.com/tower-operator:testing - custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_tower.yaml'])) | from_yaml }}" + # Change this to _awx to test AWX, _tower to test Tower. + custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/tower_v1alpha1_tower_cr_awx.yaml'])) | from_yaml }}" tasks: - block: diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index ec06b098..478b3f57 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -10,12 +10,12 @@ tower_admin_email: test@example.com tower_admin_password: changeme # Use these image versions for Ansible Tower. -tower_task_image: quay.io/ansible-tower/ansible-tower:3.6.4 -tower_web_image: quay.io/ansible-tower/ansible-tower:3.6.4 +tower_task_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0 +tower_web_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0 # Use these image versions for Ansible AWX. -# tower_task_image: ansible/awx_task:9.2.0 -# tower_web_image: ansible/awx_web:9.2.0 +# tower_task_image: ansible/awx_task:11.2.0 +# tower_web_image: ansible/awx_web:11.2.0 tower_create_preload_data: true @@ -29,7 +29,9 @@ tower_web_cpu_request: 1000m tower_memcached_image: memcached:alpine -tower_rabbitmq_image: rabbitmq:3 +tower_redis_image: redis:latest +tower_redis_mem_request: 1Gi +tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 34f68e00..96cac97b 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -6,7 +6,7 @@ with_items: - tower_memcached.yaml.j2 - tower_postgres.yaml.j2 - - tower_rabbitmq.yaml.j2 + - tower_redis.yaml.j2 - tower_config.yaml.j2 - tower_web.yaml.j2 - tower_task.yaml.j2 
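Review bot: The converge play in the `@@ -34,7 +34,8 @@` hunk now loads only `tower_v1alpha1_tower_cr_awx.yaml`, and the new comment makes switching back a manual edit. The Tower image move to `registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0` in the same commit therefore appears to go unexercised by this scenario. Consider choosing the CR file from the environment, as the play already does for `deploy_dir`, e.g. `cr_file: "{{ lookup('env', 'TOWER_CR_FILE') | default('crds/tower_v1alpha1_tower_cr_awx.yaml', true) }}"` (the variable and environment names are illustrative), then joining `cr_file` onto `deploy_dir` in `custom_resource`. The play's `vars` and `tasks` continue outside the hunk.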
diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index ee883ba1..5ba56646 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -16,8 +16,8 @@ data: DATABASE_PASSWORD={{ tower_postgres_pass | quote }} MEMCACHED_HOST='{{ meta.name }}-memcached.{{ meta.namespace }}.svc.cluster.local' MEMCACHED_PORT='11211' - RABBITMQ_HOST='{{ meta.name }}-rabbitmq.{{ meta.namespace }}.svc.cluster.local' - RABBITMQ_PORT='5672' + REDIS_HOST='{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local' + REDIS_PORT='6379' AWX_SKIP_MIGRATIONS=true settings: | @@ -110,21 +110,23 @@ data: }, } - BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format( - 'guest', - 'guest', - '{{ meta.name }}-rabbitmq.{{ meta.namespace }}.svc.cluster.local', - '5672', - 'awx') + BROKER_URL = 'redis://{}:{}/'.format( + '{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local', + '6379',) CHANNEL_LAYERS = { - 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer', - 'ROUTING': 'awx.main.routing.channel_routing', - 'CONFIG': {'url': BROKER_URL}} + 'default': {'BACKEND': 'awx.main.channels.RedisGroupBroadcastChannelLayer', + 'CONFIG': {'hosts': [("{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local", 6379)]}} } USE_X_FORWARDED_PORT = True + redis_conf: | + unixsocket /var/run/redis/redis.sock + unixsocketperm 777 + port 0 + bind 127.0.0.1 + nginx_conf: | worker_processes 1; pid /tmp/nginx.pid; diff --git a/roles/tower/templates/tower_rabbitmq.yaml.j2 b/roles/tower/templates/tower_rabbitmq.yaml.j2 deleted file mode 100644 index 0aa4f5dd..00000000 --- a/roles/tower/templates/tower_rabbitmq.yaml.j2 +++ /dev/null 
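Review bot: The new `BROKER_URL = 'redis://{}:{}/'` in the `@@ -110,21 +110,23 @@` hunk carries no password and no TLS, and nothing in this series sets `requirepass` on the server. Once Redis listens on its Service port, any workload that can reach `{{ meta.name }}-redis` could presumably read or write the task queue. Set a password from a Secret and pass it as `'redis://:{}@{}:{}/'.format(<redis password>, ...)` (placeholder, the role defines no such variable yet), and add a NetworkPolicy that admits only the web and task pods to port 6379. In the same hunk, `redis_conf` sets `port 0`, which disables the TCP listener this URL depends on, and `unixsocketperm 777`, which opens the socket to every local user; a later patch on this page removes that block.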
@@ -1,48 +0,0 @@ -# RabbitMQ Deployment. ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: '{{ meta.name }}-rabbitmq' - namespace: '{{ meta.namespace }}' - labels: - app: tower-rabbitmq -spec: - replicas: 1 - selector: - matchLabels: - app: tower-rabbitmq - template: - metadata: - labels: - app: tower-rabbitmq - spec: - containers: - - image: '{{ tower_rabbitmq_image }}' - name: rabbitmq - env: - - name: RABBITMQ_DEFAULT_VHOST - value: awx - - name: RABBITMQ_NODE_PORT - value: '5672' - ports: - - containerPort: 15672 - - containerPort: 5672 - -# RabbitMQ Service. ---- -apiVersion: v1 -kind: Service -metadata: - name: '{{ meta.name }}-rabbitmq' - namespace: '{{ meta.namespace }}' - labels: - app: tower-rabbitmq -spec: - clusterIP: None - ports: - - port: 5672 - protocol: TCP - targetPort: 5672 - selector: - app: tower-rabbitmq diff --git a/roles/tower/templates/tower_redis.yaml.j2 b/roles/tower/templates/tower_redis.yaml.j2 new file mode 100644 index 00000000..64680c71 --- /dev/null +++ b/roles/tower/templates/tower_redis.yaml.j2 
@@ -0,0 +1,63 @@ +# Redis Deployment. +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: '{{ meta.name }}-redis' + namespace: '{{ meta.namespace }}' + labels: + app: tower-redis +spec: + replicas: 1 + selector: + matchLabels: + app: tower-redis + template: + metadata: + labels: + app: tower-redis + spec: + containers: + - image: '{{ tower_redis_image }}' + name: redis + args: ["/usr/local/etc/redis/redis.conf"] + ports: + - containerPort: 6379 + volumeMounts: + - name: redis-config + mountPath: /usr/local/etc/redis/redis.conf + subPath: redis.conf + readOnly: true + - name: redis-socket + mountPath: "/var/run/redis" + resources: + requests: + memory: "{{ tower_redis_mem_request }}" + cpu: "{{ tower_redis_cpu_request }}" + volumes: + - name: redis-config + configMap: + name: "{{ meta.name }}-tower-configmap" + items: + - key: redis_conf + path: redis.conf + - name: redis-socket + emtpyDir: {} + +# Redis Service. +--- +apiVersion: v1 +kind: Service +metadata: + name: '{{ meta.name }}-redis' + namespace: '{{ meta.namespace }}' + labels: + app: tower-redis +spec: + clusterIP: None + ports: + - port: 6379 + protocol: TCP + targetPort: 6379 + selector: + app: tower-redis From aeecc940179b91599e15ab1c708742eb29221a78 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 26 May 2020 16:13:14 -0500 Subject: [PATCH 2/4] Issue #42: Make sure redis is listening on TCP port. --- roles/tower/tasks/main.yml | 2 +- roles/tower/templates/tower_config.yaml.j2 | 6 ------ roles/tower/templates/tower_redis.yaml.j2 | 18 ------------------ 3 files changed, 1 insertion(+), 25 deletions(-) diff --git a/roles/tower/tasks/main.yml b/roles/tower/tasks/main.yml index 96cac97b..086b4771 100644 --- a/roles/tower/tasks/main.yml +++ b/roles/tower/tasks/main.yml @@ -6,8 +6,8 @@ with_items: - tower_memcached.yaml.j2 - tower_postgres.yaml.j2 - - tower_redis.yaml.j2 - tower_config.yaml.j2 + - tower_redis.yaml.j2 - tower_web.yaml.j2 - tower_task.yaml.j2 
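Review bot: `emtpyDir: {}` under the `redis-socket` volume in the new `tower_redis.yaml.j2` is a misspelling of `emptyDir`, so the volume has no recognised source and the Deployment is likely to be rejected or to lose the mount. Even spelled correctly, an `emptyDir` belongs to the Redis pod alone, so a Unix socket placed there would not be reachable from the web or task pods (their templates are not shown here), which connect over TCP per `BROKER_URL`. The container spec also sets no `securityContext` or resource limits; `allowPrivilegeEscalation: false` and a memory limit would be cheap hardening, to be confirmed against the chosen image.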
diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index 5ba56646..e1b501c9 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 @@ -121,12 +121,6 @@ data: USE_X_FORWARDED_PORT = True - redis_conf: | - unixsocket /var/run/redis/redis.sock - unixsocketperm 777 - port 0 - bind 127.0.0.1 - nginx_conf: | worker_processes 1; pid /tmp/nginx.pid; diff --git a/roles/tower/templates/tower_redis.yaml.j2 b/roles/tower/templates/tower_redis.yaml.j2 index 64680c71..f0aee393 100644 --- a/roles/tower/templates/tower_redis.yaml.j2 +++ b/roles/tower/templates/tower_redis.yaml.j2 @@ -20,29 +20,12 @@ spec: containers: - image: '{{ tower_redis_image }}' name: redis - args: ["/usr/local/etc/redis/redis.conf"] ports: - containerPort: 6379 - volumeMounts: - - name: redis-config - mountPath: /usr/local/etc/redis/redis.conf - subPath: redis.conf - readOnly: true - - name: redis-socket - mountPath: "/var/run/redis" resources: requests: memory: "{{ tower_redis_mem_request }}" cpu: "{{ tower_redis_cpu_request }}" - volumes: - - name: redis-config - configMap: - name: "{{ meta.name }}-tower-configmap" - items: - - key: redis_conf - path: redis.conf - - name: redis-socket - emtpyDir: {} # Redis Service. --- @@ -54,7 +37,6 @@ metadata: labels: app: tower-redis spec: - clusterIP: None ports: - port: 6379 protocol: TCP From 5b195cf8729f052485946683412d0e084ac548fc Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 26 May 2020 16:35:27 -0500 Subject: [PATCH 3/4] Issue #42: Use correct redis Django connection info. --- roles/tower/templates/tower_config.yaml.j2 | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/roles/tower/templates/tower_config.yaml.j2 b/roles/tower/templates/tower_config.yaml.j2 index e1b501c9..121c3a1b 100644 --- a/roles/tower/templates/tower_config.yaml.j2 +++ b/roles/tower/templates/tower_config.yaml.j2 
@@ -112,11 +112,17 @@ data: BROKER_URL = 'redis://{}:{}/'.format( '{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local', - '6379',) + '6379') CHANNEL_LAYERS = { - 'default': {'BACKEND': 'awx.main.channels.RedisGroupBroadcastChannelLayer', - 'CONFIG': {'hosts': [("{{ meta.name }}-redis.{{ meta.namespace }}.svc.cluster.local", 6379)]}} + "default": { + "BACKEND": "channels_redis.core.RedisChannelLayer", + "CONFIG": { + "hosts": [BROKER_URL], + "capacity": 10000, + "group_expiry": 157784760, # 5 years + } + } } USE_X_FORWARDED_PORT = True From df73fd664ffda3ce65734ca0e280303c9fd92bbb Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 26 May 2020 16:50:51 -0500 Subject: [PATCH 4/4] Issue #42: Add note about registry auth, drop redis requests. --- README.md | 6 ++++++ deploy/crds/tower_v1alpha1_tower_cr_awx.yaml | 2 -- deploy/crds/tower_v1alpha1_tower_cr_tower.yaml | 2 -- roles/tower/defaults/main.yml | 2 -- roles/tower/templates/tower_redis.yaml.j2 | 4 ---- 5 files changed, 6 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 06d05fa3..20a01b6c 100644 --- a/README.md +++ b/README.md 
@@ -54,6 +54,12 @@ Then you can create instances of Tower, for example: After a few minutes, your new Tower instance will be accessible at `http://tower.mycompany.com/` (assuming your cluster has an Ingress controller configured). Log in using the `tower_admin_` credentials configured in the `spec`, and supply a valid license to begin using Tower. +### Red Hat Registry Authentication + +To deploy Ansible Tower, images are pulled from the Red Hat Registry. Your Kubernetes or OpenShift cluster will have to have [Authentication Enabled for the Red Hat Registry](https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/configuring_clusters/install-config-configuring-red-hat-registry) for this to work, otherwise the Tower image will not be pulled. + +If you deploy Ansible AWX, images are available from public registries, so no authentication is required. + ### Deploy AWX instead of Tower If you would like to deploy AWX (the open source upstream of Tower) into your cluster instead of Tower, override the default variables in the Tower `spec` for the `tower_task_image` and `tower_web_image`, so the AWX container images are used instead: diff --git a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml index 40775eba..9c21484e 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_awx.yaml @@ -29,8 +29,6 @@ spec: tower_memcached_image: memcached:alpine tower_redis_image: redis:latest - tower_redis_mem_request: 1Gi - tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml index 943a856d..9149854f 100644 --- a/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml +++ b/deploy/crds/tower_v1alpha1_tower_cr_tower.yaml 
@@ -29,8 +29,6 @@ spec: tower_memcached_image: memcached:alpine tower_redis_image: redis:latest - tower_redis_mem_request: 1Gi - tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/roles/tower/defaults/main.yml b/roles/tower/defaults/main.yml index 478b3f57..a21548c8 100644 --- a/roles/tower/defaults/main.yml +++ b/roles/tower/defaults/main.yml @@ -30,8 +30,6 @@ tower_web_cpu_request: 1000m tower_memcached_image: memcached:alpine tower_redis_image: redis:latest -tower_redis_mem_request: 1Gi -tower_redis_cpu_request: 500m tower_postgres_pass: awxpass tower_postgres_image: postgres:10 diff --git a/roles/tower/templates/tower_redis.yaml.j2 b/roles/tower/templates/tower_redis.yaml.j2 index f0aee393..5c2df139 100644 --- a/roles/tower/templates/tower_redis.yaml.j2 +++ b/roles/tower/templates/tower_redis.yaml.j2 @@ -22,10 +22,6 @@ spec: name: redis ports: - containerPort: 6379 - resources: - requests: - memory: "{{ tower_redis_mem_request }}" - cpu: "{{ tower_redis_cpu_request }}" # Redis Service. ---