From ed7e2b2a28571b1fa8f4748baebb82f93ef97db7 Mon Sep 17 00:00:00 2001 From: Seth Foster Date: Tue, 27 Sep 2022 14:14:32 -0400 Subject: [PATCH] Add docs for adding execution nodes and custom CA --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 779e7a47..4b4d2a71 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations) * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project) * [Steps to upgrade](#steps-to-upgrade) + * [Add Execution Nodes](#adding-execution-nodes) + * [Custom Receptor CA](#custom-receptor-ca) * [Contributing](#contributing) * [Release Process](#release-process) * [Author](#author) 
@@ -1200,6 +1202,33 @@ Then install the new AWX Operator by following the instructions in [Basic Instal Once the new AWX Operator is up and running, your AWX deployment will also be upgraded. +### Adding Execution Nodes +Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments. +See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature. + +#### Custom Receptor CA +The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor. +Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA). + +A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL. + +Given custom `ca.crt` and `ca.key` stored locally, run the following, + +```bash +kubectl create secret tls awx-demo-receptor-ca \ + --cert=/path/to/ca.crt --key=/path/to/ca.key +``` + +The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name. + +If this secret is created after AWX is deployed, run the following to restart the deployment, + +```bash +kubectl rollout restart deployment awx-demo +``` + +**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes. + ## Contributing Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
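Review bot: In the table-of-contents hunk (@@ -55,6 +55,8 @@), the link text of the first new entry, `Add Execution Nodes`, does not match the heading it points to, which the second hunk adds as `### Adding Execution Nodes`. The anchor `#adding-execution-nodes` is correct, so only the label needs changing: `[Adding Execution Nodes](#adding-execution-nodes)`. Since `Custom Receptor CA` is added as a `####` subsection of that heading, check that its entry is nested one level below the execution-nodes entry rather than listed as a sibling.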
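Review bot: In the Custom Receptor CA section (@@ -1200,6 +1202,33 @@), neither `kubectl create secret tls awx-demo-receptor-ca` nor `kubectl rollout restart deployment awx-demo` names a namespace, so both act on whatever namespace the current context defaults to. The text should state which namespace the secret must be created in and show the flag in both commands, for example `-n <namespace>`. The section should also say plainly that this secret stores `ca.key`: the text states that execution nodes trust any certificate issued by this CA, so read access to the secret is equivalent to the ability to mint certificates those nodes accept, and a sentence recommending that access to it be restricted belongs next to the command. Minor style points: the two lead-in sentences end in a comma before their code blocks ("run the following,") where a colon is expected, and `**Important Note**, changing the receptor CA ...` would read better as `**Important Note**: changing the receptor CA ...`.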