diff --git a/README.md b/README.md
index 1b850376..025e5a6b 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
 * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
 * [Privileged Tasks](#privileged-tasks)
 * [Containers Resource Requirements](#containers-resource-requirements)
- * [LDAP Certificate Authority](#ldap-certificate-authority)
+ * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
 * [Persisting Projects Directory](#persisting-projects-directory)
 * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
 * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
@@ -505,28 +505,36 @@ spec:
 effect: "NoSchedule"
 ```
-#### LDAP Certificate Authority
+#### Trusting a Custom Certificate Authority
-If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
-| Name | Description | Default |
-| -------------------------------- | --------------------------------------- | --------|
-| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
+Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
+| Name | Description | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
+| bundle_cacert_secret | Certificate Authority secret name | '' |
+
+Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
+
 Example of customization could be:
 ```yaml
 ---
 spec:
 ...
- ldap_cacert_secret: -ldap-ca-cert
+ ldap_cacert_secret: -custom-certs
+ bundle_cacert_secret: -custom-certs
 ```
 To create the secret, you can use the command below:
 ```sh
-# kubectl create secret generic -ldap-ca-cert --from-file=ldap-ca.crt=
+# kubectl create secret generic -custom-certs \
+ --from-file=ldap-ca.crt= \
+ --from-fle=bundle-ca.crt=
 ```
 #### Persisting Projects Directory
diff --git a/ansible/templates/crd.yml.j2 b/ansible/templates/crd.yml.j2
index 2a56eb10..9a23d393 100644
--- a/ansible/templates/crd.yml.j2
+++ b/ansible/templates/crd.yml.j2
@@ -285,6 +285,12 @@ spec:
 redis_image_version:
 description: Redis container image version to use
 type: string
+ init_container_image:
+ description: Registry path to the init container to use
+ type: string
+ init_container_image_version:
+ description: Init container image version to use
+ type: string
 postgres_image:
 description: Registry path to the PostgreSQL container to use
 type: string
@@ -344,6 +350,9 @@ spec:
 ldap_cacert_secret:
 description: Secret where can be found the LDAP trusted Certificate Authority Bundle
 type: string
+ bundle_cacert_secret:
+ description: Secret where can be found the trusted Certificate Authority Bundle
+ type: string
 projects_persistence:
 description: Whether or not the /var/lib/projects directory will be persistent
 default: false
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 50939d41..1888b7a7 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -287,6 +287,12 @@ spec:
 redis_image_version:
 description: Redis container image version to use
 type: string
+ init_container_image:
+ description: Registry path to the init container to use
+ type: string
+ init_container_image_version:
+ description: Init container image version to use
+ type: string
 postgres_image:
 description: Registry path to the PostgreSQL container to use
 type: string
@@ -346,6 +352,9 @@ spec:
 ldap_cacert_secret:
 description: Secret where can be found the LDAP trusted Certificate Authority Bundle
 type: string
+ bundle_cacert_secret:
+ description: Secret where can be found the trusted Certificate Authority Bundle
+ type: string
 projects_persistence:
 description: Whether or not the /var/lib/projects directory will be persistent
 default: false
diff --git a/deploy/crds/awx_v1beta1_crd.yaml b/deploy/crds/awx_v1beta1_crd.yaml
index 2a56eb10..9a23d393 100644
--- a/deploy/crds/awx_v1beta1_crd.yaml
+++ b/deploy/crds/awx_v1beta1_crd.yaml
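Review bot: The description added for `bundle_cacert_secret` in the second hunk (and repeated verbatim in deploy/awx-operator.yaml, deploy/crds and the OLM manifest) does not name the data key the Secret must carry, yet load_bundle_cacert_secret.yml only sets `bundle_ca_crt` when `bundle-ca.crt` is present, so a user who fills this field from the CRD schema alone can end up with a setting that is silently ignored. Suggest `description: Secret where the trusted Certificate Authority bundle can be found; it must contain the data key bundle-ca.crt`. The `init_container_image` description could likewise say that the image must provide `update-ca-trust`, since that is what the init container in deployment.yaml.j2 runs. The OLM copy also reads `Initcontainer image version to use` where the other three files say `Init container image version to use`; worth aligning, as those files otherwise mirror this template.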
@@ -285,6 +285,12 @@ spec:
 redis_image_version:
 description: Redis container image version to use
 type: string
+ init_container_image:
+ description: Registry path to the init container to use
+ type: string
+ init_container_image_version:
+ description: Init container image version to use
+ type: string
 postgres_image:
 description: Registry path to the PostgreSQL container to use
 type: string
@@ -344,6 +350,9 @@ spec:
 ldap_cacert_secret:
 description: Secret where can be found the LDAP trusted Certificate Authority Bundle
 type: string
+ bundle_cacert_secret:
+ description: Secret where can be found the trusted Certificate Authority Bundle
+ type: string
 projects_persistence:
 description: Whether or not the /var/lib/projects directory will be persistent
 default: false
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
index ff0aed23..79d097f9 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -35,6 +35,9 @@ spec:
 broadcast_websocket_secret:
 description: Secret where the broadcast websocket secret can be found
 type: string
+ bundle_cacert_secret:
+ description: Secret where can be found the trusted Certificate Authority Bundle
+ type: string
 ca_trust_bundle:
 description: Path where the trusted CA bundle is available
 type: string
@@ -149,6 +152,12 @@ spec:
 - Route
 - route
 type: string
+ init_container_image:
+ description: Registry path to the init container to use
+ type: string
+ init_container_image_version:
+ description: Initcontainer image version to use
+ type: string
 kind:
 description: Kind of the deployment type
 type: string
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index f9e9c58a..e14e673d 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -111,6 +111,8 @@ redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
@@ -206,6 +208,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #
diff --git a/roles/installer/tasks/load_bundle_cacert_secret.yml b/roles/installer/tasks/load_bundle_cacert_secret.yml
new file mode 100644
index 00000000..686242ed
--- /dev/null
+++ b/roles/installer/tasks/load_bundle_cacert_secret.yml
@@ -0,0 +1,12 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+ k8s_info:
+ kind: Secret
+ namespace: '{{ meta.namespace }}'
+ name: '{{ bundle_cacert_secret }}'
+ register: bundle_cacert
+
+- name: Load bundle Certificate Authority Secret content
+ set_fact:
+ bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+ when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 1e50f7dc..b072e255 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -25,6 +25,11 @@
 when:
 - ldap_cacert_secret != ''
+- name: Load bundle certificate authority certificate
+ include_tasks: load_bundle_cacert_secret.yml
+ when:
+ - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
 include_tasks: admin_password_configuration.yml
diff --git a/roles/installer/templates/deployment.yaml.j2 b/roles/installer/templates/deployment.yaml.j2
index 293fda1a..f4cef315 100644
--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
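Review bot: `init_container_image_version: 8` pins the default init image to a moving tag rather than an immutable digest, and nothing in the hunk records why this image was chosen: the init container added in deployment.yaml.j2 runs `update-ca-trust`, so any image substituted here must ship that tool and lay out `/etc/pki/ca-trust` the same way, which a reader of this file alone cannot know. A comment above the two lines would save the next maintainer a trip to the template, e.g. `# Image for the init container that rebuilds the CA trust store; it must provide update-ca-trust`. Whether a digest pin is wanted depends on how the other `*_image_version` defaults are meant to be overridden (the context line `redis_image_version: latest` follows the same floating convention), so treat that part as a consistency question rather than a blocker.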
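Review bot: In the new task file, the `when` on the set_fact task indexes `bundle_cacert["resources"][0]` before checking that anything was returned, so a `bundle_cacert_secret` naming a Secret that does not exist in `{{ meta.namespace }}` fails the play with an index error instead of a message saying which Secret is missing; and when the Secret exists without the `bundle-ca.crt` key, the task is skipped, `bundle_ca_crt` keeps its `''` default from vars/main.yml, and every `{% if bundle_ca_crt %}` block in deployment.yaml.j2 is silently left out, so AWX is deployed without the trust the user asked for. An explicit assertion between the lookup and the set_fact turns both cases into a clear failure at reconcile time; the extra check on `data` is there because a Secret with no entries may omit that field entirely, which I have not verified against the API. The include in tasks/main.yml already gates on `bundle_cacert_secret != ''`, so the assertion only runs when the user opted in.
```yaml
  register: bundle_cacert

- name: Verify the bundle Certificate Authority Secret exists and provides bundle-ca.crt
  assert:
    that:
      - bundle_cacert["resources"] | length == 1
      - '"data" in bundle_cacert["resources"][0]'
      - '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'
    fail_msg: 'Secret {{ bundle_cacert_secret }} in namespace {{ meta.namespace }} must exist and contain a bundle-ca.crt data key'

# … unchanged: Load bundle Certificate Authority Secret content task …
```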
@@ -32,6 +32,25 @@ spec:
 {% if image_pull_secret %}
 imagePullSecrets:
 - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt %}
+ initContainers:
+ - name: init
+ image: '{{ init_container_image }}:{{ init_container_image_version }}'
+ imagePullPolicy: '{{ image_pull_policy }}'
+ command:
+ - /bin/sh
+ - -c
+ - |
+ mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+ update-ca-trust
+ volumeMounts:
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
 {% endif %}
 containers:
 - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
 - containerPort: 8053
 {% endif %}
 volumeMounts:
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
+{% endif %}
 - name: "{{ meta.name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/execution_environments.py"
 subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
 args: {{ task_args }}
 {% endif %}
 volumeMounts:
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
+{% endif %}
 - name: "{{ meta.name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/execution_environments.py"
 subPath: execution_environments.py
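Review bot: The init container's script at `mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}` relies on brace expansion, which is a bash extension rather than POSIX `sh`; the default CentOS image links `/bin/sh` to bash, but `init_container_image` is user-configurable, and under a non-bash `/bin/sh` this creates one directory literally named `{java,pem,openssl,edk2}`, after which `update-ca-trust` presumably has nowhere to write. Spelling the four paths out is cheap: `mkdir -p /etc/pki/ca-trust/extracted/java /etc/pki/ca-trust/extracted/pem /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/edk2`. The container also sets no `resources:` while the sibling containers take `*_resource_requirements` (see `ee_resource_requirements` in a later hunk), so a namespace whose ResourceQuota demands limits can reject the pod once this block renders. With no `securityContext` it runs as whatever the image defaults to, which deserves at least a comment since this is the one container in the pod that writes into the shared trust directory.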
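Review bot: The `ca-trust-extracted` mount added to the web container is read-write, although only the init container needs to write into it; the same applies to the task container mount in the next hunk and to the ee container mount at the start of the following hunk. The Secret mount directly below it already carries `readOnly: true`, so giving the emptyDir mount the same flag keeps each application container from being able to alter the trust store the other two rely on: add `readOnly: true` after `mountPath: "/etc/pki/ca-trust/extracted"` in all three places. If anything in those containers is expected to re-run `update-ca-trust` at runtime, that expectation should be documented on the mount instead.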
@@ -211,6 +246,14 @@ spec:
 resources: {{ ee_resource_requirements }}
 args: ['receptor', '--config', '/etc/receptor.conf']
 volumeMounts:
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
+{% endif %}
 - name: "{{ meta.name }}-receptor-config"
 mountPath: "/etc/receptor.conf"
 subPath: receptor.conf
@@ -241,6 +284,16 @@ spec:
 {{ tolerations | indent(width=8) }}
 {% endif %}
 volumes:
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ emptyDir: {}
+ - name: "{{ meta.name }}-bundle-cacert"
+ secret:
+ secretName: "{{ bundle_cacert_secret }}"
+ items:
+ - key: bundle-ca.crt
+ path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
 - name: "{{ meta.name }}-nginx-certs"
 secret:
diff --git a/roles/installer/vars/main.yml b/roles/installer/vars/main.yml
index fa8fd172..196f2f33 100644
--- a/roles/installer/vars/main.yml
+++ b/roles/installer/vars/main.yml
@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''