internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-26 21:33:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added ability to trust a custom bundle CA

Browse Source
This commit is contained in:
Marcelo Moreira de Mello
2021-06-11 00:23:34 -04:00
parent 1fb429b1ed
commit f2e43db37c
10 changed files with 128 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@@ -24,7 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx) * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
* [Privileged Tasks](#privileged-tasks) * [Privileged Tasks](#privileged-tasks)
* [Containers Resource Requirements](#containers-resource-requirements) * [Containers Resource Requirements](#containers-resource-requirements)
* [LDAP Certificate Authority](#ldap-certificate-authority) * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
* [Persisting Projects Directory](#persisting-projects-directory) * [Persisting Projects Directory](#persisting-projects-directory)
* [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options) * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
* [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers) * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
@@ -505,28 +505,36 @@ spec:
effect: "NoSchedule" effect: "NoSchedule"
``` ```
#### LDAP Certificate Authority #### Trusting a Custom Certificate Authority
If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret. In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
| Name | Description | Default | Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
| -------------------------------- | --------------------------------------- | --------|
| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | --------|
| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
| bundle_cacert_secret | Certificate Authority secret name | '' |
Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
Example of customization could be: Example of customization could be:
```yaml ```yaml
--- ---
spec: spec:
... ...
ldap_cacert_secret: <resourcename>-ldap-ca-cert ldap_cacert_secret: <resourcename>-custom-certs
bundle_cacert_secret: <resourcename>-custom-certs
``` ```
To create the secret, you can use the command below: To create the secret, you can use the command below:
```sh ```sh
# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE> # kubectl create secret generic <resourcename>-custom-certs \
--from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE> \
--from-fle=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
``` ```
#### Persisting Projects Directory #### Persisting Projects Directory

9
ansible/templates/crd.yml.j2
View File

@@ -285,6 +285,12 @@ spec:
redis_image_version: redis_image_version:
description: Redis container image version to use description: Redis container image version to use
type: string type: string
init_container_image:
description: Registry path to the init container to use
type: string
init_container_image_version:
description: Init container image version to use
type: string
postgres_image: postgres_image:
description: Registry path to the PostgreSQL container to use description: Registry path to the PostgreSQL container to use
type: string type: string
@@ -344,6 +350,9 @@ spec:
ldap_cacert_secret: ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
type: string
projects_persistence: projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent description: Whether or not the /var/lib/projects directory will be persistent
default: false default: false

9
deploy/awx-operator.yaml
View File

@@ -287,6 +287,12 @@ spec:
redis_image_version: redis_image_version:
description: Redis container image version to use description: Redis container image version to use
type: string type: string
init_container_image:
description: Registry path to the init container to use
type: string
init_container_image_version:
description: Init container image version to use
type: string
postgres_image: postgres_image:
description: Registry path to the PostgreSQL container to use description: Registry path to the PostgreSQL container to use
type: string type: string
@@ -346,6 +352,9 @@ spec:
ldap_cacert_secret: ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
type: string
projects_persistence: projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent description: Whether or not the /var/lib/projects directory will be persistent
default: false default: false

9
deploy/crds/awx_v1beta1_crd.yaml
View File

@@ -285,6 +285,12 @@ spec:
redis_image_version: redis_image_version:
description: Redis container image version to use description: Redis container image version to use
type: string type: string
init_container_image:
description: Registry path to the init container to use
type: string
init_container_image_version:
description: Init container image version to use
type: string
postgres_image: postgres_image:
description: Registry path to the PostgreSQL container to use description: Registry path to the PostgreSQL container to use
type: string type: string
@@ -344,6 +350,9 @@ spec:
ldap_cacert_secret: ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
type: string
projects_persistence: projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent description: Whether or not the /var/lib/projects directory will be persistent
default: false default: false

9
deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
View File

@@ -35,6 +35,9 @@ spec:
broadcast_websocket_secret: broadcast_websocket_secret:
description: Secret where the broadcast websocket secret can be found description: Secret where the broadcast websocket secret can be found
type: string type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
type: string
ca_trust_bundle: ca_trust_bundle:
description: Path where the trusted CA bundle is available description: Path where the trusted CA bundle is available
type: string type: string
@@ -149,6 +152,12 @@ spec:
- Route - Route
- route - route
type: string type: string
init_container_image:
description: Registry path to the init container to use
type: string
init_container_image_version:
description: Initcontainer image version to use
type: string
kind: kind:
description: Kind of the deployment type description: Kind of the deployment type
type: string type: string

5
roles/installer/defaults/main.yml
View File

@@ -111,6 +111,8 @@ redis_image: docker.io/redis
redis_image_version: latest redis_image_version: latest
postgres_image: postgres postgres_image: postgres
postgres_image_version: 12 postgres_image_version: 12
init_container_image: quay.io/centos/centos
init_container_image_version: 8
image_pull_policy: IfNotPresent image_pull_policy: IfNotPresent
image_pull_secret: '' image_pull_secret: ''
@@ -206,6 +208,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
# #
ldap_cacert_secret: '' ldap_cacert_secret: ''
# Secret to lookup that provides the custom CA trusted bundle
bundle_cacert_secret: ''
# Whether secrets should be garbage collected # Whether secrets should be garbage collected
# on teardown # on teardown
# #

12
roles/installer/tasks/load_bundle_cacert_secret.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Retrieve bundle Certificate Authority Secret
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ bundle_cacert_secret }}'
register: bundle_cacert
- name: Load bundle Certificate Authority Secret content
set_fact:
bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

5
roles/installer/tasks/main.yml
View File

@@ -25,6 +25,11 @@
when: when:
- ldap_cacert_secret != '' - ldap_cacert_secret != ''
- name: Load bundle certificate authority certificate
include_tasks: load_bundle_cacert_secret.yml
when:
- bundle_cacert_secret != ''
- name: Include admin password configuration tasks - name: Include admin password configuration tasks
include_tasks: admin_password_configuration.yml include_tasks: admin_password_configuration.yml

53
roles/installer/templates/deployment.yaml.j2
View File

@@ -32,6 +32,25 @@ spec:
{% if image_pull_secret %} {% if image_pull_secret %}
imagePullSecrets: imagePullSecrets:
- name: {{ image_pull_secret }} - name: {{ image_pull_secret }}
{% endif %}
{% if bundle_ca_crt %}
initContainers:
- name: init
image: '{{ init_container_image }}:{{ init_container_image_version }}'
imagePullPolicy: '{{ image_pull_policy }}'
command:
- /bin/sh
- -c
- |
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
update-ca-trust
volumeMounts:
- name: "ca-trust-extracted"
mountPath: "/etc/pki/ca-trust/extracted"
- name: "{{ meta.name }}-bundle-cacert"
mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
subPath: bundle-ca.crt
readOnly: true
{% endif %} {% endif %}
containers: containers:
- image: '{{ redis_image }}:{{ redis_image_version }}' - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
- containerPort: 8053 - containerPort: 8053
{% endif %} {% endif %}
volumeMounts: volumeMounts:
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
mountPath: "/etc/pki/ca-trust/extracted"
- name: "{{ meta.name }}-bundle-cacert"
mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
subPath: bundle-ca.crt
readOnly: true
{% endif %}
- name: "{{ meta.name }}-application-credentials" - name: "{{ meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/execution_environments.py" mountPath: "/etc/tower/conf.d/execution_environments.py"
subPath: execution_environments.py subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
args: {{ task_args }} args: {{ task_args }}
{% endif %} {% endif %}
volumeMounts: volumeMounts:
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
mountPath: "/etc/pki/ca-trust/extracted"
- name: "{{ meta.name }}-bundle-cacert"
mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
subPath: bundle-ca.crt
readOnly: true
{% endif %}
- name: "{{ meta.name }}-application-credentials" - name: "{{ meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/execution_environments.py" mountPath: "/etc/tower/conf.d/execution_environments.py"
subPath: execution_environments.py subPath: execution_environments.py
@@ -211,6 +246,14 @@ spec:
resources: {{ ee_resource_requirements }} resources: {{ ee_resource_requirements }}
args: ['receptor', '--config', '/etc/receptor.conf'] args: ['receptor', '--config', '/etc/receptor.conf']
volumeMounts: volumeMounts:
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
mountPath: "/etc/pki/ca-trust/extracted"
- name: "{{ meta.name }}-bundle-cacert"
mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
subPath: bundle-ca.crt
readOnly: true
{% endif %}
- name: "{{ meta.name }}-receptor-config" - name: "{{ meta.name }}-receptor-config"
mountPath: "/etc/receptor.conf" mountPath: "/etc/receptor.conf"
subPath: receptor.conf subPath: receptor.conf
@@ -241,6 +284,16 @@ spec:
{{ tolerations | indent(width=8) }} {{ tolerations | indent(width=8) }}
{% endif %} {% endif %}
volumes: volumes:
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
emptyDir: {}
- name: "{{ meta.name }}-bundle-cacert"
secret:
secretName: "{{ bundle_cacert_secret }}"
items:
- key: bundle-ca.crt
path: 'bundle-ca.crt'
{% endif %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %} {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- name: "{{ meta.name }}-nginx-certs" - name: "{{ meta.name }}-nginx-certs"
secret: secret:

1
roles/installer/vars/main.yml
View File

@@ -2,4 +2,5 @@
postgres_initdb_args: '--auth-host=scram-sha-256' postgres_initdb_args: '--auth-host=scram-sha-256'
postgres_host_auth_method: 'scram-sha-256' postgres_host_auth_method: 'scram-sha-256'
ldap_cacert_ca_crt: '' ldap_cacert_ca_crt: ''
bundle_ca_crt: ''
projects_existing_claim: '' projects_existing_claim: ''