mirror of
https://github.com/ansible/awx-operator.git
synced 2026-03-27 22:03:11 +00:00
Compare commits
1 Commits
2.3.0
...
fix-helm-r
| Author | SHA1 | Date | |
|---|---|---|---|
|
e11edb3fcc |
2
.github/workflows/ci.yaml
vendored
2
.github/workflows/ci.yaml
vendored
@@ -14,7 +14,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
name: molecule
|
||||
env:
|
||||
DOCKER_API_VERSION: "1.41"
|
||||
DOCKER_API_VERSION: "1.38"
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
|
||||
@@ -1220,8 +1220,6 @@ With`extra_settings`, you can pass multiple custom settings via the `awx-operato
|
||||
| -------------- | -------------- | ------- |
|
||||
| extra_settings | Extra settings | '' |
|
||||
|
||||
**Note:** Parameters configured in `extra_settings` are set as read-only settings in AWX. As a result, they cannot be changed in the UI after deployment. If you need to change the setting after the initial deployment, you need to change it on the AWX CR spec.
|
||||
|
||||
Example configuration of `extra_settings` parameter
|
||||
|
||||
```yaml
|
||||
|
||||
@@ -95,7 +95,7 @@
|
||||
|
||||
- name: Set url base swap in gitconfig
|
||||
command:
|
||||
cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
|
||||
cmd: "git config --global url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
|
||||
args:
|
||||
chdir: "{{ temp_dir.path }}/"
|
||||
no_log: true
|
||||
|
||||
@@ -90,9 +90,6 @@ spec:
|
||||
postgres_image_version:
|
||||
description: PostgreSQL container image version to use
|
||||
type: string
|
||||
db_management_pod_node_selector:
|
||||
description: nodeSelector for the Postgres pods to backup
|
||||
type: string
|
||||
no_log:
|
||||
description: Configure no_log for no_log tasks
|
||||
type: boolean
|
||||
|
||||
@@ -94,9 +94,6 @@ spec:
|
||||
postgres_image_version:
|
||||
description: PostgreSQL container image version to use
|
||||
type: string
|
||||
db_management_pod_node_selector:
|
||||
description: nodeSelector for the Postgres pods to backup
|
||||
type: string
|
||||
no_log:
|
||||
description: Configure no_log for no_log tasks
|
||||
type: boolean
|
||||
|
||||
@@ -1489,28 +1489,6 @@ spec:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
init_container_resource_requirements:
|
||||
description: Resource requirements for the init container
|
||||
properties:
|
||||
requests:
|
||||
properties:
|
||||
cpu:
|
||||
type: string
|
||||
memory:
|
||||
type: string
|
||||
storage:
|
||||
type: string
|
||||
type: object
|
||||
limits:
|
||||
properties:
|
||||
cpu:
|
||||
type: string
|
||||
memory:
|
||||
type: string
|
||||
storage:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
service_account_annotations:
|
||||
description: ServiceAccount annotations
|
||||
type: string
|
||||
|
||||
@@ -15,7 +15,7 @@ spec:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
|
||||
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
|
||||
args:
|
||||
- "--secure-listen-address=0.0.0.0:8443"
|
||||
- "--upstream=http://127.0.0.1:8080/"
|
||||
|
||||
@@ -371,11 +371,6 @@ spec:
|
||||
path: postgres_storage_requirements
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- description: Init Container resource requirements
|
||||
path: init_container_resource_requirements
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
|
||||
- displayName: Replicas
|
||||
path: replicas
|
||||
x-descriptors:
|
||||
|
||||
@@ -17,14 +17,6 @@ no_log: true
|
||||
# Variable to set when you want backups to be cleaned up when the CRD object is deleted
|
||||
clean_backup_on_delete: false
|
||||
|
||||
|
||||
# Add a nodeSelector for the Postgres pods to backup.
|
||||
# Specify as literal block. E.g.:
|
||||
# db_management_pod_node_selector: |
|
||||
# kubernetes.io/arch: amd64
|
||||
# kubernetes.io/os: linux
|
||||
db_management_pod_node_selector: ''
|
||||
|
||||
# Variable to signal that this role is being run as a finalizer
|
||||
finalizer_run: false
|
||||
|
||||
|
||||
@@ -20,10 +20,6 @@ spec:
|
||||
resources:
|
||||
{{ backup_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
|
||||
{%- endif %}
|
||||
{% if db_management_pod_node_selector %}
|
||||
nodeSelector:
|
||||
{{ db_management_pod_node_selector | indent(width=8) }}
|
||||
{% endif %}
|
||||
volumes:
|
||||
- name: {{ ansible_operator_meta.name }}-backup
|
||||
persistentVolumeClaim:
|
||||
|
||||
@@ -321,11 +321,6 @@ rsyslog_resource_requirements:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
|
||||
init_container_resource_requirements:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
|
||||
# Add extra environment variables to the AWX task/web containers. Specify as
|
||||
# literal block. E.g.:
|
||||
# task_extra_env: |
|
||||
|
||||
@@ -16,11 +16,11 @@ data:
|
||||
import socket
|
||||
# Import all so that extra_settings works properly
|
||||
from django_auth_ldap.config import *
|
||||
|
||||
|
||||
def get_secret():
|
||||
if os.path.exists("/etc/tower/SECRET_KEY"):
|
||||
return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
|
||||
|
||||
|
||||
ADMINS = ()
|
||||
STATIC_ROOT = '/var/lib/awx/public/static'
|
||||
STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
|
||||
@@ -59,20 +59,20 @@ data:
|
||||
|
||||
# Container environments don't like chroots
|
||||
AWX_PROOT_ENABLED = False
|
||||
|
||||
|
||||
# Automatically deprovision pods that go offline
|
||||
AWX_AUTO_DEPROVISION_INSTANCES = True
|
||||
|
||||
|
||||
CLUSTER_HOST_ID = socket.gethostname()
|
||||
SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
|
||||
|
||||
|
||||
CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
|
||||
SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
|
||||
|
||||
|
||||
SERVER_EMAIL = 'root@localhost'
|
||||
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
|
||||
EMAIL_SUBJECT_PREFIX = '[AWX] '
|
||||
|
||||
|
||||
EMAIL_HOST = 'localhost'
|
||||
EMAIL_PORT = 25
|
||||
EMAIL_HOST_USER = ''
|
||||
@@ -101,30 +101,30 @@ data:
|
||||
default_type application/octet-stream;
|
||||
server_tokens off;
|
||||
client_max_body_size 5M;
|
||||
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
|
||||
access_log /dev/stdout main;
|
||||
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
#gzip on;
|
||||
|
||||
|
||||
upstream uwsgi {
|
||||
server 127.0.0.1:8050;
|
||||
}
|
||||
|
||||
|
||||
upstream daphne {
|
||||
server 127.0.0.1:8051;
|
||||
}
|
||||
|
||||
|
||||
|
||||
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
|
||||
server {
|
||||
@@ -163,30 +163,30 @@ data:
|
||||
# If you have a domain name, this is where to add it
|
||||
server_name _;
|
||||
keepalive_timeout 65;
|
||||
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
|
||||
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
|
||||
add_header X-Frame-Options "DENY";
|
||||
# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/static').replace('//', '/') }} {
|
||||
alias /var/lib/awx/public/static/;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
|
||||
alias /var/lib/awx/public/static/media/favicon.ico;
|
||||
}
|
||||
|
||||
|
||||
location {{ (ingress_path + '/websocket').replace('//', '/') }} {
|
||||
# Pass request to the upstream alias
|
||||
proxy_pass http://daphne;
|
||||
@@ -208,7 +208,7 @@ data:
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
|
||||
location {{ ingress_path }} {
|
||||
# Add trailing / if missing
|
||||
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
|
||||
@@ -268,8 +268,8 @@ data:
|
||||
cert: /etc/receptor/tls/receptor.crt
|
||||
key: /etc/receptor/tls/receptor.key
|
||||
name: tlsclient
|
||||
rootcas: /etc/receptor/tls/ca/mesh-CA.crt
|
||||
rootcas: /etc/receptor/tls/ca/receptor-ca.crt
|
||||
mintls13: false
|
||||
- work-signing:
|
||||
privatekey: /etc/receptor/work_private_key.pem
|
||||
privatekey: /etc/receptor/signing/work-private-key.pem
|
||||
tokenexpiration: 1m
|
||||
|
||||
@@ -76,14 +76,14 @@ spec:
|
||||
- name: init
|
||||
image: '{{ _init_container_image }}'
|
||||
imagePullPolicy: '{{ image_pull_policy }}'
|
||||
resources: {{ init_container_resource_requirements }}
|
||||
resources: {{ task_resource_requirements }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
hostname=$MY_POD_NAME
|
||||
receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
|
||||
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
|
||||
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
|
||||
{% if bundle_ca_crt %}
|
||||
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
|
||||
update-ca-trust
|
||||
@@ -98,11 +98,11 @@ spec:
|
||||
fieldPath: metadata.name
|
||||
volumeMounts:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
|
||||
subPath: "tls.key"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
|
||||
@@ -122,7 +122,7 @@ spec:
|
||||
- name: init-projects
|
||||
image: '{{ _init_projects_container_image }}'
|
||||
imagePullPolicy: '{{ image_pull_policy }}'
|
||||
resources: {{ init_container_resource_requirements }}
|
||||
resources: {{ task_resource_requirements }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
@@ -224,7 +224,7 @@ spec:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-config"
|
||||
mountPath: "/etc/receptor/"
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/work_private_key.pem"
|
||||
mountPath: "/etc/receptor/signing/work-private-key.pem"
|
||||
subPath: "work-private-key.pem"
|
||||
readOnly: true
|
||||
- name: receptor-socket
|
||||
@@ -305,11 +305,11 @@ spec:
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-config"
|
||||
mountPath: "/etc/receptor/"
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/work_private_key.pem"
|
||||
mountPath: "/etc/receptor/signing/work-private-key.pem"
|
||||
subPath: "work-private-key.pem"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
|
||||
@@ -343,6 +343,7 @@ spec:
|
||||
{% if ee_extra_env -%}
|
||||
{{ ee_extra_env | indent(width=12, first=True) }}
|
||||
{% endif %}
|
||||
resources: {{ rsyslog_resource_requirements }}
|
||||
- image: '{{ _image }}'
|
||||
name: '{{ ansible_operator_meta.name }}-rsyslog'
|
||||
{% if rsyslog_command %}
|
||||
@@ -352,7 +353,6 @@ spec:
|
||||
args: {{ rsyslog_args }}
|
||||
{% endif %}
|
||||
imagePullPolicy: '{{ image_pull_policy }}'
|
||||
resources: {{ rsyslog_resource_requirements }}
|
||||
volumeMounts:
|
||||
- name: "{{ ansible_operator_meta.name }}-application-credentials"
|
||||
mountPath: "/etc/tower/conf.d/credentials.py"
|
||||
@@ -381,18 +381,6 @@ spec:
|
||||
{% if development_mode | bool %}
|
||||
- name: awx-devel
|
||||
mountPath: "/awx_devel"
|
||||
{% endif %}
|
||||
{% if termination_grace_period_seconds is defined %}
|
||||
- name: pre-stop-data
|
||||
mountPath: /var/lib/pre-stop
|
||||
- name: pre-stop-scripts
|
||||
mountPath: /var/lib/pre-stop/scripts
|
||||
lifecycle:
|
||||
preStop:
|
||||
exec:
|
||||
command:
|
||||
- bash
|
||||
- /var/lib/pre-stop/scripts/termination-waiter
|
||||
{% endif %}
|
||||
env:
|
||||
- name: SUPERVISOR_CONFIG_PATH
|
||||
|
||||
@@ -28,6 +28,7 @@ spec:
|
||||
annotations:
|
||||
{% for template in [
|
||||
"configmaps/config",
|
||||
"configmaps/pre_stop_scripts",
|
||||
"secrets/app_credentials",
|
||||
"storage/persistent",
|
||||
] %}
|
||||
@@ -77,7 +78,7 @@ spec:
|
||||
- name: init
|
||||
image: '{{ _init_container_image }}'
|
||||
imagePullPolicy: '{{ image_pull_policy }}'
|
||||
resources: {{ init_container_resource_requirements }}
|
||||
resources: {{ web_resource_requirements }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
@@ -106,7 +107,7 @@ spec:
|
||||
- name: init-projects
|
||||
image: '{{ _init_projects_container_image }}'
|
||||
imagePullPolicy: '{{ image_pull_policy }}'
|
||||
resources: {{ init_container_resource_requirements }}
|
||||
resources: {{ web_resource_requirements }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
@@ -209,15 +210,15 @@ spec:
|
||||
mountPath: "/var/lib/awx/projects"
|
||||
{% endif %}
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
|
||||
subPath: "tls.crt"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
|
||||
mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
|
||||
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
|
||||
subPath: "tls.key"
|
||||
readOnly: true
|
||||
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
|
||||
mountPath: "/etc/receptor/work_public_key.pem"
|
||||
mountPath: "/etc/receptor/signing/work-public-key.pem"
|
||||
subPath: "work-public-key.pem"
|
||||
readOnly: true
|
||||
{% if development_mode | bool %}
|
||||
@@ -276,6 +277,7 @@ spec:
|
||||
mountPath: "/var/run/redis"
|
||||
- name: rsyslog-socket
|
||||
mountPath: "/var/run/awx-rsyslog"
|
||||
resources: {{ rsyslog_resource_requirements }}
|
||||
{% if bundle_ca_crt %}
|
||||
- name: "ca-trust-extracted"
|
||||
mountPath: "/etc/pki/ca-trust/extracted"
|
||||
@@ -295,7 +297,6 @@ spec:
|
||||
- name: AWX_KUBE_DEVEL
|
||||
value: "1"
|
||||
{% endif %}
|
||||
resources: {{ rsyslog_resource_requirements }}
|
||||
{% if web_node_selector %}
|
||||
nodeSelector:
|
||||
{{ web_node_selector | indent(width=8) }}
|
||||
|
||||
@@ -17,14 +17,6 @@ cluster_name: 'cluster.local'
|
||||
# Set no_log settings on certain tasks
|
||||
no_log: true
|
||||
|
||||
# Add a nodeSelector for the Postgres pods to backup.
|
||||
# Specify as literal block. E.g.:
|
||||
# db_management_pod_node_selector: |
|
||||
# kubernetes.io/arch: amd64
|
||||
# kubernetes.io/os: linux
|
||||
db_management_pod_node_selector: ''
|
||||
|
||||
|
||||
# Default resource requirements
|
||||
restore_resource_requirements:
|
||||
limits:
|
||||
|
||||
@@ -20,10 +20,6 @@ spec:
|
||||
resources:
|
||||
{{ restore_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
|
||||
{%- endif %}
|
||||
{% if db_management_pod_node_selector %}
|
||||
nodeSelector:
|
||||
{{ db_management_pod_node_selector | indent(width=8) }}
|
||||
{% endif %}
|
||||
volumes:
|
||||
- name: {{ ansible_operator_meta.name }}-backup
|
||||
persistentVolumeClaim:
|
||||
|
||||
Reference in New Issue
Block a user