# AWX Web ConfigMap. --- apiVersion: v1 kind: ConfigMap metadata: name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap' namespace: '{{ ansible_operator_meta.namespace }}' labels: {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }} data: environment: | AWX_SKIP_MIGRATIONS=true settings: | import os import socket # Import all so that extra_settings works properly try: # Some AWX setups may have no django_auth_ldap dependency. from django_auth_ldap.config import * except: pass def get_secret(): if os.path.exists("/etc/tower/SECRET_KEY"): return open('/etc/tower/SECRET_KEY', 'rb').read().strip() ADMINS = () STATIC_ROOT = '/var/lib/awx/public/static' STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}' PROJECTS_ROOT = '/var/lib/awx/projects' JOBOUTPUT_ROOT = '/var/lib/awx/job_status' IS_K8S = True {% if "limits" in task_resource_requirements and "memory" in task_resource_requirements["limits"] %} # Set memory available based off of resource request/limit for the task pod SYSTEM_TASK_ABS_MEM = '{{ task_resource_requirements["limits"]["memory"] }}' {% endif %} {% if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] %} # Set cpu available based off of resource request/limit for the task pod SYSTEM_TASK_ABS_CPU = '{{ task_resource_requirements["limits"]["cpu"] }}' {% endif %} {%- set cpu_limit = task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] -%} {%- if cpu_limit is defined -%} {%- set callback_receiver_cpu = cpu_limit | cpu_string_to_decimal -%} {%- if callback_receiver_cpu |int > 4 %} # Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers JOB_EVENT_WORKERS = {{ callback_receiver_cpu }} {%- endif -%} {%- endif %} SECRET_KEY = get_secret() ALLOWED_HOSTS = ['*'] INTERNAL_API_URL = 'http://127.0.0.1:8052' {% if api_urlpattern_prefix | length > 0 %} OPTIONAL_API_URLPATTERN_PREFIX = '{{ api_urlpattern_prefix }}' {% endif %} # Container environments don't like chroots AWX_PROOT_ENABLED = False # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True CLUSTER_HOST_ID = socket.gethostname() SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000') CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }} SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }} SERVER_EMAIL = 'root@localhost' DEFAULT_FROM_EMAIL = 'webmaster@localhost' EMAIL_SUBJECT_PREFIX = '[AWX] ' EMAIL_HOST = 'localhost' EMAIL_PORT = 25 EMAIL_HOST_USER = '' EMAIL_HOST_PASSWORD = '' EMAIL_USE_TLS = False USE_X_FORWARDED_PORT = True BROADCAST_WEBSOCKET_PORT = 8052 BROADCAST_WEBSOCKET_PROTOCOL = 'http' RECEPTOR_LOG_LEVEL = '{{ receptor_log_level }}' {% for item in extra_settings | default([]) %} {{ item.setting }} = {{ item.value }} {% endfor %} nginx_conf: | worker_processes {{ nginx_worker_processes }}; worker_cpu_affinity {{ nginx_worker_cpu_affinity }}; pid /tmp/nginx.pid; events { worker_connections {% if nginx_worker_connections > 1024 %}{{ nginx_worker_connections }}{% else %}1024{% endif %}; } http { include /etc/nginx/mime.types; default_type application/octet-stream; server_tokens off; client_max_body_size 5M; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /dev/stdout main; map $http_upgrade $connection_upgrade { default upgrade; '' close; } sendfile on; #tcp_nopush on; #gzip on; upstream uwsgi { server 127.0.0.1:8050; } upstream daphne { server 127.0.0.1:8051; } {% if route_tls_termination_mechanism | lower == 'passthrough' %} server { listen 8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% if not ipv6_disabled %} listen [::]:8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% endif %} server_name _; # Redirect all HTTP links to the matching HTTPS page return 301 https://$host:8053$request_uri; } {% endif %} server { {% if route_tls_termination_mechanism | lower == 'passthrough' %} listen 8053 ssl{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% if not ipv6_disabled %} listen [::]:8053 ssl{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% endif %} ssl_certificate /etc/nginx/pki/web.crt; ssl_certificate_key /etc/nginx/pki/web.key; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ciphers PROFILE=SYSTEM; ssl_prefer_server_ciphers on; {% else %} listen 8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% if not ipv6_disabled %} listen [::]:8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %}; {% endif %} {% endif %} # If you have a domain name, this is where to add it server_name _; keepalive_timeout 65; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff; location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location {{ (ingress_path + '/static').replace('//', '/') }} { alias /var/lib/awx/public/static/; } location {{ (ingress_path + '/locales').replace('//', '/') }} { alias /var/lib/awx/public/static/awx/locales; } location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} { alias /var/lib/awx/public/static/media/favicon.ico; } {% if api_urlpattern_prefix | length > 0 %} location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/' + api_urlpattern_prefix + '/v2/websocket/').replace('//', '/') }}) { {% else %} location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}) { {% endif %} # Pass request to the upstream alias proxy_pass http://daphne; # Require http version 1.1 to allow for upgrade requests proxy_http_version 1.1; # We want proxy_buffering off for proxying to websockets. proxy_buffering off; # http://en.wikipedia.org/wiki/X-Forwarded-For proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # enable this if you use HTTPS: proxy_set_header X-Forwarded-Proto https; # pass the Host: header from the client for the sake of redirects proxy_set_header Host $http_host; # We've set the Host header, so we don't need Nginx to muddle # about with redirects proxy_redirect off; # Depending on the request value, set the Upgrade and # connection headers proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } location {{ ingress_path }} { # Add trailing / if missing rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; uwsgi_read_timeout 125s; uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; include /etc/nginx/conf.d/*.conf; proxy_set_header X-Forwarded-Port 443; uwsgi_param HTTP_X_FORWARDED_PORT 443; add_header Strict-Transport-Security max-age=15768000; # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options nosniff; add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Expires "0"; add_header Pragma "no-cache"; } } } redis_conf: | unixsocket /var/run/redis/redis.sock unixsocketperm 777 port 0 bind 127.0.0.1 receptor_conf: | --- - log-level: {{ receptor_log_level }} - local-only: null - node: firewallrules: - action: reject tonode: HOSTNAME toservice: control - control-service: service: control filename: /var/run/receptor/receptor.sock permissions: '0660' - work-command: worktype: local command: ansible-runner params: worker allowruntimeparams: true - work-kubernetes: worktype: kubernetes-runtime-auth authmethod: runtime allowruntimeauth: true allowruntimepod: true allowruntimeparams: true - work-kubernetes: worktype: kubernetes-incluster-auth authmethod: incluster allowruntimeauth: true allowruntimepod: true allowruntimeparams: true - tls-client: cert: /etc/receptor/tls/receptor.crt key: /etc/receptor/tls/receptor.key name: tlsclient rootcas: /etc/receptor/tls/ca/mesh-CA.crt mintls13: false - work-signing: privatekey: /etc/receptor/work_private_key.pem tokenexpiration: 1m uwsgi_conf: | [uwsgi] socket = 127.0.0.1:8050 processes = {{ uwsgi_processes }} listen = {{ uwsgi_listen_queue_size }} master = true vacuum = true no-orphans = true lazy-apps = true manage-script-name = true master-fifo = /var/lib/awx/awxfifo max-requests = 1000 buffer-size = 32768 harakiri = 120 harakiri-graceful-timeout = 115 harakiri-graceful-signal = 6 py-call-osafterfork = true if-env = UWSGI_MOUNT_PATH mount = %(_)=awx.wsgi:application endif = if-not-env = UWSGI_MOUNT_PATH mount = /=awx.wsgi:application endif =