internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-26 21:33:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6a2b42cdde8a4a5591bbd112e01772fb84aa5fa6
awx-operator/roles/installer/templates/configmaps/config.yaml.j2
Elijah DeLee 6a2b42cdde allow configuration of uwsgi timeout 
This is important when you have proxies in front of the service
that may have stricter timeouts, as you need at least as strict a
timeout at uwsgi to get meaningful traceback and see source of problem.
2025-02-19 14:38:54 -05:00

319 lines
11 KiB
Django/Jinja
Raw Blame History

# AWX Web ConfigMap.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
{{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
data:
environment: |
AWX_SKIP_MIGRATIONS=true
settings: |
import os
import socket
# Import all so that extra_settings works properly
try:
# Some AWX setups may have no django_auth_ldap dependency.
from django_auth_ldap.config import *
except:
pass
def get_secret():
if os.path.exists("/etc/tower/SECRET_KEY"):
return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
ADMINS = ()
STATIC_ROOT = '/var/lib/awx/public/static'
STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
PROJECTS_ROOT = '/var/lib/awx/projects'
JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
IS_K8S = True
{% if "limits" in task_resource_requirements and "memory" in task_resource_requirements["limits"] %}
# Set memory available based off of resource request/limit for the task pod
SYSTEM_TASK_ABS_MEM = '{{ task_resource_requirements["limits"]["memory"] }}'
{% endif %}
{% if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] %}
# Set cpu available based off of resource request/limit for the task pod
SYSTEM_TASK_ABS_CPU = '{{ task_resource_requirements["limits"]["cpu"] }}'
{% endif %}
{%- set cpu_limit = task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] -%}
{%- if cpu_limit is defined -%}
{%- set callback_receiver_cpu = cpu_limit | cpu_string_to_decimal -%}
{%- if callback_receiver_cpu |int > 4 %}
# Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
JOB_EVENT_WORKERS = {{ callback_receiver_cpu }}
{%- endif -%}
{%- endif %}
SECRET_KEY = get_secret()
ALLOWED_HOSTS = ['*']
INTERNAL_API_URL = 'http://127.0.0.1:8052'
{% if api_urlpattern_prefix | length > 0 %}
OPTIONAL_API_URLPATTERN_PREFIX = '{{ api_urlpattern_prefix }}'
{% endif %}
# Container environments don't like chroots
AWX_PROOT_ENABLED = False
# Automatically deprovision pods that go offline
AWX_AUTO_DEPROVISION_INSTANCES = True
CLUSTER_HOST_ID = socket.gethostname()
SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
SERVER_EMAIL = 'root@localhost'
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
EMAIL_SUBJECT_PREFIX = '[AWX] '
EMAIL_HOST = 'localhost'
EMAIL_PORT = 25
EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
EMAIL_USE_TLS = False
USE_X_FORWARDED_PORT = True
BROADCAST_WEBSOCKET_PORT = 8052
BROADCAST_WEBSOCKET_PROTOCOL = 'http'
RECEPTOR_LOG_LEVEL = '{{ receptor_log_level }}'
{% for item in extra_settings | default([]) %}
{{ item.setting }} = {{ item.value }}
{% endfor %}
nginx_conf: |
worker_processes {{ nginx_worker_processes }};
worker_cpu_affinity {{ nginx_worker_cpu_affinity }};
pid /tmp/nginx.pid;
events {
worker_connections {% if nginx_worker_connections > 1024 %}{{ nginx_worker_connections }}{% else %}1024{% endif %};
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
client_max_body_size 5M;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
sendfile on;
#tcp_nopush on;
#gzip on;
upstream uwsgi {
server 127.0.0.1:8050;
}
upstream daphne {
server 127.0.0.1:8051;
}
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% if not ipv6_disabled %}
listen [::]:8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% endif %}
server_name _;
# Redirect all HTTP links to the matching HTTPS page
return 301 https://$host:8053$request_uri;
}
{% endif %}
server {
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% if not ipv6_disabled %}
listen [::]:8053 ssl{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% endif %}
ssl_certificate /etc/nginx/pki/web.crt;
ssl_certificate_key /etc/nginx/pki/web.key;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
{% else %}
listen 8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% if not ipv6_disabled %}
listen [::]:8052 default_server{% if nginx_listen_queue_size > 511 %} backlog={{ nginx_listen_queue_size }}{% endif %};
{% endif %}
{% endif %}
# If you have a domain name, this is where to add it
server_name _;
keepalive_timeout 65;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location {{ (ingress_path + '/static').replace('//', '/') }} {
alias /var/lib/awx/public/static/;
}
location {{ (ingress_path + '/locales').replace('//', '/') }} {
alias /var/lib/awx/public/static/awx/locales;
}
location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
alias /var/lib/awx/public/static/media/favicon.ico;
}
{% if api_urlpattern_prefix | length > 0 %}
location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/' + api_urlpattern_prefix + '/v2/websocket/').replace('//', '/') }}) {
{% else %}
location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}) {
{% endif %}
# Pass request to the upstream alias
proxy_pass http://daphne;
# Require http version 1.1 to allow for upgrade requests
proxy_http_version 1.1;
# We want proxy_buffering off for proxying to websockets.
proxy_buffering off;
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if you use HTTPS:
proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client for the sake of redirects
proxy_set_header Host $http_host;
# We've set the Host header, so we don't need Nginx to muddle
# about with redirects
proxy_redirect off;
# Depending on the request value, set the Upgrade and
# connection headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location {{ ingress_path }} {
# Add trailing / if missing
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
uwsgi_read_timeout 125s;
uwsgi_pass uwsgi;
include /etc/nginx/uwsgi_params;
include /etc/nginx/conf.d/*.conf;
proxy_set_header X-Forwarded-Port 443;
uwsgi_param HTTP_X_FORWARDED_PORT 443;
add_header Strict-Transport-Security max-age=15768000;
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Expires "0";
add_header Pragma "no-cache";
}
}
}
redis_conf: |
unixsocket /var/run/redis/redis.sock
unixsocketperm 777
port 0
bind 127.0.0.1
receptor_conf: |
---
- log-level: {{ receptor_log_level }}
- local-only: null
- node:
firewallrules:
- action: reject
tonode: HOSTNAME
toservice: control
- control-service:
service: control
filename: /var/run/receptor/receptor.sock
permissions: '0660'
- work-command:
worktype: local
command: ansible-runner
params: worker
allowruntimeparams: true
- work-kubernetes:
worktype: kubernetes-runtime-auth
authmethod: runtime
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
- work-kubernetes:
worktype: kubernetes-incluster-auth
authmethod: incluster
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
- tls-client:
cert: /etc/receptor/tls/receptor.crt
key: /etc/receptor/tls/receptor.key
name: tlsclient
rootcas: /etc/receptor/tls/ca/mesh-CA.crt
mintls13: false
- work-signing:
privatekey: /etc/receptor/work_private_key.pem
tokenexpiration: 1m
uwsgi_conf: |
[uwsgi]
socket = 127.0.0.1:8050
processes = {{ uwsgi_processes }}
listen = {{ uwsgi_listen_queue_size }}
master = true
vacuum = true
no-orphans = true
lazy-apps = true
manage-script-name = true
master-fifo = /var/lib/awx/awxfifo
max-requests = 1000
buffer-size = 32768
harakiri = {{ uwsgi_timeout|int }}
harakiri-graceful-timeout = {{ [(uwsgi_timeout|int - 2), 1] | max }}
harakiri-graceful-signal = 6
py-call-osafterfork = true
if-env = UWSGI_MOUNT_PATH
mount = %(_)=awx.wsgi:application
endif =
if-not-env = UWSGI_MOUNT_PATH
mount = /=awx.wsgi:application
endif =
Reference in New Issue View Git Blame Copy Permalink