Pass in private_data_dir when project update is on K8S

In OCP/K8S, projects run in the task pod's ee container. The private_data_dir is not extracted to /runner. Instead, the project update runs directly from the mounted in private_data_dir, e.g. /tmp/awx_1_abcd. When injecting a credential that uses extra vars, we pass the private_data_dir as as the container_root, so that the correct command line argument is generated, e.g. "-e /tmp/awx_1_abcd/env/extra_var_file". Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-01-13 11:00:03 -03:30 · 2025-03-11 23:12:10 -04:00 · 2025-03-11 23:12:10 -04:00 · 0f0f5aa289
commit 0f0f5aa289
parent bc12fa2283
5 changed files with 12 additions and 8 deletions
--- a/awx/api/views/analytics.py
+++ b/awx/api/views/analytics.py
@ -10,7 +10,7 @@ from awx.api.generics import APIView, Response
 from awx.api.permissions import AnalyticsPermission
 from awx.api.versioning import reverse
 from awx.main.utils import get_awx_version
-from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_ENDPOINT
+from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_TOKEN_ENDPOINT
 from rest_framework import status

 from collections import OrderedDict
@ -205,7 +205,7 @@ class AnalyticsGenericView(APIView):
            try:
                rh_user = self._get_setting('REDHAT_USERNAME', None, ERROR_MISSING_USER)
                rh_password = self._get_setting('REDHAT_PASSWORD', None, ERROR_MISSING_PASSWORD)
-                client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_ENDPOINT, ['api.console'])
+                client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_TOKEN_ENDPOINT, ['api.console'])
                response = client.make_request(
                    method,
                    url,
--- a/awx/main/analytics/core.py
+++ b/awx/main/analytics/core.py
@ -22,7 +22,7 @@ from ansible_base.lib.utils.db import advisory_lock
 from awx.main.models import Job
 from awx.main.access import access_registry
 from awx.main.utils import get_awx_http_client_headers, set_environ, datetime_hook
-from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_ENDPOINT
+from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_TOKEN_ENDPOINT

 __all__ = ['register', 'gather', 'ship']

@ -379,7 +379,7 @@ def ship(path):
        with set_environ(**settings.AWX_TASK_ENV):
            if rh_user and rh_password:
                try:
-                    client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_ENDPOINT, ['api.console'])
+                    client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_TOKEN_ENDPOINT, ['api.console'])
                    response = client.make_request("POST", url, headers=s.headers, files=files, verify=settings.INSIGHTS_CERT_PATH, timeout=(31, 31))
                except requests.RequestException:
                    logger.error("Automation Analytics API request failed, trying base auth method")
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@ -550,10 +550,10 @@ class CredentialType(CommonModelNameNotUnique):
        # TODO: User "side-loaded" credential custom_injectors isn't supported
        ManagedCredentialType.registry[ns] = SimpleNamespace(namespace=ns, name=plugin.name, kind='external', inputs=plugin.inputs, backend=plugin.backend)

-    def inject_credential(self, credential, env, safe_env, args, private_data_dir):
+    def inject_credential(self, credential, env, safe_env, args, private_data_dir, container_root=None):
        from awx_plugins.interfaces._temporary_private_inject_api import inject_credential

-        inject_credential(self, credential, env, safe_env, args, private_data_dir)
+        inject_credential(self, credential, env, safe_env, args, private_data_dir, container_root=container_root)


 class CredentialTypeHelper:
--- a/awx/main/tasks/jobs.py
+++ b/awx/main/tasks/jobs.py
@ -522,9 +522,13 @@ class BaseTask(object):

            credentials = self.build_credentials_list(self.instance)

+            container_root = None
+            if settings.IS_K8S and isinstance(self.instance, ProjectUpdate):
+                container_root = private_data_dir
+
            for credential in credentials:
                if credential:
-                    credential.credential_type.inject_credential(credential, env, self.safe_cred_env, args, private_data_dir)
+                    credential.credential_type.inject_credential(credential, env, self.safe_cred_env, args, private_data_dir, container_root=container_root)

            self.runner_callback.safe_env.update(self.safe_cred_env)

--- a/awx/main/utils/analytics_proxy.py
+++ b/awx/main/utils/analytics_proxy.py
@ -10,7 +10,7 @@ from typing import Optional, Any

 import requests

-DEFAULT_OIDC_ENDPOINT = 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'
+DEFAULT_OIDC_TOKEN_ENDPOINT = 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'


 class TokenError(requests.RequestException):