From 119e80c717a683cfb61b8457fa15f524c1a4b030 Mon Sep 17 00:00:00 2001 
From: Shane McDonald
Date: Thu, 4 Mar 2021 18:28:49 -0500
Subject: [PATCH] Delete the old installer directory
---
installer/dockerfile.yml | 6 -
installer/install.yml | 6 -
installer/inventory | 173 ------
.../check_vars/tasks/check_openshift.yml | 48 --
installer/roles/check_vars/tasks/main.yml | 10 -
installer/roles/kubernetes/defaults/main.yml | 62 --
installer/roles/kubernetes/handlers/main.yml | 5 -
installer/roles/kubernetes/tasks/backup.yml | 82 ---
.../roles/kubernetes/tasks/kubernetes.yml | 23 -
.../kubernetes/tasks/kubernetes_auth.yml | 3 -
installer/roles/kubernetes/tasks/main.yml | 320 ----------
.../roles/kubernetes/tasks/openshift.yml | 76 ---
.../roles/kubernetes/tasks/openshift_auth.yml | 56 --
installer/roles/kubernetes/tasks/rekey.yml | 72 ---
installer/roles/kubernetes/tasks/restore.yml | 145 -----
.../kubernetes/templates/configmap.yml.j2 | 206 -------
.../kubernetes/templates/credentials.py.j2 | 16 -
.../kubernetes/templates/deployment.yml.j2 | 556 ------------------
.../kubernetes/templates/environment.sh.j2 | 5 -
.../templates/management-pod.yml.j2 | 106 ----
.../templates/postgres_root_ca.yml.j2 | 8 -
.../templates/postgresql-persistent.yml.j2 | 176 ------
.../templates/postgresql-values.yml.j2 | 64 --
.../roles/kubernetes/templates/secret.yml.j2 | 11 -
.../kubernetes/templates/supervisor.yml.j2 | 149 -----
installer/roles/kubernetes/vars/openshift.yml | 3 -
26 files changed, 2387 deletions(-)
delete mode 100644 installer/dockerfile.yml
delete mode 100644 installer/install.yml
delete mode 100644 installer/inventory
delete mode 100644 installer/roles/check_vars/tasks/check_openshift.yml
delete mode 100644 installer/roles/check_vars/tasks/main.yml
delete mode 100644 installer/roles/kubernetes/defaults/main.yml
delete mode 100644 installer/roles/kubernetes/handlers/main.yml
delete mode 100644 installer/roles/kubernetes/tasks/backup.yml
delete mode 100644 installer/roles/kubernetes/tasks/kubernetes.yml
delete mode 100644
installer/roles/kubernetes/tasks/kubernetes_auth.yml
delete mode 100644 installer/roles/kubernetes/tasks/main.yml
delete mode 100644 installer/roles/kubernetes/tasks/openshift.yml
delete mode 100644 installer/roles/kubernetes/tasks/openshift_auth.yml
delete mode 100644 installer/roles/kubernetes/tasks/rekey.yml
delete mode 100644 installer/roles/kubernetes/tasks/restore.yml
delete mode 100644 installer/roles/kubernetes/templates/configmap.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/credentials.py.j2
delete mode 100644 installer/roles/kubernetes/templates/deployment.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/environment.sh.j2
delete mode 100644 installer/roles/kubernetes/templates/management-pod.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/postgres_root_ca.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/postgresql-persistent.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/postgresql-values.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/secret.yml.j2
delete mode 100644 installer/roles/kubernetes/templates/supervisor.yml.j2
delete mode 100644 installer/roles/kubernetes/vars/openshift.yml
diff --git a/installer/dockerfile.yml b/installer/dockerfile.yml
deleted file mode 100644
index 9b6bfdf974..0000000000
--- a/installer/dockerfile.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Render AWX Dockerfile and sources
- hosts: localhost
- gather_facts: true
- roles:
- - {role: dockerfile}
diff --git a/installer/install.yml b/installer/install.yml
deleted file mode 100644
index a0c6d71f90..0000000000
--- a/installer/install.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Build and deploy AWX
- hosts: all
- roles:
- - {role: check_vars}
- - {role: kubernetes, when: "openshift_host is defined or kubernetes_context is defined"}
diff --git a/installer/inventory b/installer/inventory
deleted file mode 100644
index b9e7d22cfa..0000000000
--- a/installer/inventory
+++ /dev/null
@@ -1,173 +0,0 @@ -localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python3" - -[all:vars] - -# Remove these lines if you want to run a local image build -# Otherwise the setup playbook will install the official Ansible images. Versions may -# be selected based on: latest, 1, 1.0, 1.0.0, 1.0.0.123 -# by default the base will be used to search for ansible/awx -dockerhub_base=ansible - -# Openshift Install -# Will need to set -e openshift_password=developer -e docker_registry_password=$(oc whoami -t) -# or set -e openshift_token=TOKEN -# openshift_host=127.0.0.1:8443 -# openshift_project=awx -# openshift_user=developer -# openshift_skip_tls_verify=False -# openshift_pg_emptydir=True - -# Kubernetes Install -# kubernetes_context=test-cluster -# kubernetes_namespace=awx -# kubernetes_web_svc_type=NodePort -# Optional Kubernetes Variables -# pg_image_registry=docker.io -# pg_serviceaccount=awx -# pg_volume_capacity=5 -# pg_persistence_storageClass=StorageClassName -# pg_persistence_existingclaim=postgres_pvc -# pg_cpu_limit=1000 -# pg_mem_limit=2 - -# Kubernetes Ingress Configuration -# You can use the variables below to configure Kubernetes Ingress -# Set hostname -# kubernetes_ingress_hostname=awx.example.org -# Add annotations. The example below shows an annotation to be used with Traefik but other Ingress controllers are also supported -# kubernetes_ingress_annotations={'kubernetes.io/ingress.class': 'traefik', 'traefik.ingress.kubernetes.io/redirect-entry-point': 'https'} -# Specify a secret for TLS termination -# kubernetes_ingress_tls_secret=awx-cert - -# Kubernetes and Openshift Install Resource Requests -# These are the request and limit values for a pod's container for task/web/redis/management. -# The total amount of requested resources for a pod is the sum of all -# resources requested by all containers in the pod -# A cpu_request of 1500 is 1.5 cores for the container to start out with. 
-# A cpu_limit defines the maximum cores that that container can reserve. -# A mem_request of 2 is for 2 gigabytes of memory for the container -# A mem_limit defines the maximum memory that that container can reserve. -# Default values for these entries can be found in ./roles/kubernetes/defaults/main.yml -# task_cpu_request=1500 -# task_mem_request=2 -# task_cpu_limit=2000 -# task_mem_limit=4 -# web_cpu_limit=1000 -# web_mem_limit=2 -# redis_cpu_limit=1000 -# redis_mem_limit=3 -# management_cpu_limit=2000 -# management_mem_limit=2 - -# Common Docker parameters -awx_task_hostname=awx -awx_web_hostname=awxweb -# Local directory that is mounted in the awx_postgres docker container to place the db in -postgres_data_dir="~/.awx/pgdocker" -host_port=80 -host_port_ssl=443 -#ssl_certificate= -# Optional key file -#ssl_certificate_key= -docker_compose_dir="~/.awx/awxcompose" - -# Required for Openshift when building the image on your own -# Optional for Openshift if using Dockerhub or another prebuilt registry -# Required for Docker Compose Install if building the image on your own -# Optional for Docker Compose Install if using Dockerhub or another prebuilt registry -# Define if you want the image pushed to a registry. The container definition will also use these images -# docker_registry=172.30.1.1:5000 -# docker_registry_repository=awx -# docker_registry_username=developer - - -# Set pg_hostname if you have an external postgres server, otherwise -# a new postgres service will be created -# pg_hostname=postgresql -pg_username=awx -# pg_password should be random 10 character alphanumeric string, when postgresql is running on kubernetes -# NB: it's a limitation of the "official" postgres helm chart -pg_password=awxpass -pg_database=awx -pg_port=5432 -#pg_sslmode=require - -# If requiring SSL communication (e.g. 
pg_sslmode='verify-full') with Postgres -# and using a self-signed certificate or a certificate signed by a custom CA -# set pg_root_ca_file to a file containing the self-signed certificate or the -# root CA certificate chain. -# pg_root_ca_file='example_root_ca.crt' - -# The following variable is only required when using the provided -# containerized postgres deployment on OpenShift -# pg_admin_password=postgrespass - -# This will create or update a default admin (superuser) account in AWX, if not provided -# then these default values are used -admin_user=admin -# admin_password=password - -# Whether or not to create preload data for demonstration purposes -create_preload_data=True - -# AWX Secret key -# It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt -# your credentials -secret_key=awxsecret - -# By default a broadcast websocket secret will be generated. -# If you would like to *rerun the playbook*, you need to set a unique password. -# Otherwise it would generate a new one every playbook run. -# broadcast_websocket_secret= - -# Build AWX with official logos -# Requires cloning awx-logos repo as a sibling of this project. -# Review the trademark guidelines at https://github.com/ansible/awx-logos/blob/master/TRADEMARKS.md -# awx_official=false - -# Proxy -#http_proxy=http://proxy:3128 -#https_proxy=http://proxy:3128 -#no_proxy=mycorp.org - -# Container networking configuration -# Set the awx_task and awx_web containers' search domain(s) -#awx_container_search_domains=example.com,ansible.com -# Alternate DNS servers -#awx_alternate_dns_servers="10.1.2.3,10.2.3.4" - -# AWX project data folder. If you need access to the location where AWX stores the projects -# it manages from the docker host, you can set this to turn it into a volume for the container. -#project_data_dir=/var/lib/awx/projects - -# AWX custom virtual environment folder. Only usable for local install. 
-#custom_venv_dir=/opt/my-envs/ - -# CA Trust directory. If you need to provide custom CA certificates, supplying -# this variable causes this directory on the host to be bind mounted over -# /etc/pki/ca-trust in the awx_task and awx_web containers. -# If you are deploying on openshift or kubernetes, set the variable to /etc/pki/ca-trust instead, -# as the awx_web and awx_task containers will not run the `update-ca-trust` command. -#ca_trust_dir=/etc/pki/ca-trust/source/anchors - -# Include /etc/nginx/awx_extra.conf -# Note the use of glob pattern for nginx -# which makes include "optional" - i.e. not fail -# if file is absent -#extra_nginx_include="/etc/nginx/awx_extra[.]conf" - -# Docker compose explicit subnet. Set to avoid overlapping your existing LAN networks. -#docker_compose_subnet="172.17.0.1/16" -# -# Allow for different docker logging drivers -# By Default; the logger will be json-file, however you can override -# that by uncommenting the docker_logger below. -# Be aware that journald may rate limit your log messages if you choose it. -# See: https://docs.docker.com/config/containers/logging/configure/ -# docker_logger=journald -# - -# Add extra hosts to docker compose file. This might be necessary to -# sneak in servernames. For example for DMZ self-signed CA certificates. -# Equivialent to using the --add-host parameter with "docker run". -#docker_compose_extra_hosts="otherserver.local:192.168.0.1,ldap-server.local:192.168.0.2" diff --git a/installer/roles/check_vars/tasks/check_openshift.yml b/installer/roles/check_vars/tasks/check_openshift.yml deleted file mode 100644 index a2bebf6b16..0000000000 --- a/installer/roles/check_vars/tasks/check_openshift.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-# check_openshift.yml
----
-- name: openshift_project should be defined
- assert:
- that:
- - openshift_project is defined and openshift_project != ''
- msg: "Set the value of 'openshift_project' in the inventory file."
-
-- name: openshift_user should be defined
- assert:
- that:
- - openshift_user is defined and openshift_user != ''
- msg: "Set the value of 'openshift_user' in the inventory file."
-
-- name: openshift_password or openshift_token should be defined
- assert:
- that:
- - (openshift_password is defined and openshift_password != '') or
- (openshift_token is defined and openshift_token != '')
- msg: "Set the value of 'openshift_password' or 'openshift_token' in the inventory file."
-
-- name: docker_registry should be defined if not using dockerhub
- assert:
- that:
- - docker_registry is defined and docker_registry != ''
- msg: "Set the value of 'docker_registry' in the inventory file."
- when: dockerhub_base is not defined
-
-- name: docker_registry_repository should be defined if not using dockerhub
- assert:
- that:
- - docker_registry_repository is defined and docker_registry_repository != ''
- msg: "Set the value of 'docker_registry_repository' in the inventory file."
- when: dockerhub_base is not defined
-
-- name: docker_registry_username should be defined if not using dockerhub
- assert:
- that:
- - docker_registry_username is defined and docker_registry_username != ''
- msg: "Set the value of 'docker_registry_username' in the inventory file."
- when: dockerhub_base is not defined
-
-- name: docker_registry_password should be defined
- assert:
- that:
- - docker_registry_password is defined and docker_registry_password != ''
- msg: "Set the value of 'docker_registry_password' in the inventory file."
- when: dockerhub_base is not defined
diff --git a/installer/roles/check_vars/tasks/main.yml b/installer/roles/check_vars/tasks/main.yml
deleted file mode 100644
index 9ac079e560..0000000000
--- a/installer/roles/check_vars/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-# main.yml
----
-- name: admin_password should be defined
- assert:
- that:
- - admin_password is defined and admin_password != ''
- msg: "Set the value of 'admin_password' in the inventory file."
-
-- include_tasks: check_openshift.yml
- when: openshift_host is defined and openshift_host != ''
diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml
deleted file mode 100644
index 754ff86fe0..0000000000
--- a/installer/roles/kubernetes/defaults/main.yml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-dockerhub_version: "{{ lookup('file', playbook_dir + '/../VERSION') }}"
-create_preload_data: true
-
-admin_user: 'admin'
-admin_email: 'root@localhost'
-admin_password: ''
-
-kubernetes_base_path: "{{ local_base_config_path|default('/tmp') }}/{{ kubernetes_deployment_name }}-config"
-
-kubernetes_awx_version: "{{ dockerhub_version }}"
-kubernetes_awx_image: "ansible/awx"
-kubernetes_web_svc_type: "NodePort"
-
-awx_psp_create: false
-awx_psp_name: 'awx'
-awx_psp_privileged: true
-
-web_mem_request: 1
-web_cpu_request: 500
-web_security_context_enabled: true
-web_security_context_privileged: false
-
-task_mem_request: 2
-task_cpu_request: 1500
-task_security_context_enabled: true
-task_security_context_privileged: true
-
-redis_mem_request: 2
-redis_cpu_request: 500
-redis_security_context_enabled: true
-redis_security_context_privileged: false
-redis_security_context_user: 1001
-
-kubernetes_redis_image: "redis"
-kubernetes_redis_image_tag: "latest"
-kubernetes_redis_config_mount_path: "/usr/local/etc/redis/redis.conf"
-
-openshift_pg_emptydir: false
-openshift_pg_pvc_name: postgresql
-
-kubernetes_deployment_name: awx
-kubernetes_serviceaccount_name: awx
-
-kubernetes_deployment_replica_size: 1
-
-postgress_activate_wait: 60
-
-restore_backup_file: "./tower-openshift-backup-latest.tar.gz"
-
-insights_url_base: "https://example.org"
-automation_analytics_url: "https://example.org"
-insights_agent_mime: "application/example"
-
-custom_venvs_path: "/opt/custom-venvs"
-custom_venvs_python: "python2"
-
-ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
-
-container_groups_image: "ansible/ansible-runner"
-
-uwsgi_bash: "bash -c"
diff --git a/installer/roles/kubernetes/handlers/main.yml b/installer/roles/kubernetes/handlers/main.yml
deleted file mode 100644
index 89b3fa701c..0000000000
--- a/installer/roles/kubernetes/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: remove-rmq_cert_tempdir
- file:
- state: absent
- path: "{{ rmq_cert_tempdir.path }}"
diff --git a/installer/roles/kubernetes/tasks/backup.yml b/installer/roles/kubernetes/tasks/backup.yml
deleted file mode 100644
index d2d41bbbc1..0000000000
--- a/installer/roles/kubernetes/tasks/backup.yml
+++ /dev/null
@@ -1,82 +0,0 @@ ---- -- name: Determine the timestamp for the backup. - set_fact: - now: '{{ lookup("pipe", "date +%F-%T") }}' - -- include_tasks: openshift_auth.yml - when: openshift_host is defined - -- include_tasks: kubernetes_auth.yml - when: kubernetes_context is defined - -- name: Use kubectl or oc - set_fact: - kubectl_or_oc: "{{ openshift_oc_bin if openshift_oc_bin is defined else 'kubectl' }}" - -- name: Delete any existing management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - -- name: Template management pod - set_fact: - management_pod: "{{ lookup('template', 'management-pod.yml.j2') }}" - -- name: Create management pod - shell: | - echo {{ management_pod | quote }} | {{ kubectl_or_oc }} apply -f - - -- name: Wait for management pod to start - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pod ansible-tower-management -o jsonpath="{.status.phase}" - register: result - until: result.stdout == "Running" - retries: 60 - delay: 10 - -- name: Create directory for backup - file: - state: directory - path: "{{ playbook_dir }}/tower-openshift-backup-{{ now }}" - -- name: Precreate file for database dump - file: - path: "{{ playbook_dir }}/tower-openshift-backup-{{ now }}/tower.db" - state: touch - mode: 0600 - -- name: Dump database - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "PGPASSWORD={{ pg_password | quote }} \ - pg_dump --clean --create \ - --host='{{ pg_hostname | default('postgresql') }}' \ - --port={{ pg_port | default('5432') }} \ - --username='{{ pg_username }}' \ - --dbname='{{ pg_database }}'" > {{ playbook_dir }}/tower-openshift-backup-{{ now }}/tower.db - no_log: true - -- name: Copy inventory into backup directory - copy: - src: "{{ inventory_file }}" - dest: "{{ playbook_dir }}/tower-openshift-backup-{{ now }}/" - mode: 0600 - -- name: Delete management pod - 
shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - -- name: Create backup archive - archive: - path: "{{ playbook_dir }}/tower-openshift-backup-{{ now }}" - dest: "{{ item }}" - with_items: - - "{{ playbook_dir }}/tower-openshift-backup-{{ now }}.tar.gz" - - "{{ playbook_dir }}/tower-openshift-backup-latest.tar.gz" - -- name: Remove temporary backup directory - file: - path: "{{ playbook_dir }}/tower-openshift-backup-{{ now }}" - state: absent diff --git a/installer/roles/kubernetes/tasks/kubernetes.yml b/installer/roles/kubernetes/tasks/kubernetes.yml deleted file mode 100644 index 89370bed1f..0000000000 --- a/installer/roles/kubernetes/tasks/kubernetes.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Get Namespace Detail - shell: "kubectl get namespace {{ kubernetes_namespace }}" - register: namespace_details - ignore_errors: true - -- name: Create AWX Kubernetes Project - shell: "kubectl create namespace {{ kubernetes_namespace }}" - when: namespace_details.rc != 0 - -- name: Set postgresql service name - set_fact: - postgresql_service_name: "{{ kubernetes_deployment_name }}-postgresql" - when: "pg_hostname is not defined or pg_hostname == ''" - -- name: Get Kubernetes API version - command: | - kubectl version -o json - register: kube_version - -- name: Extract server version from command output - set_fact: - kube_api_version: "{{ (kube_version.stdout | from_json).serverVersion.gitVersion[1:] }}" diff --git a/installer/roles/kubernetes/tasks/kubernetes_auth.yml b/installer/roles/kubernetes/tasks/kubernetes_auth.yml deleted file mode 100644 index 7f9d29456b..0000000000 --- a/installer/roles/kubernetes/tasks/kubernetes_auth.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Set the Kubernetes Context - shell: "kubectl config use-context {{ kubernetes_context }}" 
diff --git a/installer/roles/kubernetes/tasks/main.yml b/installer/roles/kubernetes/tasks/main.yml deleted file mode 100644 index dc6639b56b..0000000000 --- a/installer/roles/kubernetes/tasks/main.yml +++ /dev/null 
@@ -1,320 +0,0 @@ ---- -- name: Generate broadcast websocket secret - set_fact: - broadcast_websocket_secret: "{{ lookup('password', '/dev/null length=128') }}" - run_once: true - no_log: true - when: broadcast_websocket_secret is not defined - -- fail: - msg: "Only set one of kubernetes_context or openshift_host" - when: openshift_host is defined and kubernetes_context is defined - -- include_tasks: "{{ tasks }}" - with_items: - - openshift_auth.yml - - openshift.yml - loop_control: - loop_var: tasks - when: openshift_host is defined - -- include_tasks: "{{ tasks }}" - with_items: - - kubernetes_auth.yml - - kubernetes.yml - loop_control: - loop_var: tasks - when: kubernetes_context is defined - -- name: Use kubectl or oc - set_fact: - kubectl_or_oc: "{{ openshift_oc_bin if openshift_oc_bin is defined else 'kubectl' }}" - -- set_fact: - deployment_object: "deployment" - -- name: Record deployment size - shell: | - {{ kubectl_or_oc }} get {{ deployment_object }} \ - {{ kubernetes_deployment_name }} \ - -n {{ kubernetes_namespace }} -o=jsonpath='{.status.replicas}' - register: deployment_details - ignore_errors: true - -- name: Set expected post-deployment Replicas value - set_fact: - kubernetes_deployment_replica_size: "{{ deployment_details.stdout | int }}" - when: deployment_details.rc == 0 - -- name: Delete existing Deployment (or StatefulSet) - shell: | - {{ kubectl_or_oc }} delete sts \ - {{ kubernetes_deployment_name }} -n {{ kubernetes_namespace }} --ignore-not-found - {{ kubectl_or_oc }} delete {{ deployment_object }} \ - {{ kubernetes_deployment_name }} -n {{ kubernetes_namespace }} --ignore-not-found - -- name: Get Postgres Service Detail - shell: "{{ kubectl_or_oc }} describe svc {{ postgresql_service_name }} -n {{ kubernetes_namespace }}" - register: postgres_svc_details - ignore_errors: true - when: "pg_hostname is not defined or pg_hostname == ''" - -- name: Deploy PostgreSQL (OpenShift) - block: - - name: Template PostgreSQL Deployment (OpenShift) - 
template: - src: postgresql-persistent.yml.j2 - dest: "{{ kubernetes_base_path }}/postgresql-persistent.yml" - mode: '0600' - - - name: Deploy and Activate Postgres (OpenShift) - shell: | - {{ openshift_oc_bin }} new-app --file={{ kubernetes_base_path }}/postgresql-persistent.yml \ - -e MEMORY_LIMIT={{ pg_memory_limit|default('512') }}Mi \ - -e DATABASE_SERVICE_NAME=postgresql \ - -e POSTGRESQL_MAX_CONNECTIONS={{ pg_max_connections|default(1024) }} \ - -e POSTGRESQL_USER={{ pg_username }} \ - -e POSTGRESQL_PASSWORD={{ pg_password | quote }} \ - -e POSTGRESQL_DATABASE={{ pg_database | quote }} \ - -e POSTGRESQL_VERSION=12 \ - -n {{ kubernetes_namespace }} - register: openshift_pg_activate - no_log: true - when: - - pg_hostname is not defined or pg_hostname == '' - - postgres_svc_details is defined and postgres_svc_details.rc != 0 - - openshift_host is defined - -- name: Deploy PostgreSQL (Kubernetes) - block: - - name: Create Temporary Values File (Kubernetes) - tempfile: - state: file - suffix: .yml - register: values_file - - - name: Populate Temporary Values File (Kubernetes) - template: - src: postgresql-values.yml.j2 - dest: "{{ values_file.path }}" - no_log: true - - - name: Deploy and Activate Postgres (Kubernetes) - shell: | - helm repo add stable https://charts.helm.sh/stable - helm repo update - helm upgrade {{ postgresql_service_name }} \ - --install \ - --namespace {{ kubernetes_namespace }} \ - --version="8.3.0" \ - --values {{ values_file.path }} \ - stable/postgresql - register: kubernetes_pg_activate - no_log: true - - - name: Remove tempfile - file: - path: "{{ values_file.path }}" - state: absent - when: - - pg_hostname is not defined or pg_hostname == '' - - postgres_svc_details is defined and postgres_svc_details.rc != 0 - - kubernetes_context is defined - -- name: Set postgresql hostname to helm package service (Kubernetes) - set_fact: - pg_hostname: "{{ postgresql_service_name }}" - when: - - pg_hostname is not defined or pg_hostname == '' - - 
kubernetes_context is defined - -- name: Wait for Postgres to activate - pause: - seconds: "{{ postgress_activate_wait }}" - when: openshift_pg_activate.changed or kubernetes_pg_activate.changed - -- name: Check postgres version and upgrade Postgres if necessary (Openshift) - block: - - name: Check if Postgres 10 is being used - shell: | - POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pods -l=name=postgresql --field-selector status.phase=Running -o jsonpath="{.items[0].metadata.name}") - {{ kubectl_or_oc }} exec $POD -n {{ kubernetes_namespace }} -- bash -c "psql -tAc 'select version()'" - register: pg_version - - name: Upgrade postgres if necessary - block: - - name: Set new pg image - shell: | - IMAGE=registry.redhat.io/rhel-8/postgresql-12 - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set image dc/postgresql postgresql=$IMAGE - - - name: Wait for change to take affect - pause: - seconds: 5 - - - name: Set env var for pg upgrade - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_UPGRADE=copy - - - name: Wait for change to take affect - pause: - seconds: 5 - - - name: Set env var for new pg version - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_VERSION=12 - - - name: Wait for Postgres to redeploy - pause: - seconds: "{{ postgress_activate_wait }}" - - - name: Wait for Postgres to finish upgrading - shell: | - POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pods -l=name=postgresql -o jsonpath="{.items[0].metadata.name}") - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} logs $POD | grep 'Upgrade DONE' - register: pg_upgrade_logs - retries: 360 - delay: 10 - until: pg_upgrade_logs is success - - - name: Unset upgrade env var - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_UPGRADE- - - - name: Wait for Postgres to redeploy - pause: - seconds: "{{ postgress_activate_wait }}" - when: 
"pg_version is success and '10' in pg_version.stdout" - when: - - pg_hostname is not defined or pg_hostname == '' - - postgres_svc_details is defined and postgres_svc_details.rc != 0 - - openshift_host is defined - -- name: Set image names if using custom registry - block: - - name: Set awx image name - set_fact: - kubernetes_awx_image: "{{ docker_registry }}/{{ docker_registry_repository }}/{{ awx_image }}" - when: kubernetes_awx_image is not defined - when: docker_registry is defined - -- name: Determine Deployment api version - set_fact: - kubernetes_deployment_api_version: "{{ 'apps/v1' if kube_api_version is version('1.9', '>=') else 'apps/v1beta1' }}" - -- name: Use Custom Root CA file for PosgtreSQL SSL communication - block: - - name: Get Root CA file contents - set_fact: - postgres_root_ca_cert: "{{ lookup('file', pg_root_ca_file) }}" - no_log: true - - - name: Render Root CA template - set_fact: - postgres_root_ca: "{{ lookup('template', 'postgres_root_ca.yml.j2') }}" - no_log: true - - - name: Apply Root CA template - shell: | - echo {{ postgres_root_ca | quote }} | {{ kubectl_or_oc }} apply -f - - no_log: true - - - name: Set Root CA file name - set_fact: - postgres_root_ca_filename: 'postgres_root_ca.crt' - - - name: Set Root CA file location - set_fact: - ca_trust_bundle: '/etc/tower/{{ postgres_root_ca_filename }}' - when: - - pg_root_ca_file is defined - - pg_root_ca_file != '' - -- name: Render deployment templates - set_fact: - "{{ item }}": "{{ lookup('template', item + '.yml.j2') }}" - with_items: - - 'configmap' - - 'secret' - - 'deployment' - - 'supervisor' - no_log: true - -- name: Apply Deployment - shell: | - echo {{ item | quote }} | {{ kubectl_or_oc }} apply -f - - with_items: - - "{{ configmap }}" - - "{{ secret }}" - - "{{ deployment }}" - - "{{ supervisor }}" - no_log: true - -- name: Delete any existing management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management 
--grace-period=0 --ignore-not-found - -- name: Template management pod - set_fact: - management_pod: "{{ lookup('template', 'management-pod.yml.j2') }}" - -- name: Create management pod - shell: | - echo {{ management_pod | quote }} | {{ kubectl_or_oc }} apply -f - - -- name: Wait for management pod to start - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pod ansible-tower-management -o jsonpath="{.status.phase}" - register: result - until: result.stdout == "Running" - retries: 60 - delay: 10 - -- name: Migrate database - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "awx-manage migrate --noinput" - -- name: Check for Tower Super users - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell" - register: super_check - ignore_errors: true - changed_when: super_check.rc > 0 - -- name: create django super user if it does not exist - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "echo \"from django.contrib.auth.models import User; User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\" | awx-manage shell" - no_log: true - when: super_check.rc > 0 - -- name: update django super user password - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "awx-manage update_password --username='{{ admin_user }}' --password='{{ admin_password }}'" - no_log: true - register: result - changed_when: "'Password updated' in result.stdout" - -- name: Create the default organization if it is needed. 
- shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \ - bash -c "awx-manage create_preload_data" - register: cdo - changed_when: "'added' in cdo.stdout" - when: create_preload_data | bool - -- name: Delete management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - -- name: Scale up deployment - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - scale {{ deployment_object }} {{ kubernetes_deployment_name }} --replicas={{ replicas | default(kubernetes_deployment_replica_size) }} diff --git a/installer/roles/kubernetes/tasks/openshift.yml b/installer/roles/kubernetes/tasks/openshift.yml deleted file mode 100644 index c85ab961ba..0000000000 --- a/installer/roles/kubernetes/tasks/openshift.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -- name: Get Project Detail - shell: "{{ openshift_oc_bin }} get project {{ openshift_project }}" - register: project_details - ignore_errors: true - -- name: Create AWX Openshift Project - shell: "{{ openshift_oc_bin }} new-project {{ openshift_project }}" - when: project_details.rc != 0 - -- name: Ensure PostgreSQL PVC is available - block: - - name: Check PVC status - command: "{{ openshift_oc_bin }} get pvc {{ openshift_pg_pvc_name }} -n {{ openshift_project }} -o=jsonpath='{.status.phase}'" - register: pg_pvc_status - ignore_errors: true - - - name: Ensure PostgreSQL PVC is available - assert: - that: - - pg_pvc_status.stdout in ["Bound", "Pending"] - msg: "Ensure a PVC named '{{ openshift_pg_pvc_name }}' is available in the namespace '{{ openshift_project }}'." - when: - - pg_hostname is not defined or pg_hostname == '' - - openshift_pg_emptydir is defined and (openshift_pg_emptydir | bool) != true - -- name: Set postgresql service name - set_fact: - postgresql_service_name: "postgresql" - when: "pg_hostname is not defined or pg_hostname == ''" - -- name: Add privileged SCC to service account - shell: | - {{ openshift_oc_bin }} adm policy add-scc-to-user privileged system:serviceaccount:{{ openshift_project }}:awx - -# https://github.com/openshift/origin/issues/19182#issuecomment-378233606 -# If oc version ever grows a -o json option, remove the following tasks -# and go with the approach in kubernetes.yml. 
-- name: Get Kubernetes Config - command: | - {{ openshift_oc_bin }} config view -o json - register: kube_config_cmd - no_log: true - -- name: Convert kube config to dictionary - set_fact: - kube_config: "{{ kube_config_cmd.stdout | from_json }}" - no_log: true - -- name: Extract current context from kube config - set_fact: - current_kube_context: "{{ kube_config['current-context'] }}" - -- name: Find cluster for current context - set_fact: - kube_cluster: | - {{ (kube_config.contexts | - selectattr("name", "match", current_kube_context) | - list)[0].context.cluster }} - -- name: Find server for current context - set_fact: - kube_server: | - {{ (kube_config.clusters | - selectattr("name", "match", kube_cluster|trim) | - list)[0].cluster.server }} - -- name: Get kube version from api server - uri: - url: "{{ kube_server | trim }}/version" - validate_certs: false - register: kube_version - -- name: Extract server version from command output - set_fact: - kube_api_version: "{{ kube_version.json.gitVersion[1:] }}" diff --git a/installer/roles/kubernetes/tasks/openshift_auth.yml b/installer/roles/kubernetes/tasks/openshift_auth.yml deleted file mode 100644 index 1b53cda59a..0000000000 --- a/installer/roles/kubernetes/tasks/openshift_auth.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -- include_vars: openshift.yml - -- name: Set kubernetes_namespace - set_fact: - kubernetes_namespace: "{{ openshift_project }}" - -- name: Ensure workspace directories exist - file: - path: "{{ item }}" - state: directory - with_items: - - "{{ kubernetes_base_path }}" - - "{{ openshift_oc_config_file | dirname }}" - -- name: Authenticate with OpenShift via user and password - shell: | - {{ openshift_oc_bin }} login {{ openshift_host }} \ - -u {{ openshift_user }} \ - -p {{ openshift_password | quote }} \ - --insecure-skip-tls-verify={{ openshift_skip_tls_verify | default(false) | bool }} - when: - - openshift_user is defined - - openshift_password is defined - - openshift_token is not defined - register: openshift_auth_result - ignore_errors: true - no_log: true - -- name: OpenShift authentication failed on TLS verification - fail: - msg: "Failed to verify TLS, consider settings openshift_skip_tls_verify=True {{ openshift_auth_result.stderr | default('certificate does not match hostname') }}" - when: - - openshift_skip_tls_verify is not defined or not openshift_skip_tls_verify - - openshift_auth_result.rc is defined and openshift_auth_result.rc != 0 - - openshift_auth_result.stderr is defined and (openshift_auth_result.stderr | search("certificate that does not match its hostname")) - -- name: OpenShift authentication failed - fail: - msg: "{{ openshift_auth_result.stderr | default('Invalid credentials') }}" - when: openshift_auth_result.rc is defined and openshift_auth_result.rc != 0 - -- name: Authenticate with OpenShift via token - shell: | - {{ openshift_oc_bin }} login {{ openshift_host }} \ - --token {{ openshift_token }} \ - --insecure-skip-tls-verify={{ openshift_skip_tls_verify | default(false) | bool }} - when: openshift_token is defined - register: openshift_auth_result - ignore_errors: true - no_log: true - -- name: OpenShift authentication failed - fail: - msg: "{{ openshift_auth_result.stderr | default('Invalid token') }}" - 
when: openshift_auth_result.rc is defined and openshift_auth_result.rc != 0
diff --git a/installer/roles/kubernetes/tasks/rekey.yml b/installer/roles/kubernetes/tasks/rekey.yml
deleted file mode 100644
index 91ed2828ed..0000000000
--- a/installer/roles/kubernetes/tasks/rekey.yml
+++ /dev/null
@@ -1,72 +0,0 @@ ---- -- include_tasks: openshift_auth.yml - when: openshift_host is defined - -- include_tasks: kubernetes_auth.yml - when: kubernetes_context is defined - -- name: Use kubectl or oc - set_fact: - kubectl_or_oc: "{{ openshift_oc_bin if openshift_oc_bin is defined else 'kubectl' }}" - -- set_fact: - deployment_object: "deployment" - -- name: Record deployment size - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get {{ deployment_object }} {{ kubernetes_deployment_name }} -o jsonpath="{.status.replicas}" - register: deployment_size - -- name: Scale deployment down - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - scale {{ deployment_object }} {{ kubernetes_deployment_name }} --replicas=0 - -- name: Wait for scale down - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} get pods \ - -o jsonpath='{.items[*].metadata.name}' \ - | tr -s '[[:space:]]' '\n' \ - | grep {{ kubernetes_deployment_name }} \ - | grep -v postgres | wc -l - register: tower_pods - until: (tower_pods.stdout | trim) == '0' - retries: 30 - -- name: Delete any existing management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - -- name: Template management pod - set_fact: - management_pod: "{{ lookup('template', 'management-pod.yml.j2') }}" - -- name: Create management pod - shell: | - echo {{ management_pod | quote }} | {{ kubectl_or_oc }} apply -f - - -- name: Wait for management pod to start - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pod ansible-tower-management -o jsonpath="{.status.phase}" - register: result - until: result.stdout == "Running" - retries: 60 - delay: 10 - -- name: generate a new SECRET_KEY - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - exec -i ansible-tower-management -- bash -c "awx-manage regenerate_secret_key" - register: new_key - -- name: print the new SECRET_KEY - debug: 
- msg: "{{ new_key.stdout }}"
-
-- name: Delete management pod
- shell: |
- {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
- delete pod ansible-tower-management --grace-period=0 --ignore-not-found
diff --git a/installer/roles/kubernetes/tasks/restore.yml b/installer/roles/kubernetes/tasks/restore.yml
deleted file mode 100644
index 9d0358e751..0000000000
--- a/installer/roles/kubernetes/tasks/restore.yml
+++ /dev/null
@@ -1,145 +0,0 @@ ---- -- include_tasks: openshift_auth.yml - when: openshift_host is defined - -- include_tasks: kubernetes_auth.yml - when: kubernetes_context is defined - -- name: Use kubectl or oc - set_fact: - kubectl_or_oc: "{{ openshift_oc_bin if openshift_oc_bin is defined else 'kubectl' }}" - -- name: Remove any present restore directories - file: - state: absent - path: "{{ playbook_dir }}/tower-openshift-restore" - -- name: Create directory for restore data - file: - state: directory - path: "{{ playbook_dir }}/tower-openshift-restore" - -- name: Unarchive Tower backup - unarchive: - src: "{{ restore_backup_file }}" - dest: "{{ playbook_dir }}/tower-openshift-restore" - extra_opts: [--strip-components=1] - -- name: Verify if common.tar.gz exists - stat: - path: "{{ playbook_dir }}/tower-openshift-restore/common.tar.gz" - register: common_tarball - -- name: Unarchive Tower backup from common.tar.gz - unarchive: - src: "{{ playbook_dir }}/tower-openshift-restore/common.tar.gz" - dest: "{{ playbook_dir }}/tower-openshift-restore" - extra_opts: [--strip-components=1] - when: common_tarball.stat.exists - -- set_fact: - deployment_object: "deployment" - -- name: Record deployment size - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get {{ deployment_object }} {{ kubernetes_deployment_name }} -o jsonpath="{.status.replicas}" - register: deployment_size - -- name: Scale deployment down - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - scale {{ deployment_object }} {{ kubernetes_deployment_name }} --replicas=0 - -- name: Delete management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - -- name: Wait for scale down - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} get pods \ - -o jsonpath='{.items[*].metadata.name}' \ - | tr -s '[[:space:]]' '\n' \ - | grep {{ kubernetes_deployment_name }} \ - | grep -v postgres | wc -l 
- register: tower_pods - until: (tower_pods.stdout | trim) == '0' - retries: 30 - -- name: Setup Management Pod & Restore (External DB) - block: - - name: Delete any existing management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - - - name: Template management pod - set_fact: - management_pod: "{{ lookup('template', 'management-pod.yml.j2') }}" - - - name: Create management pod - shell: | - echo {{ management_pod | quote }} | {{ kubectl_or_oc }} apply -f - - - - name: Wait for management pod to start - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pod ansible-tower-management -o jsonpath="{.status.phase}" - register: result - until: result.stdout == "Running" - retries: 60 - delay: 10 - - - name: Perform a PostgreSQL restore (for External Postgres) - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - exec -i ansible-tower-management -- bash -c "PGPASSWORD={{ pg_password | quote }} \ - psql \ - --host={{ pg_hostname | default('postgresql') }} \ - --port={{ pg_port | default('5432') }} \ - --username={{ pg_username }} \ - --dbname=template1" < {{ playbook_dir }}/tower-openshift-restore/tower.db - no_log: true - - - name: Delete management pod - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - delete pod ansible-tower-management --grace-period=0 --ignore-not-found - when: pg_hostname is defined or pg_hostname != '' - -- name: Restore (Containerized DB) - block: - - name: Temporarily grant createdb role - shell: | - POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pods -l=name=postgresql --field-selector status.phase=Running -o jsonpath="{.items[0].metadata.name}") - {{ kubectl_or_oc }} exec $POD -n {{ kubernetes_namespace }} -- bash -c "\ - psql --dbname=template1 -c 'ALTER USER \"{{ pg_username }}\" CREATEDB;'" - - - name: Perform a PostgreSQL restore - shell: | - POD=$({{ kubectl_or_oc }} -n {{ 
kubernetes_namespace }} \ - get pods -l=name=postgresql --field-selector status.phase=Running -o jsonpath="{.items[0].metadata.name}") - {{ kubectl_or_oc }} exec -i $POD -n {{ kubernetes_namespace }} -- bash -c "\ - psql --dbname=template1" < {{ playbook_dir }}/tower-openshift-restore/tower.db - no_log: true - - - name: Revoke createdb role - shell: | - POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - get pods -l=name=postgresql --field-selector status.phase=Running -o jsonpath="{.items[0].metadata.name}") - {{ kubectl_or_oc }} exec $POD -n {{ kubernetes_namespace }} -- bash -c "\ - psql --dbname=template1 -c 'ALTER USER \"{{ pg_username }}\" NOCREATEDB;'" - when: pg_hostname is not defined or pg_hostname == '' - -- name: Remove restore directory - file: - state: absent - path: "{{ playbook_dir }}/tower-openshift-restore" - -- name: Scale deployment back up - shell: | - {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \ - scale {{ deployment_object }} {{ kubernetes_deployment_name }} --replicas={{ deployment_size.stdout }} - when: deployment_size.stdout != '' diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2 deleted file mode 100644 index 2d7fd50aac..0000000000 --- a/installer/roles/kubernetes/templates/configmap.yml.j2 +++ /dev/null 
@@ -1,206 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ kubernetes_deployment_name }}-config - namespace: {{ kubernetes_namespace }} -data: - {{ kubernetes_deployment_name }}_nginx_conf: | - #user awx; - - worker_processes 1; - - pid /tmp/nginx.pid; - - events { - worker_connections 1024; - } - - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /dev/stdout main; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - sendfile on; - #tcp_nopush on; - #gzip on; - - upstream uwsgi { - server 127.0.0.1:8050; - } - - upstream daphne { - server 127.0.0.1:8051; - } - - {% if ssl_certificate is defined %} - server { - listen 8052 default_server; - server_name _; - - # Redirect all HTTP links to the matching HTTPS page - return 301 https://$host$request_uri; - } - {%endif %} - - server { - {% if ssl_certificate is defined %} - listen 8053 ssl; - - ssl_certificate /etc/nginx/awxweb.pem; - ssl_certificate_key /etc/nginx/awxweb.pem; - {% else %} - listen 8052 default_server; - {% endif %} - - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - - # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) - add_header X-Frame-Options "DENY"; - - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - - location /static/ { - alias /var/lib/awx/public/static/; - } - - location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } - - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # 
Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - - location / { - # Add trailing / if missing - rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - {%- if extra_nginx_include is defined %} - include {{ extra_nginx_include }}; - {%- endif %} - proxy_set_header X-Forwarded-Port 443; - uwsgi_param HTTP_X_FORWARDED_PORT 443; - } - } - } - - {{ kubernetes_deployment_name }}_settings: | - import os - import socket - ADMINS = () - - AWX_PROOT_ENABLED = True - - # Automatically deprovision pods that go offline - AWX_AUTO_DEPROVISION_INSTANCES = True - - SYSTEM_TASK_ABS_CPU = {{ ((task_cpu_request|int / 1000) * 4)|int }} - SYSTEM_TASK_ABS_MEM = {{ ((task_mem_request|int * 1024) / 100)|int }} - - INSIGHTS_URL_BASE = "{{ insights_url_base }}" - INSIGHTS_AGENT_MIME = "{{ insights_agent_mime }}" - AUTOMATION_ANALYTICS_URL = "{{ automation_analytics_url }}" - - #Autoprovisioning should replace this - CLUSTER_HOST_ID = socket.gethostname() - SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000') - - SESSION_COOKIE_SECURE = False - CSRF_COOKIE_SECURE = False - - REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR'] - - STATIC_ROOT = '/var/lib/awx/public/static' - PROJECTS_ROOT = 
'/var/lib/awx/projects' - AWX_ANSIBLE_COLLECTIONS_PATHS = '/var/lib/awx/vendor/awx_ansible_collections' - JOBOUTPUT_ROOT = '/var/lib/awx/job_status' - SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip() - ALLOWED_HOSTS = ['*'] - SERVER_EMAIL = 'root@localhost' - DEFAULT_FROM_EMAIL = 'webmaster@localhost' - EMAIL_SUBJECT_PREFIX = '[AWX] ' - EMAIL_HOST = 'localhost' - EMAIL_PORT = 25 - EMAIL_HOST_USER = '' - EMAIL_HOST_PASSWORD = '' - EMAIL_USE_TLS = False - - LOGGING['handlers']['console'] = { - '()': 'logging.StreamHandler', - 'level': 'DEBUG', - 'formatter': 'simple', - 'filters': ['guid'], - } - - LOGGING['loggers']['django.request']['handlers'] = ['console'] - LOGGING['loggers']['rest_framework.request']['handlers'] = ['console'] - LOGGING['loggers']['awx']['handlers'] = ['console', 'external_logger'] - LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console', 'external_logger'] - LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console', 'external_logger'] - LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] - LOGGING['loggers']['social']['handlers'] = ['console'] - LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console'] - LOGGING['loggers']['rbac_migrations']['handlers'] = ['console'] - LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console'] - LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['fact_receiver'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'} - 
LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'} - - USE_X_FORWARDED_PORT = True - - AWX_CONTAINER_GROUP_DEFAULT_IMAGE = "{{ container_groups_image }}" - REDHAT_CANDLEPIN_HOST = "{{ candlepin_host | default(omit) }}" - REDHAT_CANDLEPIN_VERIFY = "{{ candlepin_verify | default(omit) }}" - BROADCAST_WEBSOCKET_PORT = 8052 - BROADCAST_WEBSOCKET_PROTOCOL = 'http' - - {{ kubernetes_deployment_name }}_redis_conf: | - unixsocket /var/run/redis/redis.sock - unixsocketperm 660 - port 0 - bind 127.0.0.1 diff --git a/installer/roles/kubernetes/templates/credentials.py.j2 b/installer/roles/kubernetes/templates/credentials.py.j2 deleted file mode 100644 index 74995988d8..0000000000 --- a/installer/roles/kubernetes/templates/credentials.py.j2 +++ /dev/null @@ -1,16 +0,0 @@ -DATABASES = { - 'default': { - 'ATOMIC_REQUESTS': True, - 'ENGINE': 'awx.main.db.profiled_pg', - 'NAME': "{{ pg_database }}", - 'USER': "{{ pg_username }}", - 'PASSWORD': "{{ pg_password }}", - 'HOST': "{{ pg_hostname|default('postgresql') }}", - 'PORT': "{{ pg_port }}", - 'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}', - 'sslrootcert': '{{ ca_trust_bundle }}', - }, - } -} - -BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret | b64encode }}" diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2 deleted file mode 100644 index da329d23de..0000000000 --- a/installer/roles/kubernetes/templates/deployment.yml.j2 +++ /dev/null 
@@ -1,556 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ kubernetes_serviceaccount_name }} - namespace: {{ kubernetes_namespace }} -{% if kubernetes_service_account_annotations is defined %} - annotations: -{% for key, value in kubernetes_service_account_annotations.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} -{% if kubernetes_image_pull_secrets is defined %} -imagePullSecrets: - - name: "{{ kubernetes_image_pull_secrets }}" -{% endif %} - -{% if awx_psp_create is defined and awx_psp_create | bool %} ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ awx_psp_name }}-psp -spec: -{% if awx_psp_privileged is defined %} - privileged: {{ awx_psp_privileged }} - allowPrivilegeEscalation: {{ awx_psp_privileged }} -{% endif %} - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - - 'persistentVolumeClaim' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ kubernetes_namespace }} - name: {{ awx_psp_name }}-role -rules: -- apiGroups: - - policy - resources: - - podsecuritypolicies - resourceNames: - - {{ awx_psp_name }}-psp - verbs: - - use - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ awx_psp_name }}-role-binding - namespace: {{ kubernetes_namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ awx_psp_name }}-role -subjects: -- kind: ServiceAccount - name: {{ kubernetes_serviceaccount_name }} - namespace: {{ kubernetes_namespace }} -{% endif %} - ---- -apiVersion: {{ kubernetes_deployment_api_version }} -kind: Deployment -metadata: - name: {{ kubernetes_deployment_name }} - namespace: {{ kubernetes_namespace }} -{% if 
kubernetes_deployment_annotations is defined %} - annotations: -{% for key, value in kubernetes_deployment_annotations.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} -{% if openshift_host is defined %} - labels: - app: {{ kubernetes_deployment_name }} -{% endif %} -spec: - replicas: 1 -{% if kubernetes_deployment_api_version == "apps/v1" %} - selector: - matchLabels: - app: {{ kubernetes_deployment_name }} -{% endif %} - template: - metadata: -{% if kubernetes_pod_annotations is defined %} - annotations: -{% for key, value in kubernetes_pod_annotations.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} - labels: - name: {{ kubernetes_deployment_name }}-web-deploy - service: django - app: {{ kubernetes_deployment_name }} - spec: - serviceAccountName: {{ kubernetes_serviceaccount_name }} - terminationGracePeriodSeconds: 10 -{% if custom_venvs is defined %} -{% set trusted_hosts = "" %} - initContainers: - - image: 'centos:7' - name: init-custom-venvs -{% if http_proxy is defined or https_proxy is defined %} -{% set trusted_hosts = "--trusted-host pypi.org --trusted-host files.pythonhosted.org --trusted-host pypi.python.org" %} - env: -{% if http_proxy is defined %} - - name: http_proxy - value: {{ http_proxy }} -{% endif %} -{% if https_proxy is defined %} - - name: https_proxy - value: {{ https_proxy }} -{% endif %} -{% if no_proxy is defined %} - - name: no_proxy - value: {{ no_proxy }} -{% endif %} -{% endif %} - command: - - sh - - '-c' - - >- - yum install -y ansible curl python-setuptools epel-release \ - openssl openssl-devel gcc python-devel && - yum install -y python-virtualenv python36 python36-devel && - mkdir -p {{ custom_venvs_path }} && -{% for custom_venv in custom_venvs %} - virtualenv -p {{ custom_venv.python | default(custom_venvs_python) }} \ - {{ custom_venvs_path }}/{{ custom_venv.name }} && - source {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/activate && - {{ custom_venvs_path }}/{{ custom_venv.name 
}}/bin/pip install {{ trusted_hosts }} -U pip && - {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U psutil \ - "ansible=={{ custom_venv.python_ansible_version }}" && -{% if custom_venv.python_modules is defined %} - {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U \ - {% for module in custom_venv.python_modules %}{{ module }} {% endfor %} && -{% endif %} - deactivate && -{% endfor %} - : - volumeMounts: - - name: custom-venvs - mountPath: {{ custom_venvs_path }} -{% endif %} - containers: - - name: {{ kubernetes_deployment_name }}-web -{% if web_security_context_enabled is defined and web_security_context_enabled | bool %} - securityContext: -{% if web_security_context_privileged is defined %} - privileged: {{ web_security_context_privileged }} -{% endif %} -{% endif %} - image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}" - imagePullPolicy: Always - ports: - - containerPort: 8052 -{% if ca_trust_dir is defined %} - env: - - name: REQUESTS_CA_BUNDLE - value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -{% endif %} - volumeMounts: -{% if postgres_root_ca_cert is defined %} - - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - mountPath: {{ ca_trust_bundle }} - subPath: {{ postgres_root_ca_filename }} - readOnly: true -{% endif %} - - name: supervisor-socket - mountPath: "/var/run/supervisor" - - name: rsyslog-socket - mountPath: "/var/run/awx-rsyslog" - - name: rsyslog-dir - mountPath: "/var/lib/awx/rsyslog" -{% if ca_trust_dir is defined %} - - name: {{ kubernetes_deployment_name }}-ca-trust-dir - mountPath: "{{ ca_trust_dir }}" - readOnly: true -{% endif %} -{% if project_data_dir is defined %} - - name: {{ kubernetes_deployment_name }}-project-data-dir - mountPath: "/var/lib/awx/projects" - readOnly: false -{% endif %} -{% if custom_venvs is defined %} - - name: custom-venvs - mountPath: {{ custom_venvs_path }} -{% endif %} - - name: {{ 
kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower/settings.py" - subPath: settings.py - readOnly: true - - - name: {{ kubernetes_deployment_name }}-nginx-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - readOnly: true - - - name: "{{ kubernetes_deployment_name }}-application-credentials" - mountPath: "/etc/tower/conf.d/" - readOnly: true - - - name: {{ kubernetes_deployment_name }}-supervisor-web-config - mountPath: "/etc/supervisord.conf" - subPath: supervisor.conf - readOnly: true - - - name: {{ kubernetes_deployment_name }}-supervisor-task-config - mountPath: "/etc/supervisord_task.conf" - subPath: supervisor_task.conf - readOnly: true - - - name: {{ kubernetes_deployment_name }}-secret-key - mountPath: "/etc/tower/SECRET_KEY" - subPath: SECRET_KEY - readOnly: true - - - name: {{ kubernetes_deployment_name }}-redis-socket - mountPath: "/var/run/redis" - - resources: - requests: - memory: "{{ web_mem_request }}Gi" - cpu: "{{ web_cpu_request }}m" -{% if web_mem_limit is defined or web_cpu_limit is defined %} - limits: -{% endif %} -{% if web_mem_limit is defined %} - memory: "{{ web_mem_limit }}Gi" -{% endif %} -{% if web_cpu_limit is defined %} - cpu: "{{ web_cpu_limit }}m" -{% endif %} - - name: {{ kubernetes_deployment_name }}-task -{% if task_security_context_enabled is defined and task_security_context_enabled | bool %} - securityContext: -{% if task_security_context_privileged is defined %} - privileged: {{ task_security_context_privileged }} -{% endif %} -{% endif %} - image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}" - command: - - /usr/bin/launch_awx_task.sh - imagePullPolicy: Always - volumeMounts: -{% if postgres_root_ca_cert is defined %} - - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - mountPath: {{ ca_trust_bundle }} - subPath: {{ postgres_root_ca_filename }} - readOnly: true -{% endif %} - - name: supervisor-socket - mountPath: "/var/run/supervisor" - - name: rsyslog-socket - 
mountPath: "/var/run/awx-rsyslog" - - name: rsyslog-dir - mountPath: "/var/lib/awx/rsyslog" -{% if ca_trust_dir is defined %} - - name: {{ kubernetes_deployment_name }}-ca-trust-dir - mountPath: "{{ ca_trust_dir }}" - readOnly: true -{% endif %} -{% if custom_venvs is defined %} - - name: custom-venvs - mountPath: {{ custom_venvs_path }} -{% endif %} - - name: {{ kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower/settings.py" - subPath: settings.py - readOnly: true - - - name: "{{ kubernetes_deployment_name }}-application-credentials" - mountPath: "/etc/tower/conf.d/" - readOnly: true - - - name: {{ kubernetes_deployment_name }}-supervisor-web-config - mountPath: "/etc/supervisord.conf" - subPath: supervisor.conf - readOnly: true - - - name: {{ kubernetes_deployment_name }}-supervisor-task-config - mountPath: "/etc/supervisord_task.conf" - subPath: supervisor_task.conf - readOnly: true - - - name: {{ kubernetes_deployment_name }}-secret-key - mountPath: "/etc/tower/SECRET_KEY" - subPath: SECRET_KEY - readOnly: true - - - name: {{ kubernetes_deployment_name }}-redis-socket - mountPath: "/var/run/redis" - env: - - name: SUPERVISOR_WEB_CONFIG_PATH - value: "/etc/supervisord.conf" - - name: AWX_SKIP_MIGRATIONS - value: "1" - - name: MY_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP -{% if ca_trust_dir is defined %} - - name: REQUESTS_CA_BUNDLE - value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -{% endif %} - resources: - requests: - memory: "{{ task_mem_request }}Gi" - cpu: "{{ task_cpu_request }}m" -{% if task_mem_limit is defined or task_cpu_limit is defined %} - limits: -{% endif %} -{% if task_mem_limit is defined %} - memory: "{{ task_mem_limit }}Gi" -{% endif %} -{% if task_cpu_limit is defined %} - cpu: "{{ task_cpu_limit }}m" -{% endif %} - - name: {{ kubernetes_deployment_name }}-redis -{% if redis_security_context_enabled is defined and 
redis_security_context_enabled | bool %} - securityContext: -{% if redis_security_context_privileged is defined %} - privileged: {{ redis_security_context_privileged }} -{% endif %} -{% if redis_security_context_user is defined %} - runAsUser: {{ redis_security_context_user }} -{% endif %} -{% endif %} - image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }} - imagePullPolicy: Always - args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"] - volumeMounts: - - name: {{ kubernetes_deployment_name }}-redis-config - mountPath: "{{ kubernetes_redis_config_mount_path }}" - subPath: redis.conf - readOnly: true - - - name: {{ kubernetes_deployment_name }}-redis-socket - mountPath: "/var/run/redis" - resources: - requests: - memory: "{{ redis_mem_request }}Gi" - cpu: "{{ redis_cpu_request }}m" -{% if redis_mem_limit is defined or redis_cpu_limit is defined %} - limits: -{% endif %} -{% if redis_mem_limit is defined %} - memory: "{{ redis_mem_limit }}Gi" -{% endif %} -{% if redis_cpu_limit is defined %} - cpu: "{{ redis_cpu_limit }}m" -{% endif %} -{% if tolerations is defined %} - tolerations: -{{ tolerations | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} -{% endif %} -{% if node_selector is defined %} - nodeSelector: -{{ node_selector | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} -{% endif %} -{% if affinity is defined %} - affinity: -{{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} -{% endif %} - volumes: -{% if postgres_root_ca_cert is defined %} - - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - configMap: - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - items: - - key: postgres_root_ca.crt - path: postgres_root_ca.crt -{% endif %} - - name: supervisor-socket - emptyDir: {} - - name: rsyslog-socket - emptyDir: {} - - name: rsyslog-dir - emptyDir: {} -{% if ca_trust_dir is defined %} - - name: {{ kubernetes_deployment_name }}-ca-trust-dir - hostPath: - 
path: "{{ ca_trust_dir }}" - type: Directory -{% endif %} -{% if project_data_dir is defined %} - - name: {{ kubernetes_deployment_name }}-project-data-dir - hostPath: - path: "{{ project_data_dir }}" - type: Directory -{% endif %} -{% if custom_venvs is defined %} - - name: custom-venvs - emptyDir: {} -{% endif %} - - name: {{ kubernetes_deployment_name }}-application-config - configMap: - name: {{ kubernetes_deployment_name }}-config - items: - - key: {{ kubernetes_deployment_name }}_settings - path: settings.py - - - name: {{ kubernetes_deployment_name }}-nginx-config - configMap: - name: {{ kubernetes_deployment_name }}-config - items: - - key: {{ kubernetes_deployment_name }}_nginx_conf - path: nginx.conf - - - name: {{ kubernetes_deployment_name }}-redis-config - configMap: - name: {{ kubernetes_deployment_name }}-config - items: - - key: {{ kubernetes_deployment_name }}_redis_conf - path: redis.conf - - - name: "{{ kubernetes_deployment_name }}-application-credentials" - secret: - secretName: "{{ kubernetes_deployment_name }}-secrets" - items: - - key: credentials_py - path: 'credentials.py' - - key: environment_sh - path: 'environment.sh' - - - name: {{ kubernetes_deployment_name }}-supervisor-web-config - configMap: - name: {{ kubernetes_deployment_name }}-supervisor-config - items: - - key: supervisor-web-config - path: 'supervisor.conf' - - - name: {{ kubernetes_deployment_name }}-supervisor-task-config - configMap: - name: {{ kubernetes_deployment_name }}-supervisor-config - items: - - key: supervisor-task-config - path: 'supervisor_task.conf' - - - name: {{ kubernetes_deployment_name }}-secret-key - secret: - secretName: "{{ kubernetes_deployment_name }}-secrets" - items: - - key: secret_key - path: SECRET_KEY - - - name: {{ kubernetes_deployment_name }}-redis-socket - emptyDir: {} - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ kubernetes_deployment_name }}-web-svc - namespace: {{ kubernetes_namespace }} - labels: - name: {{ 
kubernetes_deployment_name }}-web-svc -{% if kubernetes_service_annotations is defined %} - annotations: -{% for key, value in kubernetes_service_annotations.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} -spec: - type: {{ kubernetes_web_svc_type }} - ports: - - name: http - port: 80 -{% if kubernetes_web_svc_type == "ClusterIP" %} - nodePort: null -{% endif %} - targetPort: 8052 - selector: - name: {{ kubernetes_deployment_name }}-web-deploy - -{% if kubernetes_context is defined %} ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ kubernetes_deployment_name }}-web-svc - namespace: {{ kubernetes_namespace }} -{% if kubernetes_ingress_annotations is defined %} - annotations: -{% for key, value in kubernetes_ingress_annotations.items() %} - {{ key }}: "{{ value }}" -{% endfor %} -{% endif %} - -spec: -{% if kubernetes_ingress_hostname is defined %} - rules: - - host: {{ kubernetes_ingress_hostname }} - http: - paths: - - path: / - backend: - serviceName: {{ kubernetes_deployment_name }}-web-svc - servicePort: 80 -{% else %} - backend: - serviceName: {{ kubernetes_deployment_name }}-web-svc - servicePort: 80 -{% endif %} -{% if kubernetes_ingress_tls_secret is defined %} - tls: - - hosts: - - {{ kubernetes_ingress_hostname }} - secretName: {{ kubernetes_ingress_tls_secret }} -{% endif %} -{% endif %} -{% if openshift_host is defined %} ---- -apiVersion: v1 -kind: Route -metadata: - name: {{ kubernetes_deployment_name }}-web-svc - namespace: {{ kubernetes_namespace }} -spec: - port: - targetPort: http - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - to: - kind: Service - name: {{ kubernetes_deployment_name }}-web-svc - weight: 100 - wildcardPolicy: None -{% endif %} diff --git a/installer/roles/kubernetes/templates/environment.sh.j2 b/installer/roles/kubernetes/templates/environment.sh.j2 deleted file mode 100644 index 45fd3fba8e..0000000000 
--- a/installer/roles/kubernetes/templates/environment.sh.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-DATABASE_USER={{ pg_username }}
-DATABASE_NAME={{ pg_database }}
-DATABASE_HOST={{ pg_hostname|default('postgresql') }}
-DATABASE_PORT={{ pg_port|default('5432') }}
-DATABASE_PASSWORD={{ pg_password | quote }}
diff --git a/installer/roles/kubernetes/templates/management-pod.yml.j2 b/installer/roles/kubernetes/templates/management-pod.yml.j2
deleted file mode 100644
index 2a41853fa8..0000000000
--- a/installer/roles/kubernetes/templates/management-pod.yml.j2
+++ /dev/null
@@ -1,106 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: ansible-tower-management - namespace: {{ kubernetes_namespace }} -{% if kubernetes_pod_annotations is defined %} - annotations: -{% for key, value in kubernetes_pod_annotations.items() %} - {{ key }}: {{ value | quote }} -{% endfor %} -{% endif %} -spec: -{% if kubernetes_image_pull_secrets is defined %} - imagePullSecrets: - - name: "{{ kubernetes_image_pull_secrets }}" -{% endif %} - containers: - - name: ansible-tower-management - image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}" - imagePullPolicy: Always - command: ["sleep", "infinity"] - volumeMounts: -{% if ca_trust_dir is defined %} - - name: {{ kubernetes_deployment_name }}-ca-trust-dir - mountPath: "/etc/pki/ca-trust/source/anchors/" - readOnly: true - -{% endif %} - - name: {{ kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower/settings.py" - subPath: settings.py - readOnly: true -{% if postgres_root_ca_cert is defined %} - - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - mountPath: {{ ca_trust_bundle }} - subPath: {{ postgres_root_ca_filename }} - readOnly: true -{% endif %} - - name: "{{ kubernetes_deployment_name }}-application-credentials" - mountPath: "/etc/tower/conf.d/" - readOnly: true - - - name: {{ kubernetes_deployment_name }}-secret-key - mountPath: "/etc/tower/SECRET_KEY" - subPath: SECRET_KEY - readOnly: true - resources: -{% if management_mem_limit is defined or management_cpu_limit is defined %} - limits: -{% endif %} -{% if management_mem_limit is defined %} - memory: "{{ management_mem_limit }}Gi" -{% endif %} -{% if management_cpu_limit is defined %} - cpu: "{{ management_cpu_limit }}m" -{% endif %} -{% if tolerations is defined %} - tolerations: -{{ tolerations | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) }} -{% endif %} -{% if node_selector is defined %} - nodeSelector: -{{ node_selector | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) 
}} -{% endif %} -{% if affinity is defined %} - affinity: -{{ affinity | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) }} -{% endif %} - volumes: -{% if ca_trust_dir is defined %} - - name: {{ kubernetes_deployment_name }}-ca-trust-dir - hostPath: - path: "{{ ca_trust_dir }}" - type: Directory - -{% endif %} - - name: {{ kubernetes_deployment_name }}-application-config - configMap: - name: {{ kubernetes_deployment_name }}-config - items: - - key: {{ kubernetes_deployment_name }}_settings - path: settings.py -{% if postgres_root_ca_cert is defined %} - - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - configMap: - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - items: - - key: postgres_root_ca.crt - path: postgres_root_ca.crt -{% endif %} - - name: {{ kubernetes_deployment_name }}-secret-key - secret: - secretName: "{{ kubernetes_deployment_name }}-secrets" - items: - - key: secret_key - path: SECRET_KEY - - - name: "{{ kubernetes_deployment_name }}-application-credentials" - secret: - secretName: "{{ kubernetes_deployment_name }}-secrets" - items: - - key: credentials_py - path: 'credentials.py' - - restartPolicy: Never diff --git a/installer/roles/kubernetes/templates/postgres_root_ca.yml.j2 b/installer/roles/kubernetes/templates/postgres_root_ca.yml.j2 deleted file mode 100644 index 091bfff196..0000000000 --- a/installer/roles/kubernetes/templates/postgres_root_ca.yml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert - namespace: {{ kubernetes_namespace }} -data: - postgres_root_ca.crt: | - {{ postgres_root_ca_cert | indent(width=4) }} diff --git a/installer/roles/kubernetes/templates/postgresql-persistent.yml.j2 b/installer/roles/kubernetes/templates/postgresql-persistent.yml.j2 deleted file mode 100644 index c688083cbb..0000000000 --- a/installer/roles/kubernetes/templates/postgresql-persistent.yml.j2 +++ /dev/null 
@@ -1,176 +0,0 @@ -apiVersion: v1 -kind: Template -labels: - template: postgresql-persistent-template -message: |- - The following service(s) have been created in your project: ${DATABASE_SERVICE_NAME}. - - Username: ${POSTGRESQL_USER} - Password: ${POSTGRESQL_PASSWORD} - Database Name: ${POSTGRESQL_DATABASE} - Connection URL: postgresql://${DATABASE_SERVICE_NAME}:5432/ - - For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/. -metadata: - annotations: - description: |- - PostgreSQL database service, with persistent storage. For more information about using this template, including OpenShift considerations, see https://github.com/sclorg/postgresql-container/. - - NOTE: Scaling to more than one replica is not supported. You must have persistent volumes available in your cluster to use this template. - iconClass: icon-postgresql - openshift.io/display-name: PostgreSQL (Persistent) - tags: database,postgresql - template.openshift.io/documentation-url: https://docs.openshift.org/latest/using_images/db_images/postgresql.html - template.openshift.io/long-description: This template provides a standalone - PostgreSQL server with a database created. The database is stored on persistent - storage. The database name, username, and password are chosen via parameters - when provisioning this service. - template.openshift.io/provider-display-name: Red Hat, Inc. 
- template.openshift.io/support-url: https://access.redhat.com - name: postgresql-persistent -objects: -- apiVersion: v1 - kind: Secret - metadata: - annotations: - template.openshift.io/expose-database_name: '{.data[''database-name'']}' - template.openshift.io/expose-password: '{.data[''database-password'']}' - template.openshift.io/expose-admin_password: '{.data[''database-admin-password'']}' - template.openshift.io/expose-username: '{.data[''database-user'']}' - name: ${DATABASE_SERVICE_NAME} - stringData: - database-name: ${POSTGRESQL_DATABASE} - database-password: ${POSTGRESQL_PASSWORD} - database-admin-password: ${POSTGRESQL_PASSWORD} - database-user: ${POSTGRESQL_USER} -- apiVersion: v1 - kind: Service - metadata: - annotations: - template.openshift.io/expose-uri: postgres://{.spec.clusterIP}:{.spec.ports[?(.name=="postgresql")].port} - name: ${DATABASE_SERVICE_NAME} - spec: - ports: - - name: postgresql - nodePort: 0 - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - name: ${DATABASE_SERVICE_NAME} - sessionAffinity: None - type: ClusterIP - status: - loadBalancer: {} -- apiVersion: v1 - kind: DeploymentConfig - metadata: - annotations: - template.alpha.openshift.io/wait-for-ready: "true" - name: ${DATABASE_SERVICE_NAME} - spec: - replicas: 1 - selector: - name: ${DATABASE_SERVICE_NAME} - strategy: - type: Recreate - template: - metadata: - labels: - name: ${DATABASE_SERVICE_NAME} - spec: - containers: - - capabilities: {} - env: - - name: POSTGRESQL_USER - valueFrom: - secretKeyRef: - key: database-user - name: ${DATABASE_SERVICE_NAME} - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - key: database-password - name: ${DATABASE_SERVICE_NAME} - - name: POSTGRESQL_DATABASE - valueFrom: - secretKeyRef: - key: database-name - name: ${DATABASE_SERVICE_NAME} - - name: POSTGRESQL_MAX_CONNECTIONS - value: ${POSTGRESQL_MAX_CONNECTIONS} - image: registry.redhat.io/rhel8/postgresql-12 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - 
command: - - /usr/libexec/check-container - - --live - initialDelaySeconds: 120 - timeoutSeconds: 10 - name: postgresql - ports: - - containerPort: 5432 - protocol: TCP - readinessProbe: - exec: - command: - - /usr/libexec/check-container - initialDelaySeconds: 5 - timeoutSeconds: 1 - resources: - limits: - memory: ${MEMORY_LIMIT} - securityContext: - capabilities: {} - privileged: false - terminationMessagePath: /dev/termination-log - volumeMounts: - - mountPath: /var/lib/pgsql/data - name: ${DATABASE_SERVICE_NAME}-data - dnsPolicy: ClusterFirst - restartPolicy: Always - volumes: - - name: ${DATABASE_SERVICE_NAME}-data -{% if openshift_pg_emptydir | bool %} - emptyDir: {} -{% else %} - persistentVolumeClaim: - claimName: {{ openshift_pg_pvc_name }} -{% endif %} - triggers: - - type: ConfigChange - status: {} -parameters: -- description: Maximum amount of memory the container can use. - displayName: Memory Limit - name: MEMORY_LIMIT - required: true - value: 512Mi -- description: The OpenShift Namespace where the ImageStream resides. - displayName: Namespace - name: NAMESPACE - value: openshift -- description: The name of the OpenShift Service exposed for the database. - displayName: Database Service Name - name: DATABASE_SERVICE_NAME - required: true - value: postgresql -- description: Username for PostgreSQL user that will be used for accessing the - database. - displayName: PostgreSQL Connection Username - from: user[A-Z0-9]{3} - generate: expression - name: POSTGRESQL_USER - required: true -- description: Password for the PostgreSQL connection user. - displayName: PostgreSQL Connection Password - from: '[a-zA-Z0-9]{16}' - generate: expression - name: POSTGRESQL_PASSWORD - required: true -- description: Name of the PostgreSQL database accessed. - displayName: PostgreSQL Database Name - name: POSTGRESQL_DATABASE - required: true - value: sampledb 
diff --git a/installer/roles/kubernetes/templates/postgresql-values.yml.j2 b/installer/roles/kubernetes/templates/postgresql-values.yml.j2
deleted file mode 100644
index 4fca12a7b7..0000000000
--- a/installer/roles/kubernetes/templates/postgresql-values.yml.j2
+++ /dev/null
@@ -1,64 +0,0 @@
-postgresqlUsername: {{ pg_username }}
-postgresqlPassword: {{ pg_password }}
-postgresqlDatabase: {{ pg_database }}
-persistence:
- size: {{ pg_volume_capacity|default('5') }}Gi
-{% if pg_persistence_storageClass is defined %}
- storageClass: {{ pg_persistence_storageClass }}
-{% endif %}
-{% if pg_persistence_existingclaim is defined %}
- existingClaim: {{ pg_persistence_existingclaim }}
-{% endif %}
-{% if pg_cpu_limit is defined or pg_mem_limit is defined %}
-resources:
- limits:
-{% if pg_cpu_limit is defined %}
- cpu: {{ pg_cpu_limit | string }}m
-{% endif %}
-{% if pg_mem_limit is defined %}
- memory: {{ pg_mem_limit | string }}Gi
-{% endif %}
-{% endif %}
-{% if tolerations is defined or node_selector is defined or affinity is defined %}
-master:
-{% if tolerations is defined %}
- tolerations:
-{{ tolerations | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) }}
-{% endif %}
-{% if node_selector is defined %}
- nodeSelector:
-{{ node_selector | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) }}
-{% endif %}
-{% if affinity is defined %}
- affinity:
-{{ affinity | to_nice_yaml(indent=2) | indent(width=4, indentfirst=True) }}
-{% endif %}
-{% endif %}
-image:
-{% if pg_image_registry is defined %}
-# The default bitnami image from the chart doesn't work on ARM
- registry: {{ pg_image_registry }}
-{% endif %}
-{% if pg_image_registry is not defined %}
- registry: docker.io/bitnami
-{% endif %}
- repository: postgresql
- tag: '12.5.0'
-volumePermissions:
- image:
-{% if pg_image_registry is defined %}
- registry: {{ pg_image_registry }}
-{% endif %}
- # The default bitnami image from the chart doesn't work on ARM
- repository: alpine
- tag: '3'
-{% if pg_image_registry is defined %}
-metrics:
- image:
- registry: {{ pg_image_registry }}
-{% endif %}
-{% if pg_serviceaccount is defined %}
-serviceAccount:
- enabled: true
- name: {{ pg_serviceaccount }}
-{% endif %}
diff --git a/installer/roles/kubernetes/templates/secret.yml.j2 b/installer/roles/kubernetes/templates/secret.yml.j2
deleted file mode 100644
index 989cb4485f..0000000000
--- a/installer/roles/kubernetes/templates/secret.yml.j2
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- namespace: {{ kubernetes_namespace }}
- name: "{{ kubernetes_deployment_name }}-secrets"
-type: Opaque
-data:
- secret_key: "{{ secret_key | b64encode }}"
- credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
- environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
diff --git a/installer/roles/kubernetes/templates/supervisor.yml.j2 b/installer/roles/kubernetes/templates/supervisor.yml.j2
deleted file mode 100644
index da93f29e5d..0000000000
--- a/installer/roles/kubernetes/templates/supervisor.yml.j2
+++ /dev/null
@@ -1,149 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ kubernetes_deployment_name }}-supervisor-config - namespace: {{ kubernetes_namespace }} -data: - supervisor-web-config: | - [supervisord] - nodaemon = True - umask = 022 - logfile = /dev/stdout - logfile_maxbytes = 0 - pidfile = /var/run/supervisor/supervisor.web.pid - - [program:nginx] - command = nginx -g "daemon off;" - autostart = true - autorestart = true - stopwaitsecs = 5 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [program:uwsgi] - command = {{ uwsgi_bash }} '/var/lib/awx/venv/awx/bin/uwsgi --socket 127.0.0.1:8050 --module=awx.wsgi:application --vacuum --processes=5 --harakiri=120 --no-orphans --master --max-requests=1000 --master-fifo=/var/lib/awx/awxfifo --lazy-apps -b 32768' - directory = /var/lib/awx - autostart = true - autorestart = true - stopwaitsecs = 15 - stopsignal = INT - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [program:daphne] - command = {{ uwsgi_bash }} '/var/lib/awx/venv/awx/bin/daphne -b 127.0.0.1 -p 8051 awx.asgi:channel_layer' - directory = /var/lib/awx - autostart = true - autorestart = true - stopwaitsecs = 5 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [program:wsbroadcast] - command = awx-manage run_wsbroadcast - directory = /var/lib/awx - autostart = true - autorestart = true - stopwaitsecs = 5 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [program:awx-rsyslogd] - command = rsyslogd -n -i /var/run/awx-rsyslog/rsyslog.pid -f /var/lib/awx/rsyslog/rsyslog.conf - autostart = true - autorestart = true - stopwaitsecs = 5 - startretries = 10 - stopsignal=TERM - stopasgroup=true - killasgroup=true - redirect_stderr=true - stdout_logfile=/dev/stderr - stdout_logfile_maxbytes=0 - - 
[group:tower-processes] - programs=nginx,uwsgi,daphne,wsbroadcast,awx-rsyslogd - priority=5 - - # TODO: Exit Handler - - [eventlistener:awx-config-watcher] - command=/usr/bin/config-watcher - stderr_logfile=/dev/stdout - stderr_logfile_maxbytes=0 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - events=TICK_60 - priority=0 - - [unix_http_server] - file=/var/run/supervisor/supervisor.web.sock - - [supervisorctl] - serverurl=unix:///var/run/supervisor/supervisor.web.sock ; use a unix:// URL for a unix socket - - [rpcinterface:supervisor] - supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - - supervisor-task-config: | - [supervisord] - nodaemon = True - umask = 022 - logfile = /dev/stdout - logfile_maxbytes = 0 - pidfile = /var/run/supervisor/supervisor.pid - - [program:dispatcher] - command = awx-manage run_dispatcher - directory = /var/lib/awx - environment = LANGUAGE="en_US.UTF-8",LANG="en_US.UTF-8",LC_ALL="en_US.UTF-8",LC_CTYPE="en_US.UTF-8" - autostart = true - autorestart = true - stopwaitsecs = 5 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [program:callback-receiver] - command = awx-manage run_callback_receiver - directory = /var/lib/awx - autostart = true - autorestart = true - stopwaitsecs = 5 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - stderr_logfile=/dev/stderr - stderr_logfile_maxbytes=0 - - [group:tower-processes] - programs=dispatcher,callback-receiver - priority=5 - - # TODO: Exit Handler - - [eventlistener:awx-config-watcher] - command=/usr/bin/config-watcher - stderr_logfile=/dev/stdout - stderr_logfile_maxbytes=0 - stdout_logfile=/dev/stdout - stdout_logfile_maxbytes=0 - events=TICK_60 - priority=0 - - [unix_http_server] - file=/var/run/supervisor/supervisor.sock - - [supervisorctl] - serverurl=unix:///var/run/supervisor/supervisor.sock ; use a unix:// URL for a unix socket - - [rpcinterface:supervisor] - 
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
diff --git a/installer/roles/kubernetes/vars/openshift.yml b/installer/roles/kubernetes/vars/openshift.yml
deleted file mode 100644
index 6e1fd30a3c..0000000000
--- a/installer/roles/kubernetes/vars/openshift.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-openshift_oc_config_file: "{{ kubernetes_base_path }}/.kube/config"
-openshift_oc_bin: "oc --kubeconfig={{ openshift_oc_config_file }}"