diff --git a/installer/inventory b/installer/inventory
index 2c3e47175f..16b6c088d6 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -55,12 +55,6 @@ postgres_data_dir=/tmp/pgdocker
 host_port=80
 #ssl_certificate=
-# Docker Compose Install
-# use_docker_compose=false
-# The docker_compose.yml file will be created in this directory
-# The name of the directory (here "awx") will be the prefix of the docker containers
-docker_compose_dir=/var/lib/awx
-
 # Required for Openshift when building the image on your own
 # Optional for Openshift if using Dockerhub or another prebuilt registry
 # Required for Standalone Docker Install if building the image on your own
diff --git a/installer/roles/image_build/files/launch_awx.sh b/installer/roles/image_build/files/launch_awx.sh
index a8198eed09..50ef773884 100755
--- a/installer/roles/image_build/files/launch_awx.sh
+++ b/installer/roles/image_build/files/launch_awx.sh
@@ -5,10 +5,15 @@ if [ `id -u` -ge 500 ]; then
 rm /tmp/passwd
 fi
+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m postgresql_db --become-user $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST login_password=$DATABASE_PASSWORD port=$DATABASE_PORT" all
 awx-manage collectstatic --noinput --clear
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor.conf
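Review bot: The new `unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)` line derives variable names from every line of the file, so any comment or non-assignment line that is later added to environment.sh.j2 would make `unset` report "not a valid identifier"; restricting the extraction to assignment lines avoids that: `unset $(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' /etc/tower/conf.d/environment.sh)`. Note also that `source` of plain `NAME=value` lines sets shell variables that are not exported, so the later `supervisord` would not inherit them anyway unless the script runs under `set -a` (the shebang and any `set` options are outside the hunk); the `unset` is still worthwhile as a guard against the same names arriving pre-exported from the container environment. The same two lines are repeated in both launch_awx_task.sh hunks on the next line.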
diff --git a/installer/roles/image_build/files/launch_awx_task.sh b/installer/roles/image_build/files/launch_awx_task.sh
index b672e76f0b..3165c33043 100755
--- a/installer/roles/image_build/files/launch_awx_task.sh
+++ b/installer/roles/image_build/files/launch_awx_task.sh
@@ -5,6 +5,8 @@ if [ `id -u` -ge 500 ]; then
 rm /tmp/passwd
 fi
+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
@@ -24,4 +26,7 @@ fi
 echo 'from django.conf import settings; x = settings.AWX_TASK_ENV; x["HOME"] = "/var/lib/awx"; settings.AWX_TASK_ENV = x' | awx-manage shell
 awx-manage provision_instance --hostname=$(hostname)
 awx-manage register_queue --queuename=tower --instance_percent=100
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor_task.conf
diff --git a/installer/roles/image_build/files/settings.py b/installer/roles/image_build/files/settings.py
index 527c884496..d2d2077d76 100644
--- a/installer/roles/image_build/files/settings.py
+++ b/installer/roles/image_build/files/settings.py
@@ -6,7 +6,6 @@ import os
 def get_secret():
 if os.path.exists("/etc/tower/SECRET_KEY"):
 return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
- return os.getenv("SECRET_KEY", "privateawx")
 ADMINS = ()
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 9f102f689b..78abff3926 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
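Review bot: With the `return os.getenv("SECRET_KEY", "privateawx")` fallback removed, `get_secret()` now falls off the end and returns `None` whenever /etc/tower/SECRET_KEY is absent, so a container started without the mounted file fails later inside Django with a generic empty-SECRET_KEY error instead of at the point where the cause is known. Dropping the hard-coded default is the right call; replace the removed line with an explicit failure that names the file, e.g. `raise RuntimeError("/etc/tower/SECRET_KEY is missing")`, and state in a docstring that the file is now mandatory. The file handle on the remaining `return open(...)` line is never closed; `with open('/etc/tower/SECRET_KEY', 'rb') as f: return f.read().strip()` is the usual form, although that line is unchanged by this commit.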
@@ -145,27 +145,9 @@ spec:
 mountPath: "/etc/tower"
 readOnly: true
- - name: "{{ kubernetes_deployment_name }}-confd"
+ - name: "{{ kubernetes_deployment_name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/"
 readOnly: true
- env:
- - name: DATABASE_USER
- value: {{ pg_username }}
- - name: DATABASE_NAME
- value: {{ pg_database }}
- - name: DATABASE_HOST
- value: {{ pg_hostname|default('postgresql') }}
- - name: DATABASE_PORT
- value: "{{ pg_port|default('5432') }}"
- - name: DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: "{{ kubernetes_deployment_name }}-secrets"
- key: pg_password
- - name: MEMCACHED_HOST
- value: {{ memcached_hostname|default('localhost') }}
- - name: RABBITMQ_HOST
- value: {{ rabbitmq_hostname|default('localhost') }}
 resources:
 requests:
 memory: "{{ web_mem_request }}Gi"
@@ -191,36 +173,9 @@ spec:
 mountPath: "/etc/tower"
 readOnly: true
- - name: "{{ kubernetes_deployment_name }}-confd"
+ - name: "{{ kubernetes_deployment_name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/"
 readOnly: true
- env:
- - name: AWX_SKIP_MIGRATIONS
- value: "1"
- - name: DATABASE_USER
- value: {{ pg_username }}
- - name: DATABASE_NAME
- value: {{ pg_database }}
- - name: DATABASE_HOST
- value: {{ pg_hostname|default('postgresql') }}
- - name: DATABASE_PORT
- value: "{{ pg_port|default('5432') }}"
- - name: DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: "{{ kubernetes_deployment_name }}-secrets"
- key: pg_password
- - name: MEMCACHED_HOST
- value: {{ memcached_hostname|default('localhost') }}
- - name: RABBITMQ_HOST
- value: {{ rabbitmq_hostname|default('localhost') }}
- - name: AWX_ADMIN_USER
- value: {{ admin_user }}
- - name: AWX_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: "{{ kubernetes_deployment_name }}-secrets"
- key: admin_password
 resources:
 requests:
 memory: "{{ task_mem_request }}Gi"
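Review bot: The second hunk (@@ -191,36 +173,9 @@) removes the task container's `AWX_SKIP_MIGRATIONS`, `AWX_ADMIN_USER` and `AWX_ADMIN_PASSWORD` env entries, but the new environment.sh.j2 that replaces the env block only defines `DATABASE_*`, `MEMCACHED_HOST` and `RABBITMQ_HOST`, so nothing in this commit carries those three values into the container any more. If launch_awx_task.sh still reads them (the part of that script between its two visible hunks is not shown), initial admin creation and the migration skip change behaviour silently. Either add them to environment.sh.j2, accepting that the admin password then sits next to the database password in the same secret-backed file, or keep them as `env` entries fed from the existing `admin_password` key of `{{ kubernetes_deployment_name }}-secrets`. The docker-compose.yml.j2 hunks at @@ -46,21 +47,6 @@ and @@ -105,21 +92,6 @@ drop the same `AWX_ADMIN_*` entries with the same gap.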
@@ -312,12 +267,14 @@ spec:
 - key: secret_key
 path: SECRET_KEY
- - name: "{{ kubernetes_deployment_name }}-confd"
+ - name: "{{ kubernetes_deployment_name }}-application-credentials"
 secret:
 secretName: "{{ kubernetes_deployment_name }}-secrets"
 items:
- - key: confd_contents
- path: 'secrets.py'
+ - key: credentials_py
+ path: 'credentials.py'
+ - key: environment_sh
+ path: 'environment.sh'
 - name: rabbitmq-config
 configMap:
diff --git a/installer/roles/kubernetes/templates/environment.sh.j2 b/installer/roles/kubernetes/templates/environment.sh.j2
new file mode 100644
index 0000000000..1c7b79ff5c
--- /dev/null
+++ b/installer/roles/kubernetes/templates/environment.sh.j2
@@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgresql') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}
diff --git a/installer/roles/kubernetes/templates/management-pod.yml.j2 b/installer/roles/kubernetes/templates/management-pod.yml.j2
index c7fe44efb9..890d251062 100644
--- a/installer/roles/kubernetes/templates/management-pod.yml.j2
+++ b/installer/roles/kubernetes/templates/management-pod.yml.j2
@@ -14,7 +14,7 @@ spec:
 mountPath: "/etc/tower"
 readOnly: true
- - name: "{{ kubernetes_deployment_name }}-confd"
+ - name: "{{ kubernetes_deployment_name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/"
 readOnly: true
 resources:
@@ -37,11 +37,11 @@ spec:
 - key: secret_key
 path: SECRET_KEY
- - name: "{{ kubernetes_deployment_name }}-confd"
+ - name: "{{ kubernetes_deployment_name }}-application-credentials"
 secret:
 secretName: "{{ kubernetes_deployment_name }}-secrets"
 items:
- - key: confd_contents
- path: 'secrets.py'
+ - key: credentials_py
+ path: 'credentials.py'
 restartPolicy: Never
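Review bot: The values in the new environment.sh.j2 are rendered unquoted (`DATABASE_PASSWORD={{ pg_password }}`) and the file is executed with `source` by the launch scripts, so a password containing whitespace, `$`, `;`, quotes or other shell metacharacters is truncated or interpreted as shell syntax instead of being stored verbatim. Use Ansible's `quote` filter so each value becomes one shell-safe word, `DATABASE_PASSWORD={{ pg_password | quote }}`, and apply it to the remaining values too since host and port also come from inventory. The `cut -d = -f -1` name extraction the launch scripts use to unset these variables still works on quoted values. The local_docker copy of this template (the last hunk of the diff) has the same issue.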
diff --git a/installer/roles/kubernetes/templates/secret.yml.j2 b/installer/roles/kubernetes/templates/secret.yml.j2
index f85f75e295..ec71f1001f 100644
--- a/installer/roles/kubernetes/templates/secret.yml.j2
+++ b/installer/roles/kubernetes/templates/secret.yml.j2
@@ -10,4 +10,5 @@ data:
 pg_password: "{{ pg_password | b64encode }}"
 rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
 rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
- confd_contents: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+ credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+ environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
diff --git a/installer/roles/local_docker/defaults/main.yml b/installer/roles/local_docker/defaults/main.yml
index 0fbea21553..8d4d015bff 100644
--- a/installer/roles/local_docker/defaults/main.yml
+++ b/installer/roles/local_docker/defaults/main.yml
@@ -10,4 +10,6 @@ rabbitmq_default_username: "guest"
 rabbitmq_default_password: "guest"
 postgresql_version: "9.6"
-postgresql_image: "postgres:{{postgresql_version}}"
\ No newline at end of file
+postgresql_image: "postgres:{{postgresql_version}}"
+
+docker_compose_dir: "/var/lib/awx"
diff --git a/installer/roles/local_docker/tasks/compose.yml b/installer/roles/local_docker/tasks/compose.yml
index 5cfd210ee9..31167a7493 100644
--- a/installer/roles/local_docker/tasks/compose.yml
+++ b/installer/roles/local_docker/tasks/compose.yml
@@ -10,6 +10,21 @@
 dest: "{{ docker_compose_dir }}/docker-compose.yml"
 register: awx_compose_config
+
+- name: Render secrets file
+ template:
+ src: environment.sh.j2
+ dest: "{{ docker_compose_dir }}/environment.sh"
+
+- name: Render application credentials
+ template:
+ src: credentials.py.j2
+ dest: "{{ docker_compose_dir }}/credentials.py"
+
+- name: Render SECRET_KEY file
+ copy:
+ content: "{{ secret_key }}"
+ dest: "{{ docker_compose_dir }}/SECRET_KEY"
+
 - name: Start the containers
 docker_service:
 project_src: "{{ docker_compose_dir }}"
diff --git a/installer/roles/local_docker/tasks/main.yml b/installer/roles/local_docker/tasks/main.yml
index 7022bd5995..647072b396 100644
--- a/installer/roles/local_docker/tasks/main.yml
+++ b/installer/roles/local_docker/tasks/main.yml
@@ -1,7 +1,2 @@
 - import_tasks: set_image.yml
-
-- import_tasks: standalone.yml
- when: not (use_docker_compose | default(False) | bool)
-
 - import_tasks: compose.yml
- when: use_docker_compose | default(False) | bool
diff --git a/installer/roles/local_docker/tasks/standalone.yml b/installer/roles/local_docker/tasks/standalone.yml
deleted file mode 100644
index fc08126e4b..0000000000
--- a/installer/roles/local_docker/tasks/standalone.yml
+++ /dev/null
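Review bot: The three new tasks write the database password (environment.sh), the Django `DATABASES` settings including that password (credentials.py) and the `secret_key` value (SECRET_KEY) onto the host under `{{ docker_compose_dir }}` without a `mode:`, so `template` and `copy` fall back to the umask and the files are typically created world-readable for every local account on the Docker host. Add `mode: '0600'` to each of the three tasks (plus `owner:`/`group:` if the compose directory is not owned by the connecting user); the services run as `user: root` per docker-compose.yml.j2, so under a default non-user-namespaced Docker setup the tighter mode does not affect the bind mounts. Previously these values lived only in the container environment; putting them on disk removes them from `docker inspect` output but makes host file permissions the new boundary.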
@@ -1,164 +0,0 @@
----
-- name: Activate postgres container
- docker_container:
- name: postgres
- state: started
- restart_policy: unless-stopped
- image: "{{ postgresql_image }}"
- volumes:
- - "{{ postgres_data_dir }}:/var/lib/postgresql/data:Z"
- env:
- POSTGRES_USER: "{{ pg_username }}"
- POSTGRES_PASSWORD: "{{ pg_password }}"
- POSTGRES_DB: "{{ pg_database }}"
- PGDATA: "/var/lib/postgresql/data/pgdata"
- when: pg_hostname is not defined or pg_hostname == ''
- register: postgres_container_activate
-
-- name: Activate rabbitmq container
- docker_container:
- name: rabbitmq
- state: started
- restart_policy: unless-stopped
- image: "{{ rabbitmq_image }}"
- env:
- RABBITMQ_DEFAULT_VHOST: "{{ rabbitmq_default_vhost }}"
- RABBITMQ_ERLANG_COOKIE: "{{ rabbitmq_erlang_cookie }}"
- RABBITMQ_DEFAULT_USER: "{{ rabbitmq_default_username }}"
- RABBITMQ_DEFAULT_PASS: "{{ rabbitmq_default_password }}"
- register: rabbitmq_container_activate
-
-- name: Activate memcached container
- docker_container:
- name: memcached
- state: started
- restart_policy: unless-stopped
- image: memcached:alpine
-
-- name: Wait for postgres and rabbitmq to activate
- pause:
- seconds: 15
- when: postgres_container_activate.changed or rabbitmq_container_activate.changed
-
-- name: Set properties without postgres for awx_web
- set_fact:
- pg_hostname_actual: "{{ pg_hostname }}"
- awx_web_container_links:
- - rabbitmq
- - memcached
- when: pg_hostname is defined
-
-- name: Set properties with postgres for awx_web
- set_fact:
- pg_hostname_actual: postgres
- awx_web_container_links:
- - rabbitmq
- - memcached
- - postgres
- when: pg_hostname is not defined or pg_hostname == ''
-
-- name: Set properties without postgres for awx_task
- set_fact:
- pg_hostname_actual: "{{ pg_hostname }}"
- awx_task_container_links:
- - rabbitmq
- - memcached
- - awx_web:awxweb
- when: pg_hostname is defined
-
-- name: Set properties with postgres for awx_task
- set_fact:
- pg_hostname_actual: postgres
- awx_task_container_links:
- - rabbitmq
- - memcached
- - awx_web:awxweb
- - postgres
- when: pg_hostname is not defined or pg_hostname == ''
-
-- name: Activate AWX Web Container
- docker_container:
- name: awx_web
- state: started
- restart_policy: unless-stopped
- image: "{{ awx_web_docker_actual_image }}"
- volumes: >
- {{
- ([project_data_dir + ':/var/lib/awx/projects:z'] if project_data_dir is defined else [])
- + ([ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro'] if ca_trust_dir is defined else [])
- + ([ssl_certificate + ':/etc/nginx/awxweb.pem:ro'] if ssl_certificate is defined else [])
- }}
- user: root
- ports:
- - "{{ host_port }}:8052"
- links: "{{ awx_web_container_links|list }}"
- hostname: "{{ awx_web_hostname }}"
- dns_search_domains: "{{ awx_container_search_domains.split(',') if awx_container_search_domains is defined else omit }}"
- dns_servers: "{{ awx_alternate_dns_servers.split(',') if awx_alternate_dns_servers is defined else omit }}"
- env:
- http_proxy: "{{ http_proxy | default('') }}"
- https_proxy: "{{ https_proxy | default('') }}"
- no_proxy: "{{ no_proxy | default('') }}"
- SECRET_KEY: "{{ secret_key }}"
- DATABASE_NAME: "{{ pg_database }}"
- DATABASE_USER: "{{ pg_username }}"
- DATABASE_PASSWORD: "{{ pg_password }}"
- DATABASE_PORT: "{{ pg_port }}"
- DATABASE_HOST: "{{ pg_hostname_actual }}"
- DATABASE_SSLMODE: "{{ pg_sslmode | default(omit) }}"
- RABBITMQ_USER: "{{ rabbitmq_default_username }}"
- RABBITMQ_PASSWORD: "{{ rabbitmq_default_password }}"
- RABBITMQ_HOST: "rabbitmq"
- RABBITMQ_PORT: "{{ rabbitmq_port }}"
- RABBITMQ_VHOST: "{{ rabbitmq_default_vhost }}"
- MEMCACHED_HOST: "memcached"
- MEMCACHED_PORT: "11211"
- AWX_ADMIN_USER: "{{ admin_user|default('admin') }}"
- AWX_ADMIN_PASSWORD: "{{ admin_password|default('password') }}"
- register: awx_web_container
-
-- name: Update CA trust in awx_web container
- command: docker exec awx_web '/usr/bin/update-ca-trust'
- when: awx_web_container.changed
-
-- name: Activate AWX Task Container
- docker_container:
- name: awx_task
- state: started
- restart_policy: unless-stopped
- image: "{{ awx_task_docker_actual_image }}"
- volumes: >
- {{
- ([project_data_dir + ':/var/lib/awx/projects:z'] if project_data_dir is defined else [])
- + ([ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro'] if ca_trust_dir is defined else [])
- }}
- links: "{{ awx_task_container_links|list }}"
- user: root
- hostname: "{{ awx_task_hostname }}"
- dns_search_domains: "{{ awx_container_search_domains.split(',') if awx_container_search_domains is defined else omit }}"
- dns_servers: "{{ awx_alternate_dns_servers.split(',') if awx_alternate_dns_servers is defined else omit }}"
- env:
- http_proxy: "{{ http_proxy | default('') }}"
- https_proxy: "{{ https_proxy | default('') }}"
- no_proxy: "{{ no_proxy | default('') }}"
- SECRET_KEY: "{{ secret_key }}"
- DATABASE_NAME: "{{ pg_database }}"
- DATABASE_USER: "{{ pg_username }}"
- DATABASE_PASSWORD: "{{ pg_password }}"
- DATABASE_HOST: "{{ pg_hostname_actual }}"
- DATABASE_PORT: "{{ pg_port }}"
- DATABASE_SSLMODE: "{{ pg_sslmode | default(omit) }}"
- RABBITMQ_USER: "{{ rabbitmq_default_username }}"
- RABBITMQ_PASSWORD: "{{ rabbitmq_default_password }}"
- RABBITMQ_HOST: "rabbitmq"
- RABBITMQ_PORT: "{{ rabbitmq_port }}"
- RABBITMQ_VHOST: "{{ rabbitmq_default_vhost }}"
- MEMCACHED_HOST: "memcached"
- MEMCACHED_PORT: "11211"
- AWX_ADMIN_USER: "{{ admin_user|default('admin') }}"
- AWX_ADMIN_PASSWORD: "{{ admin_password|default('password') }}"
- register: awx_task_container
-
-- name: Update CA trust in awx_task container
- command: docker exec awx_task '/usr/bin/update-ca-trust'
- when: awx_task_container.changed
diff --git a/installer/roles/local_docker/templates/credentials.py.j2 b/installer/roles/local_docker/templates/credentials.py.j2
new file mode 100644
index 0000000000..70c3f64bfa
--- /dev/null
+++ b/installer/roles/local_docker/templates/credentials.py.j2
@@ -0,0 +1,22 @@
+DATABASES = {
+ 'default': {
+ 'ATOMIC_REQUESTS': True,
+ 'ENGINE': 'django.db.backends.postgresql',
+ 'NAME': "{{ pg_database }}",
+ 'USER': "{{ pg_username }}",
+ 'PASSWORD': "{{ pg_password }}",
+ 'HOST': "{{ pg_hostname|default('postgres') }}",
+ 'PORT': "{{ pg_port }}",
+ }
+}
+BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
+ "{{ rabbitmq_user }}",
+ "{{ rabbitmq_password }}",
+ "localhost",
+ "5672",
+ "awx")
+CHANNEL_LAYERS = {
+ 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
+ 'ROUTING': 'awx.main.routing.channel_routing',
+ 'CONFIG': {'url': BROKER_URL}}
+}
diff --git a/installer/roles/local_docker/templates/docker-compose.yml.j2 b/installer/roles/local_docker/templates/docker-compose.yml.j2
index 5e227bf260..29354dafe5 100644
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -15,9 +15,10 @@ services:
 hostname: {{ awx_web_hostname }}
 user: root
 restart: unless-stopped
- {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
 volumes:
- {% endif %}
+ - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+ - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+ - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
 {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
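Review bot: `BROKER_URL` in the new local_docker credentials.py.j2 hard-codes the broker host as `"localhost"`, while in this role rabbitmq is a separate compose service (the `rabbitmq:` service appears in the docker-compose.yml.j2 hunk below) and the sibling environment.sh.j2 defaults `RABBITMQ_HOST` to `rabbitmq`; unless the web and task containers share a network namespace with it, the `localhost` URL will not reach the broker. The template also references `rabbitmq_user` and `rabbitmq_password`, whereas this role's defaults (defaults/main.yml hunk above) define `rabbitmq_default_username` / `rabbitmq_default_password`, so rendering fails on an undefined variable unless those names are supplied by the inventory. Suggest `"{{ rabbitmq_hostname|default('rabbitmq') }}"` in place of `"localhost"` and `"{{ rabbitmq_default_username }}"` / `"{{ rabbitmq_default_password }}"` for the credentials, which also keeps the template consistent with the env block it replaces.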
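Review bot: The three new bind mounts for SECRET_KEY, environment.sh and credentials.py are mounted read-write (no `:ro` suffix) and the service runs as `user: root`, so a process inside the container can alter the host copies of the database password and the Django signing key. Append `:ro` to each, e.g. `- "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY:ro"`; the launch scripts only read these files (`source`, `cut`) and settings.py only reads SECRET_KEY, so nothing visible needs write access. The same three lines are repeated in the task service hunk (@@ -74,9 +60,10 @@) on the next line.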
@@ -46,21 +47,6 @@ services:
 http_proxy: {{ http_proxy | default('') }}
 https_proxy: {{ https_proxy | default('') }}
 no_proxy: {{ no_proxy | default('') }}
- SECRET_KEY: {{ secret_key }}
- DATABASE_NAME: {{ pg_database }}
- DATABASE_USER: {{ pg_username }}
- DATABASE_PASSWORD: {{ pg_password }}
- DATABASE_PORT: {{ pg_port }}
- DATABASE_HOST: {{ pg_hostname|default("postgres") }}
- RABBITMQ_USER: guest
- RABBITMQ_PASSWORD: guest
- RABBITMQ_HOST: rabbitmq
- RABBITMQ_PORT: 5672
- RABBITMQ_VHOST: awx
- MEMCACHED_HOST: memcached
- MEMCACHED_PORT: 11211
- AWX_ADMIN_USER: {{ admin_user|default('admin') }}
- AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}
 task:
 image: {{ awx_task_docker_actual_image }}
@@ -74,9 +60,10 @@ services:
 hostname: {{ awx_task_hostname }}
 user: root
 restart: unless-stopped
- {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
 volumes:
- {% endif %}
+ - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+ - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+ - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
 {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
@@ -105,21 +92,6 @@ services:
 http_proxy: {{ http_proxy | default('') }}
 https_proxy: {{ https_proxy | default('') }}
 no_proxy: {{ no_proxy | default('') }}
- SECRET_KEY: {{ secret_key }}
- DATABASE_NAME: {{ pg_database }}
- DATABASE_USER: {{ pg_username }}
- DATABASE_PASSWORD: {{ pg_password }}
- DATABASE_HOST: {{ pg_hostname|default("postgres") }}
- DATABASE_PORT: {{ pg_port }}
- RABBITMQ_USER: guest
- RABBITMQ_PASSWORD: guest
- RABBITMQ_HOST: rabbitmq
- RABBITMQ_PORT: 5672
- RABBITMQ_VHOST: awx
- MEMCACHED_HOST: memcached
- MEMCACHED_PORT: 11211
- AWX_ADMIN_USER: {{ admin_user|default('admin') }}
- AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}
 rabbitmq:
 image: {{ rabbitmq_image }}
diff --git a/installer/roles/local_docker/templates/environment.sh.j2 b/installer/roles/local_docker/templates/environment.sh.j2
new file mode 100644
index 0000000000..4e58117a20
--- /dev/null
+++ b/installer/roles/local_docker/templates/environment.sh.j2
@@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgres') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('memcached') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('rabbitmq') }}