AWX dev environment changes for receptor work signing feature

-- Updated devel build to take most recent receptor binary -- Added signWork parameter when sedning job to receptor -- Modified docker-compose tasks to generate RSA key pair to use for work-signing -- Modified docker-compose templates and jinja templates for implementing work-sign -- Modified Firewall rules on the receptor jinja config Add firewall rules to dev env
2026-02-01 01:28:09 -03:30 · 2021-09-24 10:15:16 -07:00
parent a5485096ac
commit 24a6edef9e
8 changed files with 46 additions and 4 deletions
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -8,3 +8,10 @@ pg_database: 'awx'
 control_plane_node_count: 1
 minikube_container_group: false
 receptor_socket_file: /var/run/awx-receptor/receptor.sock
+
+# Keys for signing work
+receptor_rsa_bits: 4096
+receptor_work_sign_reconfigure: false
+work_sign_key_dir: '../_sources/receptor'
+work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem"
+work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"
--- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@@ -79,6 +79,16 @@
    awx_image_tag: "{{ lookup('file', playbook_dir + '/../../../VERSION') }}"
  when: awx_image_tag is not defined

+- name: Generate Private RSA key for signing work
+  command: openssl genrsa -out {{ work_sign_private_keyfile }} {{ receptor_rsa_bits }}
+  args:
+    creates: "{{ work_sign_private_keyfile }}"
+
+- name: Generate public RSA key for signing work
+  command: openssl rsa -in {{ work_sign_private_keyfile }} -out {{ work_sign_public_keyfile }} -outform PEM -pubout
+  args:
+    creates: "{{ work_sign_public_keyfile }}"
+
 - name: Render Docker-Compose
  template:
    src: docker-compose.yml.j2
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -37,6 +37,8 @@ services:
      - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
      - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
      - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
+      - "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
+      - "../../docker-compose/_sources/receptor/work_private_key.pem:/etc/receptor/work_private_key.pem"
      # - "../../docker-compose/_sources/certs:/etc/receptor/certs"  # TODO: optionally generate certs
      - "/sys/fs/cgroup:/sys/fs/cgroup"
      - "~/.kube/config:/var/lib/awx/.kube/config"
@@ -96,7 +98,7 @@ services:
      - "awx_db:/var/lib/postgresql/data"
 {% if execution_node_count|int > 0 %}
  receptor-hop:
-    image: quay.io/project-receptor/receptor:latest
+    image: quay.io/ansible/receptor:devel
    user: root
    container_name: tools_receptor_hop
    hostname: receptor-hop
@@ -121,6 +123,7 @@ services:
    volumes:
      - "../../docker-compose/_sources/receptor/receptor-worker-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
      - "/sys/fs/cgroup:/sys/fs/cgroup"
+      - "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
    privileged: true
  {% endfor %}
 {% endif %}
--- a/tools/docker-compose/ansible/roles/sources/templates/receptor-awx.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/receptor-awx.conf.j2
@@ -1,12 +1,23 @@
 ---
 - node:
    id: awx_{{ item }}
+    firewallrules:
+      - action: "reject"
+        tonode: awx_{{ item }}
+        toservice: "control"

 - log-level: info

 - tcp-listener:
    port: 2222

+- work-signing:
+    privatekey: /etc/receptor/work_private_key.pem
+    tokenexpiration: 1m
+
+- work-verification:
+    publickey: /etc/receptor/work_public_key.pem
+
 {% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
 - tcp-peer:
    address: awx_{{ i }}:2222
@@ -29,6 +40,7 @@
    command: ansible-runner
    params: worker
    allowruntimeparams: true
+    verifysignature: true

 - work-kubernetes:
    worktype: kubernetes-runtime-auth
@@ -36,6 +48,7 @@
    allowruntimeauth: true
    allowruntimepod: true
    allowruntimeparams: true
+    verifysignature: true

 - work-kubernetes:
    worktype: kubernetes-incluster-auth
@@ -43,3 +56,4 @@
    allowruntimeauth: true
    allowruntimepod: true
    allowruntimeparams: true
+    verifysignature: true
--- a/tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
@@ -8,11 +8,15 @@
    address: tools_receptor_hop:5555
    redial: true

+- work-verification:
+    publickey: /etc/receptor/work_public_key.pem
+
 - work-command:
    worktype: ansible-runner
    command: ansible-runner
    params: worker
    allowruntimeparams: true
+    verifysignature: true

 - control-service:
    service: control