External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-13 20:37:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

AWX dev environment changes for receptor work signing feature

Browse Source 
-- Updated devel build to take most recent receptor binary
-- Added signWork parameter when sedning job to receptor
-- Modified docker-compose tasks to generate RSA key pair to use for work-signing
-- Modified docker-compose templates and jinja templates for implementing work-sign
-- Modified Firewall rules on the receptor jinja config

Add firewall rules to dev env
This commit is contained in:
Amol Gautam
2021-09-24 10:15:16 -07:00
parent a5485096ac
commit 24a6edef9e
8 changed files with 46 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
View File

@@ -37,6 +37,8 @@ services:
- "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
- "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
- "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
- "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
- "../../docker-compose/_sources/receptor/work_private_key.pem:/etc/receptor/work_private_key.pem"
# - "../../docker-compose/_sources/certs:/etc/receptor/certs" # TODO: optionally generate certs
- "/sys/fs/cgroup:/sys/fs/cgroup"
- "~/.kube/config:/var/lib/awx/.kube/config"
@@ -96,7 +98,7 @@ services:
- "awx_db:/var/lib/postgresql/data"
{% if execution_node_count|int > 0 %}
receptor-hop:
image: quay.io/project-receptor/receptor:latest
image: quay.io/ansible/receptor:devel
user: root
container_name: tools_receptor_hop
hostname: receptor-hop
@@ -121,6 +123,7 @@ services:
volumes:
- "../../docker-compose/_sources/receptor/receptor-worker-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
- "/sys/fs/cgroup:/sys/fs/cgroup"
- "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
privileged: true
{% endfor %}
{% endif %}

14
tools/docker-compose/ansible/roles/sources/templates/receptor-awx.conf.j2
View File

@@ -1,12 +1,23 @@
---
- node:
id: awx_{{ item }}
firewallrules:
- action: "reject"
tonode: awx_{{ item }}
toservice: "control"
- log-level: info
- tcp-listener:
port: 2222
- work-signing:
privatekey: /etc/receptor/work_private_key.pem
tokenexpiration: 1m
- work-verification:
publickey: /etc/receptor/work_public_key.pem
{% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
- tcp-peer:
address: awx_{{ i }}:2222
@@ -29,6 +40,7 @@
command: ansible-runner
params: worker
allowruntimeparams: true
verifysignature: true
- work-kubernetes:
worktype: kubernetes-runtime-auth
@@ -36,6 +48,7 @@
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
verifysignature: true
- work-kubernetes:
worktype: kubernetes-incluster-auth
@@ -43,3 +56,4 @@
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
verifysignature: true

4
tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
View File

@@ -8,11 +8,15 @@
address: tools_receptor_hop:5555
redial: true
- work-verification:
publickey: /etc/receptor/work_public_key.pem
- work-command:
worktype: ansible-runner
command: ansible-runner
params: worker
allowruntimeparams: true
verifysignature: true
- control-service:
service: control