AWX dev environment changes for receptor work signing feature

-- Updated devel build to take most recent receptor binary
-- Added signWork parameter when sending job to receptor
-- Modified docker-compose tasks to generate RSA key pair to use for work-signing
-- Modified docker-compose templates and jinja templates for implementing work-sign
-- Modified Firewall rules on the receptor jinja config

Add firewall rules to dev env
Amol Gautam
2021-09-24 10:15:16 -07:00
parent a5485096ac
commit 24a6edef9e
8 changed files with 46 additions and 4 deletions


@@ -1,12 +1,23 @@
---
- node:
id: awx_{{ item }}
firewallrules:
- action: "reject"
tonode: awx_{{ item }}
toservice: "control"
- log-level: info
- tcp-listener:
port: 2222
- work-signing:
privatekey: /etc/receptor/work_private_key.pem
tokenexpiration: 1m
- work-verification:
publickey: /etc/receptor/work_public_key.pem
{% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
- tcp-peer:
address: awx_{{ i }}:2222
@@ -29,6 +40,7 @@
command: ansible-runner
params: worker
allowruntimeparams: true
verifysignature: true
- work-kubernetes:
worktype: kubernetes-runtime-auth
@@ -36,6 +48,7 @@
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
verifysignature: true
- work-kubernetes:
worktype: kubernetes-incluster-auth
@@ -43,3 +56,4 @@
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
verifysignature: true
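Review bot: The `work-signing` entry in the first hunk points receptor at `/etc/receptor/work_private_key.pem`, but nothing in this template records who creates that file or how it is protected. The key-generation tasks named in the commit description are not visible in this section, so confirm they write the private key with owner-only permissions (for example mode `0600`) and keep it out of image layers and version control. Every control-plane node rendered from this template gets both the signing and the verification key, which is reasonable for a dev cluster but deserves a comment such as `# dev only: all control nodes share one signing key pair generated by the docker-compose tasks`. The `firewallrules` entry is also uncommented; if the intent is what it appears to be, `# reject traffic from the mesh addressed to this node's control service` would state it. Indentation is lost in this rendering, so the nesting of the new keys could not be checked here.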