External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-05 08:27:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

AWX dev environment changes for receptor work signing feature

Browse Source 
-- Updated devel build to take most recent receptor binary
-- Added signWork parameter when sedning job to receptor
-- Modified docker-compose tasks to generate RSA key pair to use for work-signing
-- Modified docker-compose templates and jinja templates for implementing work-sign
-- Modified Firewall rules on the receptor jinja config

Add firewall rules to dev env
This commit is contained in:
Amol Gautam
2021-09-24 10:15:16 -07:00
parent a5485096ac
commit 24a6edef9e
8 changed files with 46 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/main/tasks.py
View File

@@ -478,7 +478,10 @@ def inspect_execution_nodes(instance_list):
for ad in connections: for ad in connections:
hostname = ad['NodeID'] hostname = ad['NodeID']
commands = ad.get('WorkCommands') or [] commands = ad.get('WorkCommands') or []
if 'ansible-runner' not in commands: worktypes = []
for c in commands:
worktypes.append(c["WorkType"])
if 'ansible-runner' not in worktypes:
continue continue
changed = False changed = False
if hostname in node_lookup: if hostname in node_lookup:
@@ -3053,7 +3056,7 @@ class AWXReceptorJob:
use_stream_tls = get_conn_type(_kw['node'], receptor_ctl).name == "STREAMTLS" use_stream_tls = get_conn_type(_kw['node'], receptor_ctl).name == "STREAMTLS"
_kw['tlsclient'] = get_tls_client(use_stream_tls) _kw['tlsclient'] = get_tls_client(use_stream_tls)
result = receptor_ctl.submit_work(worktype=self.work_type, payload=sockout.makefile('rb'), params=self.receptor_params, **_kw) result = receptor_ctl.submit_work(worktype=self.work_type, payload=sockout.makefile('rb'), params=self.receptor_params, signwork=True, **_kw)
self.unit_id = result['unitid'] self.unit_id = result['unitid']
self.task.update_model(self.task.instance.pk, work_unit_id=result['unitid']) self.task.update_model(self.task.instance.pk, work_unit_id=result['unitid'])

1
awx/main/utils/receptor.py
View File

@@ -70,6 +70,7 @@ def worker_info(node_name, work_type='ansible-runner'):
kwargs = {} kwargs = {}
kwargs['tlsclient'] = get_tls_client(use_stream_tls) kwargs['tlsclient'] = get_tls_client(use_stream_tls)
kwargs['signwork'] = True
if work_type != 'local': if work_type != 'local':
kwargs['ttl'] = '20s' kwargs['ttl'] = '20s'
result = receptor_ctl.submit_work(worktype=work_type, payload='', params={"params": f"--worker-info"}, node=node_name, **kwargs) result = receptor_ctl.submit_work(worktype=work_type, payload='', params={"params": f"--worker-info"}, node=node_name, **kwargs)

2
tools/ansible/roles/dockerfile/templates/Dockerfile.j2
View File

@@ -166,7 +166,7 @@ COPY --from=builder /var/lib/awx /var/lib/awx
RUN ln -s /var/lib/awx/venv/awx/bin/awx-manage /usr/bin/awx-manage RUN ln -s /var/lib/awx/venv/awx/bin/awx-manage /usr/bin/awx-manage
{%if build_dev|bool %} {%if build_dev|bool %}
COPY --from=quay.io/project-receptor/receptor:1.0.0a2 /usr/bin/receptor /usr/bin/receptor COPY --from=quay.io/ansible/receptor:devel /usr/bin/receptor /usr/bin/receptor
RUN openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/nginx.key -out /etc/nginx/nginx.csr \ RUN openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/nginx.key -out /etc/nginx/nginx.csr \
-subj "/C=US/ST=North Carolina/L=Durham/O=Ansible/OU=AWX Development/CN=awx.localhost" && \ -subj "/C=US/ST=North Carolina/L=Durham/O=Ansible/OU=AWX Development/CN=awx.localhost" && \
openssl x509 -req -days 365 -in /etc/nginx/nginx.csr -signkey /etc/nginx/nginx.key -out /etc/nginx/nginx.crt && \ openssl x509 -req -days 365 -in /etc/nginx/nginx.csr -signkey /etc/nginx/nginx.key -out /etc/nginx/nginx.crt && \

7
tools/docker-compose/ansible/roles/sources/defaults/main.yml
View File

@@ -8,3 +8,10 @@ pg_database: 'awx'
control_plane_node_count: 1 control_plane_node_count: 1
minikube_container_group: false minikube_container_group: false
receptor_socket_file: /var/run/awx-receptor/receptor.sock receptor_socket_file: /var/run/awx-receptor/receptor.sock
# Keys for signing work
receptor_rsa_bits: 4096
receptor_work_sign_reconfigure: false
work_sign_key_dir: '../_sources/receptor'
work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem"
work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"

10
tools/docker-compose/ansible/roles/sources/tasks/main.yml
View File

@@ -79,6 +79,16 @@
awx_image_tag: "{{ lookup('file', playbook_dir + '/../../../VERSION') }}" awx_image_tag: "{{ lookup('file', playbook_dir + '/../../../VERSION') }}"
when: awx_image_tag is not defined when: awx_image_tag is not defined
- name: Generate Private RSA key for signing work
command: openssl genrsa -out {{ work_sign_private_keyfile }} {{ receptor_rsa_bits }}
args:
creates: "{{ work_sign_private_keyfile }}"
- name: Generate public RSA key for signing work
command: openssl rsa -in {{ work_sign_private_keyfile }} -out {{ work_sign_public_keyfile }} -outform PEM -pubout
args:
creates: "{{ work_sign_public_keyfile }}"
- name: Render Docker-Compose - name: Render Docker-Compose
template: template:
src: docker-compose.yml.j2 src: docker-compose.yml.j2

5
tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
View File

@@ -37,6 +37,8 @@ services:
- "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py" - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
- "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY" - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
- "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf" - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
- "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
- "../../docker-compose/_sources/receptor/work_private_key.pem:/etc/receptor/work_private_key.pem"
# - "../../docker-compose/_sources/certs:/etc/receptor/certs" # TODO: optionally generate certs # - "../../docker-compose/_sources/certs:/etc/receptor/certs" # TODO: optionally generate certs
- "/sys/fs/cgroup:/sys/fs/cgroup" - "/sys/fs/cgroup:/sys/fs/cgroup"
- "~/.kube/config:/var/lib/awx/.kube/config" - "~/.kube/config:/var/lib/awx/.kube/config"
@@ -96,7 +98,7 @@ services:
- "awx_db:/var/lib/postgresql/data" - "awx_db:/var/lib/postgresql/data"
{% if execution_node_count|int > 0 %} {% if execution_node_count|int > 0 %}
receptor-hop: receptor-hop:
image: quay.io/project-receptor/receptor:latest image: quay.io/ansible/receptor:devel
user: root user: root
container_name: tools_receptor_hop container_name: tools_receptor_hop
hostname: receptor-hop hostname: receptor-hop
@@ -121,6 +123,7 @@ services:
volumes: volumes:
- "../../docker-compose/_sources/receptor/receptor-worker-{{ loop.index }}.conf:/etc/receptor/receptor.conf" - "../../docker-compose/_sources/receptor/receptor-worker-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
- "/sys/fs/cgroup:/sys/fs/cgroup" - "/sys/fs/cgroup:/sys/fs/cgroup"
- "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
privileged: true privileged: true
{% endfor %} {% endfor %}
{% endif %} {% endif %}

14
tools/docker-compose/ansible/roles/sources/templates/receptor-awx.conf.j2
View File

@@ -1,12 +1,23 @@
--- ---
- node: - node:
id: awx_{{ item }} id: awx_{{ item }}
firewallrules:
- action: "reject"
tonode: awx_{{ item }}
toservice: "control"
- log-level: info - log-level: info
- tcp-listener: - tcp-listener:
port: 2222 port: 2222
- work-signing:
privatekey: /etc/receptor/work_private_key.pem
tokenexpiration: 1m
- work-verification:
publickey: /etc/receptor/work_public_key.pem
{% for i in range(item | int + 1, control_plane_node_count | int + 1) %} {% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
- tcp-peer: - tcp-peer:
address: awx_{{ i }}:2222 address: awx_{{ i }}:2222
@@ -29,6 +40,7 @@
command: ansible-runner command: ansible-runner
params: worker params: worker
allowruntimeparams: true allowruntimeparams: true
verifysignature: true
- work-kubernetes: - work-kubernetes:
worktype: kubernetes-runtime-auth worktype: kubernetes-runtime-auth
@@ -36,6 +48,7 @@
allowruntimeauth: true allowruntimeauth: true
allowruntimepod: true allowruntimepod: true
allowruntimeparams: true allowruntimeparams: true
verifysignature: true
- work-kubernetes: - work-kubernetes:
worktype: kubernetes-incluster-auth worktype: kubernetes-incluster-auth
@@ -43,3 +56,4 @@
allowruntimeauth: true allowruntimeauth: true
allowruntimepod: true allowruntimepod: true
allowruntimeparams: true allowruntimeparams: true
verifysignature: true

4
tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
View File

@@ -8,11 +8,15 @@
address: tools_receptor_hop:5555 address: tools_receptor_hop:5555
redial: true redial: true
- work-verification:
publickey: /etc/receptor/work_public_key.pem
- work-command: - work-command:
worktype: ansible-runner worktype: ansible-runner
command: ansible-runner command: ansible-runner
params: worker params: worker
allowruntimeparams: true allowruntimeparams: true
verifysignature: true
- control-service: - control-service:
service: control service: control