Do not set credentials via environment variables

2026-01-11 10:00:01 -03:30 · 2019-03-26 15:13:20 -04:00 · 2019-03-26 15:13:20 -04:00 · 2b6cf97157
commit 2b6cf97157
parent 07e5a00f14
13 changed files with 83 additions and 97 deletions
--- a/installer/inventory
+++ b/installer/inventory
@ -55,12 +55,6 @@ postgres_data_dir=/tmp/pgdocker
 host_port=80
 #ssl_certificate=

-# Docker Compose Install
-# use_docker_compose=false
-# The docker_compose.yml file will be created in this directory
-# The name of the directory (here "awx") will be the prefix of the docker containers
-docker_compose_dir=/var/lib/awx
-
 # Required for Openshift when building the image on your own
 # Optional for Openshift if using Dockerhub or another prebuilt registry
 # Required for Standalone Docker Install if building the image on your own
--- a/installer/roles/image_build/files/launch_awx.sh
+++ b/installer/roles/image_build/files/launch_awx.sh
@ -5,10 +5,15 @@ if [ `id -u` -ge 500 ]; then
    rm /tmp/passwd
 fi

+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m postgresql_db --become-user $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST login_password=$DATABASE_PASSWORD port=$DATABASE_PORT" all

 awx-manage collectstatic --noinput --clear
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor.conf
--- a/installer/roles/image_build/files/launch_awx_task.sh
+++ b/installer/roles/image_build/files/launch_awx_task.sh
@ -5,6 +5,8 @@ if [ `id -u` -ge 500 ]; then
    rm /tmp/passwd
 fi

+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
@ -24,4 +26,7 @@ fi
 echo 'from django.conf import settings; x = settings.AWX_TASK_ENV; x["HOME"] = "/var/lib/awx"; settings.AWX_TASK_ENV = x' | awx-manage shell
 awx-manage provision_instance --hostname=$(hostname)
 awx-manage register_queue --queuename=tower --instance_percent=100
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor_task.conf
--- a/installer/roles/image_build/files/settings.py
+++ b/installer/roles/image_build/files/settings.py
@ -6,7 +6,6 @@ import os
 def get_secret():
    if os.path.exists("/etc/tower/SECRET_KEY"):
        return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
-    return os.getenv("SECRET_KEY", "privateawx")


 ADMINS = ()
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@ -145,27 +145,9 @@ spec:
              mountPath: "/etc/tower"
              readOnly: true

-            - name: "{{ kubernetes_deployment_name }}-confd"
+            - name: "{{ kubernetes_deployment_name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/"
              readOnly: true
-          env:
-            - name: DATABASE_USER
-              value: {{ pg_username }}
-            - name: DATABASE_NAME
-              value: {{ pg_database }}
-            - name: DATABASE_HOST
-              value: {{ pg_hostname|default('postgresql') }}
-            - name: DATABASE_PORT
-              value: "{{ pg_port|default('5432') }}"
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ kubernetes_deployment_name }}-secrets"
-                  key: pg_password
-            - name: MEMCACHED_HOST
-              value: {{ memcached_hostname|default('localhost') }}
-            - name: RABBITMQ_HOST
-              value: {{ rabbitmq_hostname|default('localhost') }}
          resources:
            requests:
              memory: "{{ web_mem_request }}Gi"
@ -191,36 +173,9 @@ spec:
              mountPath: "/etc/tower"
              readOnly: true

-            - name: "{{ kubernetes_deployment_name }}-confd"
+            - name: "{{ kubernetes_deployment_name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/"
              readOnly: true
-          env:
-            - name: AWX_SKIP_MIGRATIONS
-              value: "1"
-            - name: DATABASE_USER
-              value: {{ pg_username }}
-            - name: DATABASE_NAME
-              value: {{ pg_database }}
-            - name: DATABASE_HOST
-              value: {{ pg_hostname|default('postgresql') }}
-            - name: DATABASE_PORT
-              value: "{{ pg_port|default('5432') }}"
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ kubernetes_deployment_name }}-secrets"
-                  key: pg_password
-            - name: MEMCACHED_HOST
-              value: {{ memcached_hostname|default('localhost') }}
-            - name: RABBITMQ_HOST
-              value: {{ rabbitmq_hostname|default('localhost') }}
-            - name: AWX_ADMIN_USER
-              value: {{ admin_user }}
-            - name: AWX_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ kubernetes_deployment_name }}-secrets"
-                  key: admin_password
          resources:
            requests:
              memory: "{{ task_mem_request }}Gi"
@ -312,12 +267,14 @@ spec:
              - key: secret_key
                path: SECRET_KEY

-        - name: "{{ kubernetes_deployment_name }}-confd"
+        - name: "{{ kubernetes_deployment_name }}-application-credentials"
          secret:
            secretName: "{{ kubernetes_deployment_name }}-secrets"
            items:
-              - key: confd_contents
-                path: 'secrets.py'
+              - key: credentials_py
+                path: 'credentials.py'
+              - key: environment_sh
+                path: 'environment.sh'

        - name: rabbitmq-config
          configMap:
--- a/installer/roles/kubernetes/templates/environment.sh.j2
+++ b/installer/roles/kubernetes/templates/environment.sh.j2
@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgresql') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}
--- a/installer/roles/kubernetes/templates/management-pod.yml.j2
+++ b/installer/roles/kubernetes/templates/management-pod.yml.j2
@ -14,7 +14,7 @@ spec:
          mountPath: "/etc/tower"
          readOnly: true

-        - name: "{{ kubernetes_deployment_name }}-confd"
+        - name: "{{ kubernetes_deployment_name }}-application-credentials"
          mountPath: "/etc/tower/conf.d/"
          readOnly: true
      resources:
@ -37,11 +37,11 @@ spec:
          - key: secret_key
            path: SECRET_KEY

-    - name: "{{ kubernetes_deployment_name }}-confd"
+    - name: "{{ kubernetes_deployment_name }}-application-credentials"
      secret:
        secretName: "{{ kubernetes_deployment_name }}-secrets"
        items:
-          - key: confd_contents
-            path: 'secrets.py'
+          - key: credentials_py
+            path: 'credentials.py'

  restartPolicy: Never
--- a/installer/roles/kubernetes/templates/secret.yml.j2
+++ b/installer/roles/kubernetes/templates/secret.yml.j2
@ -10,4 +10,5 @@ data:
  pg_password: "{{ pg_password | b64encode }}"
  rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
  rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
-  confd_contents: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
--- a/installer/roles/local_docker/defaults/main.yml
+++ b/installer/roles/local_docker/defaults/main.yml
@ -10,4 +10,6 @@ rabbitmq_default_username: "guest"
 rabbitmq_default_password: "guest"

 postgresql_version: "9.6"
-postgresql_image: "postgres:{{postgresql_version}}"
+postgresql_image: "postgres:{{postgresql_version}}"
+
+docker_compose_dir: "/var/lib/awx"
--- a/installer/roles/local_docker/tasks/compose.yml
+++ b/installer/roles/local_docker/tasks/compose.yml
@ -10,6 +10,21 @@
    dest: "{{ docker_compose_dir }}/docker-compose.yml"
  register: awx_compose_config

+- name: Render secrets file
+  template:
+    src: environment.sh.j2
+    dest: "{{ docker_compose_dir }}/environment.sh"
+
+- name: Render application credentials
+  template:
+    src: credentials.py.j2
+    dest: "{{ docker_compose_dir }}/credentials.py"
+
+- name: Render SECRET_KEY file
+  copy:
+    content: "{{ secret_key }}"
+    dest: "{{ docker_compose_dir }}/SECRET_KEY"
+
 - name: Start the containers
  docker_service:
    project_src: "{{ docker_compose_dir }}"
--- a/installer/roles/local_docker/templates/credentials.py.j2
+++ b/installer/roles/local_docker/templates/credentials.py.j2
@ -0,0 +1,22 @@
+DATABASES = {
+    'default': {
+        'ATOMIC_REQUESTS': True,
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': "{{ pg_database }}",
+        'USER': "{{ pg_username }}",
+        'PASSWORD': "{{ pg_password }}",
+        'HOST': "{{ pg_hostname|default('postgres') }}",
+        'PORT': "{{ pg_port }}",
+    }
+}
+BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
+    "{{ rabbitmq_user }}",
+    "{{ rabbitmq_password }}",
+    "localhost",
+    "5672",
+    "awx")
+CHANNEL_LAYERS = {
+    'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
+                'ROUTING': 'awx.main.routing.channel_routing',
+                'CONFIG': {'url': BROKER_URL}}
+}
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@ -15,9 +15,10 @@ services:
    hostname: {{ awx_web_hostname }}
    user: root
    restart: unless-stopped
-    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
    volumes:
-    {% endif %}
+      - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+      - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+      - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
    {% if project_data_dir is defined %}
      - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
    {% endif %}
@ -46,21 +47,6 @@ services:
      http_proxy: {{ http_proxy | default('') }}
      https_proxy: {{ https_proxy | default('') }}
      no_proxy: {{ no_proxy | default('') }}
-      SECRET_KEY: {{ secret_key }}
-      DATABASE_NAME: {{ pg_database }}
-      DATABASE_USER: {{ pg_username }}
-      DATABASE_PASSWORD: {{ pg_password }}
-      DATABASE_PORT: {{ pg_port }}
-      DATABASE_HOST: {{ pg_hostname|default("postgres") }}
-      RABBITMQ_USER: guest
-      RABBITMQ_PASSWORD: guest
-      RABBITMQ_HOST: rabbitmq
-      RABBITMQ_PORT: 5672
-      RABBITMQ_VHOST: awx
-      MEMCACHED_HOST: memcached
-      MEMCACHED_PORT: 11211
-      AWX_ADMIN_USER: {{ admin_user|default('admin') }}
-      AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}

  task:
    image: {{ awx_task_docker_actual_image }}
@ -74,9 +60,10 @@ services:
    hostname: {{ awx_task_hostname }}
    user: root
    restart: unless-stopped
-    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
    volumes:
-    {% endif %}
+      - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+      - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+      - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
    {% if project_data_dir is defined %}
      - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
    {% endif %}
@ -105,21 +92,6 @@ services:
      http_proxy: {{ http_proxy | default('') }}
      https_proxy: {{ https_proxy | default('') }}
      no_proxy: {{ no_proxy | default('') }}
-      SECRET_KEY: {{ secret_key }}
-      DATABASE_NAME: {{ pg_database }}
-      DATABASE_USER: {{ pg_username }}
-      DATABASE_PASSWORD: {{ pg_password }}
-      DATABASE_HOST: {{ pg_hostname|default("postgres") }}
-      DATABASE_PORT: {{ pg_port }}
-      RABBITMQ_USER: guest
-      RABBITMQ_PASSWORD: guest
-      RABBITMQ_HOST: rabbitmq
-      RABBITMQ_PORT: 5672
-      RABBITMQ_VHOST: awx
-      MEMCACHED_HOST: memcached
-      MEMCACHED_PORT: 11211
-      AWX_ADMIN_USER: {{ admin_user|default('admin') }}
-      AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}

  rabbitmq:
    image: {{ rabbitmq_image }}
--- a/installer/roles/local_docker/templates/environment.sh.j2
+++ b/installer/roles/local_docker/templates/environment.sh.j2
@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgres') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('memcached') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('rabbitmq') }}