From 2b6cf971573185a46950c5a8fa3f9de14ede38ae Mon Sep 17 00:00:00 2001
From: Shane McDonald
Date: Tue, 26 Mar 2019 15:13:20 -0400
Subject: [PATCH] Do not set credentials via environment variables

---
installer/inventory | 6 --
.../roles/image_build/files/launch_awx.sh | 5 ++
.../image_build/files/launch_awx_task.sh | 5 ++
installer/roles/image_build/files/settings.py | 1 -
.../kubernetes/templates/deployment.yml.j2 | 57 +++----------------
.../kubernetes/templates/environment.sh.j2 | 7 +++
.../templates/management-pod.yml.j2 | 8 +--
.../roles/kubernetes/templates/secret.yml.j2 | 3 +-
.../roles/local_docker/defaults/main.yml | 4 +-
.../roles/local_docker/tasks/compose.yml | 15 +++++
.../local_docker/templates/credentials.py.j2 | 22 +++++++
.../templates/docker-compose.yml.j2 | 40 ++-----------
.../local_docker/templates/environment.sh.j2 | 7 +++
13 files changed, 83 insertions(+), 97 deletions(-)
create mode 100644 installer/roles/kubernetes/templates/environment.sh.j2
create mode 100644 installer/roles/local_docker/templates/credentials.py.j2
create mode 100644 installer/roles/local_docker/templates/environment.sh.j2

diff --git a/installer/inventory b/installer/inventory
index 2c3e47175f..16b6c088d6 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -55,12 +55,6 @@ postgres_data_dir=/tmp/pgdocker
 host_port=80
 #ssl_certificate=
 
-# Docker Compose Install
-# use_docker_compose=false
-# The docker_compose.yml file will be created in this directory
-# The name of the directory (here "awx") will be the prefix of the docker containers
-docker_compose_dir=/var/lib/awx
-
 # Required for Openshift when building the image on your own
 # Optional for Openshift if using Dockerhub or another prebuilt registry
 # Required for Standalone Docker Install if building the image on your own
diff --git a/installer/roles/image_build/files/launch_awx.sh b/installer/roles/image_build/files/launch_awx.sh
index a8198eed09..50ef773884 100755
--- a/installer/roles/image_build/files/launch_awx.sh
+++ b/installer/roles/image_build/files/launch_awx.sh
@@ -5,10 +5,15 @@ if [ `id -u` -ge 500 ]; then
 rm /tmp/passwd
 fi
 
+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m postgresql_db --become-user $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST login_password=$DATABASE_PASSWORD port=$DATABASE_PORT" all
 
 awx-manage collectstatic --noinput --clear
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor.conf
diff --git a/installer/roles/image_build/files/launch_awx_task.sh b/installer/roles/image_build/files/launch_awx_task.sh
index b672e76f0b..3165c33043 100755
--- a/installer/roles/image_build/files/launch_awx_task.sh
+++ b/installer/roles/image_build/files/launch_awx_task.sh
@@ -5,6 +5,8 @@ if [ `id -u` -ge 500 ]; then
 rm /tmp/passwd
 fi
 
+source /etc/tower/conf.d/environment.sh
+
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
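Review bot: The postgresql_db invocation still places the database password on a command line — the shell expands `login_password=$DATABASE_PASSWORD` into the argv of the `ansible` process, which is readable through `/proc/<pid>/cmdline` (and `ps`) by other processes in the container for as long as that call runs, a wider audience than the process environment this commit is removing it from. The new `source`/`unset` pair only keeps the value out of the shell that later launches supervisord. Consider handing it to libpq for that one process instead, e.g. `PGPASSWORD="$DATABASE_PASSWORD" ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible ... -m postgresql_db --become-user $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST port=$DATABASE_PORT" all` (the module should fall back to libpq's PGPASSWORD when `login_password` is omitted — verify for the Ansible version in the image). Separately, `unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)` assumes every line of that file is a bare `KEY=VALUE`; a comment or blank line would make `unset` complain, so either keep the template strictly in that shape or filter with `grep -v '^\s*#'` first.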
@@ -24,4 +26,7 @@ fi
 echo 'from django.conf import settings; x = settings.AWX_TASK_ENV; x["HOME"] = "/var/lib/awx"; settings.AWX_TASK_ENV = x' | awx-manage shell
 awx-manage provision_instance --hostname=$(hostname)
 awx-manage register_queue --queuename=tower --instance_percent=100
+
+unset $(cut -d = -f -1 /etc/tower/conf.d/environment.sh)
+
 supervisord -c /supervisor_task.conf
diff --git a/installer/roles/image_build/files/settings.py b/installer/roles/image_build/files/settings.py
index 527c884496..d2d2077d76 100644
--- a/installer/roles/image_build/files/settings.py
+++ b/installer/roles/image_build/files/settings.py
@@ -6,7 +6,6 @@ import os
 def get_secret():
     if os.path.exists("/etc/tower/SECRET_KEY"):
         return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
-    return os.getenv("SECRET_KEY", "privateawx")
 
 ADMINS = ()
 
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 9f102f689b..78abff3926 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -145,27 +145,9 @@ spec:
             mountPath: "/etc/tower"
             readOnly: true
 
-          - name: "{{ kubernetes_deployment_name }}-confd"
+          - name: "{{ kubernetes_deployment_name }}-application-credentials"
             mountPath: "/etc/tower/conf.d/"
             readOnly: true
-        env:
-          - name: DATABASE_USER
-            value: {{ pg_username }}
-          - name: DATABASE_NAME
-            value: {{ pg_database }}
-          - name: DATABASE_HOST
-            value: {{ pg_hostname|default('postgresql') }}
-          - name: DATABASE_PORT
-            value: "{{ pg_port|default('5432') }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: "{{ kubernetes_deployment_name }}-secrets"
-                key: pg_password
-          - name: MEMCACHED_HOST
-            value: {{ memcached_hostname|default('localhost') }}
-          - name: RABBITMQ_HOST
-            value: {{ rabbitmq_hostname|default('localhost') }}
         resources:
           requests:
             memory: "{{ web_mem_request }}Gi"
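Review bot: With the environment fallback removed, `get_secret()` now falls off the end and silently returns `None` when `/etc/tower/SECRET_KEY` is absent, so a missing or mis-mounted secret surfaces later wherever the result is consumed (outside this hunk) instead of at the point where the misconfiguration is obvious. Dropping the hard-coded `"privateawx"` default is the right call; a missing key should simply be fatal, so replace the removed line with `raise RuntimeError("/etc/tower/SECRET_KEY is missing; refusing to start without a secret key")`. While touching this function, the pre-existing `open(...)` on the line above never closes its handle; `with open('/etc/tower/SECRET_KEY', 'rb') as f: return f.read().strip()` fixes that in one line.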
@@ -191,36 +173,9 @@ spec:
             mountPath: "/etc/tower"
             readOnly: true
 
-          - name: "{{ kubernetes_deployment_name }}-confd"
+          - name: "{{ kubernetes_deployment_name }}-application-credentials"
             mountPath: "/etc/tower/conf.d/"
             readOnly: true
-        env:
-          - name: AWX_SKIP_MIGRATIONS
-            value: "1"
-          - name: DATABASE_USER
-            value: {{ pg_username }}
-          - name: DATABASE_NAME
-            value: {{ pg_database }}
-          - name: DATABASE_HOST
-            value: {{ pg_hostname|default('postgresql') }}
-          - name: DATABASE_PORT
-            value: "{{ pg_port|default('5432') }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: "{{ kubernetes_deployment_name }}-secrets"
-                key: pg_password
-          - name: MEMCACHED_HOST
-            value: {{ memcached_hostname|default('localhost') }}
-          - name: RABBITMQ_HOST
-            value: {{ rabbitmq_hostname|default('localhost') }}
-          - name: AWX_ADMIN_USER
-            value: {{ admin_user }}
-          - name: AWX_ADMIN_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: "{{ kubernetes_deployment_name }}-secrets"
-                key: admin_password
         resources:
           requests:
             memory: "{{ task_mem_request }}Gi"
@@ -312,12 +267,14 @@ spec:
               - key: secret_key
                 path: SECRET_KEY
 
-        - name: "{{ kubernetes_deployment_name }}-confd"
+        - name: "{{ kubernetes_deployment_name }}-application-credentials"
           secret:
             secretName: "{{ kubernetes_deployment_name }}-secrets"
             items:
-              - key: confd_contents
-                path: 'secrets.py'
+              - key: credentials_py
+                path: 'credentials.py'
+              - key: environment_sh
+                path: 'environment.sh'
 
         - name: rabbitmq-config
           configMap:
diff --git a/installer/roles/kubernetes/templates/environment.sh.j2 b/installer/roles/kubernetes/templates/environment.sh.j2
new file mode 100644
index 0000000000..1c7b79ff5c
--- /dev/null
+++ b/installer/roles/kubernetes/templates/environment.sh.j2
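Review bot: The `-application-credentials` secret volume sets no `defaultMode`, so `credentials.py` and `environment.sh` — both of which now carry `pg_password` in clear — are projected with the kubelet default of 0644 and are readable by any uid inside the pod, whereas a `secretKeyRef` environment value was readable only by the owning uid (and root) of the process that received it. Consider `defaultMode: 0440` under the `secret:` block of this volume, and make sure the pod's `securityContext` (`runAsUser`/`fsGroup`, outside this hunk) lets the AWX processes still read it; the `id -u -ge 500` branch in the launch scripts suggests the containers may run as a non-root uid. The management pod mounts the same keys elsewhere in this patch and needs the same setting.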
@@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgresql') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}
diff --git a/installer/roles/kubernetes/templates/management-pod.yml.j2 b/installer/roles/kubernetes/templates/management-pod.yml.j2
index c7fe44efb9..890d251062 100644
--- a/installer/roles/kubernetes/templates/management-pod.yml.j2
+++ b/installer/roles/kubernetes/templates/management-pod.yml.j2
@@ -14,7 +14,7 @@ spec:
           mountPath: "/etc/tower"
           readOnly: true
 
-        - name: "{{ kubernetes_deployment_name }}-confd"
+        - name: "{{ kubernetes_deployment_name }}-application-credentials"
           mountPath: "/etc/tower/conf.d/"
           readOnly: true
       resources:
@@ -37,11 +37,11 @@ spec:
          - key: secret_key
            path: SECRET_KEY
 
-    - name: "{{ kubernetes_deployment_name }}-confd"
+    - name: "{{ kubernetes_deployment_name }}-application-credentials"
       secret:
         secretName: "{{ kubernetes_deployment_name }}-secrets"
         items:
-          - key: confd_contents
-            path: 'secrets.py'
+          - key: credentials_py
+            path: 'credentials.py'
 
   restartPolicy: Never
diff --git a/installer/roles/kubernetes/templates/secret.yml.j2 b/installer/roles/kubernetes/templates/secret.yml.j2
index f85f75e295..ec71f1001f 100644
--- a/installer/roles/kubernetes/templates/secret.yml.j2
+++ b/installer/roles/kubernetes/templates/secret.yml.j2
@@ -10,4 +10,5 @@ data:
   pg_password: "{{ pg_password | b64encode }}"
   rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
   rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
-  confd_contents: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
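Review bot: Every value in this file is an unquoted shell assignment, and the launch scripts `source` it, so a `pg_password` (or hostname) containing whitespace, `$`, `;`, `&`, a backtick or `#` is truncated, expanded or executed by the shell — at best the postgres bootstrap fails with a wrong password, at worst credential text is run as a command inside the container. Shell-quote each value with Ansible's `quote` filter, e.g. `DATABASE_PASSWORD={{ pg_password | quote }}`, and the same for the other six lines. The `unset $(cut -d = -f -1 ...)` in the launch scripts only reads the key before `=`, so quoting the values does not disturb it.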
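Review bot: `pg_password` is now stored in three keys of this Secret — `pg_password`, and embedded in the rendered `credentials_py` and `environment_sh` — while the application (per the deployment change in this patch) reads only the two rendered files, so an out-of-band edit of `pg_password` alone (e.g. `kubectl edit secret`) will no longer be seen by AWX and an operator rotating it will get a confusing outage. Re-running the playbook keeps the three in sync; a comment above these keys, `# credentials_py and environment_sh embed pg_password: rotate all three together`, would document that. Anyone who exports or backs up this Secret should also know it now contains the password in two more places.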
diff --git a/installer/roles/local_docker/defaults/main.yml b/installer/roles/local_docker/defaults/main.yml
index 0fbea21553..8d4d015bff 100644
--- a/installer/roles/local_docker/defaults/main.yml
+++ b/installer/roles/local_docker/defaults/main.yml
@@ -10,4 +10,6 @@ rabbitmq_default_username: "guest"
 rabbitmq_default_password: "guest"
 
 postgresql_version: "9.6"
-postgresql_image: "postgres:{{postgresql_version}}"
\ No newline at end of file
+postgresql_image: "postgres:{{postgresql_version}}"
+
+docker_compose_dir: "/var/lib/awx"
diff --git a/installer/roles/local_docker/tasks/compose.yml b/installer/roles/local_docker/tasks/compose.yml
index 5cfd210ee9..31167a7493 100644
--- a/installer/roles/local_docker/tasks/compose.yml
+++ b/installer/roles/local_docker/tasks/compose.yml
@@ -10,6 +10,21 @@
     dest: "{{ docker_compose_dir }}/docker-compose.yml"
   register: awx_compose_config
 
+- name: Render secrets file
+  template:
+    src: environment.sh.j2
+    dest: "{{ docker_compose_dir }}/environment.sh"
+
+- name: Render application credentials
+  template:
+    src: credentials.py.j2
+    dest: "{{ docker_compose_dir }}/credentials.py"
+
+- name: Render SECRET_KEY file
+  copy:
+    content: "{{ secret_key }}"
+    dest: "{{ docker_compose_dir }}/SECRET_KEY"
+
 - name: Start the containers
   docker_service:
     project_src: "{{ docker_compose_dir }}"
diff --git a/installer/roles/local_docker/templates/credentials.py.j2 b/installer/roles/local_docker/templates/credentials.py.j2
new file mode 100644
index 0000000000..70c3f64bfa
--- /dev/null
+++ b/installer/roles/local_docker/templates/credentials.py.j2
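Review bot: The three new `template`/`copy` tasks write `environment.sh`, `credentials.py` and `SECRET_KEY` — files whose only content is secrets — under `docker_compose_dir` with no `mode:`, so they take the umask default (usually 0644) and are readable by every local account on the Docker host. The old compose file carried the same values with the same exposure, but now that the secrets live in dedicated files there is no reason not to lock them down: add `mode: 0600` to each of the three tasks. The compose template in this patch runs the containers as `user: root`, so a root-owned 0600 file is still readable inside them when the playbook runs as root; if it runs as another user, set `owner:` to match.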
@@ -0,0 +1,22 @@
+DATABASES = {
+    'default': {
+        'ATOMIC_REQUESTS': True,
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': "{{ pg_database }}",
+        'USER': "{{ pg_username }}",
+        'PASSWORD': "{{ pg_password }}",
+        'HOST': "{{ pg_hostname|default('postgres') }}",
+        'PORT': "{{ pg_port }}",
+    }
+}
+BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
+    "{{ rabbitmq_user }}",
+    "{{ rabbitmq_password }}",
+    "localhost",
+    "5672",
+    "awx")
+CHANNEL_LAYERS = {
+    'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
+                'ROUTING': 'awx.main.routing.channel_routing',
+                'CONFIG': {'url': BROKER_URL}}
+}
diff --git a/installer/roles/local_docker/templates/docker-compose.yml.j2 b/installer/roles/local_docker/templates/docker-compose.yml.j2
index 5e227bf260..29354dafe5 100644
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -15,9 +15,10 @@ services:
     hostname: {{ awx_web_hostname }}
     user: root
     restart: unless-stopped
-    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
     volumes:
-    {% endif %}
+      - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+      - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+      - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
     {% if project_data_dir is defined %}
       - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
     {% endif %}
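Review bot: `pg_password`, `rabbitmq_password` and the other values are interpolated straight into Python string literals, so a password containing `"` or `\` makes credentials.py a syntax error at settings import, and a crafted value can close the literal and run arbitrary Python in the AWX process; the RabbitMQ user and password are additionally pasted into an `amqp://` URL with no percent-encoding, where `@`, `/`, `:` or `%` break parsing. Emit real literals instead, e.g. `'PASSWORD': {{ pg_password | to_json }},` (and `to_json` for NAME/USER/HOST), and percent-encode the two URL components before quoting them (Jinja's `urlencode` leaves `/` unescaped, so check it covers your character set). Two things I cannot confirm from the patch: `rabbitmq_user`/`rabbitmq_password` are not defined in the local_docker defaults shown here (those define `rabbitmq_default_username`/`_password`), so the render may fail unless they are set elsewhere; and the hard-coded `"localhost"` broker host disagrees with the sibling environment.sh.j2, whose `RABBITMQ_HOST` defaults to `rabbitmq` — unless the web/task containers share rabbitmq's network namespace, this should come from the same variable.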
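Review bot: The three new bind mounts of SECRET_KEY, environment.sh and credentials.py are read-write, while the Kubernetes counterparts in this same patch are mounted `readOnly: true`; since the container runs as `user: root` (context line above), anything that compromises it can rewrite the host-side credential files. Append `:ro` to each entry, e.g. `- "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY:ro"`, and likewise for the two conf.d files. The task service's identical mount block later in this file needs the same suffix.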
@@ -46,21 +47,6 @@ services:
       http_proxy: {{ http_proxy | default('') }}
       https_proxy: {{ https_proxy | default('') }}
       no_proxy: {{ no_proxy | default('') }}
-      SECRET_KEY: {{ secret_key }}
-      DATABASE_NAME: {{ pg_database }}
-      DATABASE_USER: {{ pg_username }}
-      DATABASE_PASSWORD: {{ pg_password }}
-      DATABASE_PORT: {{ pg_port }}
-      DATABASE_HOST: {{ pg_hostname|default("postgres") }}
-      RABBITMQ_USER: guest
-      RABBITMQ_PASSWORD: guest
-      RABBITMQ_HOST: rabbitmq
-      RABBITMQ_PORT: 5672
-      RABBITMQ_VHOST: awx
-      MEMCACHED_HOST: memcached
-      MEMCACHED_PORT: 11211
-      AWX_ADMIN_USER: {{ admin_user|default('admin') }}
-      AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}
 
   task:
     image: {{ awx_task_docker_actual_image }}
@@ -74,9 +60,10 @@ services:
     hostname: {{ awx_task_hostname }}
     user: root
     restart: unless-stopped
-    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
     volumes:
-    {% endif %}
+      - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
+      - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
+      - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
     {% if project_data_dir is defined %}
       - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
     {% endif %}
@@ -105,21 +92,6 @@ services:
       http_proxy: {{ http_proxy | default('') }}
       https_proxy: {{ https_proxy | default('') }}
       no_proxy: {{ no_proxy | default('') }}
-      SECRET_KEY: {{ secret_key }}
-      DATABASE_NAME: {{ pg_database }}
-      DATABASE_USER: {{ pg_username }}
-      DATABASE_PASSWORD: {{ pg_password }}
-      DATABASE_HOST: {{ pg_hostname|default("postgres") }}
-      DATABASE_PORT: {{ pg_port }}
-      RABBITMQ_USER: guest
-      RABBITMQ_PASSWORD: guest
-      RABBITMQ_HOST: rabbitmq
-      RABBITMQ_PORT: 5672
-      RABBITMQ_VHOST: awx
-      MEMCACHED_HOST: memcached
-      MEMCACHED_PORT: 11211
-      AWX_ADMIN_USER: {{ admin_user|default('admin') }}
-      AWX_ADMIN_PASSWORD: {{ admin_password|default('password') }}
 
   rabbitmq:
     image: {{ rabbitmq_image }}
diff --git a/installer/roles/local_docker/templates/environment.sh.j2 b/installer/roles/local_docker/templates/environment.sh.j2
new file mode 100644
index 0000000000..4e58117a20
--- /dev/null
+++ b/installer/roles/local_docker/templates/environment.sh.j2
@@ -0,0 +1,7 @@
+DATABASE_USER={{ pg_username }}
+DATABASE_NAME={{ pg_database }}
+DATABASE_HOST={{ pg_hostname|default('postgres') }}
+DATABASE_PORT={{ pg_port|default('5432') }}
+DATABASE_PASSWORD={{ pg_password }}
+MEMCACHED_HOST={{ memcached_hostname|default('memcached') }}
+RABBITMQ_HOST={{ rabbitmq_hostname|default('rabbitmq') }}
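Review bot: As with the Kubernetes template, the values here are unquoted shell assignments that the launch scripts `source`, so a `pg_password` with whitespace or shell metacharacters (`$`, `;`, `&`, backtick, `#`) is mangled or executed inside the container. Quote each value: `DATABASE_PASSWORD={{ pg_password | quote }}`, and the same filter on the other six lines. Note also that `RABBITMQ_HOST` defaults to `rabbitmq` here, while the sibling credentials.py.j2 in this patch hard-codes `localhost` for the broker URL — one of the two is wrong unless the web/task containers share rabbitmq's network namespace, which this file does not show.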