Do not set credentials via environment variables

Shane McDonald
2019-03-26 15:13:20 -04:00
parent 07e5a00f14
commit 2b6cf97157
13 changed files with 83 additions and 97 deletions


@@ -145,27 +145,9 @@ spec:
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
- name: "{{ kubernetes_deployment_name }}-application-credentials"
mountPath: "/etc/tower/conf.d/"
readOnly: true
env:
- name: DATABASE_USER
value: {{ pg_username }}
- name: DATABASE_NAME
value: {{ pg_database }}
- name: DATABASE_HOST
value: {{ pg_hostname|default('postgresql') }}
- name: DATABASE_PORT
value: "{{ pg_port|default('5432') }}"
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: pg_password
- name: MEMCACHED_HOST
value: {{ memcached_hostname|default('localhost') }}
- name: RABBITMQ_HOST
value: {{ rabbitmq_hostname|default('localhost') }}
resources:
requests:
memory: "{{ web_mem_request }}Gi"
@@ -191,36 +173,9 @@ spec:
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
- name: "{{ kubernetes_deployment_name }}-application-credentials"
mountPath: "/etc/tower/conf.d/"
readOnly: true
env:
- name: AWX_SKIP_MIGRATIONS
value: "1"
- name: DATABASE_USER
value: {{ pg_username }}
- name: DATABASE_NAME
value: {{ pg_database }}
- name: DATABASE_HOST
value: {{ pg_hostname|default('postgresql') }}
- name: DATABASE_PORT
value: "{{ pg_port|default('5432') }}"
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: pg_password
- name: MEMCACHED_HOST
value: {{ memcached_hostname|default('localhost') }}
- name: RABBITMQ_HOST
value: {{ rabbitmq_hostname|default('localhost') }}
- name: AWX_ADMIN_USER
value: {{ admin_user }}
- name: AWX_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: admin_password
resources:
requests:
memory: "{{ task_mem_request }}Gi"
@@ -312,12 +267,14 @@ spec:
- key: secret_key
path: SECRET_KEY
- name: "{{ kubernetes_deployment_name }}-confd"
- name: "{{ kubernetes_deployment_name }}-application-credentials"
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: confd_contents
path: 'secrets.py'
- key: credentials_py
path: 'credentials.py'
- key: environment_sh
path: 'environment.sh'
- name: rabbitmq-config
configMap:
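Review bot: The `-application-credentials` secret volume in the `@@ -312` hunk sets no file mode, so `credentials.py` and the new `environment.sh` are projected with the Kubernetes default of 0644 and are readable by every user inside the container. Now that the database password lives only in these files, consider adding `defaultMode: 0440` under `secret:` (or a per-item `mode:`), chosen to match the container's user and fsGroup. The same volume definition appears in the management pod template (`@@ -37` hunk). Separately, the `@@ -191` hunk drops `AWX_SKIP_MIGRATIONS`, `AWX_ADMIN_USER` and `AWX_ADMIN_PASSWORD`, none of which appear in the `environment.sh.j2` shown on this page; worth confirming they are supplied elsewhere in the commit.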


@@ -0,0 +1,7 @@
DATABASE_USER={{ pg_username }}
DATABASE_NAME={{ pg_database }}
DATABASE_HOST={{ pg_hostname|default('postgresql') }}
DATABASE_PORT={{ pg_port|default('5432') }}
DATABASE_PASSWORD={{ pg_password }}
MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}
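Review bot: Every value in this template is written unquoted, so if the file is sourced by a shell (the `.sh` name suggests it, though the consumer is not visible here), a `pg_password` containing spaces, `$`, `;` or backticks will be split or interpreted instead of being assigned literally. Shell-quote each value at render time, e.g. `DATABASE_PASSWORD={{ pg_password | quote }}`, and do the same for the other six lines. If child processes need these values, the assignments also need `export` (or the sourcing script needs `set -a`), since a plain assignment stays local to the sourcing shell.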


@@ -14,7 +14,7 @@ spec:
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
- name: "{{ kubernetes_deployment_name }}-application-credentials"
mountPath: "/etc/tower/conf.d/"
readOnly: true
resources:
@@ -37,11 +37,11 @@ spec:
- key: secret_key
path: SECRET_KEY
- name: "{{ kubernetes_deployment_name }}-confd"
- name: "{{ kubernetes_deployment_name }}-application-credentials"
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: confd_contents
path: 'secrets.py'
- key: credentials_py
path: 'credentials.py'
restartPolicy: Never


@@ -10,4 +10,5 @@ data:
pg_password: "{{ pg_password | b64encode }}"
rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
confd_contents: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
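Review bot: The new `environment_sh` key stores a second rendered copy of the database password next to the existing `pg_password` key, and `credentials_py` presumably holds a third (the `credentials.py.j2` content is not shown on this page). Nothing in the file says so, and a rotation that updates only `pg_password` would leave the rendered files stale. A comment above the two keys would help, e.g. `# credentials_py and environment_sh embed pg_password; re-render every key together when rotating`.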