Pull in downstream k8s installer changes

- Secretification of secret stuff
- Backup / restore
Shane McDonald
2018-08-14 12:22:43 -04:00
parent 2e6a7205e7
commit 2b9954c373
14 changed files with 537 additions and 151 deletions


@@ -10,8 +10,7 @@ data:
import socket
ADMINS = ()
# Container environments don't like chroots
AWX_PROOT_ENABLED = False
AWX_PROOT_ENABLED = True
# Automatically deprovision pods that go offline
AWX_AUTO_DEPROVISION_INSTANCES = True
@@ -51,10 +50,11 @@ data:
LOGGING['loggers']['django.request']['handlers'] = ['console']
LOGGING['loggers']['rest_framework.request']['handlers'] = ['console']
LOGGING['loggers']['awx']['handlers'] = ['console', 'external_logger']
LOGGING['loggers']['awx']['handlers'] = ['console']
LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console']
LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console', 'external_logger']
LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console', 'external_logger']
LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console']
LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console']
LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console']
LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
LOGGING['loggers']['social']['handlers'] = ['console']
LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
@@ -68,28 +68,6 @@ data:
LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'}
LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'}
DATABASES = {
'default': {
'ATOMIC_REQUESTS': True,
'ENGINE': 'django.db.backends.postgresql',
'NAME': "{{ pg_database }}",
'USER': "{{ pg_username }}",
'PASSWORD': "{{ pg_password }}",
'HOST': "{{ pg_hostname|default('postgresql') }}",
'PORT': "{{ pg_port }}",
}
}
BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
"awx",
"abcdefg",
"localhost",
"5672",
"awx")
CHANNEL_LAYERS = {
'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
'ROUTING': 'awx.main.routing.channel_routing',
'CONFIG': {'url': BROKER_URL}}
}
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
@@ -99,3 +77,5 @@ data:
'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
},
}
USE_X_FORWARDED_PORT = True
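Review bot: `USE_X_FORWARDED_PORT = True` on the last line of the section makes Django take the request port from the client-controllable X-Forwarded-Port header, which is only safe when every path to the pod goes through an ingress/proxy that overwrites that header; the setting deserves a comment saying so, e.g. `# Trust X-Forwarded-Port: assumes the ingress overwrites it and pods are not reachable directly`. The rendered view has dropped the +/- markers, so the direction of the `AWX_PROOT_ENABLED` flip in the first hunk cannot be confirmed from the page; whichever side is new, the `# Container environments don't like chroots` comment above it no longer matches if the value is now True and should be updated in the same change. The DATABASES/BROKER_URL/CHANNEL_LAYERS block removed from this ConfigMap is presumably picked up from /etc/tower/conf.d/secrets.py through the conf.d include in the base settings, which is outside this hunk.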


@@ -0,0 +1,22 @@
DATABASES = {
'default': {
'ATOMIC_REQUESTS': True,
'ENGINE': 'django.db.backends.postgresql',
'NAME': "{{ pg_database }}",
'USER': "{{ pg_username }}",
'PASSWORD': "{{ pg_password }}",
'HOST': "{{ pg_hostname|default('postgresql') }}",
'PORT': "{{ pg_port }}",
}
}
BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
"{{ rabbitmq_user }}",
"{{ rabbitmq_password }}",
"localhost",
"5672",
"awx")
CHANNEL_LAYERS = {
'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
'ROUTING': 'awx.main.routing.channel_routing',
'CONFIG': {'url': BROKER_URL}}
}
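Review bot: The Jinja values on the NAME/USER/PASSWORD lines and in the BROKER_URL format() arguments are interpolated straight into Python string literals, so a password containing a double quote or backslash yields a broken or silently altered secrets.py; rendering them as JSON literals avoids that, e.g. `'PASSWORD': {{ pg_password | to_json }},`. BROKER_URL has a second problem: the user and password go into the amqp:// URL without percent-encoding, so a password containing `@`, `:`, `/` or `#` changes how the URL is parsed — use `"{{ rabbitmq_password | urlencode }}"` for the two credential arguments (the encoded form also contains no quote or backslash). This file is the whole template (the hunk is -0,0 +1,22); its name is inferred from the `credentials.py.j2` lookup in the Secret template elsewhere in this commit.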


@@ -1,3 +1,10 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: awx
namespace: {{ kubernetes_namespace }}
---
kind: Service
apiVersion: v1
@@ -31,8 +38,8 @@ data:
enabled_plugins: |
[rabbitmq_management,rabbitmq_peer_discovery_k8s].
rabbitmq.conf: |
default_user = awx
default_pass = abcdefg
default_user = {{ rabbitmq_user }}
default_pass = {{ rabbitmq_password }}
default_vhost = awx
## Clustering
@@ -47,13 +54,6 @@ data:
## enable guest user
loopback_users.guest = false
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rabbitmq
namespace: {{ kubernetes_namespace }}
{% if kubernetes_context is defined %}
---
kind: Role
@@ -73,7 +73,7 @@ metadata:
namespace: {{ kubernetes_namespace }}
subjects:
- kind: ServiceAccount
name: rabbitmq
name: awx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -102,10 +102,10 @@ roleRef:
namespace: {{ kubernetes_namespace }}
subjects:
- kind: ServiceAccount
name: rabbitmq
name: awx
namespace: {{ kubernetes_namespace }}
userNames:
- system:serviceaccount:{{ kubernetes_namespace }}:rabbitmq
- system:serviceaccount:{{ kubernetes_namespace }}:awx
{% endif %}
---
@@ -128,10 +128,10 @@ spec:
service: django
app: rabbitmq
spec:
serviceAccountName: rabbitmq
serviceAccountName: awx
containers:
- name: {{ kubernetes_deployment_name }}-web
image: {{ kubernetes_web_image | default(dockerhub_web_image) }}
image: "{{ kubernetes_web_image }}:{{ kubernetes_web_version }}"
imagePullPolicy: Always
env:
- name: DATABASE_USER
@@ -143,7 +143,10 @@ spec:
- name: DATABASE_PORT
value: "{{ pg_port|default('5432') }}"
- name: DATABASE_PASSWORD
value: {{ pg_password }}
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: pg_password
- name: MEMCACHED_HOST
value: {{ memcached_hostname|default('localhost') }}
- name: RABBITMQ_HOST
@@ -151,19 +154,35 @@ spec:
ports:
- containerPort: 8052
volumeMounts:
- mountPath: /etc/tower
name: {{ kubernetes_deployment_name }}-application-config
- name: {{ kubernetes_deployment_name }}-application-config
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
mountPath: "/etc/tower/conf.d/"
readOnly: true
resources:
requests:
memory: "{{ web_mem_request }}Gi"
cpu: "{{ web_cpu_request }}m"
- name: {{ kubernetes_deployment_name }}-celery
image: {{ kubernetes_task_image | default(dockerhub_task_image) }}
securityContext:
privileged: true
image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
command:
- /usr/bin/launch_awx_task.sh
imagePullPolicy: Always
volumeMounts:
- mountPath: /etc/tower
name: {{ kubernetes_deployment_name }}-application-config
- name: {{ kubernetes_deployment_name }}-application-config
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
mountPath: "/etc/tower/conf.d/"
readOnly: true
env:
- name: AWX_SKIP_MIGRATIONS
value: "1"
- name: DATABASE_USER
value: {{ pg_username }}
- name: DATABASE_NAME
@@ -173,15 +192,21 @@ spec:
- name: DATABASE_PORT
value: "{{ pg_port|default('5432') }}"
- name: DATABASE_PASSWORD
value: {{ pg_password }}
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: pg_password
- name: MEMCACHED_HOST
value: {{ memcached_hostname|default('localhost') }}
- name: RABBITMQ_HOST
value: {{ rabbitmq_hostname|default('localhost') }}
- name: AWX_ADMIN_USER
value: {{ default_admin_user|default('admin') }}
value: {{ admin_user }}
- name: AWX_ADMIN_PASSWORD
value: {{ default_admin_password|default('password') }}
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: admin_password
resources:
requests:
memory: "{{ task_mem_request }}Gi"
@@ -215,10 +240,13 @@ spec:
value: "true"
- name: RABBITMQ_NODENAME
value: "rabbit@$(MY_POD_IP)"
- name: RABBITMQ_ERLANG_COOKIE
valueFrom:
secretKeyRef:
name: "{{ kubernetes_deployment_name }}-secrets"
key: rabbitmq_erlang_cookie
- name: K8S_SERVICE_NAME
value: "rabbitmq"
- name: RABBITMQ_ERLANG_COOKIE
value: "cookiemonster"
volumeMounts:
- name: rabbitmq-config
mountPath: /etc/rabbitmq
@@ -242,6 +270,14 @@ spec:
path: settings.py
- key: secret_key
path: SECRET_KEY
- name: "{{ kubernetes_deployment_name }}-confd"
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: confd_contents
path: 'secrets.py'
- name: rabbitmq-config
configMap:
name: rabbitmq-config
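Review bot: In the -151,19 +154,35 hunk the celery/task container carries `securityContext: privileged: true`; the rendered view has lost the +/- markers, but printed between the old and new `image:` lines it reads as part of the new side. Privileged grants the container every capability and access to host devices, so it should be justified in place — if, as the `AWX_PROOT_ENABLED` change in the ConfigMap suggests, it is needed for PRoot/bubblewrap job isolation, add `# privileged: needed for PRoot/bwrap job isolation; revisit if a narrower capability set suffices` above it, and keep it off the web container, which this hunk already does. The same hunk correctly moves the config mounts to `readOnly: true` and the database password to a secretKeyRef, so the remaining plain-text env values there (`DATABASE_USER`, `AWX_ADMIN_USER`) are the only non-secret ones left, which is consistent.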


@@ -0,0 +1,37 @@
---
apiVersion: v1
kind: Pod
metadata:
name: ansible-tower-management
namespace: {{ kubernetes_namespace }}
spec:
containers:
- name: ansible-tower-management
image: {{ kubernetes_task_image }}
command: ["sleep", "infinity"]
volumeMounts:
- name: {{ kubernetes_deployment_name }}-application-config
mountPath: "/etc/tower"
readOnly: true
- name: "{{ kubernetes_deployment_name }}-confd"
mountPath: "/etc/tower/conf.d/"
readOnly: true
volumes:
- name: {{ kubernetes_deployment_name }}-application-config
configMap:
name: {{ kubernetes_deployment_name }}-config
items:
- key: {{ kubernetes_deployment_name }}_settings
path: settings.py
- key: secret_key
path: SECRET_KEY
- name: "{{ kubernetes_deployment_name }}-confd"
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: confd_contents
path: 'secrets.py'
restartPolicy: Never
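Review bot: `image: {{ kubernetes_task_image }}` on the management pod has no tag, so it resolves to :latest and pulls whatever that is at run time, while the Deployment in this commit pins `"{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"`; a backup, restore or migration run from this pod can therefore execute a different code version than the running AWX against the same database. Use the same pinned form here: `image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"`. Because the container runs `sleep infinity` with the secrets volume mounted and `restartPolicy: Never`, the pod lives until something deletes it; a comment noting who removes it after the management task (e.g. `# transient: delete after the management task completes`) would help the operator.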


@@ -35,11 +35,13 @@ objects:
annotations:
template.openshift.io/expose-database_name: '{.data[''database-name'']}'
template.openshift.io/expose-password: '{.data[''database-password'']}'
template.openshift.io/expose-admin_password: '{.data[''database-admin-password'']}'
template.openshift.io/expose-username: '{.data[''database-user'']}'
name: ${DATABASE_SERVICE_NAME}
stringData:
database-name: ${POSTGRESQL_DATABASE}
database-password: ${POSTGRESQL_PASSWORD}
database-admin-password: ${POSTGRESQL_PASSWORD}
database-user: ${POSTGRESQL_USER}
- apiVersion: v1
kind: Service
@@ -90,6 +92,11 @@ objects:
secretKeyRef:
key: database-password
name: ${DATABASE_SERVICE_NAME}
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: database-admin-password
name: ${DATABASE_SERVICE_NAME}
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
@@ -97,7 +104,7 @@ objects:
name: ${DATABASE_SERVICE_NAME}
- name: POSTGRESQL_MAX_CONNECTIONS
value: ${POSTGRESQL_MAX_CONNECTIONS}
image: ' '
image: registry.access.redhat.com/rhscl/postgresql-96-rhel7
imagePullPolicy: IfNotPresent
livenessProbe:
initialDelaySeconds: 30
@@ -114,7 +121,7 @@ objects:
- /bin/sh
- -i
- -c
- psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE
- psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d template1
-c 'SELECT 1'
initialDelaySeconds: 5
timeoutSeconds: 1
@@ -139,16 +146,6 @@ objects:
claimName: {{ openshift_pg_pvc_name }}
{% endif %}
triggers:
- imageChangeParams:
automatic: true
containerNames:
- postgresql
from:
kind: ImageStreamTag
name: postgresql:${POSTGRESQL_VERSION}
namespace: ${NAMESPACE}
lastTriggeredImage: ""
type: ImageChange
- type: ConfigChange
status: {}
parameters:
@@ -179,13 +176,14 @@ parameters:
generate: expression
name: POSTGRESQL_PASSWORD
required: true
- description: Password for the PostgreSQL connection admin user.
displayName: PostgreSQL Connection Admin Password
from: '[a-zA-Z0-9]{16}'
generate: expression
name: POSTGRESQL_ADMIN_PASSWORD
required: true
- description: Name of the PostgreSQL database accessed.
displayName: PostgreSQL Database Name
name: POSTGRESQL_DATABASE
required: true
value: sampledb
- description: Version of PostgreSQL image to be used (9.2, 9.4, 9.5 or latest).
displayName: Version of PostgreSQL Image
name: POSTGRESQL_VERSION
required: true
value: "9.5"
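Review bot: In the first hunk the secret sets `database-admin-password: ${POSTGRESQL_PASSWORD}`, while the new `POSTGRESQL_ADMIN_PASSWORD` parameter added in the last hunk is generated but never referenced, so the PostgreSQL superuser ends up with the same password as the application user and the new parameter is dead; the line should read `database-admin-password: ${POSTGRESQL_ADMIN_PASSWORD}`. With the ImageChange trigger removed and the image hard-coded to `registry.access.redhat.com/rhscl/postgresql-96-rhel7` (untagged, so :latest), the `POSTGRESQL_VERSION` parameter and its "9.2, 9.4, 9.5 or latest" description are now stale; either drop the parameter or use it to pin a tag on that image.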


@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Secret
metadata:
namespace: {{ kubernetes_namespace }}
name: "{{ kubernetes_deployment_name }}-secrets"
type: Opaque
data:
admin_password: "{{ admin_password | b64encode }}"
pg_password: "{{ pg_password | b64encode }}"
rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
confd_contents: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
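Review bot: Every `data:` entry is base64, which is an encoding rather than protection, so the rendered manifest is exactly as sensitive as the plaintext variables it is built from; a header comment stating that, e.g. `# Values are base64-encoded only; treat the rendered file as a secret and do not keep it on disk after apply`, would help whoever next touches the role, and where the role writes this rendered template to a file (not visible here) its mode and lifetime should match. The `confd_contents` entry embeds a whole rendered `credentials.py.j2`, so a template error in that file surfaces here only as an opaque blob; a short comment naming it (`# rendered /etc/tower/conf.d/secrets.py, see credentials.py.j2`) would make the Secret self-describing.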