Fixes ca_trust_dir mapping for k8s and openshift

Signed-off-by: Marcelo Moreira de Mello <tchello.mello@gmail.com>
2026-01-13 02:50:02 -03:30 · 2020-05-15 02:37:33 -04:00 · 2020-05-15 02:37:33 -04:00 · 736e7a33ac
commit 736e7a33ac
parent 30610f1a62
2 changed files with 13 additions and 2 deletions
--- a/installer/inventory
+++ b/installer/inventory
@ -145,6 +145,8 @@ secret_key=awxsecret
 # CA Trust directory. If you need to provide custom CA certificates, supplying
 # this variable causes this directory on the host to be bind mounted over
 # /etc/pki/ca-trust in the awx_task and awx_web containers.
+# If you are deploying on openshift or kubernetes, set the variable to /etc/pki/ca-trust instead,
+# as the awx_web and awx_task containers will not run the `update-ca-trust` command.
 #ca_trust_dir=/etc/pki/ca-trust/source/anchors

 # Include /etc/nginx/awx_extra.conf
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@ -93,6 +93,11 @@ spec:
          imagePullPolicy: Always
          ports:
            - containerPort: 8052
+{% if ca_trust_dir is defined %}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+{% endif %}
          volumeMounts:
            - name: supervisor-socket
              mountPath: "/var/run/supervisor"
@ -102,7 +107,7 @@ spec:
              mountPath: "/var/lib/awx/rsyslog"
 {% if ca_trust_dir is defined %}
            - name: {{ kubernetes_deployment_name }}-ca-trust-dir
-              mountPath: "/etc/pki/ca-trust/source/anchors/"
+              mountPath: "{{ ca_trust_dir }}"
              readOnly: true
 {% endif %}
 {% if project_data_dir is defined %}
@ -188,7 +193,7 @@ spec:
              mountPath: "/var/lib/awx/rsyslog"
 {% if ca_trust_dir is defined %}
            - name: {{ kubernetes_deployment_name }}-ca-trust-dir
-              mountPath: "/etc/pki/ca-trust/source/anchors/"
+              mountPath: "{{ ca_trust_dir }}"
              readOnly: true
 {% endif %}
 {% if custom_venvs is defined %}
@ -247,6 +252,10 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
+{% if ca_trust_dir is defined %}
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+{% endif %}
          resources:
            requests:
              memory: "{{ task_mem_request }}Gi"