diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml
index 3961bf1622..d0cdf1cec2 100644
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@@ -30,7 +30,7 @@ rabbitmq_cpu_request: 500
 memcached_mem_request: 1
 memcached_cpu_request: 500
-kubernetes_rabbitmq_version: "3.7.4"
+kubernetes_rabbitmq_version: "3.7.15"
 kubernetes_rabbitmq_image: "ansible/awx_rabbitmq"
 kubernetes_memcached_version: "latest"
@@ -45,7 +45,13 @@ kubernetes_deployment_replica_size: 1
 postgress_activate_wait: 60
+restore_backup_file: "./tower-openshift-backup-latest.tar.gz"
+
 insights_url_base: "https://example.org"
 custom_venvs_path: "/opt/custom-venvs"
 custom_venvs_python: "python2"
+
+ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_use_ssl: False
+
diff --git a/installer/roles/kubernetes/tasks/backup.yml b/installer/roles/kubernetes/tasks/backup.yml
index 692ea02b0d..a4b0c5cd9d 100644
--- a/installer/roles/kubernetes/tasks/backup.yml
+++ b/installer/roles/kubernetes/tasks/backup.yml
@@ -50,7 +50,7 @@
 shell: |
 {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec ansible-tower-management -- \
 bash -c "PGPASSWORD={{ pg_password | quote }} \
- pg_dump --clean --create \
+ scl enable rh-postgresql10 -- pg_dump --clean --create \
 --host='{{ pg_hostname | default('postgresql') }}' \
 --port={{ pg_port | default('5432') }} \
 --username='{{ pg_username }}' \
diff --git a/installer/roles/kubernetes/tasks/main.yml b/installer/roles/kubernetes/tasks/main.yml
index 221180424d..61edfeee7b 100644
--- a/installer/roles/kubernetes/tasks/main.yml
+++ b/installer/roles/kubernetes/tasks/main.yml
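Review bot: `rabbitmq_use_ssl: False` in the second hunk uses the capitalised Python-style boolean, which YAML 1.2 loaders read as the string "False" and yamllint's truthy rule rejects; write `rabbitmq_use_ssl: false` like the other lowercase scalars in this file. Every consumer in the diff pipes the value through `|default(False)|bool`, so the change is cosmetic at runtime, but it keeps the defaults file parseable as a plain boolean by non-Ansible tooling. `restore_backup_file` is a `./`-relative default while restore.yml anchors its `dest` to `{{ playbook_dir }}`; a one-line comment above the default stating which directory it is relative to would prevent the two being read differently.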
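Review bot: The dump command now hard-codes the `rh-postgresql10` software collection into the `bash -c` string, so the backup fails inside ansible-tower-management whenever that SCL is not present there — in particular on an installation that was never migrated by the new upgrade block, or when `pg_hostname` points at an external Postgres of a different major version. The same literal is repeated in the three restore.yml hunks at old lines 76, 88 and 99; hoisting it into one default (for instance a constructed name like `pg_scl: "rh-postgresql10"`) and writing `scl enable {{ pg_scl }} -- pg_dump --clean --create \` keeps backup and restore in step with whatever the upgrade task installs. The enclosing task starts before this hunk, so the register/failure handling around the dump is not visible here.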
@@ -113,6 +113,59 @@
 seconds: "{{ postgress_activate_wait }}"
 when: openshift_pg_activate.changed or kubernetes_pg_activate.changed
+- name: Check if Postgres 9.6 is being used
+ shell: |
+ POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
+ get pods -l=name=postgresql --field-selector status.phase=Running -o jsonpath="{.items[0].metadata.name}")
+ oc exec -ti $POD -n {{ kubernetes_namespace }} -- bash -c "psql -tAc 'select version()'"
+ register: pg_version
+
+- name: Upgrade Postgres if necessary
+ block:
+ - name: Set new pg image
+ shell: |
+ IMAGE=registry.access.redhat.com/rhscl/postgresql-10-rhel7
+ {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set image dc/postgresql postgresql=$IMAGE
+
+ - name: Wait for change to take affect
+ pause:
+ seconds: 5
+
+ - name: Set env var for pg upgrade
+ shell: |
+ {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_UPGRADE=copy
+
+ - name: Wait for change to take affect
+ pause:
+ seconds: 5
+
+ - name: Set env var for new pg version
+ shell: |
+ {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_VERSION=10
+
+ - name: Wait for Postgres to redeploy
+ pause:
+ seconds: "{{ postgress_activate_wait }}"
+
+ - name: Wait for Postgres to finish upgrading
+ shell: |
+ POD=$({{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
+ get pods -l=name=postgresql -o jsonpath="{.items[0].metadata.name}")
+ {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} logs $POD | grep 'Upgrade DONE'
+ register: pg_upgrade_logs
+ retries: 360
+ delay: 10
+ until: pg_upgrade_logs is success
+
+ - name: Unset upgrade env var
+ shell: |
+ {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} set env dc/postgresql POSTGRESQL_UPGRADE-
+
+ - name: Wait for Postgres to redeploy
+ pause:
+ seconds: "{{ postgress_activate_wait }}"
+ when: "pg_version is success and '9.6' in pg_version.stdout"
+
 - name: Set image names if using custom registry
 block:
 - name: Set task image name
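Review bot: The probe in "Check if Postgres 9.6 is being used" runs `oc exec -ti $POD` directly while every other command in the block goes through `{{ kubectl_or_oc }}`, so the check fails on a plain Kubernetes install, and `-t` asks for a TTY that a non-interactive shell task does not have. Because the task carries no `failed_when`/`ignore_errors`, such a failure aborts the play instead of being absorbed by the `pg_version is success` guard on the upgrade block, which reads as though a soft failure was intended; `{{ kubectl_or_oc }} -n {{ kubernetes_namespace }} exec $POD -- bash -c "psql -tAc 'select version()'"` together with `failed_when: false` on the task gives the guard that meaning. The block then starts an in-place `POSTGRESQL_UPGRADE=copy` of the data volume with no dump taken first, so a comment above it — or a conditional include of backup.yml — telling operators to back up before running the installer against a 9.6 database is warranted; `set image dc/postgresql` also addresses an OpenShift DeploymentConfig, so on non-OpenShift clusters the block presumably needs a Deployment equivalent. Both "Wait for change to take affect" task names should read "effect".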
@@ -126,6 +179,10 @@
 when: kubernetes_web_image is not defined
 when: docker_registry is defined
+- name: Generate SSL certificates for RabbitMQ, if needed
+ include_tasks: ssl_cert_gen.yml
+ when: "rabbitmq_use_ssl|default(False)|bool"
+
 - name: Render deployment templates
 set_fact:
 "{{ item }}": "{{ lookup('template', item + '.yml.j2') }}"
diff --git a/installer/roles/kubernetes/tasks/restore.yml b/installer/roles/kubernetes/tasks/restore.yml
index 10f1292495..3acb394c57 100644
--- a/installer/roles/kubernetes/tasks/restore.yml
+++ b/installer/roles/kubernetes/tasks/restore.yml
@@ -21,7 +21,7 @@
 - name: Unarchive Tower backup
 unarchive:
- src: tower-openshift-backup-latest.tar.gz
+ src: "{{ restore_backup_file }}"
 dest: "{{ playbook_dir }}/tower-openshift-restore"
 extra_opts: [--strip-components=1]
@@ -76,7 +76,7 @@
 shell: |
 {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
 exec -i ansible-tower-management -- bash -c "PGPASSWORD={{ pg_password | quote }} \
- psql \
+ scl enable rh-postgresql10 -- psql \
 --host={{ pg_hostname | default('postgresql') }} \
 --port={{ pg_port | default('5432') }} \
 --username=postgres \
@@ -88,7 +88,7 @@
 shell: |
 {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
 exec -i ansible-tower-management -- bash -c "PGPASSWORD={{ pg_password | quote }} \
- psql \
+ scl enable rh-postgresql10 -- psql \
 --host={{ pg_hostname | default('postgresql') }} \
 --port={{ pg_port | default('5432') }} \
 --username={{ pg_username }} \
@@ -99,7 +99,7 @@
 shell: |
 {{ kubectl_or_oc }} -n {{ kubernetes_namespace }} \
 exec -i ansible-tower-management -- bash -c "PGPASSWORD={{ pg_password | quote }} \
- psql \
+ scl enable rh-postgresql10 -- psql \
 --host={{ pg_hostname | default('postgresql') }} \
 --port={{ pg_port | default('5432') }} \
 --username=postgres \
diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2
index 0677721681..2468a80618 100644
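Review bot: `include_tasks: ssl_cert_gen.yml` brings in a file that is not part of this diff, yet secret.yml.j2 and deployment.yml.j2 depend on it registering `rmq_cert_tempdir` and writing `server.crt`, `server.key`, `ca.crt` and `server-combined.pem` into it; none of that contract is visible from this hunk. A comment on the include, such as `# registers rmq_cert_tempdir; secret.yml.j2 reads the generated server/CA material from it`, would record the coupling, and the included file should be checked to remove that temporary directory — it holds the private key — once the Secret has been applied. The `when` expression is repeated verbatim in four templates; if the installer later gains a second TLS switch, a single fact set here (for example `rabbitmq_ssl_enabled`, a constructed name) would keep them in agreement.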
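Review bot: `src: "{{ restore_backup_file }}"` now takes a default that starts with `./`, which reads as a path relative to where ansible-playbook is launched, while `dest` on the next line is anchored to `{{ playbook_dir }}`; the previous bare filename went through Ansible's own file search, so the two lines may now resolve against different directories depending on the caller's working directory. If the playbook directory is the intent, defaulting to `"{{ playbook_dir }}/tower-openshift-backup-latest.tar.gz"` makes it explicit and matches `dest`. The three `scl enable rh-postgresql10 -- psql` hunks share the hard-coded SCL name raised on backup.yml.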
--- a/installer/roles/kubernetes/templates/configmap.yml.j2
+++ b/installer/roles/kubernetes/templates/configmap.yml.j2
@@ -18,6 +18,8 @@ data:
 SYSTEM_TASK_ABS_MEM = {{ ((task_mem_request|int * 1024) / 100)|int }}
 INSIGHTS_URL_BASE = "{{ insights_url_base }}"
+ INSIGHTS_AGENT_MIME = "application/vnd.redhat.tower.analytics+tgz"
+ AUTOMATION_ANALYTICS_URL = 'https://cloud.redhat.com/api/ingress/v1/upload'
 #Autoprovisioning should replace this
 CLUSTER_HOST_ID = socket.gethostname()
@@ -62,6 +64,7 @@ data:
 LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
 LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
 LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
+ LOGGING['handlers']['fact_receiver'] = {'class': 'logging.NullHandler'}
 LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
 LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
 LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}
diff --git a/installer/roles/kubernetes/templates/credentials.py.j2 b/installer/roles/kubernetes/templates/credentials.py.j2
index 22678db7a3..f353796bb1 100644
--- a/installer/roles/kubernetes/templates/credentials.py.j2
+++ b/installer/roles/kubernetes/templates/credentials.py.j2
@@ -7,6 +7,9 @@ DATABASES = {
 'PASSWORD': "{{ pg_password }}",
 'HOST': "{{ pg_hostname|default('postgresql') }}",
 'PORT': "{{ pg_port }}",
+ 'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}',
+ 'sslrootcert': '{{ ca_trust_bundle }}',
+ },
 }
 }
 BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index c53d1c62b5..b7a3f9cb10 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
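Review bot: `AUTOMATION_ANALYTICS_URL` is hard-coded to `https://cloud.redhat.com/api/ingress/v1/upload` two lines under `INSIGHTS_URL_BASE`, which the same settings block renders from the `insights_url_base` variable; an operator who has to route Insights traffic through a proxy or a test endpoint cannot do the same for the analytics upload URL. Render it the same way, `AUTOMATION_ANALYTICS_URL = "{{ automation_analytics_url }}"`, with the present URL as its default in defaults/main.yml next to `insights_url_base` (the variable name is a suggestion). The two new lines also alternate between `"` and `'` quoting where the surrounding settings use double quotes.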
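Review bot: The new `OPTIONS` block defaults `sslmode` to `prefer`, under which libpq will fall back to a cleartext connection and never checks the server certificate, so the `sslrootcert` pointed at `{{ ca_trust_bundle }}` has no effect until an operator explicitly sets `pg_sslmode` to `verify-ca` or `verify-full`. `pg_sslmode` is also not declared in defaults/main.yml alongside the new `ca_trust_bundle`, so this `default("prefer")` is the only record that the variable exists; add `pg_sslmode: "prefer"` there with a comment stating that `verify-full` is needed for the CA bundle to be enforced, and consider `verify-full` as the default when `pg_hostname` is an external host. The values are interpolated inside single-quoted Python literals, so a `'` in `ca_trust_bundle` would break the module; rendering them with `{{ ca_trust_bundle | to_json }}` (which emits a quoted literal) avoids that, as it would for the adjacent raw `PASSWORD` interpolation.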
@@ -61,6 +61,20 @@ data:
 queue_master_locator=min-masters
 ## enable guest user
 loopback_users.guest = false
+{% if rabbitmq_use_ssl|default(False)|bool %}
+ ssl_options.cacertfile=/etc/pki/rabbitmq/ca.crt
+ ssl_options.certfile=/etc/pki/rabbitmq/server-combined.pem
+ ssl_options.verify=verify_peer
+{% endif %}
+ rabbitmq-env.conf: |
+ NODENAME=${RABBITMQ_NODENAME}
+ USE_LONGNAME=true
+{% if rabbitmq_use_ssl|default(False)|bool %}
+ ERL_SSL_PATH=$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)
+ SSL_ADDITIONAL_ERL_ARGS="-pa '$ERL_SSL_PATH' -proto_dist inet_tls -ssl_dist_opt server_certfile /etc/pki/rabbitmq/server-combined.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
+ SERVER_ADDITIONAL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS $SSL_ADDITIONAL_ERL_ARGS"
+ CTL_ERL_ARGS="$SSL_ADDITIONAL_ERL_ARGS"
+{% endif %}
 {% if kubernetes_context is defined %}
 ---
@@ -156,7 +170,7 @@ spec:
 {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install -U \
 {% for module in custom_venv.python_modules %}{{ module }} {% endfor %} &&
 {% endif %}
- deactivate &&
+ deactivate &&
 {% endfor %}
 :
 volumeMounts:
@@ -307,6 +321,10 @@ spec:
 mountPath: /etc/rabbitmq
 - name: rabbitmq-healthchecks
 mountPath: /usr/local/bin/healthchecks
+{% if rabbitmq_use_ssl|default(False)|bool %}
+ - name: "{{ kubernetes_deployment_name }}-rabbitmq-certs-vol"
+ mountPath: /etc/pki/rabbitmq
+{% endif %}
 resources:
 requests:
 memory: "{{ rabbitmq_mem_request }}Gi"
@@ -362,7 +380,7 @@ spec:
 type: Directory
 {% endif %}
 {% if custom_venvs is defined %}
- - name: custom-venvs
+ - name: custom-venvs
 emptyDir: {}
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-application-config
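Review bot: The `ssl_options` block in the first hunk sets `verify=verify_peer` but not `fail_if_no_peer_cert`, which RabbitMQ defaults to false, so a client that presents no certificate is still admitted and the option only validates certificates that happen to be offered; if mutual TLS is the intent add `ssl_options.fail_if_no_peer_cert=true`, otherwise a comment stating that client certificates are optional would stop readers assuming otherwise. No `listeners.ssl.default` appears in this hunk, so unless it is set elsewhere in the ConfigMap these options are never bound to a TLS listener. The inter-node `-proto_dist inet_tls` arguments name a `server_certfile` but no `server_verify`/`server_cacertfile`, which leaves distribution encrypted but not authenticated between nodes; `-ssl_dist_opt server_verify verify_peer -ssl_dist_opt server_cacertfile /etc/pki/rabbitmq/ca.crt` (and the matching `client_*` options) is what closes that. The same `rabbitmq_use_ssl|default(False)|bool` test is repeated in every hunk of this file; evaluating it once into a Jinja variable at the top of the template would make the conditionals easier to follow.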
@@ -398,6 +416,23 @@ spec:
 path: enabled_plugins
 - key: rabbitmq_definitions.json
 path: rabbitmq_definitions.json
+ - key: rabbitmq-env.conf
+ path: rabbitmq-env.conf
+
+{% if rabbitmq_use_ssl|default(False)|bool %}
+ - name: "{{ kubernetes_deployment_name }}-rabbitmq-certs-vol"
+ secret:
+ secretName: "{{ kubernetes_deployment_name }}-rabbitmq-certs"
+ items:
+ - key: rabbitmq_ssl_cert
+ path: 'server.crt'
+ - key: rabbitmq_ssl_key
+ path: 'server.key'
+ - key: rabbitmq_ssl_cacert
+ path: 'ca.crt'
+ - key: rabbitmq_ssl_combined
+ path: 'server-combined.pem'
+{% endif %}
 - name: rabbitmq-healthchecks
 configMap:
 name: {{ kubernetes_deployment_name }}-healthchecks
diff --git a/installer/roles/kubernetes/templates/environment.sh.j2 b/installer/roles/kubernetes/templates/environment.sh.j2
index cd1c34cb05..db5cd548da 100644
--- a/installer/roles/kubernetes/templates/environment.sh.j2
+++ b/installer/roles/kubernetes/templates/environment.sh.j2
@@ -2,8 +2,8 @@ DATABASE_USER={{ pg_username }}
 DATABASE_NAME={{ pg_database }}
 DATABASE_HOST={{ pg_hostname|default('postgresql') }}
 DATABASE_PORT={{ pg_port|default('5432') }}
-DATABASE_PASSWORD={{ pg_password|default('awxpass') }}
-DATABASE_ADMIN_PASSWORD={{ pg_admin_password|default('postgrespass') }}
+DATABASE_PASSWORD={{ pg_password | quote }}
+DATABASE_ADMIN_PASSWORD={{ pg_admin_password | quote }}
 MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
 MEMCACHED_PORT={{ memcached_port|default('11211') }}
 RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}
diff --git a/installer/roles/kubernetes/templates/secret.yml.j2 b/installer/roles/kubernetes/templates/secret.yml.j2
index f57691666d..5c31cf45b1 100644
--- a/installer/roles/kubernetes/templates/secret.yml.j2
+++ b/installer/roles/kubernetes/templates/secret.yml.j2
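Review bot: The `-rabbitmq-certs-vol` secret volume projects `server.key` and `server-combined.pem` with the Kubernetes default file mode of 0644, so every process in the container can read the private key. Add `defaultMode: 0400` under `secret:` (or `0440` together with a pod `securityContext.fsGroup` if RabbitMQ does not run as the file owner — the container's user is not visible in this hunk). Nothing in this diff reads `server.crt` or `server.key` on its own — both rabbitmq.conf and the Erlang distribution flags point at `server-combined.pem` — so the separate projections can presumably be dropped, which also leaves one fewer copy of the key on disk.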
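Review bot: Dropping the `awxpass`/`postgrespass` fallbacks is right, but `pg_admin_password` is not among the defaults touched in this diff, so an installer run that omits it now fails at template render time with an undefined-variable error instead of a message naming the missing setting. An `assert` task ahead of "Render deployment templates" — `that: [pg_password is defined, pg_admin_password is defined]` with a `fail_msg` naming both — would make the new requirement explicit, and the inventory documentation should list them as mandatory. `| quote` is shell quoting, which is correct for a file that is sourced; credentials.py.j2 still interpolates the same `pg_password` raw into a Python string literal, so the two renderings disagree on escaping for the same value.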
@@ -13,3 +13,18 @@ data:
 rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
 credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
 environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+
+{% if rabbitmq_use_ssl|default(False)|bool %}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ kubernetes_namespace }}
+ name: "{{ kubernetes_deployment_name }}-rabbitmq-certs"
+type: Opaque
+data:
+ rabbitmq_ssl_cert: "{{ lookup('file', rmq_cert_tempdir.path + '/server.crt') | b64encode }}"
+ rabbitmq_ssl_key: "{{ lookup('file', rmq_cert_tempdir.path + '/server.key') | b64encode }}"
+ rabbitmq_ssl_cacert: "{{ lookup('file', rmq_cert_tempdir.path + '/ca.crt') | b64encode }}"
+ rabbitmq_ssl_combined: "{{ lookup('file', rmq_cert_tempdir.path + '/server-combined.pem') | b64encode }}"
+{% endif %}
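Review bot: `lookup('file', rmq_cert_tempdir.path + '/server.key')` pulls the private key into a template that, if `secret` is among the items of "Render deployment templates" in tasks/main.yml, is stored with `set_fact`, so the rendered Secret — key included — becomes a host fact that can end up in a fact cache and in the verbose output of any later task that handles it. Put `no_log: true` on the tasks that render and apply this template, and have the playbook delete `rmq_cert_tempdir` once the Secret is applied, since the key otherwise stays on the controller's filesystem. The second document is gated on the same `rabbitmq_use_ssl` expression as the volume in deployment.yml.j2 and its four keys match what that volume projects, so the two stay consistent; `type: kubernetes.io/tls` with `tls.crt`/`tls.key` would let standard tooling recognise the Secret, but only if the volume's `items` are renamed with it.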