Downstream k8s installer changes

installer/roles/kubernetes/templates/configmap.yml.j2

@@ -18,6 +18,8 @@ data:
     SYSTEM_TASK_ABS_MEM = {{ ((task_mem_request|int * 1024) / 100)|int }}
 
     INSIGHTS_URL_BASE = "{{ insights_url_base }}"
+    INSIGHTS_AGENT_MIME = "application/vnd.redhat.tower.analytics+tgz"
+    AUTOMATION_ANALYTICS_URL = 'https://cloud.redhat.com/api/ingress/v1/upload'
 
     #Autoprovisioning should replace this
     CLUSTER_HOST_ID = socket.gethostname()
@@ -62,6 +64,7 @@ data:
     LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
     LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
     LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
+    LOGGING['handlers']['fact_receiver'] = {'class': 'logging.NullHandler'}
     LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
     LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
     LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}

installer/roles/kubernetes/templates/credentials.py.j2

@@ -7,6 +7,9 @@ DATABASES = {
         'PASSWORD': "{{ pg_password }}",
         'HOST': "{{ pg_hostname|default('postgresql') }}",
         'PORT': "{{ pg_port }}",
+        'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}',
+                     'sslrootcert': '{{ ca_trust_bundle }}',
+        },
     }
 }
 BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(

installer/roles/kubernetes/templates/deployment.yml.j2

@@ -61,6 +61,20 @@ data:
       queue_master_locator=min-masters
       ## enable guest user
       loopback_users.guest = false
+{% if rabbitmq_use_ssl|default(False)|bool %}
+      ssl_options.cacertfile=/etc/pki/rabbitmq/ca.crt
+      ssl_options.certfile=/etc/pki/rabbitmq/server-combined.pem
+      ssl_options.verify=verify_peer
+{% endif %}
+  rabbitmq-env.conf: |
+      NODENAME=${RABBITMQ_NODENAME}
+      USE_LONGNAME=true
+{% if rabbitmq_use_ssl|default(False)|bool %}
+      ERL_SSL_PATH=$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)
+      SSL_ADDITIONAL_ERL_ARGS="-pa '$ERL_SSL_PATH' -proto_dist inet_tls -ssl_dist_opt server_certfile /etc/pki/rabbitmq/server-combined.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
+      SERVER_ADDITIONAL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS $SSL_ADDITIONAL_ERL_ARGS"
+      CTL_ERL_ARGS="$SSL_ADDITIONAL_ERL_ARGS"
+{% endif %}
 
 {% if kubernetes_context is defined %}
 ---
@@ -156,7 +170,7 @@ spec:
               {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install -U \
                 {% for module in custom_venv.python_modules %}{{ module }} {% endfor %} &&
 {% endif %}
-              deactivate && 
+              deactivate &&
 {% endfor %}
               :
           volumeMounts:
@@ -307,6 +321,10 @@ spec:
               mountPath: /etc/rabbitmq
             - name: rabbitmq-healthchecks
               mountPath: /usr/local/bin/healthchecks
+{% if rabbitmq_use_ssl|default(False)|bool %}
+            - name: "{{ kubernetes_deployment_name }}-rabbitmq-certs-vol"
+              mountPath: /etc/pki/rabbitmq
+{% endif %}
           resources:
             requests:
               memory: "{{ rabbitmq_mem_request }}Gi"
@@ -362,7 +380,7 @@ spec:
             type: Directory
 {% endif %}
 {% if custom_venvs is defined %}
-        - name: custom-venvs 
+        - name: custom-venvs
           emptyDir: {}
 {% endif %}
         - name: {{ kubernetes_deployment_name }}-application-config
@@ -398,6 +416,23 @@ spec:
               path: enabled_plugins
             - key: rabbitmq_definitions.json
               path: rabbitmq_definitions.json
+            - key: rabbitmq-env.conf
+              path: rabbitmq-env.conf
+
+{% if rabbitmq_use_ssl|default(False)|bool %}
+        - name: "{{ kubernetes_deployment_name }}-rabbitmq-certs-vol"
+          secret:
+            secretName: "{{ kubernetes_deployment_name }}-rabbitmq-certs"
+            items:
+              - key: rabbitmq_ssl_cert
+                path: 'server.crt'
+              - key: rabbitmq_ssl_key
+                path: 'server.key'
+              - key: rabbitmq_ssl_cacert
+                path: 'ca.crt'
+              - key: rabbitmq_ssl_combined
+                path: 'server-combined.pem'
+{% endif %}
         - name: rabbitmq-healthchecks
           configMap:
             name: {{ kubernetes_deployment_name }}-healthchecks

installer/roles/kubernetes/templates/environment.sh.j2

@@ -2,8 +2,8 @@ DATABASE_USER={{ pg_username }}
 DATABASE_NAME={{ pg_database }}
 DATABASE_HOST={{ pg_hostname|default('postgresql') }}
 DATABASE_PORT={{ pg_port|default('5432') }}
-DATABASE_PASSWORD={{ pg_password|default('awxpass') }}
-DATABASE_ADMIN_PASSWORD={{ pg_admin_password|default('postgrespass') }}
+DATABASE_PASSWORD={{ pg_password | quote }}
+DATABASE_ADMIN_PASSWORD={{ pg_admin_password | quote }}
 MEMCACHED_HOST={{ memcached_hostname|default('localhost') }}
 MEMCACHED_PORT={{ memcached_port|default('11211') }}
 RABBITMQ_HOST={{ rabbitmq_hostname|default('localhost') }}

installer/roles/kubernetes/templates/secret.yml.j2

@@ -13,3 +13,18 @@ data:
   rabbitmq_erlang_cookie: "{{ rabbitmq_erlang_cookie | b64encode }}"
   credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
   environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+
+{% if rabbitmq_use_ssl|default(False)|bool %}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: {{ kubernetes_namespace }}
+  name: "{{ kubernetes_deployment_name }}-rabbitmq-certs"
+type: Opaque
+data:
+  rabbitmq_ssl_cert: "{{ lookup('file', rmq_cert_tempdir.path + '/server.crt') | b64encode }}"
+  rabbitmq_ssl_key: "{{ lookup('file', rmq_cert_tempdir.path + '/server.key') | b64encode }}"
+  rabbitmq_ssl_cacert: "{{ lookup('file', rmq_cert_tempdir.path + '/ca.crt') | b64encode }}"
+  rabbitmq_ssl_combined: "{{ lookup('file', rmq_cert_tempdir.path + '/server-combined.pem') | b64encode }}"
+{% endif %}