External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-17 11:10:03 -03:30
Code Issues Packages Projects Releases Wiki Activity
Files
f1d2d79f00df1c50947bcd87fb8b1bebfbf05ffd
awx/installer/roles/kubernetes/templates/deployment.yml.j2
Nicolas G 23c386223c Add Kubernetes Deployment support for annotations 
Annotations are only supported for ingress and service accounts
This PR will allow you now to specify annotations for Kubernetes Deployment
 resources by defining `kubernetes_deployment_annotations` var list
2020-10-19 16:33:54 -04:00

583 lines
19 KiB
Django/Jinja
Raw Blame History

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ kubernetes_serviceaccount_name }}
namespace: {{ kubernetes_namespace }}
{% if kubernetes_service_account_annotations is defined %}
annotations:
{% for key, value in kubernetes_service_account_annotations.items() %}
{{ key }}: {{ value }}
{% endfor %}
{% endif %}
{% if kubernetes_image_pull_secrets is defined %}
imagePullSecrets:
- name: "{{ kubernetes_image_pull_secrets }}"
{% endif %}
{% if awx_psp_create is defined and awx_psp_create | bool %}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ awx_psp_name }}-psp
spec:
{% if awx_psp_privileged is defined %}
privileged: {{ awx_psp_privileged }}
allowPrivilegeEscalation: {{ awx_psp_privileged }}
{% endif %}
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ kubernetes_namespace }}
name: {{ awx_psp_name }}-role
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ awx_psp_name }}-psp
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ awx_psp_name }}-role-binding
namespace: {{ kubernetes_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ awx_psp_name }}-role
subjects:
- kind: ServiceAccount
name: {{ kubernetes_serviceaccount_name }}
namespace: {{ kubernetes_namespace }}
{% endif %}
---
apiVersion: {{ kubernetes_deployment_api_version }}
kind: Deployment
metadata:
name: {{ kubernetes_deployment_name }}
namespace: {{ kubernetes_namespace }}
{% if kubernetes_deployment_annotations is defined %}
annotations:
{% for key, value in kubernetes_deployment_annotations.items() %}
{{ key }}: {{ value }}
{% endfor %}
{% endif %}
{% if openshift_host is defined %}
labels:
app: {{ kubernetes_deployment_name }}
{% endif %}
spec:
replicas: 1
{% if kubernetes_deployment_api_version == "apps/v1" %}
selector:
matchLabels:
app: {{ kubernetes_deployment_name }}
{% endif %}
template:
metadata:
labels:
name: {{ kubernetes_deployment_name }}-web-deploy
service: django
app: {{ kubernetes_deployment_name }}
spec:
serviceAccountName: {{ kubernetes_serviceaccount_name }}
securityContext:
fsGroup: 0
terminationGracePeriodSeconds: 10
{% if custom_venvs is defined %}
{% set trusted_hosts = "" %}
initContainers:
- image: 'centos:7'
name: init-custom-venvs
{% if http_proxy is defined or https_proxy is defined %}
{% set trusted_hosts = "--trusted-host pypi.org --trusted-host files.pythonhosted.org --trusted-host pypi.python.org" %}
env:
{% if http_proxy is defined %}
- name: http_proxy
value: {{ http_proxy }}
{% endif %}
{% if https_proxy is defined %}
- name: https_proxy
value: {{ https_proxy }}
{% endif %}
{% if no_proxy is defined %}
- name: no_proxy
value: {{ no_proxy }}
{% endif %}
{% endif %}
command:
- sh
- '-c'
- >-
yum install -y ansible curl python-setuptools epel-release \
openssl openssl-devel gcc python-devel &&
yum install -y python-virtualenv python36 python36-devel &&
mkdir -p {{ custom_venvs_path }} &&
{% for custom_venv in custom_venvs %}
virtualenv -p {{ custom_venv.python | default(custom_venvs_python) }} \
{{ custom_venvs_path }}/{{ custom_venv.name }} &&
source {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/activate &&
{{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U psutil \
"ansible=={{ custom_venv.python_ansible_version }}" &&
{% if custom_venv.python_modules is defined %}
{{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U \
{% for module in custom_venv.python_modules %}{{ module }} {% endfor %} &&
{% endif %}
deactivate &&
{% endfor %}
:
volumeMounts:
- name: custom-venvs
mountPath: {{ custom_venvs_path }}
{% endif %}
containers:
- name: {{ kubernetes_deployment_name }}-web
{% if web_security_context_enabled is defined and web_security_context_enabled | bool %}
securityContext:
{% if web_security_context_privileged is defined %}
privileged: {{ web_security_context_privileged }}
{% endif %}
{% endif %}
image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}"
imagePullPolicy: Always
ports:
- containerPort: 8052
{% if ca_trust_dir is defined %}
env:
- name: REQUESTS_CA_BUNDLE
value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
{% endif %}
volumeMounts:
{% if postgres_root_ca_cert is defined %}
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
mountPath: {{ ca_trust_bundle }}
subPath: {{ postgres_root_ca_filename }}
readOnly: true
{% endif %}
- name: supervisor-socket
mountPath: "/var/run/supervisor"
- name: rsyslog-socket
mountPath: "/var/run/awx-rsyslog"
- name: rsyslog-dir
mountPath: "/var/lib/awx/rsyslog"
{% if ca_trust_dir is defined %}
- name: {{ kubernetes_deployment_name }}-ca-trust-dir
mountPath: "{{ ca_trust_dir }}"
readOnly: true
{% endif %}
{% if project_data_dir is defined %}
- name: {{ kubernetes_deployment_name }}-project-data-dir
mountPath: "/var/lib/awx/projects"
readOnly: false
{% endif %}
{% if custom_venvs is defined %}
- name: custom-venvs
mountPath: {{ custom_venvs_path }}
{% endif %}
- name: {{ kubernetes_deployment_name }}-application-config
mountPath: "/etc/tower/settings.py"
subPath: settings.py
readOnly: true
- name: {{ kubernetes_deployment_name }}-nginx-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
- name: "{{ kubernetes_deployment_name }}-application-credentials"
mountPath: "/etc/tower/conf.d/"
readOnly: true
- name: {{ kubernetes_deployment_name }}-launch-awx-web
mountPath: "/usr/bin/launch_awx.sh"
subPath: "launch_awx.sh"
readOnly: true
- name: {{ kubernetes_deployment_name }}-launch-awx-task
mountPath: "/usr/bin/launch_awx_task.sh"
subPath: "launch_awx_task.sh"
readOnly: true
- name: {{ kubernetes_deployment_name }}-supervisor-web-config
mountPath: "/etc/supervisord.conf"
subPath: supervisor.conf
readOnly: true
- name: {{ kubernetes_deployment_name }}-supervisor-task-config
mountPath: "/etc/supervisord_task.conf"
subPath: supervisor_task.conf
readOnly: true
- name: {{ kubernetes_deployment_name }}-secret-key
mountPath: "/etc/tower/SECRET_KEY"
subPath: SECRET_KEY
readOnly: true
- name: {{ kubernetes_deployment_name }}-redis-socket
mountPath: "/var/run/redis"
resources:
requests:
memory: "{{ web_mem_request }}Gi"
cpu: "{{ web_cpu_request }}m"
{% if web_mem_limit is defined or web_cpu_limit is defined %}
limits:
{% endif %}
{% if web_mem_limit is defined %}
memory: "{{ web_mem_limit }}Gi"
{% endif %}
{% if web_cpu_limit is defined %}
cpu: "{{ web_cpu_limit }}m"
{% endif %}
- name: {{ kubernetes_deployment_name }}-task
{% if task_security_context_enabled is defined and task_security_context_enabled | bool %}
securityContext:
{% if task_security_context_privileged is defined %}
privileged: {{ task_security_context_privileged }}
{% endif %}
{% endif %}
image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}"
command:
- /usr/bin/launch_awx_task.sh
imagePullPolicy: Always
volumeMounts:
{% if postgres_root_ca_cert is defined %}
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
mountPath: {{ ca_trust_bundle }}
subPath: {{ postgres_root_ca_filename }}
readOnly: true
{% endif %}
- name: supervisor-socket
mountPath: "/var/run/supervisor"
- name: rsyslog-socket
mountPath: "/var/run/awx-rsyslog"
- name: rsyslog-dir
mountPath: "/var/lib/awx/rsyslog"
{% if ca_trust_dir is defined %}
- name: {{ kubernetes_deployment_name }}-ca-trust-dir
mountPath: "{{ ca_trust_dir }}"
readOnly: true
{% endif %}
{% if custom_venvs is defined %}
- name: custom-venvs
mountPath: {{ custom_venvs_path }}
{% endif %}
- name: {{ kubernetes_deployment_name }}-application-config
mountPath: "/etc/tower/settings.py"
subPath: settings.py
readOnly: true
- name: "{{ kubernetes_deployment_name }}-application-credentials"
mountPath: "/etc/tower/conf.d/"
readOnly: true
- name: {{ kubernetes_deployment_name }}-launch-awx-web
mountPath: "/usr/bin/launch_awx.sh"
subPath: "launch_awx.sh"
readOnly: true
- name: {{ kubernetes_deployment_name }}-launch-awx-task
mountPath: "/usr/bin/launch_awx_task.sh"
subPath: "launch_awx_task.sh"
readOnly: true
- name: {{ kubernetes_deployment_name }}-supervisor-web-config
mountPath: "/etc/supervisord.conf"
subPath: supervisor.conf
readOnly: true
- name: {{ kubernetes_deployment_name }}-supervisor-task-config
mountPath: "/etc/supervisord_task.conf"
subPath: supervisor_task.conf
readOnly: true
- name: {{ kubernetes_deployment_name }}-secret-key
mountPath: "/etc/tower/SECRET_KEY"
subPath: SECRET_KEY
readOnly: true
- name: {{ kubernetes_deployment_name }}-redis-socket
mountPath: "/var/run/redis"
env:
- name: SUPERVISOR_WEB_CONFIG_PATH
value: "/etc/supervisord.conf"
- name: AWX_SKIP_MIGRATIONS
value: "1"
- name: MY_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{% if ca_trust_dir is defined %}
- name: REQUESTS_CA_BUNDLE
value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
{% endif %}
resources:
requests:
memory: "{{ task_mem_request }}Gi"
cpu: "{{ task_cpu_request }}m"
{% if task_mem_limit is defined or task_cpu_limit is defined %}
limits:
{% endif %}
{% if task_mem_limit is defined %}
memory: "{{ task_mem_limit }}Gi"
{% endif %}
{% if task_cpu_limit is defined %}
cpu: "{{ task_cpu_limit }}m"
{% endif %}
- name: {{ kubernetes_deployment_name }}-redis
{% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %}
securityContext:
{% if redis_security_context_privileged is defined %}
privileged: {{ redis_security_context_privileged }}
{% endif %}
{% if redis_security_context_user is defined %}
runAsUser: {{ redis_security_context_user }}
{% endif %}
{% endif %}
image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }}
imagePullPolicy: Always
args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"]
volumeMounts:
- name: {{ kubernetes_deployment_name }}-redis-config
mountPath: "{{ kubernetes_redis_config_mount_path }}"
subPath: redis.conf
readOnly: true
- name: {{ kubernetes_deployment_name }}-redis-socket
mountPath: "/var/run/redis"
resources:
requests:
memory: "{{ redis_mem_request }}Gi"
cpu: "{{ redis_cpu_request }}m"
{% if redis_mem_limit is defined or redis_cpu_limit is defined %}
limits:
{% endif %}
{% if redis_mem_limit is defined %}
memory: "{{ redis_mem_limit }}Gi"
{% endif %}
{% if redis_cpu_limit is defined %}
cpu: "{{ redis_cpu_limit }}m"
{% endif %}
{% if tolerations is defined %}
tolerations:
{{ tolerations | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
{% endif %}
{% if node_selector is defined %}
nodeSelector:
{{ node_selector | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
{% endif %}
{% if affinity is defined %}
affinity:
{{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
{% endif %}
volumes:
{% if postgres_root_ca_cert is defined %}
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
configMap:
name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
items:
- key: postgres_root_ca.crt
path: postgres_root_ca.crt
{% endif %}
- name: supervisor-socket
emptyDir: {}
- name: rsyslog-socket
emptyDir: {}
- name: rsyslog-dir
emptyDir: {}
{% if ca_trust_dir is defined %}
- name: {{ kubernetes_deployment_name }}-ca-trust-dir
hostPath:
path: "{{ ca_trust_dir }}"
type: Directory
{% endif %}
{% if project_data_dir is defined %}
- name: {{ kubernetes_deployment_name }}-project-data-dir
hostPath:
path: "{{ project_data_dir }}"
type: Directory
{% endif %}
{% if custom_venvs is defined %}
- name: custom-venvs
emptyDir: {}
{% endif %}
- name: {{ kubernetes_deployment_name }}-application-config
configMap:
name: {{ kubernetes_deployment_name }}-config
items:
- key: {{ kubernetes_deployment_name }}_settings
path: settings.py
- name: {{ kubernetes_deployment_name }}-nginx-config
configMap:
name: {{ kubernetes_deployment_name }}-config
items:
- key: {{ kubernetes_deployment_name }}_nginx_conf
path: nginx.conf
- name: {{ kubernetes_deployment_name }}-redis-config
configMap:
name: {{ kubernetes_deployment_name }}-config
items:
- key: {{ kubernetes_deployment_name }}_redis_conf
path: redis.conf
- name: "{{ kubernetes_deployment_name }}-application-credentials"
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: credentials_py
path: 'credentials.py'
- key: environment_sh
path: 'environment.sh'
- name: {{ kubernetes_deployment_name }}-launch-awx-web
configMap:
name: {{ kubernetes_deployment_name }}-launch-awx
items:
- key: launch-awx-web
path: 'launch_awx.sh'
defaultMode: 0755
- name: {{ kubernetes_deployment_name }}-launch-awx-task
configMap:
name: {{ kubernetes_deployment_name }}-launch-awx
items:
- key: launch-awx-task
path: 'launch_awx_task.sh'
defaultMode: 0755
- name: {{ kubernetes_deployment_name }}-supervisor-web-config
configMap:
name: {{ kubernetes_deployment_name }}-supervisor-config
items:
- key: supervisor-web-config
path: 'supervisor.conf'
- name: {{ kubernetes_deployment_name }}-supervisor-task-config
configMap:
name: {{ kubernetes_deployment_name }}-supervisor-config
items:
- key: supervisor-task-config
path: 'supervisor_task.conf'
- name: {{ kubernetes_deployment_name }}-secret-key
secret:
secretName: "{{ kubernetes_deployment_name }}-secrets"
items:
- key: secret_key
path: SECRET_KEY
- name: {{ kubernetes_deployment_name }}-redis-socket
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: {{ kubernetes_deployment_name }}-web-svc
namespace: {{ kubernetes_namespace }}
labels:
name: {{ kubernetes_deployment_name }}-web-svc
spec:
type: {{ kubernetes_web_svc_type }}
ports:
- name: http
port: 80
{% if kubernetes_web_svc_type == "ClusterIP" %}
nodePort: null
{% endif %}
targetPort: 8052
selector:
name: {{ kubernetes_deployment_name }}-web-deploy
{% if kubernetes_context is defined %}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ kubernetes_deployment_name }}-web-svc
namespace: {{ kubernetes_namespace }}
{% if kubernetes_ingress_annotations is defined %}
annotations:
{% for key, value in kubernetes_ingress_annotations.items() %}
{{ key }}: {{ value }}
{% endfor %}
{% endif %}
spec:
{% if kubernetes_ingress_hostname is defined %}
{% if kubernetes_ingress_tls_secret is defined %}
tls:
- hosts:
- {{ kubernetes_ingress_hostname }}
secretName: {{ kubernetes_ingress_tls_secret }}
{% endif %}
rules:
- host: {{ kubernetes_ingress_hostname }}
http:
paths:
- path: /
backend:
serviceName: {{ kubernetes_deployment_name }}-web-svc
servicePort: 80
{% else %}
spec:
backend:
serviceName: {{ kubernetes_deployment_name }}-web-svc
servicePort: 80
{% endif %}
{% endif %}
{% if openshift_host is defined %}
---
apiVersion: v1
kind: Route
metadata:
name: {{ kubernetes_deployment_name }}-web-svc
namespace: {{ kubernetes_namespace }}
spec:
port:
targetPort: http
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: {{ kubernetes_deployment_name }}-web-svc
weight: 100
wildcardPolicy: None
{% endif %}
Reference in New Issue View Git Blame Copy Permalink