Initial OpenShift functionality #34
@geerlingguy This looks to be passing initial tests and I'm able to verify that everything is up and running on my OpenShift cluster. Let me know if there's anything you would like to see before we call this one complete.
roles/tower/defaults/main.yml
@@ -1,4 +1,7 @@ | |||
--- | |||
tower_multitenant: false |
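Review bot: `tower_multitenant: false` lands in defaults/main.yml with no comment explaining what it switches, while the PR description says it controls both `AWX_PROOT_ENABLED` in the configmap and the `privileged: true` securityContext on the task pod. Add a comment above the line stating that, and that flipping it to true requires a privileged SCC on OpenShift, so the security consequence is visible where the default is set.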
I would rather set the default to `true`, since many use cases (maybe the majority?) would have multi-tenancy as a default feature and have more than one user in the system.

Regardless, we need to document what this does (if true, it makes the tower/awx pod run with `privileged: true` and `AWX_PROOT_ENABLED` is true, and false is vice-versa), and link those docs to the Security docs page.

I do wonder why the docs for this setting were removed in 2.6.x...
I like what you mentioned earlier in #15:

> Or maybe provide a way to do both and just write up the docs that describe some of the benefits/risks of both?

Basically, default to the more secure deployment, and we can also add the "Add privileged SCC to service account" task maybe... but allow the option for those who choose to turn off that extra security layer by changing the default from `true` to `false`.
Agreed. I'll get this documented. I went with false as that actually looks like what it is set to by default right now in the configmap template. So that will be a change from how the operator runs by default today.
@tylerauerbeck - Just checking in — I'm eager to get this merged (even though it may be a slightly breaking change for existing users), and hopefully make life in OCP clusters a little easier. Would you have time in the next couple weeks to work on these final tweaks?
@geerlingguy Yepp, sorry for the delay. Just freeing up from a few other things this week. Should hopefully be able to get to this today/this weekend. I'll get those changes pushed and drop you a message here when it's ready.
@geerlingguy So after taking a look back at this, I think I may have gotten a bit ahead of myself. We don't actually have to mess around with the On a side note, currently
…r_task_privileged to README
@geerlingguy I think this is in pretty good shape now. Let me know if there's anything else you'd like to see before merging.
Sounds good!
I would be interested to try this out.
@geerlingguy Is there anything else needed here before merging?
@tylerauerbeck - Just a nudge from you! I want to bump the Tower version as well before building a new image version, but I hope to do that early next week.
Resolves #15

This PR makes some small changes that allow for an easy deployment on OpenShift:

- In tower role defaults:
  - Add `tower_postgres_data_path` and set it to `/var/lib/postgresql/data/pgdata`
  - Add `tower_ingress_type` variable to allow specifying either ingress or route. Defaults to ingress to maintain current functionality
  - Add `tower_multitenant` variable to allow enabling/disabling bubblewrap functionality (i.e. enabling/disabling `AWX_PROOT_ENABLED` in settings.py found in the configmap). Older 3.X documents seem to point to disabling this via this variable (https://docs.ansible.com/ansible-tower/3.1.3/html/administration/proot_func_variables.html), but it seems to have disappeared from the 3.6.3 documentation. May just be an oversight as I still see it in use here. Setting this to false disables bubblewrap and removes the `privileged: true` securityContext from the `task` pod. Setting it to true sets this variable to `TRUE` and then enables this securityContext. Would be good to mention in the README that enabling this would then require adding an SCC in order to run on OpenShift.
- In `tower_postgres.yaml.j2`:
  - Add `PGDATA` env variable and default it to `tower_postgres_data_path`.
  - Volume mount for `tower_postgres_data_path`: the mountPath is now set to the parent directory of this variable (i.e. `/var/lib/postgresql/data`), which had been the default path before, and the `subPath` is now set to the name of the directory
- In `tower_web.yaml.j2`:
  - If `tower_ingress_type` is set to ingress, it will create an ingress object
  - If `tower_ingress_type` is set to route, it will create a route object
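An added illustration (not the project's own templates, nor code from this PR) of how the settings described above fit together in Jinja2 templates: the task pod only carries the privileged securityContext when `tower_multitenant` is true, the configmap's settings.py follows the same variable so the two cannot drift apart, and the postgres mount uses the parent directory of `tower_postgres_data_path` with the directory name as `subPath`. The file name `tower_task.yaml.j2`, the container name, the `tower_image` variable and the `oc adm policy` command in the comment are assumptions.

```jinja
{# Added example, not the project's own template.
   Assumed variables: tower_multitenant, tower_postgres_data_path, tower_image. #}

{# --- tower_task.yaml.j2 (hypothetical file name): task pod container --- #}
containers:
  - name: tower-task
    image: "{{ tower_image }}"
    {% if tower_multitenant %}
    {# bubblewrap job isolation needs a privileged container. On OpenShift this
       only schedules after the service account holds the privileged SCC, e.g.
       "oc adm policy add-scc-to-user privileged -z <tower-sa>" (assumed name);
       grant it only when this branch is actually rendered. #}
    securityContext:
      privileged: true
    {% endif %}

{# --- configmap settings.py fragment: keep AWX_PROOT_ENABLED in step with the pod --- #}
AWX_PROOT_ENABLED = {{ tower_multitenant | bool }}

{# --- tower_postgres.yaml.j2: mount the parent dir, point PGDATA at the subdirectory --- #}
env:
  - name: PGDATA
    value: "{{ tower_postgres_data_path }}"
volumeMounts:
  - name: postgres-data
    mountPath: "{{ tower_postgres_data_path | dirname }}"   {# /var/lib/postgresql/data #}
    subPath: "{{ tower_postgres_data_path | basename }}"    {# pgdata #}
```

With `tower_multitenant: false` (the default chosen in this PR) the securityContext block is not rendered and settings.py reads `AWX_PROOT_ENABLED = False`, so no SCC grant is needed on OpenShift.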