Add custom root ca certificate via configmap
Signed-off-by: Brant Evans <bevans@redhat.com>
This commit is contained in:
parent
31cd36b768
commit
512da5a01c
@ -91,6 +91,12 @@ pg_database=awx
|
||||
pg_port=5432
|
||||
#pg_sslmode=require
|
||||
|
||||
# If requiring SSL communication (e.g. pg_sslmode='verify-full') with Postgres
|
||||
# and using a self-signed certificate or a certificate signed by a custom CA
|
||||
# set pg_root_ca_file to a file containing the self-signed certificate or the
|
||||
# root CA certificate chain.
|
||||
# pg_root_ca_file='example_root_ca.crt'
|
||||
|
||||
# The following variable is only required when using the provided
|
||||
# containerized postgres deployment on OpenShift
|
||||
# pg_admin_password=postgrespass
|
||||
|
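Review bot: The new comment block does not say where `pg_root_ca_file` is resolved; the playbook reads it with `lookup('file', pg_root_ca_file)`, which opens the path on the Ansible control host rather than on the cluster or inside the container, so a reader may point it at a file that only exists on the target. Suggest adding `# The path is read on the machine running the playbook.` above the `# pg_root_ca_file=` example. The contents are copied verbatim into a ConfigMap text field, so presumably a PEM-encoded certificate (or chain) is expected; stating that in the comment would prevent someone supplying a DER file.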
@ -201,6 +201,34 @@
|
||||
set_fact:
|
||||
kubernetes_deployment_api_version: "{{ 'apps/v1' if kube_api_version is version('1.9', '>=') else 'apps/v1beta1' }}"
|
||||
|
||||
- name: Use Custom Root CA file for PosgtreSQL SSL communication
|
||||
block:
|
||||
- name: Get Root CA file contents
|
||||
set_fact:
|
||||
postgres_root_ca_cert: "{{ lookup('file', pg_root_ca_file) }}"
|
||||
no_log: true
|
||||
|
||||
- name: Render Root CA template
|
||||
set_fact:
|
||||
postgres_root_ca: "{{ lookup('template', 'postgres_root_ca.yml.j2') }}"
|
||||
no_log: true
|
||||
|
||||
- name: Apply Root CA template
|
||||
shell: |
|
||||
echo {{ postgres_root_ca | quote }} | {{ kubectl_or_oc }} apply -f -
|
||||
no_log: true
|
||||
|
||||
- name: Set Root CA file name
|
||||
set_fact:
|
||||
postgres_root_ca_filename: 'postgres_root_ca.crt'
|
||||
|
||||
- name: Set Root CA file location
|
||||
set_fact:
|
||||
ca_trust_bundle: '/etc/tower/{{ postgres_root_ca_filename }}'
|
||||
when:
|
||||
- pg_root_ca_file is defined
|
||||
- pg_root_ca_file != ''
|
||||
|
||||
- name: Render deployment templates
|
||||
set_fact:
|
||||
"{{ item }}": "{{ lookup('template', item + '.yml.j2') }}"
|
||||
|
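Review bot: The `Apply Root CA template` task pipes the rendered manifest through `echo` in a `shell:` step and hides the result with `no_log: true`, so a failed `apply` (bad kubeconfig, wrong namespace, malformed manifest) leaves no usable error output, while the value being hidden is a public CA certificate rather than a secret. The `command` module can feed the manifest on stdin without a shell: `command: "{{ kubectl_or_oc }} apply -f -"` with `args: { stdin: "{{ postgres_root_ca }}" }`, and `no_log` can then be dropped from this task. The `Set Root CA file location` task overwrites `ca_trust_bundle`; if that variable is already user-settable elsewhere in the role (the template hunk below references an existing `tls-ca-bundle.pem` value), the override would silently replace it whenever `pg_root_ca_file` is set, which deserves a comment on that task. The block's task name also reads `PosgtreSQL`.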
@ -171,6 +171,12 @@ spec:
|
||||
value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
||||
{% endif %}
|
||||
volumeMounts:
|
||||
{% if postgres_root_ca_cert is defined %}
|
||||
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
mountPath: {{ ca_trust_bundle }}
|
||||
subPath: {{ postgres_root_ca_filename }}
|
||||
readOnly: true
|
||||
{% endif %}
|
||||
- name: supervisor-socket
|
||||
mountPath: "/var/run/supervisor"
|
||||
- name: rsyslog-socket
|
||||
@ -258,6 +264,12 @@ spec:
|
||||
- /usr/bin/launch_awx_task.sh
|
||||
imagePullPolicy: Always
|
||||
volumeMounts:
|
||||
{% if postgres_root_ca_cert is defined %}
|
||||
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
mountPath: {{ ca_trust_bundle }}
|
||||
subPath: {{ postgres_root_ca_filename }}
|
||||
readOnly: true
|
||||
{% endif %}
|
||||
- name: supervisor-socket
|
||||
mountPath: "/var/run/supervisor"
|
||||
- name: rsyslog-socket
|
||||
@ -386,6 +398,14 @@ spec:
|
||||
{{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
|
||||
{% endif %}
|
||||
volumes:
|
||||
{% if postgres_root_ca_cert is defined %}
|
||||
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
configMap:
|
||||
name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
items:
|
||||
- key: postgres_root_ca.crt
|
||||
path: postgres_root_ca.crt
|
||||
{% endif %}
|
||||
- name: supervisor-socket
|
||||
emptyDir: {}
|
||||
- name: rsyslog-socket
|
||||
|
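Review bot: In the `volumes` hunk the ConfigMap `items` entry hardcodes `key: postgres_root_ca.crt` and `path: postgres_root_ca.crt`, while the matching `volumeMounts` use `subPath: {{ postgres_root_ca_filename }}`; the two only agree because the playbook currently sets `postgres_root_ca_filename: 'postgres_root_ca.crt'`, and changing that fact would leave the `subPath` pointing at a projected path that does not exist. Use the same variable in both places, `- key: {{ postgres_root_ca_filename }}` and `path: {{ postgres_root_ca_filename }}`, and likewise for the `data:` key in the new ConfigMap template. The same hardcoded pair appears in the second template's `volumes` hunk further down. Because the certificate is mounted with `subPath`, the kubelet will not refresh the file when the ConfigMap changes, so a comment such as `# subPath mount: an updated CA only takes effect after a pod restart` above the mount would save an operator some debugging. The mount stanza is repeated verbatim in both containers' `volumeMounts` hunks; a Jinja macro would remove the duplication, though that is a style point.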
@ -25,7 +25,12 @@ spec:
|
||||
mountPath: "/etc/tower/settings.py"
|
||||
subPath: settings.py
|
||||
readOnly: true
|
||||
|
||||
{% if postgres_root_ca_cert is defined %}
|
||||
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
mountPath: {{ ca_trust_bundle }}
|
||||
subPath: {{ postgres_root_ca_filename }}
|
||||
readOnly: true
|
||||
{% endif %}
|
||||
- name: "{{ kubernetes_deployment_name }}-application-credentials"
|
||||
mountPath: "/etc/tower/conf.d/"
|
||||
readOnly: true
|
||||
@ -70,7 +75,14 @@ spec:
|
||||
items:
|
||||
- key: {{ kubernetes_deployment_name }}_settings
|
||||
path: settings.py
|
||||
|
||||
{% if postgres_root_ca_cert is defined %}
|
||||
- name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
configMap:
|
||||
name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
items:
|
||||
- key: postgres_root_ca.crt
|
||||
path: postgres_root_ca.crt
|
||||
{% endif %}
|
||||
- name: {{ kubernetes_deployment_name }}-secret-key
|
||||
secret:
|
||||
secretName: "{{ kubernetes_deployment_name }}-secrets"
|
||||
|
@ -0,0 +1,8 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
|
||||
namespace: {{ kubernetes_namespace }}
|
||||
data:
|
||||
postgres_root_ca.crt: |
|
||||
{{ postgres_root_ca_cert | indent(width=4) }}
|