Open mitnicki opened 1 year ago
skipreceptornamescheck is only for when the receptor service starts up. When connections are made, it will still do receptor name checking, even if this option is True.
Hello Seth,
thanks for clarifying things.
Okay, is there a possibility to disable TLS name checking? Or to use a wildcard for the receptor nodes?
It would be a great feature when it comes to rollouts of multiple receptor nodes into different environments with the same image.
It would also be great if you could advise me on some hack into the receptor container to disable that behavior.
From: Seth Foster. Sent: Wednesday, September 6, 2023 7:18:23 PM. To: ansible/awx-operator. Cc: mitnicki. Subject: Re: [ansible/awx-operator] Give ability to use skipreceptornamescheck (Issue #1551)
I think the only way around this is to disable TLS at the receptor level.
It would require a handful of changes:
- tls: tls_server under control-service
- skipreceptornamescheck on the tls_client and tls_server entries on the remote receptor.conf to prevent name checking at startup

diff --git a/awx/main/tasks/receptor.py b/awx/main/tasks/receptor.py
index 32c8e325ad..76ce238a51 100644
--- a/awx/main/tasks/receptor.py
+++ b/awx/main/tasks/receptor.py
@@ -169,8 +169,9 @@ def run_until_complete(node, timing_data=None, **kwargs):
config_data = read_receptor_config()
receptor_ctl = get_receptor_ctl(config_data)
- use_stream_tls = getattr(get_conn_type(node, receptor_ctl), 'name', None) == "STREAMTLS"
- kwargs.setdefault('tlsclient', get_tls_client(config_data, use_stream_tls))
+ if settings.RECEPTOR_WORK_SUBMIT_USE_TLS:
+ use_stream_tls = getattr(get_conn_type(node, receptor_ctl), 'name', None) == "STREAMTLS"
+ kwargs.setdefault('tlsclient', get_tls_client(config_data, use_stream_tls))
kwargs.setdefault('ttl', '20s')
kwargs.setdefault('payload', '')
if work_signing_enabled(config_data):
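Review bot: with `RECEPTOR_WORK_SUBMIT_USE_TLS` set to False, `tlsclient` is no longer placed in kwargs at all, so the work submission goes over the control socket with no TLS client configuration; that removes encryption and peer verification for the submission, not only the node-name check that the setting's comment describes. Suggest logging at warning level in the False path so a disabled setting is visible to operators, and confirm that `settings` is imported in this module, since the hunk does not show the import.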
@@ -335,8 +336,9 @@ class AWXReceptorJob:
work_submit_kw = dict(worktype=self.work_type, params=self.receptor_params, signwork=self.sign_work)
if self.work_type == 'ansible-runner':
work_submit_kw['node'] = self.task.instance.execution_node
- use_stream_tls = get_conn_type(work_submit_kw['node'], receptor_ctl).name == "STREAMTLS"
- work_submit_kw['tlsclient'] = get_tls_client(self.config_data, use_stream_tls)
+ if settings.RECEPTOR_WORK_SUBMIT_USE_TLS:
+ use_stream_tls = get_conn_type(work_submit_kw['node'], receptor_ctl).name == "STREAMTLS"
+ work_submit_kw['tlsclient'] = get_tls_client(self.config_data, use_stream_tls)
with concurrent.futures.ThreadPoolExecutor(max_workers=1) as executor:
transmitter_future = executor.submit(self.transmit, sockin)
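Review bot: this repeats the guard from `run_until_complete`, but here `get_conn_type(...).name` is read directly while the first hunk uses `getattr(..., 'name', None)`, so a None return raises AttributeError in this path only. Factor the setting check plus the STREAMTLS lookup into one helper used by both call sites, so the None handling and the TLS decision cannot drift apart.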
@@ -705,6 +707,7 @@ def generate_config_data():
for instance in instances:
peer = {'tcp-peer': {'address': f'{instance.hostname}:{instance.listener_port}', 'tls': 'tlsclient'}}
receptor_config.append(peer)
+
should_update = should_update_config(instances)
return receptor_config, should_update
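Review bot: the only change in this hunk is an added blank line before `should_update = should_update_config(instances)`; it is unrelated to the new setting and can be dropped to keep the diff focused. Note also that the `tcp-peer` entries generated here keep `'tls': 'tlsclient'`, so node-to-node peer links stay on TLS regardless of `RECEPTOR_WORK_SUBMIT_USE_TLS`; the setting's comment should state that its scope is work submission only.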
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 19a83cdbcc..b52907842e 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -967,6 +967,11 @@ RECEPTOR_RELEASE_WORK = True
# K8S only. Use receptor_log_level on AWX spec to set this properly
RECEPTOR_LOG_LEVEL = 'info'
+# Use TLS when submitting work receptor
+# Only disable if you need to prevent receptor node ID
+# verification for virtual receptor-level connections
+RECEPTOR_WORK_SUBMIT_USE_TLS = True
+
MIDDLEWARE = [
'django_guid.middleware.guid_middleware',
'awx.main.middleware.SettingsCacheMiddleware',
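Review bot: the comment is missing a word (`submitting work receptor`); make it `Use TLS when submitting work to receptor`. The guidance on the next two lines also understates the effect: per the receptor.py hunks above, False drops the `tlsclient` argument entirely, so work submission loses TLS altogether rather than only skipping node ID verification. State that plainly in the comment, and consider a startup warning when the value is False so the weakened posture shows up in logs.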
You would then set RECEPTOR_WORK_SUBMIT_USE_TLS to False.
If you hack this up and get it working, let me know.
Please confirm the following
Feature Summary
It would be great if you could give us the ability to use skipreceptornamescheck as an option for remote execution nodes (instances).
Use case: we need to roll out multiple instances with just one certificate for encryption.
If there is a better solution for now, or if this can be handled differently, please tell me.