awx-web to use https using NodePort and SSL

[hairishhanda]

Please confirm the following

• [X] I agree to follow this project's code of conduct.
• [X] I have checked the current issues for duplicates.
• [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

Document Refrence - https://github.com/ansible/awx-operator/blob/devel/docs/user-guide/network-and-tls-configuration.md

There is not option to enable SSL for while using NodePort.

Select the relevant components

• [ ] UI
• [ ] API
• [ ] Docs
• [ ] Collection
• [ ] CLI
• [ ] Other

Steps to reproduce

apiVersion: v1 kind: Service metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/operator-version":"2.1.0","app.kubernetes.io/part-of":"awx"},"name":"awx-service","namespace":"awx"},"spec":{"ports":[{"name":"http","nodePort":30080,"port":80,"protocol":"TCP","targetPort":8052}],"selector":{"app.kubernetes.io/component":"awx","app.kubernetes.io/managed-by":"awx-operator","app.kubernetes.io/name":"awx-web"},"type":"NodePort"}}' labels: app.kubernetes.io/component: awx app.kubernetes.io/managed-by: awx-operator app.kubernetes.io/operator-version: 2.1.0 app.kubernetes.io/part-of: awx name: awx-service namespace: awx ownerReferences:

• apiVersion: awx.ansible.com/v1beta1 kind: AWX name: awx uid: 2affd367-98df-4c95-b973-d767e31ab7db resourceVersion: "1022059" uid: 5ed4466d-259b-4f95-92b8-c6c42e5ecb78 spec: clusterIP: 10.109.69.30 clusterIPs:
• 10.109.69.30 externalTrafficPolicy: Cluster internalTrafficPolicy: Cluster ipFamilies:
• IPv4 ipFamilyPolicy: SingleStack ports:
• name: http nodePort: 30080 port: 80 protocol: TCP targetPort: 8052 selector: app.kubernetes.io/component: awx app.kubernetes.io/managed-by: awx-operator app.kubernetes.io/name: awx-web sessionAffinity: None type: NodePort status: loadBalancer: {}

Current results

ports:

• name: http nodePort: 30080 port: 80 protocol: TCP targetPort: 8052 selector: app.kubernetes.io/component: awx app.kubernetes.io/managed-by: awx-operator app.kubernetes.io/name: awx-web sessionAffinity: None type: NodePort

Sugested feature result

HTTPS support with NodePort.

Additional information

No response

[fosterseth]

@rooftopcellist is there a limitation for TLS with nodeport?

[kurokobo]

Since Service is not for HTTP but for TCP/UDP, so there is no built-in feature to terminate TLS. Therefore, if we support HTTPS over NodePort, it is necessary to allow Nginx in awx-web pod to receive HTTPS directly.

[hairishhanda]

Since Service is not for HTTP but for TCP/UDP, so there is no built-in feature to terminate TLS. Therefore, if we support HTTPS over NodePort, it is necessary to allow Nginx in awx-web pod to receive HTTPS directly.

Hello, Is there any method to do this? or will it be introduced in future releases ?

[fosterseth]

@hairishhanda I added help wanted label. The best chance of this getting implemented soon is if a community member can open up a PR for it

[OndrejHome]

There is very ugly way (== that I do NOT recommend) for exposing the HTTPS from web container - modifying the nginx_conf in cm/<instance_name>-awx-configmap to use ssl on port 8052/tcp - problem is that you need to give it some certificate to work or miss-use some that is around if you don't care about security but just ability to use HTTPS.

Better approach is really a change in awx-operator. I have created the PR #1688 that is doing exactly that, so feel free to have a look if that would fit your use case. It works for me - my goal being need to use awx.awx ansible modules that insists on HTTPS.