bundle-ca.crt missing from automation-job worker container

[andrin55]

ISSUE TYPE

• Bug Report

SUMMARY

bundle-ca.crt is missing from /etc/pki/ca-trust/source/anchors/ in automation-job worker container. Therefore custom certificates are missing for the ansible modules. Custom certificates are working for the LDAP logon and GIT clone on AWX WebUI but not working using git module in a playbook task delegated to localhost.

ENVIRONMENT

• AWX version: AWX 19.2.2
• Operator version: 0.12.0
• Kubernetes version: 1.21.3
• AWX install method: microk8s

STEPS TO REPRODUCE

Add custom certificates: kubectl create secret generic awx-custom-certs --from-file=ldap-ca.crt=/root/example-ldap.crt --from-file=bundle-ca.crt=/root/example-ca-bundle.crt

Specify the certificates in the awx definition:

spec:
  ldap_cacert_secret: awx-custom-certs
  bundle_cacert_secret: awx-custom-certs

Check installed ca bundles via locally run ansible task within a playbook:

- name: "Local: check ca bundle"
  ansible.builtin.shell: 'trust list'
  run_once: true
  delegate_to: localhost

EXPECTED RESULTS

Custom installed certificate should be listed in stdout.

ACTUAL RESULTS

Custom certificates are missing.

ADDITIONAL INFORMATION

Custom certificates are present in all other AWX containers:

root@hostname:~ # kubectl exec -it awx-6cd9d957f4-zq44g -c awx-task -- bash
bash-4.4$ ls /etc/pki/ca-trust/source/anchors/
bundle-ca.crt
bash-4.4$ 

Whereas in the automation job worker container, the file is missing:

root@hostname:~ # kubectl exec -it automation-job-2263-wlcfd -- bash
bash-4.4$ ls /etc/pki/ca-trust/source/anchors/
bash-4.4$ 

[lumarel]

I'm also experiencing this with:

AWX version: 19.3.0
Operator version: 0.13.0

My current workaround is to create a custom EE where the certificate gets imported, but if this would work like with the core containers, this would help a lot!

[wenottingham]

https://github.com/ansible/awx/issues/10787