Closed tylerauerbeck closed 4 years ago
@geerlingguy This looks to be passing initial tests and I'm able to verify that everything is up and running on my OpenShift cluster. Let me know if there's anything you would like to see before we call this one complete.
@tylerauerbeck - Just checking in — I'm eager to get this merged (even though it may be a slightly breaking change for existing users), and hopefully make life in OCP clusters a little easier. Would you have time in the next couple weeks to work on these final tweaks?
@geerlingguy Yepp, sorry for the delay. Just freeing up from a few other things this week. Should hopefully be able to get to this today/this weekend. I'll get those changes pushed and drop you a message here when it's ready.
@geerlingguy So after taking a look back at this, I think I may have gotten a bit ahead of myself. We don't actually have to mess around with the `AWX_PROOT_ENABLED` flag at all. The issue deals strictly with the `privileged: true` security context for the task deployment. So for now, I'm going to revert things back to what they're set to now for `AWX_PROOT_ENABLED` and just have a setting for `tower_task_privileged`, which would then allow you to set the task to run as privileged if necessary (as it runs fine with my sample tests without it). Then I'll add to the docs for how you can go about enabling that and the concerns that go along with it.
On a side note, currently `AWX_PROOT_ENABLED` is set to false by default (and with the official installer it is set to true). I can see situations where you would probably want to either have that enabled or disabled, but I think this is probably suited better for a followup PR. Just wanted to leave something here so we don't forget about it.
@geerlingguy I think this is in pretty good shape now. Let me know if there's anything else you'd like to see before merging.
Sounds good!
I would be interested to try this out.
@geerlingguy Is there anything else needed here before merging?
@tylerauerbeck - Just a nudge from you! I want to bump the Tower version as well before building a new image version, but I hope to do that early next week.
Resolves #15

This PR makes some small changes that allow for an easy deployment on OpenShift:

In tower role defaults:
- `tower_postgres_data_path` and set it to `/var/lib/postgresql/data/pgdata`
- `tower_ingress_type` variable to allow specifying either ingress or route. Defaults to ingress to maintain current functionality
- `tower_multitenant` variable to allow enabling/disabling bubblewrap functionality (i.e. enabling/disabling `AWX_PROOT_ENABLED` in settings.py found in the configmap). Older 3.X documents seem to point to disabling this via this variable (https://docs.ansible.com/ansible-tower/3.1.3/html/administration/proot_func_variables.html), but it seems to have disappeared from the 3.6.3 documentation. May just be an oversight as I still see it in use here. Setting this to false disables bubblewrap and removes the `privileged: true` securityContext from the `task` pod. Setting it to true sets this variable to `TRUE` and then enables this securityContext. Would be good to mention in the README that enabling this would then require adding an SCC in order to run on OpenShift.

In `tower_postgres.yaml.j2`:
- `PGDATA` env variable and default it to `tower_postgres_data_path`.
- `tower_postgres_data_path`. Now the mountPath is set to the parent directory of this variable (i.e. `/var/lib/postgresql/data`) which had been the default path before and the `subPath` is now set to the name of the directory

In `tower_web.yaml.j2`:
- `tower_ingress_type` is set to ingress, it will create an ingress object
- `tower_ingress_type` is set to route, it will create a route object
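An added example (not the project's own code) that checks rendered Tower manifests for the two points this PR touches: whether the task container ends up with `privileged: true` (which on OpenShift means an SCC is required) and whether `PGDATA` resolves to `mountPath/subPath` of the PostgreSQL volume. The manifest dicts are constructed stand-ins, not the role's templates.

```python
import posixpath


def privileged_containers(deployment):
    """Names of containers (incl. initContainers) with securityContext.privileged: true."""
    pod = deployment["spec"]["template"]["spec"]
    return [c["name"] for c in pod.get("containers", []) + pod.get("initContainers", [])
            if c.get("securityContext", {}).get("privileged") is True]


def pgdata_mount_issues(workload):
    """Check that PGDATA == mountPath/subPath for every container that sets PGDATA."""
    issues = []
    for c in workload["spec"]["template"]["spec"]["containers"]:
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        pgdata = env.get("PGDATA")
        if pgdata is None:
            continue
        mounts = {m["mountPath"]: m for m in c.get("volumeMounts", [])}
        mount = mounts.get(posixpath.dirname(pgdata))
        if mount is None:
            issues.append(f"{c['name']}: no volumeMount at parent of PGDATA {pgdata}")
        elif mount.get("subPath") != posixpath.basename(pgdata):
            issues.append(f"{c['name']}: subPath {mount.get('subPath')!r} does not match "
                          f"basename of PGDATA {pgdata}")
    return issues


def task_deployment(privileged):
    """Constructed stand-in for the rendered task Deployment (hypothetical, not the real template)."""
    ctx = {"privileged": True} if privileged else {}
    return {"spec": {"template": {"spec": {"containers": [
        {"name": "task", "image": "example/awx_task", "securityContext": ctx}]}}}}


def postgres_statefulset(sub_path):
    """Constructed stand-in for tower_postgres.yaml.j2 output with PGDATA under the mount."""
    mount = {"name": "postgres-data", "mountPath": "/var/lib/postgresql/data"}
    if sub_path is not None:
        mount["subPath"] = sub_path
    return {"spec": {"template": {"spec": {"containers": [
        {"name": "postgres", "image": "example/postgres",
         "env": [{"name": "PGDATA", "value": "/var/lib/postgresql/data/pgdata"}],
         "volumeMounts": [mount]}]}}}}


if __name__ == "__main__":
    for priv in (False, True):
        print(f"tower_task_privileged={priv}:", privileged_containers(task_deployment(priv)))
    print("correct subPath:", pgdata_mount_issues(postgres_statefulset("pgdata")))
    print("missing subPath:", pgdata_mount_issues(postgres_statefulset(None)))
```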