Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Bundle CA Cert volumeMount to migrations job pod #1800

Open
wants to merge 1 commit into
base: devel
Choose a base branch
from
Open

Add Bundle CA Cert volumeMount to migrations job pod #1800

wants to merge 1 commit into from

Conversation

rooftopcellist
Copy link
Member

SUMMARY

Fixes: #1782

The bundle ca cert needed to be mounted into the k8s migration job pod for ssl support.

ISSUE TYPE
  • Bug, Docs Fix or other nominal change

@rooftopcellist rooftopcellist mentioned this pull request Mar 28, 2024
Open
3 tasks
@akkaba23
Copy link

akkaba23 commented Apr 2, 2024
edited

I think the init container part is still missing

kind: Job
metadata:
  name: '{{ ansible_operator_meta.name }}-migration-{{ version }}'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    {{ lookup("template", "../common/templates/labels/common.yaml.j2")  | indent(width=4) | trim }}
    {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=4) | trim }}
spec:
  template:
    spec:
{% if bundle_ca_crt %}
      initContainers:
        - name: init
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
              update-ca-trust
          volumeMounts:
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
            - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
              subPath: bundle-ca.crt
              readOnly: true
{% endif %}
      containers:
        - name: "migration-job"
          image: '{{ _image }}'
          command:
            - awx-manage
            - migrate
            - --noinput
          volumeMounts:
            - name: {{ ansible_operator_meta.name }}-application-credentials
              mountPath: "/etc/tower/conf.d/credentials.py"
              subPath: credentials.py
              readOnly: true
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-settings
              mountPath: "/etc/tower/settings.py"
              subPath: settings.py
              readOnly: true
{% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
            - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
              subPath: bundle-ca.crt
              readOnly: true
{% endif %}
{% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
{% endif %}
      serviceAccountName: '{{ ansible_operator_meta.name }}'
{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
{% elif image_pull_secrets | length > 0 %}
      imagePullSecrets:
{% for secret in image_pull_secrets %}
        - name: {{ secret }}
{% endfor %}
{% endif %}
      volumes:
        - name: "{{ ansible_operator_meta.name }}-application-credentials"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-app-credentials"
            items:
              - key: credentials.py
                path: 'credentials.py'
              - key: ldap.py
                path: 'ldap.py'
              - key: execution_environments.py
                path: 'execution_environments.py'
        - name: "{{ secret_key_secret_name }}"
          secret:
            secretName: '{{ secret_key_secret_name }}'
            items:
              - key: secret_key
                path: SECRET_KEY
        - name: {{ ansible_operator_meta.name }}-settings
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: settings
                path: settings.py
{% if bundle_ca_crt %}
        - name: "ca-trust-extracted"
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
          secret:
            secretName: "{{ bundle_cacert_secret }}"
            items:
              - key: bundle-ca.crt
                path: 'bundle-ca.crt'
{% endif %}
{% if development_mode | bool %}
        - name: awx-devel
          hostPath:
            path: /awx_devel
{% endif %}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
      terminationGracePeriodSeconds: 30```

@fosterseth
Copy link
Member

I don't think we need a separate init container for this, but you are right that we are missing the command to update trust ca
@rooftopcellist does that sound right?

@JoelKle JoelKle mentioned this pull request Apr 30, 2024
Open
@JoelKle
Copy link
Contributor

JoelKle commented Apr 30, 2024

@rooftopcellist @fosterseth
I tried to open a new PR #1846 to fix this problem. Now also with a new init container that runs the update-ca-trust command.
Solved all migration problems with a custom CA in my environment.
Maybe it's helpful?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fosterseth fosterseth Awaiting requested review from fosterseth

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWX database migration job fail when using custom CA certificate
4 participants
@rooftopcellist @akkaba23 @fosterseth @JoelKle