[ansible-project] Re: Howto to deploy kerberos (krb5.conf) info during awx operator install?

2022-07-12 Thread 'Sebastian Jaekel' via Ansible Project
Hi,

Even if you get it working, this will not help. The configuration from the
containers is not related to the pod(s) launched when running a playbook.
You need to modify the default container group or create a new one. For
example, go to "Administration" -> "Instance Groups" and edit the "default"
group.
Change the spec to something like this (you may need to change the name of
the configMap in the volumes section):

apiVersion: v1
kind: Pod
metadata:
  namespace: awxop
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: 'quay.io/ansible/awx-ee:latest'
      name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
      volumeMounts:
        - name: krb5-conf
          mountPath: /etc/krb5.conf
          subPath: krb5.conf
  volumes:
    - name: krb5-conf
      configMap:
        name: awx-demo-extra-config


Regards

Sebastian
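To make the distinction in this reply concrete (the extra volume mounts in the AWX custom resource reach the web/task/ee containers of the AWX deployment, while a playbook runs in separate pods whose spec comes from the container group), here is an added example that is not part of this thread or of the AWX project: a small Python script that builds the container-group pod spec above as plain data and lints a spec before it is pasted into the instance group. The namespace awxop, the ConfigMap name awx-demo-extra-config and the image are taken from the reply; the function names are the example's own.

```python
import json

# Path libkrb5 reads inside the job pod (from the reply above).
KRB5_PATH = "/etc/krb5.conf"


def container_group_pod_spec(namespace, configmap_name,
                             image="quay.io/ansible/awx-ee:latest"):
    """Build the custom pod spec for an AWX container group.

    Same shape as the spec in the reply: the job pod mounts one key of the
    ConfigMap as /etc/krb5.conf and does not auto-mount a service-account
    token, since a job pod has no reason to talk to the Kubernetes API.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"namespace": namespace},
        "spec": {
            "serviceAccountName": "default",
            "automountServiceAccountToken": False,
            "containers": [{
                "image": image,
                "name": "worker",
                "args": ["ansible-runner", "worker",
                         "--private-data-dir=/runner"],
                "resources": {"requests": {"cpu": "250m", "memory": "100Mi"}},
                "volumeMounts": [{
                    "name": "krb5-conf",
                    "mountPath": KRB5_PATH,
                    "subPath": "krb5.conf",
                }],
            }],
            "volumes": [{
                "name": "krb5-conf",
                "configMap": {"name": configmap_name},
            }],
        },
    }


def check_krb5_mount(pod_spec, configmap_name):
    """Return a list of problems found in a container-group pod spec.

    An empty list means every container of the job pod gets /etc/krb5.conf
    from the named ConfigMap and no service-account token is auto-mounted.
    """
    problems = []
    spec = pod_spec.get("spec", {})
    volumes = {v.get("name"): v for v in spec.get("volumes", [])}

    for container in spec.get("containers", []):
        cname = container.get("name", "<unnamed>")
        mounts = [m for m in container.get("volumeMounts", [])
                  if m.get("mountPath") == KRB5_PATH]
        if not mounts:
            problems.append(f"{cname}: nothing mounted at {KRB5_PATH}")
        for mount in mounts:
            if mount.get("subPath") != "krb5.conf":
                # Without subPath the whole ConfigMap is mounted as a
                # directory at /etc/krb5.conf, which libkrb5 cannot read.
                problems.append(
                    f"{cname}: mount at {KRB5_PATH} lacks subPath krb5.conf")
            volume = volumes.get(mount.get("name"))
            if volume is None:
                problems.append(
                    f"{cname}: volume {mount.get('name')!r} is not declared")
            elif volume.get("configMap", {}).get("name") != configmap_name:
                problems.append(
                    f"{cname}: volume {mount.get('name')!r} does not "
                    f"reference ConfigMap {configmap_name!r}")

    if spec.get("automountServiceAccountToken") is not False:
        problems.append("automountServiceAccountToken should be false: "
                        "job pods do not need Kubernetes API credentials")
    return problems


def render(pod_spec):
    """Serialise the spec as JSON. JSON is valid YAML, so the output can be
    pasted into the instance group's custom pod spec field unchanged."""
    return json.dumps(pod_spec, indent=2)


if __name__ == "__main__":
    spec = container_group_pod_spec("awxop", "awx-demo-extra-config")
    print(render(spec))
    print("problems:", check_krb5_mount(spec, "awx-demo-extra-config"))
```

Running the script prints the spec and an empty problem list; feeding it a spec whose volume points at a ConfigMap of a different name, or whose mount has no subPath, reports exactly the mistakes that leave the job pod without a usable /etc/krb5.conf.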


urs...@gmail.com wrote on Tuesday, 14 June 2022 at 15:16:25 UTC+2:


[ansible-project] Re: Howto to deploy kerberos (krb5.conf) info during awx operator install?

2022-06-14 Thread Urs Rau
OK, I think I have part of an answer but I am not getting the syntax right 
for a successful Kubernetes deployment it looks like.

Can somebody look this over and help me out in getting the yaml file syntax 
right, please? 

###
# part 1 my 'kustomization.yaml' file #
###
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=0.22.0
  - awx-myorg_awx.yaml

# Set the image tags to match the git version from above
images:
  - name: quay.io/ansible/awx-operator
    newTag: 0.22.0

# Specify a custom namespace in which to install AWX
namespace: awx

###
# part 2 my 'awx-myorg_awx.yaml' file #
###
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: awx-myorg
  namespace: awx
data:
  krb5.conf: |-
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    # includedir /etc/krb5.conf.d/
    # my myorg krb5.conf file
    includedir /etc/krb5.conf.d/

    [libdefaults]
    default_realm = MYORG.DOM

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

    [realms]
    MYORG.DOM = {
        kdc = dc1.myorg.dom
        kdc = dc2.myorg.dom
        admin_server = dc1.myorg.dom
        default_domain = MYORG.DOM
    }
    [domain_realm]
    .myorg.dom = MYORG.DOM

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-myorg
spec:
  service_type: nodeport
  web_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  task_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  extra_volumes: |
    - name: krb5-conf
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: awx-myorg


kustomize accepts this when I issue a 
VERSION=0.22.0 kustomize build . | kubectl apply -f -

BUT it never finishes building the containers. Even after a full hour it is
still in the building container state.
Can somebody do the necessary edits to make the above apply and build the 
awx cluster successfully, please? 

Thanks in advance. 

Urs Rau

On Monday, 13 June 2022 at 12:23:36 UTC+2 Urs Rau wrote:

> I am deploying awx 21.1.0 using the 0.22.0 operator into a minikube 
> cluster doing what they call a ‘basic install’ by way of creating the 
> documented kustomize.yml .
>
> https://github.com/ansible/awx-operator#basic-install
>
> But then my awx pods do not have the required kerberos realm info and both 
> winrm and kerberos transports fail.
>
> How do I add the contents of my locally required krb5.conf file to all 
> pods via the new operator install method?
>
> — 
> Urs Rau
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/1cee30db-45e7-4123-9e23-760ee65be3den%40googlegroups.com.