How to deploy kerberos (krb5.conf) info during awx operator install?

Urs Rau

Jun 13, 2022, 6:23:36 AM6/13/22
to Ansible Project
I am deploying awx 21.1.0 using the 0.22.0 operator into a minikube cluster doing what they call a ‘basic install’ by way of creating the documented kustomize.yml .


But then my awx pods do not have the required kerberos realm info and both winrm and kerberos transports fail.

How do I add the contents of my locally required krb5.conf file to all pods via the new operator install method?

— 
Urs Rau

Urs Rau

Jun 14, 2022, 9:16:25 AM6/14/22
to Ansible Project
OK, I think I have part of an answer, but it looks like I am not getting the syntax right for a successful Kubernetes deployment.

Can somebody look this over and help me out in getting the yaml file syntax right, please? 

#######################################
# part 1: my 'kustomization.yaml' file
#######################################
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=0.22.0
  - awx-myorg_awx.yaml

# Set the image tags to match the git version from above
images:
  - name: quay.io/ansible/awx-operator
    newTag: 0.22.0

# Specify a custom namespace in which to install AWX
namespace: awx

#######################################
# part 2: my 'awx-myorg_awx.yaml' file
#######################################
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: awx-myorg
  namespace: awx
data:
  krb5.conf: |-
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    # includedir /etc/krb5.conf.d/
    # my myorg krb5.conf file
    includedir /etc/krb5.conf.d/

    [libdefaults]
        default_realm = MYORG.DOM

    # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

    [realms]
        MYORG.DOM = {
            kdc = dc1.myorg.dom
            kdc = dc2.myorg.dom
            admin_server = dc1.myorg.dom
            default_domain = MYORG.DOM
        }

    [domain_realm]
        .myorg.dom = MYORG.DOM

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-myorg
spec:
  service_type: nodeport
  web_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  task_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  extra_volumes: |
    - name: krb5-conf
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: awx-myorg


kustomize accepts this when I issue a 
VERSION=0.22.0 kustomize build . | kubectl apply -f -

BUT it never finishes building the containers. Even after a full hour it is still in the building container state.
Can somebody do the necessary edits to make the above apply and build the awx cluster successfully, please? 

Thanks in advance. 

Urs Rau

Sebastian Jaekel

Jul 12, 2022, 5:38:14 AM7/12/22
to Ansible Project
Hi,

Even if you get it working, this will not help. The configuration from the containers is not related to the pod(s) launched when running a playbook. You need to modify the default container group or create a new one. For example, go to "Administration" -> "Instance Groups" and edit the "default" group.
Change spec to something like this (maybe you need to change the name of the configMap in volumes section):

apiVersion: v1
kind: Pod
metadata:
  namespace: awxop
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: 'quay.io/ansible/awx-ee:latest'
      name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
      volumeMounts:
        - name: krb5-conf
          mountPath: /etc/krb5.conf
          subPath: krb5.conf
  volumes:
    - name: krb5-conf
      configMap:
        name: awx-demo-extra-config


Regards

Sebastian
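The two pieces the thread arrives at (a ConfigMap holding the local krb5.conf, and a container-group pod spec that mounts it into the job pods) as one added example; this is not code from the thread or from awx-operator. It parses the local krb5.conf with a small parser written here, refuses to ship a file whose default_realm has no [realms] entry, whose realm has no kdc, or which pins deprecated enctypes, and then renders both manifests by hand so no YAML library is needed. The names awx-myorg, namespace awx, MYORG.DOM, dc1/dc2.myorg.dom and quay.io/ansible/awx-ee:latest are placeholders taken from the posts above; the sample krb5.conf is constructed.

```python
import re

# Constructed sample input: the realm layout posted in the thread.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
    default_realm = MYORG.DOM
[realms]
    MYORG.DOM = {
        kdc = dc1.myorg.dom
        kdc = dc2.myorg.dom
        admin_server = dc1.myorg.dom
    }
[domain_realm]
    .myorg.dom = MYORG.DOM
"""
# Deprecated enctype families ("des" also matches des3); pinning them downgrades every ticket.
WEAK_ENCTYPES = ("des", "rc4", "arcfour")

def parse_krb5_conf(text):
    """Parse into {section: {key: value}}: repeated keys become lists, `x = {` blocks nested dicts."""
    conf, section, group, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        # krb5.conf comments are whole-line only; include(dir) targets live in the image, not resolved here.
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, group = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            depth, group = depth - 1, None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            group, depth = section.setdefault(key, {}), depth + 1
            continue
        target = group if group is not None else section
        old = target.get(key)
        target[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
    if depth != 0:
        raise ValueError("unbalanced braces in krb5.conf")
    return conf

def check_krb5_conf(conf):
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    problems, realm = [], libdefaults.get("default_realm")
    if not realm:
        problems.append("no default_realm in [libdefaults]")
    elif realm not in realms:
        problems.append("default_realm %s has no [realms] entry" % realm)
    for name, settings in realms.items():
        if not isinstance(settings, dict) or "kdc" not in settings:
            problems.append("realm %s declares no kdc" % name)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        value = str(libdefaults.get(key, "")).lower()
        if any(weak in value for weak in WEAK_ENCTYPES):
            problems.append("%s pins deprecated enctypes: %s" % (key, value))
    return problems

def render_configmap(name, namespace, krb5_text):
    """ConfigMap rendered by hand (no PyYAML): the file becomes a literal block scalar under krb5.conf."""
    body = "\n".join("    " + line if line else "" for line in krb5_text.splitlines())
    return ("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\n"
            "data:\n  krb5.conf: |\n%s\n" % (name, namespace, body))

def render_container_group_spec(namespace, configmap_name, image="quay.io/ansible/awx-ee:latest"):
    """Container-group pod spec; subPath replaces only /etc/krb5.conf and is not refreshed on ConfigMap edits."""
    return """\
apiVersion: v1
kind: Pod
metadata:
  namespace: %s
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: '%s'
      name: worker
      args: [ansible-runner, worker, '--private-data-dir=/runner']
      volumeMounts:
        - {name: krb5-conf, mountPath: /etc/krb5.conf, subPath: krb5.conf}
  volumes:
    - name: krb5-conf
      configMap: {name: %s}
""" % (namespace, image, configmap_name)

def build_manifests(krb5_text, name="awx-myorg", namespace="awx"):
    problems = check_krb5_conf(parse_krb5_conf(krb5_text))
    if problems:
        raise ValueError("refusing to ship krb5.conf: " + "; ".join(problems))
    return (render_configmap(name, namespace, krb5_text) + "---\n"
            + render_container_group_spec(namespace, name))

if __name__ == "__main__":
    print(build_manifests(SAMPLE_KRB5_CONF))
```

Two points the rendered spec encodes on purpose: mounting with `subPath` replaces only `/etc/krb5.conf`, so the image's `/etc/krb5.conf.d/` (which the `includedir` line refers to) stays intact, but a subPath mount is not refreshed when the ConfigMap changes, so an edited realm list only reaches jobs whose pods start after the edit; and `automountServiceAccountToken: false` is kept from Sebastian's spec because a job pod has no reason to hold a Kubernetes API credential next to a Kerberos ticket cache. The same ConfigMap can also be produced with `kubectl create configmap awx-myorg -n awx --from-file=krb5.conf=/etc/krb5.conf --dry-run=client -o yaml`, which skips the checks above.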