AWX on K3S using ldaps


Teksupsm

Nov 20, 2022, 1:55:53 PM
to AWX Project
Has anyone been able to get this working on K3S with LDAP authentication? I have tried applying the secrets using my internal CA, and while the certs are on the awx-web instance and I can in fact use them running openssl commands, I am still getting cert errors when I try to authenticate.

AWX Project

Dec 2, 2022, 1:53:04 PM
to AWX Project
| I am still getting cert errors when I try to authenticate.

Can you copy and paste the errors you are seeing? Thanks!

AWX Team

Sean Marshall

Dec 2, 2022, 2:30:37 PM
to awx-p...@googlegroups.com
I managed to get it working by including the entire cert chain in the ldaps certificate.


Lorenzo Tanganelli

Dec 7, 2022, 12:20:09 PM
to AWX Project
Hi,
In my company we have a similar issue, also adding the cert chain and so on.
The issue is probably related to our internal CA, which issues us a SHA1 cert, which is no longer accepted in RH 9.

Do you have the same issue?

AWX Project

Dec 7, 2022, 2:36:22 PM
to AWX Project
lorenzota, what problems are you experiencing exactly? Any error messages that seem to be related?

AWX Team

Sean Marshall

Dec 9, 2022, 10:17:57 AM
to awx-p...@googlegroups.com
Ours is working now but the certs are SHA256 so perhaps that is your issue.

Lorenzo Tanganelli

Dec 14, 2022, 7:13:17 AM
to AWX Project

Hi team,

I confirm that the issue is related to our CA, which uses SHA1 for the CA cert (don't ask me why, but that is how it is). The AWX base image is Centos9Stream, which by default no longer allows SHA1; to enable it you need to run the update-crypto-policies command.
So, in our case, to work properly we have "overridden" the awx-web command and args via Helm with:

web_command:
     - /bin/bash
     - "-c"
web_args:
     - update-crypto-policies --set DEFAULT:SHA1; /usr/bin/launch_awx.sh

This is because update-crypto-policies needs to be run before launching the awx program.

For sure this is not a best practice, but for certain environments/use cases, this is the only solution.

AWX Team, probably this will be documented somewhere...
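
A check for the condition this thread ended on, as an added example that is not part of the original thread or of AWX: it lists which certificates in a PEM bundle (for instance the LDAPS CA chain mounted into awx-web) carry a SHA-1 based signature. The function names and the sample bundle are constructed for illustration; the sample entries are certificate-shaped DER skeletons, not real certificates.

```python
import base64
import re

# DER content bytes of signatureAlgorithm OIDs that rely on SHA-1.
SHA1_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def signature_oid(der):
    """Return the raw OID bytes of Certificate.signatureAlgorithm."""
    _, cert, _ = read_tlv(der, 0)      # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)      # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)    # signatureAlgorithm SEQUENCE
    return read_tlv(alg, 0)[1]         # its first element is the algorithm OID

def sha1_signed(bundle_pem):
    """Return [(position, algorithm)] for each SHA-1-signed cert in a PEM bundle."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(bundle_pem)):
        oid = signature_oid(base64.b64decode(m.group(1)))
        if oid in SHA1_OIDS:
            hits.append((i, SHA1_OIDS[oid]))
    return hits

def _tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form length, enough for the sample

def _skeleton(oid_hex):
    """Constructed certificate-shaped DER (not a valid certificate), PEM-wrapped."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05))
    der = _tlv(0x30, _tlv(0x30) + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = _skeleton("2a864886f70d01010b") + _skeleton("2a864886f70d010105")

if __name__ == "__main__":
    print(sha1_signed(SAMPLE_BUNDLE))
```

Run against the contents of the real bundle file, the positions returned identify the entries that would have to be reissued with SHA-256 before the DEFAULT:SHA1 policy override could be dropped.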

