How to deploy Kerberos (krb5.conf) info during an awx-operator install?


urs...@gmail.com

Jun 13, 2022, 6:19:35 AM6/13/22
to AWX Project
I am deploying AWX 21.1.0 using the 0.22.0 operator into a minikube cluster, doing what they call a ‘basic install’ by way of creating the documented kustomization.yaml.


But then my AWX pods do not have the required Kerberos realm info, and both the winrm and kerberos transports fail.

How do I add the contents of my locally required krb5.conf file to all pods via the new operator install method?

— 
Urs Rau

Urs Rau

Jun 13, 2022, 7:13:40 AM6/13/22
to awx-p...@googlegroups.com
OK, I have part of the answer, I think. But I cannot get the YAML file syntax right so that kustomize and kubectl can actually apply it cleanly.

I guess I need to find the right metadata, apiVersion and names etc. Can somebody help me create a working YAML file?


I think I need it in either one or possibly up to four YAML files, but I tried and I cannot satisfy the kustomize and kubectl syntax.


# part 1 my ‘kustomization.yaml' file
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - awx-myorg_awx.yaml
  - awx-myorg_mounts.yaml
  - awx-myorg_krb5.yaml

# Set the image tags to match the git version from above
# (images entries are a list and each needs the image name to retag)
images:
  - name: quay.io/ansible/awx-operator
    newTag: 0.22.0

# Specify a custom namespace in which to install AWX
namespace: awx


# part 2 my ‘awx-myorg_awx.yaml’ file
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-myorg
spec:
  service_type: nodeport


# part 3 my ‘awx-myorg_mounts.yaml’ file
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-myorg
  namespace: awx
spec:
  web_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  task_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  extra_volumes: |
    - name: krb5-conf
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: awx-myorg



# part 4 my ‘awx-myorg_krb5.yaml'
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: awx-myorg
  namespace: awx
data:
  krb5.conf: |-
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    # includedir /etc/krb5.conf.d/
    # my myorg krb5.conf file
    includedir /etc/krb5.conf.d/

    [libdefaults]
        default_realm = MYORG.DOM

    # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

    [realms]
        MYORG.DOM = {
            kdc = dc1.myorg.dom
            kdc = dc2.myorg.dom
            admin_server = dc1.myorg.dom
            default_domain = MYORG.DOM
        }
    [domain_realm]
        .myorg.dom = MYORG.DOM


Is there a kind soul out there who could integrate those krb5.conf settings with these extra mounts into my deployment? Thanks.
I am trying to follow the ‘basic install’ here https://github.com/ansible/awx-operator#basic-install but would like to also add my krb5 config into the CRDs of the deployment.


Thanks for any help. Or alternative or better ways to achieve what I am after.

PS: 
Sorry for this ‘duplicate’ post. I had not immediately realised that there is an awx-project Google group and posted off-topic to the ansible-project Google group first instead.


Urs Rau

Jun 14, 2022, 10:14:43 AM6/14/22
to AWX Project
OK, I think I have part of an answer, but it looks like I am not getting the syntax right for a successful Kubernetes deployment.

Can somebody look this over and help me out in getting the YAML file syntax right, please?

# part 1 my ‘kustomization.yaml' file

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=0.22.0
  - awx-myorg_awx.yaml

# Set the image tags to match the git version from above
images:
  - name: quay.io/ansible/awx-operator
    newTag: 0.22.0

# Specify a custom namespace in which to install AWX
namespace: awx

# part 2 my ‘awx-myorg_awx.yaml’ file
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-myorg
spec:
  service_type: nodeport
  web_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  task_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5-conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  extra_volumes: |
    - name: krb5-conf
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: awx-myorg


kustomize accepts this when I issue:
VERSION=0.22.0 kustomize build . | kubectl apply -f -

BUT it never finishes building the containers. Even after a full hour it is still in the building-container state.
Can somebody do the necessary edits to make the above apply and build the awx cluster successfully, please? 

Thanks in advance. 

Urs Rau
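The two previous posts ask for one thing: a ConfigMap carrying krb5.conf, and an AWX custom resource whose extra_volumes and web/task/ee_extra_volume_mounts wire that ConfigMap into every container. The third post's kustomization lists only the AWX CR, so the ConfigMap named in extra_volumes never gets created; a pod whose volume references a ConfigMap that does not exist cannot be started by the kubelet and sits in ContainerCreating indefinitely (kubectl describe pod shows the FailedMount event). The operator's volume fields are free-form YAML strings, so nothing schema-checks them either: a mount whose name does not match a volume, or a subPath that is not a projected file, is only noticed at pod start. The script below is an added example, not code from the thread or from the awx-operator project. It uses only the standard library, emits the manifests as JSON (which kubectl apply accepts, and which the operator's string fields accept because JSON is valid YAML flow syntax), and cross-checks the wiring before anything is applied. The names awx-myorg and namespace awx are taken from the thread; SAMPLE_KRB5 is a constructed stand-in for the poster's real krb5.conf. If you prefer to stay in kustomize, the same ConfigMap can come from a configMapGenerator with generatorOptions.disableNameSuffixHash set to true so the name the CR references stays stable.

```python
"""Build and sanity-check the manifests that mount a krb5.conf into the AWX pods.

Added example; not from the thread or the awx-operator project. Names
(awx-myorg, namespace awx) follow the thread; SAMPLE_KRB5 is constructed.
"""
import json

MOUNT_FIELDS = ("web_extra_volume_mounts", "task_extra_volume_mounts",
                "ee_extra_volume_mounts")

# Constructed sample; a real deployment would read the site's krb5.conf instead.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = MYORG.DOM
[realms]
    MYORG.DOM = {
        kdc = dc1.myorg.dom
        kdc = dc2.myorg.dom
        admin_server = dc1.myorg.dom
    }
[domain_realm]
    .myorg.dom = MYORG.DOM
"""


def krb5_configmap(name, namespace, krb5_text):
    """krb5.conf holds no secrets (realm names, KDC hosts), so a ConfigMap is the
    right object; a keytab would go in a Secret instead."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"krb5.conf": krb5_text}}


def awx_cr(name, namespace, configmap_name):
    """AWX custom resource wiring the ConfigMap into the web, task and EE containers."""
    volume = {"name": "krb5-conf",
              "configMap": {"name": configmap_name, "defaultMode": 0o644,
                            "items": [{"key": "krb5.conf", "path": "krb5.conf"}]}}
    # subPath mounts only the one file so the rest of /etc is untouched;
    # readOnly keeps a compromised job from rewriting the realm/KDC mapping.
    mount = {"name": "krb5-conf", "mountPath": "/etc/krb5.conf",
             "subPath": "krb5.conf", "readOnly": True}
    spec = {"service_type": "nodeport", "extra_volumes": json.dumps([volume])}
    for field in MOUNT_FIELDS:
        spec[field] = json.dumps([mount])
    return {"apiVersion": "awx.ansible.com/v1beta1", "kind": "AWX",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def validate(resources):
    """Cross-check the volume wiring before apply. Returns a list of problems;
    empty means every mount resolves to a volume and every ConfigMap volume
    resolves to a ConfigMap present in the same resource set and namespace."""
    problems = []
    configmaps = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                  for r in resources if r["kind"] == "ConfigMap"}
    for cr in (r for r in resources if r["kind"] == "AWX"):
        ns, spec = cr["metadata"]["namespace"], cr["spec"]
        volumes = {v["name"]: v for v in json.loads(spec.get("extra_volumes", "[]"))}
        for field in (f for f in spec if f.endswith("_extra_volume_mounts")):
            for mount in json.loads(spec[field]):
                volume = volumes.get(mount["name"])
                if volume is None:
                    problems.append(f"{field}: mount {mount['name']!r} has no extra_volumes entry")
                    continue
                ref = volume.get("configMap")
                if ref is None:
                    continue  # not a ConfigMap volume; nothing more to check here
                cm = configmaps.get((ns, ref["name"]))
                if cm is None:
                    # The case that leaves pods stuck in ContainerCreating: the
                    # kubelet cannot mount a ConfigMap that does not exist.
                    problems.append(f"{field}: ConfigMap {ref['name']!r} not in namespace {ns!r}")
                    continue
                for item in ref.get("items", []):
                    if item["key"] not in cm["data"]:
                        problems.append(f"{field}: ConfigMap {ref['name']!r} has no key {item['key']!r}")
                projected = {i["path"] for i in ref.get("items", [])} or set(cm["data"])
                if mount.get("subPath") and mount["subPath"] not in projected:
                    problems.append(f"{field}: subPath {mount['subPath']!r} is not a projected file")
    return problems


def render(resources):
    """A v1 List document that `kubectl apply -f -` accepts."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": resources}, indent=2)


if __name__ == "__main__":
    cm = krb5_configmap("awx-myorg", "awx", SAMPLE_KRB5)
    cr = awx_cr("awx-myorg", "awx", "awx-myorg")
    problems = validate([cm, cr])
    if problems:
        raise SystemExit("\n".join(problems))
    print(render([cm, cr]))
```

Run it and pipe the output into kubectl apply -f - in the namespace where the operator already runs; validate() refuses to emit anything when the ConfigMap is missing or a mount name is mistyped, which is exactly the state the third post's kustomization produces. The mounts are deliberately readOnly: krb5.conf decides which KDC a job trusts, and a job that can rewrite it can redirect authentication. The poster's krb5.conf also sets forwardable = true and proxiable = true, which makes the tickets AWX obtains delegable; keep that only if WinRM credential delegation is actually required.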