How to access AWX web interface on K8s
1,434 views
Skip to first unread message
Adrian Sebastian Dutu
Jan 22, 2019, 9:28:45 AM1/22/19
to AWX Project
I have deployed AWX on K8s. Everything is green.
I have the service and ingress below which were created by the install playbook. How do I access the web interface?
I am not very familiar with K8s but since I do not see any external endpoints defined, I guess that's the issue.
Ingress:
{
"kind": "Ingress",
"apiVersion": "extensions/v1beta1",
"metadata": {
"name": "awx-web-svc",
"namespace": "awx",
"selfLink": "/apis/extensions/v1beta1/namespaces/awx/ingresses/awx-web-svc",
"uid": "8cfcae6c-1e40-11e9-986d-001dd8b736ad",
"resourceVersion": "82353",
"generation": 1,
"creationTimestamp": "2019-01-22T12:23:40Z",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"extensions/v1beta1\",\"kind\":\"Ingress\",\"metadata\":{\"annotations\":{},\"name\":\"awx-web-svc\",\"namespace\":\"awx\"},\"spec\":{\"backend\":{\"serviceName\":\"awx-web-svc\",\"servicePort\":80}}}\n"
}
},
"spec": {
"backend": {
"serviceName": "awx-web-svc",
"servicePort": 80
}
},
"status": {
"loadBalancer": {}
}
}
Service:
{
"kind": "Service",
"apiVersion": "v1",
"metadata": {
"name": "awx-web-svc",
"namespace": "awx",
"selfLink": "/api/v1/namespaces/awx/services/awx-web-svc",
"uid": "8cf4a886-1e40-11e9-986d-001dd8b736ad",
"resourceVersion": "82346",
"creationTimestamp": "2019-01-22T12:23:40Z",
"labels": {
"name": "awx-web-svc"
},
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"name\":\"awx-web-svc\"},\"name\":\"awx-web-svc\",\"namespace\":\"awx\"},\"spec\":{\"ports\":[{\"name\":\"http\",\"port\":80,\"targetPort\":8052}],\"selector\":{\"name\":\"awx-web-deploy\"},\"type\":\"NodePort\"}}\n"
}
},
"spec": {
"ports": [
{
"name": "http",
"protocol": "TCP",
"port": 80,
"targetPort": 8052,
"nodePort": 32448
}
],
"selector": {
"name": "awx-web-deploy"
},
"clusterIP": "10.98.124.157",
"type": "NodePort",
"sessionAffinity": "None",
"externalTrafficPolicy": "Cluster"
},
"status": {
"loadBalancer": {}
}
}
Adrian Sebastian Dutu
Jan 22, 2019, 9:39:15 AM1/22/19
to AWX Project
If i start the proxy and try http://localhost:8001/api/v1/namespaces/awx/services/http:awx-web-svc:80/proxy/#/login the interface seems to load then throws and error: Failed to read /api. GET status: undefined
Matthew Jones
Jan 22, 2019, 9:40:22 AM1/22/19
to Adrian Sebastian Dutu, AWX Project
You have nodeport configured, though the selector is on the deploy container (nodeport 32448)
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/67065951-9ee0-496c-a350-b6ba556611b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Adrian Sebastian Dutu
Jan 22, 2019, 10:32:01 AM1/22/19
to AWX Project
Was I supposed to configure something else before installation? I did all the kubernetes configs that were mentioned on the install guide on github, so if that selector is wrong then something is wrong with the installer.
As mentioned earlier, if I try through the proxy with http://localhost:8001/api/v1/namespaces/awx/services/http:awx-web-svc:80/proxy/#/login, the awx logo shows in the chrome tab and the title of the tab is changed to Ansible-AWX so it looks like it tries to load it, but fails with error: Failed to read /api. GET status: undefinedawx-web logs show only 200s.
Is there a problem with the installation or am I connecting wrong?
Matthew Jones
Jan 22, 2019, 11:02:07 AM1/22/19
to Adrian Sebastian Dutu, AWX Project
Depending on what provider you are using for AWX you should be able to see what the ingress knows about the route to the service here as shown here:
Where/how did you install kubernetes?
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/2403527f-25a7-4d65-a45e-d419b5d06c89%40googlegroups.com.
Adrian Sebastian Dutu
Jan 22, 2019, 11:17:09 AM1/22/19
to AWX Project
Not using any cloud provider. On-premise private cloud. I checked that before and it's not picking up any address.
kubectl get svc --namespace awx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
awx-rmq-mgmt ClusterIP 10.101.80.192 <none> 15672/TCP 3h44m
awx-web-svc NodePort 10.98.124.157 <none> 80:32448/TCP 3h44m
rabbitmq NodePort 10.106.172.116 <none> 15672:30304/TCP,5672:31305/TCP 3h44m
kubectl get ing --namespace awx
NAME HOSTS ADDRESS PORTS AGE
awx-web-svc * 80 3h40m
Is it because i need to configure an ingress controller of my own? I do not have any installed.
That would make it accessible externally, but either way, it should work without the controller through the proxy, right? In the same way I'm accessing the k8s dashboard (which works fine): http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Is it because i need to configure an ingress controller of my own? I do not have any installed.
That would make it accessible externally, but either way, it should work without the controller through the proxy, right? In the same way I'm accessing the k8s dashboard (which works fine): http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Matthew Jones
Jan 22, 2019, 11:25:18 AM1/22/19
to Adrian Sebastian Dutu, AWX Project
You'll need to manage allocating address for the ingress controller on your own then, there are a lot of resources out there available for you to learn how this part of Kubernetes works. You *do* have the services exposed on a NodePort which you should be able to access externally
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/71abcb2e-4285-4ebd-9410-1a564784ed43%40googlegroups.com.
Uriel Mandujano
Jan 22, 2019, 12:24:26 PM1/22/19
to AWX Project
Not a long term solution but if you want confirmation that you're on the right path you should be able to test your connection directly to the service and verify AWX is up:
- Get the node name where the AWX pod is running
- kubectl get pod awx-pod-name -o jsonpath='{.spec.nodeName}'
- Get the port where the awx-web service is listening
- kubectl get service awx-web-svc -o jsonpath='{.spec.ports[0].nodePort}'
- Connect to the nodename:serviceport in a browser
PS. Maybe you need to provide the ingress spec a hostname?
Matthew Jones
Jan 22, 2019, 12:31:51 PM1/22/19
to Uriel Mandujano, AWX Project
FWIW, NodePort will expose that port on *all* Kubernetes nodes on the displayed port ... you don't have to specifically connect to the node running the service: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/79d82ce5-df5c-4b81-b269-c7683acf5515%40googlegroups.com.
Adrian Sebastian Dutu
Jan 24, 2019, 7:35:29 AM1/24/19
to AWX Project
Yes, now this works. I can access it on hostname:32448 but I need to figure out how to expose it on 80 since the end users won't be able to connect to 32448 due to FW.
Matthew Jones
Jan 24, 2019, 10:04:40 AM1/24/19
to Adrian Sebastian Dutu, AWX Project
Use a load balancer in front of this, I'd also strongly recommend https vs http
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/0e148824-bf41-4954-816e-bd352aeeb0ef%40googlegroups.com.
Adrian Sebastian Dutu
Jan 25, 2019, 7:16:09 AM1/25/19
to AWX Project
Is there any particular reason why you recommend https? I am exposing this as an internal tool only, behind an enterprise-grade firewall.
For the load balancer thing, wouldn't it be better to use a load-balancer type of service instead of going for ingress-controller?
For the load balancer thing, wouldn't it be better to use a load-balancer type of service instead of going for ingress-controller?
Matthew Jones
Jan 28, 2019, 11:45:02 AM1/28/19
to Adrian Sebastian Dutu, AWX Project
I think we'll see, as time goes on, more and more browsers respond natively or drop direct support for insecure connections. It's just good practice to get into generally.
As far as bridging connectins between the service and your external users via something like LoadBalancer. That's fine, but LoadBalancer generally requires something provided by your Cloud provider and it sounds like you might not be using a cloud provider to expose the services? This is why I like OpenShift as a solution a bit better because it has a concept of a Route built in, but Kubernetes will require you to bring some more detail about the system it's running on in order to wire into its Ingress interface.
--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/1839ee68-ae71-4fa3-99b4-5d233762a23f%40googlegroups.com.
Ajitkumar Tanwade
Mar 24, 2020, 2:44:27 AM3/24/20
to AWX Project
Hi All,
Hope you are doing well
We are also facing the same issue on K8S. There is no address assigned to Ingress service. We are planning to run multiple AWX pods, may I know how should we enable the load balancer and ingress service for https access?
Regards,
Ajit
On Monday, January 28, 2019 at 10:15:02 PM UTC+5:30, Matthew Jones wrote:
I think we'll see, as time goes on, more and more browsers respond natively or drop direct support for insecure connections. It's just good practice to get into generally.As far as bridging connectins between the service and your external users via something like LoadBalancer. That's fine, but LoadBalancer generally requires something provided by your Cloud provider and it sounds like you might not be using a cloud provider to expose the services? This is why I like OpenShift as a solution a bit better because it has a concept of a Route built in, but Kubernetes will require you to bring some more detail about the system it's running on in order to wire into its Ingress interface.
On Fri, Jan 25, 2019 at 7:16 AM Adrian Sebastian Dutu <dutu.a...@gmail.com> wrote:
Is there any particular reason why you recommend https? I am exposing this as an internal tool only, behind an enterprise-grade firewall.--
For the load balancer thing, wouldn't it be better to use a load-balancer type of service instead of going for ingress-controller?
On Thursday, January 24, 2019 at 4:04:40 PM UTC+1, Matthew Jones wrote:Use a load balancer in front of this, I'd also strongly recommend https vs http
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-p...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages