From 421421ba0f93d0046273a56007fe3f5c60bca3e2 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Wed, 31 Jul 2024 21:37:45 -0600 Subject: [PATCH] Update Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md
---
.../AWX/AWX Operator/Ansible AWX Operator.md | 178 ++++++------------ 1 file changed, 54 insertions(+), 124 deletions(-)
diff --git a/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md b/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md
index 4d8de4c..e462e02 100644
--- a/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md
+++ b/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md
@@ -88,67 +88,6 @@ You will need to create these files all in the same directory using the content namespace: awx ``` -=== "add-kerberos-configmap.yml" - - ```jsx title="/awx/kustomization.yml" - apiVersion: apps/v1 - kind: Deployment - metadata: - name: awx - namespace: awx - spec: - template: - spec: - containers: - - name: awx - volumeMounts: - - name: krb5-config - mountPath: /etc/krb5.conf - subPath: krb5.conf - volumes: - - name: krb5-config - configMap: - name: krb5-config - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: awx-task - namespace: awx - spec: - template: - spec: - containers: - - name: awx-task - volumeMounts: - - name: krb5-config - mountPath: /etc/krb5.conf - subPath: krb5.conf - volumes: - - name: krb5-config - configMap: - name: krb5-config - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: awx-web - namespace: awx - spec: - template: - spec: - containers: - - name: awx-web - volumeMounts: - - name: krb5-config - mountPath: /etc/krb5.conf - subPath: krb5.conf - volumes: - - name: krb5-config - configMap: - name: krb5-config - ``` - ## Ensure the Kubernetes Cluster is Ready Check that the status of the cluster is ready by running the following commands, it should appear similar to the [Rancher RKE2 Example](https://docs.bunny-lab.io/Containers/Kubernetes/Rancher%20RKE2/Rancher%20RKE2%20Cluster/#install-helm-rancher-certmanager-jetstack-rancher-and-longhorn): ``` 
@@ -188,76 +127,67 @@ kubectl apply -k . ## Add Kerberos Authentication (Windows) You may find that you need to be able to remotely control domain-joined Windows devices using Kerberos. You need to go through some extra steps to set this up after you have successfully deployed AWX Operator into Kubernetes. -Add the following Kubernetes patch file to the `/awx` folder on the AWX Operator server. +### Create Kerberos Keytab File +Add the following file to the `/awx` folder on the AWX Operator server. -=== "krb5-configmap.yml" +```jsx title="/awx/krb5.conf" +[libdefaults] + default_realm = BUNNY-LAB.IO + dns_lookup_realm = false + dns_lookup_kdc = false - ```jsx title="/awx/krb5-configmap.yml" - apiVersion: v1 - kind: ConfigMap - metadata: - name: krb5-config - namespace: awx - data: - krb5.conf: | - [libdefaults] - default_realm = BUNNY-LAB.IO - dns_lookup_realm = false - dns_lookup_kdc = false +[realms] + BUNNY-LAB.IO = { + kdc = 192.168.3.25 + kdc = 192.168.3.26 + admin_server = 192.168.3.25 + } - [realms] - BUNNY-LAB.IO = { - kdc = 192.168.3.25 - kdc = 192.168.3.26 - admin_server = 192.168.3.25 - } - - [domain_realm] - .bunny-lab.io = BUNNY-LAB.IO - bunny-lab.io = BUNNY-LAB.IO - ``` - -=== "kerberos-patch.yml" - - ```jsx title="/awx/ingress.yml" - apiVersion: apps/v1 - kind: Deployment - metadata: - name: awx-task - namespace: awx - spec: - template: - spec: - containers: - - name: awx-task - volumeMounts: - - name: krb5-config - mountPath: /etc/krb5.conf - subPath: krb5.conf - volumes: - - name: krb5-config - configMap: - name: krb5-config - ``` - -Then run the following commands to apply the configmap to the Kubernetes cluster, then patch each container to add the file. +[domain_realm] + .bunny-lab.io = BUNNY-LAB.IO + bunny-lab.io = BUNNY-LAB.IO +``` +### Convert Keytab File into ConfigMap +Run the following command to apply the Kerberos Keytab file as a configmap into the Kubernetes cluster that we will later use AWX to make a custom Execution Environment with. 
``` sh -# Apply the Kerberos ConfigMap into Kubernetes Cluster -kubectl apply -f /awx/krb5-configmap.yml +kubectl -n awx create configmap awx-kerberos-config --from-file=/awx/krb5.conf +``` -# Extract and apply patch for awx-task pod -kubectl patch deployment awx-task -n awx --patch "$(cat awx-task-patch.yml)" - -# Scale down to 0 -kubectl scale deployment awx-task -n awx --replicas=0 - -# Check to ensure it has scaled down to 0 by disappearing from this list. -kubectl get pods -n awx - -# Scale it back up to 1 -kubectl scale deployment awx-task -n awx --replicas=1 +### Create an AWX Container Group +At this point, we need to make a custom pod for the AWX Execution Environments that will use this Kerberos file. Reference information was found [here](https://github.com/kurokobo/awx-on-k3s/blob/main/tips/use-kerberos.md#create-container-group). +- Create Container Group with custom pod spec that mounts `krb5.conf` to allow Kerberos authentication to be used in this new Execution Environment (EE). +- Open AWX UI and click on "Instance Groups" under the "Administration" section, then press "Add > Add container group". +- Enter a descriptive name as you like (e.g. Kerberos EE) and click the toggle "Customize Pod Specification". +- Put the following YAML string in "Custom pod spec" then press the "Save" button +``` yml +apiVersion: v1 +kind: Pod +metadata: + namespace: awx +spec: + serviceAccountName: default + automountServiceAccountToken: false + containers: + - image: 'quay.io/ansible/awx-ee:latest' + name: worker + args: + - ansible-runner + - worker + - '--private-data-dir=/runner' + resources: + requests: + cpu: 250m + memory: 100Mi + volumeMounts: + - name: awx-kerberos-volume + mountPath: /etc/krb5.conf + subPath: krb5.conf + volumes: + - name: awx-kerberos-volume + configMap: + name: awx-kerberos-config ``` ## Access the AWX WebUI behind Ingress Controller
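Review bot: The new headings "Create Kerberos Keytab File" and "Convert Keytab File into ConfigMap" mislabel `/awx/krb5.conf`, which is the Kerberos client configuration (realm, KDC addresses, domain mapping), not a keytab; a keytab holds a principal's long-term keys and must never be placed in a ConfigMap, which is not a secret store. Rename them to `### Create Kerberos Client Configuration (krb5.conf)` and `### Load krb5.conf into a ConfigMap`, and add a one-line warning that if a real keytab is ever needed it belongs in a Kubernetes Secret, so a later reader does not reuse this recipe for key material. In the custom pod spec, `- image: 'quay.io/ansible/awx-ee:latest'` is a floating tag, so the execution environment that runs jobs against domain-joined hosts silently changes on every pod start; pin a release tag or an `@sha256:` digest instead. Keeping `automountServiceAccountToken: false` on the `default` service account is good, but the spec sets no `securityContext`, so the worker runs as whatever user the image defaults to — worth confirming against the cluster's pod security standards.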