From 546297dbc576ad1734aad495cae30a702ec69ee6 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Wed, 31 Jul 2024 22:07:52 -0600 Subject: [PATCH] Update Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md --- .../AWX/AWX Operator/Ansible AWX Operator.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md b/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md index 540251d..3dd2daa 100644 --- a/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md +++ b/Docker & Kubernetes/Servers/AWX/AWX Operator/Ansible AWX Operator.md @@ -124,9 +124,13 @@ kubectl apply -k . !!! warning "Be Patient - Wait 20 Minutes" The process may take a while to spin up AWX, postgresql, redis, and other workloads necessary for AWX to function. Depending on the speed of the server, it may take between 5 and 20 minutes for AWX to be ready to connect to. You can watch the progress via the CLI commands listed above, or directly on Rancher's WebUI at https://rancher.bunny-lab.io. -## Add Kerberos Execution Environment +## Kerberos Implementation You may find that you need to be able to remotely control domain-joined Windows devices using Kerberos. You need to go through some extra steps to set this up after you have successfully deployed AWX Operator into Kubernetes. +### Configure Windows Devices +You will need to prepare the Windows devices to allow them to be remotely controlled by Ansible playbooks. Run the following powershell script on all of the devices that will be managed by the Ansible AWX environment. +[WinRM Prerequisite Setup Script](https://docs.bunny-lab.io/Docker%20%26%20Kubernetes/Servers/AWX/AWX%20Operator/Enable%20Kerberos%20WinRM/) + ### Create Kerberos Keytab File Add the following file to the `/awx` folder on the AWX Operator server. 
@@ -190,6 +194,25 @@ spec: name: awx-kerberos-config ``` +### Job Template & Inventory Examples +At this point, you need to adjust your exist Job Template(s) that need to communicate via Kerberos to domain-joined Windows devices to use the "Instance Group" of "**Kerberos EE**" while keeping the same Execution Environment you have been using up until this point. This will change the Execution Environment to include the Kerberos Keytab file in the EE at playbook runtime. + +You will want to ensure your inventory file is configured to use Kerberos Authentication as well, so the following example is a starting point: +``` ini +virt-node-01 ansible_host=192.168.3.22 + +[virtualizationHosts] +virt-node-01 + +[virtualizationHosts:vars] +ansible_connection=winrm +ansible_port=5986 +ansible_winrm_transport=kerberos +ansible_winrm_scheme=https +ansible_winrm_server_cert_validation=ignore +ansible_winrm_kerberos_realm=BUNNY-LAB.IO +``` + ## Access the AWX WebUI behind Ingress Controller After you have deployed AWX into the cluster, it will not be immediately accessible to the host's network (such as your personal computer) unless you set up a DNS record pointing to it. In the example above, you would have an `A` or `CNAME` DNS record pointing to the internal IP address of the Rancher RKE2 Cluster host.
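Review bot: In the first hunk, the new "Configure Windows Devices" section tells the reader to run a linked script on every managed device but does not say what the script changes on the host or which privileges it needs. Add one or two sentences summarising its effect so an administrator can review it before rolling it out, and write "PowerShell" with its usual capitalisation. The link is an absolute https://docs.bunny-lab.io/ URL; a relative link to the page in this repository would keep working if the docs host changes. The heading rename from "Add Kerberos Execution Environment" to "Kerberos Implementation" also changes the section anchor, so check for existing links to the old one.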
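Review bot: In the second hunk, the example inventory sets ansible_winrm_server_cert_validation=ignore, which turns off TLS certificate verification for the HTTPS WinRM connection on port 5986, and the text offers the block as a starting point without flagging that. Suggest adding a warning admonition (the document already uses the "!!! warning" style) saying this setting is only for hosts whose certificates are not yet trusted, and pointing to validation against the domain CA, for example with ansible_winrm_ca_trust_path. In the same added paragraph, "adjust your exist Job Template(s)" should read "existing", and the code fence is opened with a space before ini, which some Markdown renderers do not treat as a language tag.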