--- apiVersion: v1 kind: ServiceAccount metadata: name: {{ kubernetes_serviceaccount_name }} namespace: {{ kubernetes_namespace }} {% if kubernetes_service_account_annotations is defined %} annotations: {% for key, value in kubernetes_service_account_annotations.items() %} {{ key }}: "{{ value }}" {% endfor %} {% endif %} {% if kubernetes_image_pull_secrets is defined %} imagePullSecrets: - name: "{{ kubernetes_image_pull_secrets }}" {% endif %} {% if awx_psp_create is defined and awx_psp_create | bool %} --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ awx_psp_name }}-psp spec: {% if awx_psp_privileged is defined %} privileged: {{ awx_psp_privileged }} allowPrivilegeEscalation: {{ awx_psp_privileged }} {% endif %} requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: {{ kubernetes_namespace }} name: {{ awx_psp_name }}-role rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - {{ awx_psp_name }}-psp verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ awx_psp_name }}-role-binding namespace: {{ kubernetes_namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ awx_psp_name }}-role subjects: - kind: ServiceAccount name: {{ kubernetes_serviceaccount_name }} namespace: {{ kubernetes_namespace }} {% endif %} --- apiVersion: {{ kubernetes_deployment_api_version }} kind: Deployment metadata: name: {{ kubernetes_deployment_name }} namespace: {{ kubernetes_namespace }} {% if kubernetes_deployment_annotations is defined %} annotations: {% for key, value in kubernetes_deployment_annotations.items() %} {{ key }}: "{{ value }}" {% endfor %} {% endif %} {% if openshift_host is defined %} labels: app: {{ kubernetes_deployment_name }} {% endif %} spec: replicas: 1 {% if kubernetes_deployment_api_version == "apps/v1" %} selector: matchLabels: app: {{ kubernetes_deployment_name }} {% endif %} template: metadata: {% if kubernetes_pod_annotations is defined %} annotations: {% for key, value in kubernetes_pod_annotations.items() %} {{ key }}: "{{ value }}" {% endfor %} {% endif %} labels: name: {{ kubernetes_deployment_name }}-web-deploy service: django app: {{ kubernetes_deployment_name }} spec: serviceAccountName: {{ kubernetes_serviceaccount_name }} terminationGracePeriodSeconds: 10 {% if custom_venvs is defined %} {% set trusted_hosts = "" %} initContainers: - image: 'centos:7' name: init-custom-venvs {% if http_proxy is defined or https_proxy is defined %} {% set trusted_hosts = "--trusted-host pypi.org --trusted-host files.pythonhosted.org --trusted-host pypi.python.org" %} env: {% if http_proxy is defined %} - name: http_proxy value: {{ http_proxy }} {% endif %} {% if https_proxy is defined %} - name: https_proxy value: {{ https_proxy }} {% endif %} {% if no_proxy is defined %} - name: no_proxy value: {{ no_proxy }} {% endif %} {% endif %} command: - sh - '-c' - >- yum install -y ansible curl python-setuptools epel-release \ openssl openssl-devel gcc python-devel && yum install -y python-virtualenv python36 python36-devel && mkdir -p {{ custom_venvs_path }} && {% for custom_venv in custom_venvs %} virtualenv -p {{ custom_venv.python | default(custom_venvs_python) }} \ {{ custom_venvs_path }}/{{ custom_venv.name }} && source {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/activate && {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U psutil \ "ansible=={{ custom_venv.python_ansible_version }}" && {% if custom_venv.python_modules is defined %} {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install {{ trusted_hosts }} -U \ {% for module in custom_venv.python_modules %}{{ module }} {% endfor %} && {% endif %} deactivate && {% endfor %} : volumeMounts: - name: custom-venvs mountPath: {{ custom_venvs_path }} {% endif %} containers: - name: {{ kubernetes_deployment_name }}-web {% if web_security_context_enabled is defined and web_security_context_enabled | bool %} securityContext: {% if web_security_context_privileged is defined %} privileged: {{ web_security_context_privileged }} {% endif %} {% endif %} image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}" imagePullPolicy: Always ports: - containerPort: 8052 {% if ca_trust_dir is defined %} env: - name: REQUESTS_CA_BUNDLE value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem {% endif %} volumeMounts: {% if postgres_root_ca_cert is defined %} - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert mountPath: {{ ca_trust_bundle }} subPath: {{ postgres_root_ca_filename }} readOnly: true {% endif %} - name: supervisor-socket mountPath: "/var/run/supervisor" - name: rsyslog-socket mountPath: "/var/run/awx-rsyslog" - name: rsyslog-dir mountPath: "/var/lib/awx/rsyslog" {% if ca_trust_dir is defined %} - name: {{ kubernetes_deployment_name }}-ca-trust-dir mountPath: "{{ ca_trust_dir }}" readOnly: true {% endif %} {% if project_data_dir is defined %} - name: {{ kubernetes_deployment_name }}-project-data-dir mountPath: "/var/lib/awx/projects" readOnly: false {% endif %} {% if custom_venvs is defined %} - name: custom-venvs mountPath: {{ custom_venvs_path }} {% endif %} - name: {{ kubernetes_deployment_name }}-application-config mountPath: "/etc/tower/settings.py" subPath: settings.py readOnly: true - name: {{ kubernetes_deployment_name }}-nginx-config mountPath: /etc/nginx/nginx.conf subPath: nginx.conf readOnly: true - name: "{{ kubernetes_deployment_name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true - name: {{ kubernetes_deployment_name }}-supervisor-web-config mountPath: "/etc/supervisord.conf" subPath: supervisor.conf readOnly: true - name: {{ kubernetes_deployment_name }}-supervisor-task-config mountPath: "/etc/supervisord_task.conf" subPath: supervisor_task.conf readOnly: true - name: {{ kubernetes_deployment_name }}-secret-key mountPath: "/etc/tower/SECRET_KEY" subPath: SECRET_KEY readOnly: true - name: {{ kubernetes_deployment_name }}-redis-socket mountPath: "/var/run/redis" resources: requests: memory: "{{ web_mem_request }}Gi" cpu: "{{ web_cpu_request }}m" {% if web_mem_limit is defined or web_cpu_limit is defined %} limits: {% endif %} {% if web_mem_limit is defined %} memory: "{{ web_mem_limit }}Gi" {% endif %} {% if web_cpu_limit is defined %} cpu: "{{ web_cpu_limit }}m" {% endif %} - name: {{ kubernetes_deployment_name }}-task {% if task_security_context_enabled is defined and task_security_context_enabled | bool %} securityContext: {% if task_security_context_privileged is defined %} privileged: {{ task_security_context_privileged }} {% endif %} {% endif %} image: "{{ kubernetes_awx_image }}:{{ kubernetes_awx_version }}" command: - /usr/bin/launch_awx_task.sh imagePullPolicy: Always volumeMounts: {% if postgres_root_ca_cert is defined %} - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert mountPath: {{ ca_trust_bundle }} subPath: {{ postgres_root_ca_filename }} readOnly: true {% endif %} - name: supervisor-socket mountPath: "/var/run/supervisor" - name: rsyslog-socket mountPath: "/var/run/awx-rsyslog" - name: rsyslog-dir mountPath: "/var/lib/awx/rsyslog" {% if ca_trust_dir is defined %} - name: {{ kubernetes_deployment_name }}-ca-trust-dir mountPath: "{{ ca_trust_dir }}" readOnly: true {% endif %} {% if custom_venvs is defined %} - name: custom-venvs mountPath: {{ custom_venvs_path }} {% endif %} - name: {{ kubernetes_deployment_name }}-application-config mountPath: "/etc/tower/settings.py" subPath: settings.py readOnly: true - name: "{{ kubernetes_deployment_name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true - name: {{ kubernetes_deployment_name }}-supervisor-web-config mountPath: "/etc/supervisord.conf" subPath: supervisor.conf readOnly: true - name: {{ kubernetes_deployment_name }}-supervisor-task-config mountPath: "/etc/supervisord_task.conf" subPath: supervisor_task.conf readOnly: true - name: {{ kubernetes_deployment_name }}-secret-key mountPath: "/etc/tower/SECRET_KEY" subPath: SECRET_KEY readOnly: true - name: {{ kubernetes_deployment_name }}-redis-socket mountPath: "/var/run/redis" env: - name: SUPERVISOR_WEB_CONFIG_PATH value: "/etc/supervisord.conf" - name: AWX_SKIP_MIGRATIONS value: "1" - name: MY_POD_UID valueFrom: fieldRef: fieldPath: metadata.uid - name: MY_POD_IP valueFrom: fieldRef: fieldPath: status.podIP {% if ca_trust_dir is defined %} - name: REQUESTS_CA_BUNDLE value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem {% endif %} resources: requests: memory: "{{ task_mem_request }}Gi" cpu: "{{ task_cpu_request }}m" {% if task_mem_limit is defined or task_cpu_limit is defined %} limits: {% endif %} {% if task_mem_limit is defined %} memory: "{{ task_mem_limit }}Gi" {% endif %} {% if task_cpu_limit is defined %} cpu: "{{ task_cpu_limit }}m" {% endif %} - name: {{ kubernetes_deployment_name }}-redis {% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %} securityContext: {% if redis_security_context_privileged is defined %} privileged: {{ redis_security_context_privileged }} {% endif %} {% if redis_security_context_user is defined %} runAsUser: {{ redis_security_context_user }} {% endif %} {% endif %} image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }} imagePullPolicy: Always args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"] volumeMounts: - name: {{ kubernetes_deployment_name }}-redis-config mountPath: "{{ kubernetes_redis_config_mount_path }}" subPath: redis.conf readOnly: true - name: {{ kubernetes_deployment_name }}-redis-socket mountPath: "/var/run/redis" resources: requests: memory: "{{ redis_mem_request }}Gi" cpu: "{{ redis_cpu_request }}m" {% if redis_mem_limit is defined or redis_cpu_limit is defined %} limits: {% endif %} {% if redis_mem_limit is defined %} memory: "{{ redis_mem_limit }}Gi" {% endif %} {% if redis_cpu_limit is defined %} cpu: "{{ redis_cpu_limit }}m" {% endif %} {% if tolerations is defined %} tolerations: {{ tolerations | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} {% endif %} {% if node_selector is defined %} nodeSelector: {{ node_selector | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} {% endif %} {% if affinity is defined %} affinity: {{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }} {% endif %} volumes: {% if postgres_root_ca_cert is defined %} - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert configMap: name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert items: - key: postgres_root_ca.crt path: postgres_root_ca.crt {% endif %} - name: supervisor-socket emptyDir: {} - name: rsyslog-socket emptyDir: {} - name: rsyslog-dir emptyDir: {} {% if ca_trust_dir is defined %} - name: {{ kubernetes_deployment_name }}-ca-trust-dir hostPath: path: "{{ ca_trust_dir }}" type: Directory {% endif %} {% if project_data_dir is defined %} - name: {{ kubernetes_deployment_name }}-project-data-dir hostPath: path: "{{ project_data_dir }}" type: Directory {% endif %} {% if custom_venvs is defined %} - name: custom-venvs emptyDir: {} {% endif %} - name: {{ kubernetes_deployment_name }}-application-config configMap: name: {{ kubernetes_deployment_name }}-config items: - key: {{ kubernetes_deployment_name }}_settings path: settings.py - name: {{ kubernetes_deployment_name }}-nginx-config configMap: name: {{ kubernetes_deployment_name }}-config items: - key: {{ kubernetes_deployment_name }}_nginx_conf path: nginx.conf - name: {{ kubernetes_deployment_name }}-redis-config configMap: name: {{ kubernetes_deployment_name }}-config items: - key: {{ kubernetes_deployment_name }}_redis_conf path: redis.conf - name: "{{ kubernetes_deployment_name }}-application-credentials" secret: secretName: "{{ kubernetes_deployment_name }}-secrets" items: - key: credentials_py path: 'credentials.py' - key: environment_sh path: 'environment.sh' - name: {{ kubernetes_deployment_name }}-launch-awx-web configMap: name: {{ kubernetes_deployment_name }}-launch-awx items: - key: launch-awx-web path: 'launch_awx.sh' defaultMode: 0755 - name: {{ kubernetes_deployment_name }}-launch-awx-task configMap: name: {{ kubernetes_deployment_name }}-launch-awx items: - key: launch-awx-task path: 'launch_awx_task.sh' defaultMode: 0755 - name: {{ kubernetes_deployment_name }}-supervisor-web-config configMap: name: {{ kubernetes_deployment_name }}-supervisor-config items: - key: supervisor-web-config path: 'supervisor.conf' - name: {{ kubernetes_deployment_name }}-supervisor-task-config configMap: name: {{ kubernetes_deployment_name }}-supervisor-config items: - key: supervisor-task-config path: 'supervisor_task.conf' - name: {{ kubernetes_deployment_name }}-secret-key secret: secretName: "{{ kubernetes_deployment_name }}-secrets" items: - key: secret_key path: SECRET_KEY - name: {{ kubernetes_deployment_name }}-redis-socket emptyDir: {} --- apiVersion: v1 kind: Service metadata: name: {{ kubernetes_deployment_name }}-web-svc namespace: {{ kubernetes_namespace }} labels: name: {{ kubernetes_deployment_name }}-web-svc {% if kubernetes_service_annotations is defined %} annotations: {% for key, value in kubernetes_service_annotations.items() %} {{ key }}: "{{ value }}" {% endfor %} {% endif %} spec: type: {{ kubernetes_web_svc_type }} ports: - name: http port: 80 {% if kubernetes_web_svc_type == "ClusterIP" %} nodePort: null {% endif %} targetPort: 8052 selector: name: {{ kubernetes_deployment_name }}-web-deploy {% if kubernetes_context is defined %} --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: {{ kubernetes_deployment_name }}-web-svc namespace: {{ kubernetes_namespace }} {% if kubernetes_ingress_annotations is defined %} annotations: {% for key, value in kubernetes_ingress_annotations.items() %} {{ key }}: "{{ value }}" {% endfor %} {% endif %} spec: {% if kubernetes_ingress_hostname is defined %} rules: - host: {{ kubernetes_ingress_hostname }} http: paths: - path: / backend: serviceName: {{ kubernetes_deployment_name }}-web-svc servicePort: 80 {% else %} backend: serviceName: {{ kubernetes_deployment_name }}-web-svc servicePort: 80 {% endif %} {% if kubernetes_ingress_tls_secret is defined %} tls: - hosts: - {{ kubernetes_ingress_hostname }} secretName: {{ kubernetes_ingress_tls_secret }} {% endif %} {% endif %} {% if openshift_host is defined %} --- apiVersion: v1 kind: Route metadata: name: {{ kubernetes_deployment_name }}-web-svc namespace: {{ kubernetes_namespace }} spec: port: targetPort: http tls: insecureEdgeTerminationPolicy: Redirect termination: edge to: kind: Service name: {{ kubernetes_deployment_name }}-web-svc weight: 100 wildcardPolicy: None {% endif %}