{{/* # Copyright © 2019 Bell Canada # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. */}} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-init-mgnt namespace: {{ include "common.namespace" . }} data: entrypoint: | #/bin/sh awx-manage migrate --noinput if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]] then echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}' fi --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-settings namespace: {{ include "common.namespace" . }} data: awx_settings: | import os import socket ADMINS = () AWX_PROOT_ENABLED = True # Automatically deprovision pods that go offline AWX_AUTO_DEPROVISION_INSTANCES = True SYSTEM_TASK_ABS_CPU = 6 SYSTEM_TASK_ABS_MEM = 20 INSIGHTS_URL_BASE = "https://example.org" #Autoprovisioning should replace this CLUSTER_HOST_ID = socket.gethostname() SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' SESSION_COOKIE_SECURE = False CSRF_COOKIE_SECURE = False REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR'] STATIC_ROOT = '/var/lib/awx/public/static' PROJECTS_ROOT = '/var/lib/awx/projects' JOBOUTPUT_ROOT = '/var/lib/awx/job_status' SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip() ALLOWED_HOSTS = ['*'] INTERNAL_API_URL = 'http://127.0.0.1:8052' SERVER_EMAIL = 'root@localhost' DEFAULT_FROM_EMAIL = 'webmaster@localhost' EMAIL_SUBJECT_PREFIX = '[AWX] ' EMAIL_HOST = 'localhost' EMAIL_PORT = 25 EMAIL_HOST_USER = '' EMAIL_HOST_PASSWORD = '' EMAIL_USE_TLS = False LOGGING['handlers']['console'] = { '()': 'logging.StreamHandler', 'level': 'DEBUG', 'formatter': 'simple', } LOGGING['loggers']['django.request']['handlers'] = ['console'] LOGGING['loggers']['rest_framework.request']['handlers'] = ['console'] LOGGING['loggers']['awx']['handlers'] = ['console'] LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console'] LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console'] LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console'] LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console'] LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] LOGGING['loggers']['social']['handlers'] = ['console'] LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console'] LOGGING['loggers']['rbac_migrations']['handlers'] = ['console'] LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console'] LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'} LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'} LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'} LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'} LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'} LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'} CACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION': '{}:{}'.format("localhost", "11211") }, 'ephemeral': { 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', }, } USE_X_FORWARDED_PORT = True --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-rabbitmq namespace: {{ include "common.namespace" . }} data: enabled_plugins: | [rabbitmq_management,rabbitmq_peer_discovery_k8s]. rabbitmq.conf: | ## Clustering management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s cluster_formation.k8s.host = kubernetes.default.svc cluster_formation.k8s.address_type = ip cluster_formation.node_cleanup.interval = 10 cluster_formation.node_cleanup.only_log_warning = false cluster_partition_handling = autoheal ## queue master locator queue_master_locator=min-masters ## enable guest user loopback_users.guest = false rabbitmq_definitions.json: | { "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}], "permissions":[ {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"} ], "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}], "policies":[ {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}} ] } --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-nginx-conf namespace: {{ include "common.namespace" . }} labels: app.kubernetes.io/name: {{ include "common.name" . }} helm.sh/chart: {{ include "common.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} data: nginx.conf: | worker_processes 1; pid /tmp/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; server_tokens off; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /dev/stdout main; map $http_upgrade $connection_upgrade { default upgrade; '' close; } sendfile on; #tcp_nopush on; #gzip on; upstream uwsgi { server 127.0.0.1:8050; } upstream daphne { server 127.0.0.1:8051; } server { listen 8052 default_server; # If you have a domain name, this is where to add it server_name _; keepalive_timeout 65; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) add_header X-Frame-Options "DENY"; location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location /static/ { alias /var/lib/awx/public/static/; } location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } location /websocket { # Pass request to the upstream alias proxy_pass http://daphne; # Require http version 1.1 to allow for upgrade requests proxy_http_version 1.1; # We want proxy_buffering off for proxying to websockets. proxy_buffering off; # http://en.wikipedia.org/wiki/X-Forwarded-For proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # enable this if you use HTTPS: proxy_set_header X-Forwarded-Proto https; # pass the Host: header from the client for the sake of redirects proxy_set_header Host $http_host; # We've set the Host header, so we don't need Nginx to muddle # about with redirects proxy_redirect off; # Depending on the request value, set the Upgrade and # connection headers proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } location / { # Add trailing / if missing rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; uwsgi_read_timeout 120s; uwsgi_pass uwsgi; include /etc/nginx/uwsgi_params; proxy_set_header X-Forwarded-Port 443; } } }