From 927b2fd231e0cac3763ebc5a3e85540a03f87551 Mon Sep 17 00:00:00 2001
From: Benjamin Losson
Date: Tue, 12 Apr 2022 17:08:33 +0200
Subject: [PATCH 1/2] adding extraEnv var
---
 awx/CHANGELOG.md | 5 ++
 awx/Chart.yaml | 2 +-
 awx/README.md | 95 +++++++++++++++++++-------------------
 awx/templates/_helpers.tpl | 3 ++
 awx/values.yaml | 1 +
 5 files changed, 58 insertions(+), 48 deletions(-)
diff --git a/awx/CHANGELOG.md b/awx/CHANGELOG.md
index 22d0a31..36a8613 100644
--- a/awx/CHANGELOG.md
+++ b/awx/CHANGELOG.md
@@ -1,3 +1,8 @@
+2022-04-12 - 3.4.4
+---
+
+* Addind extraEnv var to add env var to all awx containers
+
 2021-11-30 - 3.4.0
 ---
diff --git a/awx/Chart.yaml b/awx/Chart.yaml
index 05b9b41..00b60f9 100644
--- a/awx/Chart.yaml
+++ b/awx/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.
 name: awx
-version: "3.4.3"
+version: "3.4.4"
 keywords:
 - ansible
 - awx
diff --git a/awx/README.md b/awx/README.md
index 42c3701..bb4a8ad 100644
--- a/awx/README.md
+++ b/awx/README.md
@@ -1,59 +1,59 @@ - -# Ansible AWX - - - -![Version: 3.4.0](https://img.shields.io/badge/Version-3.4.0-informational?style=flat-square) ![AppVersion: 17.1.0](https://img.shields.io/badge/AppVersion-17.1.0-informational?style=flat-square) - -AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX. - -**Homepage:** - -## Installation - -Add our repo: - -```bash -helm repo add adwerx https://adwerx.github.io/charts -``` - -Install the chart: - -```bash -helm install adwerx/awx -``` - + +# Ansible AWX + + + +![Version: 3.4.0](https://img.shields.io/badge/Version-3.4.0-informational?style=flat-square) ![AppVersion: 17.1.0](https://img.shields.io/badge/AppVersion-17.1.0-informational?style=flat-square) + +AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX. + +**Homepage:** + +## Installation + +Add our repo: + +```bash +helm repo add adwerx https://adwerx.github.io/charts +``` + +Install the chart: + +```bash +helm install adwerx/awx +``` + ## Maintainers | Name | Email | Url | | ---- | ------ | --- | -| Josh Bielick | | https://github.com/jbielick | - +| Josh Bielick | | https://github.com/jbielick | + ## Source Code -* - +* + ## Requirements | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | postgresql | 10.5.0 | - -## Job Isolation and Security Context - -Ansible AWX task runners employ a legacy process isolation for playbook runs (jobs) via [bubblewrap](https://github.com/containers/bubblewrap). The purpose of this isolation is [to restrict access to shared AWX subsystems, which could be multi-tenant](https://github.com/ansible/awx/pull/7188#issuecomment-636069719)—access the AWX task pod has and could be exploited. 
If you are not using AWX in a multi-tenant fashion and trust users writing playbooks to have full access to a Pod in your cluster, you may choose to disable bubblewrap. If you'd like to retain bubblewrap isolation on playbook runs in a kubernetes deployment, you'll need to run the AWX task pods with a privileged security context (PR welcome). - -Per the AWX documentation, if you choose to turn off Job Isolation you can do so by following the instructions below: - -> **Disabling bubblewrap support:** -> To disable bubblewrap support for running jobs (playbook runs only), ensure you are logged in as the Admin user and click on the settings gear settings in the upper right-hand corner. Click on the “Configure Tower” box, then click on the “Jobs” tab. Scroll down until you see “Enable Job Isolation” and change the radio button selection to “off”. - -[More information on the future of playbook isolation here](https://github.com/ansible/awx/issues/7060) - +| https://charts.bitnami.com/bitnami | postgresql | 10.5.0 | + +## Job Isolation and Security Context + +Ansible AWX task runners employ a legacy process isolation for playbook runs (jobs) via [bubblewrap](https://github.com/containers/bubblewrap). The purpose of this isolation is [to restrict access to shared AWX subsystems, which could be multi-tenant](https://github.com/ansible/awx/pull/7188#issuecomment-636069719)—access the AWX task pod has and could be exploited. If you are not using AWX in a multi-tenant fashion and trust users writing playbooks to have full access to a Pod in your cluster, you may choose to disable bubblewrap. If you'd like to retain bubblewrap isolation on playbook runs in a kubernetes deployment, you'll need to run the AWX task pods with a privileged security context (PR welcome). 
+ +Per the AWX documentation, if you choose to turn off Job Isolation you can do so by following the instructions below: + +> **Disabling bubblewrap support:** +> To disable bubblewrap support for running jobs (playbook runs only), ensure you are logged in as the Admin user and click on the settings gear settings in the upper right-hand corner. Click on the “Configure Tower” box, then click on the “Jobs” tab. Scroll down until you see “Enable Job Isolation” and change the radio button selection to “off”. + +[More information on the future of playbook isolation here](https://github.com/ansible/awx/issues/7060) + ## Values | Key | Type | Default | Description | @@ -66,6 +66,7 @@ Per the AWX documentation, if you choose to turn off Job Isolation you can do so | default_admin_user | string | `nil` | | | extraConfiguration | string | `"# INSIGHTS_URL_BASE = \"https://example.org\""` | | | extraVolumes | list | `[]` | | +| extraEnv | list | `[]` | | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ansible/awx"` | | @@ -98,4 +99,4 @@ Per the AWX documentation, if you choose to turn off Job Isolation you can do so | tolerations | string | `nil` | | | web.extraVolumeMounts | list | `[]` | | | web.extraVolumes | list | `[]` | | -| web.resources | object | `{}` | | +| web.resources | object | `{}` | | diff --git a/awx/templates/_helpers.tpl b/awx/templates/_helpers.tpl index 39a548b..c703bd9 100644 --- a/awx/templates/_helpers.tpl +++ b/awx/templates/_helpers.tpl @@ -134,4 +134,7 @@ provides the container env definitions secretKeyRef: name: {{ include "awx.secretKeySecretName" . }} key: SECRET_KEY +{{- if .Values.extraEnv }} +{{ toYaml .Values.extraEnv}} +{{- end }} {{- end -}} diff --git a/awx/values.yaml b/awx/values.yaml index f2c8c99..4a1d4a7 100644 --- a/awx/values.yaml +++ b/awx/values.yaml 
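Review bot: The `extraEnv` entries in awx/templates/_helpers.tpl are rendered after the chart's own env definitions, so an entry that reuses a chart-managed name such as `SECRET_KEY` becomes a duplicate in the container's `env` list; Kubernetes generally lets the later entry take effect, which would silently replace the `secretKeyRef` wiring shown just above. Consider documenting the chart-managed names as reserved, or failing the render on a collision. `{{ toYaml .Values.extraEnv}}` also emits the list at column 0, which is only correct if the rest of this helper is written at column 0 and indented by its callers; the helper starts outside the hunk and its indentation is not visible here, so please confirm. Because the value accepts full EnvVar objects, the bare `extraEnv: []` default in awx/values.yaml and the blank README description should carry a short `valueFrom.secretKeyRef` example, so credentials are not supplied as literal `value:` strings that end up in the rendered manifest and the stored Helm release.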
@@ -11,6 +11,7 @@ image:
 tag: "17.1.0"
 pullPolicy: IfNotPresent
 extraVolumes: []
+extraEnv: []
 nodeSelector:
 affinity:
 tolerations:
From 6002f1138cab6587a570ba08c479f1bad2e9840c Mon Sep 17 00:00:00 2001
From: Benjamin Losson
Date: Thu, 2 Jun 2022 14:42:32 +0200
Subject: [PATCH 2/2] removing unsued image
---
 awx/requirements.lock | 6 ------
 awx/requirements.yaml | 5 -----
 2 files changed, 11 deletions(-)
 delete mode 100644 awx/requirements.lock
 delete mode 100644 awx/requirements.yaml
diff --git a/awx/requirements.lock b/awx/requirements.lock
deleted file mode 100644
index ef4a7fa..0000000
--- a/awx/requirements.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 10.5.0
-digest: sha256:34c95197cd12ff7e4a0d638c521a2313b1f5551edc6f690614de11886605b38b
-generated: "2021-06-25T17:05:37.094846-04:00"
diff --git a/awx/requirements.yaml b/awx/requirements.yaml
deleted file mode 100644
index 9b7a993..0000000
--- a/awx/requirements.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-dependencies:
- - name: postgresql
- version: "10.5.0"
- repository: https://charts.bitnami.com/bitnami
- condition: postgresql.enabled