2 # Copyright © 2019 Bell Canada
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
20 name: {{ include "common.fullname" . }}-init-mgnt
21 namespace: {{ include "common.namespace" . }}
26 awx-manage migrate --noinput
27 if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]]
29 echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell
30 awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}'
36 name: {{ include "common.fullname" . }}-settings
37 namespace: {{ include "common.namespace" . }}
44 AWX_PROOT_ENABLED = True
46 # Automatically deprovision pods that go offline
47 AWX_AUTO_DEPROVISION_INSTANCES = True
49 SYSTEM_TASK_ABS_CPU = 6
50 SYSTEM_TASK_ABS_MEM = 20
52 INSIGHTS_URL_BASE = "https://example.org"
54 #Autoprovisioning should replace this
55 CLUSTER_HOST_ID = socket.gethostname()
56 SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
58 SESSION_COOKIE_SECURE = False
59 CSRF_COOKIE_SECURE = False
61 REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR']
63 STATIC_ROOT = '/var/lib/awx/public/static'
64 PROJECTS_ROOT = '/var/lib/awx/projects'
65 JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
66 SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip()
68 INTERNAL_API_URL = 'http://127.0.0.1:8052'
69 SERVER_EMAIL = 'root@localhost'
70 DEFAULT_FROM_EMAIL = 'webmaster@localhost'
71 EMAIL_SUBJECT_PREFIX = '[AWX] '
72 EMAIL_HOST = 'localhost'
75 EMAIL_HOST_PASSWORD = ''
78 LOGGING['handlers']['console'] = {
79 '()': 'logging.StreamHandler',
81 'formatter': 'simple',
84 LOGGING['loggers']['django.request']['handlers'] = ['console']
85 LOGGING['loggers']['rest_framework.request']['handlers'] = ['console']
86 LOGGING['loggers']['awx']['handlers'] = ['console']
87 LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console']
88 LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console']
89 LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console']
90 LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console']
91 LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
92 LOGGING['loggers']['social']['handlers'] = ['console']
93 LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
94 LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
95 LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
96 LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
97 LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
98 LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
99 LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}
100 LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'}
101 LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'}
105 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
106 'LOCATION': '{}:{}'.format("localhost", "11211")
109 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
113 USE_X_FORWARDED_PORT = True
118 name: {{ include "common.fullname" . }}-rabbitmq
119 namespace: {{ include "common.namespace" . }}
122 [rabbitmq_management,rabbitmq_peer_discovery_k8s].
125 management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json
126 cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
127 cluster_formation.k8s.host = kubernetes.default.svc
128 cluster_formation.k8s.address_type = ip
129 cluster_formation.node_cleanup.interval = 10
130 cluster_formation.node_cleanup.only_log_warning = false
131 cluster_partition_handling = autoheal
132 ## queue master locator
133 queue_master_locator=min-masters
135 loopback_users.guest = false
136 rabbitmq_definitions.json: |
138 "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}],
140 {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"}
142 "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}],
144 {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}}
152 name: {{ include "common.fullname" . }}-nginx-conf
153 namespace: {{ include "common.namespace" . }}
155 app.kubernetes.io/name: {{ include "common.name" . }}
156 helm.sh/chart: {{ include "common.chart" . }}
157 app.kubernetes.io/instance: {{ .Release.Name }}
158 app.kubernetes.io/managed-by: {{ .Release.Service }}
164 worker_connections 1024;
167 include /etc/nginx/mime.types;
168 default_type application/octet-stream;
170 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
171 '$status $body_bytes_sent "$http_referer" '
172 '"$http_user_agent" "$http_x_forwarded_for"';
173 access_log /dev/stdout main;
174 map $http_upgrade $connection_upgrade {
182 server 127.0.0.1:8050;
185 server 127.0.0.1:8051;
188 listen 8052 default_server;
189 # If you have a domain name, this is where to add it
191 keepalive_timeout 65;
192 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
193 add_header Strict-Transport-Security max-age=15768000;
194 add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
195 add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
196 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
197 add_header X-Frame-Options "DENY";
198 location /nginx_status {
205 alias /var/lib/awx/public/static/;
207 location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
208 location /websocket {
209 # Pass request to the upstream alias
210 proxy_pass http://daphne;
211 # Require http version 1.1 to allow for upgrade requests
212 proxy_http_version 1.1;
213 # We want proxy_buffering off for proxying to websockets.
215 # http://en.wikipedia.org/wiki/X-Forwarded-For
216 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
217 # enable this if you use HTTPS:
218 proxy_set_header X-Forwarded-Proto https;
219 # pass the Host: header from the client for the sake of redirects
220 proxy_set_header Host $http_host;
221 # We've set the Host header, so we don't need Nginx to muddle
222 # about with redirects
224 # Depending on the request value, set the Upgrade and
226 proxy_set_header Upgrade $http_upgrade;
227 proxy_set_header Connection $connection_upgrade;
230 # Add trailing / if missing
231 rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
232 uwsgi_read_timeout 120s;
234 include /etc/nginx/uwsgi_params;
235 proxy_set_header X-Forwarded-Port 443;