+++ /dev/null
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-init-mgnt
- namespace: {{ include "common.namespace" . }}
-data:
- entrypoint: |
- #/bin/sh
-
- awx-manage migrate --noinput
- if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]]
- then
- echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell
- awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}'
- fi
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-settings
- namespace: {{ include "common.namespace" . }}
-data:
- awx_settings: |
- import os
- import socket
- ADMINS = ()
-
- AWX_PROOT_ENABLED = True
-
- # Automatically deprovision pods that go offline
- AWX_AUTO_DEPROVISION_INSTANCES = True
-
- SYSTEM_TASK_ABS_CPU = 6
- SYSTEM_TASK_ABS_MEM = 20
-
- INSIGHTS_URL_BASE = "https://example.org"
-
- #Autoprovisioning should replace this
- CLUSTER_HOST_ID = socket.gethostname()
- SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
-
- SESSION_COOKIE_SECURE = False
- CSRF_COOKIE_SECURE = False
-
- REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR']
-
- STATIC_ROOT = '/var/lib/awx/public/static'
- PROJECTS_ROOT = '/var/lib/awx/projects'
- JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
- SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip()
- ALLOWED_HOSTS = ['*']
- INTERNAL_API_URL = 'http://127.0.0.1:8052'
- SERVER_EMAIL = 'root@localhost'
- DEFAULT_FROM_EMAIL = 'webmaster@localhost'
- EMAIL_SUBJECT_PREFIX = '[AWX] '
- EMAIL_HOST = 'localhost'
- EMAIL_PORT = 25
- EMAIL_HOST_USER = ''
- EMAIL_HOST_PASSWORD = ''
- EMAIL_USE_TLS = False
-
- LOGGING['handlers']['console'] = {
- '()': 'logging.StreamHandler',
- 'level': 'DEBUG',
- 'formatter': 'simple',
- }
-
- LOGGING['loggers']['django.request']['handlers'] = ['console']
- LOGGING['loggers']['rest_framework.request']['handlers'] = ['console']
- LOGGING['loggers']['awx']['handlers'] = ['console']
- LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console']
- LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console']
- LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console']
- LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console']
- LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
- LOGGING['loggers']['social']['handlers'] = ['console']
- LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
- LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
- LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
- LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
- LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
- LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
- LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}
- LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'}
- LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'}
-
- CACHES = {
- 'default': {
- 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
- 'LOCATION': '{}:{}'.format("localhost", "11211")
- },
- 'ephemeral': {
- 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
- },
- }
-
- USE_X_FORWARDED_PORT = True
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-rabbitmq
- namespace: {{ include "common.namespace" . }}
-data:
- enabled_plugins: |
- [rabbitmq_management,rabbitmq_peer_discovery_k8s].
- rabbitmq.conf: |
- ## Clustering
- management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json
- cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
- cluster_formation.k8s.host = kubernetes.default.svc
- cluster_formation.k8s.address_type = ip
- cluster_formation.node_cleanup.interval = 10
- cluster_formation.node_cleanup.only_log_warning = false
- cluster_partition_handling = autoheal
- ## queue master locator
- queue_master_locator=min-masters
- ## enable guest user
- loopback_users.guest = false
- rabbitmq_definitions.json: |
- {
- "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}],
- "permissions":[
- {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"}
- ],
- "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}],
- "policies":[
- {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}}
- ]
- }
----
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-nginx-conf
- namespace: {{ include "common.namespace" . }}
- labels:
- app.kubernetes.io/name: {{ include "common.name" . }}
- helm.sh/chart: {{ include "common.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-data:
- nginx.conf: |
- worker_processes 1;
- pid /tmp/nginx.pid;
- events {
- worker_connections 1024;
- }
- http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- server_tokens off;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
- access_log /dev/stdout main;
- map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
- }
- sendfile on;
- #tcp_nopush on;
- #gzip on;
- upstream uwsgi {
- server 127.0.0.1:8050;
- }
- upstream daphne {
- server 127.0.0.1:8051;
- }
- server {
- listen 8052 default_server;
- # If you have a domain name, this is where to add it
- server_name _;
- keepalive_timeout 65;
- # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
- add_header Strict-Transport-Security max-age=15768000;
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
- # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
- add_header X-Frame-Options "DENY";
- location /nginx_status {
- stub_status on;
- access_log off;
- allow 127.0.0.1;
- deny all;
- }
- location /static/ {
- alias /var/lib/awx/public/static/;
- }
- location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
- location /websocket {
- # Pass request to the upstream alias
- proxy_pass http://daphne;
- # Require http version 1.1 to allow for upgrade requests
- proxy_http_version 1.1;
- # We want proxy_buffering off for proxying to websockets.
- proxy_buffering off;
- # http://en.wikipedia.org/wiki/X-Forwarded-For
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # enable this if you use HTTPS:
- proxy_set_header X-Forwarded-Proto https;
- # pass the Host: header from the client for the sake of redirects
- proxy_set_header Host $http_host;
- # We've set the Host header, so we don't need Nginx to muddle
- # about with redirects
- proxy_redirect off;
- # Depending on the request value, set the Upgrade and
- # connection headers
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- }
- location / {
- # Add trailing / if missing
- rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
- uwsgi_read_timeout 120s;
- uwsgi_pass uwsgi;
- include /etc/nginx/uwsgi_params;
- proxy_set_header X-Forwarded-Port 443;
- }
- }
- }
Code Review / oom.git / blobdiff