Difference between revisions of "Install AWX on K3S"

From Bitbull Wiki
Jump to navigation Jump to search
(Created page with "Since version 18, AWX, the comunity edition of ansible tower gets deployed by a kubernetes operator. This makes it easier to install and maintain the installation, but not all...")
 
 
(25 intermediate revisions by the same user not shown)
Line 1: Line 1:
Since version 18, AWX, the comunity edition of ansible tower gets deployed by a kubernetes operator.
+
Since version 18, AWX, the comunity edition of ansible tower gets deployed by a kubernetes operator.<br>
This makes it easier to install and maintain the installation, but not all of us are familiar with kubernetes and operators.
+
This makes it easier to install and maintain the installation, but not all of us are familiar with kubernetes and operators.<br>
So I share a short step by step guide on how to setup ansible awx in a "semi professional" way on a single k3s kubernetes node.
+
So I share a short step by step guide on how to setup ansible awx in a "semi professional" way on a single k3s kubernetes node.<br>
  
 
=VM Setup=
 
=VM Setup=
Line 14: Line 14:
 
==Prepare OS==
 
==Prepare OS==
 
  dnf -y upgrade
 
  dnf -y upgrade
  dnf -y install setroubleshoot-server curl lsof wget
+
  dnf -y install setroubleshoot-server curl lsof wget make
  
 
  sed -i  '/swap/d' /etc/fstab
 
  sed -i  '/swap/d' /etc/fstab
Line 23: Line 23:
 
  firewall-cmd --reload
 
  firewall-cmd --reload
 
  reboot
 
  reboot
 +
 +
  
  
 
=Setup K3S=
 
=Setup K3S=
  
export INSTALL_K3S_EXEC="--etcd-snapshot-schedule-cron='0 */12 * * *' --etcd-snapshot-retention=14"
+
  curl -sfL https://get.k3s.io | sh
  curl -sfL https://get.k3s.io | sh -
 
  
 
  cat /etc/systemd/system/k3s.service
 
  cat /etc/systemd/system/k3s.service
Line 36: Line 37:
 
  # all pods in running state? fine!
 
  # all pods in running state? fine!
 
  kubectl get pods --all-namespaces
 
  kubectl get pods --all-namespaces
 +
 +
# install kustomize
 +
cd /usr/local/sbin/
 +
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
  
 
=Deploy AWX=
 
=Deploy AWX=
==Deploy the AWX operator==
+
<pre>
kubectl config set-context --current --namespace=default
+
export NAMESPACE=awx
kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/devel/deploy/awx-operator.yaml
+
kubectl create namespace $NAMESPACE
 +
kubectl config set-context --namespace=$NAMESPACE --current
  
===wait until image got pulled===
+
cd ; mkdir awx ; cd awx
kubectl get events -w --all-namespaces
+
vim kustomization.yaml
 +
------------
 +
---
 +
apiVersion: kustomize.config.k8s.io/v1beta1
 +
kind: Kustomization
 +
resources:
 +
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
 +
  - github.com/ansible/awx-operator/config/default?ref=0.20.0
 +
  - awx-bitbull.yml
  
===check for running operator pod===
+
# Set the image tags to match the git version from above
kubectl get pods
+
images:
 
+
  - name: quay.io/ansible/awx-operator
===optionally check the operators logs===
+
    newTag: 0.20.0
kubectl logs -f deployment.apps/awx-operator
 
  
==Deploy AWX Application==
+
# Specify a custom namespace in which to install AWX
- first we create a namespace for our setup
+
namespace: awx
kubectl create namespace awx
+
------------
kubectl config set-context --current --namespace=awx
 
  
* <tt>vim myawx.yml</tt>
+
vim awx-bitbull.yml
<pre>
+
------------
 
---
 
---
 
apiVersion: awx.ansible.com/v1beta1
 
apiVersion: awx.ansible.com/v1beta1
 
kind: AWX
 
kind: AWX
 
metadata:
 
metadata:
   name: awx
+
   name: bitbull
 
spec:
 
spec:
   tower_ingress_type: Ingress
+
   ingress_type: route
</pre>
+
  route_host: ansible.apps.bitbull.ch
 
+
  route_tls_termination_mechanism: Edge
 
+
------------
* <tt>kubectl apply -f myawx.yml</tt>
 
 
 
===wait until images got pulled===
 
kubectl get events -w --all-namespaces
 
 
 
kubectl logs -f deployment.apps/awx-operator -n default
 
 
 
* Wait for operator to finish the deployment of awx
 
<pre>
 
PLAY RECAP *********************************************************************
 
localhost: ok=42 changed=0 unreachable=0 failed=0 skipped=30 rescued=0 ignored=0
 
</pre>
 
 
 
===Verify the deployment staus===
 
two pods must be in running state
 
kubectl get pods
 
  
===Verify awx service===
+
kustomize build . | kubectl apply -f -
notice the service port 80 for awx
 
kubectl get svc
 
<pre>
 
NAME          TYPE        CLUSTER-IP      EXTERNAL-IP  PORT(S)        AGE
 
awx-postgres  ClusterIP  None            <none>        5432/TCP      35m
 
awx-service    NodePort    10.3.12.26      <none>        80:31982/TCP  35m
 
</pre>
 
  
=Deploy the ingress entry point by traefik=
 
* <tt>vi ingress.yml</tt>
 
<pre>
 
---
 
apiVersion: networking.k8s.io/v1
 
kind: Ingress
 
metadata:
 
  name: minimal-ingress
 
  annotations:
 
    nginx.ingress.kubernetes.io/rewrite-target: /
 
spec:
 
  rules:
 
  - http:
 
      paths:
 
      - path: /
 
        pathType: Prefix
 
        backend:
 
          service:
 
            name: awx-service
 
            port:
 
              number: 80
 
 
</pre>
 
</pre>
  
kubectl apply -f ingress.yml
+
[[Category:Ansible]]
 
+
[[Category:K3S]]
 +
[[Category:OpenShift & K8S]]
  
 
=Fetch the secret and test the login=
 
=Fetch the secret and test the login=
  kubectl get secret awx-admin-password -o jsonpath='{.data.password}' | base64 --decode
+
  kubectl get secret bitbull-admin-password -o jsonpath='{.data.password}' | base64 --decode
  
  firefox https://fqdn
+
  firefox https://fqdn.domain.com
 
* user: admin
 
* user: admin
  
Line 154: Line 123:
  
 
  kubectl exec --stdin --tty <pod-name> -c <container-name> -- /bin/bash
 
  kubectl exec --stdin --tty <pod-name> -c <container-name> -- /bin/bash
 +
 +
=Notes=
 +
==Backup==
 +
 +
vim awx-backup.yml
 +
<pre>
 +
---
 +
apiVersion: awx.ansible.com/v1beta1
 +
kind: AWXBackup
 +
metadata:
 +
  name: awxbackup-20220311
 +
  namespace: awx
 +
spec:
 +
  deployment_name: awx
 +
...
 +
</pre>
 +
 +
oc apply -f awx-backup.yml
 +
 +
oc get awxbackups awxbackup-20220311 -o yaml
 +
 +
<pre>
 +
apiVersion: awx.ansible.com/v1beta1
 +
kind: AWXBackup
 +
...
 +
name: awxbackup-20220311
 +
...
 +
status:
 +
  backupClaim: awx-backup-claim
 +
  backupDirectory: /backups/tower-openshift-backup-2022-03-11-05:45:56
 +
  conditions:
 +
  - lastTransitionTime: "2022-03-11T05:45:07Z"
 +
    reason: Successful
 +
    status: "True"
 +
    type: Running
 +
</pre>
 +
 +
Keep that as well for DR reason
 +
oc get awxbackups awxbackup-20220311 -o yaml > awxbackup-20220311.yml
 +
 +
<pre>
 +
ll /srv/nfs/pv05/tower-openshift-backup-2022-03-11-05\:45\:56/
 +
total 13072
 +
-rw-r--r--. 1 1000680000 root      600 Mar 11 06:46 awx_object
 +
-rw-r--r--. 1 1000680000 root      670 Mar 11 06:46 secrets.yml
 +
-rw-------. 1 1000680000 root 13377441 Mar 11 06:46 tower.db
 +
</pre>
 +
 +
==Restore==
 +
vim awx-restore.yml
 +
<pre>
 +
---
 +
apiVersion: awx.ansible.com/v1beta1
 +
kind: AWXRestore
 +
metadata:
 +
  name: awxrestore-20230221
 +
  namespace: awx
 +
spec:
 +
  deployment_name: bitbull
 +
  backup_pvc_namespace: awx
 +
  backup_dir: /backups/tower-openshift-backup-2023-02-20-17:04:58
 +
  backup_pvc: awx-backup-claim
 +
...
 +
</pre>
 +
 +
oc apply -f awx-restore.yml
 +
 +
oc get awxrestores -o yaml
 +
 +
[[Category:Ansible]]
 +
[[Category:K3S]]
 +
[[Category:OpenShift & K8S]]
 +
 +
==okd 4.10 instance template==
 +
<pre>
 +
apiVersion: awx.ansible.com/v1beta1
 +
kind: AWX
 +
metadata:
 +
  name: bitbull
 +
spec:
 +
  ingress_type: route
 +
  route_host: awx.domain.com
 +
  route_tls_termination_mechanism: edge
 +
</pre>
 +
 +
 +
 +
 +
 +
==AWX CLI==
 +
* https://github.com/ansible/awx/blob/devel/INSTALL.md#installing-the-awx-cli
 +
<pre>
 +
pip3 install awxkit
 +
export TOWER_HOST=https://awx.domain.com TOWER_USERNAME=admin TOWER_PASSWORD=xxx
 +
awx login admin
 +
awx export > export.json
 +
</pre>
 +
 +
[[Category:Ansible]]
 +
[[Category:K3S]]
 +
[[Category:OpenShift & K8S]]

Latest revision as of 13:00, 21 February 2023

Since version 18, AWX, the comunity edition of ansible tower gets deployed by a kubernetes operator.
This makes it easier to install and maintain the installation, but not all of us are familiar with kubernetes and operators.
So I share a short step by step guide on how to setup ansible awx in a "semi professional" way on a single k3s kubernetes node.

1 VM Setup

1.1 VM requirements

Just setup a CentOS8 minimal VM with the following requirements

  • OS: centos8 minimal
  • CPU: 2
  • MEM: 8GB (6 GB may work as well)
  • DISK: 40G (7GB used on a fresh setup)

1.2 Prepare OS

dnf -y upgrade
dnf -y install setroubleshoot-server curl lsof wget make

sed -i  '/swap/d' /etc/fstab
swapoff -a

firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload
reboot



2 Setup K3S

curl -sfL https://get.k3s.io | sh

cat /etc/systemd/system/k3s.service
systemctl status k3s

kubectl get nodes
# all pods in running state? fine!
kubectl get pods --all-namespaces

# install kustomize
cd /usr/local/sbin/
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash

3 Deploy AWX

export NAMESPACE=awx
kubectl create namespace $NAMESPACE
kubectl config set-context --namespace=$NAMESPACE --current

cd ; mkdir awx ; cd awx
vim kustomization.yaml
------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=0.20.0
  - awx-bitbull.yml

# Set the image tags to match the git version from above
images:
  - name: quay.io/ansible/awx-operator
    newTag: 0.20.0

# Specify a custom namespace in which to install AWX
namespace: awx
------------

vim awx-bitbull.yml
------------
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: bitbull
spec:
  ingress_type: route
  route_host: ansible.apps.bitbull.ch
  route_tls_termination_mechanism: Edge
------------

kustomize build . | kubectl apply -f -

4 Fetch the secret and test the login

kubectl get secret bitbull-admin-password -o jsonpath='{.data.password}' | base64 --decode

firefox https://fqdn.domain.com
  • user: admin

5 Links

6 Debug Notes

6.1 Open Node Port for direct access

PORT=$(kubectl describe svc awx-service | grep NodePort: | awk '{print $3}' | tr 'A-Z' 'a-z')
echo PORT=$PORT
firewall-cmd --zone=public --add-port=$PORT

6.2 Disable SELinux

setenforce 0
> /var/log/audit/audit.log 
# do some bad things
sealert -a /var/log/audit/audit.log

6.3 Traefik Config

- https://levelup.gitconnected.com/a-guide-to-k3s-ingress-using-traefik-with-nodeport-6eb29add0b4b 

kubectl -n kube-system edit cm traefik

6.4 Jump into container for debugging

# get pods
kubectl get pods
# get containers inside of pods
kubectl describe <pod-name>

kubectl exec --stdin --tty <pod-name> -c <container-name> -- /bin/bash

7 Notes

7.1 Backup

vim awx-backup.yml

---
apiVersion: awx.ansible.com/v1beta1
kind: AWXBackup
metadata:
  name: awxbackup-20220311
  namespace: awx
spec:
  deployment_name: awx
...

oc apply -f awx-backup.yml

oc get awxbackups awxbackup-20220311 -o yaml

apiVersion: awx.ansible.com/v1beta1
kind: AWXBackup
...
name: awxbackup-20220311
...
status:
  backupClaim: awx-backup-claim
  backupDirectory: /backups/tower-openshift-backup-2022-03-11-05:45:56
  conditions:
  - lastTransitionTime: "2022-03-11T05:45:07Z"
    reason: Successful
    status: "True"
    type: Running

Keep that as well for DR reason 

oc get awxbackups awxbackup-20220311 -o yaml > awxbackup-20220311.yml

ll /srv/nfs/pv05/tower-openshift-backup-2022-03-11-05\:45\:56/
total 13072
-rw-r--r--. 1 1000680000 root      600 Mar 11 06:46 awx_object
-rw-r--r--. 1 1000680000 root      670 Mar 11 06:46 secrets.yml
-rw-------. 1 1000680000 root 13377441 Mar 11 06:46 tower.db

7.2 Restore

vim awx-restore.yml

---
apiVersion: awx.ansible.com/v1beta1
kind: AWXRestore
metadata:
  name: awxrestore-20230221
  namespace: awx
spec:
  deployment_name: bitbull
  backup_pvc_namespace: awx
  backup_dir: /backups/tower-openshift-backup-2023-02-20-17:04:58
  backup_pvc: awx-backup-claim
...

oc apply -f awx-restore.yml

oc get awxrestores -o yaml

7.3 okd 4.10 instance template

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: bitbull
spec:
  ingress_type: route
  route_host: awx.domain.com
  route_tls_termination_mechanism: edge



7.4 AWX CLI

pip3 install awxkit
export TOWER_HOST=https://awx.domain.com TOWER_USERNAME=admin TOWER_PASSWORD=xxx
awx login admin
awx export > export.json
Retrieved from "http://www.bitbull.ch/wiki/index.php?title=Install_AWX_on_K3S&oldid=5645"