Add support for HTTPs when using NodePort. #1688
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces two new options: - 'nodeport_protocol' - selectable 'http'(default)/'https' - 'nodeport_tls_secret' - name of secret containing TLS certificate and key When 'nodeport_protocol' is set to 'https' the 'nodeport_tls_secret' must contain name of secret containing TLS key and certifacate that will be used by nginx in AWX web container exposing HTTPS traffic through NodePort. Github issues asking for https on nodeport support: ansible#1559, ansible#1563
9 tasks
| - port: 80 | ||
| protocol: TCP | ||
| targetPort: 8052 | ||
| name: http | ||
| {% if nodeport_port is defined %} | ||
| nodePort: {{ nodeport_port }} | ||
| {% endif %} | ||
| {% elif service_type | lower == "nodeport" and nodeport_protocol | lower == "https" %} | ||
| - port: 80 |
There was a problem hiding this comment.
Thank you, that is nice catch! yes it should be 443 for consistency. Now addressed in commit 778b32d
|
I haven't looked closely yet, but we should double-check and make sure that there are not any changes needed in the nginx.conf: |
Yes, this PR is adjusting the nginx.conf - more specifically the "https nodeport" is using same config as the "route passthrough". Or you mean if there are any changes needed inside (lines 131-139) ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Add support for HTTPs when using NodePort.
Introduces two new options:
nodeport_protocol- selectablehttp(default)/httpsnodeport_tls_secret- name of secret containing TLS certificate and keyWhen
nodeport_protocolis set tohttpsthenodeport_tls_secretmust contain name of secret containing TLS key and certificate that will be used by nginx in AWX web container exposing HTTPS traffic through NodePort.Github issues asking for https on nodeport support: #1559, #1563
ISSUE TYPE
ADDITIONAL INFORMATION
Tested on kubernetes 1.28.5, deploying AWX 23.5.1.
Unless the
nodeport_protocol: httpsis specified in spec there should be no change in behaviour (NodePort will be HTTP without encryption).When
nodeport_protocol: httpsis specified in spec then code will add secret specified innodeport_tls_secretto web container so that nginx running inside can read both TLS key and certificate from it. Additionally nginx configuration in such case will include SSL configuration on port 8053 and the service pointing to web container will point to port 8053 where HTTPS is exposed instead of the port 8052 with HTTP traffic.A lot of changes are re-using logic from Route TLS configuration. Documentation was updated as well to contain both original example with NodePort operating in HTTP mode and new changed configuration showing the use of HTTPS.
Why is this change useful? To allow kubernetes without ingress to expose AWX web interface via HTTPS - this allows the awx.awx ansible modules to be used as they require the encrypted connection (plain HTTP will not work with them).
Comment and suggestions are welcomed. My responses may be delayed during weekdays.