image awx-ee:latest broken for use with awx-operator #258
Comments
sgreinerCNS
changed the title
|
Encountering the same issue. This can be reproduced by draining the node they are running on, on first boot on the new node this will happen. Recreating the pod on the new node will restore functionality. k8s info: AWX Resource Details Some extra configuration that might be relevant: Above file inside the container is the CA for a local LDAP domain |
|
Our situation was similar, also involving a LDAPS CA and a CA Bundle (required because TLS Deep Inspection by Security Appliances). ---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: cns-awx
namespace: awx
spec:
image_pull_policy: Always
control_plane_ee_image: quay.io/ansible/awx-ee:23.3.0
init_container_image: quay.io/ansible/awx-ee
init_container_image_version: 24.6.1
ingress_type: Ingress
hostname: <redact>
ingress_annotations: ""
ingress_tls_secret: <redact>
admin_user: <redact>
admin_email: <redact>
admin_password_secret: <redact>
web_resource_requirements:
requests:
cpu: 200m
memory: 500Mi
task_resource_requirements:
requests:
cpu: 200m
memory: 500Mi
ldap_cacert_secret: <redact>
bundle_cacert_secret: <redact>
secret_key_secret: <redact>
projects_persistence: true
projects_existing_claim: cns-awx-storage-projects-claim
postgres_storage_requirements:
requests:
storage: 4Gi
postgres_storage_class: postgresThe ldap_cacert_secret gets the "file" ldap-ca.crt and bundle_cacert_secret get the "file" bundle-ca.crt via a secret By setting init_container_image and pinning init_container_image_version to 24.6.1 I was able to avoid the buggy awx-ee:latest which cannot set ca-certificates.crt for some reason |
|
After digging around for a while, as I've been facing the same problem in a custom EE built from Rocky Linux 9, I found out that the issue is related to changes in the After going through the RPM changelog, I noticed that not only have CA certificates been updated, but the The old script, which is also part of The new script on the other hand, which has been introduced here and its latest version can be found here is much more complex and does more things than the old script. One key change is that in addition to simply calling I was able to verify that the current EE runs if the deployment of Unfortunately I currently lack the time to submit this as a PR to additional_build_files:
- src: files/update-ca-trust
dest: files
additional_build_steps:
append_base:
# Copy legacy update-ca-trust script for compatibility with AWX Operator
- COPY --chmod=755 _build/files/update-ca-trust /usr/bin/update-ca-trustThis might also be of interest to @JoelKle who introduced this init container as part of PR #1846 in the |
If ansible-builder is not an option for you, you can also copy update-ca-trust from 24.6.1 into a custom init container built from latest in its dockerfile (or containerfile for you podman folks). |
The latest release of the update-ca-trust requires the --output param if you run as non-root user. See: https://gitlab.com/redhat/centos-stream/rpms/ca-certificates/-/commit/81a090f89a413487bb8a8677eff9bb4fb8bfbf71 And: ansible/awx-ee#258 (comment) Fixes: ansible/awx-ee#258
|
Thank you @ppmathis for your great analysis on that problem. |
The awx-web and awx-task kubernetes pods stop working with Init:CrashLoopBackOff
the reason was the init container's image quay.io/ansible/awx-ee:latest
ln: failed to create symbolic link '/etc/pki/ca-trust/extracted/pem/directory-hash/ca-certificates.crt': Permission deniedI manually edited the deployments to use quay.io/ansible/awx-ee:24.6.1 instead and the pods come up again.
Unfortunately the awx-operator wants to change it back to the broken latest tag.
The text was updated successfully, but these errors were encountered: