expand/awx-on-k3s
1
0
Fork 0
mirror of https://github.com/Expand-sys/awx-on-k3s synced 2025-12-16 05:52:15 +11:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #279 from kurokobo/hsts

Browse source 
feat: replace guide for https redirection with the guide to enable hsts
This commit is contained in:
kurokobo 2023-11-10 23:11:46 +09:00 committed by GitHub
commit ebe3206c62
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 182 additions and 169 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -247,7 +247,7 @@ Now your AWX is available at `https://awx.example.com/` or the hostname you spec
Note that you have to access via hostname that you specified in `base/awx.yaml`, instead of IP address, since this guide uses Ingress. So you should configure your DNS or `hosts` file on your client where the browser is running.
At this point, AWX can be accessed via HTTP as well as HTTPS. If you want to redirect HTTP to HTTPS, see [📝Tips: Redirect HTTP to HTTPS](tips/https-redirection.md).
At this point, AWX can be accessed via HTTP as well as HTTPS. If you want to force users to use HTTPS, see [📝Tips: Enable HTTP Strict Transport Security (HSTS)](tips/enable-hsts.md).
## Back up and Restore AWX using AWX Operator
@ -287,7 +287,7 @@ Refer [📁 **Back up AWX using AWX Operator**](backup) and [📁 **Restore AWX
- [📝Deploy AWX using external PostgreSQL database](tips/external-db.md)
- [📝Trust custom Certificate Authority](tips/trust-custom-ca.md)
- [📝Expose `/etc/hosts` to Pods on K3s](tips/expose-hosts.md)
- [📝Redirect HTTP to HTTPS](tips/https-redirection.md)
- [📝Enable HTTP Strict Transport Security (HSTS)](tips/enable-hsts.md)
- [📝Use HTTP proxy](tips/use-http-proxy.md)
- [📝Uninstall deployed resources](tips/uninstall.md)
- [📝Deploy older version of AWX Operator](tips/deploy-older-operator.md)

2
restore/README.md
View file

@ -20,7 +20,7 @@ To perform restoration, you need to have AWX Operator running on Kubernetes. If
It is strongly recommended that the version of AWX Operator is the same as the version when the backup was taken. This is because the structure of the backup files differs between versions and may not be compatible. If you have upgraded AWX Operator after taking the backup, it is recommended to downgrade AWX Operator first before performing the restore. To deploy `0.13.0` or earlier version of AWX Operator, refer [📝Tips: Deploy older version of AWX Operator](../tips/deploy-older-operator.md)
Some manual additions, such as [the https redirection](../tips/https-redirection.md) or [similar tips](../tips/README.md) will not be restored automatically, and will have to be reapplied after restoring. AWX may not be fully functional depending on the missing manual additions after restoring.
Some manual additions, such as [the HSTS configuration](../tips/enable-hsts.md) or [similar tips](../tips/README.md) will not be restored automatically, and will have to be reapplied after restoring. AWX may not be fully functional depending on the missing manual additions after restoring.
### Prepare for Restore

2
tips/README.md
View file

@ -4,7 +4,7 @@
- [📝Deploy AWX using external PostgreSQL database](external-db.md)
- [📝Trust custom Certificate Authority](trust-custom-ca.md)
- [📝Expose `/etc/hosts` to Pods on K3s](expose-hosts.md)
- [📝Redirect HTTP to HTTPS](https-redirection.md)
- [📝Enable HTTP Strict Transport Security (HSTS)](enable-hsts.md)
- [📝Use HTTP proxy](use-http-proxy.md)
- [📝Uninstall deployed resources](uninstall.md)
- [📝Deploy older version of AWX Operator](deploy-older-operator.md)

176
tips/enable-hsts.md Normal file
View file

@ -0,0 +1,176 @@
<!-- omit in toc -->
# Enable HTTP Strict Transport Security (HSTS)
Traefik, the default Ingress controller for K3s, listens for access over both HTTP and HTTPS by default, but can be configured to force users to use HTTPS.
To achieve this, this guide provides the steps to enable [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
<!-- omit in toc -->
## Table of Contents
- [Procedure](#procedure)
- [Prepare Traefik](#prepare-traefik)
- [Note for restoring AWX that uses HSTS](#note-for-restoring-awx-that-uses-hsts)
- [Patch your AWX to enable HSTS](#patch-your-awx-to-enable-hsts)
- [Patch your AWX using Kustomize](#patch-your-awx-using-kustomize)
- [Patch your AWX manually](#patch-your-awx-manually)
- [Enable HSTS for other services in this repository](#enable-hsts-for-other-services-in-this-repository)
## Procedure
Note that the method described in this page is applicable only when Traefik is used as Ingress Controller.
### Prepare Traefik
To enable HSTS, you need to deploy a middleware with [customized headers](https://doc.traefik.io/traefik/middlewares/http/headers/).
Since this can be referenced from other namespaces, in this guide it will be created in the `kube-system` namespace for ease of sharing.
```bash
cat <<EOF > middleware.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
namespace: kube-system
name: hsts
spec:
headers:
sslRedirect: true
forceSTSHeader: true
stsSeconds: 63072000
stsIncludeSubdomains: true
stsPreload: true
EOF
kubectl -n kube-system apply -f middleware.yaml
kubectl -n kube-system get middleware
```
#### Note for restoring AWX that uses HSTS
When deploying the middleware, it will not be part of the [restore instructions in the restore guide](../restore/README.md).
Traefik will assume the middleware is present when the restore is complete, but you will have to reapply the middleware in the `kube-system` namespace if it is not already present, e.g. after restoring to a fresh node.
### Patch your AWX to enable HSTS
To enable HSTS for your AWX, the Ingress resource must have the following annotation.
```bash
annotations:
traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd
```
AWX Operator allows you to add any annotations to your Ingress by `ingress_annotations` parameter for AWX. Here are two ways to add `ingress_annotations` parameter.
- Patch your AWX using Kustomize
- Patch your AWX manually
#### Patch your AWX using Kustomize
In this repository, Kustomize was used to deploy AWX. If you still have the files you used for your first deployment, it is easy to use them again to modify AWX.
Add these two lines to your `awx.yaml`,
```yaml
spec:
...
ingress_annotations: | 👈👈👈
traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd 👈👈👈
```
then invoke `apply` again. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
```bash
$ kubectl apply -k base
namespace/awx unchanged
secret/awx-admin-password unchanged
secret/awx-postgres-configuration unchanged
secret/awx-secret-tls configured
persistentvolume/awx-postgres-13-volume unchanged
persistentvolume/awx-projects-volume unchanged
persistentvolumeclaim/awx-projects-claim unchanged
awx.awx.ansible.com/awx configured 👈👈👈
```
Once this completed, the logs of `deployments/awx-operator-controller-manager` end with:
```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost : ok=** changed=0 unreachable=0 failed=0 skipped=** rescued=0 ignored=0
```
You can confirm that the annotations will be added to the Ingress resource.
```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
...
"traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"
}
```
Now the HSTS should be working. Go to `http://awx.example.com/` (HTTP) or the hostname you specified and make sure you are redirected to `https://awx.example.com/` (HTTPS).
#### Patch your AWX manually
You can patch the AWX resource with the following command. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
```bash
kubectl -n awx patch awx awx --type=merge \
-p '{"spec": {"ingress_annotations": "traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd"}}'
```
Once this completed, the logs of `deployments/awx-operator-controller-manager` end with:
```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost : ok=** changed=0 unreachable=0 failed=0 skipped=** rescued=0 ignored=0
```
You can confirm that the annotations will be added to the Ingress resource.
```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
...
"traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"
}
```
Now the HSTS should be working. Go to `http://awx.example.com/` (HTTP) or the hostname you specified and make sure you are redirected to `https://awx.example.com/` (HTTPS).
## Enable HSTS for other services in this repository
You can also enable HSTS for [Git repository](../git/), [container registry](../registry) and [Galaxy NG](../galaxy), which are included in this repository, by configuring Ingress as well.
Add the following lines to the `ingress.yaml` for each resource,
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: <resource name>
annotations: 👈👈👈
traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd 👈👈👈
...
```
and `apply` them by Kustomize as you did the first time you deployed it.
```bash
kubectl apply -k <path>
```
Or you can also patch Ingress resources directly.
```bash
kubectl -n <namespace> patch ingress <resource name> --type=merge \
-p '{"metadata": {"annotations": {"traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"}}}'
```

167
tips/https-redirection.md
View file

@ -1,168 +1,5 @@
<!-- omit in toc -->
# Redirect HTTP to HTTPS
Traefik, the default Ingress controller for K3s, listens for access over both HTTP and HTTPS by default, but can be configured to redirect HTTP to HTTPS.
This guide was replaced to use HSTS, a standard, more secure method. Refer to the updated guide: [📝Tips: Enable HTTP Strict Transport Security (HSTS)](enable-hsts.md).
<!-- omit in toc -->
## Table of Contents
- [Procedure](#procedure)
- [Prepare Traefik](#prepare-traefik)
- [Restoring using Redirect HTTP to HTTPS](#restoring-using-redirect-http-to-https)
- [Patch your AWX to enable HTTPS redirection](#patch-your-awx-to-enable-https-redirection)
- [Patch your AWX using Kustomize](#patch-your-awx-using-kustomize)
- [Patch your AWX manually](#patch-your-awx-manually)
- [Enable redirects for other services in this repository](#enable-redirects-for-other-services-in-this-repository)
## Procedure
Note that the method described in this page is applicable only when Traefik is used as Ingress Controller.
### Prepare Traefik
To enable redirection, you need to deploy a middleware with [redirectScheme](https://doc.traefik.io/traefik/v2.0/middlewares/redirectscheme/).
Since this can be referenced from other namespaces, you will create it in the `default` namespace for ease of sharing.
```bash
cat <<EOF > middleware.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect
spec:
redirectScheme:
scheme: https
permanent: true
EOF
kubectl -n default apply -f middleware.yaml
kubectl -n default get middleware
```
#### Restoring using Redirect HTTP to HTTPS
When deploying the middleware, it will not be part of the [restore instructions in the restore guide](../restore/README.md). Traefik will assume the middleware is present when the restore is complete, but you will have to reapply the scheme in the `default` namespace if it is not already present, e.g. after restoring to a fresh node.
### Patch your AWX to enable HTTPS redirection
To enable redirection, the Ingress resource must have the following annotation.
```bash
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd
```
AWX Operator allows you to add any annotations to your Ingress by `ingress_annotations` parameter for AWX. Here are two ways to add `ingress_annotations` parameter.
- Patch your AWX using Kustomize
- Patch your AWX manually
#### Patch your AWX using Kustomize
In this repository, Kustomize was used to deploy AWX. If you still have the files you used for your first deployment, it is easy to use them again to modify AWX.
Add these two lines to your `awx.yaml`,
```yaml
spec:
...
ingress_annotations: | 👈👈👈
traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd 👈👈👈
```
then invoke `apply` again. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
```bash
$ kubectl apply -k base
namespace/awx unchanged
secret/awx-admin-password unchanged
secret/awx-postgres-configuration unchanged
secret/awx-secret-tls configured
persistentvolume/awx-postgres-13-volume unchanged
persistentvolume/awx-projects-volume unchanged
persistentvolumeclaim/awx-projects-claim unchanged
awx.awx.ansible.com/awx configured 👈👈👈
```
Once this completed, the logs of `deployments/awx-operator-controller-manager` end with:
```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost : ok=54 changed=0 unreachable=0 failed=0 skipped=37 rescued=0 ignored=0
```
You can confirm that the annotations will be added to the Ingress resource.
```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
...
"traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
}
```
Now the redirection should be working. Go to `http://awx.example.com/` or the hostname you specified and make sure you are redirected to `https://`.
#### Patch your AWX manually
You can patch the AWX resource with the following command. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
```bash
kubectl -n awx patch awx awx --type=merge \
-p '{"spec": {"ingress_annotations": "traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd"}}'
```
Once this completed, the logs of `deployments/awx-operator-controller-manager` end with:
```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost : ok=54 changed=0 unreachable=0 failed=0 skipped=37 rescued=0 ignored=0
```
You can confirm that the annotations will be added to the Ingress resource.
```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
...
"traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
}
```
Now the redirection should be working. Go to `http://awx.example.com/` and make sure you are redirected to `https://awx.example.com/`.
## Enable redirects for other services in this repository
You can also enable HTTPS redirection for [Git repository](../git/), [container registry](../registry) and [Galaxy NG](../galaxy), which are included in this repository, by configuring Ingress as well.
Add the following lines to the `ingress.yaml` for each resource,
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: <resource name>
annotations: 👈👈👈
traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd 👈👈👈
...
```
and `apply` them by Kustomize as you did the first time you deployed it.
```bash
kubectl apply -k <path>
```
Or you can also patch Ingress resources directly.
```bash
kubectl -n <namespace> patch ingress <resource name> --type=merge \
-p '{"metadata": {"annotations": {"traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"}}}'
```
If you want to view the old guide, move on to [the page on the old commit](https://github.com/kurokobo/awx-on-k3s/blob/2.7.1/tips/https-redirection.md).