How to pass log aggregator username and password using secrets in Ansible Automation Platform on OpenShift


Environment

  • Ansible Automation Platform 2.x
  • OpenShift 4.x

Issue

  • Provide the external log aggregator username and password through secrets for operator-based deployment of Ansible Automation Platform on OpenShift

Resolution

1) Enable external log aggregation through the UI, but do not enter the username and password there, because that information is lost when the Controller pod restarts.

Settings > Logging > fill in "Logging Aggregator Type" and "Logging Aggregator" > turn on the "Enable External Logging" toggle

2) Create a secret containing the username and password for the log aggregator

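kind: Secret
apiVersion: v1
metadata:
  name: controller-extra-config
  namespace: aap
# stringData takes plain text; values under data must be base64-encoded
stringData:
  # literal block (|) keeps each setting on its own line of custom.py
  custom.py: |
    # replace the placeholder values with the real credentials
    LOG_AGGREGATOR_USERNAME = "username"
    LOG_AGGREGATOR_PASSWORD = "password"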

3) Create an extra_volumes entry in the controller spec for this secret

  extra_volumes: |
    - name: custom-py
      secret:
        secretName: controller-extra-config
        items:
          - key: custom.py
            path: custom.py

4) Create a web_extra_volume_mounts entry in the controller spec to mount this volume

  web_extra_volume_mounts: |
    - name: custom-py
      mountPath: /etc/tower/conf.d/custom.py
      subPath: custom.py
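
Because custom.py is mounted into /etc/tower/conf.d/ as Python source, a password containing quotes or backslashes must be escaped as a Python literal or the file will not parse. The script below is an added example, not part of the original solution or of Red Hat's tooling: it renders custom.py with repr(), builds the Secret from step 2 with the content base64-encoded under data, and reads it back to confirm the values survive. The function names are hypothetical and the credentials are constructed sample values.

```python
import ast
import base64
import json


def render_custom_py(username, password):
    """Render the two settings as Python source; repr() escapes quotes and backslashes."""
    return (
        f"LOG_AGGREGATOR_USERNAME = {username!r}\n"
        f"LOG_AGGREGATOR_PASSWORD = {password!r}\n"
    )


def build_secret(username, password, name="controller-extra-config", namespace="aap"):
    """Build the Secret from step 2; values under `data` must be base64-encoded."""
    source = render_custom_py(username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"custom.py": base64.b64encode(source.encode()).decode("ascii")},
    }


def read_settings(secret):
    """Decode custom.py from a Secret dict and return its literal assignments."""
    raw = base64.b64decode(secret["data"]["custom.py"], validate=True)
    settings = {}
    for node in ast.parse(raw.decode()).body:  # SyntaxError if the source is broken
        target = node.targets[0] if isinstance(node, ast.Assign) else None
        if not isinstance(target, ast.Name) or len(node.targets) != 1:
            raise ValueError("custom.py should contain only simple assignments")
        settings[target.id] = ast.literal_eval(node.value)
    return settings


if __name__ == "__main__":
    # Constructed sample credentials with characters that break naive quoting.
    sample_password = 'p@ss"w\'ord\\1'
    secret = build_secret("svc-logging", sample_password)
    assert read_settings(secret)["LOG_AGGREGATOR_PASSWORD"] == sample_password
    # The output contains the credentials; JSON manifests are accepted by `oc apply -f -`.
    print(json.dumps(secret, indent=2))
```
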

Root Cause

  • Log aggregator values are not persistent when set through the Controller UI. They can instead be passed as extra_settings in the AAP CR spec, but that is not secure.
  • This solution describes an alternative: passing the log aggregator variables in a secret.
  • The idea is that the AAP CR spec is the source of truth and takes the highest precedence over any setting made in the UI.
