The standard AWX installation serves the UI over plain HTTP on port 80, which is unacceptable under today’s enterprise security standards. Here is how to get HTTPS working using your own certificates.
Step 1: Create Ingress Resource
Create a new file named awx-ingress.yml and add the following Ingress resource configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-ingress
  namespace: awx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
    - hosts:
        - awx.ad.asimali.com
      secretName: awx-tls-secret
  rules:
    - host: awx.ad.asimali.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: awx-service
                port:
                  number: 80
If you are using aliases, you can use something like the following:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-ingress
  namespace: awx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: traefik
  rules:
    - host: awx.ad.asimali.com
      http:
        paths:
          - backend:
              service:
                name: awx-service
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - awx.ad.asimali.com
        - ff-awx-01
        - awx
        - 10.10.10.24
      secretName: awx-tls-secret
Apply the Ingress resource using the following command:
kubectl apply -f awx-ingress.yml
Step 2: Update AWX Custom Resource (CR)
Update the AWX Custom Resource (CR) to use the Ingress with TLS configuration. Add the following lines to your AWX CR (awx.yml):
spec:
  ingress_type: ingress
  ingress_tls_secret: awx-tls-secret
  hostname: awx.ad.asimali.com
Apply the changes using the following command:
kubectl apply -f awx.yml
Step 3: Install Custom Certificates
Update the existing Kubernetes Secret with your new certificates using the following command (see the notes at the end on how to create a CSR to generate your custom certificate):
kubectl -n awx create secret tls awx-tls-secret --cert=<path-to-new-cert> --key=<path-to-new-key> --dry-run=client -o yaml | kubectl apply -f -
Replace <path-to-new-cert> with the path to your new certificate file, and <path-to-new-key> with the path to your new private key file.
Step 4: Verify the Secret
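Ensure that the secret has been updated correctly using the following command. The output includes the private key (tls.key), which is only base64-encoded and not encrypted, so keep it out of tickets and shared logs: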
kubectl -n awx get secret awx-tls-secret -o yaml
Step 5: Restart AWX Pods
Restart the AWX pods to apply the new certificates using the following commands:
kubectl -n awx rollout restart deployment awx-web
kubectl -n awx rollout restart deployment awx-task
Step 6: Verify HTTPS
To verify that HTTPS is enabled, open a web browser and navigate to https://awx.ad.mitsuk.com. You should see a secure connection indicated by a padlock icon in the browser’s address bar. You can also use the curl command to test the HTTPS connection:
curl -v https://awx.ad.asimali.com
By following these streamlined steps, you should be able to enable HTTPS and install custom certificates for your AWX setup on K3S. If you have any further questions or need additional assistance, feel free to ask!
Extra Notes:
How to create CSR for certificate request
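# Requires bash (the config is passed via process substitution).
# -nodes writes the private key unencrypted, so restrict access to awx-pri.key.
# -days has no effect on a CSR (it applies only with -x509); the CA sets the validity period.
openssl req -new -sha256 -nodes -days 1095 -out /opt/awx-operator/custom-cert/awx.csr -newkey rsa:2048 -keyout /opt/awx-operator/custom-cert/awx-pri.key -config <(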
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=GB
L=London
CN = awx.ad.asimali.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = awx.ad.asimali.com
DNS.2 = awx
IP.1 = 192.168.1.20
EOF
)
If you are using a Windows CA, copy the awx.csr file created above to the CA server and run the following command in PowerShell:
certreq -submit -attrib "CertificateTemplate:WebServer" awx.csr
Once that is complete, copy the generated certificate to the AWX server.
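Added example, not part of the original post: a pre-flight check to run on the certificate returned by the CA before Step 3 loads it into awx-tls-secret. It confirms that the key matches, that the certificate is not about to expire, and that every name clients will use is in the SAN list. The function names are illustrative, and the demo uses a constructed self-signed certificate carrying the SANs from the CSR above.

```bash
# Pre-flight checks for the CA-signed certificate (needs OpenSSL 1.1.1+).

# cert_covers NAME CERT: succeed if CERT's SAN list covers NAME (DNS name or IP).
cert_covers() {
  local flag=-checkhost
  case $1 in
    *:*) flag=-checkip ;;        # IPv6 literal
    *[!0-9.]*) ;;                # has a non-digit: treat as a DNS name
    *) flag=-checkip ;;          # digits and dots only: IPv4 literal
  esac
  openssl x509 -in "$2" -noout "$flag" "$1" 2>&1 | grep -q 'does match certificate'
}

# cert_valid_for DAYS CERT: succeed if CERT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# key_matches KEY CERT: succeed if the private key belongs to the certificate.
key_matches() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# preflight CERT KEY NAME...: print one line per failed check, non-zero on any failure.
preflight() {
  local cert="$1" key="$2" rc=0 n
  shift 2
  key_matches "$key" "$cert" || { echo "FAIL key does not match certificate"; rc=1; }
  cert_valid_for 30 "$cert" || { echo "FAIL certificate expires within 30 days"; rc=1; }
  for n in "$@"; do
    cert_covers "$n" "$cert" || { echo "FAIL no SAN entry for $n"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: throwaway self-signed cert with the SANs the CSR above requests.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=awx.ad.asimali.com" \
  -addext "subjectAltName=DNS:awx.ad.asimali.com,DNS:awx,IP:192.168.1.20" \
  -keyout "$demo/awx.key" -out "$demo/awx.crt" 2>/dev/null
# Names checked here are the tls.hosts entries from the alias Ingress in Step 1.
preflight "$demo/awx.crt" "$demo/awx.key" awx.ad.asimali.com ff-awx-01 awx 10.10.10.24 ||
  echo "align the CSR [ alt_names ] with the Ingress tls.hosts before applying"
```

The demo run reports ff-awx-01 and 10.10.10.24 as missing: the alias Ingress lists them under tls.hosts, but the CSR's [ alt_names ] section does not request them, so clients using those names would get a certificate name mismatch.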