Network and tls configuration
Network and TLS Configuration¶
Service Type¶
If the service_type is not specified, the ClusterIP service will be used for your AWX Tower service.
The service_type supported options are: ClusterIP, LoadBalancer and NodePort.
The following variables are customizable for any service_type
| Name | Description | Default |
|---|---|---|
| service_labels | Add custom labels | Empty string |
| service_annotations | Add service annotations | Empty string |
---
spec:
...
service_type: ClusterIP
service_annotations: |
environment: testing
service_labels: |
environment: testing
- LoadBalancer
The following variables are customizable only when service_type=LoadBalancer
| Name | Description | Default |
|---|---|---|
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
| loadbalancer_ip | Assign Loadbalancer IP | '' |
| loadbalancer_class | LoadBalancer class to use | '' |
---
spec:
...
service_type: LoadBalancer
loadbalancer_ip: '192.168.10.25'
loadbalancer_protocol: https
loadbalancer_port: 443
loadbalancer_class: service.k8s.aws/nlb
service_annotations: |
environment: testing
service_labels: |
environment: testing
When setting up a Load Balancer for HTTPS you will be required to set the loadbalancer_port to move the port away from 80.
The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and will offload traffic to AWX over HTTP.
- NodePort
The following variables are customizable only when service_type=NodePort
| Name | Description | Default |
|---|---|---|
| nodeport_port | Port used for NodePort | 30080 |
Ingress Type¶
By default, the AWX operator is not opinionated and won't force a specific ingress type on you. So, when the ingress_type is not specified, it will default to none and nothing ingress-wise will be created.
The ingress_type supported options are: none, ingress and route. To toggle between these options, you can add the following to your AWX CRD:
- None
- Generic Ingress Controller
The following variables are customizable when ingress_type=ingress. The ingress type creates an Ingress resource as documented which can be shared with many other Ingress Controllers as listed.
| Name | Description | Default |
|---|---|---|
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret (deprecated) | Secret that contains the TLS information | Empty string |
| ingress_class_name | Define the ingress class name | Cluster default |
| hostname (deprecated) | Define the FQDN | {{ meta.name }}.example.com |
| ingress_hosts | Define one or multiple FQDN with optional Secret that contains the TLS information | Empty string |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
| ingress_api_version | Define the Ingress resource apiVersion | 'networking.k8s.io/v1' |
---
spec:
...
ingress_type: ingress
ingress_hosts:
- hostname: awx-demo.example.com
- hostname: awx-demo.sample.com
tls_secret: sample-tls-secret
ingress_annotations: |
environment: testing
Specialized Ingress Controller configuration¶
Some Ingress Controllers need a special configuration to fully support AWX, add the following value with the ingress_controller variable, if you are using one of these:
| Ingress Controller name | value |
|---|---|
| Contour | contour |
---
spec:
...
ingress_type: ingress
ingress_hosts:
- hostname: awx-demo.example.com
- hostname: awx-demo.sample.com
tls_secret: sample-tls-secret
ingress_controller: contour
- Route
The following variables are customizable when ingress_type=route
| Name | Description | Default |
|---|---|---|
| route_host | Common name the route answers for | <instance-name>-<namespace>-<routerCanonicalHostname> |
| route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge |
| route_tls_secret | Secret that contains the TLS information | Empty string |
| route_api_version | Define the Route resource apiVersion | 'route.openshift.io/v1' |