We’ve had many requests, through the comments section on most AWX-related articles, on how the Traefik Ingress Controller can be configured as a proxy to an AWX service running in a Kubernetes cluster. AWX provides a REST API, user interface, and task engine for managing Ansible-based automation. We’ve done a number of guides on the installation, configuration and usage of AWX. See the links provided below.
- How To Run Ansible AWX on Kubernetes / OpenShift Cluster
- Install Ansible AWX on CentOS 8 / Rocky Linux 8
- How To Install Ansible AWX on Ubuntu / Debian
- How To Install Ansible AWX on CentOS 7 / RHEL 7
In Kubernetes, an ingress controller is responsible for routing incoming traffic from outside the cluster to the appropriate service running inside the cluster. Traefik is one of the most popular reverse proxy and load balancer solutions, and it is commonly used as an ingress controller in Kubernetes environments. Traefik can do load balancing, SSL termination, path-based routing, and service discovery, making it a powerful and flexible tool for managing ingress traffic in Kubernetes.
You can also choose to use other ingress solutions to expose your AWX service; one of these is Nginx ingress:
How To Expose Ansible AWX Service using Traefik Ingress
We’ll kick off the process by installing the Traefik Ingress controller in our Kubernetes cluster.
Step 1: Install Traefik Ingress Controller
See installation guides below:
- Install and Configure Traefik Ingress Controller on Kubernetes Cluster
- Install and Configure Traefik Ingress Controller on k0s
If you’re using k3s Kubernetes distribution, Traefik Ingress is bundled with it. You can check the service with the following commands:
$ kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 9m39s
metrics-server ClusterIP 10.43.175.23 <none> 443/TCP 9m38s
traefik LoadBalancer 10.43.233.155 116.203.47.15,2a01:4f8:c2c:a186::1 80:32592/TCP,443:30990/TCP 9m17s
Take note of the External IP address as this will be used later. On a normal installation of Traefik deployed in the traefik namespace, you can get the service LB IP address as follows:
$ kubectl get svc traefik -n traefik
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.233.26.243 192.168.1.34 80:32715/TCP,443:30295/TCP,9000:30811/TCP 4h3m
Step 2: Configure DNS record or modify hosts file
In this article we’ll expose our AWX service on the domain awx.geeksforgeeks.org, and IP address 116.203.47.15. If you have a working DNS server, create a new A record with the domain name and its IP address (in our case this is the Ingress LB IP address / service external IP address).
See the example below on how you can set this in the /etc/hosts file.
$ sudo vim /etc/hosts
116.203.47.15 awx.geeksforgeeks.org
You can confirm it works by using ping:
ping -c 3 awx.geeksforgeeks.org
Step 3: Configure Traefik Ingress for AWX
If you used our article to deploy AWX, the services will be running in the awx namespace.
$ kubectl get all -n awx
NAME READY STATUS RESTARTS AGE
pod/awx-operator-controller-manager-68d6f576b4-k2hf5 2/2 Running 0 10m
pod/awx-postgres-13-0 1/1 Running 0 8m49s
pod/awx-56799c5b49-8lqbs 4/4 Running 0 7m54s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/awx-operator-controller-manager-metrics-service ClusterIP 10.43.148.202 <none> 8443/TCP 10m
service/awx-postgres-13 ClusterIP None <none> 5432/TCP 8m49s
service/awx-service NodePort 10.43.223.13 <none> 80:30491/TCP 7m58s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/awx-operator-controller-manager 1/1 1 1 10m
deployment.apps/awx 1/1 1 1 7m54s
NAME DESIRED CURRENT READY AGE
replicaset.apps/awx-operator-controller-manager-68d6f576b4 1 1 1 10m
replicaset.apps/awx-56799c5b49 1 1 1 7m54s
NAME READY AGE
statefulset.apps/awx-postgres-13 1/1 8m49s
Create a new manifest file for AWX ingress.
vim awx-traefik-ingress.yaml
Paste and modify the configurations provided here to suit your use case.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: awx
  name: awx-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: awx.geeksforgeeks.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: awx-service
                port:
                  number: 80
Take note of the namespace, host and service name. Edit the parameters to match your environment setup. Once done, apply the configuration in your Kubernetes cluster.
$ kubectl apply -f awx-traefik-ingress.yaml
ingress.networking.k8s.io/awx-ingress created
To confirm if the ingress was created, use the following commands:
$ kubectl get ingress -n awx
NAME CLASS HOSTS ADDRESS PORTS AGE
awx-ingress traefik awx.geeksforgeeks.org 116.203.47.15,2a01:4f8:c2c:a186::1 80 29s
Assuming the domain name was configured in your DNS server or by editing the /etc/hosts file, you should be able to access the AWX web interface.
Step 4: Secure AWX Traefik Ingress with SSL certificate
There are two main ways of getting an SSL certificate for your domain: either a self-signed certificate or a certificate commercially signed by a public CA.
Using self-signed certificate
For a self-signed certificate, modify the contents of the file provided below, which is used to generate the CSR, key and certificate.
$ vim awx-openssl.conf
[ req ]
default_bits = 4096
default_md = sha512
default_keyfile = awx.key
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
# distinguished_name
[ req_distinguished_name ]
countryName = "KE"
localityName = "Nairobi"
stateOrProvinceName = "Nairobi"
organizationName = "HomeLab"
commonName = "awx.geeksforgeeks.org"
emailAddress = "[email protected]"
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = awx.geeksforgeeks.org
DNS.2 = www.awx.geeksforgeeks.org
Use the openssl command to generate the CSR, key and certificate.
$ openssl x509 -req -days 3650 -in awx.csr -signkey awx.key -out awx.crt
Certificate request self-signature ok
subject=C = KE, L = Nairobi, ST = Nairobi, O = HomeLab, CN = awx.geeksforgeeks.org, emailAddress = [email protected]
For signing by a public CA, use the generated CSR when requesting the certificate.
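The signing command above needs awx.key and awx.csr to exist already, and `openssl x509 -req` does not copy the CSR's subjectAltName into the certificate unless it is told to. The script below is an added example, not part of the original article: it generates the key and CSR from a trimmed copy of the config shown above, signs once as on the page and once with `-extfile`/`-extensions`, and checks each certificate for the SAN. The temporary directory, the function names and the `plain.crt` file name are assumptions.

```shell
# Added example: config values mirror the page's awx-openssl.conf (trimmed).
HOST=awx.geeksforgeeks.org

write_conf() {        # $1 = working directory
cat > "$1/awx-openssl.conf" <<EOF
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = "KE"
organizationName = "HomeLab"
commonName = "$HOST"
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $HOST
DNS.2 = www.$HOST
EOF
}

make_csr() {          # new unencrypted private key plus CSR from the config
  openssl req -new -config "$1/awx-openssl.conf" \
    -keyout "$1/awx.key" -out "$1/awx.csr" >/dev/null 2>&1
}
sign_as_on_page() {   # the page's command: CSR extensions are not copied
  openssl x509 -req -days 3650 -in "$1/awx.csr" -signkey "$1/awx.key" \
    -out "$1/plain.crt" >/dev/null 2>&1
}
sign_with_san() {     # same command, SAN read from the [ req_ext ] section
  openssl x509 -req -days 3650 -in "$1/awx.csr" -signkey "$1/awx.key" \
    -extfile "$1/awx-openssl.conf" -extensions req_ext \
    -out "$1/awx.crt" >/dev/null 2>&1
}
has_san() {           # $1 = certificate, $2 = DNS name expected in the SAN
  openssl x509 -in "$1" -noout -text | grep -F -q "DNS:$2"
}

work=$(mktemp -d)     # scratch directory so existing files are not overwritten
write_conf "$work" && make_csr "$work" && sign_as_on_page "$work" && sign_with_san "$work"
for crt in plain.crt awx.crt; do
  has_san "$work/$crt" "$HOST" && echo "$crt: SAN present" || echo "$crt: SAN missing"
done
```

Clients that match hostnames against subjectAltName only will reject plain.crt even once it is trusted, so awx.crt is the one to load into the TLS secret.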
Create TLS secret on Kubernetes
Using the key and certificate, create a TLS secret in the awx namespace.
$ kubectl -n awx create secret tls awx-cert --key ./awx.key --cert ./awx.crt
secret/awx-cert created
Verify secret creation with the following commands.
$ kubectl get secrets -n awx awx-cert
NAME TYPE DATA AGE
awx-cert kubernetes.io/tls 2 31s
Update the ingress manifest file to include the SSL components.
$ vim awx-traefik-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: awx
  name: awx-ingress
  annotations:
    # HTTPS as entry point
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Enable TLS
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - awx.geeksforgeeks.org
      secretName: awx-cert
  rules:
    - host: awx.geeksforgeeks.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: awx-service
                port:
                  number: 80
Update ingress object for secure connection to AWX service.
$ kubectl apply -f awx-traefik-ingress.yaml
ingress.networking.k8s.io/awx-ingress configured
You can test in your browser from a system that can resolve the DNS name. Use the URL https://awx.example.com
Click on the “Advanced” button.
Accept the risk to continue – this is for self-signed certificates.
Validate that the connection is secure by checking the certificate details.
It’s easy to migrate from a self-signed certificate to a commercial one signed by a certified CA. What you need to do is delete the secret and recreate it with the new key and certificate.
In this article we’ve demonstrated how to configure Traefik Ingress for the AWX service. We further discussed securing the route with SSL certificates. To this end we hope our article was useful to you. Cheers!