In our previous articles we had covered in detail the process of installing and configuring Ansible AWX on container platforms such as Kubernetes. The links to the articles are shared below.
- How To Run Ansible AWX on Kubernetes / OpenShift Cluster
- Install Ansible AWX on CentOS 8 / Rocky Linux 8
- How To Install Ansible AWX on Debian Linux
- How To Install Ansible AWX on Ubuntu
Many readers in the comments section requested a separate article on Ingress configuration. There are many Ingress solutions for Kubernetes, but this guide is specific to Nginx Ingress. In future content we will consider guides on other Ingress solutions.
Step 1: Deploy Ingress Controller in Kubernetes
Before you can proceed with this article you’ll need to install and configure the Nginx Ingress Controller in your Kubernetes cluster. Follow the article in the link below to perform this installation.
Confirm Ingress service is deployed successfully as per steps captured in the article.
$ kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.233.62.202 192.168.1.30 80:32504/TCP,443:30189/TCP 50d
ingress-nginx-controller-admission ClusterIP 10.233.1.104 <none> 443/TCP 50d
Step 2: Configure DNS Name for AWX
Mapping an A record to the Nginx Ingress IP address (in this case the LoadBalancer service IP) is mandatory if you want to use a DNS name when accessing the AWX service. Our setup is based on the following variables.
- Hostname: awx.apps.k8s.cloudlabske.io
- Ingress Controller LB IP: 192.168.1.30
A sample configuration snippet pulled from FreeIPA server is shown below.
Notice we’re using a wildcard DNS record, but you can add a plain awx record to the zone instead.
Let’s confirm we can ping the DNS name.
$ ping -c 3 awx.apps.k8s.cloudlabske.io
PING awx.apps.k8s.cloudlabske.io (192.168.1.30): 56 data bytes
64 bytes from 192.168.1.30: icmp_seq=0 ttl=63 time=8.405 ms
64 bytes from 192.168.1.30: icmp_seq=1 ttl=63 time=47.933 ms
64 bytes from 192.168.1.30: icmp_seq=2 ttl=63 time=19.875 ms
--- awx.apps.k8s.cloudlabske.io ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.405/25.404/47.933/16.604 ms
Step 3: Create Ingress resource for AWX
List all the services in awx namespace:
$ kubectl get services -n awx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
awx-lb-service LoadBalancer 10.233.2.203 192.168.1.32 80:30791/TCP 30h
awx-operator-controller-manager-metrics-service ClusterIP 10.233.25.242 <none> 8443/TCP 31h
awx-postgres-13 ClusterIP None <none> 5432/TCP 31h
awx-service NodePort 10.233.28.124 <none> 80:30080/TCP 31h
Create the Ingress configuration manifest for AWX.
$ vim awx-nginx-ingress.yaml
Add the contents below and modify them to suit your use case.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-ingress
  namespace: awx
spec:
  ingressClassName: nginx
  rules:
  - host: awx.apps.k8s.cloudlabske.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: awx-service
            port:
              number: 80
Apply the configuration file to create the resource.
$ kubectl apply -f awx-nginx-ingress.yaml
ingress.networking.k8s.io/awx-ingress created
Check the available Ingress resources in the namespace after creation.
$ kubectl get ingress -n awx
NAME CLASS HOSTS ADDRESS PORTS AGE
awx-ingress nginx awx.apps.k8s.cloudlabske.io 80 21s
Test the connection to the AWX service using the DNS name configured.
Step 4: Generate SSL Certificate for AWX (Recommended)
There is also the option of securing the connection to AWX with a hostname and an SSL certificate.
Option 1) Using Self-signed SSL certificate
For self-signed certificates we’ll cover the OpenSSL and pfSense certificate generation processes.
1. OpenSSL generated certificate
For an OpenSSL generated certificate you can start by creating a configuration file.
$ vim awx-openssl.conf
[ req ]
default_bits = 4096
default_md = sha512
default_keyfile = awx.key
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
# distinguished_name
[ req_distinguished_name ]
countryName = "KE"
localityName = "Nairobi"
stateOrProvinceName = "Nairobi"
organizationName = "CloudLabsKE"
commonName = "awx.apps.k8s.cloudlabske.io"
emailAddress = "[email protected]"
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = awx.apps.k8s.cloudlabske.io
DNS.2 = www.awx.apps.k8s.cloudlabske.io
Generate key and CSR from
$ openssl req -out awx.csr -newkey rsa:4096 -sha512 -nodes -keyout awx.key -config awx-openssl.conf
You’ll have key and
Generating a RSA private key
.......................................................................................................................++++
...............................++++
writing new private key to 'awx.key'
-----
You can check the CSR contents using the command below.
$ openssl req -text -noout -in awx.csr
To create a self-signed certificate from the private key and CSR:
$ openssl x509 -req -days 3650 -in awx.csr -signkey awx.key -out awx.crt
Signature ok
subject=C = KE, L = Nairobi, ST = Nairobi, O = CloudLabsKE, CN = awx.apps.k8s.cloudlabske.io, emailAddress = [email protected]
Getting Private key
From the command above we can confirm the certificate will be valid for 3650 days, i.e. 10 years.
2. pfSense generated certificate
Refer to our guide below on how to create a CA and generate certificates on pfSense:
Option 2) Using Trusted CA Signed SSL Certificate
The process is similar to the OpenSSL self-signed one, except that the certificate is signed by a publicly trusted certificate authority.
- Create a certificate signing request (CSR).
- Provide your certificate signing request (CSR) to the CA. Some CAs allow you to request and generate certs on the same portal.
- Provide validation as may be required.
- Save the files: key, certificate, and CA certificate.
Step 5: Create SSL Secret and configure Ingress on k8s
Before creating the Ingress resource with SSL, we need to create a Kubernetes Secret that contains the SSL certificate and key.
Create a secret of type tls from the certificate and key files.
$ kubectl -n awx create secret tls awx-cert --key ./awx.key --cert ./awx.crt
secret/awx-cert created
List the secrets in the namespace to confirm the secret was created successfully.
$ kubectl get secrets -n awx
NAME TYPE DATA AGE
awx-admin-password Opaque 1 32h
awx-app-credentials Opaque 3 32h
awx-broadcast-websocket Opaque 1 32h
awx-cert kubernetes.io/tls 2 16s
awx-postgres-configuration Opaque 6 32h
awx-receptor-ca kubernetes.io/tls 2 32h
awx-receptor-work-signing Opaque 2 32h
awx-secret-key Opaque 1 32h
redhat-operators-pull-secret Opaque 1 32h
Update the manifest by adding the SSL (tls) section.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-ingress
  namespace: awx
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - awx.apps.k8s.cloudlabske.io
    secretName: awx-cert
  rules:
  - host: awx.apps.k8s.cloudlabske.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: awx-service
            port:
              number: 80
Apply the updated configuration.
$ kubectl apply -f awx-nginx-ingress.yaml
ingress.networking.k8s.io/awx-ingress configured
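Two things commonly go wrong between Step 4 and Step 5: the self-signed certificate ends up without the subjectAltName from the CSR (plain "openssl x509 -req -signkey" drops the CSR extensions on older OpenSSL releases, and browsers then reject it), or the host named in the Ingress tls block is not covered by the certificate in the secret, in which case ingress-nginx serves its own fake default certificate for that host. The script below is an added example, not code from the original article: it recreates the article's awx-openssl.conf (with a placeholder e-mail address) and the TLS Ingress manifest in a scratch directory, signs the CSR with -extfile/-extensions so the SAN is kept, and checks offline that every host the manifest references validates against the certificate. The WORKDIR location and the awk-based manifest parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): self-sign the AWX certificate
# keeping the SAN, then verify the Ingress hosts are covered by that certificate.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; exit 0; }
WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory (assumption)
AWX_HOST="awx.apps.k8s.cloudlabske.io"    # hostname used throughout the article
# Same content as the article's awx-openssl.conf; the e-mail is a placeholder.
write_openssl_conf() {
  cat > "$WORKDIR/awx-openssl.conf" <<'EOF'
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = "KE"
localityName = "Nairobi"
stateOrProvinceName = "Nairobi"
organizationName = "CloudLabsKE"
commonName = "awx.apps.k8s.cloudlabske.io"
emailAddress = "admin@example.com"
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = awx.apps.k8s.cloudlabske.io
DNS.2 = www.awx.apps.k8s.cloudlabske.io
EOF
}
# Key and CSR as in the article (OpenSSL noise on stderr is silenced).
generate_key_and_csr() {
  openssl req -out "$WORKDIR/awx.csr" -newkey rsa:4096 -sha512 -nodes \
    -keyout "$WORKDIR/awx.key" -config "$WORKDIR/awx-openssl.conf" 2>/dev/null
}
# Self-sign the CSR. -extfile/-extensions writes the req_ext section (the SAN)
# into the certificate; "x509 -req -signkey" alone drops it on older releases.
sign_self_signed() {
  openssl x509 -req -days 3650 -in "$WORKDIR/awx.csr" -signkey "$WORKDIR/awx.key" \
    -extfile "$WORKDIR/awx-openssl.conf" -extensions req_ext \
    -out "$WORKDIR/awx.crt" 2>/dev/null
}
# cert_has_san CERT NAME: succeeds when NAME is a DNS SAN entry of CERT.
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"; }
# cert_matches_host CERT NAME: succeeds when OpenSSL's own hostname check
# (SAN first, CN only as fallback) accepts NAME for CERT.
cert_matches_host() { openssl x509 -noout -in "$1" -checkhost "$2" | grep -q "does match"; }
# write_manifest FILE HOST: the article's TLS Ingress, parameterised on the host
# so that a certificate/Ingress mismatch can be reproduced.
write_manifest() {
  cat > "$1" <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awx-ingress
  namespace: awx
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $2
    secretName: awx-cert
  rules:
  - host: $2
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: awx-service, port: {number: 80}}
EOF
}
# ingress_hosts FILE: every rules[].host and tls[].hosts[] entry (simple awk,
# adequate for manifests shaped like the article's; not a full YAML parser).
ingress_hosts() {
  awk '/^[[:space:]]*-?[[:space:]]*host:/  { print $NF }
       /^[[:space:]]*-?[[:space:]]*hosts:/ { in_hosts = 1; next }
       in_hosts && /^[[:space:]]*-[[:space:]]/ { print $2; next }
       { in_hosts = 0 }' "$1" | sort -u
}
# check_ingress_against_cert MANIFEST CERT: fails if any referenced host is not
# covered by CERT (ingress-nginx would then serve its fake default certificate).
check_ingress_against_cert() {
  rc=0
  for h in $(ingress_hosts "$1"); do
    if cert_matches_host "$2" "$h"; then echo "ok: $h covered by $2"
    else echo "MISMATCH: $h not covered by $2"; rc=1; fi
  done
  return $rc
}
write_openssl_conf && generate_key_and_csr && sign_self_signed
write_manifest "$WORKDIR/awx-nginx-ingress.yaml" "$AWX_HOST"
check_ingress_against_cert "$WORKDIR/awx-nginx-ingress.yaml" "$WORKDIR/awx.crt"
```

Run it as-is and it prints "ok: awx.apps.k8s.cloudlabske.io covered by .../awx.crt"; change the host passed to write_manifest to a name outside the SAN list and the check reports MISMATCH and exits non-zero, which is exactly the situation a browser would later show as the ingress-nginx fake certificate. After the check passes, create the secret from "$WORKDIR/awx.key" and "$WORKDIR/awx.crt" as in Step 5.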
Step 6: Test on web browser
When using self-signed certificates you need to trust the CA (Certificate Authority) certificate in your browser or desktop OS. For this you’ll need to import it into your browser’s certificate store.
The specific steps for doing this will depend on your browser, but generally, go to the browser settings, find the security or privacy settings, and then locate the option to manage certificates. From there, you can import the CA certificate by selecting the option to import or add a certificate and then browsing to the location where you saved the certificate file.
If using macOS, just double-click on the CA certificate file to open it.
A pop-up window will appear asking if you want to install the certificate. Click “Add” to import the certificate. You’ll see it appear in the Certificates section.
Click on the imported certificate to trust it.
Select “Always Trust” when using this certificate.
You’ll see the red “not trusted” flag removed.
Restart your browser and access the AWX web interface over the secure connection.
Test that you can log in successfully with the admin username and password set earlier during deployment.
Conclusion
With the Ingress resource applied, Nginx Ingress will start routing incoming traffic to your Ansible AWX service based on the rules defined in the Ingress resource. The Ingress resource we created maps incoming requests for the path / on the host awx.apps.k8s.cloudlabske.io to the Kubernetes Service awx-service listening on HTTP port 80, and enables SSL using the Kubernetes Secret awx-cert.