Description
ISSUE TYPE
- Feature Idea
COMPONENT NAME
- Installer
SUMMARY
It would be good to support SSL connections to an external PostgreSQL database as available parameters in the installer inventory file. Currently we work around this by changing DATABASES in settings.py, then copying settings.py into the official containers along with our certs and pushing the image back up to our private Docker registry.
We've seen good results so far with the following config:
    DATABASES = {
        'default': {
            'ATOMIC_REQUESTS': True,
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': os.getenv("DATABASE_NAME", None),
            'USER': os.getenv("DATABASE_USER", None),
            'PASSWORD': os.getenv("DATABASE_PASSWORD", None),
            'HOST': os.getenv("DATABASE_HOST", None),
            'PORT': os.getenv("DATABASE_PORT", None),
            'CONN_MAX_AGE': 60,
            'OPTIONS': {
                'sslmode': 'require',
                'keepalives_idle': 5,
                'keepalives_interval': 1,
                'keepalives_count': 5,
            },
        },
    }
using the following Dockerfile:
    FROM ansible/awx_task:1.0.1.223
    USER root
    COPY our_ssl_cert.pem /etc/pki/ca-trust/source/anchors/
    COPY settings.py /etc/tower/settings.py
    RUN update-ca-trust
ENVIRONMENT
- AWX version: 1.0.1.223
- AWX install method: docker for mac
- Ansible version: 2.4.1
- Operating System: OS X 10.12.6
- Web Browser: Chrome
STEPS TO REPRODUCE
The following fields (or equivalent) could be available in the inventory file:
    # Set pg_hostname if you have an external postgres server, otherwise
    # a new postgres service will be created
    pg_hostname=postgresql
    pg_username=awx
    pg_password=awxpass
    pg_database=awx
    pg_port=5432
    sslmode=require
    cert_path=<cert_file_name.pem>
For sslmode, an environment variable would be set in settings.py, same as the other fields.
For cert_path, the certificate would be installed during the container image build.
ADDITIONAL INFORMATION
Client side keepalives seem to be necessary for Django/psycopg2 to stay connected correctly. Otherwise after a few hours of running we start to see issues with AWX saving job event data due to dropped connections.
awx.main.commands.run_callback_receiver Database Error Saving Job Event: SSL SYSCALL error: EOF detected
I'm not familiar enough with Django to know whether this should be hardcoded into settings.py or if it should be user-configurable. It's also unclear whether CONN_MAX_AGE is required.
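An added example, not part of the original issue or of AWX: one way the proposed sslmode and cert_path fields could be turned into the OPTIONS dict that Django passes to psycopg2/libpq. It reflects two libpq behaviours: sslmode=require encrypts the connection but does not by itself verify the server certificate, and by default libpq reads its CA from sslrootcert (default ~/.postgresql/root.crt) rather than the system trust store. The variable names DATABASE_SSLMODE and DATABASE_SSLROOTCERT, the verify-full default and the rule that an explicit CA path must be supplied are assumptions of this sketch.

```python
import os

# libpq sslmode values and what each one guarantees about the server.
SSLMODE_GUARANTEES = {
    "disable": "no TLS",
    "allow": "TLS only if the server insists; no certificate check",
    "prefer": "TLS if offered, plaintext fallback; no certificate check",
    "require": "TLS required; certificate checked only if a root CA file exists",
    "verify-ca": "TLS required; certificate chain checked against sslrootcert",
    "verify-full": "TLS required; chain and host name both checked",
}
VERIFYING_MODES = ("verify-ca", "verify-full")


def build_pg_options(env=os.environ):
    """Build DATABASES['default']['OPTIONS'] from environment variables.

    DATABASE_SSLMODE and DATABASE_SSLROOTCERT are assumed names, not
    variables that AWX defines.
    """
    mode = env.get("DATABASE_SSLMODE", "verify-full")
    if mode not in SSLMODE_GUARANTEES:
        # Fail closed on a typo instead of handing libpq an unknown mode.
        raise ValueError("unknown sslmode %r" % mode)
    options = {
        "sslmode": mode,
        # Client-side keepalive values taken from the issue above.
        "keepalives_idle": 5,
        "keepalives_interval": 1,
        "keepalives_count": 5,
    }
    ca_path = env.get("DATABASE_SSLROOTCERT")
    if mode in VERIFYING_MODES and not ca_path:
        # Policy of this example: insist on an explicit CA file rather
        # than relying on libpq's per-user default location.
        raise ValueError("sslmode=%s needs DATABASE_SSLROOTCERT" % mode)
    if ca_path:
        options["sslrootcert"] = ca_path
    return options


def authenticates_server(options):
    """True when the sslmode explicitly asks libpq to verify the server."""
    return options["sslmode"] in VERIFYING_MODES
```
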