AWX and Jumphost Configuration
This is heavily based on this GitHub issue comment, with some changes.
AWX now has to run on a Kubernetes cluster, such as k3s. Each playbook run takes place inside a pod that is created for the job and destroyed once the playbook has finished, so anything the ssh client needs has to be injected into that pod.
To let AWX connect through an ssh jumphost we need a ConfigMap containing the ssh client configuration and a Secret containing the private key used for the jumphost. In the configuration below the first block applies to every host except the jumphost: it turns off host key verification and re-enables legacy algorithms (ssh-rsa host keys, SHA-1 key exchange, a CBC cipher) that old network devices still need. The second block defines the jumphost itself, also without host key verification. Both are a trade-off: `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` means a man-in-the-middle on the path to the jumphost or to a target goes unnoticed, so for anything beyond a lab prefer shipping a known_hosts file in the ConfigMap, at least for the jumphost, and keep the legacy algorithms limited to the hosts that actually need them. Note also that nothing in this file tells ssh to route target connections through the jumphost; that still has to come from somewhere else, such as a ProxyJump or ProxyCommand directive or ansible_ssh_common_args in the inventory.
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: awx-ssh-config
  namespace: awx
data:
  default: |
    Host * !jumphost
      UserKnownHostsFile /dev/null
      StrictHostKeyChecking no
      HostKeyAlgorithms=+ssh-rsa
      KexAlgorithms=+ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
      Ciphers=+aes128-cbc
    Host jumphost
      Hostname jumphost.example.net
      User awx
      UserKnownHostsFile /dev/null
      StrictHostKeyChecking no
      IdentityFile /runner/.ssh/id_ed25519
---
kind: Secret
apiVersion: v1
metadata:
  name: awx-ssh-key
  namespace: awx
type: Opaque
data:
  default: <base64 encoded data of id_ed25519>
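Because ssh_config uses "first obtained value wins" and supports negated Host patterns, it is easy to get the weakened settings above applied to more hosts than intended. The following is an added example, not code from the original post or from AWX, that implements enough of OpenSSH's Host matching to report which hosts the ConfigMap's settings reach and which of them disable host key verification or re-enable legacy algorithms. The config text is copied from the ConfigMap above; the hardened variant, the host name switch1 and the known_hosts path /runner/.ssh/known_hosts are constructed for the example (that file would need its own mount, which is not shown on this page).

```python
"""Which ssh_config settings reach which host, and which of them are weak.

Added example; mirrors OpenSSH's rules: a Host line matches when at least one
non-negated pattern matches and no '!' pattern does, and for every keyword the
first value obtained in file order is the one used.
"""
import fnmatch

# Constructed input: the ssh client config from the ConfigMap above.
SSH_CONFIG = """\
Host * !jumphost
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  HostKeyAlgorithms=+ssh-rsa
  KexAlgorithms=+ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
  Ciphers=+aes128-cbc
Host jumphost
  Hostname jumphost.example.net
  User awx
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  IdentityFile /runner/.ssh/id_ed25519
"""

# Constructed hardened variant: the jumphost keeps host key verification with a
# pinned known_hosts file (assumed path), legacy algorithms stay limited to targets.
HARDENED_CONFIG = """\
Host jumphost
  Hostname jumphost.example.net
  User awx
  UserKnownHostsFile /runner/.ssh/known_hosts
  StrictHostKeyChecking yes
  IdentityFile /runner/.ssh/id_ed25519
Host * !jumphost
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  HostKeyAlgorithms=+ssh-rsa
  KexAlgorithms=+diffie-hellman-group14-sha1
  Ciphers=+aes128-cbc
"""


def parse(text):
    """Return [(patterns, {keyword: value}), ...] in file order, keywords lowercased."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts both "Keyword value" and "Keyword=value".
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)  # first value wins inside a block too
    return blocks


def host_matches(patterns, host):
    """A negated pattern that matches vetoes the block; otherwise any positive match counts."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def effective(blocks, host):
    """Settings that apply to `host`: first value obtained in file order wins."""
    settings = {}
    for patterns, kv in blocks:
        if host_matches(patterns, host):
            for key, value in kv.items():
                settings.setdefault(key, value)
    return settings


def enabled_algos(value):
    """Algorithms an ssh_config list enables ('+' appends, '^' prepends, '-' only removes)."""
    value = value.lower()
    return set() if value.startswith("-") else set(value.lstrip("+^").split(","))


# The checks that matter for the ConfigMap above.
WEAK = {
    "stricthostkeychecking": lambda v: v.lower() in ("no", "off"),
    "userknownhostsfile": lambda v: v == "/dev/null",
    "hostkeyalgorithms": lambda v: "ssh-rsa" in enabled_algos(v),
    "kexalgorithms": lambda v: any("sha1" in a for a in enabled_algos(v)),
    "ciphers": lambda v: any(a.endswith("-cbc") for a in enabled_algos(v)),
}


def findings(text, host):
    """Sorted keywords whose effective value for `host` weakens the connection."""
    settings = effective(parse(text), host)
    return sorted(k for k, is_weak in WEAK.items() if k in settings and is_weak(settings[k]))


if __name__ == "__main__":
    for name, cfg in (("ConfigMap", SSH_CONFIG), ("hardened", HARDENED_CONFIG)):
        for host in ("switch1", "jumphost"):
            print(f"{name:9} {host:9} {findings(cfg, host)}")
```

With the ConfigMap as written, a target such as switch1 gets all five weakened settings and the jumphost gets the two that disable host key verification; with the hardened variant the jumphost reports nothing while the targets are unchanged. Running the script against a modified ConfigMap before applying it is a cheap way to confirm that a new Host block lands where you meant it to, since the ordering rule silently makes a later, stricter block lose to an earlier `Host *`.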
Apply the manifests (kubectl apply -f .) and log in to AWX as an administrator.
Go to Administration, Instance Groups, edit the default container group, enable the custom pod specification and paste the following (pin the awx-ee image to a release tag rather than latest once it works, so job pods do not change under you):
apiVersion: v1
kind: Pod
metadata:
  namespace: awx
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: quay.io/ansible/awx-ee:latest
      name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
      volumeMounts:
        - name: ssh-config
          mountPath: /runner/.ssh/config
          subPath: default
        - name: ssh-key
          mountPath: /runner/.ssh/id_ed25519
          subPath: default
      securityContext:
        runAsUser: 1000
        runAsGroup: 0
  volumes:
    - name: ssh-config
      configMap:
        name: awx-ssh-config
        defaultMode: 0400
    - name: ssh-key
      secret:
        secretName: awx-ssh-key
        defaultMode: 0400
  securityContext:
    runAsUser: 1000
    runAsGroup: 0
    fsGroup: 0
The ConfigMap and Secret are mounted as single files into the pod filesystem via subPath. The securityContext is what makes them readable by the runner process: with fsGroup: 0 the kubelet sets group 0 on the projected files and adds group read permission (the requested 0400 becomes 0440 on these read-only volumes), and runAsGroup: 0 puts the ansible-runner process, running as uid 1000, into that group. ssh accepts the key in that state because it only refuses a group-readable private key when the file is owned by the user running ssh, and here the file is owned by root. Since the files are mounted with subPath, later changes to the ConfigMap or Secret are not propagated into running pods, which does not matter here because every job gets a fresh pod.
Note that the default execution environment (at least at the time of writing) does not contain ansible-pylibssh, so, as noted in my [last post]({{% ref "posts/connect-to-network-devices-through-a-jumphost-with-ansible/" %}}), the relevant ssh settings might not work anyway.