Pass in private_data_dir when project update is on K8S

fosterseth · web-flow · commit 0f0f5aa28955 · 2025-03-11T23:12:10.000-04:00
In OCP/K8S, projects run in the task pod's ee container. The private_data_dir is not extracted to /runner. Instead, the project update runs directly from the mounted in private_data_dir, e.g. /tmp/awx_1_abcd.

When injecting a credential that uses extra vars, we pass the private_data_dir as as the container_root, so that the correct command line argument is generated, e.g. "-e /tmp/awx_1_abcd/env/extra_var_file".

Signed-off-by: Seth Foster &lt;fosterbseth@gmail.com&gt;
diff --git a/awx/api/views/analytics.py b/awx/api/views/analytics.py
@@ -10,7 +10,7 @@
 from awx.api.permissions import AnalyticsPermission
 from awx.api.versioning import reverse
 from awx.main.utils import get_awx_version
-from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_ENDPOINT
+from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_TOKEN_ENDPOINT
 from rest_framework import status
 
 from collections import OrderedDict
@@ -205,7 +205,7 @@ def _send_to_analytics(self, request, method):
             try:
                 rh_user = self._get_setting('REDHAT_USERNAME', None, ERROR_MISSING_USER)
                 rh_password = self._get_setting('REDHAT_PASSWORD', None, ERROR_MISSING_PASSWORD)
-                client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_ENDPOINT, ['api.console'])
+                client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_TOKEN_ENDPOINT, ['api.console'])
                 response = client.make_request(
                     method,
                     url,
diff --git a/awx/main/analytics/core.py b/awx/main/analytics/core.py
@@ -22,7 +22,7 @@
 from awx.main.models import Job
 from awx.main.access import access_registry
 from awx.main.utils import get_awx_http_client_headers, set_environ, datetime_hook
-from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_ENDPOINT
+from awx.main.utils.analytics_proxy import OIDCClient, DEFAULT_OIDC_TOKEN_ENDPOINT
 
 __all__ = ['register', 'gather', 'ship']
 
@@ -379,7 +379,7 @@ def ship(path):
         with set_environ(**settings.AWX_TASK_ENV):
             if rh_user and rh_password:
                 try:
-                    client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_ENDPOINT, ['api.console'])
+                    client = OIDCClient(rh_user, rh_password, DEFAULT_OIDC_TOKEN_ENDPOINT, ['api.console'])
                     response = client.make_request("POST", url, headers=s.headers, files=files, verify=settings.INSIGHTS_CERT_PATH, timeout=(31, 31))
                 except requests.RequestException:
                     logger.error("Automation Analytics API request failed, trying base auth method")
diff --git a/awx/main/models/credential.py b/awx/main/models/credential.py
@@ -550,10 +550,10 @@ def load_plugin(cls, ns, plugin):
         # TODO: User "side-loaded" credential custom_injectors isn't supported
         ManagedCredentialType.registry[ns] = SimpleNamespace(namespace=ns, name=plugin.name, kind='external', inputs=plugin.inputs, backend=plugin.backend)
 
-    def inject_credential(self, credential, env, safe_env, args, private_data_dir):
+    def inject_credential(self, credential, env, safe_env, args, private_data_dir, container_root=None):
         from awx_plugins.interfaces._temporary_private_inject_api import inject_credential
 
-        inject_credential(self, credential, env, safe_env, args, private_data_dir)
+        inject_credential(self, credential, env, safe_env, args, private_data_dir, container_root=container_root)
 
 
 class CredentialTypeHelper:
diff --git a/awx/main/tasks/jobs.py b/awx/main/tasks/jobs.py
@@ -522,9 +522,13 @@ def run(self, pk, **kwargs):
 
             credentials = self.build_credentials_list(self.instance)
 
+            container_root = None
+            if settings.IS_K8S and isinstance(self.instance, ProjectUpdate):
+                container_root = private_data_dir
+
             for credential in credentials:
                 if credential:
-                    credential.credential_type.inject_credential(credential, env, self.safe_cred_env, args, private_data_dir)
+                    credential.credential_type.inject_credential(credential, env, self.safe_cred_env, args, private_data_dir, container_root=container_root)
 
             self.runner_callback.safe_env.update(self.safe_cred_env)
 
diff --git a/awx/main/utils/analytics_proxy.py b/awx/main/utils/analytics_proxy.py
@@ -10,7 +10,7 @@
 
 import requests
 
-DEFAULT_OIDC_ENDPOINT = 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'
+DEFAULT_OIDC_TOKEN_ENDPOINT = 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'
 
 
 class TokenError(requests.RequestException):
