Use awx-manage register_default_execution_environments

Signed-off-by: Julen Landa Alustiza <jlanda@redhat.com>
2026-03-26 21:33:14 +00:00 · 2021-06-02 09:33:02 +02:00
parent 46f5b3dcb0
commit 1fc22749a5
7 changed files with 91 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -556,6 +556,30 @@ In a scenario where custom volumes and volume mounts are required to either over

 Example configuration for ConfigMap

+#### Default execution environments from private registries
+
+In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
+
+The secret should be formated as follows:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resourcename>-ee-pull-credentials
+  namespace: <target namespace>
+stringData:
+  url: <registry url. i.e. quay.io>
+  username: <username to connect as>
+  password: <password to connect with>
+  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
+type: Opaque
+```
+
+##### Control plane ee from private registry
+The first default execution environment will be deployed as part of the control plane. In order to use a private image for this you'll need to use `image_pull_secret` to provide a k8s pull secret to access it.
+
 ```yaml
 ---
 apiVersion: v1
--- a/ansible/templates/crd.yml.j2
+++ b/ansible/templates/crd.yml.j2
@@ -151,6 +151,8 @@ spec:
                        type: string
                control_plane_ee_image:
                  description: Registry path to the Execution Environment container image to use on control plane pods
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
                  type: string
                image_pull_policy:
                  description: The image pull policy
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -153,6 +153,8 @@ spec:
                        type: string
                control_plane_ee_image:
                  description: Registry path to the Execution Environment container image to use on control plane pods
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
                  type: string
                image_pull_policy:
                  description: The image pull policy
--- a/deploy/crds/awx_v1beta1_crd.yaml
+++ b/deploy/crds/awx_v1beta1_crd.yaml
@@ -151,6 +151,8 @@ spec:
                        type: string
                control_plane_ee_image:
                  description: Registry path to the Execution Environment container image to use on control plane pods
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
                  type: string
                image_pull_policy:
                  description: The image pull policy
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -64,6 +64,9 @@ spec:
                      type: string
                  type: object
                type: array
+              ee_pull_credentials_secret:
+                description: Secret where pull credentials for registered ees can be found
+                type: string
              extra_settings:
                description: Extra settings to specify for the API
                items:
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -93,6 +93,10 @@ postgres_configuration_secret: ''

 old_postgres_configuration_secret: ''

+# Secret to lookup that provides default execution environment pull credentials
+#
+ee_pull_credentials_secret: ''
+
 # Add extra volumes to the AWX pod. Specify as literal block. E.g.:
 # extra_volumes: |
 #   - name: my-volume
--- a/roles/installer/tasks/initialize_django.yml
+++ b/roles/installer/tasks/initialize_django.yml
@@ -72,3 +72,57 @@
    command: >-
      bash -c "awx-manage unregister_queue --queuename=tower"
  when: "'[tower capacity=' in legacy_queue.stdout"
+
+- name: Check for specified default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ee_pull_credentials_secret }}'
+  register: _custom_execution_environments_pull_credentials
+  when: ee_pull_credentials_secret | length
+
+- name: Check for default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-ee-pull-credentials'
+  register: _default_execution_environments_pull_credentials
+
+- name: Set admin password secret
+  set_fact:
+    _execution_environments_pull_credentials: >-
+      {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
+      | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }}
+- name: Register default execution environments (without authentication)
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage register_default_execution_environments"
+  register: ree
+  changed_when: "'changed: True' in ree.stdout"
+  when: not _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- block:
+    - name: Store default execution environment pull credentials
+      set_fact:
+        default_execution_environment_pull_credentials_user: "{{ _execution_environments_pull_credentials['resources'][0]['data']['username'] | b64decode }}"
+        default_execution_environment_pull_credentials_pass: "{{ _execution_environments_pull_credentials['resources'][0]['data']['password'] | b64decode }}"
+        default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
+        default_execution_environment_pull_credentials_url_verify: >-
+          {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+    - name: Register default execution environments (with authentication)
+      k8s_exec:
+        namespace: "{{ meta.namespace }}"
+        pod: "{{ tower_pod_name }}"
+        container: "{{ meta.name }}-task"
+        command: >-
+          bash -c "awx-manage register_default_execution_environments
+          --registry-username='{{ default_execution_environment_pull_credentials_user }}'
+          --registry-password='{{ default_execution_environment_pull_credentials_pass }}'
+          --registry-url='{{ default_execution_environment_pull_credentials_url }}'
+          --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
+      register: ree
+      changed_when: "'changed: True' in ree.stdout"
+  when: _execution_environments_pull_credentials['resources'] | default([]) | length