Merge pull request #88 from Spredzy/admin_password

Admin Password: Allow one to specify an admin password secret else generate it
2026-03-26 21:33:14 +00:00 · 2021-02-09 09:28:50 +01:00
parent 90bfe5073b e858f34f2c
commit 72fd95994b
9 changed files with 68 additions and 5 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,7 @@ env:

 install:
  - pip3 install docker molecule molecule-docker yamllint ansible-lint openshift jmespath
-  - ansible-galaxy collection install community.kubernetes
+  - ansible-galaxy collection install community.kubernetes operator_sdk.util

 script:
  - molecule test -s test-local
--- a/ansible/instantiate-awx-deployment.yml
+++ b/ansible/instantiate-awx-deployment.yml
@@ -20,7 +20,6 @@
          spec:
            tower_admin_user: test
            tower_admin_email: test@example.com
-            tower_admin_password: changeme
            tower_broadcast_websocket_secret: changeme
            tower_ingress_type: "{{ tower_ingress_type | default(omit) }}"  # Either Route or Ingress
            tower_image: "{{ tower_image | default(omit) }}"
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -13,7 +13,6 @@ spec:

  tower_admin_user: test
  tower_admin_email: test@example.com
-  tower_admin_password: changeme

  tower_image: ansible/awx:15.0.0

--- a/deploy/crds/awx_v1beta1_molecule.yaml
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -12,7 +12,6 @@ spec:
  tower_broadcast_websocket_secret: changeme

  tower_admin_email: test@example.com
-  tower_admin_password: changeme

  tower_image: ansible/awx:15.0.0

--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -19,7 +19,10 @@ tower_hostname: '{{ deployment_type }}.example.com'

 tower_admin_user: admin
 tower_admin_email: test@example.com
-tower_admin_password: changeme
+
+# Secret to lookup that provide the admin password
+#
+tower_admin_password_secret: ''

 tower_broadcast_websocket_secret: changeme

--- a/roles/installer/meta/main.yml
+++ b/roles/installer/meta/main.yml
@@ -29,3 +29,4 @@ dependencies: []

 collections:
  - community.kubernetes
+  - operator_sdk.util
--- a/roles/installer/tasks/admin_password_configuration.yml
+++ b/roles/installer/tasks/admin_password_configuration.yml
@@ -0,0 +1,51 @@
+---
+- name: Check for specified admin password configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_admin_password_secret }}'
+  register: _custom_admin_password
+  when: tower_admin_password_secret | length
+
+- name: Check for default admin password configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-admin-password'
+  register: _default_admin_password
+
+- name: Set admin password secret
+  set_fact:
+    _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
+
+- block:
+    - name: Create admin password secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_admin_password_secret.yaml.j2') }}"
+
+    - name: Read admin password secret
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-admin-password'
+      register: _generated_admin_password
+
+  when: not _admin_password_secret['resources'] | default([]) | length
+
+- name: Set admin password secret
+  set_fact:
+    admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
+
+- name: Store admin password
+  set_fact:
+    tower_admin_password: "{{ admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
+
+- name: Set admin password secret status
+  operator_sdk.util.k8s_status:
+    api_version: awx.ansible.com/v1beta1
+    kind: "{{ deployment_type | upper  }}"
+    name: "{{ meta.name  }}"
+    namespace: "{{ meta.namespace  }}"
+    status:
+      towerAdminPasswordSecret: "{{ admin_password_secret['resources'][0]['metadata']['name'] }}"
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -2,6 +2,9 @@
 - name: Include secret key configuration tasks
  include_tasks: secret_key_configuration.yml

+- name: Include admin password configuration tasks
+  include_tasks: admin_password_configuration.yml
+
 - name: Include database configuration tasks
  include_tasks: database_configuration.yml

--- a/roles/installer/templates/tower_admin_password_secret.yaml.j2
+++ b/roles/installer/templates/tower_admin_password_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-admin-password'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  password: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'