diff --git a/.yamllint b/.yamllint
index 24785e13..0556df0b 100644
--- a/.yamllint
+++ b/.yamllint
@@ -12,3 +12,8 @@ rules:
 truthy: disable
 line-length:
 max: 170
+ document-start: disable
+ comments-indentation: disable
+ indentation:
+ level: warning
+ indent-sequences: consistent
diff --git a/Dockerfile b/Dockerfile
index e928702e..d0a9a43f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/operator-framework/ansible-operator:v1.12.0
+FROM quay.io/operator-framework/ansible-operator:v1.22.2
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION
@@ -12,3 +12,8 @@ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
 COPY watches.yaml ${HOME}/watches.yaml
 COPY roles/ ${HOME}/roles/
 COPY playbooks/ ${HOME}/playbooks/
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", \
+ "--watches-file=./watches.yaml", \
+ "--reconcile-period=0s" \
+ ]
diff --git a/Makefile b/Makefile
index facfaef4..a91c93ec 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,17 @@ IMAGE_TAG_BASE ?= quay.io/ansible/awx-operator
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+ BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
@@ -56,6 +67,7 @@ CHART_REPO ?= awx-operator
 CHART_BRANCH ?= gh-pages
 CHART_INDEX ?= index.yaml
 
+.PHONY: all
 all: docker-build
 
 ##@ General
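Review bot: The new ENTRYPOINT replaces the base image's default without a comment saying why, and `--reconcile-period=0s` changes operator-wide reconcile behaviour that a reader cannot evaluate from the Dockerfile alone; it is not visible here whether 0s disables the periodic requeue or how it interacts with the per-kind reconcilePeriod in watches.yaml. Add a line above it such as `# Override the base image ENTRYPOINT: keep tini as PID 1, point at our watches file, and set the global reconcile period to 0s (see watches.yaml for per-resource periods)`, adjusted to whatever 0s actually means for this operator-sdk version. `--watches-file=./watches.yaml` is also resolved against the working directory inherited from the base image, while the COPY two lines above writes to `${HOME}/watches.yaml`; since the exec form cannot expand `${HOME}`, spelling out the absolute path the COPY targets would make the two lines agree.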
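Review bot: `ifeq ($(USE_IMAGE_DIGESTS), true)` is an exact string comparison, so `make bundle USE_IMAGE_DIGESTS=True` or `=1` silently falls back to tag-based references with no warning; `ifeq ($(strip $(USE_IMAGE_DIGESTS)),true)` at least tolerates stray whitespace, and the comment above it should say the accepted value is the literal `true`. Because the default is `false`, generated bundles reference images by mutable tag; the comment would be more useful as `# Set USE_IMAGE_DIGESTS=true for release bundles so the CSV pins images by immutable digest rather than by tag`. The `BUNDLE_GEN_FLAGS ?=` line references `$(BUNDLE_METADATA_OPTS)`, presumably defined elsewhere in the Makefile; it is not in this hunk.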
@@ -71,38 +83,47 @@ all: docker-build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 
+.PHONY: help
 help: ## Display this help.
 @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 ##@ Build
 
+.PHONY: run
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
 ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 
+.PHONY: docker-build
 docker-build: ## Build docker image with the manager.
 ${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
 
+.PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 ${CONTAINER_CMD} push ${IMG}
 
 ##@ Deployment
 
+.PHONY: install
 install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 $(KUSTOMIZE) build config/crd | kubectl apply -f -
 
+.PHONY: uninstall
 uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 $(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+.PHONY: gen-resources
 gen-resources: kustomize ## Generate resources for controller and print to stdout
 @cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 @cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 @$(KUSTOMIZE) build config/default
 
+.PHONY: deploy
 deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 @cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 @cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 @$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+.PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 @cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 $(KUSTOMIZE) build config/default | kubectl delete -f -
@@ -135,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
- curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
+ curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
 chmod +x $(ANSIBLE_OPERATOR) ;\
 }
 else
@@ -166,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(OPM)) ;\
- curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
+ curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCHA)-opm ;\
 chmod +x $(OPM) ;\
 }
 else
diff --git a/PROJECT b/PROJECT
index 1407704d..13ee26d7 100644
--- a/PROJECT
+++ b/PROJECT
@@ -13,4 +13,18 @@ resources:
 group: awx
 kind: AWX
 version: v1beta1
+- api:
+ crdVersion: v1
+ namespaced: true
+ domain: ansible.com
+ group: awx
+ kind: AWXBackup
+ version: v1beta1
+- api:
+ crdVersion: v1
+ namespaced: true
+ domain: ansible.com
+ group: awx
+ kind: AWXRestore
+ version: v1beta1
 version: "3"
diff --git a/config/crd/bases/awx.ansible.com_awxbackups.yaml b/config/crd/bases/awx.ansible.com_awxbackups.yaml
new file mode 100644
index 00000000..497feda0
--- /dev/null
+++ b/config/crd/bases/awx.ansible.com_awxbackups.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: awxbackups.awx.ansible.com
+spec:
+ group: awx.ansible.com
+ names:
+ kind: AWXBackup
+ listKind: AWXBackupList
+ plural: awxbackups
+ singular: awxbackup
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ description: Schema validation for the AWXBackup CRD
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - deployment_name
+ properties:
+ deployment_name:
+ description: Name of the deployment to be backed up
+ type: string
+ backup_pvc:
+ description: Name of the backup PVC
+ type: string
+ backup_pvc_namespace:
+ description: (Deprecated) Namespace the PVC is in
+ type: string
+ backup_storage_requirements:
+ description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
+ type: string
+ backup_storage_class:
+ description: Storage class to use when creating PVC for backup
+ type: string
+ clean_backup_on_delete:
+ description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
+ type: boolean
+ postgres_label_selector:
+ description: Label selector used to identify postgres pod for backing up data
+ type: string
+ postgres_image:
+ description: Registry path to the PostgreSQL container to use
+ type: string
+ postgres_image_version:
+ description: PostgreSQL container image version to use
+ type: string
+ no_log:
+ description: Configure no_log for no_log tasks
+ type: string
+ set_self_labels:
+ description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+ type: boolean
+ default: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ conditions:
+ description: The resulting conditions when a Service Telemetry is instantiated
+ items:
+ properties:
+ lastTransitionTime:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ type: object
+ type: array
+ backupDirectory:
+ description: Backup directory name on the specified pvc
+ type: string
+ backupClaim:
+ description: Backup persistent volume claim
+ type: string
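Review bot: The `status.conditions` description in this new CRD reads "The resulting conditions when a Service Telemetry is instantiated", which was evidently carried over from another operator and is what `kubectl explain awxbackup.status.conditions` will print; change it to `description: Conditions reported by the operator for this AWXBackup`. The same sentence appears in the awxrestores CRD added by this commit and in the awxs CRD hunk below, so fix it in all three. Separately, `no_log` is typed `string` while `clean_backup_on_delete` and `set_self_labels` are `boolean`; if the role reads it as a truthy value, a boolean type would let the API server reject typos instead of passing them through to the playbook, which is worth confirming against the role.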
diff --git a/config/crd/bases/awx.ansible.com_awxrestores.yaml b/config/crd/bases/awx.ansible.com_awxrestores.yaml
new file mode 100644
index 00000000..2c54f099
--- /dev/null
+++ b/config/crd/bases/awx.ansible.com_awxrestores.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: awxrestores.awx.ansible.com
+spec:
+ group: awx.ansible.com
+ names:
+ kind: AWXRestore
+ listKind: AWXRestoreList
+ plural: awxrestores
+ singular: awxrestore
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ description: Schema validation for the AWXRestore CRD
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ backup_source:
+ description: Backup source
+ type: string
+ enum:
+ - CR
+ - PVC
+ deployment_name:
+ description: Name of the restored deployment. This should be different from the original deployment name
+ if the original deployment still exists.
+ type: string
+ backup_name:
+ description: AWXBackup object name
+ type: string
+ backup_pvc:
+ description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
+ type: string
+ backup_pvc_namespace:
+ description: (Deprecated) Namespace the PVC is in
+ type: string
+ backup_dir:
+ description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
+ type: string
+ postgres_label_selector:
+ description: Label selector used to identify postgres pod for backing up data
+ type: string
+ postgres_image:
+ description: Registry path to the PostgreSQL container to use
+ type: string
+ postgres_image_version:
+ description: PostgreSQL container image version to use
+ type: string
+ no_log:
+ description: Configure no_log for no_log tasks
+ type: string
+ set_self_labels:
+ description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+ type: boolean
+ default: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ conditions:
+ description: The resulting conditions when a Service Telemetry is instantiated
+ items:
+ properties:
+ lastTransitionTime:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ type: object
+ type: array
+ restoreComplete:
+ description: Restore process complete
+ type: boolean
diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml
index 06399885..3706b030 100644
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
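Review bot: The AWXRestore `spec` declares no `required` list, unlike the AWXBackup CRD in this same commit which requires `deployment_name`, so an AWXRestore with no `deployment_name` and neither `backup_name` nor `backup_pvc`/`backup_dir` is admitted by the API server and can only fail later inside the role; add `required:` / `- deployment_name` under `spec` as awxbackups.yaml does, and consider `default: CR` on `backup_source` if that is what the role assumes when the field is unset. The `deployment_name` description says the name "should be different from the original deployment name if the original deployment still exists", which the schema cannot enforce; the description should say whether the role checks this or the user is expected to. `x-kubernetes-preserve-unknown-fields: true` on `spec` also means misspelled keys are stored silently rather than rejected, which is presumably deliberate for an ansible-operator CRD but deserves a one-line comment.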
@@ -12,540 +12,554 @@ spec: singular: awx scope: Namespaced versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - description: Schema validation for the AWX CRD - properties: - spec: - properties: - deployment_type: - description: Name of the deployment type + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: Schema validation for the AWX CRD + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + deployment_type: + description: Name of the deployment type + type: string + kind: + description: Kind of the deployment type + type: string + api_version: + description: apiVersion of the deployment type + type: string + task_privileged: + description: If a privileged security context should be enabled + type: boolean + default: false + admin_user: + description: Username to use for the admin account + type: string + default: admin + hostname: + description: The hostname of the instance + type: string + admin_email: + description: The admin user email + type: string + admin_password_secret: + description: Secret where the admin password can be found + type: string + postgres_configuration_secret: + description: Secret where the database configuration can be found + type: string + old_postgres_configuration_secret: + description: Secret where the old database configuration can be found for data migration + type: string + postgres_label_selector: + description: Label selector used to identify postgres pod for data migration + type: string + secret_key_secret: + description: Secret where the secret key can be found + type: string + broadcast_websocket_secret: + description: Secret where the broadcast websocket secret can be found + type: string + extra_volumes: + description: Specify extra volumes to add to the application pod + type: string + service_annotations: + description: Annotations to add to the service + type: string + service_type: + description: The service type to be used on the deployed instance + type: string + enum: + - LoadBalancer + - loadbalancer + - ClusterIP + - clusterip + - NodePort + - nodeport + ingress_type: + description: The ingress type to use to reach the deployed instance + type: string + enum: + - none + - Ingress + - ingress + - Route + - route + ingress_path: + 
description: The ingress path used to reach the deployed service + type: string + ingress_path_type: + description: The ingress path type for the deployed service + type: string + ingress_annotations: + description: Annotations to add to the Ingress Controller + type: string + ingress_tls_secret: + description: Secret where the Ingress TLS secret can be found + type: string + loadbalancer_protocol: + description: Protocol to use for the loadbalancer + type: string + default: http + enum: + - http + - https + loadbalancer_port: + description: Port to use for the loadbalancer + type: integer + default: 80 + route_host: + description: The DNS to use to points to the instance + type: string + route_tls_termination_mechanism: + description: The secure TLS termination mechanism to use + type: string + default: Edge + enum: + - Edge + - edge + - Passthrough + - passthrough + route_tls_secret: + description: Secret where the TLS related credentials are stored + type: string + nodeport_port: + description: Port to use for the nodeport + type: integer + default: 30080 + node_selector: + description: nodeSelector for the pods + type: string + topology_spread_constraints: + description: topology rule(s) for the pods + type: string + service_labels: + description: Additional labels to apply to the service + type: string + annotations: + description: annotations for the pods + type: string + tolerations: + description: node tolerations for the pods + type: string + image: + description: Registry path to the application container to use + type: string + image_version: + description: Application container image version to use + type: string + ee_images: + description: Registry path to the Execution Environment container to use + type: array + items: + type: object + properties: + name: + type: string + image: + type: string + control_plane_ee_image: + description: Registry path to the Execution Environment container image to use on control plane pods + type: string + 
control_plane_priority_class: + description: Assign a preexisting priority class to the control plane pods + type: string + ee_pull_credentials_secret: + description: Secret where pull credentials for registered ees can be found + type: string + image_pull_policy: + description: The image pull policy + type: string + default: IfNotPresent + enum: + - Always + - always + - Never + - never + - IfNotPresent + - ifnotpresent + image_pull_secrets: + description: Image pull secrets for app and database containers + type: array + items: type: string - kind: - description: Kind of the deployment type - type: string - api_version: - description: apiVersion of the deployment type - type: string - task_privileged: - description: If a privileged security context should be enabled - type: boolean - default: false - admin_user: - description: Username to use for the admin account - type: string - default: admin - hostname: - description: The hostname of the instance - type: string - admin_email: - description: The admin user email - type: string - admin_password_secret: - description: Secret where the admin password can be found - type: string - postgres_configuration_secret: - description: Secret where the database configuration can be found - type: string - old_postgres_configuration_secret: - description: Secret where the old database configuration can be found for data migration - type: string - postgres_label_selector: - description: Label selector used to identify postgres pod for data migration - type: string - secret_key_secret: - description: Secret where the secret key can be found - type: string - broadcast_websocket_secret: - description: Secret where the broadcast websocket secret can be found - type: string - extra_volumes: - description: Specify extra volumes to add to the application pod - type: string - service_annotations: - description: Annotations to add to the service - type: string - service_type: - description: The service type to be used on the deployed 
instance - type: string - enum: - - LoadBalancer - - loadbalancer - - ClusterIP - - clusterip - - NodePort - - nodeport - ingress_type: - description: The ingress type to use to reach the deployed instance - type: string - enum: - - none - - Ingress - - ingress - - Route - - route - ingress_path: - description: The ingress path used to reach the deployed service - type: string - ingress_path_type: - description: The ingress path type for the deployed service - type: string - ingress_annotations: - description: Annotations to add to the Ingress Controller - type: string - ingress_tls_secret: - description: Secret where the Ingress TLS secret can be found - type: string - loadbalancer_protocol: - description: Protocol to use for the loadbalancer - type: string - default: http - enum: - - http - - https - loadbalancer_port: - description: Port to use for the loadbalancer - type: integer - default: 80 - route_host: - description: The DNS to use to points to the instance - type: string - route_tls_termination_mechanism: - description: The secure TLS termination mechanism to use - type: string - default: Edge - enum: - - Edge - - edge - - Passthrough - - passthrough - route_tls_secret: - description: Secret where the TLS related credentials are stored - type: string - nodeport_port: - description: Port to use for the nodeport - type: integer - default: 30080 - node_selector: - description: nodeSelector for the pods - type: string - topology_spread_constraints: - description: topology rule(s) for the pods - type: string - service_labels: - description: Additional labels to apply to the service - type: string - annotations: - description: annotations for the pods - type: string - tolerations: - description: node tolerations for the pods - type: string - image: - description: Registry path to the application container to use - type: string - image_version: - description: Application container image version to use - type: string - ee_images: - description: Registry path to 
the Execution Environment container to use - type: array - items: - type: object + image_pull_secret: # deprecated + description: (Deprecated) Image pull secret for app and database containers + type: string + task_resource_requirements: + description: Resource requirements for the task container + properties: + requests: properties: - name: + cpu: type: string - image: + memory: type: string - control_plane_ee_image: - description: Registry path to the Execution Environment container image to use on control plane pods - type: string - control_plane_priority_class: - description: Assign a preexisting priority class to the control plane pods - type: string - ee_pull_credentials_secret: - description: Secret where pull credentials for registered ees can be found - type: string - image_pull_policy: - description: The image pull policy - type: string - default: IfNotPresent - enum: - - Always - - always - - Never - - never - - IfNotPresent - - ifnotpresent - image_pull_secrets: - description: Image pull secrets for app and database containers - type: array - items: - type: string - image_pull_secret: # deprecated - description: (Deprecated) Image pull secret for app and database containers - type: string - task_resource_requirements: - description: Resource requirements for the task container - properties: - requests: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - type: object - web_resource_requirements: - description: Resource requirements for the web container - properties: - requests: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - type: object - ee_resource_requirements: - description: Resource requirements for the ee container - 
properties: - requests: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - type: object - postgres_init_container_resource_requirements: - description: Resource requirements for the postgres init container - properties: - requests: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - type: object - redis_resource_requirements: - description: Resource requirements for the redis container - properties: - requests: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - storage: - type: string - type: object - type: object - service_account_annotations: - description: ServiceAccount annotations - type: string - replicas: - description: Number of instance replicas - type: integer - default: 1 - format: int32 - garbage_collect_secrets: - description: Whether or not to remove secrets upon instance removal - default: false - type: boolean - create_preload_data: - description: Whether or not to preload data upon instance creation - default: true - type: boolean - task_args: - type: array - items: - type: string - task_command: - type: array - items: - type: string - web_args: - type: array - items: - type: string - web_command: - type: array - items: - type: string - task_extra_env: - type: string - web_extra_env: - type: string - ee_extra_env: - type: string - ee_extra_volume_mounts: - description: Specify volume mounts to be added to Execution container - type: string - task_extra_volume_mounts: - description: Specify volume mounts to be added to Task container - type: string - web_extra_volume_mounts: - description: Specify volume 
mounts to be added to the Web container - type: string - redis_image: - description: Registry path to the redis container to use - type: string - redis_image_version: - description: Redis container image version to use - type: string - redis_capabilities: - description: Redis container capabilities - type: array - items: - type: string - init_container_image: - description: Registry path to the init container to use - type: string - init_container_image_version: - description: Init container image version to use - type: string - init_container_extra_commands: - description: Extra commands for the init container - type: string - init_container_extra_volume_mounts: - description: Specify volume mounts to be added to the init container - type: string - postgres_image: - description: Registry path to the PostgreSQL container to use - type: string - postgres_image_version: - description: PostgreSQL container image version to use - type: string - postgres_selector: - description: nodeSelector for the Postgres pods - type: string - postgres_keep_pvc_after_upgrade: - description: Specify whether or not to keep the old PVC after PostgreSQL upgrades - type: boolean - postgres_tolerations: - description: node tolerations for the Postgres pods - type: string - postgres_storage_requirements: - description: Storage requirements for the PostgreSQL container - properties: - requests: - properties: - storage: - type: string - type: object - limits: - properties: - storage: - type: string - type: object - type: object - postgres_resource_requirements: - description: Resource requirements for the PostgreSQL container - properties: - requests: - properties: - cpu: - type: string - memory: - type: string - type: object - limits: - properties: - cpu: - type: string - memory: - type: string - type: object - type: object - postgres_storage_class: - description: Storage class to use for the PostgreSQL PVC - type: string - postgres_priority_class: - description: Assign a preexisting 
priority class to the postgres pod - type: string - postgres_data_path: - description: Path where the PostgreSQL data are located - type: string - postgres_extra_args: - type: array - items: - type: string - ca_trust_bundle: - description: Path where the trusted CA bundle is available - type: string - development_mode: - description: If the deployment should be done in development mode - type: boolean - ldap_cacert_secret: - description: Secret where can be found the LDAP trusted Certificate Authority Bundle - type: string - ldap_password_secret: - description: Secret where can be found the LDAP bind password - type: string - bundle_cacert_secret: - description: Secret where can be found the trusted Certificate Authority Bundle - type: string - projects_persistence: - description: Whether or not the /var/lib/projects directory will be persistent - default: false - type: boolean - projects_use_existing_claim: - description: Using existing PersistentVolumeClaim - type: string - enum: - - _Yes_ - - _No_ - projects_existing_claim: - description: PersistentVolumeClaim to mount /var/lib/projects directory - type: string - projects_storage_class: - description: Storage class for the /var/lib/projects PersistentVolumeClaim - type: string - projects_storage_size: - description: Size for the /var/lib/projects PersistentVolumeClaim - default: 8Gi - type: string - projects_storage_access_mode: - description: AccessMode for the /var/lib/projects PersistentVolumeClaim - default: ReadWriteMany - type: string - csrf_cookie_secure: - description: Set csrf cookie secure mode for web - type: string - session_cookie_secure: - description: Set session cookie secure mode for web - type: string - extra_settings: - description: Extra settings to specify for the API - items: - properties: - setting: - type: string - value: - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - no_log: - description: Configure no_log for no_log tasks - type: string - 
security_context_settings: - description: Key/values that will be set under the pod-level securityContext field - type: object - x-kubernetes-preserve-unknown-fields: true - auto_upgrade: - description: Should AWX instances be automatically upgraded when operator gets upgraded - type: boolean - default: true - set_self_labels: - description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self) - type: boolean - default: true - type: object - status: - properties: - URL: - description: URL to access the deployed instance - type: string - adminUser: - description: Admin user of the deployed instance - type: string - adminPasswordSecret: - description: Admin password secret name of the deployed instance - type: string - postgresConfigurationSecret: - description: Postgres Configuration secret name of the deployed instance - type: string - broadcastWebsocketSecret: - description: Broadcast websocket secret name of the deployed instance - type: string - secretKeySecret: - description: Secret key secret name of the deployed instance - type: string - migratedFromSecret: - description: The secret used for migrating an old instance - type: string - upgradedPostgresVersion: - description: Status to indicate that the database has been upgraded to the version in the status - type: string - version: - description: Version of the deployed instance - type: string - image: - description: URL of the image used for the deployed instance - type: string - conditions: - description: The resulting conditions when a Service Telemetry is instantiated - items: - properties: - status: - type: string - type: - type: string - reason: - type: string - lastTransitionTime: + storage: type: string type: object - type: array - type: object - type: object + limits: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + type: object + web_resource_requirements: + description: Resource requirements for the web container 
+ properties: + requests: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + limits: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + type: object + ee_resource_requirements: + description: Resource requirements for the ee container + properties: + requests: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + limits: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + type: object + postgres_init_container_resource_requirements: + description: Resource requirements for the postgres init container + properties: + requests: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + limits: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + type: object + redis_resource_requirements: + description: Resource requirements for the redis container + properties: + requests: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + limits: + properties: + cpu: + type: string + memory: + type: string + storage: + type: string + type: object + type: object + service_account_annotations: + description: ServiceAccount annotations + type: string + replicas: + description: Number of instance replicas + type: integer + default: 1 + format: int32 + garbage_collect_secrets: + description: Whether or not to remove secrets upon instance removal + default: false + type: boolean + create_preload_data: + description: Whether or not to preload data upon instance creation + default: true + type: boolean + task_args: + type: array + items: + type: string + task_command: + type: array + items: + type: string + web_args: + type: array + items: + type: string + web_command: + type: array + items: + type: string + task_extra_env: + type: string 
+ web_extra_env: + type: string + ee_extra_env: + type: string + ee_extra_volume_mounts: + description: Specify volume mounts to be added to Execution container + type: string + task_extra_volume_mounts: + description: Specify volume mounts to be added to Task container + type: string + web_extra_volume_mounts: + description: Specify volume mounts to be added to the Web container + type: string + redis_image: + description: Registry path to the redis container to use + type: string + redis_image_version: + description: Redis container image version to use + type: string + redis_capabilities: + description: Redis container capabilities + type: array + items: + type: string + init_container_image: + description: Registry path to the init container to use + type: string + init_container_image_version: + description: Init container image version to use + type: string + init_container_extra_commands: + description: Extra commands for the init container + type: string + init_container_extra_volume_mounts: + description: Specify volume mounts to be added to the init container + type: string + postgres_image: + description: Registry path to the PostgreSQL container to use + type: string + postgres_image_version: + description: PostgreSQL container image version to use + type: string + postgres_selector: + description: nodeSelector for the Postgres pods + type: string + postgres_keep_pvc_after_upgrade: + description: Specify whether or not to keep the old PVC after PostgreSQL upgrades + type: boolean + postgres_tolerations: + description: node tolerations for the Postgres pods + type: string + postgres_storage_requirements: + description: Storage requirements for the PostgreSQL container + properties: + requests: + properties: + storage: + type: string + type: object + limits: + properties: + storage: + type: string + type: object + type: object + postgres_resource_requirements: + description: Resource requirements for the PostgreSQL container + properties: + requests: + 
properties: + cpu: + type: string + memory: + type: string + type: object + limits: + properties: + cpu: + type: string + memory: + type: string + type: object + type: object + postgres_storage_class: + description: Storage class to use for the PostgreSQL PVC + type: string + postgres_priority_class: + description: Assign a preexisting priority class to the postgres pod + type: string + postgres_data_path: + description: Path where the PostgreSQL data are located + type: string + postgres_extra_args: + type: array + items: + type: string + ca_trust_bundle: + description: Path where the trusted CA bundle is available + type: string + development_mode: + description: If the deployment should be done in development mode + type: boolean + ldap_cacert_secret: + description: Secret where can be found the LDAP trusted Certificate Authority Bundle + type: string + ldap_password_secret: + description: Secret where can be found the LDAP bind password + type: string + bundle_cacert_secret: + description: Secret where can be found the trusted Certificate Authority Bundle + type: string + projects_persistence: + description: Whether or not the /var/lib/projects directory will be persistent + default: false + type: boolean + projects_use_existing_claim: + description: Using existing PersistentVolumeClaim + type: string + enum: + - _Yes_ + - _No_ + projects_existing_claim: + description: PersistentVolumeClaim to mount /var/lib/projects directory + type: string + projects_storage_class: + description: Storage class for the /var/lib/projects PersistentVolumeClaim + type: string + projects_storage_size: + description: Size for the /var/lib/projects PersistentVolumeClaim + default: 8Gi + type: string + projects_storage_access_mode: + description: AccessMode for the /var/lib/projects PersistentVolumeClaim + default: ReadWriteMany + type: string + csrf_cookie_secure: + description: Set csrf cookie secure mode for web + type: string + session_cookie_secure: + description: Set session 
cookie secure mode for web + type: string + extra_settings: + description: Extra settings to specify for the API + items: + properties: + setting: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + no_log: + description: Configure no_log for no_log tasks + type: string + security_context_settings: + description: Key/values that will be set under the pod-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true + auto_upgrade: + description: Should AWX instances be automatically upgraded when operator gets upgraded + type: boolean + default: true + set_self_labels: + description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self) + type: boolean + default: true + type: object + status: + properties: + URL: + description: URL to access the deployed instance + type: string + adminUser: + description: Admin user of the deployed instance + type: string + adminPasswordSecret: + description: Admin password secret name of the deployed instance + type: string + postgresConfigurationSecret: + description: Postgres Configuration secret name of the deployed instance + type: string + broadcastWebsocketSecret: + description: Broadcast websocket secret name of the deployed instance + type: string + secretKeySecret: + description: Secret key secret name of the deployed instance + type: string + migratedFromSecret: + description: The secret used for migrating an old instance + type: string + upgradedPostgresVersion: + description: Status to indicate that the database has been upgraded to the version in the status + type: string + version: + description: Version of the deployed instance + type: string + image: + description: URL of the image used for the deployed instance + type: string + conditions: + description: The resulting conditions when a Service Telemetry is instantiated + items: + properties: + status: + type: string + type: + type: string + reason: + type: 
string + lastTransitionTime: + type: string + type: object + type: array + type: object + type: object diff --git a/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml b/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml deleted file mode 100644 index 27699e05..00000000 --- a/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: awxbackups.awx.ansible.com -spec: - group: awx.ansible.com - names: - kind: AWXBackup - listKind: AWXBackupList - plural: awxbackups - singular: awxbackup - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - description: Schema validation for the AWXBackup CRD - properties: - spec: - type: object - required: - - deployment_name - properties: - deployment_name: - description: Name of the deployment to be backed up - type: string - backup_pvc: - description: Name of the backup PVC - type: string - backup_pvc_namespace: - description: (Deprecated) Namespace the PVC is in - type: string - backup_storage_requirements: - description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from) - type: string - backup_storage_class: - description: Storage class to use when creating PVC for backup - type: string - clean_backup_on_delete: - description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted - type: boolean - postgres_label_selector: - description: Label selector used to identify postgres pod for backing up data - type: string - postgres_image: - description: Registry path to the PostgreSQL container to use - type: string - postgres_image_version: - description: PostgreSQL container image version to use - type: string - no_log: - description: Configure no_log for no_log tasks - type: string - set_self_labels: - description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self) - type: boolean - default: true - status: - type: object - properties: - conditions: - description: The resulting conditions when a Service Telemetry is instantiated - items: - properties: - lastTransitionTime: - type: string - reason: - 
type: string - status: - type: string - type: - type: string - type: object - type: array - backupDirectory: - description: Backup directory name on the specified pvc - type: string - backupClaim: - description: Backup persistent volume claim - type: string diff --git a/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml b/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml deleted file mode 100644 index 5a3640ae..00000000 --- a/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: awxrestores.awx.ansible.com -spec: - group: awx.ansible.com - names: - kind: AWXRestore - listKind: AWXRestoreList - plural: awxrestores - singular: awxrestore - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - description: Schema validation for the AWXRestore CRD - properties: - spec: - type: object - properties: - backup_source: - description: Backup source - type: string - enum: - - CR - - PVC - deployment_name: - description: Name of the restored deployment. This should be different from the original deployment name - if the original deployment still exists. - type: string - backup_name: - description: AWXBackup object name - type: string - backup_pvc: - description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim) - type: string - backup_pvc_namespace: - description: (Deprecated) Namespace the PVC is in - type: string - backup_dir: - description: Backup directory name, set as a status found on the awxbackup object (backupDirectory) - type: string - postgres_label_selector: - description: Label selector used to identify postgres pod for backing up data - type: string - postgres_image: - description: Registry path to the PostgreSQL container to use - type: string - postgres_image_version: - description: PostgreSQL container image version to use - type: string - no_log: - description: Configure no_log for no_log tasks - type: string - set_self_labels: - description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self) - type: boolean - default: true - status: - type: object - properties: - conditions: - description: The resulting conditions when a Service Telemetry is instantiated - items: - properties: - lastTransitionTime: - 
type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - restoreComplete: - description: Restore process complete - type: boolean diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 4a700296..166d9f09 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -1,9 +1,8 @@ ---- # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default resources: - - bases/awx.ansible.com_awxs.yaml - - bases/awxbackup.ansible.com_awxbackups.yaml - - bases/awxrestore.ansible.com_awxrestores.yaml -# +kubebuilder:scaffold:crdkustomizeresource +- bases/awx.ansible.com_awxs.yaml +- bases/awx.ansible.com_awxbackups.yaml +- bases/awx.ansible.com_awxrestores.yaml +#+kubebuilder:scaffold:crdkustomizeresource diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f5ebf777..ab706e4d 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -1,24 +1,30 @@ # Adds namespace to all resources. namespace: awx + # Value of this field is prepended to the # names of all resources, e.g. a deployment named # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. namePrefix: awx-operator- + # Labels to add to all resources and selectors. -# commonLabels: -# someName: someValue - # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. - # - ../prometheus - # Protect the /metrics endpoint by putting it behind auth. - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, please comment the following line. -patchesStrategicMerge: -- manager_auth_proxy_patch.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: +#commonLabels: +# someName: someValue + +bases: - ../crd - ../rbac - ../manager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus + +patchesStrategicMerge: +# Protect the /metrics endpoint by putting it behind auth. +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, please comment the following line. +- manager_auth_proxy_patch.yaml + +# Mount the controller config file for loading manager configurations +# through a ComponentConfig type +#- manager_config_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 4b913f7b..6baafc01 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -1,4 +1,3 @@ ---- # This patch inject a sidecar container which is a HTTP proxy for the # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 
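Review bot: The rewritten config/default/kustomization.yaml lists `../crd`, `../rbac` and `../manager` under `bases:`, but `bases` is deprecated in kustomize in favour of `resources`, which is exactly what the removed lines used; keep `resources:` with the same three entries. The rewrite also drops `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization`, while config/manager/kustomization.yaml later in this diff keeps both lines as context; confirm the omission is intended, otherwise restore them for consistency across the config tree. Re-enabling `manager_auth_proxy_patch.yaml` under `patchesStrategicMerge:` with the explanatory comment above it is the right placement.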
@@ -10,20 +9,33 @@ spec: template: spec: containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - protocol: TCP - name: https - - name: awx-manager - args: - - "--health-probe-bind-address=:6789" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" - - "--leader-election-id=awx-operator" + - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + # TODO(user): uncomment for common cases that do not require escalating privileges + # capabilities: + # drop: + # - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=0" + ports: + - containerPort: 8443 + protocol: TCP + name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + - name: awx-manager + args: + - "--health-probe-bind-address=:6789" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" + - "--leader-election-id=awx-operator" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index 9a2c0072..f99057d2 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: 
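Review bot: The kube-rbac-proxy container's new `securityContext` leaves the capability drop commented out behind a `# TODO(user)` scaffold note, although the awx-manager container in config/manager/manager.yaml (later in this diff) drops all capabilities unconditionally. The proxy only listens on 8443 and forwards to 127.0.0.1:8080, so it needs no Linux capabilities; activate the block as `capabilities:` / `drop:` / `- "ALL"` beneath `allowPrivilegeEscalation: false` and delete the TODO line. Whether `readOnlyRootFilesystem: true` is also safe for this container is worth confirming — nothing visible in the patch shows the proxy writing to its filesystem, but that is inferred rather than established here.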
@@ -8,14 +7,14 @@ spec: template: spec: containers: - - name: awx-manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: awx-manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: + - name: awx-manager + args: + - "--config=controller_manager_config.yaml" + volumeMounts: - name: awx-manager-config - configMap: - name: awx-manager-config + mountPath: /controller_manager_config.yaml + subPath: controller_manager_config.yaml + volumes: + - name: awx-manager-config + configMap: + name: awx-manager-config diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml index a261f45a..2e9b6bae 100644 --- a/config/manager/controller_manager_config.yaml +++ b/config/manager/controller_manager_config.yaml @@ -1,10 +1,20 @@ ---- -apiVersion: controller-runtime.sigs.k8s.io/v1beta1 +apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 kind: ControllerManagerConfig health: healthProbeBindAddress: :6789 metrics: bindAddress: 127.0.0.1:8080 + leaderElection: leaderElect: true resourceName: 811c9dc5.ansible.com +# leaderElectionReleaseOnCancel defines if the leader should step down volume +# when the Manager ends. This requires the binary to immediately end when the +# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly +# speeds up voluntary leader transitions as the new leader don't have to wait +# LeaseDuration time first. +# In the default scaffold provided, the program ends immediately after +# the manager stops, so would be fine to enable this option. However, +# if you are doing or is intended to do any operation such as perform cleanups +# after the manager stops then its usage might be unsafe. +# leaderElectionReleaseOnCancel: true diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 260f8f08..995c877c 100644 --- a/config/manager/kustomization.yaml 
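Review bot: The comment block added at the end of config/manager/controller_manager_config.yaml has wording defects: `# leaderElectionReleaseOnCancel defines if the leader should step down volume` should read `step down voluntarily`, and `the new leader don't have to wait` should be `does not have to wait`. The `apiVersion` move from `v1beta1` to `v1alpha1` reads like a downgrade; it presumably tracks the ComponentConfig version operator-sdk scaffolds, and a one-line comment above it saying so would spare the next reader the same double-take. Note that this file is only consumed when `manager_config_patch.yaml` is enabled, and that patch stays commented out in config/default/kustomization.yaml in this same diff.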
+++ b/config/manager/kustomization.yaml @@ -1,11 +1,14 @@ resources: - manager.yaml + generatorOptions: disableNameSuffixHash: true + configMapGenerator: -- files: +- name: awx-manager-config + files: - controller_manager_config.yaml - name: awx-manager-config + apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index d836cc1a..e0c298ca 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -20,48 +20,62 @@ spec: replicas: 1 template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: securityContext: runAsNonRoot: true + # For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. + # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault containers: - - args: - - --leader-elect - - --leader-election-id=awx-operator - image: controller:latest - name: awx-manager - env: - - name: ANSIBLE_GATHERING - value: explicit - - name: ANSIBLE_DEBUG_LOGS - value: 'false' - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - livenessProbe: - httpGet: - path: /healthz - port: 6789 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 6789 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - memory: "32Mi" - cpu: "50m" - limits: - memory: "4096Mi" - cpu: "2000m" + - args: + - --leader-elect + - --leader-election-id=awx-operator + image: controller:latest + name: awx-manager + env: + - name: ANSIBLE_GATHERING + value: explicit + - name: ANSIBLE_DEBUG_LOGS + value: 'false' + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + # TODO(user): uncomment for common cases that do not require escalating privileges + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 6789 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 6789 + 
initialDelaySeconds: 5 + periodSeconds: 10 + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "4096Mi" + cpu: "2000m" serviceAccountName: controller-manager imagePullSecrets: - - name: redhat-operators-pull-secret + - name: redhat-operators-pull-secret terminationGracePeriodSeconds: 10 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 777156ba..b484d72d 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -1,8 +1,7 @@ ---- # These resources constitute the fully configured set of manifests # used to generate the 'manifests/' directory in a bundle. resources: - - bases/awx-operator.clusterserviceversion.yaml - - ../default - - ../samples - - ../scorecard +- bases/awx-operator.clusterserviceversion.yaml +- ../default +- ../samples +- ../scorecard diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml index c4aaaee0..ed137168 100644 --- a/config/prometheus/kustomization.yaml +++ b/config/prometheus/kustomization.yaml @@ -1,3 +1,2 @@ ---- resources: - - monitor.yaml +- monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index a5bd8b17..6812d4d5 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -1,4 +1,3 @@ ---- # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml index 8e6154f3..51a75db4 100644 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/config/rbac/auth_proxy_client_clusterrole.yaml @@ -1,10 +1,9 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: metrics-reader rules: - - nonResourceURLs: - - "/metrics" - verbs: - - get +- nonResourceURLs: + - "/metrics" + verbs: + - get 
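Review bot: The new pod annotation `kubectl.kubernetes.io/default-container: manager` names a container that does not exist in this Deployment — the only manager container is `name: awx-manager` (the auth-proxy patch adds `kube-rbac-proxy`), so kubectl will not default to it; change it to `kubectl.kubernetes.io/default-container: awx-manager`. The `# TODO(user): uncomment for common cases that do not require escalating privileges` line above `capabilities:` is stale because the `drop:` / `- "ALL"` block beneath it is already active; delete the comment so it does not suggest the hardening is still pending. The pod-level `seccompProfile: type: RuntimeDefault` stays commented out; if the supported platform floor allows it (the scaffold comment cites Kubernetes < 1.19 and OpenShift < 4.11 as the reason to leave it off), enabling it completes the restricted Pod Security Standard the comment links to. The Deployment's `metadata`/`spec` header lies above this hunk.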
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml index 449cb4bf..80e1857c 100644 --- a/config/rbac/auth_proxy_role.yaml +++ b/config/rbac/auth_proxy_role.yaml @@ -1,18 +1,17 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: proxy-role rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml index 08cb903f..ec7acc0a 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/config/rbac/auth_proxy_role_binding.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8,6 +7,6 @@ roleRef: kind: ClusterRole name: proxy-role subjects: - - kind: ServiceAccount - name: controller-manager - namespace: system +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index bb2ed2cf..71f17972 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: Service metadata: @@ -8,9 +7,9 @@ metadata: namespace: system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https + - name: https + port: 8443 + protocol: TCP + targetPort: https selector: control-plane: controller-manager diff --git a/config/rbac/awx_editor_role.yaml b/config/rbac/awx_editor_role.yaml index 8994f52f..908ba1f2 100644 --- a/config/rbac/awx_editor_role.yaml +++ b/config/rbac/awx_editor_role.yaml 
@@ -1,25 +1,24 @@ ---- # permissions for end users to edit awxs. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: awx-editor-role rules: - - apiGroups: - - awx.ansible.com - resources: - - awxs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - awx.ansible.com - resources: - - awxs/status - verbs: - - get +- apiGroups: + - awx.ansible.com + resources: + - awxs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxs/status + verbs: + - get diff --git a/config/rbac/awx_viewer_role.yaml b/config/rbac/awx_viewer_role.yaml index d5e31a6b..925b5175 100644 --- a/config/rbac/awx_viewer_role.yaml +++ b/config/rbac/awx_viewer_role.yaml @@ -1,21 +1,20 @@ ---- # permissions for end users to view awxs. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: awx-viewer-role rules: - - apiGroups: - - awx.ansible.com - resources: - - awxs - verbs: - - get - - list - - watch - - apiGroups: - - awx.ansible.com - resources: - - awxs/status - verbs: - - get +- apiGroups: + - awx.ansible.com + resources: + - awxs + verbs: + - get + - list + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxs/status + verbs: + - get diff --git a/config/rbac/awxbackup_editor_role.yaml b/config/rbac/awxbackup_editor_role.yaml new file mode 100644 index 00000000..95261725 --- /dev/null +++ b/config/rbac/awxbackup_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit awxbackups. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: awxbackup-editor-role +rules: +- apiGroups: + - awx.ansible.com + resources: + - awxbackups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxbackups/status + verbs: + - get 
diff --git a/config/rbac/awxbackup_viewer_role.yaml b/config/rbac/awxbackup_viewer_role.yaml new file mode 100644 index 00000000..d0a6d589 --- /dev/null +++ b/config/rbac/awxbackup_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view awxbackups. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: awxbackup-viewer-role +rules: +- apiGroups: + - awx.ansible.com + resources: + - awxbackups + verbs: + - get + - list + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxbackups/status + verbs: + - get diff --git a/config/rbac/awxrestore_editor_role.yaml b/config/rbac/awxrestore_editor_role.yaml new file mode 100644 index 00000000..7878c1d2 --- /dev/null +++ b/config/rbac/awxrestore_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit awxrestores. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: awxrestore-editor-role +rules: +- apiGroups: + - awx.ansible.com + resources: + - awxrestores + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxrestores/status + verbs: + - get diff --git a/config/rbac/awxrestore_viewer_role.yaml b/config/rbac/awxrestore_viewer_role.yaml new file mode 100644 index 00000000..d905a08c --- /dev/null +++ b/config/rbac/awxrestore_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view awxrestores. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: awxrestore-viewer-role +rules: +- apiGroups: + - awx.ansible.com + resources: + - awxrestores + verbs: + - get + - list + - watch +- apiGroups: + - awx.ansible.com + resources: + - awxrestores/status + verbs: + - get diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index f4afe7a4..731832a6 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -1,19 +1,18 @@ ---- resources: - # All RBAC will be applied under this service account in - # the deployment namespace. You may comment out this resource - # if your manager will use a service account that exists at - # runtime. Be sure to update RoleBinding and ClusterRoleBinding - # subjects if changing service account names. - - service_account.yaml - - role.yaml - - role_binding.yaml - - leader_election_role.yaml - - leader_election_role_binding.yaml - # Comment the following 4 lines if you want to disable - # the auth proxy (https://github.com/brancz/kube-rbac-proxy) - # which protects your /metrics endpoint. - - auth_proxy_service.yaml - - auth_proxy_role.yaml - - auth_proxy_role_binding.yaml - - auth_proxy_client_clusterrole.yaml +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 19d17762..4190ec80 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml 
@@ -1,38 +1,37 @@ ---- # permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: leader-election-role rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index c536feb4..1d1321ed 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -8,6 +7,6 @@ roleRef: kind: Role name: leader-election-role subjects: - - kind: ServiceAccount - name: controller-manager - namespace: system +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index a1ae812d..7cd6025b 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/config/samples/awx_v1beta1_awxbackup.yaml b/config/samples/awx_v1beta1_awxbackup.yaml new file mode 100644 index 00000000..b617c051 --- /dev/null +++ b/config/samples/awx_v1beta1_awxbackup.yaml 
@@ -0,0 +1,6 @@ +apiVersion: awx.ansible.com/v1beta1 +kind: AWXBackup +metadata: + name: example-awx-backup +spec: + deployment_name: example-awx diff --git a/config/samples/awx_v1beta1_awxrestore.yaml b/config/samples/awx_v1beta1_awxrestore.yaml new file mode 100644 index 00000000..bc05e8c9 --- /dev/null +++ b/config/samples/awx_v1beta1_awxrestore.yaml @@ -0,0 +1,7 @@ +apiVersion: awx.ansible.com/v1beta1 +kind: AWXRestore +metadata: + name: awxrestore-sample +spec: + deployment_name: example-awx-2 + backup_name: example-awx-backup diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index d4af7e2a..0dc07e09 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml @@ -1,5 +1,6 @@ ---- ## Append samples you want in your CSV to this file as resources ## resources: - - awx_v1beta1_awx.yaml -# +kubebuilder:scaffold:manifestskustomizesamples +- awx_v1beta1_awx.yaml +- awx_v1beta1_awxbackup.yaml +- awx_v1beta1_awxrestore.yaml +#+kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/scorecard/bases/config.yaml b/config/scorecard/bases/config.yaml index 0907f0f7..c7704784 100644 --- a/config/scorecard/bases/config.yaml +++ b/config/scorecard/bases/config.yaml @@ -1,8 +1,7 @@ ---- apiVersion: scorecard.operatorframework.io/v1alpha3 kind: Configuration metadata: name: config stages: - - parallel: true - tests: [] +- parallel: true + tests: [] diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml index 8f683c0d..50cd2d08 100644 --- a/config/scorecard/kustomization.yaml +++ b/config/scorecard/kustomization.yaml 
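Review bot: The new AWXRestore sample is named `awxrestore-sample` while the AWXBackup sample in the preceding hunk follows the `example-awx-*` scheme (`example-awx-backup`, restored deployment `example-awx-2`); for consistency use `name: example-awx-restore`. Both samples are appended to config/samples/kustomization.yaml on this same line, whose header comment says the listed resources feed the CSV, so the names will be user-visible in the generated bundle.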
@@ -1,17 +1,16 @@ ---- resources: - - bases/config.yaml +- bases/config.yaml patchesJson6902: - - path: patches/basic.config.yaml - target: - group: scorecard.operatorframework.io - version: v1alpha3 - kind: Configuration - name: config - - path: patches/olm.config.yaml - target: - group: scorecard.operatorframework.io - version: v1alpha3 - kind: Configuration - name: config -# +kubebuilder:scaffold:patchesJson6902 +- path: patches/basic.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +- path: patches/olm.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +#+kubebuilder:scaffold:patchesJson6902 diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index 9e486c80..4a6c8167 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -1,11 +1,10 @@ ---- - op: add path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index ae9921ee..c342410a 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -1,11 +1,10 @@ ---- - op: add path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-bundle-validation-test 
@@ -13,9 +12,9 @@ path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-crds-have-validation-test @@ -23,9 +22,9 @@ path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-crds-have-resources-test @@ -33,9 +32,9 @@ path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-spec-descriptors-test @@ -43,9 +42,9 @@ path: /stages/0/tests/- value: entrypoint: - - scorecard-test - - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.12.0 + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-status-descriptors-test diff --git a/config/testing/kustomization.yaml b/config/testing/kustomization.yaml index b6b45328..41091623 100644 --- a/config/testing/kustomization.yaml +++ b/config/testing/kustomization.yaml @@ -1,13 +1,17 @@ # Adds namespace to all resources. namespace: osdk-test + namePrefix: osdk- + # Labels to add to all resources and selectors. -# commonLabels: -# someName: someValue +#commonLabels: +# someName: someValue + patchesStrategicMerge: - manager_image.yaml - debug_logs_patch.yaml - ../default/manager_auth_proxy_patch.yaml + apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: 
@@ -17,5 +21,3 @@ resources: images: - name: testing newName: testing-operator -patches: -- path: pull_policy/Never.yaml diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml index 9a41e7de..1a80ef64 100644 --- a/molecule/default/destroy.yml +++ b/molecule/default/destroy.yml @@ -19,6 +19,6 @@ state: absent - name: Unset pull policy - command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml' + command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml' args: chdir: '{{ config_dir }}/testing' diff --git a/molecule/default/kustomize.yml b/molecule/default/kustomize.yml index 75183ccf..d33e6d0f 100644 --- a/molecule/default/kustomize.yml +++ b/molecule/default/kustomize.yml @@ -1,6 +1,6 @@ --- - name: Build kustomize testing overlay - # load_restrictor must be set to none so we can load patch files from the default overlay + # load-restrictor must be set to none so we can load patch files from the default overlay command: '{{ kustomize }} build --load-restrictor LoadRestrictionsNone .' args: chdir: '{{ config_dir }}/testing' diff --git a/molecule/default/tasks/awxbackup_test.yml b/molecule/default/tasks/awxbackup_test.yml new file mode 100644 index 00000000..7582dd46 --- /dev/null +++ b/molecule/default/tasks/awxbackup_test.yml @@ -0,0 +1,18 @@ +--- +# - name: Create the awx.ansible.com/v1beta1.AWXBackup +# k8s: +# state: present +# namespace: '{{ namespace }}' +# definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}" +# wait: yes +# wait_timeout: 300 +# wait_condition: +# type: Successful +# status: "True" +# vars: +# cr_file: 'awx_v1beta1_awxbackup.yaml' +# +# - name: Add assertions here +# assert: +# that: false +# fail_msg: FIXME Add real assertions for your operator diff --git a/molecule/default/tasks/awxrestore_test.yml b/molecule/default/tasks/awxrestore_test.yml new file mode 100644 index 00000000..ccfc3e4e --- /dev/null 
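Review bot: Every task in the new molecule/default/tasks/awxbackup_test.yml is commented out, so the file adds no coverage: if it is included from the verify playbook it passes vacuously, and the commented `that: false` placeholder never runs. The same applies to molecule/default/tasks/awxrestore_test.yml added in the next hunk. If the backup and restore CRs are not ready to be exercised yet, either leave the files out until real assertions exist or enable at least the create task so the CR is actually applied and waited on; a header comment such as `# TODO: scaffold only — no assertions run until the tasks below are uncommented` would make the gap visible to anyone reading the suite results.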
+++ b/molecule/default/tasks/awxrestore_test.yml @@ -0,0 +1,18 @@ +--- +# - name: Create the awx.ansible.com/v1beta1.AWXRestore +# k8s: +# state: present +# namespace: '{{ namespace }}' +# definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}" +# wait: yes +# wait_timeout: 300 +# wait_condition: +# type: Successful +# status: "True" +# vars: +# cr_file: 'awx_v1beta1_awxrestore.yaml' +# +# - name: Add assertions here +# assert: +# that: false +# fail_msg: FIXME Add real assertions for your operator diff --git a/molecule/kind/destroy.yml b/molecule/kind/destroy.yml index 304cca21..2f51540e 100644 --- a/molecule/kind/destroy.yml +++ b/molecule/kind/destroy.yml @@ -11,6 +11,6 @@ command: kind delete cluster --name osdk-test --kubeconfig {{ kubeconfig }} - name: Unset pull policy - command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml' + command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml' args: chdir: '{{ config_dir }}/testing' diff --git a/molecule/requirements.yml b/molecule/requirements.yml index d1eb52a5..0adb8a98 100644 --- a/molecule/requirements.yml +++ b/molecule/requirements.yml @@ -2,7 +2,7 @@ collections: - name: community.general - name: kubernetes.core - version: 1.2.1 + version: 2.3.2 - name: operator_sdk.util - name: community.docker - name: awx.awx diff --git a/requirements.yml b/requirements.yml index 54173725..9773bfd0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,6 @@ --- collections: - name: kubernetes.core - version: '==1.2.1' + version: '>=2.3.2' - name: operator_sdk.util version: "0.2.0" diff --git a/roles/installer/tasks/initialize_django.yml b/roles/installer/tasks/initialize_django.yml index 85c2fa43..057c1a39 100644 --- a/roles/installer/tasks/initialize_django.yml +++ b/roles/installer/tasks/initialize_django.yml 
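Review bot: In requirements.yml the kubernetes.core pin changes from an exact `'==1.2.1'` to an open lower bound `'>=2.3.2'`, so the operator image picks up whatever newest release Galaxy serves at build time; two builds of the same operator tag can ship different collection code, and molecule/requirements.yml (bumped to exactly `2.3.2` in the previous hunk) no longer tests what the image contains. Galaxy collections are not content-pinned by hash, so the version constraint is the only reproducibility control here. Suggest `version: '==2.3.2'` to match the molecule pin, or if drift within a major is intended, a bounded range such as `version: '>=2.3.2,<3.0.0'`.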
@@ -34,6 +34,7 @@ bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'" register: legacy_queue changed_when: false + ignore_errors: true - name: Unregister legacy queue k8s_exec: diff --git a/roles/restore/tasks/init.yml b/roles/restore/tasks/init.yml index 29ae8305..de9ccb1e 100644 --- a/roles/restore/tasks/init.yml +++ b/roles/restore/tasks/init.yml 
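Review bot: `ignore_errors: true` on the legacy-queue lookup hides every failure of that k8s_exec, not only grep exiting 1 when no `[tower capacity=...]` line is present: an unreachable pod, an `awx-manage` crash, or an exec permission error all become a silently failed task whose registered `legacy_queue` result the following "Unregister legacy queue" task (which continues outside the hunk) then evaluates. Narrowing the condition keeps the intended behaviour while letting real errors stop the role, e.g. replace the added line with `failed_when: legacy_queue.rc not in [0, 1]` (older kubernetes.core releases expose the exit status as `return_code` instead of `rc`, so check the collection version the image installs). The task this line belongs to begins above the hunk.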
@@ -2,37 +2,37 @@ - name: Set variables from awxbackup object statuses if provided block: - - name: Look up details for the backup - k8s_info: - api_version: "{{ backup_api_version }}" - kind: "{{ backup_kind }}" - name: "{{ backup_name }}" - namespace: "{{ backup_pvc_namespace }}" - register: this_backup + - name: Look up details for the backup + k8s_info: + api_version: "{{ backup_api_version }}" + kind: "{{ backup_kind }}" + name: "{{ backup_name }}" + namespace: "{{ backup_pvc_namespace }}" + register: this_backup - - name: Surface error to user - block: - - name: Set error message - set_fact: - error_msg: "Cannot read the backup status variables for {{ backup_kind }} {{ backup_name }}." + - name: Surface error to user + block: + - name: Set error message + set_fact: + error_msg: "Cannot read the backup status variables for {{ backup_kind }} {{ backup_name }}." - - name: Handle error - import_tasks: error_handling.yml + - name: Handle error + import_tasks: error_handling.yml - - name: Fail early if pvc is defined but does not exist - fail: - msg: "{{ error_msg }}" - when: - - this_backup['resources'] | length == 0 - - this_backup['resources'][0] is not defined - - this_backup['resources'][0]['status'] is not defined - - this_backup['resources'][0]['status']['backupClaim'] is not defined - - this_backup['resources'][0]['status']['backupDirectory'] is not defined + - name: Fail early if pvc is defined but does not exist + fail: + msg: "{{ error_msg }}" + when: + - this_backup['resources'] | length == 0 + - this_backup['resources'][0] is not defined + - this_backup['resources'][0]['status'] is not defined + - this_backup['resources'][0]['status']['backupClaim'] is not defined + - this_backup['resources'][0]['status']['backupDirectory'] is not defined - - name: Set backup facts - set_fact: - backup_pvc: "{{ this_backup['resources'][0]['status']['backupClaim'] }}" - backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] }}" + - name: Set backup 
facts + set_fact: + backup_pvc: "{{ this_backup['resources'][0]['status']['backupClaim'] }}" + backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] }}" when: - backup_name != '' or backup_name is defined