From d743936ee479ccf816eb11cba2a83571be1ef716 Mon Sep 17 00:00:00 2001 From: "Christian M. Adams" Date: Tue, 27 Apr 2021 10:43:02 -0400 Subject: [PATCH] Update admin user password with value in provided/generated secret --- roles/installer/tasks/initialize_django.yml | 13 ++++- roles/restore/README.md | 4 +- roles/restore/tasks/initialize_django.yml | 54 +++++++++++++++++++++ roles/restore/tasks/main.yml | 2 + 4 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 roles/restore/tasks/initialize_django.yml diff --git a/roles/installer/tasks/initialize_django.yml b/roles/installer/tasks/initialize_django.yml index cb6a6e1b..3e977e06 100644 --- a/roles/installer/tasks/initialize_django.yml +++ b/roles/installer/tasks/initialize_django.yml @@ -6,13 +6,24 @@ container: "{{ meta.name }}-task" command: >- bash -c "echo 'from django.contrib.auth.models import User; - nsu = User.objects.filter(is_superuser=True).count(); + nsu = User.objects.filter(is_superuser=True, username='{{ tower_admin_user }}').count(); exit(0 if nsu > 0 else 1)' | awx-manage shell" ignore_errors: true register: users_result changed_when: users_result.return_code > 0 +- name: Update super user password via Django if it does exist (same password is a noop) + k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ tower_pod_name }}" + container: "{{ meta.name }}-task" + command: >- + bash -c "awx-manage update_password --username '{{ tower_admin_user }}' --password '{{ tower_admin_password }}'" + register: update_pw_result + changed_when: users_result.stdout == 'Password not updated' + when: users_result.return_code == 0 + - name: Create super user via Django if it doesn't exist. k8s_exec: namespace: "{{ meta.namespace }}" diff --git a/roles/restore/README.md b/roles/restore/README.md index be2db0a4..e2b31378 100644 --- a/roles/restore/README.md +++ b/roles/restore/README.md 
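Review bot: The added `update_password` task splices `{{ tower_admin_password }}` into a `bash -c "… '…'"` string and sets no `no_log`, so the password can end up in the task's logged command and result, and any `'`, `"`, `$` or backtick in it breaks or alters the shell command. I would add `no_log: true` and drop the shell layer, `command: awx-manage update_password --username {{ tower_admin_user | quote }} --password {{ tower_admin_password | quote }}`, assuming k8s_exec splits the command shell-style (confirm). The changed check line has the same nesting problem: `username='{{ tower_admin_user }}'` sits inside `echo '…'`, so the inner quotes close the outer string and Python likely receives a bare name; escaped double quotes around the value would avoid that. `changed_when: users_result.stdout == 'Password not updated'` reads the previous task's register and looks inverted; `changed_when: "'Password not updated' not in update_pw_result.stdout"` matches the task name's intent. roles/restore/tasks/initialize_django.yml repeats these tasks and needs the same changes; the task list continues outside this hunk.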
@@ -50,7 +50,9 @@ Finally, use `kubectl` to create the restore object in your cluster: $ kubectl apply -f restore-awx.yml ``` -This will create a new deployment and restore your backup to it. +This will create a new deployment and restore your backup to it. + +> :warning: tower_admin_password_secret value will replace the password for the `tower_admin_user` user (by default, this is the `admin` user). Role Variables diff --git a/roles/restore/tasks/initialize_django.yml b/roles/restore/tasks/initialize_django.yml new file mode 100644 index 00000000..e1c350cd --- /dev/null +++ b/roles/restore/tasks/initialize_django.yml 
@@ -0,0 +1,54 @@
+---
+
+- name: Get the new deployment resource pod information.
+ k8s_info:
+ api_version: v1
+ kind: Pod
+ namespace: '{{ tower_backup_pvc_namespace }}'
+ label_selectors:
+ - "app.kubernetes.io/name={{ tower_name }}"
+ - "app.kubernetes.io/managed-by=awx-operator"
+ - "app.kubernetes.io/component=awx"
+ field_selectors:
+ - status.phase=Running
+ register: tower_pods
+
+- name: Set the resource pod name as a variable.
+ set_fact:
+ tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
+
+- name: Check if there are any super users defined.
+ k8s_exec:
+ namespace: "{{ meta.namespace }}"
+ pod: "{{ tower_pod_name }}"
+ container: "{{ meta.name }}-task"
+ command: >-
+ bash -c "echo 'from django.contrib.auth.models import User;
+ nsu = User.objects.filter(is_superuser=True, username='{{ tower_admin_user }}').count();
+ exit(0 if nsu > 0 else 1)'
+ | awx-manage shell"
+ ignore_errors: true
+ register: users_result
+ changed_when: users_result.return_code > 0
+
+- name: Update super user password via Django if it does exist (same password is a noop)
+ k8s_exec:
+ namespace: "{{ meta.namespace }}"
+ pod: "{{ tower_pod_name }}"
+ container: "{{ meta.name }}-task"
+ command: >-
+ bash -c "awx-manage update_password --username '{{ tower_admin_user }}' --password '{{ tower_admin_password }}'"
+ register: update_pw_result
+ changed_when: users_result.stdout == 'Password not updated'
+ when: users_result.return_code == 0
+
+- name: Create super user via Django if it doesn't exist.
+ k8s_exec:
+ namespace: "{{ meta.namespace }}"
+ pod: "{{ tower_pod_name }}"
+ container: "{{ meta.name }}-task"
+ command: >-
+ bash -c "echo \"from django.contrib.auth.models import User;
+ User.objects.create_superuser('{{ tower_admin_user }}', '{{ tower_admin_email }}', '{{ tower_admin_password }}')\"
+ | awx-manage shell"
+ when: users_result.return_code > 0
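Review bot: The pod is looked up in `{{ tower_backup_pvc_namespace }}` but every `k8s_exec` task below targets `{{ meta.namespace }}`, so if the two values differ the exec is sent to a namespace where that pod name does not exist; one namespace variable should be used for both. `tower_pod_name` also falls back to `''` when no pod is Running, and because the check task sets `ignore_errors: true` a failed exec is not clearly distinguished from "no superuser found". A guard before `set_fact` would make that case fail with a clear message, for example an `assert` task with `that: tower_pods['resources'] | length > 0`. The create task also places `{{ tower_admin_password }}` in the command without `no_log: true`, so the password can appear in the task output.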
diff --git a/roles/restore/tasks/main.yml b/roles/restore/tasks/main.yml index 7fda2e1c..5d861909 100644 --- a/roles/restore/tasks/main.yml +++ b/roles/restore/tasks/main.yml @@ -22,6 +22,8 @@ - include_tasks: postgres.yml + - include_tasks: initialize_django.yml + - name: Set flag signifying this restore was successful set_fact: tower_restore_complete: True