diff --git a/.travis.yml b/.travis.yml
index 615ec471..de146bd1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,7 @@ env:
 install:
   - pip3 install docker molecule molecule-docker yamllint ansible-lint openshift jmespath
-  - ansible-galaxy collection install community.kubernetes
+  - ansible-galaxy collection install community.kubernetes operator_sdk.util
 script:
   - molecule test -s test-local
diff --git a/ansible/instantiate-awx-deployment.yml b/ansible/instantiate-awx-deployment.yml
index f55239a3..39b9c621 100644
--- a/ansible/instantiate-awx-deployment.yml
+++ b/ansible/instantiate-awx-deployment.yml
@@ -20,7 +20,6 @@ spec:
   tower_admin_user: test
   tower_admin_email: test@example.com
-  tower_admin_password: changeme
   tower_broadcast_websocket_secret: changeme
   tower_ingress_type: "{{ tower_ingress_type | default(omit) }}" # Either Route or Ingress
   tower_image: "{{ tower_image | default(omit) }}"
diff --git a/deploy/crds/awx_v1beta1_cr.yaml b/deploy/crds/awx_v1beta1_cr.yaml
index c2a16d92..206ccf3e 100644
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -13,7 +13,6 @@ spec:
   tower_admin_user: test
   tower_admin_email: test@example.com
-  tower_admin_password: changeme
   tower_image: ansible/awx:15.0.0
diff --git a/deploy/crds/awx_v1beta1_molecule.yaml b/deploy/crds/awx_v1beta1_molecule.yaml
index 474f7e62..b09a4f51 100644
--- a/deploy/crds/awx_v1beta1_molecule.yaml
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -12,7 +12,6 @@ spec:
   tower_broadcast_websocket_secret: changeme
   tower_admin_email: test@example.com
-  tower_admin_password: changeme
   tower_image: ansible/awx:15.0.0
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index 41fa3cba..f5ede761 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
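Review bot: The `ansible-galaxy collection install community.kubernetes operator_sdk.util` line added to .travis.yml installs whichever version of each collection is newest on Galaxy at build time, so the test run is not reproducible and a breaking or compromised release of either collection is picked up silently. Pin both with the `name:==version` form, e.g. `- ansible-galaxy collection install community.kubernetes:==X.Y.Z operator_sdk.util:==X.Y.Z` using the versions the operator image ships, and consider the same for the unpinned `pip3 install` line above it even though that one is pre-existing. The role's meta/main.yml elsewhere in this commit declares the same collections, so whatever is pinned here should match what the operator runtime provides.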
@@ -19,7 +19,10 @@ tower_hostname: '{{ deployment_type }}.example.com'
 tower_admin_user: admin
 tower_admin_email: test@example.com
-tower_admin_password: changeme
+
+# Secret to lookup that provide the admin password
+#
+tower_admin_password_secret: ''
 tower_broadcast_websocket_secret: changeme
diff --git a/roles/installer/meta/main.yml b/roles/installer/meta/main.yml
index 0b582768..69592776 100644
--- a/roles/installer/meta/main.yml
+++ b/roles/installer/meta/main.yml
@@ -29,3 +29,4 @@ dependencies: []
 collections:
   - community.kubernetes
+  - operator_sdk.util
diff --git a/roles/installer/tasks/admin_password_configuration.yml b/roles/installer/tasks/admin_password_configuration.yml
new file mode 100644
index 00000000..2fec994e
--- /dev/null
+++ b/roles/installer/tasks/admin_password_configuration.yml
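Review bot: The comment added above `tower_admin_password_secret` in roles/installer/defaults/main.yml does not say what the referenced Secret must contain, where it must live, or what happens when the value is left empty, and "Secret to lookup that provide" is ungrammatical. The consuming tasks in this commit read `data.password` from a Secret in the CR's namespace and otherwise generate one named `<cr-name>-admin-password`, so the default should document that contract: `# Name of an existing Secret in the CR's namespace whose 'password' key holds the admin password.` followed by `# Leave empty to have the operator generate one as <name>-admin-password.`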
@@ -0,0 +1,51 @@
+---
+- name: Check for specified admin password configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_admin_password_secret }}'
+  register: _custom_admin_password
+  when: tower_admin_password_secret | length
+
+- name: Check for default admin password configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-admin-password'
+  register: _default_admin_password
+
+- name: Set admin password secret
+  set_fact:
+    _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
+
+- block:
+    - name: Create admin password secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_admin_password_secret.yaml.j2') }}"
+
+    - name: Read admin password secret
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-admin-password'
+      register: _generated_admin_password
+
+  when: not _admin_password_secret['resources'] | default([]) | length
+
+- name: Set admin password secret
+  set_fact:
+    admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
+
+- name: Store admin password
+  set_fact:
+    tower_admin_password: "{{ admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
+
+- name: Set admin password secret status
+  operator_sdk.util.k8s_status:
+    api_version: awx.ansible.com/v1beta1
+    kind: "{{ deployment_type | upper }}"
+    name: "{{ meta.name }}"
+    namespace: "{{ meta.namespace }}"
+    status:
+      towerAdminPasswordSecret: "{{ admin_password_secret['resources'][0]['metadata']['name'] }}"
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 30fad4a0..be3beeef 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
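Review bot: When `tower_admin_password_secret` names a Secret that does not exist, the `ternary` in the first "Set admin password secret" task silently falls back to the generated `<name>-admin-password` Secret, so a typo in the CR gives the instance an operator-chosen admin password instead of the one the user provisioned, with no error and only the status field hinting at it; a `fail` task between the two lookups should abort when a custom name was given but returned no resources. The "Check for …", "Read admin password secret" and "Store admin password" tasks register or set the plaintext password in their task results, so each should carry `no_log: true` to keep it out of operator logs at higher verbosity. A user-supplied Secret without a `password` key will also surface only as a bare KeyError on the `b64decode` line; an `assert` that `'password' in admin_password_secret['resources'][0]['data']` gives a clearer failure.
```yaml
# … unchanged: "Check for specified admin password configuration" (add no_log: true) …

- name: Fail if the specified admin password secret does not exist
  fail:
    msg: "Secret '{{ tower_admin_password_secret }}' not found in namespace {{ meta.namespace }}"
  when:
    - tower_admin_password_secret | length
    - not _custom_admin_password['resources'] | default([]) | length

# … unchanged: default lookup, ternary, create/read block (add no_log: true to the read) …

- name: Store admin password
  no_log: true
  set_fact:
    tower_admin_password: "{{ admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
```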
@@ -2,6 +2,9 @@
 - name: Include secret key configuration tasks
   include_tasks: secret_key_configuration.yml
+- name: Include admin password configuration tasks
+  include_tasks: admin_password_configuration.yml
+
 - name: Include database configuration tasks
   include_tasks: database_configuration.yml
diff --git a/roles/installer/templates/tower_admin_password_secret.yaml.j2 b/roles/installer/templates/tower_admin_password_secret.yaml.j2
new file mode 100644
index 00000000..0486d6ba
--- /dev/null
+++ b/roles/installer/templates/tower_admin_password_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-admin-password'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  password: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
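Review bot: The `password` value in tower_admin_password_secret.yaml.j2 calls `lookup('password', 'ts' + meta.name + 'pg …')`, and the password lookup's first argument is a file path, so every generated admin password is also written in plaintext to a file named `ts<cr-name>pg` in the operator's working directory and re-read from there on later renders. That on-disk copy buys nothing here: the task that renders this template only runs when no `<name>-admin-password` Secret exists, so idempotence already comes from the Secret, and the write presumably fails outright if the working directory is not writable. Use `/dev/null` as the path so the value is generated without being persisted: `password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"`.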