Autogenerate database configuration and secret key if not provided

This also persists those after removal, so the database PV is still functional
2026-04-25 07:56:35 +00:00 · 2020-08-13 14:36:49 -04:00
parent 88d55a870a
commit edc60300be
14 changed files with 109 additions and 50 deletions
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ First you need to deploy AWX Operator into your cluster:
 Then you can create instances of AWX, for example:

  1. Make sure the namespace you're deploying into already exists (e.g. `kubectl create namespace ansible-awx`).
-  1. Create a file named `my-awx.yml` with the following contents:
+  2. Create a file named `my-awx.yml` with the following contents:

     ```
     ---
@@ -37,14 +37,13 @@ Then you can create instances of AWX, for example:
       namespace: ansible-awx
     spec:
       deployment_type: awx
-       tower_secret_key: aabbcc
       tower_admin_user: test
       tower_admin_email: test@example.com
       tower_admin_password: changeme
       tower_broadcast_websocket_secret: changeme
     ```

-  1. Use `kubectl` to create the mcrouter instance in your cluster:
+  3. Use `kubectl` to create the mcrouter instance in your cluster:

     ```
     kubectl apply -f my-awx.yml
@@ -52,21 +51,6 @@ Then you can create instances of AWX, for example:

 After a few minutes, your new AWX instance will be accessible at `http://awx.mycompany.com/` (assuming your cluster has an Ingress controller configured). Log in using the `tower_admin_` credentials configured in the `spec`.

-### Deploy Tower instead of AWX
-
-If you would like to deploy Tower into your cluster instead of AWX, override the default variables in the AWX `spec` for the `tower_task_image` and `tower_web_image`, so the Tower container images are used instead, and set the `deployment_type` to ``awx`:
-
-    ---
-    spec:
-      ...
-      deployment_type: tower
-      tower_task_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0
-      tower_web_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0
-
-To deploy Ansible Tower, images are pulled from the Red Hat Registry. Your Kubernetes or OpenShift cluster will have to have [Authentication Enabled for the Red Hat Registry](https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/configuring_clusters/install-config-configuring-red-hat-registry) for this to work, otherwise the Tower image will not be pulled.
-
-If you deploy Ansible AWX, images are available from public registries, so no authentication is required.
-

 ### Ingress Types

--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -96,6 +96,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: awx-operator
+  namespace: default
 spec:
  replicas: 1
  selector:
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -10,7 +10,6 @@ spec:
  tower_task_privileged: false

  tower_hostname: example-awx.test
-  tower_secret_key: aabbcc
  tower_broadcast_websocket_secret: changeme

  tower_admin_user: test
--- a/deploy/crds/awx_v1beta1_molecule.yaml
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -10,7 +10,6 @@ spec:
  tower_task_privileged: false

  tower_hostname: example-awx.test
-  tower_secret_key: aabbcc
  tower_broadcast_websocket_secret: changeme

  tower_admin_user: test
--- a/deploy/role_binding.yaml
+++ b/deploy/role_binding.yaml
@@ -6,7 +6,6 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: awx-operator
-    namespace: default
 roleRef:
  kind: ClusterRole
  name: awx-operator
--- a/deploy/service_account.yaml
+++ b/deploy/service_account.yaml
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: awx-operator
-  namespace: default
--- a/roles/awx/defaults/main.yml
+++ b/roles/awx/defaults/main.yml
@@ -3,7 +3,6 @@ tower_task_privileged: false
 tower_ingress_type: none

 tower_hostname: example-awx.test
-tower_secret_key: aabbcc

 tower_admin_user: test
 tower_admin_email: test@example.com
--- a/roles/awx/tasks/main.yml
+++ b/roles/awx/tasks/main.yml
@@ -2,6 +2,27 @@
 - name: Include deployment type vars
  include_vars: "{{ deployment_type }}.yml"

+- name: Check for existing secret key
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-secret-key'
+  register: secret_key_resources
+
+- name: Check for existing postgres configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{meta.name }}-postgres-configuration'
+  register: postgres_config_resources
+
+- name: Create Database configuration if it doesn't already exist
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower_postgres_secret.yaml.j2') }}"
+  register: k8s_postgres_config_result
+  when: postgres_config_resources['resources'] | length < 1 and not external_database | default(False) | bool
+
 - name: Create Database if External Database not selected
  k8s:
    apply: yes
@@ -24,6 +45,14 @@
    awx_postgres_port: "{{ postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
    awx_postgres_host: "{{ postgres_configuration['resources'][0]['data']['host'] | b64decode }}"

+- name: Deploy Tower Secret Key if needed
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}"
+  register: k8s_tower_secret_result
+  when: secret_key_resources['resources'] | length < 1
+  
+
 - name: Ensure configured AWX resources exist in the cluster.
  k8s:
    apply: yes
@@ -33,7 +62,12 @@
    - tower_config.yaml.j2
    - launch_awx.yaml.j2
    - supervisor.yaml.j2
-    - tower.yaml.j2
+
+- name: Apply Tower Deployment Configuration
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower.yaml.j2') }}"
+  register: tower_deployment_result

 - name: Get the AWX pod information.
  k8s_info:
--- a/roles/awx/templates/tower.yaml.j2
+++ b/roles/awx/templates/tower.yaml.j2
@@ -1,14 +1,13 @@
-# AWX Secret.
+# AWX Secret Configurations
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ meta.name }}-secrets'
-  namespace: '{{ meta.namespace }}'
-data:
-  secret_key: '{{ tower_secret_key | b64encode }}'
-  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
-  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: '{{ meta.name }}-secrets'
+    namespace: '{{ meta.namespace }}'
+  data:
+    credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+    environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"

 # AWX Deployment.
 ---
@@ -167,7 +166,7 @@ spec:
                path: 'environment.sh'
        - name: {{ meta.name }}-secret-key
          secret:
-            secretName: '{{ meta.name }}-secrets'
+            secretName: '{{ meta.name }}-secret-key'
            items:
              - key: secret_key
                path: SECRET_KEY
--- a/roles/awx/templates/tower_postgres.yaml.j2
+++ b/roles/awx/templates/tower_postgres.yaml.j2
@@ -1,18 +1,3 @@
-# Postgres Secret.
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ meta.name }}-postgres-configuration'
-  namespace: '{{ meta.namespace }}'
-stringData:
-  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
-  username: 'awx'
-  database: 'awx'
-  port: '5432'
-  host: {{ meta.name }}-postgres
-
-
 # Postgres StatefulSet.
 ---
 apiVersion: v1
--- a/roles/awx/templates/tower_postgres_secret.yaml.j2
+++ b/roles/awx/templates/tower_postgres_secret.yaml.j2
@@ -0,0 +1,13 @@
+# Postgres Secret.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-postgres-configuration'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
+  username: 'awx'
+  database: 'awx'
+  port: '5432'
+  host: {{ meta.name }}-postgres
--- a/roles/awx/templates/tower_secret.yaml.j2
+++ b/roles/awx/templates/tower_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-secret-key'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  secret_key: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
--- a/roles/awx_remove/tasks/main.yml
+++ b/roles/awx_remove/tasks/main.yml
@@ -0,0 +1,37 @@
+
+
+- name: Check for existing secret key
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-secret-key'
+  register: secret_key_resources
+
+- name: Check for existing postgres configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{meta.name }}-postgres-configuration'
+  register: postgres_config_resources
+
+- name: Remove ownerReferences from PG configuration if it exists
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: '{{ meta.name }}-postgres-configuration'
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  when: postgres_config_resources['resources'] | length > 0
+
+- name: Remove ownerReferences from Tower Secret if it exists
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: '{{ meta.name }}-secret-key'
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  when: secret_key_resources['resources'] | length > 0
--- a/watches.yaml
+++ b/watches.yaml
@@ -3,3 +3,6 @@
  group: awx.ansible.com
  kind: AWX
  playbook: /opt/ansible/main.yml
+  finalizer:
+    name: finalizer.awx.ansible.com
+    role: awx_remove