diff --git a/README.md b/README.md
index 1fa5417b..3d7b52b7 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ First you need to deploy AWX Operator into your cluster:
 Then you can create instances of AWX, for example:
 1. Make sure the namespace you're deploying into already exists (e.g. `kubectl create namespace ansible-awx`).
- 1. Create a file named `my-awx.yml` with the following contents:
+ 2. Create a file named `my-awx.yml` with the following contents:
 ```
 ---
@@ -37,14 +37,13 @@ Then you can create instances of AWX, for example:
 namespace: ansible-awx
 spec:
 deployment_type: awx
- tower_secret_key: aabbcc
 tower_admin_user: test
 tower_admin_email: test@example.com
 tower_admin_password: changeme
 tower_broadcast_websocket_secret: changeme
 ```
- 1. Use `kubectl` to create the mcrouter instance in your cluster:
+ 3. Use `kubectl` to create the mcrouter instance in your cluster:
 ```
 kubectl apply -f my-awx.yml
@@ -52,21 +51,6 @@ Then you can create instances of AWX, for example:
 After a few minutes, your new AWX instance will be accessible at `http://awx.mycompany.com/` (assuming your cluster has an Ingress controller configured). Log in using the `tower_admin_` credentials configured in the `spec`.
-### Deploy Tower instead of AWX
-
-If you would like to deploy Tower into your cluster instead of AWX, override the default variables in the AWX `spec` for the `tower_task_image` and `tower_web_image`, so the Tower container images are used instead, and set the `deployment_type` to ``awx`:
-
- ---
- spec:
- ...
- deployment_type: tower
- tower_task_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0
- tower_web_image: registry.redhat.io/ansible-tower-37/ansible-tower-rhel7:3.7.0
-
-To deploy Ansible Tower, images are pulled from the Red Hat Registry. Your Kubernetes or OpenShift cluster will have to have [Authentication Enabled for the Red Hat Registry](https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/configuring_clusters/install-config-configuring-red-hat-registry) for this to work, otherwise the Tower image will not be pulled.
-
-If you deploy Ansible AWX, images are available from public registries, so no authentication is required.
-
 ### Ingress Types
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index edceaffb..9932fdb8 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -96,6 +96,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: awx-operator
+  namespace: default
 spec:
   replicas: 1
   selector:
diff --git a/deploy/crds/awx_v1beta1_cr.yaml b/deploy/crds/awx_v1beta1_cr.yaml
index 543a9b89..6ca69b93 100644
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -10,7 +10,6 @@ spec:
   tower_task_privileged: false
   tower_hostname: example-awx.test
-  tower_secret_key: aabbcc
   tower_broadcast_websocket_secret: changeme
   tower_admin_user: test
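Review bot: `namespace: default` is added to the operator Deployment's metadata while the same commit removes `namespace: default` from deploy/service_account.yaml and from the subject in deploy/role_binding.yaml, so the three operator manifests no longer agree on where the operator lives. If the Deployment's pod spec references the `awx-operator` ServiceAccount (that part is outside this hunk), applying the bundle with `kubectl -n <some-other-ns>` would create the ServiceAccount there while the Deployment stays pinned to `default`, and its pods could not be created for lack of a service account in that namespace. Either drop the added line so all three manifests follow the caller's namespace, or pin all three to `default` explicitly.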
diff --git a/deploy/crds/awx_v1beta1_molecule.yaml b/deploy/crds/awx_v1beta1_molecule.yaml
index 06d4e126..01583a0e 100644
--- a/deploy/crds/awx_v1beta1_molecule.yaml
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -10,7 +10,6 @@ spec:
   tower_task_privileged: false
   tower_hostname: example-awx.test
-  tower_secret_key: aabbcc
   tower_broadcast_websocket_secret: changeme
   tower_admin_user: test
diff --git a/deploy/role_binding.yaml b/deploy/role_binding.yaml
index c2c64a87..50feae1c 100644
--- a/deploy/role_binding.yaml
+++ b/deploy/role_binding.yaml
@@ -6,7 +6,6 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: awx-operator
-  namespace: default
 roleRef:
   kind: ClusterRole
   name: awx-operator
diff --git a/deploy/service_account.yaml b/deploy/service_account.yaml
index 91d79652..c4d60043 100644
--- a/deploy/service_account.yaml
+++ b/deploy/service_account.yaml
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: awx-operator
-  namespace: default
diff --git a/roles/awx/defaults/main.yml b/roles/awx/defaults/main.yml
index 5cf43288..987a6239 100644
--- a/roles/awx/defaults/main.yml
+++ b/roles/awx/defaults/main.yml
@@ -3,7 +3,6 @@ tower_task_privileged: false
 tower_ingress_type: none
 tower_hostname: example-awx.test
-tower_secret_key: aabbcc
 tower_admin_user: test
 tower_admin_email: test@example.com
diff --git a/roles/awx/tasks/main.yml b/roles/awx/tasks/main.yml
index b71b3bff..922d5bab 100644
--- a/roles/awx/tasks/main.yml
+++ b/roles/awx/tasks/main.yml
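Review bot: Removing `namespace` from the `ServiceAccount` subject in deploy/role_binding.yaml is only safe if this binding is a namespaced `RoleBinding`; the binding's own `kind` is above the hunk. For a `ClusterRoleBinding` the API server rejects a `ServiceAccount` subject that has no namespace, whereas a `RoleBinding` defaults it to the binding's namespace, so the manifest should be checked against its `kind` before this line is dropped. If the binding is cluster-scoped, keep `namespace` on the subject and template or document the value instead, since it must match wherever deploy/service_account.yaml (which loses its `namespace` in this same commit) is applied.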
@@ -2,6 +2,27 @@
 - name: Include deployment type vars
   include_vars: "{{ deployment_type }}.yml"
+- name: Check for existing secret key
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-secret-key'
+  register: secret_key_resources
+
+- name: Check for existing postgres configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{meta.name }}-postgres-configuration'
+  register: postgres_config_resources
+
+- name: Create Database configuration if it doesn't already exist
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower_postgres_secret.yaml.j2') }}"
+  register: k8s_postgres_config_result
+  when: postgres_config_resources['resources'] | length < 1 and not external_database | default(False) | bool
+
 - name: Create Database if External Database not selected
   k8s:
     apply: yes
@@ -24,6 +45,14 @@
     awx_postgres_port: "{{ postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
+- name: Deploy Tower Secret Key if needed
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}"
+  register: k8s_tower_secret_result
+  when: secret_key_resources['resources'] | length < 1
+
+
 - name: Ensure configured AWX resources exist in the cluster.
   k8s:
     apply: yes
@@ -33,7 +62,12 @@
     - tower_config.yaml.j2
     - launch_awx.yaml.j2
     - supervisor.yaml.j2
-    - tower.yaml.j2
+
+- name: Apply Tower Deployment Configuration
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower.yaml.j2') }}"
+  register: tower_deployment_result
 - name: Get the AWX pod information.
   k8s_info:
diff --git a/roles/awx/templates/tower.yaml.j2 b/roles/awx/templates/tower.yaml.j2
index 8efcb28e..99206da8 100644
--- a/roles/awx/templates/tower.yaml.j2
+++ b/roles/awx/templates/tower.yaml.j2
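Review bot: The tasks that apply a Secret rendered from a template — `Create Database configuration if it doesn't already exist` in this hunk and `Deploy Tower Secret Key if needed` in the next one — carry no `no_log: true`, so the rendered `stringData` in the module arguments and the base64-encoded `data` in the registered result can be printed in the operator's Ansible output at higher verbosity. Add `no_log: true` to both tasks; the `register:` values are fine to keep, they are simply not echoed. A minor style point in the same hunk: `name: '{{meta.name }}-postgres-configuration'` lacks the space after `{{` that every other expression in the file uses, and the `when:` on the create task reads more clearly with the two conditions parenthesised, `when: (postgres_config_resources['resources'] | length < 1) and not (external_database | default(False) | bool)`.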
@@ -1,14 +1,13 @@
-# AWX Secret.
+# AWX Secret Configurations
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ meta.name }}-secrets'
-  namespace: '{{ meta.namespace }}'
-data:
-  secret_key: '{{ tower_secret_key | b64encode }}'
-  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
-  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: '{{ meta.name }}-secrets'
+    namespace: '{{ meta.namespace }}'
+  data:
+    credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+    environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
 # AWX Deployment.
 ---
@@ -167,7 +166,7 @@ spec:
             path: 'environment.sh'
       - name: {{ meta.name }}-secret-key
         secret:
-          secretName: '{{ meta.name }}-secrets'
+          secretName: '{{ meta.name }}-secret-key'
           items:
             - key: secret_key
               path: SECRET_KEY
diff --git a/roles/awx/templates/tower_postgres.yaml.j2 b/roles/awx/templates/tower_postgres.yaml.j2
index 8962bf0c..318f2143 100644
--- a/roles/awx/templates/tower_postgres.yaml.j2
+++ b/roles/awx/templates/tower_postgres.yaml.j2
@@ -1,18 +1,3 @@
-# Postgres Secret.
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ meta.name }}-postgres-configuration'
-  namespace: '{{ meta.namespace }}'
-stringData:
-  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
-  username: 'awx'
-  database: 'awx'
-  port: '5432'
-  host: {{ meta.name }}-postgres
-
-
 # Postgres StatefulSet.
 ---
 apiVersion: v1
diff --git a/roles/awx/templates/tower_postgres_secret.yaml.j2 b/roles/awx/templates/tower_postgres_secret.yaml.j2
new file mode 100644
index 00000000..cb2dc1ac
--- /dev/null
+++ b/roles/awx/templates/tower_postgres_secret.yaml.j2
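Review bot: The `{{ meta.name }}-secrets` document in tower.yaml.j2 is re-indented on the new side — the `apiVersion` through `environment_sh` lines are removed and re-added with the same text plus leading whitespace — which puts the Secret's top-level keys at a deeper indent than the `---` that opens it and than the Deployment document that follows. YAML accepts an indented root mapping, so the template still renders, but the inconsistency is an easy source of a mis-nesting mistake on the next edit; dedent the eight added lines so `apiVersion: v1` sits at column 0 like the other documents in the file. The new header comment could also record where the key went, e.g. `# AWX Secret Configurations (SECRET_KEY is provided by the separate <name>-secret-key Secret created in tasks/main.yml)`.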
@@ -0,0 +1,13 @@
+# Postgres Secret.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-postgres-configuration'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
+  username: 'awx'
+  database: 'awx'
+  port: '5432'
+  host: {{ meta.name }}-postgres
diff --git a/roles/awx/templates/tower_secret.yaml.j2 b/roles/awx/templates/tower_secret.yaml.j2
new file mode 100644
index 00000000..223a4a8b
--- /dev/null
+++ b/roles/awx/templates/tower_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-secret-key'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  secret_key: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
\ No newline at end of file
diff --git a/roles/awx_remove/tasks/main.yml b/roles/awx_remove/tasks/main.yml
new file mode 100644
index 00000000..e7706084
--- /dev/null
+++ b/roles/awx_remove/tasks/main.yml
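Review bot: Both generated credentials use the `password` lookup with a relative file path — `'p' + meta.name + 'pg …'` here and `'ts' + meta.name + 'pg …'` in tower_secret.yaml.j2 — so besides returning the value, the lookup writes it in plaintext to a file in the operator's working directory. The role only renders these templates when the Secret does not yet exist, and the on-disk copy is lost whenever the operator pod restarts, so the file neither gets reused nor gives a stable value; use `/dev/null` as the lookup path so the generated value exists only in the Secret, e.g. `password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'` and likewise for `secret_key`. tower_secret.yaml.j2 is also missing its trailing newline.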
@@ -0,0 +1,37 @@
+
+
+- name: Check for existing secret key
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-secret-key'
+  register: secret_key_resources
+
+- name: Check for existing postgres configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{meta.name }}-postgres-configuration'
+  register: postgres_config_resources
+
+- name: Remove ownerReferences from PG configuration if it exists
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: '{{ meta.name }}-postgres-configuration'
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  when: postgres_config_resources['resources'] | length > 0
+
+- name: Remove ownerReferences from Tower Secret if it exists
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: '{{ meta.name }}-secret-key'
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  when: secret_key_resources['resources'] | length > 0
diff --git a/watches.yaml b/watches.yaml
index 5ddfbbc4..ef17892f 100644
--- a/watches.yaml
+++ b/watches.yaml
@@ -3,3 +3,6 @@
   group: awx.ansible.com
   kind: AWX
   playbook: /opt/ansible/main.yml
+  finalizer:
+    name: finalizer.awx.ansible.com
+    role: awx_remove
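Review bot: The finalizer role deliberately clears `ownerReferences` on the `<name>-postgres-configuration` and `<name>-secret-key` Secrets, so the database password and the Django secret key outlive the AWX object, yet nothing in this file or in the watches.yaml `finalizer` entry records that this is intentional or what it implies for decommissioning. Replace the two empty leading lines with `---` and a header comment along the lines of `# Finalizer for AWX: detach the generated Secrets from the AWX owner so they survive deletion and an AWX re-created with the same name can reuse the existing database; delete them by hand to fully decommission an instance.` The two `k8s` tasks rely on a patch with `ownerReferences: null` actually emptying the list; if a cluster leaves the references in place, garbage collection would remove both Secrets together with the AWX object, so this path is worth covering in the molecule scenario. The same `{{meta.name }}` spacing nit from roles/awx/tasks/main.yml is repeated here.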