internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-26 21:33:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove Helm chart code (#1938)

Browse Source 
* rm Helm chart starter directory

* rm Helm release playbook

* rm Helm install from docs

* rm Helm chart workflows

* rm Helm starter from yamllint

* rm Helm targets from Makefile

* Revert "rm Helm targets from Makefile"

This reverts commit da38360168.

* remove helm from Makefile

* rm kubectl-slice and yp from Makefile
This commit is contained in:
Don Naro
2024-08-08 18:39:33 +01:00
committed by GitHub
parent 8224b0b354
commit f0a518baf6
28 changed files with 0 additions and 1374 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
.github/workflows/ci.yaml vendored
View File

@@ -50,49 +50,6 @@ jobs:
with: with:
name: awx_operator_molecule_test name: awx_operator_molecule_test
path: ${{ env.DEBUG_OUTPUT_DIR }} path: ${{ env.DEBUG_OUTPUT_DIR }}
helm:
runs-on: ubuntu-latest
name: helm
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.10.0
- name: Build operator image and load into kind
run: |
IMG=awx-operator-ci make docker-build
kind load docker-image --name chart-testing awx-operator-ci
- name: Patch pull policy for tests
run: |
kustomize edit add patch --path ../testing/pull_policy/Never.yaml
working-directory: config/default
- name: Build and lint helm chart
run: |
IMG=awx-operator-ci make helm-chart
helm lint ./charts/awx-operator
- name: Install kubeval
run: |
mkdir tmp && cd tmp
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin
working-directory: ./charts
- name: Run kubeval
run: |
helm template -n awx awx-operator > tmp/test.yaml
kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
working-directory: ./charts
- name: Install helm chart
run: |
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
no-log: no-log:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

11
.github/workflows/promote.yaml vendored
View File

@@ -70,14 +70,3 @@ jobs:
docker buildx imagetools create \ docker buildx imagetools create \
ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \ ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
--tag ${{ env.QUAY_REGISTRY }}/awx-operator:latest --tag ${{ env.QUAY_REGISTRY }}/awx-operator:latest
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=${{ env.QUAY_REGISTRY }}/awx-operator \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ env.TAG_NAME }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }} \
-e gh_user=${{ github.actor }} \
-e repo_type=https

26
.github/workflows/publish-helm.yml vendored
View File

@@ -1,26 +0,0 @@
---
name: Re-publish helm chart
on:
workflow_dispatch:
inputs:
tag:
description: 'Release tag'
required: true
type: string
jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
depth: 0
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ inputs.tag }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }} \
-e gh_user=${{ github.actor }} \
-e repo_type=https

23
.helm/starter/.helmignore
View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

7
.helm/starter/Chart.yaml
View File

@@ -1,7 +0,0 @@
---
apiVersion: v2
appVersion: 0.1.0
description: A Helm chart for Kubernetes
name: starter
type: application
version: 0.1.0

371
.helm/starter/README.md
View File

@@ -1,371 +0,0 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://ansible.readthedocs.io/projects/awx-operator/en/latest/installation/helm-install-on-existing-cluster.html) guide provides key installation instructions.
Example:
```bash
helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
```
Argument breakdown:
* `-f` passes in the file with your custom values
* `-n` sets the namespace to be installed in
* This value is accessed by `{{ $.Release.Namespace }}` in the templates
* Acts as the default namespace for all unspecified resources
* `--create-namespace` specifies that helm should create the namespace before installing
To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
### Caveats on upgrading existing installation
There is no support at this time for upgrading or deleting CRDs using Helm. See [helm documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) for additional detail.
When upgrading to releases with CRD changes use the following command to update the CRDs
```bash
kubectl apply --server-side -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
If running above command results in an error like below:
```text
Apply failed with 1 conflict: conflict with "helm" using apiextensions.k8s.io/v1: .spec.versions
Please review the fields above--they currently have other managers. Here
are the ways you can resolve this warning:
* If you intend to manage all of these fields, please re-run the apply
command with the `--force-conflicts` flag.
* If you do not intend to manage all of the fields, please edit your
manifest to remove references to the fields that should keep their
current managers.
* You may co-own fields by updating your manifest to match the existing
value; in this case, you'll become the manager if the other manager(s)
stop managing the field (remove it from their configuration).
See https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts
```
Use `--force-conflicts` flag to resolve the conflict.
```bash
kubectl apply --server-side --force-conflicts -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
### Additional Kubernetes Resources
The `AWX.extraDeploy` section allows the creation of additional Kubernetes resources. This simplifies setups requiring additional objects that are used by AWX, e.g. using `ExternalSecrets` to create Kubernetes secrets.
Resources are passed as an array, either as YAML or strings (literal "|"). The resources are passed through `tpl`, so templating is possible. Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
extraDeploy:
- |
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Release.Name }}-postgres-secret-string-example
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-string-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
- apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "{{ .Release.Name }}-postgres-secret-yaml-example"
namespace: "{{ .Release.Namespace }}"
labels:
app: "{{ .Release.Name }}"
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-yaml-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
```
### Custom secrets
The `customSecrets` section simplifies the creation of our custom secrets used during AWX deployment. Supplying the passwords this way is not recommended for production use, but may be helpful for initial PoC.
If enabled, the configs provided will automatically used to create the respective secrets and linked at the CR spec level. For proper secret management, the sensitive values can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customSecrets:
enabled: true
admin:
enabled: true
password: mysuperlongpassword
secretName: my-admin-password
secretKey:
enabled: true
key: supersecuresecretkey
secretName: my-awx-secret-key
ingressTls:
enabled: true
selfSignedCert: true
key: unset
certificate: unset
routeTls:
enabled: false
key: <contentoftheprivatekey>
certificate: <contentofthepublickey>
ldapCacert:
enabled: false
crt: <contentofmybundlecacrt>
ldap:
enabled: true
password: yourldapdnpassword
bundleCacert:
enabled: false
crt: <contentofmybundlecacrt>
eePullCredentials:
enabled: false
url: unset
username: unset
password: unset
sslVerify: true
secretName: my-ee-pull-credentials
cpPullCredentials:
enabled: false
dockerconfig:
- registry: https://index.docker.io/v1/
username: unset
password: unset
secretName: my-cp-pull-credentials
```
### Custom volumes
The `customVolumes` section simplifies the creation of Persistent Volumes used when you want to store your databases and projects files on the cluster's Node. Since their backends are `hostPath`, the size specified are just like a label and there is no actual capacity limitation.
You have to prepare directories for these volumes. For example:
```bash
sudo mkdir -p /data/postgres-13
sudo mkdir -p /data/projects
sudo chmod 755 /data/postgres-13
sudo chown 1000:0 /data/projects
```
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customVolumes:
postgres:
enabled: true
hostPath: /data/postgres-13
projects:
enabled: true
hostPath: /data/projects
size: 1Gi
```
## Values Summary
### AWX
| Value | Description | Default |
|---|---|---|
| `AWX.enabled` | Enable this AWX resource configuration | `false` |
| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
| `AWX.postgres` | configurations for the external postgres secret | - |
### extraDeploy
| Value | Description | Default |
|---|---|---|
| `extraDeploy` | array of additional resources to be deployed (supports YAML or literal "\|") | - |
### Operator
| Value | Description | Default |
|---|---|---|
| `Operator.replicas` | Number of controller-manager instance replicas | `1` |
### customSecrets
| Value | Description | Default |
|---|---|---|
| `customSecrets.enabled` | Enable the secret resources configuration | `false` |
| `customSecrets.admin` | Configurations for the secret that contains the admin user password | - |
| `customSecrets.secretKey` | Configurations for the secret that contains the symmetric key for encryption | - |
| `customSecrets.ingressTls` | Configurations for the secret that contains the TLS information when `ingress_type=ingress` | - |
| `customSecrets.routeTls` | Configurations for the secret that contains the TLS information when `ingress_type=route` (`route_tls_secret`) | - |
| `customSecrets.ldapCacert` | Configurations for the secret that contains the LDAP Certificate Authority | - |
| `customSecrets.ldap` | Configurations for the secret that contains the LDAP BIND DN password | - |
| `customSecrets.bundleCacert` | Configurations for the secret that contains the Certificate Authority | - |
| `customSecrets.eePullCredentials` | Configurations for the secret that contains the pull credentials for registered ees can be found | - |
| `customSecrets.cpPullCredentials` | Configurations for the secret that contains the image pull credentials for app and database containers | - |
Below the addition variables to customize the secret configuration.
#### Admin user password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.admin.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.admin.password` | Admin user password | - |
| `customSecrets.admin.secretName` | Name of secret for `admin_password_secret` | `<resourcename>-admin-password>` |
#### Secret Key secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.secretKey.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.secretKey.key` | Key is used to encrypt sensitive data in the database | - |
| `customSecrets.secretKey.secretName` | Name of secret for `secret_key_secret` | `<resourcename>-secret-key` |
#### Ingress TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ingressTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ingressTls.selfSignedCert` | If `true`, an self-signed TLS certificate for `AWX.spec.hostname` will be create by helm | `false` |
| `customSecrets.ingressTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.ingressTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.ingressTls.secretName` | Name of secret for `ingress_tls_secret` | `<resourcename>-ingress-tls` |
| `customSecrets.ingressTls.labels` | Array of labels for the secret | - |
#### Route TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.routeTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.routeTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.routeTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.routeTls.secretName` | Name of secret for `route_tls_secret` | `<resourcename>-route-tls` |
#### LDAP Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldapCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldapCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.ldapCacert.secretName` | Name of secret for `ldap_cacert_secret` | `<resourcename>-custom-certs` |
#### LDAP BIND DN Password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldap.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldap.password` | LDAP BIND DN password | - |
| `customSecrets.ldap.secretName` | Name of secret for `ldap_password_secret` | `<resourcename>-ldap-password` |
#### Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.bundleCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.bundleCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.bundleCacert.secretName` | Name of secret for `bundle_cacert_secret` | `<resourcename>-custom-certs` |
#### Default EE pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.eePullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.eePullCredentials.url` | Registry url | - |
| `customSecrets.eePullCredentials.username` | Username to connect as | - |
| `customSecrets.eePullCredentials.password` | Password to connect with | - |
| `customSecrets.eePullCredentials.sslVerify` | Whether verify ssl connection or not. | `true` |
| `customSecrets.eePullCredentials.secretName` | Name of secret for `ee_pull_credentials_secret` | `<resourcename>-ee-pull-credentials` |
#### Control Plane pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.cpPullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.cpPullCredentials.dockerconfig` | Array of configurations for the Docker credentials that are used for accessing a registry | - |
| `customSecrets.cpPullCredentials.dockerconfig[].registry` | Server location for Docker registry | `https://index.docker.io/v1/` |
| `customSecrets.cpPullCredentials.dockerconfig[].username` | Username to connect as | - |
| `customSecrets.cpPullCredentials.dockerconfig[].password` | Password to connect with | - |
| `customSecrets.cpPullCredentials.secretName` | Name of secret for `image_pull_secrets`| `<resoucename>-cp-pull-credentials` |
### customVolumes
#### Persistent Volume for databases postgres
| Value | Description | Default |
|---|---|---|
| `customVolumes.postgres.enabled` | Enable the PV resource configuration for the postgres databases | `false` |
| `customVolumes.postgres.hostPath` | Directory location on host | - |
| `customVolumes.postgres.size` | Size of the volume | `8Gi` |
| `customVolumes.postgres.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name for `postgres_storage_class` | `<resourcename>-postgres-volume` |
#### Persistent Volume for projects files
| Value | Description | Default |
|---|---|---|
| `customVolumes.projects.enabled` | Enable the PVC and PVC resources configuration for the projects files | `false` |
| `customVolumes.projects.hostPath` | Directory location on host | - |
| `customVolumes.projects.size` | Size of the volume | `8Gi` |
| `customVolumes.projects.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name | `<resourcename>-projects-volume` |
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
# Chart Publishing
The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.

6
.helm/starter/templates/_helpers.tpl
View File

@@ -1,6 +0,0 @@
{{/*
Generate the name of the postgres secret, expects AWX context passed in
*/}}
{{- define "postgres.secretName" -}}
{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
{{- end }}

28
.helm/starter/templates/awx-deploy.yaml
View File

@@ -1,28 +0,0 @@
{{- if $.Values.AWX.enabled }}
{{- with .Values.AWX }}
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
spec:
{{- /* Provide custom persistent volumes configs if enabled */}}
{{- include "spec.storageClassNames" $ }}
{{- /* Provide custom secrets configs if enabled */}}
{{- include "spec.secrets" $ }}
{{- /* Include raw map from the values file spec */}}
{{ .spec | toYaml | indent 2 }}
{{- /* Provide security context defaults */}}
{{- if not (hasKey .spec "security_context_settings") }}
security_context_settings:
runAsGroup: 0
runAsUser: 0
fsGroup: 0
fsGroupChangePolicy: OnRootMismatch
{{- end }}
{{- /* Postgres configs if enabled and not already present */}}
{{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
postgres_configuration_secret: {{ include "postgres.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}

8
.helm/starter/templates/extra-list.yaml
View File

@@ -1,8 +0,0 @@
{{- range .Values.extraDeploy }}
---
{{- if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (. | toYaml | nindent 0) $ }}
{{- end }}
{{- end }}

19
.helm/starter/templates/postgres-config.yaml
View File

@@ -1,19 +0,0 @@
{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postgres.secretName" . }}
namespace: {{ $.Release.Namespace }}
{{- with $.Values.AWX.postgres }}
stringData:
host: {{ .host }}
port: {{ .port | quote }}
database: {{ .dbName }}
username: {{ .username }}
password: {{ .password }}
sslmode: {{ .sslmode }}
target_session_attrs: {{ .target_session_attrs | default "any" }}
type: {{ .type }}
type: Opaque
{{- end }}
{{- end }}

170
.helm/starter/templates/secrets/_helpers.tpl
View File

@@ -1,170 +0,0 @@
{{/*
Generate certificates for ingress
*/}}
{{- define "ingress.gen-certs" -}}
{{- $ca := genCA "ingress-ca" 365 -}}
{{- $cert := genSignedCert ( $.Values.AWX.spec.hostname | required "AWX.spec.hostname is required!" ) nil nil 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Generate the name of the secret that contains the admin user password
*/}}
{{- define "admin.secretName" -}}
{{ default (printf "%s-admin-password" $.Values.AWX.name) (default $.Values.customSecrets.admin.secretName $.Values.AWX.spec.admin_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=route
*/}}
{{- define "routeTls.secretName" -}}
{{ default (printf "%s-route-tls" $.Values.AWX.name) (default $.Values.customSecrets.routeTls.secretName $.Values.AWX.spec.route_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=ingress
*/}}
{{- define "ingressTls.secretName" -}}
{{ default (printf "%s-ingress-tls" $.Values.AWX.name) (default $.Values.customSecrets.ingressTls.secretName $.Values.AWX.spec.ingress_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP Certificate Authority
*/}}
{{- define "ldapCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.ldapCacert).secretName $.Values.AWX.spec.ldap_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the custom Certificate Authority
*/}}
{{- define "bundleCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.bundleCacert).secretName $.Values.AWX.spec.bundle_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP BIND DN password
*/}}
{{- define "ldap.secretName" -}}
{{ default (printf "%s-ldap-password" $.Values.AWX.name) (default $.Values.customSecrets.ldap.secretName $.Values.AWX.spec.ldap_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the symmetric key for encryption
*/}}
{{- define "secretKey.secretName" -}}
{{ default (printf "%s-secret-key" $.Values.AWX.name) (default $.Values.customSecrets.secretKey.secretName $.Values.AWX.spec.secret_key_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default execution environment pull credentials
*/}}
{{- define "eePullCredentials.secretName" -}}
{{ default (printf "%s-ee-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.eePullCredentials.secretName $.Values.AWX.spec.ee_pull_credentials_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default control plane pull credentials
*/}}
{{- define "cpPullCredentials.secretName" -}}
{{ default (printf "%s-cp-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.cpPullCredentials.secretName $.Values.AWX.spec.image_pull_secrets) }}
{{- end }}
{{/*
Generate the .dockerconfigjson file unencoded.
*/}}
{{- define "dockerconfigjson.b64dec" }}
{{- print "{\"auths\":{" }}
{{- range $index, $item := . }}
{{- if $index }}
{{- print "," }}
{{- end }}
{{- printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" (default "https://index.docker.io/v1/" $item.registry) $item.username $item.password (default "" $item.email) (printf "%s:%s" $item.username $item.password | b64enc) }}
{{- end }}
{{- print "}}" }}
{{- end }}
{{/*
Generate the base64-encoded .dockerconfigjson.
*/}}
{{- define "dockerconfigjson.b64enc" }}
{{- $list := ternary (list .) . (kindIs "map" .) }}
{{- include "dockerconfigjson.required" $list }}
{{- include "dockerconfigjson.b64dec" $list | b64enc }}
{{- end }}
{{/*
Required values for .dockerconfigjson
*/}}
{{- define "dockerconfigjson.required" -}}
{{- range . -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].username is required!" .username -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].password is required!" .password -}}
{{- end -}}
{{/* Check for registry uniqueness */}}
{{- $registries := list -}}
{{- range . -}}
{{- $registries = append $registries (default "https://index.docker.io/v1/" .registry) -}}
{{- end -}}
{{- $_ := required "All cpPullCredentials.dockerconfigjson[].registry's must be unique!" (or (eq (len $registries) (len ($registries | uniq))) nil) -}}
{{- end -}}
{{/*
Generate the name of the secrets
*/}}
{{- define "spec.secrets" -}}
{{- /* secret configs if enabled */}}
{{- if hasKey $.Values "customSecrets" }}
{{- with $.Values.customSecrets }}
{{- if .enabled }}
{{- if hasKey . "admin" }}
{{- if and (not (hasKey $.Values.AWX.spec "admin_password_secret")) .admin.enabled }}
admin_password_secret: {{ include "admin.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "secretKey" }}
{{- if and (not (hasKey $.Values.AWX.spec "secret_key_secret")) .secretKey.enabled }}
secret_key_secret: {{ include "secretKey.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "routeTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "route_tls_secret")) .routeTls.enabled }}
route_tls_secret: {{ include "routeTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ingressTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "ingress_tls_secret")) .ingressTls.enabled }}
ingress_tls_secret: {{ include "ingressTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldapCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_cacert_secret")) .ldapCacert.enabled }}
ldap_cacert_secret: {{ include "ldapCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "bundleCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "bundle_cacert_secret")) .bundleCacert.enabled }}
bundle_cacert_secret: {{ include "bundleCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldap" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_password_secret")) .ldap.enabled }}
ldap_password_secret: {{ include "ldap.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "eePullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "ee_pull_credentials_secret")) .eePullCredentials.enabled }}
ee_pull_credentials_secret: {{ include "eePullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "cpPullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "image_pull_secrets")) .cpPullCredentials.enabled }}
image_pull_secrets:
- {{ include "cpPullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/admin-password-secret.yaml
View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "admin" }}
{{- with $.Values.customSecrets.admin }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "admin.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
password: {{ .password | required "customSecrets.admin.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/cp-pull-credentials-secret.yaml
View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "cpPullCredentials" }}
{{- with $.Values.customSecrets.cpPullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "cpPullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "dockerconfigjson.b64enc" .dockerconfig | required "customSecrets.cpPullCredentials.dockerconfig is required!" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

49
.helm/starter/templates/secrets/custom-certs-secret.yaml
View File

@@ -1,49 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- with .Values.customSecrets }}
{{- $hasLdapCrt := (hasKey $.Values.customSecrets "ldapCacert") -}}
{{- $hasBundleCrt := (hasKey . "bundleCacert") -}}
{{- if or $hasLdapCrt $hasBundleCrt }}
{{- $ldapCrtEnabled := ternary (.ldapCacert).enabled false $hasLdapCrt -}}
{{- $bundleCrtEnabled := ternary (.bundleCacert).enabled false $hasBundleCrt -}}
{{- $ldapSecretName := (include "ldapCacert.secretName" $) -}}
{{- $bundleSecretName := (include "bundleCacert.secretName" $) -}}
{{- if and (or $bundleCrtEnabled $ldapCrtEnabled) (eq $ldapSecretName $bundleSecretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
{{- if $ldapCrtEnabled }}
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- else }}
{{- if $ldapCrtEnabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $bundleSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

19
.helm/starter/templates/secrets/ee-pull-credentials-secret.yaml
View File

@@ -1,19 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "eePullCredentials" }}
{{- with $.Values.customSecrets.eePullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "eePullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
url: {{ (required "customSecrets.eePullCredentials.url is required!" .url) | quote }}
username: {{ (required "customSecrets.eePullCredentials.username is required!" .username) | quote }}
password: {{ (required "customSecrets.eePullCredentials.password is required!" .password) | quote }}
ssl_verify: {{ or .sslVerify (eq (.sslVerify | toString) "<nil>") | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

25
.helm/starter/templates/secrets/ingress-tls-secret.yaml
View File

@@ -1,25 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ingressTls" }}
{{- with $.Values.customSecrets.ingressTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ingressTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
{{- if .labels }}
labels:
{{ toYaml .labels | indent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
{{- if .selfSignedCert }}
{{ ( include "ingress.gen-certs" $ ) | indent 2 }}
{{ else }}
tls.key: {{ (.key | required "customSecrets.ingressTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.ingressTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/ldap-password-secret.yaml
View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ldap" }}
{{- with $.Values.customSecrets.ldap }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ldap.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-password: {{ .password | required "customSecrets.ldap.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

17
.helm/starter/templates/secrets/route-tls-secret.yaml
View File

@@ -1,17 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "routeTls" }}
{{- with $.Values.customSecrets.routeTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "routeTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/tls
data:
tls.key: {{ (.key | required "customSecrets.routeTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.routeTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/secret-key-secret.yaml
View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "secretKey" }}
{{- with $.Values.customSecrets.secretKey }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "secretKey.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
secret_key: {{ .key | required "customSecrets.secretKey.key is required!" | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

57
.helm/starter/templates/storage/_helpers.tpl
View File

@@ -1,57 +0,0 @@
{{/*
Generate the name of the persistent volume for postgres folders
*/}}
{{- define "postgres.persistentVolumeName" -}}
{{ printf "%s-postgres-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume for projects folder
*/}}
{{- define "projects.persistentVolumeName" -}}
{{ printf "%s-projects-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume claim for the projects volume
*/}}
{{- define "projects.persistentVolumeClaim" -}}
{{ printf "%s-projects-claim" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the storage class to use for the postgres volume
*/}}
{{- define "postgres.storageClassName" -}}
{{ default (printf "%s-postgres-volume" $.Values.AWX.name) (default $.Values.AWX.spec.postgres_storage_class (($.Values.customVolumes).postgres).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class to use for the projects volume
*/}}
{{- define "projects.storageClassName" -}}
{{ default (printf "%s-projects-volume" $.Values.AWX.name) (default $.Values.AWX.spec.projects_storage_class (($.Values.customVolumes).projects).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class names, expects AWX context passed in
*/}}
{{- define "spec.storageClassNames" -}}
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_class") }}
postgres_storage_class: {{ include "postgres.storageClassName" $ }}
{{- end }}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_requirements") }}
postgres_storage_requirements:
requests:
storage: {{ default "8Gi" $.Values.customVolumes.postgres.size | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled }}
projects_existing_claim: {{ include "projects.persistentVolumeClaim" $ }}
{{- end }}
{{- end }}
{{- end }}

19
.helm/starter/templates/storage/postgres-pv.yaml
View File

@@ -1,19 +0,0 @@
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "postgres.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.postgres }}
spec:
accessModes:
- {{ default "ReadWriteOnce" .accessModes }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" .size | quote }}
storageClassName: {{ include "postgres.storageClassName" $ }}
hostPath:
path: /var/lib/pgsql/data/userdata
{{- end }}
{{- end }}
{{- end }}

32
.helm/starter/templates/storage/projects-pv.yaml
View File

@@ -1,32 +0,0 @@
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "projects.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.projects }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
hostPath:
path: {{ required "customVolumes.projects.hostPath is required!" .hostPath | quote }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "projects.persistentVolumeClaim" $ }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
volumeMode: Filesystem
resources:
requests:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
{{- end }}
{{- end }}
{{- end }}

19
.helm/starter/values.yaml
View File

@@ -1,19 +0,0 @@
AWX:
# enable use of awx-deploy template
enabled: false
name: awx
spec:
admin_user: admin
# configurations for external postgres instance
postgres:
enabled: false
host: Unset
port: 5678
dbName: Unset
username: admin
# for secret management, pass in the password independently of this file
# at the command line, use --set AWX.postgres.password
password: Unset
sslmode: prefer
type: unmanaged

1
.yamllint
View File

@@ -6,7 +6,6 @@ ignore: |
kustomization.yaml kustomization.yaml
awx-operator.clusterserviceversion.yaml awx-operator.clusterserviceversion.yaml
bundle bundle
.helm/starter
hacking/ hacking/
rules: rules:

208
Makefile
View File

@@ -8,13 +8,6 @@ PREV_VERSION ?= $(shell git describe --abbrev=0 --tags $(shell git rev-list --ta
CONTAINER_CMD ?= docker CONTAINER_CMD ?= docker
# GNU vs BSD in-place sed
ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
SED_I := sed -i
else
SED_I := sed -i ''
endif
# CHANNELS define the bundle channels used in the bundle. # CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can: # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -60,15 +53,6 @@ endif
IMG ?= $(IMAGE_TAG_BASE):$(VERSION) IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
NAMESPACE ?= awx NAMESPACE ?= awx
# Helm variables
CHART_NAME ?= awx-operator
CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
CHART_OWNER ?= $(GH_REPO_OWNER)
CHART_REPO ?= awx-operator
CHART_BRANCH ?= gh-pages
CHART_DIR ?= gh-pages
CHART_INDEX ?= index.yaml
.PHONY: all .PHONY: all
all: docker-build all: docker-build
@@ -255,195 +239,3 @@ catalog-build: opm ## Build a catalog image.
.PHONY: catalog-push .PHONY: catalog-push
catalog-push: ## Push a catalog image. catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG) $(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: kubectl-slice
KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
kubectl-slice: ## Download kubectl-slice locally if necessary.
ifeq (,$(wildcard $(KUBECTL_SLICE)))
ifeq (,$(shell which kubectl-slice 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUBECTL_SLICE)) ;\
curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_$(OS)_$(ARCHX).tar.gz | \
tar xzf - -C bin/ kubectl-slice ;\
}
else
KUBECTL_SLICE = $(shell which kubectl-slice)
endif
endif
.PHONY: helm
HELM = $(shell pwd)/bin/helm
helm: ## Download helm locally if necessary.
ifeq (,$(wildcard $(HELM)))
ifeq (,$(shell which helm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
rmdir bin/$(OS)-$(ARCHA) ;\
}
else
HELM = $(shell which helm)
endif
endif
.PHONY: yq
YQ = $(shell pwd)/bin/yq
yq: ## Download yq locally if necessary.
ifeq (,$(wildcard $(YQ)))
ifeq (,$(shell which yq 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
}
else
YQ = $(shell which yq)
endif
endif
PHONY: cr
CR = $(shell pwd)/bin/cr
cr: ## Download cr locally if necessary.
ifeq (,$(wildcard $(CR)))
ifeq (,$(shell which cr 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(CR)) ;\
curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ cr ;\
}
else
CR = $(shell which cr)
endif
endif
charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: helm-chart-generate
.PHONY: helm-chart-generate
helm-chart-generate: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE: Set image and chart label =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
@echo "== Gather Helm Chart Metadata =="
# remove the existing chart if it exists
rm -rf charts/$(CHART_NAME)
# create new chart metadata in Chart.yaml
cd charts && \
$(HELM) create $(CHART_NAME) --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@echo "Generated chart metadata:"
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE: Generate resources and slice into templates =="
# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/raw-files \
--sort-by-kind
@echo "== GIT: Reset kustomize configs =="
# reset kustomize configs following kustomize build
git checkout -f config/.
@echo "== Build Templates and CRDS =="
# Delete metadata.namespace, release namespace will be automatically inserted by helm
for file in charts/$(CHART_NAME)/raw-files/*; do\
$(YQ) -i 'del(.metadata.namespace)' $${file};\
done
# Correct namespace for rolebinding to be release namespace, this must be explicit
for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
done
# Add .spec.replicas for the controller-manager deployment
for file in charts/$(CHART_NAME)/raw-files/deployment-*-controller-manager.yaml; do\
$(YQ) -i '.spec.replicas = "{{ (.Values.Operator).replicas | default 1 }}"' $${file};\
done
# Correct .metadata.name for cluster scoped resources
cluster_scoped_files="charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-metrics-reader.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-proxy-role.yaml";\
for file in $${cluster_scoped_files}; do\
$(YQ) -i '.metadata.name += "-{{ .Release.Name }}"' $${file};\
done
# Correct the reference for the clusterrolebinding
$(YQ) -i '.roleRef.name += "-{{ .Release.Name }}"' 'charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml'
# Correct .spec.replicas type for the controller-manager deployment
for file in charts/$(CHART_NAME)/raw-files/deployment-*-controller-manager.yaml; do\
$(SED_I) "s/'{{ (.Values.Operator).replicas | default 1 }}'/{{ (.Values.Operator).replicas | default 1 }}/g" $${file};\
done
# move all custom resource definitions to crds folder
mkdir charts/$(CHART_NAME)/crds
mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
# remove any namespace definitions
rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
# move remaining resources to helm templates
mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
# remove the raw-files folder
rm -rf charts/$(CHART_NAME)/raw-files
# create and populate NOTES.txt
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
.PHONY: helm-package
helm-package: helm-chart
@echo "== Package Current Chart Version =="
mkdir -p .cr-release-packages
# package the chart and put it in .cr-release-packages dir
$(HELM) package ./charts/$(CHART_NAME) -d .cr-release-packages/$(VERSION)
# List all tags oldest to newest.
TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
# The actual release happens in ansible/helm-release.yml, which calls this targer
# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
# that is contained within a larger repo, where a tag may not require a new chart version
.PHONY: helm-index
helm-index:
# when running in CI the gh-pages branch is checked out by the ansible playbook
# TODO: test if gh-pages directory exists and if not exist
@echo "== GENERATE INDEX FILE =="
# This step to workaround issues with old releases being dropped.
# Until https://github.com/helm/chart-releaser/issues/133 happens
@echo "== CHART FETCH previous releases =="
# Download all old releases
mkdir -p .cr-release-packages
for tag in $(TAGS); do\
dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
echo "Downloading $${tag} from $${dl_url}";\
curl -RLOs -z "$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
result=$$?;\
if [ $${result} -eq 0 ]; then\
echo "Downloaded $${dl_url}";\
mkdir -p .cr-release-packages/$${tag};\
mv ./$(CHART_REPO)-$${tag}.tgz .cr-release-packages/$${tag};\
else\
echo "Skipping release $${tag}; No helm chart present";\
rm -rf "$(CHART_REPO)-$${tag}.tgz";\
fi;\
done;\
# generate the index file in the root of the gh-pages branch
# --merge will leave any values in index.yaml that don't get generated by this command, but
# it is likely that all values are overridden
$(HELM) repo index .cr-release-packages --url https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/ --merge $(CHART_DIR)/index.yaml
mv .cr-release-packages/index.yaml $(CHART_DIR)/index.yaml

122
ansible/helm-release.yml
View File

@@ -1,122 +0,0 @@
---
- hosts: localhost
vars:
chart_repo: awx-operator
environment:
CHART_OWNER: "{{ chart_owner }}"
tasks:
- name: Look up release
uri:
url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
register: release
ignore_errors: yes
- fail:
msg: |
Release must exist before running this playbook
when: release is not success
- name: Set helm filename and commit message
set_fact:
asset_already_attached: False
helm_file_name: "awx-operator-{{ tag }}.tgz"
commit_message: "Updated index.yaml for release {{ release.json.tag_name }}"
- name: See if file is already attached
set_fact:
asset_already_attached: True
loop: "{{ release.json.get('assets', []) }}"
loop_control:
label: "{{ item.name }}"
when: item.name == helm_file_name
- when: not asset_already_attached
block:
- name: Build and package helm chart
command: |
make helm-package
environment:
VERSION: "{{ tag }}"
IMAGE_TAG_BASE: "{{ operator_image }}"
args:
chdir: "{{ playbook_dir }}/../"
# Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
- name: Upload helm chart
uri:
url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name={{ helm_file_name }}"
src: "{{ playbook_dir }}/../.cr-release-packages/{{ tag }}/awx-operator-{{ tag }}.tgz"
headers:
Authorization: "token {{ gh_token }}"
Content-Type: "application/octet-stream"
status_code:
- 200
- 201
register: asset_upload
changed_when: asset_upload.json.state == "uploaded"
- name: Ensure gh-pages exists
file:
state: directory
path: "{{ playbook_dir }}/../gh-pages"
- name: Check if we have published the release
command:
cmd: "git log --grep='{{ commit_message }}'"
chdir: "{{ playbook_dir }}/../gh-pages"
register: commits_for_release
- when: commits_for_release.stdout == ''
block:
- name: Make a temp dir
tempfile:
state: directory
register: temp_dir
- name: Clone the gh-pages branch from {{ chart_owner }}
git:
repo: "{{ ((repo_type | default('http')) == 'ssh') | ternary(ssh_repo, http_repo) }}"
dest: "{{ temp_dir.path }}"
single_branch: yes
version: gh-pages
vars:
http_repo: "https://github.com/{{ chart_owner }}/{{ chart_repo }}"
ssh_repo: "git@github.com:{{ chart_owner }}/{{ chart_repo }}.git"
- name: Publish helm index
ansible.builtin.command:
cmd: make helm-index
environment:
CHART_OWNER: "{{ chart_owner }}"
CR_TOKEN: "{{ gh_token }}"
CHART_DIR: "{{ temp_dir.path }}"
args:
chdir: "{{ playbook_dir }}/.."
- name: Set url base swap in gitconfig
command:
cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
args:
chdir: "{{ temp_dir.path }}/"
no_log: true
- name: Stage and Push commit to gh-pages branch
command:
cmd: "{{ item }}"
loop:
- git add index.yaml
- git commit -m "{{ commit_message }}"
- git push
args:
chdir: "{{ temp_dir.path }}/"
environment:
GIT_AUTHOR_NAME: "{{ gh_user }}"
GIT_AUTHOR_EMAIL: "{{ gh_user }}@users.noreply.github.com"
GIT_COMMITTER_NAME: "{{ gh_user }}"
GIT_COMMITTER_EMAIL: "{{ gh_user }}@users.noreply.github.com"
always:
- name: Remove temp dir
file:
path: "{{ temp_dir.path }}"
state: absent

29
docs/installation/helm-install-on-existing-cluster.md
View File

@@ -1,29 +0,0 @@
# Helm Install on existing cluster
For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
The helm chart is generated from the `helm-chart` Makefile section using the starter files in `.helm/starter`. Consult [the documentation](https://github.com/ansible/awx-operator/blob/devel/.helm/starter/README.md) on how to customize the AWX resource with your own values.
```bash
$ helm repo add awx-operator https://ansible.github.io/awx-operator/
"awx-operator" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "awx-operator" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm search repo awx-operator
NAME CHART VERSION APP VERSION DESCRIPTION
awx-operator/awx-operator 0.17.1 0.17.1 A Helm chart for the AWX Operator
$ helm install -n awx --create-namespace my-awx-operator awx-operator/awx-operator
NAME: my-awx-operator
LAST DEPLOYED: Thu Feb 17 22:09:05 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Helm Chart 0.17.1
```

1
mkdocs.yml
View File

@@ -41,7 +41,6 @@ nav:
- Home: index.md - Home: index.md
- Installation: - Installation:
- installation/basic-install.md - installation/basic-install.md
- installation/helm-install-on-existing-cluster.md
- installation/kind-install.md - installation/kind-install.md
- installation/creating-a-minikube-cluster-for-testing.md - installation/creating-a-minikube-cluster-for-testing.md
- Migrate: - Migrate: