* Add use_db_compression option for backup database dumps
Enable optional pg_dump compression (-Z 9) via use_db_compression
boolean flag. Restore auto-detects compressed (.db.gz) or
uncompressed (.db) backups for backward compatibility.
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
* Add CRD field, CSV descriptor, and restore auto-detection for use_db_compression
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
Quote {{ now }} in firstTimestamp and lastTimestamp to prevent
YAML parser from converting the value to a datetime object.
Assisted-by: Claude
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
Use backup_pvc for custom backup PVC name in templates
When backup_pvc is specified with create_backup_pvc: true, the PVC
template and ownerReference removal used the hardcoded default name
(deployment_name-backup-claim) instead of the user-specified name.
This caused the management pod to reference a PVC that didn't exist.
Replace backup_claim variable with backup_pvc throughout the backup
role so the resolved PVC name is used consistently in all templates.
Authored By: Adam Knochowski <aknochow@redhat.com>
Assisted By: Claude
The testing kustomization overlay still referenced the deleted
manager_auth_proxy_patch.yaml. Update to use manager_metrics_patch.yaml
and add metrics_service.yaml resource.
Ref: AAP-65254
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
Bump operator-sdk, ansible-operator, and OPM binaries to align with
the OCP 4.20 / AAP 2.7 target. Replace the deprecated kube-rbac-proxy
sidecar (removed in operator-sdk v1.38.0) with controller-runtime's
built-in WithAuthenticationAndAuthorization for metrics endpoint
protection.
Changes:
- Makefile: operator-sdk v1.36.1 → v1.40.0, OPM v1.26.0 → v1.55.0
- Dockerfile: ansible-operator base image v1.36.1 → v1.40.0
- Remove kube-rbac-proxy sidecar and auth_proxy_* RBAC manifests
- Add metrics_auth_role, metrics_reader, and metrics_service resources
- Add --metrics-secure, --metrics-require-rbac, --metrics-bind-address
flags via JSON patch to serve metrics directly from the manager on
port 8443 with TLS and RBAC authentication
Ref: AAP-65254
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
- Move force_drop_db from vars/main.yml to defaults/main.yml so CR spec
values are not overridden by Ansible variable precedence
- Grant CREATEDB priv to database user before DROP/CREATE and revoke
it after restore, following the containerized-installer pattern
- Omit --clean --if-exists from pg_restore when force_drop_db is true
since the database is freshly created and empty, avoiding partition
index dependency errors
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
When users specify a custom backup_pvc name, the operator now
automatically creates the PVC instead of failing with
"does not exist, please create this pvc first."
Changes:
- Add create_backup_pvc variable (default: true) to backup defaults
- Update error condition to check create_backup_pvc before failing
- Update PVC creation condition to include create_backup_pvc
- Add create_backup_pvc field to AWXBackup CRD
Users who want the previous behavior can set create_backup_pvc: false.
Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to
log the presence of these headers as trusted_proxy_present and
dab_jwt_present fields in the nginx access log.
These markers enable the detection tool (aap-detect-direct-component-access)
to identify direct API access that bypasses AAP Gateway.
Also add explicit error_log /dev/stderr warn; instead of relying on
container base image symlinks.
Part of ANSTRAT-1840: Remove direct API access to platform components.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AWX Operator is no longer published to OperatorHub. Remove the
publish-operator-hub GHA workflow, the hack/publish-to-operator-hub.sh
script, the OperatorHub section from the release process docs, and the
OperatorHub-specific resource list from the debugging guide.
Author: Christian M. Adams
Assisted By: Claude
The Docker daemon on ubuntu-latest runners now requires minimum API
version 1.44, causing molecule kind tests to fail during cluster
teardown.
Author: Christian M. Adams
Assisted By: Claude
The application container image is now using python3.12, so we need
to update the associated volume mount for the redirect page.
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
add the functionality to accept an annotation in the awx-cr to be able to override the default client_request_timeout value.
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
This avoids running into the following error when pg_restore is run as
the application db user from the db-management pod:
pg_restore: error: could not execute query: ERROR: must be member of role postgres
Command was: ALTER SCHEMA public OWNER TO postgres;
* fix: Correct the image_version conditional
When image is set and image_version is unset, the conditional is failing
because the unset variable causes an error.
Implemented the correct conditional and added an assert to validate that
both variables are set properly when image is set.
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
* Add hacking/ directory to .gitignore as it is commonly used for dev scripts
* Add postgres_extra_settings
* Add postgres_configuration_secret checksum to DB statefulset
* Docs for postgres_extra_settings, CI coverage, and examples
---------
Co-authored-by: Christian M. Adams <chadams@redhat.com>
- Applies a pull-secret yaml file if it exists at hacking/awx-cr.yml
- The operator will look for a pull secret called
redhat-operators-pull-secret
- This makes it possible to use a private operator image on your quay.io
registry out of the box with the up.sh
- Add PULL_SECRET_FILE environment variable with default hacking/pull-secret.yml
* updating task descriptions in backup and restore roles
* Revert "Run import_auth_config_to_gateway when public_url is defined (#2064)"
This reverts commit 54293a0efb.
Set password_encryption to scram-sha-256 and re-encrypt db user passwords for FIPS compliance
(cherry picked from commit 0e76404357a77a5f773aee6e2b3a5b85d1f514b7)
Co-authored-by: Christian M. Adams <chadams@redhat.com>
feat: set api timeout to match proxy timeout
Timeout before the openshift route times out.
Not timing out before undercuts the usefulness of our log-traceback-middleware in
django-ansible-base, which logs a traceback from requests that get timed
out, because uwsgi or gunicorn has to send the timeout signal to the
worker handling the request. It also leads to issues where requests that
envoy has already timed out are filling up the queues of the workers of the
components.
Also, configure nginx to return a 503 if the WSGI server doesn't respond.
Co-authored-by: Elijah DeLee <kdelee@redhat.com>
The other installer uses 3.7.1 and the file on disk is also using 3.7.1
from the rest framework directory.
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
* Add deployment type shortname for legacy API url
* Add trailing slash to legacy API url
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
---------
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
Enables users to customize client_max_body_size in Nginx conf to allow
for larger file uploads. This is useful in cases when users need to upload
large subscription manifest files.
---------
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
* awx.awx collection on galaxy is ooooold at this point. Releases are
paused, so point at awx collection in devel to get that new bleeding
edge hotness.