* Add use_db_compression option for backup database dumps
Enable optional pg_dump compression (-Z 9) via use_db_compression
boolean flag. Restore auto-detects compressed (.db.gz) or
uncompressed (.db) backups for backward compatibility.
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
* Add CRD field, CSV descriptor, and restore auto-detection for use_db_compression
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
Quote {{ now }} in firstTimestamp and lastTimestamp to prevent
YAML parser from converting the value to a datetime object.
Assisted-by: Claude
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
Use backup_pvc for custom backup PVC name in templates
When backup_pvc is specified with create_backup_pvc: true, the PVC
template and ownerReference removal used the hardcoded default name
(deployment_name-backup-claim) instead of the user-specified name.
This caused the management pod to reference a PVC that didn't exist.
Replace backup_claim variable with backup_pvc throughout the backup
role so the resolved PVC name is used consistently in all templates.
Authored By: Adam Knochowski <aknochow@redhat.com>
Assisted By: Claude
- Move force_drop_db from vars/main.yml to defaults/main.yml so CR spec
values are not overridden by Ansible variable precedence
- Grant CREATEDB priv to database user before DROP/CREATE and revoke
it after restore, following the containerized-installer pattern
- Omit --clean --if-exists from pg_restore when force_drop_db is true
since the database is freshly created and empty, avoiding partition
index dependency errors
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
When users specify a custom backup_pvc name, the operator now
automatically creates the PVC instead of failing with
"does not exist, please create this pvc first."
Changes:
- Add create_backup_pvc variable (default: true) to backup defaults
- Update error condition to check create_backup_pvc before failing
- Update PVC creation condition to include create_backup_pvc
- Add create_backup_pvc field to AWXBackup CRD
Users who want the previous behavior can set create_backup_pvc: false.
Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to
log the presence of these headers as trusted_proxy_present and
dab_jwt_present fields in the nginx access log.
These markers enable the detection tool (aap-detect-direct-component-access)
to identify direct API access that bypasses AAP Gateway.
Also add explicit error_log /dev/stderr warn; instead of relying on
container base image symlinks.
Part of ANSTRAT-1840: Remove direct API access to platform components.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
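
An added example, not part of the commit or the operator's code: one way to consume the trusted_proxy_present and dab_jwt_present access-log markers to flag requests that did not arrive through the gateway. The log line layout, the true/false marker values and the nginx directives in the docstring are assumptions; the commit message names only the two headers and the two field names.

```python
"""Flag access-log entries that lack the gateway markers.
Assumed nginx side (illustrative, not the operator's actual template):
    map $http_x_trusted_proxy $trusted_proxy_present { default "true"; "" "false"; }
    map $http_x_dab_jw_token  $dab_jwt_present       { default "true"; "" "false"; }
    log_format ... 'trusted_proxy_present=$trusted_proxy_present '
                   'dab_jwt_present=$dab_jwt_present';
"""
import re

# Constructed sample lines (assumed format, documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v2/jobs/ HTTP/1.1" 200 512 trusted_proxy_present=true dab_jwt_present=true
198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v2/users/ HTTP/1.1" 200 2048 trusted_proxy_present=false dab_jwt_present=false
192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "POST /api/v2/job_templates/7/launch/ HTTP/1.1" 201 96 trusted_proxy_present=true dab_jwt_present=false
203.0.113.4 - - [01/Jan/2025:10:00:12 +0000] "GET /api/v2/ping/ HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
MARKER_RE = re.compile(r'\b(trusted_proxy_present|dab_jwt_present)=(true|false)\b')


def classify(line):
    """Return (verdict, client, path) for one access-log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    markers = dict(MARKER_RE.findall(line))
    present = [markers.get(k) for k in ("trusted_proxy_present", "dab_jwt_present")]
    if None in present:
        verdict = "unknown"      # line predates the marker fields or was truncated
    elif present == ["true", "true"]:
        verdict = "via_gateway"
    elif present == ["false", "false"]:
        verdict = "direct"
    else:
        verdict = "partial"      # only one of the two headers was sent
    return verdict, m.group("client"), m.group("path")


def suspicious(log_text):
    """All parsable entries that are not clearly gateway traffic."""
    results = [classify(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[0] != "via_gateway"]


if __name__ == "__main__":
    for verdict, client, path in suspicious(SAMPLE_LOG):
        print(f"{verdict:8} {client:15} {path}")
```

The markers record only that a header was present, and a client can send either header itself, so a "via_gateway" verdict is a filter for triage and not evidence that the request was authenticated by the gateway.
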
The application container image is now using python3.12 so we need
to update the associated volume mount for the redirect page.
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
add the functionality to accept an annotation in the awx-cr to be able to override the default client_request_timeout value.
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
This avoids running into the following error when pg_restore is run as
the application db user from the db-management pod:
pg_restore: error: could not execute query: ERROR: must be member of role postgres
Command was: ALTER SCHEMA public OWNER TO postgres;
* fix: Correct the image_version conditional
When image is set and image_version is unset, the conditional fails
because the unset variable causes an error.
Implemented the correct conditional and added an assert to validate that
both variables are set properly when image is set.
Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
* Add hacking/ directory to .gitignore as it is commonly used for dev scripts
* Add postgres_extra_settings
* Add postgres_configuration_secret checksum to DB statefulset
* Docs for postgres_extra_settings, CI coverage, and examples
---------
Co-authored-by: Christian M. Adams <chadams@redhat.com>
* updating task descriptions in backup and restore roles
* Revert "Run import_auth_config_to_gateway when public_url is defined (#2064)"
This reverts commit 54293a0efb.
Set password_encryption to scram-sha-256 and re-encrypt db user passwords for FIPS compliance
(cherry picked from commit 0e76404357a77a5f773aee6e2b3a5b85d1f514b7)
Co-authored-by: Christian M. Adams <chadams@redhat.com>
feat: set api timeout to match proxy timeout
Timeout before the openshift route times out
not timing out before undercuts usefulness of our log-traceback-middleware in
django-ansible-base that logs a traceback from requests that get timed
out -- because uwsgi or gunicorn has to send the timeout signal to the
worker handling the request. Also leads to issues where requests that
envoy has already timed out are filling up queues of the workers of the
components.
Also, configure nginx to return a 503 if WSGI server doesn't respond.
Co-authored-by: Elijah DeLee <kdelee@redhat.com>
Other installer uses 3.7.1 and the file on disk is also using 3.7.1
from the rest framework directory.
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
* Add deployment type shortname for legacy API url
* Add trailing slash to legacy API url
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
---------
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
Enables users to customize client_max_body_size in Nginx conf to allow
for larger file uploads. This is useful in cases when users need to upload
large subscription manifest files.
---------
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
* Compare gating version against existing deployment versions and set upgradeFrom status
* Add quotes to default version
Co-authored-by: Dimitri Savineau <savineau.dimitri@gmail.com>
When enabling debug web requests, the /var/log/tower directory needs
to exist.
Rather than just creating that directory in the container image,
create an emptyDir volume.
Closes: #1485
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
- Update role name for README.md
- Avoid the this_awx['resources'][0] is undefined in database_configuration.yml
- Add update_status variable to include or not the update_status.yml
- metrics_utility_enabled exists in CRD but not as variable
Co-authored-by: Christian Adams <chadams@redhat.com>