Merge pull request #436 from shanemcd/bump-0.12.0

Bump versions for next release

.github/workflows/ci.yaml

@@ -31,14 +31,21 @@ jobs:
             ansible-lint \
             openshift \
             jmespath \
-            ansible
+            ansible-core
 
       - name: Install Collections
         run: |
-         ansible-galaxy collection install community.kubernetes operator_sdk.util
+         ansible-galaxy collection install community.general kubernetes.core:1.2.1 operator_sdk.util
+
+      - name: Setup Minikube
+        uses: manusa/actions-setup-minikube@v2.4.2
+        with:
+          minikube version: 'v1.16.0'
+          kubernetes version: 'v1.19.2'
+          github token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Molecule
         env:
           MOLECULE_VERBOSITY: 3
         run: |
-          molecule test -s test-local
+          molecule test -s test-minikube

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
 
+# 0.10.0 (Jun 1, 2021)
+
+- Make tower_ingress_type to respect ClusterIP definition (Marcelo Moreira de Mello) - e37c091 (breaking_change)
+- Add ability to get/create/delete secrets for the awx service account (Christian M. Adams) - 61b3cb4
+- Added ability to specify annotations to ServiceAccount (Marcelo Moreira de Mello) - 446ac0b
+- Do not shadow other variables (Yanis Guenane) - 223fe98
+- Do not prepend variables name with tower_ (Yanis Guenane) - 75458d0 (breaking_change)
+- Fully remove finalizer (Christian M. Adams) - fd92050
+- Use custom pg_dump format for faster restores (Christian M. Adams) - f16d9ac
+- Allow user to specify empty string for storage class on PVC (Christian M. Adams) - 818b837
+- Unset ownerRefs in the installer instead of the finalizer (Christian M. Adams) - c12a1f0
+- Make awx-operator compatible with Ansible 2.12 (Alan Rominger) - 5216489
+- Restore: set proper kind var after deploying AWX CR (Julen Landa Alustiza) - fc4687f
+- Add support for custom service labels (Jeremy Kimber) - fd42802
+- Rename product specific variable names (Christian M. Adams) - 5ae3636 (breaking_change)
+- Add watcher for backup CR (Christian M. Adams) - fdcc745
+
 # 0.9.0 (May 1, 2021)
 
 - Update playbook to allow for deploying custom image version/tag (Shane McDonald) - 77e7039 

README.md

@@ -24,10 +24,11 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
-         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [Extra Settings](#extra-settings)
          * [Service Account](#service-account)
    * [Upgrading](#upgrading)
    * [Contributing](#contributing)
@@ -427,10 +428,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                             | Description                          | Default                             |
-| -------------------------------- | ------------------------------------ | ----------------------------------- |
-| web_resource_requirements        | Web container resource requirements  | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements       | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                             | Description                                      | Default                             |
+| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
+| web_resource_requirements        | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
+| task_resource_requirements       | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
+| ee_resource_requirements         | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
 
 Example of customization could be:
 
@@ -452,6 +454,13 @@ spec:
     limits:
       cpu: 1000m
       memory: 2Gi
+  ee_resource_requirements:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
 ```
 
 #### Assigning AWX pods to specific nodes
@@ -496,28 +505,36 @@ spec:
       effect: "NoSchedule"
 ```
 
-#### LDAP Certificate Authority
+#### Trusting a Custom Certificate Authority
 
-If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
 
-| Name                             | Description                             | Default |
-| -------------------------------- | --------------------------------------- | --------|
-| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
+
+Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
+
 Example of customization could be:
 
 ```yaml
 ---
 spec:
   ...
-  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+  ldap_cacert_secret: <resourcename>-custom-certs
+  bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
 To create the secret, you can use the command below:
 
 ```sh
-# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+# kubectl create secret generic <resourcename>-custom-certs \
+    --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>  \
+    --from-fle=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
 #### Persisting Projects Directory
@@ -554,8 +571,53 @@ In a scenario where custom volumes and volume mounts are required to either over
 | task_extra_volume_mounts       | Specify volume mounts to be added to Task container      | ''      |
 | ee_extra_volume_mounts         | Specify volume mounts to be added to Execution container | ''      |
 
+> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
+
 Example configuration for ConfigMap
 
+#### Default execution environments from private registries
+
+In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
+
+The secret should be formated as follows:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resourcename>-ee-pull-credentials
+  namespace: <target namespace>
+stringData:
+  url: <registry url. i.e. quay.io>
+  username: <username to connect as>
+  password: <password to connect with>
+  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
+type: Opaque
+```
+
+##### Control plane ee from private registry
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time. 
+
+You can create `image_pull_secret`
+```
+kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
+```
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resoucename>-cp-pull-credentials
+  namespace: <target namespace>
+data:
+  .dockerconfigjson: <base64 docker config>
+type: kubernetes.io/dockerconfigjson
+```
+Example spec file extra-config
+
 ```yaml
 ---
 apiVersion: v1
@@ -617,6 +679,9 @@ If you need to export custom environment variables to your containers.
 | ----------------------------- | -------------------------------------------------------- | ------- |
 | task_extra_env                | Environment variables to be added to Task container      | ''      |
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
+| ee_extra_env                  | Environment variables to be added to EE container        | ''      |
+
+> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
 Example configuration of environment variables
 
@@ -628,6 +693,29 @@ Example configuration of environment variables
     web_extra_env: |
       - name: MYCUSTOMVAR
         value: foo
+    ee_extra_env: |
+      - name: MYCUSTOMVAR
+        value: foo
+```
+
+#### Extra Settings
+
+With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
+
+| Name                          | Description                                              | Default |
+| ----------------------------- | -------------------------------------------------------- | ------- |
+| extra_settings                | Extra settings                                           | ''      |
+
+Example configuration of `extra_settings` parameter
+
+```yaml
+  spec:
+    extra_settings:
+      - setting: MAX_PAGE_SIZE
+        value: "500"
+
+      - setting: AUTH_LDAP_BIND_DN
+        value: "cn=admin,dc=example,dc=com"
 ```
 
 #### Service Account
@@ -662,43 +750,13 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
 
 There are a few moving parts to this project:
 
-  1. The Docker image which powers AWX Operator.
-  2. The `awx-operator.yaml` Kubernetes manifest file which initially deploys the Operator into a cluster.
-  3. Then use the command below to generate a list of commits between the versions.
-  ```sh
-  #> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
-  ```
+  * The `awx-operator` container image which powers AWX Operator
+  * The `awx-operator.yaml` file, which initially deploys the Operator
+  * The ClusterServiceVersion (CSV), which is generated as part of the bundle and needed for the olm-catalog
 
 Each of these must be appropriately built in preparation for a new tag:
 
-### Verify Functionality
-
-Run the following command inside this directory:
-
-```sh
-#> operator-sdk build quay.io/<user>/awx-operator:test
-```
-
-Then push the generated image to Docker Hub:
-
-```sh
-#> docker push quay.io/<user>/awx-operator:test
-```
-
-After it is built, test it on a local cluster:
-
-
-```sh
-#> minikube start --memory 6g --cpus 4
-#> minikube addons enable ingress
-#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=test
-#> kubectl create namespace example-awx
-#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx
-#> <test everything>
-#> minikube delete
-```
-
-### Update version
+### Update version and files
 
 Update the awx-operator version:
 
@@ -710,6 +768,51 @@ Once the version has been updated, run from the root of the repo:
 #> ansible-playbook ansible/chain-operator-files.yml
 ```
 
+Generate the olm-catalog bundle.
+
+```bash
+$ operator-sdk generate bundle --operator-name awx-operator --version <new_tag>
+```
+
+> This should be done with operator-sdk v0.19.4.  
+
+> It is a good idea to use the [build script](./build.sh) at this point to build the catalog and test out installing it in Operator Hub.
+
+### Verify Functionality
+
+Run the following command inside this directory:
+
+```sh
+#> operator-sdk build quay.io/<user>/awx-operator:<new-version>
+```
+
+Then push the generated image to Docker Hub:
+
+```sh
+#> docker push quay.io/<user>/awx-operator:<new-version>
+```
+
+After it is built, test it on a local cluster:
+
+
+```sh
+#> minikube start --memory 6g --cpus 4
+#> minikube addons enable ingress
+#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=<new-version> -e pull_policy=Always
+#> kubectl create namespace example-awx
+#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx -e image=quay.io/<user>/awx -e service_type=nodeport
+#> # Verify that the awx-task and awx-web containers are launched 
+#> # with the right version of the awx image
+#> minikube delete
+```
+
+### Update changelog
+
+Generate a list of commits between the versions and add it to the [changelog](./CHANGELOG.md).
+```sh
+#> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
+```
+
 ### Commit / Create Release
 
 If everything works, commit the updated version, then [publish a new release](https://github.com/ansible/awx-operator/releases/new) using the same version you used in `ansible/group_vars/all`.

ansible/build-and-push.yml

@@ -3,15 +3,15 @@
   hosts: localhost
 
   collections:
-    - community.general
+    - community.docker
 
   tasks:
     - name: Build and (optionally) push operator image
       docker_image:
         name: "{{ operator_image }}:{{ operator_version }}"
-        pull: no
-        push: "{{ push_image | bool }}"
+        source: "build"
+        push: "{{ push_image }}"
         build:
           dockerfile: "build/Dockerfile"
           path: "../"
-        force: yes
+        force_source: "yes"

ansible/deploy-operator.yml

@@ -9,7 +9,7 @@
     obliterate: no
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Obliterate Operator

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.10.0
+operator_version: 0.12.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/instantiate-awx-deployment.yml

@@ -3,7 +3,7 @@
   hosts: localhost
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Deploy AWX

ansible/templates/awxbackup_crd.yml.j2

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

ansible/templates/awxrestore_crd.yml.j2

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

ansible/templates/crd.yml.j2

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -149,6 +146,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +210,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +268,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -258,6 +285,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -317,6 +350,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -348,7 +384,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/awx-operator.yaml

@@ -28,15 +28,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -151,6 +148,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -209,6 +212,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -245,6 +270,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -260,6 +287,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -319,6 +352,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -350,7 +386,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object
@@ -437,7 +473,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -448,6 +484,36 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string
 
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -501,6 +567,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -627,7 +720,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.10.0"
+          image: "quay.io/ansible/awx-operator:0.12.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -645,7 +738,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.10.0"
+              value: "0.12.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -149,6 +146,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +210,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +268,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -258,6 +285,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -317,6 +350,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -348,7 +384,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/crds/awx_v1beta1_molecule.yaml

@@ -17,3 +17,7 @@ spec:
     requests:
       cpu: 500m
       memory: 128M
+  ee_resource_requirements:
+    requests:
+      cpu: 200m
+      memory: 64M

deploy/crds/awxbackup_v1beta1_crd.yaml

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

deploy/crds/awxrestore_v1beta1_crd.yaml

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -13,7 +13,14 @@ metadata:
           },
           "spec": {
             "deployment_type": "awx",
+            "ee_resource_requirements": {
+              "requests": {
+                "cpu": "200m",
+                "memory": "64M"
+              }
+            },
             "ingress_type": "ingress",
+            "service_account_annotations": "foo: bar\n",
             "task_resource_requirements": {
               "requests": {
                 "cpu": "500m",
@@ -32,16 +39,15 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.0.1
+  name: awx-operator.v0.12.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - kind: AWXBackup
+    - displayName: AWX Backup
+      kind: AWXBackup
       name: awxbackups.awx.ansible.com
-      version: v1beta1
-      displayName: AWX Backup
       specDescriptors:
       - displayName: Deployment name
         path: deployment_name
@@ -73,26 +79,26 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Backup claim
-        description: The persistent volume claim name used during backup
+      - description: The persistent volume claim name used during backup
+        displayName: Backup claim
         path: backupClaim
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - displayName: Backup directory
-        description: The directory data is backed up to on the PVC
+      - description: The directory data is backed up to on the PVC
+        displayName: Backup directory
         path: backupDirectory
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-    - kind: AWXRestore
-      name: awxrestores.awx.ansible.com
       version: v1beta1
-      displayName: AWX Restore
+    - displayName: AWX Restore
+      kind: AWXRestore
+      name: awxrestores.awx.ansible.com
       specDescriptors:
       - displayName: Backup source to restore ?
         path: backup_source
         x-descriptors:
-          - urn:alm:descriptor:com.tectonic.ui:select:CR
-          - urn:alm:descriptor:com.tectonic.ui:select:PVC
+        - urn:alm:descriptor:com.tectonic.ui:select:CR
+        - urn:alm:descriptor:com.tectonic.ui:select:PVC
       - displayName: Backup name
         path: backup_name
         x-descriptors:
@@ -123,11 +129,12 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Restore status
-        description: The state of the restore
+      - description: The state of the restore
+        displayName: Restore status
         path: restoreComplete
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      version: v1beta1
     - description: A AWX Instance
       displayName: AWX
       kind: AWX
@@ -262,12 +269,19 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container resource requirements (when using a managed instance)
+      - displayName: EE Control Plane container resource requirements
+        path: ee_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: PostgreSQL container resource requirements (when using a managed
+          instance)
         path: postgres_resource_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container storage requirements (when using a managed instance)
+      - displayName: PostgreSQL container storage requirements (when using a managed
+          instance)
         path: postgres_storage_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -349,6 +363,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Label Selector
+        path: postgres_label_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Postgres Tolerations
         path: postgres_tolerations
         x-descriptors:
@@ -397,8 +416,8 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
         - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
-      - description: Projects Storage Class Name. If not present, the default
-          storage class will be used.
+      - description: Projects Storage Class Name. If not present, the default storage
+          class will be used.
         displayName: Projects Storage Class Name
         path: projects_storage_class
         x-descriptors:
@@ -424,26 +443,45 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Env
-        description: Environment variables to be added to Task container
+      - description: Environment variables to be added to Task container
+        displayName: Task Extra Env
         path: task_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Extra Volume Mounts
+      - description: Specify volume mounts to be added to Execution container
+        displayName: EE Extra Volume Mounts
         path: ee_extra_volume_mounts
-        description: Specify volume mounts to be added to Execution container
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Images
-        description: Registry path to the Execution Environment container to use
+      - description: Registry path to the Execution Environment container to use
+        displayName: EE Images
         path: ee_images
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Volume Mounts
-        description: Specify volume mounts to be added to Task container
+      - description: Environment variables to be added to EE container
+        displayName: EE Extra Env
+        path: ee_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the Execution Environment container to use on
+          control plane pods
+        displayName: Control Plane EE Image
+        path: control_plane_ee_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: EE Images Pull Credentials Secret
+        displayName: EE Images Pull Credentials Secret
+        path: ee_pull_credentials_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - description: Specify volume mounts to be added to Task container
+        displayName: Task Extra Volume Mounts
         path: task_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -458,20 +496,20 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Env
-        description: Environment variables to be added to Web container
+      - description: Environment variables to be added to Web container
+        displayName: Web Extra Env
         path: web_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Volume Mounts
-        description: Specify volume mounts to be added to Web container
+      - description: Specify volume mounts to be added to Web container
+        displayName: Web Extra Volume Mounts
         path: web_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Extra Volumes
-        description: Specify extra volumes to add to the application pod
+      - description: Specify extra volumes to add to the application pod
+        displayName: Extra Volumes
         path: extra_volumes
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -497,6 +535,23 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the init container to use
+        displayName: Init Container Image
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Init container image version to use
+        displayName: Init Container Image Version
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Secret where can be found the trusted Certificate Authority Bundle
+        path: bundle_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -607,6 +662,8 @@ spec:
           - awx.ansible.com
           resources:
           - '*'
+          - awxbackups
+          - awxrestores
           verbs:
           - '*'
         serviceAccountName: awx-operator
@@ -637,7 +694,11 @@ spec:
                   value: awx-operator
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/ansible/awx-operator:0.8.0
+                - name: OPERATOR_VERSION
+                  value: 0.12.0
+                - name: ANSIBLE_DEBUG_LOGS
+                  value: "false"
+                image: quay.io/ansible/awx-operator:0.12.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -676,4 +737,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  version: 0.0.1
+  replaces: awx-operator.v0.11.0
+  version: 0.12.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxbackups_crd.yaml

@@ -18,14 +18,12 @@ spec:
         description: Schema validation for the AWXBackup CRD
         properties:
           spec:
-            required:
-              - deployment_name
             properties:
               backup_pvc:
                 description: Name of the PVC to be used for storing the backup
                 type: string
               backup_pvc_namespace:
-                description: Namespace PVC is in
+                description: Namespace the PVC is in
                 type: string
               backup_storage_class:
                 description: Storage class to use when creating PVC for backup
@@ -36,10 +34,42 @@ spec:
               deployment_name:
                 description: Name of the deployment to be backed up
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
+            required:
+            - deployment_name
+            type: object
+          status:
+            properties:
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
             type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxrestores_crd.yaml

@@ -19,12 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              backup_source:
-                description: Backup source
-                type: string
-                enum:
-                  - CR
-                  - PVC
               backup_dir:
                 description: Backup directory name, set as a status found on the awxbackup
                   object (backupDirectory)
@@ -39,14 +33,47 @@ spec:
               backup_pvc_namespace:
                 description: Namespace the PVC is in
                 type: string
+              backup_source:
+                description: Backup source
+                enum:
+                - CR
+                - PVC
+                type: string
               deployment_name:
                 description: Name of the deployment to be restored to
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
             type: object
+          status:
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean
+            type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true
     served: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -19,28 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              ca_trust_bundle:
-                description: Path where the trusted CA bundle is available
-                type: string
-              deployment_type:
-                description: Name of the deployment type
-                type: string
-                default: awx
-              kind:
-                description: Kind of the deployment type
-                type: string
-                default: AWX
-              api_version:
-                description: apiVersion of the deployment type
-                type: string
-                default: awx.ansible.com/v1beta1
-              development_mode:
-                description: If the deployment should be done in development mode
-                type: boolean
-              ldap_cacert_secret:
-                description: Secret where can be found the LDAP trusted Certificate
-                  Authority Bundle
-                type: string
               admin_email:
                 description: The admin user email
                 type: string
@@ -51,13 +29,37 @@ spec:
                 default: admin
                 description: Username to use for the admin account
                 type: string
+              api_version:
+                description: apiVersion of the deployment type
+                type: string
               broadcast_websocket_secret:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
+              bundle_cacert_secret:
+                description: Secret where can be found the trusted Certificate Authority Bundle
+                type: string
+              ca_trust_bundle:
+                description: Path where the trusted CA bundle is available
+                type: string
+              control_plane_ee_image:
+                description: Registry path to the Execution Environment container
+                  image to use on control plane pods
+                type: string
               create_preload_data:
                 default: true
                 description: Whether or not to preload data upon instance creation
                 type: boolean
+              deployment_type:
+                description: Name of the deployment type
+                type: string
+              development_mode:
+                description: If the deployment should be done in development mode
+                type: boolean
+              ee_extra_env:
+                type: string
+              ee_extra_volume_mounts:
+                description: Specify volume mounts to be added to Execution container
+                type: string
               ee_images:
                 description: Registry path to the Execution Environment container
                   to use
@@ -69,6 +71,42 @@ spec:
                       type: string
                   type: object
                 type: array
+              ee_pull_credentials_secret:
+                description: Secret where pull credentials for registered ees can
+                  be found
+                type: string
+              ee_resource_requirements:
+                description: Resource requirements for the ee container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                type: object
+              extra_settings:
+                description: Extra settings to specify for the API
+                items:
+                  properties:
+                    setting:
+                      type: string
+                    value:
+                      x-kubernetes-preserve-unknown-fields: true
+                  type: object
+                type: array
               extra_volumes:
                 description: Specify extra volumes to add to the application pod
                 type: string
@@ -82,9 +120,6 @@ spec:
               image:
                 description: Registry path to the application container to use
                 type: string
-              image_version:
-                description: Application container image version to use
-                type: string
               image_pull_policy:
                 default: IfNotPresent
                 description: The image pull policy
@@ -99,11 +134,14 @@ spec:
               image_pull_secret:
                 description: The image pull secret
                 type: string
+              image_version:
+                description: Application container image version to use
+                type: string
               ingress_annotations:
-                description: Annotations to add to the ingress
+                description: Annotations to add to the Ingress Controller
                 type: string
               ingress_tls_secret:
-                description: Secret where the ingress TLS secret can be found
+                description: Secret where the Ingress TLS secret can be found
                 type: string
               ingress_type:
                 description: The ingress type to use to reach the deployed instance
@@ -113,10 +151,19 @@ spec:
                 - ingress
                 - Route
                 - route
-                - LoadBalancer
-                - loadbalancer
-                - NodePort
-                - nodeport
+                type: string
+              init_container_image:
+                description: Registry path to the init container to use
+                type: string
+              init_container_image_version:
+                description: Init container image version to use
+                type: string
+              kind:
+                description: Kind of the deployment type
+                type: string
+              ldap_cacert_secret:
+                description: Secret where can be found the LDAP trusted Certificate
+                  Authority Bundle
                 type: string
               loadbalancer_annotations:
                 description: Annotations to add to the loadbalancer
@@ -135,9 +182,6 @@ spec:
               node_selector:
                 description: nodeSelector for the pods
                 type: string
-              service_labels:
-                description: Additional labels to apply to the service
-                type: string
               old_postgres_configuration_secret:
                 description: Secret where the old database configuration can be found
                   for data migration
@@ -154,46 +198,50 @@ spec:
               postgres_image_version:
                 description: PostgreSQL container image version to use
                 type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for data
+                  migration
+                type: string
+              postgres_resource_requirements:
+                description: Resource requirements for the PostgreSQL container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
               postgres_selector:
                 description: nodeSelector for the Postgres pods
                 type: string
-              postgres_tolerations:
-                description: node tolerations for the Postgres pods
+              postgres_storage_class:
+                description: Storage class to use for the PostgreSQL PVC
                 type: string
               postgres_storage_requirements:
                 description: Storage requirements for the PostgreSQL container
                 properties:
-                  requests:
-                    properties:
-                      storage:
-                        type: string
-                    type: object
                   limits:
                     properties:
                       storage:
                         type: string
                     type: object
-                type: object
-              postgres_resource_requirements:
-                description: Resource requirements for the PostgreSQL container
-                properties:
                   requests:
                     properties:
-                      cpu:
-                        type: string
-                      memory:
-                        type: string
-                    type: object
-                  limits:
-                    properties:
-                      cpu:
-                        type: string
-                      memory:
+                      storage:
                         type: string
                     type: object
                 type: object
-              postgres_storage_class:
-                description: Storage class to use for the PostgreSQL PVC
+              postgres_tolerations:
+                description: node tolerations for the Postgres pods
                 type: string
               projects_existing_claim:
                 description: PersistentVolumeClaim to mount /var/lib/projects directory
@@ -226,9 +274,6 @@ spec:
               redis_image_version:
                 description: Redis container image version to use
                 type: string
-              service_account_annotations:
-                description: ServiceAccount annotations
-                type: string
               replicas:
                 default: 1
                 description: Number of instance replicas
@@ -252,6 +297,22 @@ spec:
               secret_key_secret:
                 description: Secret where the secret key can be found
                 type: string
+              service_account_annotations:
+                description: ServiceAccount annotations
+                type: string
+              service_labels:
+                description: Additional labels to apply to the service
+                type: string
+              service_type:
+                description: The service type to be used on the deployed instance
+                enum:
+                - LoadBalancer
+                - loadbalancer
+                - ClusterIP
+                - clusterip
+                - NodePort
+                - nodeport
+                type: string
               task_args:
                 items:
                   type: string
@@ -261,10 +322,6 @@ spec:
                   type: string
                 type: array
               task_extra_env:
-                description: Environment variables to be added to Task container
-                type: string
-              ee_extra_volume_mounts:
-                description: Specify volume mounts to be added to Execution container
                 type: string
               task_extra_volume_mounts:
                 description: Specify volume mounts to be added to Task container
@@ -307,10 +364,9 @@ spec:
                   type: string
                 type: array
               web_extra_env:
-                description: Environment variables to be added to Web container
                 type: string
               web_extra_volume_mounts:
-                description: Specify volume mounts to be added to web container
+                description: Specify volume mounts to be added to the Web container
                 type: string
               web_resource_requirements:
                 description: Resource requirements for the web container
@@ -334,19 +390,21 @@ spec:
                         type: string
                     type: object
                 type: object
-              extra_settings:
-                description: Extra settings to specify for the API
-                items:
-                  properties:
-                    setting:
-                      type: string
-                    value:
-                      type: string
-                  type: object
-                type: array
             type: object
           status:
             properties:
+              URL:
+                description: URL to access the deployed instance
+                type: string
+              adminPasswordSecret:
+                description: Admin password secret name of the deployed instance
+                type: string
+              adminUser:
+                description: Admin user of the deployed instance
+                type: string
+              broadcastWebsocketSecret:
+                description: Broadcast websocket secret name of the deployed instance
+                type: string
               conditions:
                 description: The resulting conditions when a Service Telemetry is
                   instantiated
@@ -362,20 +420,17 @@ spec:
                       type: string
                   type: object
                 type: array
-              adminPasswordSecret:
-                description: Admin password of the deployed instance
-                type: string
-              adminUser:
-                description: Admin user of the deployed instance
-                type: string
               image:
                 description: URL of the image used for the deployed instance
                 type: string
               migratedFromSecret:
                 description: The secret used for migrating an old instance.
                 type: string
-              URL:
-                description: URL to access the deployed instance
+              postgresConfigurationSecret:
+                description: Postgres Configuration secret name of the deployed instance
+                type: string
+              secretKeySecret:
+                description: Secret key secret name of the deployed instance
                 type: string
               version:
                 description: Version of the deployed instance

molecule/default/molecule.yml

@@ -27,8 +27,3 @@ provisioner:
     group_vars:
       all:
         operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-9443}'

molecule/test-local/ansible.cfg

@@ -1,2 +0,0 @@
-[defaults]
-stdout_callback = yaml

molecule/test-local/converge.yml

@@ -1,133 +0,0 @@
----
-- name: Build Operator in Kind container
-  hosts: k8s
-
-  vars:
-    image_name: awx.ansible.com/awx-operator:testing
-
-  tasks:
-    # using command so we don't need to install any dependencies
-    - name: Get existing image hash
-      command: docker images -q {{ image_name }}
-      register: prev_hash
-      changed_when: false
-
-    - name: Build Operator Image
-      command: docker build -f /build/build/Dockerfile -t {{ image_name }} /build
-      register: build_cmd
-      changed_when: not prev_hash.stdout or (prev_hash.stdout and prev_hash.stdout not in ''.join(build_cmd.stdout_lines[-2:]))
-
-- name: Converge
-  hosts: localhost
-  connection: local
-
-  vars:
-    ansible_python_interpreter: '{{ ansible_playbook_python }}'
-    deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy"
-    templates_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/ansible/templates"
-    pull_policy: Never
-    operator_image: awx.ansible.com/awx-operator
-    operator_version: testing
-    ansible_debug_logs: "true"
-    custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"
-
-  tasks:
-    - block:
-        - name: Delete the Operator Deployment
-          k8s:
-            state: absent
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-          register: delete_deployment
-          when: hostvars[groups.k8s.0].build_cmd.changed
-
-        - name: Wait 30s for Operator Deployment to terminate
-          k8s_info:
-            api_version: '{{ definition.apiVersion }}'
-            kind: '{{ definition.kind }}'
-            namespace: '{{ operator_namespace }}'
-            name: '{{ definition.metadata.name }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: deployment
-          until: not deployment.resources
-          delay: 3
-          retries: 10
-          when: delete_deployment.changed
-
-        - name: Create the Operator Deployment
-          k8s:
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-
-        - name: Ensure the AWX custom_resource namespace exists
-          k8s:
-            state: present
-            name: '{{ custom_resource.metadata.namespace }}'
-            kind: Namespace
-            api_version: v1
-
-        - name: Create the AWX Custom Resource
-          k8s:
-            state: present
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            definition: '{{ custom_resource }}'
-
-        - name: Wait 15m for reconciliation to run
-          k8s_info:
-            api_version: '{{ custom_resource.apiVersion }}'
-            kind: '{{ custom_resource.kind }}'
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            name: '{{ custom_resource.metadata.name }}'
-          register: cr
-          until:
-            - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))"
-          delay: 6
-          retries: 150
-
-      rescue:
-
-        - name: debug cr
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: debug_cr
-          vars:
-            debug_cr: '{{ lookup("k8s",
-              kind=custom_resource.kind,
-              api_version=custom_resource.apiVersion,
-              namespace=custom_resource.metadata.namespace,
-              resource_name=custom_resource.metadata.name)
-            }}'
-
-        - name: debug awx deployment
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: deploy
-          vars:
-            deploy: '{{ lookup("k8s",
-              kind="Deployment",
-              api_version="apps/v1",
-              namespace=custom_resource.metadata.namespace,
-              label_selector="app.kubernetes.io/name=example-awx")
-            }}'
-
-        - name: get operator logs
-          ignore_errors: yes
-          failed_when: false
-          command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }}
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: log
-
-        - name: print debug output
-          debug: var=log.stdout_lines
-
-        - name: fail if converge didn't succeed
-          fail:
-            msg: "Failed on action: converge"
-
-- import_playbook: '{{ playbook_dir }}/../default/asserts.yml'

molecule/test-local/molecule.yml

@@ -1,46 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-platforms:
-  - name: kind-test-local
-    groups:
-      - k8s
-    image: bsycorp/kind:v1.17.9
-    privileged: True
-    override_command: no
-    exposed_ports:
-      - 8443/tcp
-      - 10080/tcp
-    published_ports:
-      - 0.0.0.0:${TEST_CLUSTER_PORT:-10443}:8443/tcp
-    pre_build_image: yes
-    volumes:
-      - ${MOLECULE_PROJECT_DIRECTORY}:/build:Z
-provisioner:
-  name: ansible
-  log: True
-  inventory:
-    group_vars:
-      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-10443}'
-scenario:
-  test_sequence:
-    - lint
-    - destroy
-    - dependency
-    - syntax
-    - create
-    - prepare
-    - converge
-    - destroy

molecule/test-local/prepare.yml

@@ -1,38 +0,0 @@
----
-- name: Prepare kubernetes environment
-  hosts: k8s
-  gather_facts: no
-  vars:
-    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-  tasks:
-    - name: delete the kubeconfig if present
-      file:
-        path: '{{ kubeconfig }}'
-        state: absent
-      delegate_to: localhost
-
-    - name: Fetch the kubeconfig
-      fetch:
-        dest: '{{ kubeconfig }}'
-        flat: yes
-        src: /root/.kube/config
-
-    - name: Change the kubeconfig port to the proper value
-      replace:
-        regexp: 8443
-        replace: "{{ lookup('env', 'KIND_PORT') }}"
-        path: '{{ kubeconfig }}'
-        mode: 0644
-      delegate_to: localhost
-
-    - name: Wait for the Kubernetes API to become available (this could take a minute)
-      uri:
-        url: "http://localhost:10080/kubernetes-ready"
-        status_code: 200
-        validate_certs: no
-      register: result
-      until: (result.status|default(-1)) == 200
-      retries: 60
-      delay: 5
-
-- import_playbook: ../default/prepare.yml

molecule/test-minikube/converge.yml

@@ -126,8 +126,6 @@
           ignore_errors: yes
           failed_when: false
           command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }} -c operator
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
           vars:
             definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
           register: log

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
-  - name: community.kubernetes
+  - name: kubernetes.core
     version: '==1.1.1'
   - name: operator_sdk.util
     version: '==0.1.0'

roles/backup/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/backup/tasks/awx-cro.yml

@@ -10,15 +10,21 @@
 
 - name: Set AWX object
   set_fact:
-    _awx: "{{ _awx_cro['resources'][0] }}"
+    awx_spec:
+      spec: "{{ this_awx['resources'][0]['spec'] }}"
 
-- name: Set user specified spec
+- name: Set names of backed up secrets in the CR spec
   set_fact:
-    awx_spec: "{{ _awx['spec'] }}"
+    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
+  with_items:
+    - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
+    - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
+    - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"}
 
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ awx_spec }}' > {{ backup_dir }}/awx_object"
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}

roles/backup/tasks/dump_generated_secret.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Get secret name
+  set_fact:
+      _name: "{{ this_awx['resources'][0]['status'][item] }}"
+
+- name: Fail if status is not set on AWX CR
+  block:
+      - name: Set error message
+        set_fact:
+            error_msg: "{{ item }} status is not set on AWX object yet"
+
+      - name: Handle error
+        import_tasks: error_handling.yml
+
+      - name: Fail early if secret name status is not set
+        fail:
+            msg: "{{ error_msg }}"
+  when: _name is not defined or _name == ''
+
+- name: Get secret
+  k8s_info:
+      version: v1
+      kind: Secret
+      namespace: '{{ meta.namespace }}'
+      name: "{{ _name }}"
+  register: _secret
+
+- name: Set secret data
+  set_fact:
+      _data: "{{ _secret['resources'][0]['data'] }}"
+
+- name: Create and Add secret names and data to dictionary
+  set_fact:
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data }}) }}"

roles/backup/tasks/dump_secret.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get Secret Name
+  set_fact:
+      _name: "{{ awx_spec[item] | default('') }}"
+
+- name: Skip if secret name not defined
+  block:
+      - name: Get secret
+        k8s_info:
+            version: v1
+            kind: Secret
+            namespace: '{{ meta.namespace }}'
+            name: "{{ _name }}"
+        register: _secret
+
+      - name: Set secret key
+        set_fact:
+            _data: "{{ _secret['resources'][0]['data'] }}"
+
+      - name: Create and Add secret names and data to dictionary
+        set_fact:
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data }}) }}"
+  when: _name != ''

roles/backup/tasks/init.yml

@@ -45,10 +45,21 @@
   set_fact:
     backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
-- name: Create PVC for backup
-  k8s:
-    kind: PersistentVolumeClaim
-    template: "backup_pvc.yml.j2"
+- block:
+    - name: Create PVC for backup
+      k8s:
+        kind: PersistentVolumeClaim
+        template: "backup_pvc.yml.j2"
+
+    - name: Remove PVC ownerReference
+      k8s:
+        definition:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          metadata:
+            name: '{{ deployment_name }}-backup-claim'
+            namespace: '{{ backup_pvc_namespace }}'
+            ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined
 

roles/backup/tasks/main.yml

@@ -30,10 +30,10 @@
 
     - include_tasks: postgres.yml
 
-    - include_tasks: secrets.yml
-
     - include_tasks: awx-cro.yml
 
+    - include_tasks: secrets.yml
+
     - name: Set flag signifying this backup was successful
       set_fact:
         backup_complete: true
@@ -45,5 +45,3 @@
 
 - name: Update status variables
   include_tasks: update_status.yml
-
-# TODO: backup tower settings or make sure that users only specify settings/config changes via AWX object.  See ticket

roles/backup/tasks/postgres.yml

@@ -24,7 +24,7 @@
 - block:
     - name: Delete pod to reload a resource configuration
       set_fact:
-        postgres_label_selector: "app.kubernetes.io/name={{ deployment_name }}-postgres"
+        postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
       when: postgres_label_selector is not defined
 
     - name: Get the postgres pod information
@@ -92,6 +92,11 @@
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
-    command: >-
-      bash -c "PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db"
+    command: |
+      bash -c """
+      set -e -o pipefail
+      PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
+      echo 'Successful'
+      """
   register: data_migration
+  failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -1,65 +1,36 @@
 ---
 
-- name: Get secret_key
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"
-  register: _secret_key
+- name: Create Temporary secrets file
+  tempfile:
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
-- name: Set secret key
+- name: Dump (generated) secret names from statuses and data into file
+  include_tasks: dump_generated_secret.yml
+  with_items:
+    - secretKeySecret
+    - adminPasswordSecret
+    - broadcastWebsocketSecret
+    - postgresConfigurationSecret
+
+- name: Dump secret names from awx spec and data into file
+  include_tasks: dump_secret.yml
+  loop:
+    - route_tls_secret
+    - ingress_tls_secret
+    - ldap_cacert_secret
+    - bundle_cacert_secret
+    - image_pull_secret
+    - ee_pull_credentials_secret
+
+- name: Nest secrets under a single variable
   set_fact:
-    secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
-
-- name: Get admin_password
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"
-  register: _admin_password
-
-- name: Set admin_password
-  set_fact:
-    admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
-
-- name: Get broadcast_websocket
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"
-  register: _broadcast_websocket
-
-- name: Set broadcast_websocket key
-  set_fact:
-    broadcast_websocket: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
-
-- name: Get postgres configuration
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
-  register: _postgres_configuration
-
-- name: Set postgres type
-  set_fact:
-    database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
-  when: _postgres_configuration['resources'][0]['data']['type'] is defined
-
-- name: Set postgres configuration
-  set_fact:
-    database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
-    database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
-    database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
-    database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
-    database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
-
-- name: Template secrets into yaml
-  set_fact:
-    secrets_file: "{{ lookup('template', 'secrets.yml.j2') }}"
+    secrets: {"secrets": '{{ secret_dict }}'}
 
 - name: Write postgres configuration to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ secrets_file }}' > {{ backup_dir }}/secrets.yml"
+      bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"

roles/backup/templates/backup_pvc.yml.j2

@@ -4,6 +4,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: {{ deployment_name }}-backup-claim
   namespace: {{ backup_pvc_namespace }}
+  ownerReferences: null
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
     app.kubernetes.io/part-of: '{{ meta.name }}'

roles/backup/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/backup/templates/secrets.yml.j2

@@ -1,14 +0,0 @@
----
-secret_key_secret_name: "{{ _secret_key['resources'][0]['metadata']['name'] }}"
-admin_password_secret_name: "{{ _admin_password['resources'][0]['metadata']['name'] }}"
-broadcast_websocket_secret_name: "{{ _broadcast_websocket['resources'][0]['metadata']['name'] }}"
-postgres_configuration_secret_name: "{{ _postgres_configuration['resources'][0]['metadata']['name'] }}"
-secret_key: {{ secret_key }}
-admin_password: {{ admin_password }}
-broadcast_websocket: {{ broadcast_websocket }}
-database_password: {{ database_password }}
-database_username: {{ database_username }}
-database_name: {{ database_name }}
-database_port: {{ database_port }}
-database_host: {{ database_host }}
-database_type: {{ database_type }}

roles/backup/vars/main.yml

@@ -1,5 +1,6 @@
 ---
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 backup_complete: false
 database_type: "unmanaged"

roles/installer/defaults/main.yml

@@ -93,6 +93,10 @@ postgres_configuration_secret: ''
 
 old_postgres_configuration_secret: ''
 
+# Secret to lookup that provides default execution environment pull credentials
+#
+ee_pull_credentials_secret: ''
+
 # Add extra volumes to the AWX pod. Specify as literal block. E.g.:
 # extra_volumes: |
 #   - name: my-volume
@@ -102,17 +106,21 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.0
+image_version: 19.2.2
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
 ee_images:
-  - name: AWX EE 0.3.0
-    image: quay.io/ansible/awx-ee:0.3.0
+  - name: AWX EE 0.5.0
+    image: quay.io/ansible/awx-ee:0.5.0
+
+control_plane_ee_image: quay.io/ansible/awx-ee:0.5.0
 
 create_preload_data: true
 
@@ -134,6 +142,11 @@ web_resource_requirements:
     cpu: 1000m
     memory: 2Gi
 
+ee_resource_requirements:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -143,6 +156,7 @@ web_resource_requirements:
 #     value: bing
 task_extra_env: ''
 web_extra_env: ''
+ee_extra_env: ''
 
 # Mount extra volumes on the AWX task/web containers. Specify as literal block.
 # E.g.:
@@ -194,6 +208,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #

roles/installer/meta/main.yml

@@ -28,5 +28,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/installer/tasks/database_configuration.yml

@@ -80,7 +80,7 @@
       include_tasks: scale_down_deployment.yml
 
     - name: Scale down PostgreSQL statefulset for migration
-      community.kubernetes.k8s_scale:
+      kubernetes.core.k8s_scale:
         api_version: apps/v1
         kind: StatefulSet
         name: "{{ meta.name }}-postgres"

roles/installer/tasks/initialize_django.yml

@@ -6,7 +6,7 @@
     container: "{{ meta.name }}-task"
     command: >-
       bash -c "echo 'from django.contrib.auth.models import User;
-      nsu = User.objects.filter(is_superuser=True, username='{{ admin_user }}').count();
+      nsu = User.objects.filter(is_superuser=True, username=\"{{ admin_user }}\").count();
       exit(0 if nsu > 0 else 1)'
       | awx-manage shell"
   ignore_errors: true
@@ -45,3 +45,76 @@
   register: cdo
   changed_when: "'added' in cdo.stdout"
   when: create_preload_data | bool
+
+- name: Check if legacy queue is present
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'"
+  register: legacy_queue
+  changed_when: false
+
+- name: Unregister legacy queue
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage unregister_queue --queuename=tower"
+  when: "'[tower capacity=' in legacy_queue.stdout"
+
+- name: Check for specified default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ee_pull_credentials_secret }}'
+  register: _custom_execution_environments_pull_credentials
+  when: ee_pull_credentials_secret | length
+
+- name: Check for default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-ee-pull-credentials'
+  register: _default_execution_environments_pull_credentials
+
+- name: Set admin password secret
+  set_fact:
+    _execution_environments_pull_credentials: >-
+      {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
+      | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }}
+- name: Register default execution environments (without authentication)
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage register_default_execution_environments"
+  register: ree
+  changed_when: "'changed: True' in ree.stdout"
+  when: not _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- block:
+    - name: Store default execution environment pull credentials
+      set_fact:
+        default_execution_environment_pull_credentials_user: "{{ _execution_environments_pull_credentials['resources'][0]['data']['username'] | b64decode }}"
+        default_execution_environment_pull_credentials_pass: "{{ _execution_environments_pull_credentials['resources'][0]['data']['password'] | b64decode }}"
+        default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
+        default_execution_environment_pull_credentials_url_verify: >-
+          {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+    - name: Register default execution environments (with authentication)
+      k8s_exec:
+        namespace: "{{ meta.namespace }}"
+        pod: "{{ tower_pod_name }}"
+        container: "{{ meta.name }}-task"
+        command: >-
+          bash -c "awx-manage register_default_execution_environments
+          --registry-username='{{ default_execution_environment_pull_credentials_user }}'
+          --registry-password='{{ default_execution_environment_pull_credentials_pass }}'
+          --registry-url='{{ default_execution_environment_pull_credentials_url }}'
+          --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
+      register: ree
+      changed_when: "'changed: True' in ree.stdout"
+  when: _execution_environments_pull_credentials['resources'] | default([]) | length

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -0,0 +1,12 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ bundle_cacert_secret }}'
+  register: bundle_cacert
+
+- name: Load bundle Certificate Authority Secret content
+  set_fact:
+    bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load bundle certificate authority certificate
+  include_tasks: load_bundle_cacert_secret.yml
+  when:
+    - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 

roles/installer/tasks/scale_down_deployment.yml

@@ -9,7 +9,7 @@
   register: tower_deployment
 
 - name: Scale down Deployment for migration
-  community.kubernetes.k8s_scale:
+  kubernetes.core.k8s_scale:
     api_version: v1
     kind: Deployment
     name: "{{ meta.name }}"

roles/installer/templates/config.yaml.j2

@@ -46,7 +46,7 @@ data:
     AWX_AUTO_DEPROVISION_INSTANCES = True
     
     CLUSTER_HOST_ID = socket.gethostname()
-    SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
+    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
     CSRF_COOKIE_SECURE = False
     SESSION_COOKIE_SECURE = False
@@ -90,11 +90,7 @@ data:
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
 {% for item in extra_settings | default([]) %}
-{% if item.value is string %}
-    {{ item.setting }} = '{{ item.value }}'
-{% else %}
     {{ item.setting }} = {{ item.value }}
-{% endif %}
 {% endfor %}
 
   nginx_conf: |
@@ -150,6 +146,11 @@ data:
 
             ssl_certificate /etc/nginx/pki/web.crt;
             ssl_certificate_key /etc/nginx/pki/web.key;
+            ssl_session_cache shared:SSL:50m;
+            ssl_session_timeout 1d;
+            ssl_session_tickets off;
+            ssl_ciphers PROFILE=SYSTEM;
+            ssl_prefer_server_ciphers on;
         {% else %}
             listen 8052 default_server;
         {% endif %}
@@ -160,8 +161,6 @@ data:
     
             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;
-            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-            add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
     
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
@@ -178,7 +177,7 @@ data:
             }
     
             location /favicon.ico {
-                alias /var/lib/awx/public/static/favicon.ico;
+                alias /var/lib/awx/public/static/media/favicon.ico;
             }
     
             location /websocket {
@@ -214,6 +213,13 @@ data:
                 {%- endif %}
                 proxy_set_header X-Forwarded-Port 443;
                 uwsgi_param HTTP_X_FORWARDED_PORT 443;
+
+                add_header Strict-Transport-Security max-age=15768000;
+                # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+                add_header X-Frame-Options "DENY";
+                add_header Cache-Control "no-cache, no-store, must-revalidate";
+                add_header Expires "0";
+                add_header Pragma "no-cache";
             }
         }
     }

roles/installer/templates/deployment.yaml.j2

@@ -32,6 +32,25 @@ spec:
 {% if image_pull_secret %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+          volumeMounts:
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
 {% endif %}
       containers:
         - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
             - containerPort: 8053
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
           args: {{ task_args }}
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -205,11 +240,20 @@ spec:
             {{ task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ task_resource_requirements }}
-        - image: '{{ ee_images[0].image }}'
+        - image: '{{ control_plane_ee_image }}'
           name: '{{ meta.name }}-ee'
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ ee_resource_requirements }}
           args: ['receptor', '--config', '/etc/receptor.conf']
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-receptor-config"
               mountPath: "/etc/receptor.conf"
               subPath: receptor.conf
@@ -221,13 +265,16 @@ spec:
 {% if ee_extra_volume_mounts -%}
             {{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
 {% endif %}
-{% if development_mode | bool %}
           env:
+{% if development_mode | bool %}
             - name: SDB_NOTIFY_HOST
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
 {% endif %}
+{% if ee_extra_env -%}
+            {{ ee_extra_env | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% if node_selector %}
       nodeSelector:
         {{ node_selector | indent(width=8) }}
@@ -237,6 +284,16 @@ spec:
         {{ tolerations | indent(width=8) }}
 {% endif %}
       volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
         - name: "{{ meta.name }}-nginx-certs"
           secret:

roles/installer/templates/execution_environments.py.j2

@@ -1,5 +1,6 @@
-DEFAULT_EXECUTION_ENVIRONMENTS = [
+GLOBAL_JOB_EXECUTION_ENVIRONMENTS = [
 {% for item in ee_images %}
     {'name': '{{ item.name }}' , 'image': '{{ item.image }}'},
 {% endfor %}
 ]
+CONTROL_PLANE_EXECUTION_ENVIRONMENT = '{{ control_plane_ee_image }}'

roles/installer/templates/service.yaml.j2

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
     {{ service_labels | indent(width=4) }}
-{% if ingress_type | lower == 'loadbalancer' and loadbalancer_annotations %}
+{% if service_type | lower == 'loadbalancer' and loadbalancer_annotations %}
   annotations:
     {{ loadbalancer_annotations | indent(width=4) }}
 {% endif %}

roles/installer/vars/main.yml

@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''

roles/restore/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/restore/tasks/cleanup.yml

@@ -18,7 +18,19 @@
         namespace: '{{ meta.namespace }}'
         ownerReferences: null
   loop:
-    - '{{ secret_key_secret_name }}'
-    - '{{ admin_password_secret_name }}'
-    - '{{ broadcast_websocket_secret_name }}'
-    - '{{ postgres_configuration_secret_name }}'
+    - '{{ secret_key_secret }}'
+    - '{{ admin_password_secret }}'
+    - '{{ broadcast_websocket_secret }}'
+    - '{{ postgres_configuration_secret }}'
+
+- name: Cleanup temp spec file
+  file:
+    path: "{{ tmp_spec.path }}"
+    state: absent
+  when: tmp_spec.path is defined
+
+- name: Cleanup temp secret vars file
+  file:
+    path: "{{ secret_vars.path }}"
+    state: absent
+  when: secret_vars.path is defined

roles/restore/tasks/deploy_awx.yml

@@ -1,9 +1,5 @@
 ---
 
-- name: Save kind
-  set_fact:
-    _kind: "{{ kind }}"
-
 - name: Get AWX object definition from pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
@@ -25,31 +21,13 @@
 
 - name: Include spec vars to save them as a dict
   include_vars: "{{ tmp_spec.path }}"
-  register: spec
-
-- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
-  set_fact:
-    awx_spec: "{{ spec.ansible_facts }}"
-
-- name: Set names of backed up secrets in the CR spec
-  set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
-  with_items:
-    - {'key': 'secret_key_secret', 'value': '{{ secret_key_secret_name }}'}
-    - {'key': 'admin_password_secret', 'value': '{{ admin_password_secret_name }}'}
-    - {'key': 'broadcast_websocket_secret', 'value': '{{ broadcast_websocket_secret_name }}'}
-    - {'key': 'postgres_configuration_secret', 'value': '{{ postgres_configuration_secret_name }}'}
-
-- name: Restore kind
-  set_fact:
-    kind: "{{ _kind }}"
 
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"
     namespace: "{{ meta.namespace }}"
     apply: yes
-    template: awx_object.yml.j2
+    definition: "{{ lookup('template', 'awx_object.yml.j2') }}"
     wait: true
     wait_condition:
       type: "Running"

roles/restore/tasks/postgres.yml

@@ -4,7 +4,7 @@
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
-    name: '{{ postgres_configuration_secret_name }}'
+    name: '{{ postgres_configuration_secret }}'
   register: pg_config
 
 - name: Store Database Configuration

roles/restore/tasks/secrets.yml

@@ -6,27 +6,45 @@
     pod: "{{ meta.name }}-db-management"
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
-  register: secrets
+  register: _secrets
 
-- name: Create temp vars file
+- name: Create Temporary secrets file
   tempfile:
-    prefix: secret_vars-
-  register: secret_vars
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
 - name: Write vars to file locally
   copy:
-    dest: "{{ secret_vars.path }}"
-    content: "{{ secrets.stdout }}"
+    dest: "{{ tmp_secrets.path }}"
+    content: "{{ _secrets.stdout }}"
     mode: 0640
 
 - name: Include secret vars from backup
-  include_vars: "{{ secret_vars.path }}"
+  include_vars: "{{ tmp_secrets.path }}"
 
-- name: Set new database host based on supplied deployment_name
-  set_fact:
-    database_host: "{{ deployment_name }}-postgres"
-  when:
-    - database_type == 'managed'
+- name: If deployment is managed, set the database_host in the pg config secret
+  block:
+    - name: Set new database host
+      set_fact:
+        database_host: "{{ deployment_name }}-postgres"
+
+    - name: Set tmp postgres secret dict
+      set_fact:
+        _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+
+    - name: Change postgres host value
+      set_fact:
+        _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+
+    - name: Create a postgres secret with the new host value
+      set_fact:
+        _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+
+    - name: Create a new dict of secrets with the new postgres secret
+      set_fact:
+        secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
   k8s:

roles/restore/templates/awx_object.yml.j2

@@ -4,4 +4,5 @@ kind: AWX
 metadata:
   name: '{{ deployment_name }}'
   namespace: '{{ meta.namespace }}'
-spec: {{ awx_spec }}
+spec:
+  {{ spec | to_yaml | indent(2) }}

roles/restore/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/restore/templates/secrets.yml.j2

@@ -1,9 +1,9 @@
-# Postgres Secret
+{% for secret in secrets %}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: '{{ postgres_configuration_secret_name }}'
+  name: '{{ secrets[secret]['name'] }}'
   namespace: '{{ meta.namespace }}'
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
@@ -12,57 +12,9 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
 stringData:
-  password: '{{ database_password }}'
-  username: '{{ database_username }}'
-  database: '{{ database_name }}'
-  port: '{{ database_port }}'
-  host: '{{ database_host }}'
-  type: '{{ database_type }}'
+{% for key, value in secrets[secret]['data'].items() %}
+  {{ key }}: |-
+    {{ value | b64decode | indent(4) }}
+{% endfor %}
 
-# Secret Key Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ secret_key_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret_key: '{{ secret_key }}'
-
-# Admin Password Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ admin_password_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  password: '{{ admin_password }}'
-
-# Broadcast Websocket Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ broadcast_websocket_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret: '{{ broadcast_websocket }}'
+{% endfor %}

roles/restore/vars/main.yml

@@ -1,13 +1,14 @@
 ---
 
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 
 backup_api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 backup_kind: 'AWXBackup'
 
 # set default secret names to be used if a backup dir and claim are provided (not a backup_name)
-secret_key_secret_name: '{{ deployment_name }}-secret-key'
-admin_password_secret_name: '{{ deployment_name }}-admin-password'
-broadcast_websocket_secret_name: '{{ deployment_name }}-broadcast-websocket'
-postgres_configuration_secret_name: '{{ deployment_name }}-postgres-configuration'
+secret_key_secret: '{{ deployment_name }}-secret-key'
+admin_password_secret: '{{ deployment_name }}-admin-password'
+broadcast_websocket_secret: '{{ deployment_name }}-broadcast-websocket'
+postgres_configuration_secret: '{{ deployment_name }}-postgres-configuration'

scripts/build.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-## This script will be build 3 images awx-{operator,bundle,catalog}
+## This script will generate a bundle manifest, build 3 images awx-{operator,bundle,catalog}
 ## and push to the $REGISTRY specified.
 ##
 ## The goal is provide an quick way to build a test image.
@@ -10,7 +10,7 @@
 ## cd awx-operator
 ## REGISTRY=registry.example.com/ansible TAG=mytag ANSIBLE_DEBUG_LOGS=true scripts/build.sh
 ##
-## As a result, the $REGISTRY will be populated with 2 images
+## As a result, the $REGISTRY will be populated with 3 images
 ## registry.example.com/ansible/awx-operator:mytag
 ## registry.example.com/ansible/awx-operator-bundle:mytag
 ## registry.example.com/ansible/awx-operator-catalog:mytag
@@ -78,6 +78,7 @@ build_operator_image() {
 
 build_bundle_image() {
   echo "Building and pushing $BUNDLE_IMAGE image"
+  operator-sdk generate bundle --operator-name awx-operator --version $TAG
   $POD_MANAGER build . -f bundle.Dockerfile -t $REGISTRY/$BUNDLE_IMAGE:$TAG
   $POD_MANAGER push $REGISTRY/$BUNDLE_IMAGE:$TAG
 }

scripts/generate-files.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+## This script will auto-generate the templated files and bundle files 
+## after changes to CRD template files. Please use this instead of manually
+## updating the managed yaml files.  
+##
+## Example:
+## TAG=0.10.0 ./generate-files.sh
+
+TAG=${TAG:-''}
+if [[ -z "$TAG" ]]; then
+    echo "Set your \$TAG variable to your registry server."
+    echo "export TAG=mytag"
+    exit 1
+fi
+
+ansible-playbook ansible/chain-operator-files.yml
+operator-sdk generate bundle --operator-name awx-operator --version $TAG