Merge pull request #409 from shanemcd/bump-0.11.0

AWX Operator 0.11.0

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
 
+# 0.10.0 (Jun 1, 2021)
+
+- Make tower_ingress_type to respect ClusterIP definition (Marcelo Moreira de Mello) - e37c091 (breaking_change)
+- Add ability to get/create/delete secrets for the awx service account (Christian M. Adams) - 61b3cb4
+- Added ability to specify annotations to ServiceAccount (Marcelo Moreira de Mello) - 446ac0b
+- Do not shadow other variables (Yanis Guenane) - 223fe98
+- Do not prepend variables name with tower_ (Yanis Guenane) - 75458d0 (breaking_change)
+- Fully remove finalizer (Christian M. Adams) - fd92050
+- Use custom pg_dump format for faster restores (Christian M. Adams) - f16d9ac
+- Allow user to specify empty string for storage class on PVC (Christian M. Adams) - 818b837
+- Unset ownerRefs in the installer instead of the finalizer (Christian M. Adams) - c12a1f0
+- Make awx-operator compatible with Ansible 2.12 (Alan Rominger) - 5216489
+- Restore: set proper kind var after deploying AWX CR (Julen Landa Alustiza) - fc4687f
+- Add support for custom service labels (Jeremy Kimber) - fd42802
+- Rename product specific variable names (Christian M. Adams) - 5ae3636 (breaking_change)
+- Add watcher for backup CR (Christian M. Adams) - fdcc745
+
 # 0.9.0 (May 1, 2021)
 
 - Update playbook to allow for deploying custom image version/tag (Shane McDonald) - 77e7039 

README.md

@@ -28,6 +28,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [Extra Settings](#extra-settings)
          * [Service Account](#service-account)
    * [Upgrading](#upgrading)
    * [Contributing](#contributing)
@@ -427,10 +428,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                             | Description                          | Default                             |
-| -------------------------------- | ------------------------------------ | ----------------------------------- |
-| web_resource_requirements        | Web container resource requirements  | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements       | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                             | Description                                      | Default                             |
+| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
+| web_resource_requirements        | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
+| task_resource_requirements       | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
+| ee_resource_requirements         | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
 
 Example of customization could be:
 
@@ -452,6 +454,13 @@ spec:
     limits:
       cpu: 1000m
       memory: 2Gi
+  ee_resource_requirements:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
 ```
 
 #### Assigning AWX pods to specific nodes
@@ -556,6 +565,30 @@ In a scenario where custom volumes and volume mounts are required to either over
 
 Example configuration for ConfigMap
 
+#### Default execution environments from private registries
+
+In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
+
+The secret should be formated as follows:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resourcename>-ee-pull-credentials
+  namespace: <target namespace>
+stringData:
+  url: <registry url. i.e. quay.io>
+  username: <username to connect as>
+  password: <password to connect with>
+  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
+type: Opaque
+```
+
+##### Control plane ee from private registry
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+
 ```yaml
 ---
 apiVersion: v1
@@ -617,6 +650,7 @@ If you need to export custom environment variables to your containers.
 | ----------------------------- | -------------------------------------------------------- | ------- |
 | task_extra_env                | Environment variables to be added to Task container      | ''      |
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
+| ee_extra_env                  | Environment variables to be added to EE container        | ''      |
 
 Example configuration of environment variables
 
@@ -628,6 +662,29 @@ Example configuration of environment variables
     web_extra_env: |
       - name: MYCUSTOMVAR
         value: foo
+    ee_extra_env: |
+      - name: MYCUSTOMVAR
+        value: foo
+```
+
+#### Extra Settings
+
+With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
+
+| Name                          | Description                                              | Default |
+| ----------------------------- | -------------------------------------------------------- | ------- |
+| extra_settings                | Extra settings                                           | ''      |
+
+Example configuration of `extra_settings` parameter
+
+```yaml
+  spec:
+    extra_settings:
+      - setting: MAX_PAGE_SIZE
+        value: "500"
+
+      - setting: AUTH_LDAP_BIND_DN
+        value: "cn=admin,dc=example,dc=com"
 ```
 
 #### Service Account
@@ -662,43 +719,13 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
 
 There are a few moving parts to this project:
 
-  1. The Docker image which powers AWX Operator.
-  2. The `awx-operator.yaml` Kubernetes manifest file which initially deploys the Operator into a cluster.
-  3. Then use the command below to generate a list of commits between the versions.
-  ```sh
-  #> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
-  ```
+  * The `awx-operator` container image which powers AWX Operator
+  * The `awx-operator.yaml` file, which initially deploys the Operator
+  * The ClusterServiceVersion (CSV), which is generated as part of the bundle and needed for the olm-catalog
 
 Each of these must be appropriately built in preparation for a new tag:
 
-### Verify Functionality
-
-Run the following command inside this directory:
-
-```sh
-#> operator-sdk build quay.io/<user>/awx-operator:test
-```
-
-Then push the generated image to Docker Hub:
-
-```sh
-#> docker push quay.io/<user>/awx-operator:test
-```
-
-After it is built, test it on a local cluster:
-
-
-```sh
-#> minikube start --memory 6g --cpus 4
-#> minikube addons enable ingress
-#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=test
-#> kubectl create namespace example-awx
-#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx
-#> <test everything>
-#> minikube delete
-```
-
-### Update version
+### Update version and files
 
 Update the awx-operator version:
 
@@ -710,6 +737,51 @@ Once the version has been updated, run from the root of the repo:
 #> ansible-playbook ansible/chain-operator-files.yml
 ```
 
+Generate the olm-catalog bundle.
+
+```bash
+$ operator-sdk generate bundle --operator-name awx-operator --version <new_tag>
+```
+
+> This should be done with operator-sdk v0.19.4.  
+
+> It is a good idea to use the [build script](./build.sh) at this point to build the catalog and test out installing it in Operator Hub.
+
+### Verify Functionality
+
+Run the following command inside this directory:
+
+```sh
+#> operator-sdk build quay.io/<user>/awx-operator:<new-version>
+```
+
+Then push the generated image to Docker Hub:
+
+```sh
+#> docker push quay.io/<user>/awx-operator:<new-version>
+```
+
+After it is built, test it on a local cluster:
+
+
+```sh
+#> minikube start --memory 6g --cpus 4
+#> minikube addons enable ingress
+#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=<new-version> -e pull_policy=Always
+#> kubectl create namespace example-awx
+#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx -e image=quay.io/<user>/awx -e service_type=nodeport
+#> # Verify that the awx-task and awx-web containers are launched 
+#> # with the right version of the awx image
+#> minikube delete
+```
+
+### Update changelog
+
+Generate a list of commits between the versions and add it to the [changelog](./CHANGELOG.md).
+```sh
+#> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
+```
+
 ### Commit / Create Release
 
 If everything works, commit the updated version, then [publish a new release](https://github.com/ansible/awx-operator/releases/new) using the same version you used in `ansible/group_vars/all`.

ansible/build-and-push.yml

@@ -3,15 +3,15 @@
   hosts: localhost
 
   collections:
-    - community.general
+    - community.docker
 
   tasks:
     - name: Build and (optionally) push operator image
       docker_image:
         name: "{{ operator_image }}:{{ operator_version }}"
-        pull: no
-        push: "{{ push_image | bool }}"
+        source: "build"
+        push: "{{ push_image }}"
         build:
           dockerfile: "build/Dockerfile"
           path: "../"
-        force: yes
+        force_source: "yes"

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.10.0
+operator_version: 0.11.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/templates/awxbackup_crd.yml.j2

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

ansible/templates/awxrestore_crd.yml.j2

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

ansible/templates/crd.yml.j2

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -149,6 +146,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +210,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +268,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string

bundle.Dockerfile

@@ -6,9 +6,9 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=awx-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
 LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
-LABEL operators.operatorframework.io.metrics.project_layout=ansible
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4
+LABEL operators.operatorframework.io.metrics.project_layout=ansible
 
 COPY deploy/olm-catalog/awx-operator/manifests /manifests/
 COPY deploy/olm-catalog/awx-operator/metadata /metadata/

deploy/awx-operator.yaml

@@ -28,15 +28,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -151,6 +148,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -209,6 +212,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -245,6 +270,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -437,7 +464,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -448,6 +475,36 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string
 
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -501,6 +558,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -627,7 +711,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.10.0"
+          image: "quay.io/ansible/awx-operator:0.11.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -645,7 +729,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.10.0"
+              value: "0.11.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -149,6 +146,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +210,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +268,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string

deploy/crds/awx_v1beta1_molecule.yaml

@@ -17,3 +17,7 @@ spec:
     requests:
       cpu: 500m
       memory: 128M
+  ee_resource_requirements:
+    requests:
+      cpu: 200m
+      memory: 64M

deploy/crds/awxbackup_v1beta1_crd.yaml

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

deploy/crds/awxrestore_v1beta1_crd.yaml

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -13,7 +13,14 @@ metadata:
           },
           "spec": {
             "deployment_type": "awx",
+            "ee_resource_requirements": {
+              "requests": {
+                "cpu": "200m",
+                "memory": "64M"
+              }
+            },
             "ingress_type": "ingress",
+            "service_account_annotations": "foo: bar\n",
             "task_resource_requirements": {
               "requests": {
                 "cpu": "500m",
@@ -32,16 +39,15 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.0.1
+  name: awx-operator.v0.11.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - kind: AWXBackup
+    - displayName: AWX Backup
+      kind: AWXBackup
       name: awxbackups.awx.ansible.com
-      version: v1beta1
-      displayName: AWX Backup
       specDescriptors:
       - displayName: Deployment name
         path: deployment_name
@@ -73,26 +79,26 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Backup claim
-        description: The persistent volume claim name used during backup
+      - description: The persistent volume claim name used during backup
+        displayName: Backup claim
         path: backupClaim
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - displayName: Backup directory
-        description: The directory data is backed up to on the PVC
+      - description: The directory data is backed up to on the PVC
+        displayName: Backup directory
         path: backupDirectory
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-    - kind: AWXRestore
-      name: awxrestores.awx.ansible.com
       version: v1beta1
-      displayName: AWX Restore
+    - displayName: AWX Restore
+      kind: AWXRestore
+      name: awxrestores.awx.ansible.com
       specDescriptors:
       - displayName: Backup source to restore ?
         path: backup_source
         x-descriptors:
-          - urn:alm:descriptor:com.tectonic.ui:select:CR
-          - urn:alm:descriptor:com.tectonic.ui:select:PVC
+        - urn:alm:descriptor:com.tectonic.ui:select:CR
+        - urn:alm:descriptor:com.tectonic.ui:select:PVC
       - displayName: Backup name
         path: backup_name
         x-descriptors:
@@ -123,11 +129,12 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Restore status
-        description: The state of the restore
+      - description: The state of the restore
+        displayName: Restore status
         path: restoreComplete
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      version: v1beta1
     - description: A AWX Instance
       displayName: AWX
       kind: AWX
@@ -262,12 +269,19 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container resource requirements (when using a managed instance)
+      - displayName: EE Control Plane container resource requirements
+        path: ee_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: PostgreSQL container resource requirements (when using a managed
+          instance)
         path: postgres_resource_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container storage requirements (when using a managed instance)
+      - displayName: PostgreSQL container storage requirements (when using a managed
+          instance)
         path: postgres_storage_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -349,6 +363,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Label Selector
+        path: postgres_label_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Postgres Tolerations
         path: postgres_tolerations
         x-descriptors:
@@ -397,8 +416,8 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
         - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
-      - description: Projects Storage Class Name. If not present, the default
-          storage class will be used.
+      - description: Projects Storage Class Name. If not present, the default storage
+          class will be used.
         displayName: Projects Storage Class Name
         path: projects_storage_class
         x-descriptors:
@@ -424,26 +443,45 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Env
-        description: Environment variables to be added to Task container
+      - description: Environment variables to be added to Task container
+        displayName: Task Extra Env
         path: task_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Extra Volume Mounts
+      - description: Specify volume mounts to be added to Execution container
+        displayName: EE Extra Volume Mounts
         path: ee_extra_volume_mounts
-        description: Specify volume mounts to be added to Execution container
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Images
-        description: Registry path to the Execution Environment container to use
+      - description: Registry path to the Execution Environment container to use
+        displayName: EE Images
         path: ee_images
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Volume Mounts
-        description: Specify volume mounts to be added to Task container
+      - description: Environment variables to be added to EE container
+        displayName: EE Extra Env
+        path: ee_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the Execution Environment container to use on
+          control plane pods
+        displayName: Control Plane EE Image
+        path: control_plane_ee_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: EE Images Pull Credentials Secret
+        displayName: EE Images Pull Credentials Secret
+        path: ee_pull_credentials_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - description: Specify volume mounts to be added to Task container
+        displayName: Task Extra Volume Mounts
         path: task_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -458,20 +496,20 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Env
-        description: Environment variables to be added to Web container
+      - description: Environment variables to be added to Web container
+        displayName: Web Extra Env
         path: web_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Volume Mounts
-        description: Specify volume mounts to be added to Web container
+      - description: Specify volume mounts to be added to Web container
+        displayName: Web Extra Volume Mounts
         path: web_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Extra Volumes
-        description: Specify extra volumes to add to the application pod
+      - description: Specify extra volumes to add to the application pod
+        displayName: Extra Volumes
         path: extra_volumes
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -607,6 +645,8 @@ spec:
           - awx.ansible.com
           resources:
           - '*'
+          - awxbackups
+          - awxrestores
           verbs:
           - '*'
         serviceAccountName: awx-operator
@@ -637,7 +677,11 @@ spec:
                   value: awx-operator
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/ansible/awx-operator:0.8.0
+                - name: OPERATOR_VERSION
+                  value: 0.11.0
+                - name: ANSIBLE_DEBUG_LOGS
+                  value: "false"
+                image: quay.io/ansible/awx-operator:0.11.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -676,4 +720,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  version: 0.0.1
+  replaces: awx-operator.v0.10.0
+  version: 0.11.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxbackups_crd.yaml

@@ -18,14 +18,12 @@ spec:
         description: Schema validation for the AWXBackup CRD
         properties:
           spec:
-            required:
-              - deployment_name
             properties:
               backup_pvc:
                 description: Name of the PVC to be used for storing the backup
                 type: string
               backup_pvc_namespace:
-                description: Namespace PVC is in
+                description: Namespace the PVC is in
                 type: string
               backup_storage_class:
                 description: Storage class to use when creating PVC for backup
@@ -36,10 +34,42 @@ spec:
               deployment_name:
                 description: Name of the deployment to be backed up
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
+            required:
+            - deployment_name
+            type: object
+          status:
+            properties:
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
             type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxrestores_crd.yaml

@@ -19,12 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              backup_source:
-                description: Backup source
-                type: string
-                enum:
-                  - CR
-                  - PVC
               backup_dir:
                 description: Backup directory name, set as a status found on the awxbackup
                   object (backupDirectory)
@@ -39,14 +33,47 @@ spec:
               backup_pvc_namespace:
                 description: Namespace the PVC is in
                 type: string
+              backup_source:
+                description: Backup source
+                enum:
+                - CR
+                - PVC
+                type: string
               deployment_name:
                 description: Name of the deployment to be restored to
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
             type: object
+          status:
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean
+            type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true
     served: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -19,28 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              ca_trust_bundle:
-                description: Path where the trusted CA bundle is available
-                type: string
-              deployment_type:
-                description: Name of the deployment type
-                type: string
-                default: awx
-              kind:
-                description: Kind of the deployment type
-                type: string
-                default: AWX
-              api_version:
-                description: apiVersion of the deployment type
-                type: string
-                default: awx.ansible.com/v1beta1
-              development_mode:
-                description: If the deployment should be done in development mode
-                type: boolean
-              ldap_cacert_secret:
-                description: Secret where can be found the LDAP trusted Certificate
-                  Authority Bundle
-                type: string
               admin_email:
                 description: The admin user email
                 type: string
@@ -51,13 +29,34 @@ spec:
                 default: admin
                 description: Username to use for the admin account
                 type: string
+              api_version:
+                description: apiVersion of the deployment type
+                type: string
               broadcast_websocket_secret:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
+              ca_trust_bundle:
+                description: Path where the trusted CA bundle is available
+                type: string
+              control_plane_ee_image:
+                description: Registry path to the Execution Environment container
+                  image to use on control plane pods
+                type: string
               create_preload_data:
                 default: true
                 description: Whether or not to preload data upon instance creation
                 type: boolean
+              deployment_type:
+                description: Name of the deployment type
+                type: string
+              development_mode:
+                description: If the deployment should be done in development mode
+                type: boolean
+              ee_extra_env:
+                type: string
+              ee_extra_volume_mounts:
+                description: Specify volume mounts to be added to Execution container
+                type: string
               ee_images:
                 description: Registry path to the Execution Environment container
                   to use
@@ -69,6 +68,42 @@ spec:
                       type: string
                   type: object
                 type: array
+              ee_pull_credentials_secret:
+                description: Secret where pull credentials for registered ees can
+                  be found
+                type: string
+              ee_resource_requirements:
+                description: Resource requirements for the ee container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                type: object
+              extra_settings:
+                description: Extra settings to specify for the API
+                items:
+                  properties:
+                    setting:
+                      type: string
+                    value:
+                      type: string
+                  type: object
+                type: array
               extra_volumes:
                 description: Specify extra volumes to add to the application pod
                 type: string
@@ -82,9 +117,6 @@ spec:
               image:
                 description: Registry path to the application container to use
                 type: string
-              image_version:
-                description: Application container image version to use
-                type: string
               image_pull_policy:
                 default: IfNotPresent
                 description: The image pull policy
@@ -99,11 +131,14 @@ spec:
               image_pull_secret:
                 description: The image pull secret
                 type: string
+              image_version:
+                description: Application container image version to use
+                type: string
               ingress_annotations:
-                description: Annotations to add to the ingress
+                description: Annotations to add to the Ingress Controller
                 type: string
               ingress_tls_secret:
-                description: Secret where the ingress TLS secret can be found
+                description: Secret where the Ingress TLS secret can be found
                 type: string
               ingress_type:
                 description: The ingress type to use to reach the deployed instance
@@ -113,10 +148,13 @@ spec:
                 - ingress
                 - Route
                 - route
-                - LoadBalancer
-                - loadbalancer
-                - NodePort
-                - nodeport
+                type: string
+              kind:
+                description: Kind of the deployment type
+                type: string
+              ldap_cacert_secret:
+                description: Secret where can be found the LDAP trusted Certificate
+                  Authority Bundle
                 type: string
               loadbalancer_annotations:
                 description: Annotations to add to the loadbalancer
@@ -135,9 +173,6 @@ spec:
               node_selector:
                 description: nodeSelector for the pods
                 type: string
-              service_labels:
-                description: Additional labels to apply to the service
-                type: string
               old_postgres_configuration_secret:
                 description: Secret where the old database configuration can be found
                   for data migration
@@ -154,46 +189,50 @@ spec:
               postgres_image_version:
                 description: PostgreSQL container image version to use
                 type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for data
+                  migration
+                type: string
+              postgres_resource_requirements:
+                description: Resource requirements for the PostgreSQL container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
               postgres_selector:
                 description: nodeSelector for the Postgres pods
                 type: string
-              postgres_tolerations:
-                description: node tolerations for the Postgres pods
+              postgres_storage_class:
+                description: Storage class to use for the PostgreSQL PVC
                 type: string
               postgres_storage_requirements:
                 description: Storage requirements for the PostgreSQL container
                 properties:
-                  requests:
-                    properties:
-                      storage:
-                        type: string
-                    type: object
                   limits:
                     properties:
                       storage:
                         type: string
                     type: object
-                type: object
-              postgres_resource_requirements:
-                description: Resource requirements for the PostgreSQL container
-                properties:
                   requests:
                     properties:
-                      cpu:
-                        type: string
-                      memory:
-                        type: string
-                    type: object
-                  limits:
-                    properties:
-                      cpu:
-                        type: string
-                      memory:
+                      storage:
                         type: string
                     type: object
                 type: object
-              postgres_storage_class:
-                description: Storage class to use for the PostgreSQL PVC
+              postgres_tolerations:
+                description: node tolerations for the Postgres pods
                 type: string
               projects_existing_claim:
                 description: PersistentVolumeClaim to mount /var/lib/projects directory
@@ -226,9 +265,6 @@ spec:
               redis_image_version:
                 description: Redis container image version to use
                 type: string
-              service_account_annotations:
-                description: ServiceAccount annotations
-                type: string
               replicas:
                 default: 1
                 description: Number of instance replicas
@@ -252,6 +288,22 @@ spec:
               secret_key_secret:
                 description: Secret where the secret key can be found
                 type: string
+              service_account_annotations:
+                description: ServiceAccount annotations
+                type: string
+              service_labels:
+                description: Additional labels to apply to the service
+                type: string
+              service_type:
+                description: The service type to be used on the deployed instance
+                enum:
+                - LoadBalancer
+                - loadbalancer
+                - ClusterIP
+                - clusterip
+                - NodePort
+                - nodeport
+                type: string
               task_args:
                 items:
                   type: string
@@ -261,10 +313,6 @@ spec:
                   type: string
                 type: array
               task_extra_env:
-                description: Environment variables to be added to Task container
-                type: string
-              ee_extra_volume_mounts:
-                description: Specify volume mounts to be added to Execution container
                 type: string
               task_extra_volume_mounts:
                 description: Specify volume mounts to be added to Task container
@@ -307,10 +355,9 @@ spec:
                   type: string
                 type: array
               web_extra_env:
-                description: Environment variables to be added to Web container
                 type: string
               web_extra_volume_mounts:
-                description: Specify volume mounts to be added to web container
+                description: Specify volume mounts to be added to the Web container
                 type: string
               web_resource_requirements:
                 description: Resource requirements for the web container
@@ -334,19 +381,21 @@ spec:
                         type: string
                     type: object
                 type: object
-              extra_settings:
-                description: Extra settings to specify for the API
-                items:
-                  properties:
-                    setting:
-                      type: string
-                    value:
-                      type: string
-                  type: object
-                type: array
             type: object
           status:
             properties:
+              URL:
+                description: URL to access the deployed instance
+                type: string
+              adminPasswordSecret:
+                description: Admin password secret name of the deployed instance
+                type: string
+              adminUser:
+                description: Admin user of the deployed instance
+                type: string
+              broadcastWebsocketSecret:
+                description: Broadcast websocket secret name of the deployed instance
+                type: string
               conditions:
                 description: The resulting conditions when a Service Telemetry is
                   instantiated
@@ -362,20 +411,17 @@ spec:
                       type: string
                   type: object
                 type: array
-              adminPasswordSecret:
-                description: Admin password of the deployed instance
-                type: string
-              adminUser:
-                description: Admin user of the deployed instance
-                type: string
               image:
                 description: URL of the image used for the deployed instance
                 type: string
               migratedFromSecret:
                 description: The secret used for migrating an old instance.
                 type: string
-              URL:
-                description: URL to access the deployed instance
+              postgresConfigurationSecret:
+                description: Postgres Configuration secret name of the deployed instance
+                type: string
+              secretKeySecret:
+                description: Secret key secret name of the deployed instance
                 type: string
               version:
                 description: Version of the deployed instance

roles/backup/tasks/awx-cro.yml

@@ -16,9 +16,18 @@
   set_fact:
     awx_spec: "{{ _awx['spec'] }}"
 
+- name: Set names of backed up secrets in the CR spec
+  set_fact:
+    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
+  with_items:
+    - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
+    - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
+    - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }} "}
+
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ awx_spec }}' > {{ backup_dir }}/awx_object"
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | quote  }}

roles/backup/tasks/dump_generated_secret.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Get secret name
+  set_fact:
+      _name: "{{ this_awx['resources'][0]['status'][item] }}"
+
+- name: Fail if status is not set on AWX CR
+  block:
+      - name: Set error message
+        set_fact:
+            error_msg: "{{ item }} status is not set on AWX object yet"
+
+      - name: Handle error
+        import_tasks: error_handling.yml
+
+      - name: Fail early if secret name status is not set
+        fail:
+            msg: "{{ error_msg }}"
+  when: _name is not defined or _name == ''
+
+- name: Get secret
+  k8s_info:
+      version: v1
+      kind: Secret
+      namespace: '{{ meta.namespace }}'
+      name: "{{ _name }}"
+  register: _secret
+
+- name: Set secret data
+  set_fact:
+      _data: "{{ _secret['resources'][0]['data'] }}"
+
+- name: Create and Add secret names and data to dictionary
+  set_fact:
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data }}) }}"

roles/backup/tasks/dump_secret.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get Secret Name
+  set_fact:
+      _name: "{{ awx_spec[item] | default('') }}"
+
+- name: Skip if secret name not defined
+  block:
+      - name: Get secret
+        k8s_info:
+            version: v1
+            kind: Secret
+            namespace: '{{ meta.namespace }}'
+            name: "{{ _name }}"
+        register: _secret
+
+      - name: Set secret key
+        set_fact:
+            _data: "{{ _secret['resources'][0]['data'] }}"
+
+      - name: Create and Add secret names and data to dictionary
+        set_fact:
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data }}) }}"
+  when: _name != ''

roles/backup/tasks/main.yml

@@ -30,10 +30,10 @@
 
     - include_tasks: postgres.yml
 
-    - include_tasks: secrets.yml
-
     - include_tasks: awx-cro.yml
 
+    - include_tasks: secrets.yml
+
     - name: Set flag signifying this backup was successful
       set_fact:
         backup_complete: true
@@ -45,5 +45,3 @@
 
 - name: Update status variables
   include_tasks: update_status.yml
-
-# TODO: backup tower settings or make sure that users only specify settings/config changes via AWX object.  See ticket

roles/backup/tasks/postgres.yml

@@ -24,7 +24,7 @@
 - block:
     - name: Delete pod to reload a resource configuration
       set_fact:
-        postgres_label_selector: "app.kubernetes.io/name={{ deployment_name }}-postgres"
+        postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
       when: postgres_label_selector is not defined
 
     - name: Get the postgres pod information
@@ -92,6 +92,11 @@
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
-    command: >-
-      bash -c "PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db"
+    command: |
+      bash -c """
+      set -e -o pipefail
+      PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
+      echo 'Successful'
+      """
   register: data_migration
+  failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -1,65 +1,33 @@
 ---
 
-- name: Get secret_key
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"
-  register: _secret_key
+- name: Create Temporary secrets file
+  tempfile:
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
-- name: Set secret key
+- name: Dump (generated) secret names from statuses and data into file
+  include_tasks: dump_generated_secret.yml
+  with_items:
+    - secretKeySecret
+    - adminPasswordSecret
+    - broadcastWebsocketSecret
+    - postgresConfigurationSecret
+
+- name: Dump secret names from awx spec and data into file
+  include_tasks: dump_secret.yml
+  loop:
+    - route_tls_secret
+    - ldap_cacert_secret
+    - image_pull_secret
+
+- name: Nest secrets under a single variable
   set_fact:
-    secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
-
-- name: Get admin_password
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"
-  register: _admin_password
-
-- name: Set admin_password
-  set_fact:
-    admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
-
-- name: Get broadcast_websocket
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"
-  register: _broadcast_websocket
-
-- name: Set broadcast_websocket key
-  set_fact:
-    broadcast_websocket: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
-
-- name: Get postgres configuration
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
-  register: _postgres_configuration
-
-- name: Set postgres type
-  set_fact:
-    database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
-  when: _postgres_configuration['resources'][0]['data']['type'] is defined
-
-- name: Set postgres configuration
-  set_fact:
-    database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
-    database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
-    database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
-    database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
-    database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
-
-- name: Template secrets into yaml
-  set_fact:
-    secrets_file: "{{ lookup('template', 'secrets.yml.j2') }}"
+    secrets: {"secrets": '{{ secret_dict }}'}
 
 - name: Write postgres configuration to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ secrets_file }}' > {{ backup_dir }}/secrets.yml"
+      bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"

roles/backup/templates/backup_pvc.yml.j2

@@ -4,6 +4,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: {{ deployment_name }}-backup-claim
   namespace: {{ backup_pvc_namespace }}
+  ownerReferences: null
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
     app.kubernetes.io/part-of: '{{ meta.name }}'

roles/backup/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/backup/templates/secrets.yml.j2

@@ -1,14 +0,0 @@
----
-secret_key_secret_name: "{{ _secret_key['resources'][0]['metadata']['name'] }}"
-admin_password_secret_name: "{{ _admin_password['resources'][0]['metadata']['name'] }}"
-broadcast_websocket_secret_name: "{{ _broadcast_websocket['resources'][0]['metadata']['name'] }}"
-postgres_configuration_secret_name: "{{ _postgres_configuration['resources'][0]['metadata']['name'] }}"
-secret_key: {{ secret_key }}
-admin_password: {{ admin_password }}
-broadcast_websocket: {{ broadcast_websocket }}
-database_password: {{ database_password }}
-database_username: {{ database_username }}
-database_name: {{ database_name }}
-database_port: {{ database_port }}
-database_host: {{ database_host }}
-database_type: {{ database_type }}

roles/backup/vars/main.yml

@@ -1,5 +1,6 @@
 ---
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 backup_complete: false
 database_type: "unmanaged"

roles/installer/defaults/main.yml

@@ -93,6 +93,10 @@ postgres_configuration_secret: ''
 
 old_postgres_configuration_secret: ''
 
+# Secret to lookup that provides default execution environment pull credentials
+#
+ee_pull_credentials_secret: ''
+
 # Add extra volumes to the AWX pod. Specify as literal block. E.g.:
 # extra_volumes: |
 #   - name: my-volume
@@ -102,7 +106,7 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.0
+image_version: 19.2.1
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
@@ -111,8 +115,10 @@ image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
 ee_images:
-  - name: AWX EE 0.3.0
-    image: quay.io/ansible/awx-ee:0.3.0
+  - name: AWX EE 0.4.0
+    image: quay.io/ansible/awx-ee:0.4.0
+
+control_plane_ee_image: quay.io/ansible/awx-ee:0.4.0
 
 create_preload_data: true
 
@@ -134,6 +140,11 @@ web_resource_requirements:
     cpu: 1000m
     memory: 2Gi
 
+ee_resource_requirements:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -143,6 +154,7 @@ web_resource_requirements:
 #     value: bing
 task_extra_env: ''
 web_extra_env: ''
+ee_extra_env: ''
 
 # Mount extra volumes on the AWX task/web containers. Specify as literal block.
 # E.g.:

roles/installer/tasks/initialize_django.yml

@@ -6,7 +6,7 @@
     container: "{{ meta.name }}-task"
     command: >-
       bash -c "echo 'from django.contrib.auth.models import User;
-      nsu = User.objects.filter(is_superuser=True, username='{{ admin_user }}').count();
+      nsu = User.objects.filter(is_superuser=True, username=\"{{ admin_user }}\").count();
       exit(0 if nsu > 0 else 1)'
       | awx-manage shell"
   ignore_errors: true
@@ -45,3 +45,76 @@
   register: cdo
   changed_when: "'added' in cdo.stdout"
   when: create_preload_data | bool
+
+- name: Check if legacy queue is present
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'"
+  register: legacy_queue
+  changed_when: false
+
+- name: Unregister legacy queue
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage unregister_queue --queuename=tower"
+  when: "'[tower capacity=' in legacy_queue.stdout"
+
+- name: Check for specified default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ee_pull_credentials_secret }}'
+  register: _custom_execution_environments_pull_credentials
+  when: ee_pull_credentials_secret | length
+
+- name: Check for default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-ee-pull-credentials'
+  register: _default_execution_environments_pull_credentials
+
+- name: Set admin password secret
+  set_fact:
+    _execution_environments_pull_credentials: >-
+      {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
+      | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }}
+- name: Register default execution environments (without authentication)
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage register_default_execution_environments"
+  register: ree
+  changed_when: "'changed: True' in ree.stdout"
+  when: not _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- block:
+    - name: Store default execution environment pull credentials
+      set_fact:
+        default_execution_environment_pull_credentials_user: "{{ _execution_environments_pull_credentials['resources'][0]['data']['username'] | b64decode }}"
+        default_execution_environment_pull_credentials_pass: "{{ _execution_environments_pull_credentials['resources'][0]['data']['password'] | b64decode }}"
+        default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
+        default_execution_environment_pull_credentials_url_verify: >-
+          {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+    - name: Register default execution environments (with authentication)
+      k8s_exec:
+        namespace: "{{ meta.namespace }}"
+        pod: "{{ tower_pod_name }}"
+        container: "{{ meta.name }}-task"
+        command: >-
+          bash -c "awx-manage register_default_execution_environments
+          --registry-username='{{ default_execution_environment_pull_credentials_user }}'
+          --registry-password='{{ default_execution_environment_pull_credentials_pass }}'
+          --registry-url='{{ default_execution_environment_pull_credentials_url }}'
+          --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
+      register: ree
+      changed_when: "'changed: True' in ree.stdout"
+  when: _execution_environments_pull_credentials['resources'] | default([]) | length

roles/installer/templates/config.yaml.j2

@@ -150,6 +150,11 @@ data:
 
             ssl_certificate /etc/nginx/pki/web.crt;
             ssl_certificate_key /etc/nginx/pki/web.key;
+            ssl_session_cache shared:SSL:50m;
+            ssl_session_timeout 1d;
+            ssl_session_tickets off;
+            ssl_ciphers PROFILE=SYSTEM;
+            ssl_prefer_server_ciphers on;
         {% else %}
             listen 8052 default_server;
         {% endif %}
@@ -160,8 +165,6 @@ data:
     
             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;
-            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-            add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
     
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
@@ -178,7 +181,7 @@ data:
             }
     
             location /favicon.ico {
-                alias /var/lib/awx/public/static/favicon.ico;
+                alias /var/lib/awx/public/static/media/favicon.ico;
             }
     
             location /websocket {
@@ -214,6 +217,13 @@ data:
                 {%- endif %}
                 proxy_set_header X-Forwarded-Port 443;
                 uwsgi_param HTTP_X_FORWARDED_PORT 443;
+
+                add_header Strict-Transport-Security max-age=15768000;
+                # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+                add_header X-Frame-Options "DENY";
+                add_header Cache-Control "no-cache, no-store, must-revalidate";
+                add_header Expires "0";
+                add_header Pragma "no-cache";
             }
         }
     }

roles/installer/templates/deployment.yaml.j2

@@ -205,9 +205,10 @@ spec:
             {{ task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ task_resource_requirements }}
-        - image: '{{ ee_images[0].image }}'
+        - image: '{{ control_plane_ee_image }}'
           name: '{{ meta.name }}-ee'
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ ee_resource_requirements }}
           args: ['receptor', '--config', '/etc/receptor.conf']
           volumeMounts:
             - name: "{{ meta.name }}-receptor-config"
@@ -221,13 +222,16 @@ spec:
 {% if ee_extra_volume_mounts -%}
             {{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
 {% endif %}
-{% if development_mode | bool %}
           env:
+{% if development_mode | bool %}
             - name: SDB_NOTIFY_HOST
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
 {% endif %}
+{% if ee_extra_env -%}
+            {{ ee_extra_env | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% if node_selector %}
       nodeSelector:
         {{ node_selector | indent(width=8) }}

roles/installer/templates/execution_environments.py.j2

@@ -1,5 +1,6 @@
-DEFAULT_EXECUTION_ENVIRONMENTS = [
+GLOBAL_JOB_EXECUTION_ENVIRONMENTS = [
 {% for item in ee_images %}
     {'name': '{{ item.name }}' , 'image': '{{ item.image }}'},
 {% endfor %}
 ]
+CONTROL_PLANE_EXECUTION_ENVIRONMENT = '{{ control_plane_ee_image }}'

roles/installer/templates/service.yaml.j2

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
     {{ service_labels | indent(width=4) }}
-{% if ingress_type | lower == 'loadbalancer' and loadbalancer_annotations %}
+{% if service_type | lower == 'loadbalancer' and loadbalancer_annotations %}
   annotations:
     {{ loadbalancer_annotations | indent(width=4) }}
 {% endif %}

roles/restore/tasks/cleanup.yml

@@ -18,7 +18,19 @@
         namespace: '{{ meta.namespace }}'
         ownerReferences: null
   loop:
-    - '{{ secret_key_secret_name }}'
-    - '{{ admin_password_secret_name }}'
-    - '{{ broadcast_websocket_secret_name }}'
-    - '{{ postgres_configuration_secret_name }}'
+    - '{{ secret_key_secret }}'
+    - '{{ admin_password_secret }}'
+    - '{{ broadcast_websocket_secret }}'
+    - '{{ postgres_configuration_secret }}'
+
+- name: Cleanup temp spec file
+  file:
+    path: "{{ tmp_spec.path }}"
+    state: absent
+  when: tmp_spec.path is defined
+
+- name: Cleanup temp secret vars file
+  file:
+    path: "{{ secret_vars.path }}"
+    state: absent
+  when: secret_vars.path is defined

roles/restore/tasks/deploy_awx.yml

@@ -31,15 +31,6 @@
   set_fact:
     awx_spec: "{{ spec.ansible_facts }}"
 
-- name: Set names of backed up secrets in the CR spec
-  set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
-  with_items:
-    - {'key': 'secret_key_secret', 'value': '{{ secret_key_secret_name }}'}
-    - {'key': 'admin_password_secret', 'value': '{{ admin_password_secret_name }}'}
-    - {'key': 'broadcast_websocket_secret', 'value': '{{ broadcast_websocket_secret_name }}'}
-    - {'key': 'postgres_configuration_secret', 'value': '{{ postgres_configuration_secret_name }}'}
-
 - name: Restore kind
   set_fact:
     kind: "{{ _kind }}"

roles/restore/tasks/postgres.yml

@@ -4,7 +4,7 @@
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
-    name: '{{ postgres_configuration_secret_name }}'
+    name: '{{ postgres_configuration_secret }}'
   register: pg_config
 
 - name: Store Database Configuration

roles/restore/tasks/secrets.yml

@@ -6,27 +6,45 @@
     pod: "{{ meta.name }}-db-management"
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
-  register: secrets
+  register: _secrets
 
-- name: Create temp vars file
+- name: Create Temporary secrets file
   tempfile:
-    prefix: secret_vars-
-  register: secret_vars
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
 - name: Write vars to file locally
   copy:
-    dest: "{{ secret_vars.path }}"
-    content: "{{ secrets.stdout }}"
+    dest: "{{ tmp_secrets.path }}"
+    content: "{{ _secrets.stdout }}"
     mode: 0640
 
 - name: Include secret vars from backup
-  include_vars: "{{ secret_vars.path }}"
+  include_vars: "{{ tmp_secrets.path }}"
 
-- name: Set new database host based on supplied deployment_name
-  set_fact:
-    database_host: "{{ deployment_name }}-postgres"
-  when:
-    - database_type == 'managed'
+- name: If deployment is managed, set the database_host in the pg config secret
+  block:
+    - name: Set new database host
+      set_fact:
+        database_host: "{{ deployment_name }}-postgres"
+
+    - name: Set tmp postgres secret dict
+      set_fact:
+        _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+
+    - name: Change postgres host value
+      set_fact:
+        _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+
+    - name: Create a postgres secret with the new host value
+      set_fact:
+        _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+
+    - name: Create a new dict of secrets with the new postgres secret
+      set_fact:
+        secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
   k8s:

roles/restore/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/restore/templates/secrets.yml.j2

@@ -1,9 +1,9 @@
-# Postgres Secret
+{% for secret in secrets %}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: '{{ postgres_configuration_secret_name }}'
+  name: '{{ secrets[secret]['name'] }}'
   namespace: '{{ meta.namespace }}'
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
@@ -12,57 +12,8 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
 stringData:
-  password: '{{ database_password }}'
-  username: '{{ database_username }}'
-  database: '{{ database_name }}'
-  port: '{{ database_port }}'
-  host: '{{ database_host }}'
-  type: '{{ database_type }}'
+  {% for key, value in secrets[secret]['data'].items() %}
+    '{{ key }}': '{{ value | b64decode }}'
+  {% endfor %}
 
-# Secret Key Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ secret_key_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret_key: '{{ secret_key }}'
-
-# Admin Password Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ admin_password_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  password: '{{ admin_password }}'
-
-# Broadcast Websocket Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ broadcast_websocket_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret: '{{ broadcast_websocket }}'
+{% endfor %}

roles/restore/vars/main.yml

@@ -1,13 +1,14 @@
 ---
 
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 
 backup_api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 backup_kind: 'AWXBackup'
 
 # set default secret names to be used if a backup dir and claim are provided (not a backup_name)
-secret_key_secret_name: '{{ deployment_name }}-secret-key'
-admin_password_secret_name: '{{ deployment_name }}-admin-password'
-broadcast_websocket_secret_name: '{{ deployment_name }}-broadcast-websocket'
-postgres_configuration_secret_name: '{{ deployment_name }}-postgres-configuration'
+secret_key_secret: '{{ deployment_name }}-secret-key'
+admin_password_secret: '{{ deployment_name }}-admin-password'
+broadcast_websocket_secret: '{{ deployment_name }}-broadcast-websocket'
+postgres_configuration_secret: '{{ deployment_name }}-postgres-configuration'

scripts/build.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-## This script will be build 3 images awx-{operator,bundle,catalog}
+## This script will generate a bundle manifest, build 3 images awx-{operator,bundle,catalog}
 ## and push to the $REGISTRY specified.
 ##
 ## The goal is provide an quick way to build a test image.
@@ -10,7 +10,7 @@
 ## cd awx-operator
 ## REGISTRY=registry.example.com/ansible TAG=mytag ANSIBLE_DEBUG_LOGS=true scripts/build.sh
 ##
-## As a result, the $REGISTRY will be populated with 2 images
+## As a result, the $REGISTRY will be populated with 3 images
 ## registry.example.com/ansible/awx-operator:mytag
 ## registry.example.com/ansible/awx-operator-bundle:mytag
 ## registry.example.com/ansible/awx-operator-catalog:mytag
@@ -78,6 +78,7 @@ build_operator_image() {
 
 build_bundle_image() {
   echo "Building and pushing $BUNDLE_IMAGE image"
+  operator-sdk generate bundle --operator-name awx-operator --version $TAG
   $POD_MANAGER build . -f bundle.Dockerfile -t $REGISTRY/$BUNDLE_IMAGE:$TAG
   $POD_MANAGER push $REGISTRY/$BUNDLE_IMAGE:$TAG
 }

scripts/generate-files.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+## This script will auto-generate the templated files and bundle files 
+## after changes to CRD template files. Please use this instead of manually
+## updating the managed yaml files.  
+##
+## Example:
+## TAG=0.10.0 ./generate-files.sh
+
+TAG=${TAG:-''}
+if [[ -z "$TAG" ]]; then
+    echo "Set your \$TAG variable to your registry server."
+    echo "export TAG=mytag"
+    exit 1
+fi
+
+ansible-playbook ansible/chain-operator-files.yml
+operator-sdk generate bundle --operator-name awx-operator --version $TAG