update name of ee as well as the image

We are updating the requirements in awx to get the latest receptor and runner in the task container,
we should also have the latest in the EE

see https://github.com/ansible/awx/pull/10861 and https://github.com/ansible/awx/pull/10858

.github/workflows/ci.yaml

@@ -31,14 +31,21 @@ jobs:
             ansible-lint \
             openshift \
             jmespath \
-            ansible
+            ansible-core
 
       - name: Install Collections
         run: |
-         ansible-galaxy collection install community.kubernetes operator_sdk.util
+         ansible-galaxy collection install community.general kubernetes.core:1.2.1 operator_sdk.util
+
+      - name: Setup Minikube
+        uses: manusa/actions-setup-minikube@v2.4.2
+        with:
+          minikube version: 'v1.16.0'
+          kubernetes version: 'v1.19.2'
+          github token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Molecule
         env:
           MOLECULE_VERBOSITY: 3
         run: |
-          molecule test -s test-local
+          molecule test -s test-minikube

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
 
+# 0.10.0 (Jun 1, 2021)
+
+- Make tower_ingress_type to respect ClusterIP definition (Marcelo Moreira de Mello) - e37c091 (breaking_change)
+- Add ability to get/create/delete secrets for the awx service account (Christian M. Adams) - 61b3cb4
+- Added ability to specify annotations to ServiceAccount (Marcelo Moreira de Mello) - 446ac0b
+- Do not shadow other variables (Yanis Guenane) - 223fe98
+- Do not prepend variables name with tower_ (Yanis Guenane) - 75458d0 (breaking_change)
+- Fully remove finalizer (Christian M. Adams) - fd92050
+- Use custom pg_dump format for faster restores (Christian M. Adams) - f16d9ac
+- Allow user to specify empty string for storage class on PVC (Christian M. Adams) - 818b837
+- Unset ownerRefs in the installer instead of the finalizer (Christian M. Adams) - c12a1f0
+- Make awx-operator compatible with Ansible 2.12 (Alan Rominger) - 5216489
+- Restore: set proper kind var after deploying AWX CR (Julen Landa Alustiza) - fc4687f
+- Add support for custom service labels (Jeremy Kimber) - fd42802
+- Rename product specific variable names (Christian M. Adams) - 5ae3636 (breaking_change)
+- Add watcher for backup CR (Christian M. Adams) - fdcc745
+
 # 0.9.0 (May 1, 2021)
 
 - Update playbook to allow for deploying custom image version/tag (Shane McDonald) - 77e7039 

README.md

@@ -24,10 +24,11 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
-         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [Extra Settings](#extra-settings)
          * [Service Account](#service-account)
    * [Upgrading](#upgrading)
    * [Contributing](#contributing)
@@ -77,11 +78,11 @@ $ minikube start --addons=ingress --cpus=4 --cni=flannel --install-addons=true \
 Once Minikube is deployed, check if the node(s) and `kube-apiserver` communication is working as expected.
 
 ```bash
-$ kubectl get nodes
+$ minikube kubectl -- get nodes
 NAME       STATUS   ROLES                  AGE     VERSION
 minikube   Ready    control-plane,master   6m28s   v1.20.2
 
-$ kubectl get pods -A
+$ minikube kubectl -- get pods -A
 NAMESPACE       NAME                                        READY   STATUS      RESTARTS   AGE
 ingress-nginx   ingress-nginx-admission-create-tjk94        0/1     Completed   0          6m4s
 ingress-nginx   ingress-nginx-admission-patch-r4pl6         0/1     Completed   0          6m4s
@@ -96,6 +97,14 @@ kube-system     kube-scheduler-minikube                     1/1     Running
 kube-system     storage-provisioner                         1/1     Running     1          6m17s
 ```
 
+It is not required for `kubectl` to be separately installed since it comes already wrapped inside minikube. As demonstrated above, simply prefix `minikube kubectl --` before kubectl command, i.e. `kubectl get nodes` would become `minikube kubectl -- get nodes`
+
+Let's create an alias for easier usage: 
+
+```bash
+$ alias kubectl="minikube kubectl --"
+```
+
 Now you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release. Replace `<TAG>` in the URL `https://raw.githubusercontent.com/ansible/awx-operator/<TAG>/deploy/awx-operator.yaml` with the version you are deploying.
 
 ```bash
@@ -267,6 +276,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ingress_annotations        | Ingress annotations                      | Empty string                 |
 | ingress_tls_secret         | Secret that contains the TLS information | Empty string                 |
 | hostname                   | Define the FQDN                          | {{ meta.name }}.example.com  |
+| ingress_path               | Define the ingress path to the service   | /                            |
 
 ```yaml
 ---
@@ -427,10 +437,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                             | Description                          | Default                             |
-| -------------------------------- | ------------------------------------ | ----------------------------------- |
-| web_resource_requirements        | Web container resource requirements  | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements       | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                             | Description                                      | Default                             |
+| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
+| web_resource_requirements        | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
+| task_resource_requirements       | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
+| ee_resource_requirements         | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
 
 Example of customization could be:
 
@@ -452,6 +463,13 @@ spec:
     limits:
       cpu: 1000m
       memory: 2Gi
+  ee_resource_requirements:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
 ```
 
 #### Assigning AWX pods to specific nodes
@@ -496,28 +514,36 @@ spec:
       effect: "NoSchedule"
 ```
 
-#### LDAP Certificate Authority
+#### Trusting a Custom Certificate Authority
 
-If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
 
-| Name                             | Description                             | Default |
-| -------------------------------- | --------------------------------------- | --------|
-| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
+
+Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
+
 Example of customization could be:
 
 ```yaml
 ---
 spec:
   ...
-  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+  ldap_cacert_secret: <resourcename>-custom-certs
+  bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
 To create the secret, you can use the command below:
 
 ```sh
-# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+# kubectl create secret generic <resourcename>-custom-certs \
+    --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>  \
+    --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
 #### Persisting Projects Directory
@@ -547,12 +573,17 @@ spec:
 
 In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
 
-| Name                           | Description                                              | Default |
-| ------------------------------ | -------------------------------------------------------- | ------- |
-| extra_volumes                  | Specify extra volumes to add to the application pod      | ''      |
-| web_extra_volume_mounts        | Specify volume mounts to be added to Web container       | ''      |
-| task_extra_volume_mounts       | Specify volume mounts to be added to Task container      | ''      |
-| ee_extra_volume_mounts         | Specify volume mounts to be added to Execution container | ''      |
+| Name                              | Description                                              | Default |
+| --------------------------------- | -------------------------------------------------------- | ------- |
+| extra_volumes                     | Specify extra volumes to add to the application pod      | ''      |
+| web_extra_volume_mounts           | Specify volume mounts to be added to Web container       | ''      |
+| task_extra_volume_mounts          | Specify volume mounts to be added to Task container      | ''      |
+| ee_extra_volume_mounts            | Specify volume mounts to be added to Execution container | ''      |
+| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container      | ''      |
+| init_container_extra_commands     | Specify additional commands for Init container           | ''      |
+
+
+> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
 Example configuration for ConfigMap
 
@@ -579,16 +610,6 @@ Example spec file for volumes and volume mounts
 ---
     spec:
     ...
-      ee_extra_volume_mounts: |
-        - name: ansible-cfg
-          mountPath: /etc/ansible/ansible.cfg
-          subPath: ansible.cfg
-
-      task_extra_volume_mounts: |
-        - name: custom-py
-          mountPath: /etc/tower/conf.d/custom.py
-          subPath: custom.py
-
       extra_volumes: |
         - name: ansible-cfg
           configMap:
@@ -604,11 +625,78 @@ Example spec file for volumes and volume mounts
               - key: custom.py
                 path: custom.py
             name: <resourcename>-extra-config
+        - name: shared-volume
+          persistentVolumeClaim:
+            claimName: my-external-volume-claim
 
+      init_container_extra_volume_mounts: |
+        - name: shared-volume
+          mountPath: /shared
+
+      init_container_extra_commands: |
+        # set proper permissions (rwx) for the awx user
+        chmod 775 /shared
+        chgrp 1000 /shared
+
+      ee_extra_volume_mounts: |
+        - name: ansible-cfg
+          mountPath: /etc/ansible/ansible.cfg
+          subPath: ansible.cfg
+
+      task_extra_volume_mounts: |
+        - name: custom-py
+          mountPath: /etc/tower/conf.d/custom.py
+          subPath: custom.py
+        - name: shared-volume
+          mountPath: /shared
 ```
 
 > :warning: **Volume and VolumeMount names cannot contain underscores(_)**
 
+#### Default execution environments from private registries
+
+In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
+
+The secret should be formated as follows:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resourcename>-ee-pull-credentials
+  namespace: <target namespace>
+stringData:
+  url: <registry url. i.e. quay.io>
+  username: <username to connect as>
+  password: <password to connect with>
+  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
+type: Opaque
+```
+
+##### Control plane ee from private registry
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+
+You can create `image_pull_secret`
+```
+kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
+```
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+
+Example spec file extra-config
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resoucename>-cp-pull-credentials
+  namespace: <target namespace>
+data:
+  .dockerconfigjson: <base64 docker config>
+type: kubernetes.io/dockerconfigjson
+```
+
 #### Exporting Environment Variables to Containers
 
 If you need to export custom environment variables to your containers.
@@ -617,6 +705,9 @@ If you need to export custom environment variables to your containers.
 | ----------------------------- | -------------------------------------------------------- | ------- |
 | task_extra_env                | Environment variables to be added to Task container      | ''      |
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
+| ee_extra_env                  | Environment variables to be added to EE container        | ''      |
+
+> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
 Example configuration of environment variables
 
@@ -628,6 +719,29 @@ Example configuration of environment variables
     web_extra_env: |
       - name: MYCUSTOMVAR
         value: foo
+    ee_extra_env: |
+      - name: MYCUSTOMVAR
+        value: foo
+```
+
+#### Extra Settings
+
+With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
+
+| Name                          | Description                                              | Default |
+| ----------------------------- | -------------------------------------------------------- | ------- |
+| extra_settings                | Extra settings                                           | ''      |
+
+Example configuration of `extra_settings` parameter
+
+```yaml
+  spec:
+    extra_settings:
+      - setting: MAX_PAGE_SIZE
+        value: "500"
+
+      - setting: AUTH_LDAP_BIND_DN
+        value: "cn=admin,dc=example,dc=com"
 ```
 
 #### Service Account
@@ -662,43 +776,13 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
 
 There are a few moving parts to this project:
 
-  1. The Docker image which powers AWX Operator.
-  2. The `awx-operator.yaml` Kubernetes manifest file which initially deploys the Operator into a cluster.
-  3. Then use the command below to generate a list of commits between the versions.
-  ```sh
-  #> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
-  ```
+  * The `awx-operator` container image which powers AWX Operator
+  * The `awx-operator.yaml` file, which initially deploys the Operator
+  * The ClusterServiceVersion (CSV), which is generated as part of the bundle and needed for the olm-catalog
 
 Each of these must be appropriately built in preparation for a new tag:
 
-### Verify Functionality
-
-Run the following command inside this directory:
-
-```sh
-#> operator-sdk build quay.io/<user>/awx-operator:test
-```
-
-Then push the generated image to Docker Hub:
-
-```sh
-#> docker push quay.io/<user>/awx-operator:test
-```
-
-After it is built, test it on a local cluster:
-
-
-```sh
-#> minikube start --memory 6g --cpus 4
-#> minikube addons enable ingress
-#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=test
-#> kubectl create namespace example-awx
-#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx
-#> <test everything>
-#> minikube delete
-```
-
-### Update version
+### Update version and files
 
 Update the awx-operator version:
 
@@ -710,6 +794,51 @@ Once the version has been updated, run from the root of the repo:
 #> ansible-playbook ansible/chain-operator-files.yml
 ```
 
+Generate the olm-catalog bundle.
+
+```bash
+$ operator-sdk generate bundle --operator-name awx-operator --version <new_tag>
+```
+
+> This should be done with operator-sdk v0.19.4.  
+
+> It is a good idea to use the [build script](./build.sh) at this point to build the catalog and test out installing it in Operator Hub.
+
+### Verify Functionality
+
+Run the following command inside this directory:
+
+```sh
+#> operator-sdk build quay.io/<user>/awx-operator:<new-version>
+```
+
+Then push the generated image to Docker Hub:
+
+```sh
+#> docker push quay.io/<user>/awx-operator:<new-version>
+```
+
+After it is built, test it on a local cluster:
+
+
+```sh
+#> minikube start --memory 6g --cpus 4
+#> minikube addons enable ingress
+#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=<new-version> -e pull_policy=Always
+#> kubectl create namespace example-awx
+#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx -e image=quay.io/<user>/awx -e service_type=nodeport
+#> # Verify that the awx-task and awx-web containers are launched 
+#> # with the right version of the awx image
+#> minikube delete
+```
+
+### Update changelog
+
+Generate a list of commits between the versions and add it to the [changelog](./CHANGELOG.md).
+```sh
+#> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
+```
+
 ### Commit / Create Release
 
 If everything works, commit the updated version, then [publish a new release](https://github.com/ansible/awx-operator/releases/new) using the same version you used in `ansible/group_vars/all`.

ansible/build-and-push.yml

@@ -3,15 +3,15 @@
   hosts: localhost
 
   collections:
-    - community.general
+    - community.docker
 
   tasks:
     - name: Build and (optionally) push operator image
       docker_image:
         name: "{{ operator_image }}:{{ operator_version }}"
-        pull: no
-        push: "{{ push_image | bool }}"
+        source: "build"
+        push: "{{ push_image }}"
         build:
           dockerfile: "build/Dockerfile"
           path: "../"
-        force: yes
+        force_source: "yes"

ansible/deploy-operator.yml

@@ -9,7 +9,7 @@
     obliterate: no
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Obliterate Operator

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.10.0
+operator_version: 0.12.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/instantiate-awx-deployment.yml

@@ -3,7 +3,7 @@
   hosts: localhost
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Deploy AWX

ansible/templates/awxbackup_crd.yml.j2

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

ansible/templates/awxrestore_crd.yml.j2

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

ansible/templates/crd.yml.j2

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -89,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -149,6 +149,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +213,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +271,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -258,6 +288,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -317,6 +359,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -348,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

bundle.Dockerfile

@@ -6,9 +6,9 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=awx-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
 LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
-LABEL operators.operatorframework.io.metrics.project_layout=ansible
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4
+LABEL operators.operatorframework.io.metrics.project_layout=ansible
 
 COPY deploy/olm-catalog/awx-operator/manifests /manifests/
 COPY deploy/olm-catalog/awx-operator/metadata /metadata/

deploy/awx-operator.yaml

@@ -28,15 +28,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -91,6 +88,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -151,6 +151,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -209,6 +215,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -245,6 +273,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -260,6 +290,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -319,6 +361,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -350,7 +395,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object
@@ -437,7 +482,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -448,6 +493,36 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string
 
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -501,6 +576,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -627,7 +729,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.10.0"
+          image: "quay.io/ansible/awx-operator:0.12.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -645,7 +747,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.10.0"
+              value: "0.12.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -26,15 +26,12 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
-                  default: awx
                 kind:
                   description: Kind of the deployment type
                   type: string
-                  default: AWX
                 api_version:
                   description: apiVersion of the deployment type
                   type: string
-                  default: awx.ansible.com/v1beta1
                 task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
@@ -89,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -149,6 +149,12 @@ spec:
                         type: string
                       image:
                         type: string
+                control_plane_ee_image:
+                  description: Registry path to the Execution Environment container image to use on control plane pods
+                  type: string
+                ee_pull_credentials_secret:
+                  description: Secret where pull credentials for registered ees can be found
+                  type: string
                 image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -207,6 +213,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                ee_resource_requirements:
+                  description: Resource requirements for the ee container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -243,6 +271,8 @@ spec:
                   type: string
                 web_extra_env:
                   type: string
+                ee_extra_env:
+                  type: string
                 ee_extra_volume_mounts:
                   description: Specify volume mounts to be added to Execution container
                   type: string
@@ -258,6 +288,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -317,6 +359,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -348,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/crds/awx_v1beta1_molecule.yaml

@@ -17,3 +17,7 @@ spec:
     requests:
       cpu: 500m
       memory: 128M
+  ee_resource_requirements:
+    requests:
+      cpu: 200m
+      memory: 64M

deploy/crds/awxbackup_v1beta1_crd.yaml

@@ -35,7 +35,7 @@ spec:
                   description: Name of the PVC to be used for storing the backup
                   type: string
                 backup_pvc_namespace:
-                  description: Namespace PVC is in
+                  description: Namespace the PVC is in
                   type: string
                 backup_storage_requirements:
                   description: Storage requirements for the PostgreSQL container
@@ -46,3 +46,33 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                backupDirectory:
+                  description: Backup directory name on the specified pvc
+                  type: string
+                backupClaim:
+                  description: Backup persistent volume claim
+                  type: string

deploy/crds/awxrestore_v1beta1_crd.yaml

@@ -50,3 +50,30 @@ spec:
                 postgres_label_selector:
                   description: Label selector used to identify postgres pod for backing up data
                   type: string
+                postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is
+                    instantiated
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    type: object
+                  type: array
+                restoreComplete:
+                  description: Restore process complete
+                  type: boolean

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -13,7 +13,14 @@ metadata:
           },
           "spec": {
             "deployment_type": "awx",
+            "ee_resource_requirements": {
+              "requests": {
+                "cpu": "200m",
+                "memory": "64M"
+              }
+            },
             "ingress_type": "ingress",
+            "service_account_annotations": "foo: bar\n",
             "task_resource_requirements": {
               "requests": {
                 "cpu": "500m",
@@ -32,16 +39,15 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.0.1
+  name: awx-operator.v0.12.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - kind: AWXBackup
+    - displayName: AWX Backup
+      kind: AWXBackup
       name: awxbackups.awx.ansible.com
-      version: v1beta1
-      displayName: AWX Backup
       specDescriptors:
       - displayName: Deployment name
         path: deployment_name
@@ -72,47 +78,55 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Backup claim
-        description: The persistent volume claim name used during backup
+      - description: The persistent volume claim name used during backup
+        displayName: Backup claim
         path: backupClaim
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - displayName: Backup directory
-        description: The directory data is backed up to on the PVC
+      - description: The directory data is backed up to on the PVC
+        displayName: Backup directory
         path: backupDirectory
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-    - kind: AWXRestore
-      name: awxrestores.awx.ansible.com
       version: v1beta1
-      displayName: AWX Restore
+    - displayName: AWX Restore
+      kind: AWXRestore
+      name: awxrestores.awx.ansible.com
       specDescriptors:
       - displayName: Backup source to restore ?
         path: backup_source
         x-descriptors:
-          - urn:alm:descriptor:com.tectonic.ui:select:CR
-          - urn:alm:descriptor:com.tectonic.ui:select:PVC
+        - urn:alm:descriptor:com.tectonic.ui:select:CR
+        - urn:alm:descriptor:com.tectonic.ui:select:PVC
       - displayName: Backup name
         path: backup_name
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
-      - displayName: Deployment name
+      - displayName: Name of newly restored deployment
         path: deployment_name
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup persistent volume claim
         path: backup_pvc
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
-      - displayName: Backup persistent volume claim namespace
+      - displayName: Backup namespace
         path: backup_pvc_namespace
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup directory in the persistent volume claim
         path: backup_dir
         x-descriptors:
@@ -122,12 +136,23 @@ spec:
         path: postgres_label_selector
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
-      - displayName: Restore status
-        description: The state of the restore
+      - description: The state of the restore
+        displayName: Restore status
         path: restoreComplete
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      version: v1beta1
     - description: A AWX Instance
       displayName: AWX
       kind: AWX
@@ -251,7 +276,7 @@ spec:
         path: image_pull_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:imagePullSecret
+        - urn:alm:descriptor:io.kubernetes:Secret
       - displayName: Web container resource requirements
         path: web_resource_requirements
         x-descriptors:
@@ -262,12 +287,19 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container resource requirements (when using a managed instance)
+      - displayName: EE Control Plane container resource requirements
+        path: ee_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: PostgreSQL container resource requirements (when using a managed
+          instance)
         path: postgres_resource_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container storage requirements (when using a managed instance)
+      - displayName: PostgreSQL container storage requirements (when using a managed
+          instance)
         path: postgres_storage_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -349,6 +381,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Label Selector
+        path: postgres_label_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Postgres Tolerations
         path: postgres_tolerations
         x-descriptors:
@@ -397,8 +434,8 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
         - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
-      - description: Projects Storage Class Name. If not present, the default
-          storage class will be used.
+      - description: Projects Storage Class Name. If not present, the default storage
+          class will be used.
         displayName: Projects Storage Class Name
         path: projects_storage_class
         x-descriptors:
@@ -424,26 +461,45 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Env
-        description: Environment variables to be added to Task container
+      - description: Environment variables to be added to Task container
+        displayName: Task Extra Env
         path: task_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Extra Volume Mounts
+      - description: Specify volume mounts to be added to Execution container
+        displayName: EE Extra Volume Mounts
         path: ee_extra_volume_mounts
-        description: Specify volume mounts to be added to Execution container
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: EE Images
-        description: Registry path to the Execution Environment container to use
+      - description: Registry path to the Execution Environment container to use
+        displayName: EE Images
         path: ee_images
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Task Extra Volume Mounts
-        description: Specify volume mounts to be added to Task container
+      - description: Environment variables to be added to EE container
+        displayName: EE Extra Env
+        path: ee_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the Execution Environment container to use on
+          control plane pods
+        displayName: Control Plane EE Image
+        path: control_plane_ee_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: EE Images Pull Credentials Secret
+        displayName: EE Images Pull Credentials Secret
+        path: ee_pull_credentials_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - description: Specify volume mounts to be added to Task container
+        displayName: Task Extra Volume Mounts
         path: task_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -458,20 +514,20 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Env
-        description: Environment variables to be added to Web container
+      - description: Environment variables to be added to Web container
+        displayName: Web Extra Env
         path: web_extra_env
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Web Extra Volume Mounts
-        description: Specify volume mounts to be added to Web container
+      - description: Specify volume mounts to be added to Web container
+        displayName: Web Extra Volume Mounts
         path: web_extra_volume_mounts
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
-      - displayName: Extra Volumes
-        description: Specify extra volumes to add to the application pod
+      - description: Specify extra volumes to add to the application pod
+        displayName: Extra Volumes
         path: extra_volumes
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -497,6 +553,35 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the init container to use
+        displayName: Init Container Image
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Init container image version to use
+        displayName: Init Container Image Version
+        path: init_container_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify Extra commands for the Init container
+        displayName: Init Container Extra Commands
+        path: init_container_extra_commands
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify volume mounts to be added to Init container
+        displayName: Init Container Extra Volume Mounts
+        path: init_container_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Secret where can be found the trusted Certificate Authority Bundle
+        path: bundle_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -607,6 +692,8 @@ spec:
           - awx.ansible.com
           resources:
           - '*'
+          - awxbackups
+          - awxrestores
           verbs:
           - '*'
         serviceAccountName: awx-operator
@@ -637,7 +724,11 @@ spec:
                   value: awx-operator
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/ansible/awx-operator:0.8.0
+                - name: OPERATOR_VERSION
+                  value: 0.12.0
+                - name: ANSIBLE_DEBUG_LOGS
+                  value: "false"
+                image: quay.io/ansible/awx-operator:0.12.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -676,4 +767,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  version: 0.0.1
+  replaces: awx-operator.v0.11.0
+  version: 0.12.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxbackups_crd.yaml

@@ -18,14 +18,12 @@ spec:
         description: Schema validation for the AWXBackup CRD
         properties:
           spec:
-            required:
-              - deployment_name
             properties:
               backup_pvc:
                 description: Name of the PVC to be used for storing the backup
                 type: string
               backup_pvc_namespace:
-                description: Namespace PVC is in
+                description: Namespace the PVC is in
                 type: string
               backup_storage_class:
                 description: Storage class to use when creating PVC for backup
@@ -36,10 +34,42 @@ spec:
               deployment_name:
                 description: Name of the deployment to be backed up
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
+            required:
+            - deployment_name
+            type: object
+          status:
+            properties:
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
             type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxrestores_crd.yaml

@@ -19,12 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              backup_source:
-                description: Backup source
-                type: string
-                enum:
-                  - CR
-                  - PVC
               backup_dir:
                 description: Backup directory name, set as a status found on the awxbackup
                   object (backupDirectory)
@@ -39,14 +33,47 @@ spec:
               backup_pvc_namespace:
                 description: Namespace the PVC is in
                 type: string
+              backup_source:
+                description: Backup source
+                enum:
+                - CR
+                - PVC
+                type: string
               deployment_name:
                 description: Name of the deployment to be restored to
                 type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing
                   up data
                 type: string
             type: object
+          status:
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is
+                  instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean
+            type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true
     served: true

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -19,28 +19,6 @@ spec:
         properties:
           spec:
             properties:
-              ca_trust_bundle:
-                description: Path where the trusted CA bundle is available
-                type: string
-              deployment_type:
-                description: Name of the deployment type
-                type: string
-                default: awx
-              kind:
-                description: Kind of the deployment type
-                type: string
-                default: AWX
-              api_version:
-                description: apiVersion of the deployment type
-                type: string
-                default: awx.ansible.com/v1beta1
-              development_mode:
-                description: If the deployment should be done in development mode
-                type: boolean
-              ldap_cacert_secret:
-                description: Secret where can be found the LDAP trusted Certificate
-                  Authority Bundle
-                type: string
               admin_email:
                 description: The admin user email
                 type: string
@@ -51,13 +29,38 @@ spec:
                 default: admin
                 description: Username to use for the admin account
                 type: string
+              api_version:
+                description: apiVersion of the deployment type
+                type: string
               broadcast_websocket_secret:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
+              bundle_cacert_secret:
+                description: Secret where can be found the trusted Certificate Authority
+                  Bundle
+                type: string
+              ca_trust_bundle:
+                description: Path where the trusted CA bundle is available
+                type: string
+              control_plane_ee_image:
+                description: Registry path to the Execution Environment container
+                  image to use on control plane pods
+                type: string
               create_preload_data:
                 default: true
                 description: Whether or not to preload data upon instance creation
                 type: boolean
+              deployment_type:
+                description: Name of the deployment type
+                type: string
+              development_mode:
+                description: If the deployment should be done in development mode
+                type: boolean
+              ee_extra_env:
+                type: string
+              ee_extra_volume_mounts:
+                description: Specify volume mounts to be added to Execution container
+                type: string
               ee_images:
                 description: Registry path to the Execution Environment container
                   to use
@@ -69,6 +72,42 @@ spec:
                       type: string
                   type: object
                 type: array
+              ee_pull_credentials_secret:
+                description: Secret where pull credentials for registered ees can
+                  be found
+                type: string
+              ee_resource_requirements:
+                description: Resource requirements for the ee container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                type: object
+              extra_settings:
+                description: Extra settings to specify for the API
+                items:
+                  properties:
+                    setting:
+                      type: string
+                    value:
+                      x-kubernetes-preserve-unknown-fields: true
+                  type: object
+                type: array
               extra_volumes:
                 description: Specify extra volumes to add to the application pod
                 type: string
@@ -82,9 +121,6 @@ spec:
               image:
                 description: Registry path to the application container to use
                 type: string
-              image_version:
-                description: Application container image version to use
-                type: string
               image_pull_policy:
                 default: IfNotPresent
                 description: The image pull policy
@@ -99,11 +135,17 @@ spec:
               image_pull_secret:
                 description: The image pull secret
                 type: string
+              image_version:
+                description: Application container image version to use
+                type: string
               ingress_annotations:
-                description: Annotations to add to the ingress
+                description: Annotations to add to the Ingress Controller
+                type: string
+              ingress_path:
+                description: The ingress path used to reach the deployed service
                 type: string
               ingress_tls_secret:
-                description: Secret where the ingress TLS secret can be found
+                description: Secret where the Ingress TLS secret can be found
                 type: string
               ingress_type:
                 description: The ingress type to use to reach the deployed instance
@@ -113,10 +155,25 @@ spec:
                 - ingress
                 - Route
                 - route
-                - LoadBalancer
-                - loadbalancer
-                - NodePort
-                - nodeport
+                type: string
+              init_container_image:
+                description: Registry path to the init container to use
+                type: string
+              init_container_image_version:
+                description: Init container image version to use
+                type: string
+              init_container_extra_commands:
+                description: Extra commands for the init container
+                type: string
+              init_container_extra_volume_mounts:
+                description: Specify volume mounts to be added to the init container
+                type: string
+              kind:
+                description: Kind of the deployment type
+                type: string
+              ldap_cacert_secret:
+                description: Secret where can be found the LDAP trusted Certificate
+                  Authority Bundle
                 type: string
               loadbalancer_annotations:
                 description: Annotations to add to the loadbalancer
@@ -135,9 +192,6 @@ spec:
               node_selector:
                 description: nodeSelector for the pods
                 type: string
-              service_labels:
-                description: Additional labels to apply to the service
-                type: string
               old_postgres_configuration_secret:
                 description: Secret where the old database configuration can be found
                   for data migration
@@ -154,46 +208,50 @@ spec:
               postgres_image_version:
                 description: PostgreSQL container image version to use
                 type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for data
+                  migration
+                type: string
+              postgres_resource_requirements:
+                description: Resource requirements for the PostgreSQL container
+                properties:
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
               postgres_selector:
                 description: nodeSelector for the Postgres pods
                 type: string
-              postgres_tolerations:
-                description: node tolerations for the Postgres pods
+              postgres_storage_class:
+                description: Storage class to use for the PostgreSQL PVC
                 type: string
               postgres_storage_requirements:
                 description: Storage requirements for the PostgreSQL container
                 properties:
-                  requests:
-                    properties:
-                      storage:
-                        type: string
-                    type: object
                   limits:
                     properties:
                       storage:
                         type: string
                     type: object
-                type: object
-              postgres_resource_requirements:
-                description: Resource requirements for the PostgreSQL container
-                properties:
                   requests:
                     properties:
-                      cpu:
-                        type: string
-                      memory:
-                        type: string
-                    type: object
-                  limits:
-                    properties:
-                      cpu:
-                        type: string
-                      memory:
+                      storage:
                         type: string
                     type: object
                 type: object
-              postgres_storage_class:
-                description: Storage class to use for the PostgreSQL PVC
+              postgres_tolerations:
+                description: node tolerations for the Postgres pods
                 type: string
               projects_existing_claim:
                 description: PersistentVolumeClaim to mount /var/lib/projects directory
@@ -226,9 +284,6 @@ spec:
               redis_image_version:
                 description: Redis container image version to use
                 type: string
-              service_account_annotations:
-                description: ServiceAccount annotations
-                type: string
               replicas:
                 default: 1
                 description: Number of instance replicas
@@ -252,6 +307,22 @@ spec:
               secret_key_secret:
                 description: Secret where the secret key can be found
                 type: string
+              service_account_annotations:
+                description: ServiceAccount annotations
+                type: string
+              service_labels:
+                description: Additional labels to apply to the service
+                type: string
+              service_type:
+                description: The service type to be used on the deployed instance
+                enum:
+                - LoadBalancer
+                - loadbalancer
+                - ClusterIP
+                - clusterip
+                - NodePort
+                - nodeport
+                type: string
               task_args:
                 items:
                   type: string
@@ -261,10 +332,6 @@ spec:
                   type: string
                 type: array
               task_extra_env:
-                description: Environment variables to be added to Task container
-                type: string
-              ee_extra_volume_mounts:
-                description: Specify volume mounts to be added to Execution container
                 type: string
               task_extra_volume_mounts:
                 description: Specify volume mounts to be added to Task container
@@ -307,10 +374,9 @@ spec:
                   type: string
                 type: array
               web_extra_env:
-                description: Environment variables to be added to Web container
                 type: string
               web_extra_volume_mounts:
-                description: Specify volume mounts to be added to web container
+                description: Specify volume mounts to be added to the Web container
                 type: string
               web_resource_requirements:
                 description: Resource requirements for the web container
@@ -334,19 +400,21 @@ spec:
                         type: string
                     type: object
                 type: object
-              extra_settings:
-                description: Extra settings to specify for the API
-                items:
-                  properties:
-                    setting:
-                      type: string
-                    value:
-                      type: string
-                  type: object
-                type: array
             type: object
           status:
             properties:
+              URL:
+                description: URL to access the deployed instance
+                type: string
+              adminPasswordSecret:
+                description: Admin password secret name of the deployed instance
+                type: string
+              adminUser:
+                description: Admin user of the deployed instance
+                type: string
+              broadcastWebsocketSecret:
+                description: Broadcast websocket secret name of the deployed instance
+                type: string
               conditions:
                 description: The resulting conditions when a Service Telemetry is
                   instantiated
@@ -362,20 +430,17 @@ spec:
                       type: string
                   type: object
                 type: array
-              adminPasswordSecret:
-                description: Admin password of the deployed instance
-                type: string
-              adminUser:
-                description: Admin user of the deployed instance
-                type: string
               image:
                 description: URL of the image used for the deployed instance
                 type: string
               migratedFromSecret:
                 description: The secret used for migrating an old instance.
                 type: string
-              URL:
-                description: URL to access the deployed instance
+              postgresConfigurationSecret:
+                description: Postgres Configuration secret name of the deployed instance
+                type: string
+              secretKeySecret:
+                description: Secret key secret name of the deployed instance
                 type: string
               version:
                 description: Version of the deployed instance

molecule/default/molecule.yml

@@ -27,8 +27,3 @@ provisioner:
     group_vars:
       all:
         operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-9443}'

molecule/test-local/ansible.cfg

@@ -1,2 +0,0 @@
-[defaults]
-stdout_callback = yaml

molecule/test-local/converge.yml

@@ -1,133 +0,0 @@
----
-- name: Build Operator in Kind container
-  hosts: k8s
-
-  vars:
-    image_name: awx.ansible.com/awx-operator:testing
-
-  tasks:
-    # using command so we don't need to install any dependencies
-    - name: Get existing image hash
-      command: docker images -q {{ image_name }}
-      register: prev_hash
-      changed_when: false
-
-    - name: Build Operator Image
-      command: docker build -f /build/build/Dockerfile -t {{ image_name }} /build
-      register: build_cmd
-      changed_when: not prev_hash.stdout or (prev_hash.stdout and prev_hash.stdout not in ''.join(build_cmd.stdout_lines[-2:]))
-
-- name: Converge
-  hosts: localhost
-  connection: local
-
-  vars:
-    ansible_python_interpreter: '{{ ansible_playbook_python }}'
-    deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy"
-    templates_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/ansible/templates"
-    pull_policy: Never
-    operator_image: awx.ansible.com/awx-operator
-    operator_version: testing
-    ansible_debug_logs: "true"
-    custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"
-
-  tasks:
-    - block:
-        - name: Delete the Operator Deployment
-          k8s:
-            state: absent
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-          register: delete_deployment
-          when: hostvars[groups.k8s.0].build_cmd.changed
-
-        - name: Wait 30s for Operator Deployment to terminate
-          k8s_info:
-            api_version: '{{ definition.apiVersion }}'
-            kind: '{{ definition.kind }}'
-            namespace: '{{ operator_namespace }}'
-            name: '{{ definition.metadata.name }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: deployment
-          until: not deployment.resources
-          delay: 3
-          retries: 10
-          when: delete_deployment.changed
-
-        - name: Create the Operator Deployment
-          k8s:
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-
-        - name: Ensure the AWX custom_resource namespace exists
-          k8s:
-            state: present
-            name: '{{ custom_resource.metadata.namespace }}'
-            kind: Namespace
-            api_version: v1
-
-        - name: Create the AWX Custom Resource
-          k8s:
-            state: present
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            definition: '{{ custom_resource }}'
-
-        - name: Wait 15m for reconciliation to run
-          k8s_info:
-            api_version: '{{ custom_resource.apiVersion }}'
-            kind: '{{ custom_resource.kind }}'
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            name: '{{ custom_resource.metadata.name }}'
-          register: cr
-          until:
-            - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))"
-          delay: 6
-          retries: 150
-
-      rescue:
-
-        - name: debug cr
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: debug_cr
-          vars:
-            debug_cr: '{{ lookup("k8s",
-              kind=custom_resource.kind,
-              api_version=custom_resource.apiVersion,
-              namespace=custom_resource.metadata.namespace,
-              resource_name=custom_resource.metadata.name)
-            }}'
-
-        - name: debug awx deployment
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: deploy
-          vars:
-            deploy: '{{ lookup("k8s",
-              kind="Deployment",
-              api_version="apps/v1",
-              namespace=custom_resource.metadata.namespace,
-              label_selector="app.kubernetes.io/name=example-awx")
-            }}'
-
-        - name: get operator logs
-          ignore_errors: yes
-          failed_when: false
-          command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }}
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: log
-
-        - name: print debug output
-          debug: var=log.stdout_lines
-
-        - name: fail if converge didn't succeed
-          fail:
-            msg: "Failed on action: converge"
-
-- import_playbook: '{{ playbook_dir }}/../default/asserts.yml'

molecule/test-local/molecule.yml

@@ -1,46 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-platforms:
-  - name: kind-test-local
-    groups:
-      - k8s
-    image: bsycorp/kind:v1.17.9
-    privileged: True
-    override_command: no
-    exposed_ports:
-      - 8443/tcp
-      - 10080/tcp
-    published_ports:
-      - 0.0.0.0:${TEST_CLUSTER_PORT:-10443}:8443/tcp
-    pre_build_image: yes
-    volumes:
-      - ${MOLECULE_PROJECT_DIRECTORY}:/build:Z
-provisioner:
-  name: ansible
-  log: True
-  inventory:
-    group_vars:
-      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-10443}'
-scenario:
-  test_sequence:
-    - lint
-    - destroy
-    - dependency
-    - syntax
-    - create
-    - prepare
-    - converge
-    - destroy

molecule/test-local/prepare.yml

@@ -1,38 +0,0 @@
----
-- name: Prepare kubernetes environment
-  hosts: k8s
-  gather_facts: no
-  vars:
-    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-  tasks:
-    - name: delete the kubeconfig if present
-      file:
-        path: '{{ kubeconfig }}'
-        state: absent
-      delegate_to: localhost
-
-    - name: Fetch the kubeconfig
-      fetch:
-        dest: '{{ kubeconfig }}'
-        flat: yes
-        src: /root/.kube/config
-
-    - name: Change the kubeconfig port to the proper value
-      replace:
-        regexp: 8443
-        replace: "{{ lookup('env', 'KIND_PORT') }}"
-        path: '{{ kubeconfig }}'
-        mode: 0644
-      delegate_to: localhost
-
-    - name: Wait for the Kubernetes API to become available (this could take a minute)
-      uri:
-        url: "http://localhost:10080/kubernetes-ready"
-        status_code: 200
-        validate_certs: no
-      register: result
-      until: (result.status|default(-1)) == 200
-      retries: 60
-      delay: 5
-
-- import_playbook: ../default/prepare.yml

molecule/test-minikube/converge.yml

@@ -126,8 +126,6 @@
           ignore_errors: yes
           failed_when: false
           command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }} -c operator
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
           vars:
             definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
           register: log

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
-  - name: community.kubernetes
+  - name: kubernetes.core
     version: '==1.1.1'
   - name: operator_sdk.util
     version: '==0.1.0'

roles/backup/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/backup/tasks/awx-cro.yml

@@ -10,15 +10,25 @@
 
 - name: Set AWX object
   set_fact:
-    _awx: "{{ _awx_cro['resources'][0] }}"
+    _awx: "{{ this_awx['resources'][0]['spec'] }}"
 
-- name: Set user specified spec
+- name: Set names of backed up secrets in the CR spec
   set_fact:
-    awx_spec: "{{ _awx['spec'] }}"
+    _awx: "{{ _awx | combine ({ item.key : item.value }) }}"
+  with_items:
+    - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
+    - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
+    - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"}
+
+- name: Set AWX object
+  set_fact:
+    awx_spec:
+      spec: "{{ _awx }}"
 
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ awx_spec }}' > {{ backup_dir }}/awx_object"
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}

roles/backup/tasks/dump_generated_secret.yml

@@ -0,0 +1,39 @@
+---
+
+- name: Get secret name
+  set_fact:
+      _name: "{{ this_awx['resources'][0]['status'][item] }}"
+
+- name: Fail if status is not set on AWX CR
+  block:
+      - name: Set error message
+        set_fact:
+            error_msg: "{{ item }} status is not set on AWX object yet"
+
+      - name: Handle error
+        import_tasks: error_handling.yml
+
+      - name: Fail early if secret name status is not set
+        fail:
+            msg: "{{ error_msg }}"
+  when: _name is not defined or _name == ''
+
+- name: Get secret
+  k8s_info:
+      version: v1
+      kind: Secret
+      namespace: '{{ meta.namespace }}'
+      name: "{{ _name }}"
+  register: _secret
+  no_log: true
+
+- name: Set secret data
+  set_fact:
+      _data: "{{ _secret['resources'][0]['data'] }}"
+      _type: "{{ _secret['resources'][0]['type'] }}"
+  no_log: true
+
+- name: Create and Add secret names and data to dictionary
+  set_fact:
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
+  no_log: true

roles/backup/tasks/dump_secret.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Get Secret Name
+  set_fact:
+      _name: "{{ awx_spec.spec[item] | default('') }}"
+
+- name: Backup secret if defined
+  block:
+      - name: Get secret
+        k8s_info:
+            version: v1
+            kind: Secret
+            namespace: '{{ meta.namespace }}'
+            name: "{{ _name }}"
+        register: _secret
+        no_log: true
+
+      - name: Set secret key
+        set_fact:
+            _data: "{{ _secret['resources'][0]['data'] }}"
+            _type: "{{ _secret['resources'][0]['type'] }}"
+        no_log: true
+
+      - name: Create and Add secret names and data to dictionary
+        set_fact:
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
+        no_log: true
+  when: _name != ''

roles/backup/tasks/init.yml

@@ -45,10 +45,21 @@
   set_fact:
     backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
-- name: Create PVC for backup
-  k8s:
-    kind: PersistentVolumeClaim
-    template: "backup_pvc.yml.j2"
+- block:
+    - name: Create PVC for backup
+      k8s:
+        kind: PersistentVolumeClaim
+        template: "backup_pvc.yml.j2"
+
+    - name: Remove PVC ownerReference
+      k8s:
+        definition:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          metadata:
+            name: '{{ deployment_name }}-backup-claim'
+            namespace: '{{ backup_pvc_namespace }}'
+            ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined
 

roles/backup/tasks/main.yml

@@ -30,10 +30,10 @@
 
     - include_tasks: postgres.yml
 
-    - include_tasks: secrets.yml
-
     - include_tasks: awx-cro.yml
 
+    - include_tasks: secrets.yml
+
     - name: Set flag signifying this backup was successful
       set_fact:
         backup_complete: true
@@ -45,5 +45,3 @@
 
 - name: Update status variables
   include_tasks: update_status.yml
-
-# TODO: backup tower settings or make sure that users only specify settings/config changes via AWX object.  See ticket

roles/backup/tasks/postgres.yml

@@ -6,6 +6,7 @@
     namespace: '{{ meta.namespace }}'
     name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
   register: pg_config
+  no_log: true
 
 - name: Fail if postgres configuration secret status does not exist
   fail:
@@ -20,11 +21,12 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
+  no_log: true
 
 - block:
     - name: Delete pod to reload a resource configuration
       set_fact:
-        postgres_label_selector: "app.kubernetes.io/name={{ deployment_name }}-postgres"
+        postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
       when: postgres_label_selector is not defined
 
     - name: Get the postgres pod information
@@ -77,6 +79,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + meta.namespace + ".svc.cluster.local", awx_postgres_host) }}'  # noqa 204
+  no_log: true
 
 - name: Set pg_dump command
   set_fact:
@@ -87,11 +90,18 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Write pg_dump to backup on PVC
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
-    command: >-
-      bash -c "PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db"
+    command: |
+      bash -c """
+      set -e -o pipefail
+      PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
+      echo 'Successful'
+      """
   register: data_migration
+  no_log: true
+  failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -1,65 +1,38 @@
 ---
 
-- name: Get secret_key
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"
-  register: _secret_key
+- name: Create Temporary secrets file
+  tempfile:
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
-- name: Set secret key
+- name: Dump (generated) secret names from statuses and data into file
+  include_tasks: dump_generated_secret.yml
+  with_items:
+    - secretKeySecret
+    - adminPasswordSecret
+    - broadcastWebsocketSecret
+    - postgresConfigurationSecret
+
+- name: Dump secret names from awx spec and data into file
+  include_tasks: dump_secret.yml
+  loop:
+    - route_tls_secret
+    - ingress_tls_secret
+    - ldap_cacert_secret
+    - bundle_cacert_secret
+    - image_pull_secret
+    - ee_pull_credentials_secret
+
+- name: Nest secrets under a single variable
   set_fact:
-    secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
-
-- name: Get admin_password
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"
-  register: _admin_password
-
-- name: Set admin_password
-  set_fact:
-    admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
-
-- name: Get broadcast_websocket
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"
-  register: _broadcast_websocket
-
-- name: Set broadcast_websocket key
-  set_fact:
-    broadcast_websocket: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
-
-- name: Get postgres configuration
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
-  register: _postgres_configuration
-
-- name: Set postgres type
-  set_fact:
-    database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
-  when: _postgres_configuration['resources'][0]['data']['type'] is defined
-
-- name: Set postgres configuration
-  set_fact:
-    database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
-    database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
-    database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
-    database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
-    database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
-
-- name: Template secrets into yaml
-  set_fact:
-    secrets_file: "{{ lookup('template', 'secrets.yml.j2') }}"
+    secrets: {"secrets": '{{ secret_dict }}'}
+  no_log: true
 
 - name: Write postgres configuration to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c "echo '{{ secrets_file }}' > {{ backup_dir }}/secrets.yml"
+      bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
+  no_log: true

roles/backup/templates/backup_pvc.yml.j2

@@ -4,6 +4,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: {{ deployment_name }}-backup-claim
   namespace: {{ backup_pvc_namespace }}
+  ownerReferences: null
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
     app.kubernetes.io/part-of: '{{ meta.name }}'

roles/backup/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/backup/templates/secrets.yml.j2

@@ -1,14 +0,0 @@
----
-secret_key_secret_name: "{{ _secret_key['resources'][0]['metadata']['name'] }}"
-admin_password_secret_name: "{{ _admin_password['resources'][0]['metadata']['name'] }}"
-broadcast_websocket_secret_name: "{{ _broadcast_websocket['resources'][0]['metadata']['name'] }}"
-postgres_configuration_secret_name: "{{ _postgres_configuration['resources'][0]['metadata']['name'] }}"
-secret_key: {{ secret_key }}
-admin_password: {{ admin_password }}
-broadcast_websocket: {{ broadcast_websocket }}
-database_password: {{ database_password }}
-database_username: {{ database_username }}
-database_name: {{ database_name }}
-database_port: {{ database_port }}
-database_host: {{ database_host }}
-database_type: {{ database_type }}

roles/backup/vars/main.yml

@@ -1,5 +1,6 @@
 ---
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 backup_complete: false
 database_type: "unmanaged"

roles/installer/defaults/main.yml

@@ -9,7 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
-
+ingress_path: '/'
 # Add annotations to the service account. Specify as literal block. E.g.:
 # service_account_annotations: |
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -93,6 +93,10 @@ postgres_configuration_secret: ''
 
 old_postgres_configuration_secret: ''
 
+# Secret to lookup that provides default execution environment pull credentials
+#
+ee_pull_credentials_secret: ''
+
 # Add extra volumes to the AWX pod. Specify as literal block. E.g.:
 # extra_volumes: |
 #   - name: my-volume
@@ -102,17 +106,37 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.0
+image_version: 19.2.2
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
+# Extra commands which will be appended to the initContainer
+# Make sure that each command entered return an exit code 0
+# otherwise the initContainer will fail
+# init_container_extra_commands: |
+#   date >> /var/lib/awx/projects/timestamp
+#   chgrp 1000 /shared
+#   chmod 775 /shared
+init_container_extra_commands: ''
+
+# Mount extra volumes on the initContainer.
+# The volume used must be defined as an `extra_volumes` resource
+# init_container_extra_volume_mounts: |
+#   - name: shared-vol
+#     mountPath: /shared
+init_container_extra_volume_mounts: ''
+
 ee_images:
-  - name: AWX EE 0.3.0
-    image: quay.io/ansible/awx-ee:0.3.0
+  - name: AWX EE (latest)
+    image: quay.io/ansible/awx-ee:latest
+
+control_plane_ee_image: quay.io/ansible/awx-ee:latest
 
 create_preload_data: true
 
@@ -134,6 +158,11 @@ web_resource_requirements:
     cpu: 1000m
     memory: 2Gi
 
+ee_resource_requirements:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -143,6 +172,7 @@ web_resource_requirements:
 #     value: bing
 task_extra_env: ''
 web_extra_env: ''
+ee_extra_env: ''
 
 # Mount extra volumes on the AWX task/web containers. Specify as literal block.
 # E.g.:
@@ -194,6 +224,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #

roles/installer/meta/main.yml

@@ -28,5 +28,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/installer/tasks/admin_password_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ admin_password_secret }}'
   register: _custom_admin_password
+  no_log: true
   when: admin_password_secret | length
 
 - name: Check for default admin password configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-admin-password'
   register: _default_admin_password
+  no_log: true
 
 - name: Set admin password secret
   set_fact:
     _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
+  no_log: true
 
 - block:
     - name: Create admin password secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read admin password secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-admin-password'
       register: _generated_admin_password
+      no_log: true
 
   when: not _admin_password_secret['resources'] | default([]) | length
 
 - name: Set admin password secret
   set_fact:
     __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
+  no_log: true
 
 - name: Store admin password
   set_fact:
     admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
+  no_log: true

roles/installer/tasks/broadcast_websocket_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ broadcast_websocket_secret }}'
   register: _custom_broadcast_websocket
+  no_log: true
   when: broadcast_websocket_secret | length
 
 - name: Check for default broadcast websocket secret configuration
@@ -13,17 +14,20 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-broadcast-websocket'
   register: _default_broadcast_websocket
+  no_log: true
 
 - name: Set broadcast websocket secret
   set_fact:
     # yamllint disable-line rule:line-length
     _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
+  no_log: true
 
 - block:
     - name: Create broadcast websocket secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read broadcast websocket secret
       k8s_info:
@@ -31,6 +35,7 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-broadcast-websocket'
       register: _generated_broadcast_websocket
+      no_log: true
 
   when: not _broadcast_websocket_secret['resources'] | default([]) | length
 
@@ -38,7 +43,9 @@
   set_fact:
     # yamllint disable-line rule:line-length
     __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
+  no_log: true
 
 - name: Store broadcast websocket secret name
   set_fact:
     broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
+  no_log: true

roles/installer/tasks/cleanup.yml

@@ -23,5 +23,6 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
+      no_log: true
 
   when: not garbage_collect_secrets | bool

roles/installer/tasks/database_configuration.yml

@@ -6,6 +6,7 @@
     name: '{{ postgres_configuration_secret }}'
   register: _custom_pg_config_resources
   when: postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default PostgreSQL configuration
   k8s_info:
@@ -13,6 +14,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
+  no_log: true
 
 - name: Check for specified old PostgreSQL configuration secret
   k8s_info:
@@ -21,6 +23,7 @@
     name: '{{ old_postgres_configuration_secret }}'
   register: _custom_old_pg_config_resources
   when: old_postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default old PostgreSQL configuration
   k8s_info:
@@ -28,6 +31,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-old-postgres-configuration'
   register: _default_old_pg_config_resources
+  no_log: true
 
 - name: Set old PostgreSQL configuration
   set_fact:
@@ -41,16 +45,19 @@
   when:
     - old_pg_config['resources'] is defined
     - old_pg_config['resources'] | length
+  no_log: true
 
 - name: Set PostgreSQL configuration
   set_fact:
     _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
+  no_log: true
 
 - block:
     - name: Create Database configuration
       k8s:
         apply: true
         definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read Database Configuration
       k8s_info:
@@ -58,11 +65,13 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-postgres-configuration'
       register: _generated_pg_config_resources
+      no_log: true
   when: not _pg_config['resources'] | default([]) | length
 
 - name: Set PostgreSQL Configuration
   set_fact:
     pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
+  no_log: true
 
 - name: Set actual postgres configuration secret used
   set_fact:
@@ -80,7 +89,7 @@
       include_tasks: scale_down_deployment.yml
 
     - name: Scale down PostgreSQL statefulset for migration
-      community.kubernetes.k8s_scale:
+      kubernetes.core.k8s_scale:
         api_version: apps/v1
         kind: StatefulSet
         name: "{{ meta.name }}-postgres"
@@ -112,6 +121,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
+  no_log: true
 
 - name: Look up details for this deployment
   k8s_info:

roles/installer/tasks/initialize_django.yml

@@ -6,7 +6,7 @@
     container: "{{ meta.name }}-task"
     command: >-
       bash -c "echo 'from django.contrib.auth.models import User;
-      nsu = User.objects.filter(is_superuser=True, username='{{ admin_user }}').count();
+      nsu = User.objects.filter(is_superuser=True, username=\"{{ admin_user }}\").count();
       exit(0 if nsu > 0 else 1)'
       | awx-manage shell"
   ignore_errors: true
@@ -22,6 +22,7 @@
       bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
   register: update_pw_result
   changed_when: users_result.stdout == 'Password not updated'
+  no_log: true
   when: users_result.return_code == 0
 
 - name: Create super user via Django if it doesn't exist.
@@ -33,6 +34,7 @@
       bash -c "echo \"from django.contrib.auth.models import User;
       User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
       | awx-manage shell"
+  no_log: true
   when: users_result.return_code > 0
 
 - name: Create preload data if necessary.  # noqa 305
@@ -45,3 +47,74 @@
   register: cdo
   changed_when: "'added' in cdo.stdout"
   when: create_preload_data | bool
+
+- name: Check if legacy queue is present
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'"
+  register: legacy_queue
+  changed_when: false
+
+- name: Unregister legacy queue
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage unregister_queue --queuename=tower"
+  when: "'[tower capacity=' in legacy_queue.stdout"
+
+- name: Check for specified default execution environment pull credentials
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ee_pull_credentials_secret }}'
+  register: _custom_execution_environments_pull_credentials
+  when: ee_pull_credentials_secret | length
+
+- name: Set execution environment pull credential secret
+  set_fact:
+    _execution_environments_pull_credentials: >-
+      {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
+      | ternary(_custom_execution_environments_pull_credentials, []) }}
+  no_log: true
+
+- name: Register default execution environments (without authentication)
+  k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ meta.name }}-task"
+    command: >-
+      bash -c "awx-manage register_default_execution_environments"
+  register: ree
+  changed_when: "'changed: True' in ree.stdout"
+  when: not _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- block:
+    - name: Store default execution environment pull credentials
+      set_fact:
+        default_execution_environment_pull_credentials_user: "{{ _execution_environments_pull_credentials['resources'][0]['data']['username'] | b64decode }}"
+        default_execution_environment_pull_credentials_pass: "{{ _execution_environments_pull_credentials['resources'][0]['data']['password'] | b64decode }}"
+        default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
+        default_execution_environment_pull_credentials_url_verify: >-
+          {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+      no_log: true
+
+    - name: Register default execution environments (with authentication)
+      k8s_exec:
+        namespace: "{{ meta.namespace }}"
+        pod: "{{ tower_pod_name }}"
+        container: "{{ meta.name }}-task"
+        command: >-
+          bash -c "awx-manage register_default_execution_environments
+          --registry-username='{{ default_execution_environment_pull_credentials_user }}'
+          --registry-password='{{ default_execution_environment_pull_credentials_pass }}'
+          --registry-url='{{ default_execution_environment_pull_credentials_url }}'
+          --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
+      register: ree
+      changed_when: "'changed: True' in ree.stdout"
+      no_log: true
+  when: _execution_environments_pull_credentials['resources'] | default([]) | length

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ bundle_cacert_secret }}'
+  register: bundle_cacert
+  no_log: true
+
+- name: Load bundle Certificate Authority Secret content
+  set_fact:
+    bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  no_log: true
+  when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -5,8 +5,10 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ ldap_cacert_secret }}'
   register: ldap_cacert
+  no_log: true
 
 - name: Load LDAP CA Certificate Secret content
   set_fact:
     ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/load_route_tls_secret.yml

@@ -5,13 +5,16 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ route_tls_secret }}'
   register: route_tls
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
     route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ca.crt" in route_tls["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load bundle certificate authority certificate
+  include_tasks: load_bundle_cacert_secret.yml
+  when:
+    - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 

roles/installer/tasks/migrate_data.yml

@@ -11,6 +11,7 @@
     awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
     awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -47,6 +48,7 @@
       -d {{ awx_old_postgres_database }}
       -p {{ awx_old_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Set pg_restore command
   set_fact:
@@ -54,6 +56,7 @@
       pg_restore --clean --if-exists
       -U {{ database_username }}
       -d {{ database_name }}
+  no_log: true
 
 - name: Stream backup from pg_dump to the new postgresql container
   k8s_exec:
@@ -65,6 +68,7 @@
       PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
       echo 'Successful'
       """
+  no_log: true
   register: data_migration
   failed_when: "'Successful' not in data_migration.stdout"
 

roles/installer/tasks/resources_configuration.yml

@@ -30,6 +30,7 @@
     - 'persistent'
     - 'service'
     - 'ingress'
+  no_log: true
 
 - name: Apply deployment resources
   k8s:

roles/installer/tasks/scale_down_deployment.yml

@@ -9,7 +9,7 @@
   register: tower_deployment
 
 - name: Scale down Deployment for migration
-  community.kubernetes.k8s_scale:
+  kubernetes.core.k8s_scale:
     api_version: v1
     kind: Deployment
     name: "{{ meta.name }}"

roles/installer/tasks/secret_key_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ secret_key_secret }}'
   register: _custom_secret_key
+  no_log: true
   when: secret_key_secret | length
 
 - name: Check for default secret key configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-secret-key'
   register: _default_secret_key
+  no_log: true
 
 - name: Set secret key secret
   set_fact:
     _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
+  no_log: true
 
 - block:
     - name: Create secret key secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
+      no_log: true
 
     - name: Read secret key secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-secret-key'
       register: _generated_secret_key
+      no_log: true
 
   when: not _secret_key_secret['resources'] | default([]) | length
 
 - name: Set secret key secret
   set_fact:
     __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret)  }}'
+  no_log: true
 
 - name: Store secret key secret name
   set_fact:
     secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
+  no_log: true

roles/installer/tasks/update_status.yml

@@ -75,6 +75,7 @@
 - block:
     - name: Retrieve route URL
       k8s_info:
+        api_version: 'route.openshift.io/v1'
         kind: Route
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}'

roles/installer/templates/config.yaml.j2

@@ -46,7 +46,7 @@ data:
     AWX_AUTO_DEPROVISION_INSTANCES = True
     
     CLUSTER_HOST_ID = socket.gethostname()
-    SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
+    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
     CSRF_COOKIE_SECURE = False
     SESSION_COOKIE_SECURE = False
@@ -90,11 +90,7 @@ data:
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
 {% for item in extra_settings | default([]) %}
-{% if item.value is string %}
-    {{ item.setting }} = '{{ item.value }}'
-{% else %}
     {{ item.setting }} = {{ item.value }}
-{% endif %}
 {% endfor %}
 
   nginx_conf: |
@@ -150,6 +146,11 @@ data:
 
             ssl_certificate /etc/nginx/pki/web.crt;
             ssl_certificate_key /etc/nginx/pki/web.key;
+            ssl_session_cache shared:SSL:50m;
+            ssl_session_timeout 1d;
+            ssl_session_tickets off;
+            ssl_ciphers PROFILE=SYSTEM;
+            ssl_prefer_server_ciphers on;
         {% else %}
             listen 8052 default_server;
         {% endif %}
@@ -160,8 +161,6 @@ data:
     
             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;
-            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
-            add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
     
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
@@ -178,7 +177,7 @@ data:
             }
     
             location /favicon.ico {
-                alias /var/lib/awx/public/static/favicon.ico;
+                alias /var/lib/awx/public/static/media/favicon.ico;
             }
     
             location /websocket {
@@ -214,6 +213,13 @@ data:
                 {%- endif %}
                 proxy_set_header X-Forwarded-Port 443;
                 uwsgi_param HTTP_X_FORWARDED_PORT 443;
+
+                add_header Strict-Transport-Security max-age=15768000;
+                # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+                add_header X-Frame-Options "DENY";
+                add_header Cache-Control "no-cache, no-store, must-revalidate";
+                add_header Expires "0";
+                add_header Pragma "no-cache";
             }
         }
     }

roles/installer/templates/deployment.yaml.j2

@@ -32,6 +32,43 @@ spec:
 {% if image_pull_secret %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+{% if bundle_ca_crt  %}
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+{% endif %}
+{% if projects_persistence|bool %}
+              chmod 775 /var/lib/awx/projects
+              chgrp 1000 /var/lib/awx/projects
+{% endif %}
+{% if init_container_extra_commands %}
+              {{ init_container_extra_commands | indent(width=14) }}
+{% endif %}
+          volumeMounts:
+{% if bundle_ca_crt  %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
+{% if projects_persistence|bool %}
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
+{% endif %}
+{% if init_container_extra_volume_mounts -%}
+            {{ init_container_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% endif %}
       containers:
         - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +99,14 @@ spec:
             - containerPort: 8053
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -141,6 +186,14 @@ spec:
           args: {{ task_args }}
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -205,11 +258,20 @@ spec:
             {{ task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ task_resource_requirements }}
-        - image: '{{ ee_images[0].image }}'
+        - image: '{{ control_plane_ee_image }}'
           name: '{{ meta.name }}-ee'
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ ee_resource_requirements }}
           args: ['receptor', '--config', '/etc/receptor.conf']
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-receptor-config"
               mountPath: "/etc/receptor.conf"
               subPath: receptor.conf
@@ -221,13 +283,16 @@ spec:
 {% if ee_extra_volume_mounts -%}
             {{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
 {% endif %}
-{% if development_mode | bool %}
           env:
+{% if development_mode | bool %}
             - name: SDB_NOTIFY_HOST
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
 {% endif %}
+{% if ee_extra_env -%}
+            {{ ee_extra_env | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% if node_selector %}
       nodeSelector:
         {{ node_selector | indent(width=8) }}
@@ -235,8 +300,22 @@ spec:
 {% if tolerations %}
       tolerations:
         {{ tolerations | indent(width=8) }}
+{% endif %}
+{% if projects_persistence|bool %}
+      securityContext:
+        fsGroup: 1000
 {% endif %}
       volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
         - name: "{{ meta.name }}-nginx-certs"
           secret:

roles/installer/templates/execution_environments.py.j2

@@ -1,5 +1,6 @@
-DEFAULT_EXECUTION_ENVIRONMENTS = [
+GLOBAL_JOB_EXECUTION_ENVIRONMENTS = [
 {% for item in ee_images %}
     {'name': '{{ item.name }}' , 'image': '{{ item.image }}'},
 {% endfor %}
 ]
+CONTROL_PLANE_EXECUTION_ENVIRONMENT = '{{ control_plane_ee_image }}'

roles/installer/templates/ingress.yaml.j2

@@ -20,7 +20,7 @@ spec:
     - host: '{{ hostname }}'
       http:
         paths:
-          - path: /
+          - path: '{{ ingress_path }}'
             backend:
               serviceName: '{{ meta.name }}-service'
               servicePort: 80

roles/installer/templates/postgres.yaml.j2

@@ -33,6 +33,10 @@ spec:
         app.kubernetes.io/part-of: '{{ meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
+{% if image_pull_secret %}
+      imagePullSecrets:
+        - name: {{ image_pull_secret }}
+{% endif %}
       containers:
         - image: '{{ postgres_image }}:{{ postgres_image_version }}'
           imagePullPolicy: '{{ image_pull_policy }}'

roles/installer/templates/service.yaml.j2

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
     {{ service_labels | indent(width=4) }}
-{% if ingress_type | lower == 'loadbalancer' and loadbalancer_annotations %}
+{% if service_type | lower == 'loadbalancer' and loadbalancer_annotations %}
   annotations:
     {{ loadbalancer_annotations | indent(width=4) }}
 {% endif %}

roles/installer/vars/main.yml

@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''

roles/restore/defaults/main.yml

@@ -6,7 +6,7 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 # Required: specify a pre-created PVC (name) to restore from
 backup_pvc: ''
-backup_pvc_namespace: ''
+backup_pvc_namespace: '{{ meta.namespace }}'
 
 # Required: backup name, found on the awxbackup object
 backup_dir: ''

roles/restore/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/restore/tasks/cleanup.yml

@@ -18,7 +18,20 @@
         namespace: '{{ meta.namespace }}'
         ownerReferences: null
   loop:
-    - '{{ secret_key_secret_name }}'
-    - '{{ admin_password_secret_name }}'
-    - '{{ broadcast_websocket_secret_name }}'
-    - '{{ postgres_configuration_secret_name }}'
+    - '{{ secret_key_secret }}'
+    - '{{ admin_password_secret }}'
+    - '{{ broadcast_websocket_secret }}'
+    - '{{ postgres_configuration_secret }}'
+  no_log: true
+
+- name: Cleanup temp spec file
+  file:
+    path: "{{ tmp_spec.path }}"
+    state: absent
+  when: tmp_spec.path is defined
+
+- name: Cleanup temp secret vars file
+  file:
+    path: "{{ secret_vars.path }}"
+    state: absent
+  when: secret_vars.path is defined

roles/restore/tasks/deploy_awx.yml

@@ -1,9 +1,5 @@
 ---
 
-- name: Save kind
-  set_fact:
-    _kind: "{{ kind }}"
-
 - name: Get AWX object definition from pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
@@ -25,31 +21,13 @@
 
 - name: Include spec vars to save them as a dict
   include_vars: "{{ tmp_spec.path }}"
-  register: spec
-
-- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
-  set_fact:
-    awx_spec: "{{ spec.ansible_facts }}"
-
-- name: Set names of backed up secrets in the CR spec
-  set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
-  with_items:
-    - {'key': 'secret_key_secret', 'value': '{{ secret_key_secret_name }}'}
-    - {'key': 'admin_password_secret', 'value': '{{ admin_password_secret_name }}'}
-    - {'key': 'broadcast_websocket_secret', 'value': '{{ broadcast_websocket_secret_name }}'}
-    - {'key': 'postgres_configuration_secret', 'value': '{{ postgres_configuration_secret_name }}'}
-
-- name: Restore kind
-  set_fact:
-    kind: "{{ _kind }}"
 
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"
     namespace: "{{ meta.namespace }}"
     apply: yes
-    template: awx_object.yml.j2
+    definition: "{{ lookup('template', 'awx_object.yml.j2') }}"
     wait: true
     wait_condition:
       type: "Running"

roles/restore/tasks/postgres.yml

@@ -1,11 +1,16 @@
 ---
 
+- name: Set Postgres Configuration Secret name
+  set_fact:
+    postgres_configuration_secret: "{{ spec['postgres_configuration_secret'] | default(postgres_configuration_secret) }}"
+
 - name: Check for specified PostgreSQL configuration
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
-    name: '{{ postgres_configuration_secret_name }}'
+    name: '{{ postgres_configuration_secret }}'
   register: pg_config
+  no_log: true
 
 - name: Store Database Configuration
   set_fact:
@@ -15,6 +20,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -59,6 +65,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local"
+  no_log: true
   when: awx_postgres_type == 'managed'
 
 - name: Set pg_restore command
@@ -70,6 +77,7 @@
       -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
+  no_log: true
 
 - name: Restore database dump to the new postgresql container
   k8s_exec:
@@ -82,4 +90,5 @@
       echo 'Successful'
       """
   register: data_migration
+  no_log: true
   failed_when: "'Successful' not in data_migration.stdout"

roles/restore/tasks/secrets.yml

@@ -6,27 +6,53 @@
     pod: "{{ meta.name }}-db-management"
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
-  register: secrets
+  register: _secrets
+  no_log: true
 
-- name: Create temp vars file
+- name: Create Temporary secrets file
   tempfile:
-    prefix: secret_vars-
-  register: secret_vars
+    state: file
+    suffix: .json
+  register: tmp_secrets
 
 - name: Write vars to file locally
   copy:
-    dest: "{{ secret_vars.path }}"
-    content: "{{ secrets.stdout }}"
+    dest: "{{ tmp_secrets.path }}"
+    content: "{{ _secrets.stdout }}"
     mode: 0640
+  no_log: true
 
 - name: Include secret vars from backup
-  include_vars: "{{ secret_vars.path }}"
+  include_vars: "{{ tmp_secrets.path }}"
+  no_log: true
 
-- name: Set new database host based on supplied deployment_name
-  set_fact:
-    database_host: "{{ deployment_name }}-postgres"
-  when:
-    - database_type == 'managed'
+- name: If deployment is managed, set the database_host in the pg config secret
+  block:
+    - name: Set new database host
+      set_fact:
+        database_host: "{{ deployment_name }}-postgres"
+      no_log: true
+
+    - name: Set tmp postgres secret dict
+      set_fact:
+        _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+      no_log: true
+
+    - name: Change postgres host value
+      set_fact:
+        _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+      no_log: true
+
+    - name: Create a postgres secret with the new host value
+      set_fact:
+        _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+      no_log: true
+
+    - name: Create a new dict of secrets with the new postgres secret
+      set_fact:
+        secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+      no_log: true
+  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
   k8s:
@@ -35,3 +61,16 @@
     apply: yes
     wait: yes
     template: "secrets.yml.j2"
+  no_log: true
+
+- name: Remove ownerReference on restored secrets
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ item.value.name }}"
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  loop: "{{ secrets | dict2items }}"
+  no_log: true

roles/restore/templates/awx_object.yml.j2

@@ -4,4 +4,5 @@ kind: AWX
 metadata:
   name: '{{ deployment_name }}'
   namespace: '{{ meta.namespace }}'
-spec: {{ awx_spec }}
+spec:
+  {{ spec | to_yaml | indent(2) }}

roles/restore/templates/management-pod.yml.j2

@@ -13,7 +13,7 @@ metadata:
 spec:
   containers:
   - name: {{ meta.name }}-db-management
-    image: "{{ postgres_image }}"
+    image: "{{ postgres_image }}:{{ postgres_image_version }}"
     imagePullPolicy: Always
     command: ["sleep", "infinity"]
     volumeMounts:

roles/restore/templates/secrets.yml.j2

@@ -1,9 +1,9 @@
-# Postgres Secret
+{% for secret in secrets %}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: '{{ postgres_configuration_secret_name }}'
+  name: '{{ secrets[secret]['name'] }}'
   namespace: '{{ meta.namespace }}'
   labels:
     app.kubernetes.io/name: '{{ meta.name }}'
@@ -11,58 +11,11 @@ metadata:
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+type: '{{ secrets[secret]['type'] }}'
 stringData:
-  password: '{{ database_password }}'
-  username: '{{ database_username }}'
-  database: '{{ database_name }}'
-  port: '{{ database_port }}'
-  host: '{{ database_host }}'
-  type: '{{ database_type }}'
+{% for key, value in secrets[secret]['data'].items() %}
+  {{ key }}: |-
+    {{ value | b64decode | indent(4) }}
+{% endfor %}
 
-# Secret Key Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ secret_key_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret_key: '{{ secret_key }}'
-
-# Admin Password Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ admin_password_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  password: '{{ admin_password }}'
-
-# Broadcast Websocket Secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ broadcast_websocket_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret: '{{ broadcast_websocket }}'
+{% endfor %}

roles/restore/vars/main.yml

@@ -1,13 +1,14 @@
 ---
 
 deployment_type: "awx"
-postgres_image: postgres:12
+postgres_image: postgres
+postgres_image_version: 12
 
 backup_api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 backup_kind: 'AWXBackup'
 
 # set default secret names to be used if a backup dir and claim are provided (not a backup_name)
-secret_key_secret_name: '{{ deployment_name }}-secret-key'
-admin_password_secret_name: '{{ deployment_name }}-admin-password'
-broadcast_websocket_secret_name: '{{ deployment_name }}-broadcast-websocket'
-postgres_configuration_secret_name: '{{ deployment_name }}-postgres-configuration'
+secret_key_secret: '{{ deployment_name }}-secret-key'
+admin_password_secret: '{{ deployment_name }}-admin-password'
+broadcast_websocket_secret: '{{ deployment_name }}-broadcast-websocket'
+postgres_configuration_secret: '{{ deployment_name }}-postgres-configuration'

scripts/build.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-## This script will be build 3 images awx-{operator,bundle,catalog}
+## This script will generate a bundle manifest, build 3 images awx-{operator,bundle,catalog}
 ## and push to the $REGISTRY specified.
 ##
 ## The goal is provide an quick way to build a test image.
@@ -10,7 +10,7 @@
 ## cd awx-operator
 ## REGISTRY=registry.example.com/ansible TAG=mytag ANSIBLE_DEBUG_LOGS=true scripts/build.sh
 ##
-## As a result, the $REGISTRY will be populated with 2 images
+## As a result, the $REGISTRY will be populated with 3 images
 ## registry.example.com/ansible/awx-operator:mytag
 ## registry.example.com/ansible/awx-operator-bundle:mytag
 ## registry.example.com/ansible/awx-operator-catalog:mytag
@@ -78,6 +78,7 @@ build_operator_image() {
 
 build_bundle_image() {
   echo "Building and pushing $BUNDLE_IMAGE image"
+  operator-sdk generate bundle --operator-name awx-operator --version $TAG
   $POD_MANAGER build . -f bundle.Dockerfile -t $REGISTRY/$BUNDLE_IMAGE:$TAG
   $POD_MANAGER push $REGISTRY/$BUNDLE_IMAGE:$TAG
 }

scripts/generate-files.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+## This script will auto-generate the templated files and bundle files 
+## after changes to CRD template files. Please use this instead of manually
+## updating the managed yaml files.  
+##
+## Example:
+## TAG=0.10.0 ./generate-files.sh
+
+TAG=${TAG:-''}
+if [[ -z "$TAG" ]]; then
+    echo "Set your \$TAG variable to your registry server."
+    echo "export TAG=mytag"
+    exit 1
+fi
+
+ansible-playbook ansible/chain-operator-files.yml
+operator-sdk generate bundle --operator-name awx-operator --version $TAG