Merge pull request #500 from shanemcd/0.13.0

Bump versions / OLM metadata

.github/workflows/ci.yaml

@@ -31,14 +31,21 @@ jobs:
             ansible-lint \
             openshift \
             jmespath \
-            ansible
+            ansible-core
 
       - name: Install Collections
         run: |
-         ansible-galaxy collection install community.kubernetes operator_sdk.util
+         ansible-galaxy collection install community.general kubernetes.core:1.2.1 operator_sdk.util
+
+      - name: Setup Minikube
+        uses: manusa/actions-setup-minikube@v2.4.2
+        with:
+          minikube version: 'v1.16.0'
+          kubernetes version: 'v1.19.2'
+          github token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Molecule
         env:
           MOLECULE_VERBOSITY: 3
         run: |
-          molecule test -s test-local
+          molecule test -s test-minikube

README.md

@@ -24,7 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
-         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
@@ -78,11 +78,11 @@ $ minikube start --addons=ingress --cpus=4 --cni=flannel --install-addons=true \
 Once Minikube is deployed, check if the node(s) and `kube-apiserver` communication is working as expected.
 
 ```bash
-$ kubectl get nodes
+$ minikube kubectl -- get nodes
 NAME       STATUS   ROLES                  AGE     VERSION
 minikube   Ready    control-plane,master   6m28s   v1.20.2
 
-$ kubectl get pods -A
+$ minikube kubectl -- get pods -A
 NAMESPACE       NAME                                        READY   STATUS      RESTARTS   AGE
 ingress-nginx   ingress-nginx-admission-create-tjk94        0/1     Completed   0          6m4s
 ingress-nginx   ingress-nginx-admission-patch-r4pl6         0/1     Completed   0          6m4s
@@ -97,6 +97,14 @@ kube-system     kube-scheduler-minikube                     1/1     Running
 kube-system     storage-provisioner                         1/1     Running     1          6m17s
 ```
 
+It is not required for `kubectl` to be separately installed since it comes already wrapped inside minikube. As demonstrated above, simply prefix `minikube kubectl --` before kubectl command, i.e. `kubectl get nodes` would become `minikube kubectl -- get nodes`
+
+Let's create an alias for easier usage: 
+
+```bash
+$ alias kubectl="minikube kubectl --"
+```
+
 Now you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release. Replace `<TAG>` in the URL `https://raw.githubusercontent.com/ansible/awx-operator/<TAG>/deploy/awx-operator.yaml` with the version you are deploying.
 
 ```bash
@@ -268,6 +276,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ingress_annotations        | Ingress annotations                      | Empty string                 |
 | ingress_tls_secret         | Secret that contains the TLS information | Empty string                 |
 | hostname                   | Define the FQDN                          | {{ meta.name }}.example.com  |
+| ingress_path               | Define the ingress path to the service   | /                            |
 
 ```yaml
 ---
@@ -505,28 +514,36 @@ spec:
       effect: "NoSchedule"
 ```
 
-#### LDAP Certificate Authority
+#### Trusting a Custom Certificate Authority
 
-If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
 
-| Name                             | Description                             | Default |
-| -------------------------------- | --------------------------------------- | --------|
-| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
+
+Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
+
 Example of customization could be:
 
 ```yaml
 ---
 spec:
   ...
-  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+  ldap_cacert_secret: <resourcename>-custom-certs
+  bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
 To create the secret, you can use the command below:
 
 ```sh
-# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+# kubectl create secret generic <resourcename>-custom-certs \
+    --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>  \
+    --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
 #### Persisting Projects Directory
@@ -556,15 +573,86 @@ spec:
 
 In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
 
-| Name                           | Description                                              | Default |
-| ------------------------------ | -------------------------------------------------------- | ------- |
-| extra_volumes                  | Specify extra volumes to add to the application pod      | ''      |
-| web_extra_volume_mounts        | Specify volume mounts to be added to Web container       | ''      |
-| task_extra_volume_mounts       | Specify volume mounts to be added to Task container      | ''      |
-| ee_extra_volume_mounts         | Specify volume mounts to be added to Execution container | ''      |
+| Name                              | Description                                              | Default |
+| --------------------------------- | -------------------------------------------------------- | ------- |
+| extra_volumes                     | Specify extra volumes to add to the application pod      | ''      |
+| web_extra_volume_mounts           | Specify volume mounts to be added to Web container       | ''      |
+| task_extra_volume_mounts          | Specify volume mounts to be added to Task container      | ''      |
+| ee_extra_volume_mounts            | Specify volume mounts to be added to Execution container | ''      |
+| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container      | ''      |
+| init_container_extra_commands     | Specify additional commands for Init container           | ''      |
+
+
+> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
 Example configuration for ConfigMap
 
+```yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: <resourcename>-extra-config
+  namespace: <target namespace>
+data:
+  ansible.cfg: |
+     [defaults]
+     remote_tmp = /tmp
+     [ssh_connection]
+     ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
+  custom.py:  |
+      INSIGHTS_URL_BASE = "example.org"
+      AWX_CLEANUP_PATHS = True
+```
+Example spec file for volumes and volume mounts
+
+```yaml
+---
+    spec:
+    ...
+      extra_volumes: |
+        - name: ansible-cfg
+          configMap:
+            defaultMode: 420
+            items:
+              - key: ansible.cfg
+                path: ansible.cfg
+            name: <resourcename>-extra-config
+        - name: custom-py
+          configMap:
+            defaultMode: 420
+            items:
+              - key: custom.py
+                path: custom.py
+            name: <resourcename>-extra-config
+        - name: shared-volume
+          persistentVolumeClaim:
+            claimName: my-external-volume-claim
+
+      init_container_extra_volume_mounts: |
+        - name: shared-volume
+          mountPath: /shared
+
+      init_container_extra_commands: |
+        # set proper permissions (rwx) for the awx user
+        chmod 775 /shared
+        chgrp 1000 /shared
+
+      ee_extra_volume_mounts: |
+        - name: ansible-cfg
+          mountPath: /etc/ansible/ansible.cfg
+          subPath: ansible.cfg
+
+      task_extra_volume_mounts: |
+        - name: custom-py
+          mountPath: /etc/tower/conf.d/custom.py
+          subPath: custom.py
+        - name: shared-volume
+          mountPath: /shared
+```
+
+> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
+
 #### Default execution environments from private registries
 
 In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
@@ -589,58 +677,25 @@ type: Opaque
 ##### Control plane ee from private registry
 The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
 
+You can create `image_pull_secret`
+```
+kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
+```
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+
+Example spec file extra-config
+
 ```yaml
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: <resourcename>-extra-config
+  name: <resoucename>-cp-pull-credentials
   namespace: <target namespace>
 data:
-  ansible.cfg: |
-     [defaults]
-     remote_tmp = /tmp
-     [ssh_connection]
-     ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
-  custom.py:  |
-      INSIGHTS_URL_BASE = "example.org"
-      AWX_CLEANUP_PATHS = True
+  .dockerconfigjson: <base64 docker config>
+type: kubernetes.io/dockerconfigjson
 ```
-Example spec file for volumes and volume mounts
-
-```yaml
----
-    spec:
-    ...
-      ee_extra_volume_mounts: |
-        - name: ansible-cfg
-          mountPath: /etc/ansible/ansible.cfg
-          subPath: ansible.cfg
-
-      task_extra_volume_mounts: |
-        - name: custom-py
-          mountPath: /etc/tower/conf.d/custom.py
-          subPath: custom.py
-
-      extra_volumes: |
-        - name: ansible-cfg
-          configMap:
-            defaultMode: 420
-            items:
-              - key: ansible.cfg
-                path: ansible.cfg
-            name: <resourcename>-extra-config
-        - name: custom-py
-          configMap:
-            defaultMode: 420
-            items:
-              - key: custom.py
-                path: custom.py
-            name: <resourcename>-extra-config
-
-```
-
-> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
 
 #### Exporting Environment Variables to Containers
 
@@ -652,6 +707,8 @@ If you need to export custom environment variables to your containers.
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
 | ee_extra_env                  | Environment variables to be added to EE container        | ''      |
 
+> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
+
 Example configuration of environment variables
 
 ```yaml

ansible/deploy-operator.yml

@@ -9,7 +9,7 @@
     obliterate: no
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Obliterate Operator

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.11.0
+operator_version: 0.13.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/instantiate-awx-deployment.yml

@@ -3,7 +3,7 @@
   hosts: localhost
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Deploy AWX

ansible/templates/crd.yml.j2

@@ -86,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -285,6 +288,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -344,6 +359,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -375,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/awx-operator.yaml

@@ -88,6 +88,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -287,6 +290,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -346,6 +361,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -377,7 +395,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object
@@ -711,7 +729,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.11.0"
+          image: "quay.io/ansible/awx-operator:0.13.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -729,7 +747,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.11.0"
+              value: "0.13.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -86,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -285,6 +288,18 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -344,6 +359,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -375,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -39,7 +39,7 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.11.0
+  name: awx-operator.v0.13.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -78,6 +78,16 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: The persistent volume claim name used during backup
         displayName: Backup claim
@@ -104,21 +114,19 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
-      - displayName: Deployment name
+      - displayName: Name of newly restored deployment
         path: deployment_name
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup persistent volume claim
         path: backup_pvc
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
-      - displayName: Backup persistent volume claim namespace
+      - displayName: Backup namespace
         path: backup_pvc_namespace
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup directory in the persistent volume claim
         path: backup_dir
         x-descriptors:
@@ -128,6 +136,16 @@ spec:
         path: postgres_label_selector
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: The state of the restore
         displayName: Restore status
@@ -258,7 +276,7 @@ spec:
         path: image_pull_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:imagePullSecret
+        - urn:alm:descriptor:io.kubernetes:Secret
       - displayName: Web container resource requirements
         path: web_resource_requirements
         x-descriptors:
@@ -535,6 +553,35 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the init container to use
+        displayName: Init Container Image
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Init container image version to use
+        displayName: Init Container Image Version
+        path: init_container_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify Extra commands for the Init container
+        displayName: Init Container Extra Commands
+        path: init_container_extra_commands
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify volume mounts to be added to Init container
+        displayName: Init Container Extra Volume Mounts
+        path: init_container_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Secret where can be found the trusted Certificate Authority Bundle
+        path: bundle_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -678,10 +725,10 @@ spec:
                 - name: ANSIBLE_GATHERING
                   value: explicit
                 - name: OPERATOR_VERSION
-                  value: 0.11.0
+                  value: 0.13.0
                 - name: ANSIBLE_DEBUG_LOGS
                   value: "false"
-                image: quay.io/ansible/awx-operator:0.11.0
+                image: quay.io/ansible/awx-operator:0.13.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -720,5 +767,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  replaces: awx-operator.v0.10.0
-  version: 0.11.0
+  replaces: awx-operator.v0.12.0
+  version: 0.13.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -35,6 +35,10 @@ spec:
               broadcast_websocket_secret:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
+              bundle_cacert_secret:
+                description: Secret where can be found the trusted Certificate Authority
+                  Bundle
+                type: string
               ca_trust_bundle:
                 description: Path where the trusted CA bundle is available
                 type: string
@@ -101,7 +105,7 @@ spec:
                     setting:
                       type: string
                     value:
-                      type: string
+                      x-kubernetes-preserve-unknown-fields: true
                   type: object
                 type: array
               extra_volumes:
@@ -137,6 +141,9 @@ spec:
               ingress_annotations:
                 description: Annotations to add to the Ingress Controller
                 type: string
+              ingress_path:
+                description: The ingress path used to reach the deployed service
+                type: string
               ingress_tls_secret:
                 description: Secret where the Ingress TLS secret can be found
                 type: string
@@ -149,6 +156,18 @@ spec:
                 - Route
                 - route
                 type: string
+              init_container_extra_commands:
+                description: Extra commands for the init container
+                type: string
+              init_container_extra_volume_mounts:
+                description: Specify volume mounts to be added to the init container
+                type: string
+              init_container_image:
+                description: Registry path to the init container to use
+                type: string
+              init_container_image_version:
+                description: Init container image version to use
+                type: string
               kind:
                 description: Kind of the deployment type
                 type: string

molecule/default/molecule.yml

@@ -27,8 +27,3 @@ provisioner:
     group_vars:
       all:
         operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-9443}'

molecule/test-local/ansible.cfg

@@ -1,2 +0,0 @@
-[defaults]
-stdout_callback = yaml

molecule/test-local/converge.yml

@@ -1,133 +0,0 @@
----
-- name: Build Operator in Kind container
-  hosts: k8s
-
-  vars:
-    image_name: awx.ansible.com/awx-operator:testing
-
-  tasks:
-    # using command so we don't need to install any dependencies
-    - name: Get existing image hash
-      command: docker images -q {{ image_name }}
-      register: prev_hash
-      changed_when: false
-
-    - name: Build Operator Image
-      command: docker build -f /build/build/Dockerfile -t {{ image_name }} /build
-      register: build_cmd
-      changed_when: not prev_hash.stdout or (prev_hash.stdout and prev_hash.stdout not in ''.join(build_cmd.stdout_lines[-2:]))
-
-- name: Converge
-  hosts: localhost
-  connection: local
-
-  vars:
-    ansible_python_interpreter: '{{ ansible_playbook_python }}'
-    deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy"
-    templates_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/ansible/templates"
-    pull_policy: Never
-    operator_image: awx.ansible.com/awx-operator
-    operator_version: testing
-    ansible_debug_logs: "true"
-    custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"
-
-  tasks:
-    - block:
-        - name: Delete the Operator Deployment
-          k8s:
-            state: absent
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-          register: delete_deployment
-          when: hostvars[groups.k8s.0].build_cmd.changed
-
-        - name: Wait 30s for Operator Deployment to terminate
-          k8s_info:
-            api_version: '{{ definition.apiVersion }}'
-            kind: '{{ definition.kind }}'
-            namespace: '{{ operator_namespace }}'
-            name: '{{ definition.metadata.name }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: deployment
-          until: not deployment.resources
-          delay: 3
-          retries: 10
-          when: delete_deployment.changed
-
-        - name: Create the Operator Deployment
-          k8s:
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-
-        - name: Ensure the AWX custom_resource namespace exists
-          k8s:
-            state: present
-            name: '{{ custom_resource.metadata.namespace }}'
-            kind: Namespace
-            api_version: v1
-
-        - name: Create the AWX Custom Resource
-          k8s:
-            state: present
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            definition: '{{ custom_resource }}'
-
-        - name: Wait 15m for reconciliation to run
-          k8s_info:
-            api_version: '{{ custom_resource.apiVersion }}'
-            kind: '{{ custom_resource.kind }}'
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            name: '{{ custom_resource.metadata.name }}'
-          register: cr
-          until:
-            - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))"
-          delay: 6
-          retries: 150
-
-      rescue:
-
-        - name: debug cr
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: debug_cr
-          vars:
-            debug_cr: '{{ lookup("k8s",
-              kind=custom_resource.kind,
-              api_version=custom_resource.apiVersion,
-              namespace=custom_resource.metadata.namespace,
-              resource_name=custom_resource.metadata.name)
-            }}'
-
-        - name: debug awx deployment
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: deploy
-          vars:
-            deploy: '{{ lookup("k8s",
-              kind="Deployment",
-              api_version="apps/v1",
-              namespace=custom_resource.metadata.namespace,
-              label_selector="app.kubernetes.io/name=example-awx")
-            }}'
-
-        - name: get operator logs
-          ignore_errors: yes
-          failed_when: false
-          command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }}
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: log
-
-        - name: print debug output
-          debug: var=log.stdout_lines
-
-        - name: fail if converge didn't succeed
-          fail:
-            msg: "Failed on action: converge"
-
-- import_playbook: '{{ playbook_dir }}/../default/asserts.yml'

molecule/test-local/molecule.yml

@@ -1,46 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-platforms:
-  - name: kind-test-local
-    groups:
-      - k8s
-    image: bsycorp/kind:v1.17.9
-    privileged: True
-    override_command: no
-    exposed_ports:
-      - 8443/tcp
-      - 10080/tcp
-    published_ports:
-      - 0.0.0.0:${TEST_CLUSTER_PORT:-10443}:8443/tcp
-    pre_build_image: yes
-    volumes:
-      - ${MOLECULE_PROJECT_DIRECTORY}:/build:Z
-provisioner:
-  name: ansible
-  log: True
-  inventory:
-    group_vars:
-      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-10443}'
-scenario:
-  test_sequence:
-    - lint
-    - destroy
-    - dependency
-    - syntax
-    - create
-    - prepare
-    - converge
-    - destroy

molecule/test-local/prepare.yml

@@ -1,38 +0,0 @@
----
-- name: Prepare kubernetes environment
-  hosts: k8s
-  gather_facts: no
-  vars:
-    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-  tasks:
-    - name: delete the kubeconfig if present
-      file:
-        path: '{{ kubeconfig }}'
-        state: absent
-      delegate_to: localhost
-
-    - name: Fetch the kubeconfig
-      fetch:
-        dest: '{{ kubeconfig }}'
-        flat: yes
-        src: /root/.kube/config
-
-    - name: Change the kubeconfig port to the proper value
-      replace:
-        regexp: 8443
-        replace: "{{ lookup('env', 'KIND_PORT') }}"
-        path: '{{ kubeconfig }}'
-        mode: 0644
-      delegate_to: localhost
-
-    - name: Wait for the Kubernetes API to become available (this could take a minute)
-      uri:
-        url: "http://localhost:10080/kubernetes-ready"
-        status_code: 200
-        validate_certs: no
-      register: result
-      until: (result.status|default(-1)) == 200
-      retries: 60
-      delay: 5
-
-- import_playbook: ../default/prepare.yml

molecule/test-minikube/converge.yml

@@ -126,8 +126,6 @@
           ignore_errors: yes
           failed_when: false
           command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }} -c operator
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
           vars:
             definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
           register: log

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
-  - name: community.kubernetes
+  - name: kubernetes.core
     version: '==1.1.1'
   - name: operator_sdk.util
     version: '==0.1.0'

roles/backup/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/backup/tasks/awx-cro.yml

@@ -10,24 +10,25 @@
 
 - name: Set AWX object
   set_fact:
-    _awx: "{{ _awx_cro['resources'][0] }}"
-
-- name: Set user specified spec
-  set_fact:
-    awx_spec: "{{ _awx['spec'] }}"
+    _awx: "{{ this_awx['resources'][0]['spec'] }}"
 
 - name: Set names of backed up secrets in the CR spec
   set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
+    _awx: "{{ _awx | combine ({ item.key : item.value }) }}"
   with_items:
     - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
     - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
     - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
-    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }} "}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"}
+
+- name: Set AWX object
+  set_fact:
+    awx_spec:
+      spec: "{{ _awx }}"
 
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | quote  }}
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}

roles/backup/tasks/dump_generated_secret.yml

@@ -25,11 +25,15 @@
       namespace: '{{ meta.namespace }}'
       name: "{{ _name }}"
   register: _secret
+  no_log: true
 
 - name: Set secret data
   set_fact:
       _data: "{{ _secret['resources'][0]['data'] }}"
+      _type: "{{ _secret['resources'][0]['type'] }}"
+  no_log: true
 
 - name: Create and Add secret names and data to dictionary
   set_fact:
-      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data }}) }}"
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
+  no_log: true

roles/backup/tasks/dump_secret.yml

@@ -2,9 +2,9 @@
 
 - name: Get Secret Name
   set_fact:
-      _name: "{{ awx_spec[item] | default('') }}"
+      _name: "{{ awx_spec.spec[item] | default('') }}"
 
-- name: Skip if secret name not defined
+- name: Backup secret if defined
   block:
       - name: Get secret
         k8s_info:
@@ -13,12 +13,16 @@
             namespace: '{{ meta.namespace }}'
             name: "{{ _name }}"
         register: _secret
+        no_log: true
 
       - name: Set secret key
         set_fact:
             _data: "{{ _secret['resources'][0]['data'] }}"
+            _type: "{{ _secret['resources'][0]['type'] }}"
+        no_log: true
 
       - name: Create and Add secret names and data to dictionary
         set_fact:
-            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data }}) }}"
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
+        no_log: true
   when: _name != ''

roles/backup/tasks/init.yml

@@ -45,10 +45,21 @@
   set_fact:
     backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
-- name: Create PVC for backup
-  k8s:
-    kind: PersistentVolumeClaim
-    template: "backup_pvc.yml.j2"
+- block:
+    - name: Create PVC for backup
+      k8s:
+        kind: PersistentVolumeClaim
+        template: "backup_pvc.yml.j2"
+
+    - name: Remove PVC ownerReference
+      k8s:
+        definition:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          metadata:
+            name: '{{ deployment_name }}-backup-claim'
+            namespace: '{{ backup_pvc_namespace }}'
+            ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined
 

roles/backup/tasks/postgres.yml

@@ -6,6 +6,7 @@
     namespace: '{{ meta.namespace }}'
     name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
   register: pg_config
+  no_log: true
 
 - name: Fail if postgres configuration secret status does not exist
   fail:
@@ -20,6 +21,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
+  no_log: true
 
 - block:
     - name: Delete pod to reload a resource configuration
@@ -77,6 +79,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + meta.namespace + ".svc.cluster.local", awx_postgres_host) }}'  # noqa 204
+  no_log: true
 
 - name: Set pg_dump command
   set_fact:
@@ -87,6 +90,7 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Write pg_dump to backup on PVC
   k8s_exec:
@@ -99,4 +103,5 @@
       echo 'Successful'
       """
   register: data_migration
+  no_log: true
   failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -18,12 +18,16 @@
   include_tasks: dump_secret.yml
   loop:
     - route_tls_secret
+    - ingress_tls_secret
     - ldap_cacert_secret
+    - bundle_cacert_secret
     - image_pull_secret
+    - ee_pull_credentials_secret
 
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}
+  no_log: true
 
 - name: Write postgres configuration to pvc
   k8s_exec:
@@ -31,3 +35,4 @@
     pod: "{{ meta.name }}-db-management"
     command: >-
       bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
+  no_log: true

roles/installer/defaults/main.yml

@@ -9,7 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
-
+ingress_path: '/'
 # Add annotations to the service account. Specify as literal block. E.g.:
 # service_account_annotations: |
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -106,19 +106,37 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.1
+image_version: 19.3.0
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
-ee_images:
-  - name: AWX EE 0.4.0
-    image: quay.io/ansible/awx-ee:0.4.0
+# Extra commands which will be appended to the initContainer
+# Make sure that each command entered return an exit code 0
+# otherwise the initContainer will fail
+# init_container_extra_commands: |
+#   date >> /var/lib/awx/projects/timestamp
+#   chgrp 1000 /shared
+#   chmod 775 /shared
+init_container_extra_commands: ''
 
-control_plane_ee_image: quay.io/ansible/awx-ee:0.4.0
+# Mount extra volumes on the initContainer.
+# The volume used must be defined as an `extra_volumes` resource
+# init_container_extra_volume_mounts: |
+#   - name: shared-vol
+#     mountPath: /shared
+init_container_extra_volume_mounts: ''
+
+ee_images:
+  - name: AWX EE (latest)
+    image: quay.io/ansible/awx-ee:latest
+
+control_plane_ee_image: quay.io/ansible/awx-ee:latest
 
 create_preload_data: true
 
@@ -206,6 +224,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #

roles/installer/meta/main.yml

@@ -28,5 +28,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/installer/tasks/admin_password_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ admin_password_secret }}'
   register: _custom_admin_password
+  no_log: true
   when: admin_password_secret | length
 
 - name: Check for default admin password configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-admin-password'
   register: _default_admin_password
+  no_log: true
 
 - name: Set admin password secret
   set_fact:
     _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
+  no_log: true
 
 - block:
     - name: Create admin password secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read admin password secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-admin-password'
       register: _generated_admin_password
+      no_log: true
 
   when: not _admin_password_secret['resources'] | default([]) | length
 
 - name: Set admin password secret
   set_fact:
     __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
+  no_log: true
 
 - name: Store admin password
   set_fact:
     admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
+  no_log: true

roles/installer/tasks/broadcast_websocket_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ broadcast_websocket_secret }}'
   register: _custom_broadcast_websocket
+  no_log: true
   when: broadcast_websocket_secret | length
 
 - name: Check for default broadcast websocket secret configuration
@@ -13,17 +14,20 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-broadcast-websocket'
   register: _default_broadcast_websocket
+  no_log: true
 
 - name: Set broadcast websocket secret
   set_fact:
     # yamllint disable-line rule:line-length
     _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
+  no_log: true
 
 - block:
     - name: Create broadcast websocket secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read broadcast websocket secret
       k8s_info:
@@ -31,6 +35,7 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-broadcast-websocket'
       register: _generated_broadcast_websocket
+      no_log: true
 
   when: not _broadcast_websocket_secret['resources'] | default([]) | length
 
@@ -38,7 +43,9 @@
   set_fact:
     # yamllint disable-line rule:line-length
     __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
+  no_log: true
 
 - name: Store broadcast websocket secret name
   set_fact:
     broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
+  no_log: true

roles/installer/tasks/cleanup.yml

@@ -23,5 +23,6 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
+      no_log: true
 
   when: not garbage_collect_secrets | bool

roles/installer/tasks/database_configuration.yml

@@ -6,6 +6,7 @@
     name: '{{ postgres_configuration_secret }}'
   register: _custom_pg_config_resources
   when: postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default PostgreSQL configuration
   k8s_info:
@@ -13,6 +14,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
+  no_log: true
 
 - name: Check for specified old PostgreSQL configuration secret
   k8s_info:
@@ -21,6 +23,7 @@
     name: '{{ old_postgres_configuration_secret }}'
   register: _custom_old_pg_config_resources
   when: old_postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default old PostgreSQL configuration
   k8s_info:
@@ -28,6 +31,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-old-postgres-configuration'
   register: _default_old_pg_config_resources
+  no_log: true
 
 - name: Set old PostgreSQL configuration
   set_fact:
@@ -41,16 +45,19 @@
   when:
     - old_pg_config['resources'] is defined
     - old_pg_config['resources'] | length
+  no_log: true
 
 - name: Set PostgreSQL configuration
   set_fact:
     _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
+  no_log: true
 
 - block:
     - name: Create Database configuration
       k8s:
         apply: true
         definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read Database Configuration
       k8s_info:
@@ -58,11 +65,13 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-postgres-configuration'
       register: _generated_pg_config_resources
+      no_log: true
   when: not _pg_config['resources'] | default([]) | length
 
 - name: Set PostgreSQL Configuration
   set_fact:
     pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
+  no_log: true
 
 - name: Set actual postgres configuration secret used
   set_fact:
@@ -80,7 +89,7 @@
       include_tasks: scale_down_deployment.yml
 
     - name: Scale down PostgreSQL statefulset for migration
-      community.kubernetes.k8s_scale:
+      kubernetes.core.k8s_scale:
         api_version: apps/v1
         kind: StatefulSet
         name: "{{ meta.name }}-postgres"
@@ -112,6 +121,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
+  no_log: true
 
 - name: Look up details for this deployment
   k8s_info:

roles/installer/tasks/initialize_django.yml

@@ -22,6 +22,7 @@
       bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
   register: update_pw_result
   changed_when: users_result.stdout == 'Password not updated'
+  no_log: true
   when: users_result.return_code == 0
 
 - name: Create super user via Django if it doesn't exist.
@@ -33,6 +34,7 @@
       bash -c "echo \"from django.contrib.auth.models import User;
       User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
       | awx-manage shell"
+  no_log: true
   when: users_result.return_code > 0
 
 - name: Create preload data if necessary.  # noqa 305
@@ -73,18 +75,13 @@
   register: _custom_execution_environments_pull_credentials
   when: ee_pull_credentials_secret | length
 
-- name: Check for default execution environment pull credentials
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: '{{ meta.name }}-ee-pull-credentials'
-  register: _default_execution_environments_pull_credentials
-
-- name: Set admin password secret
+- name: Set execution environment pull credential secret
   set_fact:
     _execution_environments_pull_credentials: >-
       {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
-      | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }}
+      | ternary(_custom_execution_environments_pull_credentials, []) }}
+  no_log: true
+
 - name: Register default execution environments (without authentication)
   k8s_exec:
     namespace: "{{ meta.namespace }}"
@@ -104,6 +101,8 @@
         default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
         default_execution_environment_pull_credentials_url_verify: >-
           {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+      no_log: true
+
     - name: Register default execution environments (with authentication)
       k8s_exec:
         namespace: "{{ meta.namespace }}"
@@ -117,4 +116,5 @@
           --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
       register: ree
       changed_when: "'changed: True' in ree.stdout"
+      no_log: true
   when: _execution_environments_pull_credentials['resources'] | default([]) | length

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ bundle_cacert_secret }}'
+  register: bundle_cacert
+  no_log: true
+
+- name: Load bundle Certificate Authority Secret content
+  set_fact:
+    bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  no_log: true
+  when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -5,8 +5,10 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ ldap_cacert_secret }}'
   register: ldap_cacert
+  no_log: true
 
 - name: Load LDAP CA Certificate Secret content
   set_fact:
     ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/load_route_tls_secret.yml

@@ -5,13 +5,16 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ route_tls_secret }}'
   register: route_tls
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
     route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ca.crt" in route_tls["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load bundle certificate authority certificate
+  include_tasks: load_bundle_cacert_secret.yml
+  when:
+    - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 

roles/installer/tasks/migrate_data.yml

@@ -11,6 +11,7 @@
     awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
     awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -47,6 +48,7 @@
       -d {{ awx_old_postgres_database }}
       -p {{ awx_old_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Set pg_restore command
   set_fact:
@@ -54,6 +56,7 @@
       pg_restore --clean --if-exists
       -U {{ database_username }}
       -d {{ database_name }}
+  no_log: true
 
 - name: Stream backup from pg_dump to the new postgresql container
   k8s_exec:
@@ -65,6 +68,7 @@
       PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
       echo 'Successful'
       """
+  no_log: true
   register: data_migration
   failed_when: "'Successful' not in data_migration.stdout"
 

roles/installer/tasks/resources_configuration.yml

@@ -30,6 +30,7 @@
     - 'persistent'
     - 'service'
     - 'ingress'
+  no_log: true
 
 - name: Apply deployment resources
   k8s:

roles/installer/tasks/scale_down_deployment.yml

@@ -9,7 +9,7 @@
   register: tower_deployment
 
 - name: Scale down Deployment for migration
-  community.kubernetes.k8s_scale:
+  kubernetes.core.k8s_scale:
     api_version: v1
     kind: Deployment
     name: "{{ meta.name }}"

roles/installer/tasks/secret_key_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ secret_key_secret }}'
   register: _custom_secret_key
+  no_log: true
   when: secret_key_secret | length
 
 - name: Check for default secret key configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-secret-key'
   register: _default_secret_key
+  no_log: true
 
 - name: Set secret key secret
   set_fact:
     _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
+  no_log: true
 
 - block:
     - name: Create secret key secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
+      no_log: true
 
     - name: Read secret key secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-secret-key'
       register: _generated_secret_key
+      no_log: true
 
   when: not _secret_key_secret['resources'] | default([]) | length
 
 - name: Set secret key secret
   set_fact:
     __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret)  }}'
+  no_log: true
 
 - name: Store secret key secret name
   set_fact:
     secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
+  no_log: true

roles/installer/tasks/update_status.yml

@@ -75,6 +75,7 @@
 - block:
     - name: Retrieve route URL
       k8s_info:
+        api_version: 'route.openshift.io/v1'
         kind: Route
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}'

roles/installer/templates/config.yaml.j2

@@ -46,7 +46,7 @@ data:
     AWX_AUTO_DEPROVISION_INSTANCES = True
     
     CLUSTER_HOST_ID = socket.gethostname()
-    SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
+    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
     CSRF_COOKIE_SECURE = False
     SESSION_COOKIE_SECURE = False
@@ -90,11 +90,7 @@ data:
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
 {% for item in extra_settings | default([]) %}
-{% if item.value is string %}
-    {{ item.setting }} = '{{ item.value }}'
-{% else %}
     {{ item.setting }} = {{ item.value }}
-{% endif %}
 {% endfor %}
 
   nginx_conf: |

roles/installer/templates/deployment.yaml.j2

@@ -32,6 +32,43 @@ spec:
 {% if image_pull_secret %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+{% if bundle_ca_crt  %}
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+{% endif %}
+{% if projects_persistence|bool %}
+              chmod 775 /var/lib/awx/projects
+              chgrp 1000 /var/lib/awx/projects
+{% endif %}
+{% if init_container_extra_commands %}
+              {{ init_container_extra_commands | indent(width=14) }}
+{% endif %}
+          volumeMounts:
+{% if bundle_ca_crt  %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
+{% if projects_persistence|bool %}
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
+{% endif %}
+{% if init_container_extra_volume_mounts -%}
+            {{ init_container_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% endif %}
       containers:
         - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +99,14 @@ spec:
             - containerPort: 8053
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -141,6 +186,14 @@ spec:
           args: {{ task_args }}
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -211,6 +264,14 @@ spec:
           resources: {{ ee_resource_requirements }}
           args: ['receptor', '--config', '/etc/receptor.conf']
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-receptor-config"
               mountPath: "/etc/receptor.conf"
               subPath: receptor.conf
@@ -239,8 +300,22 @@ spec:
 {% if tolerations %}
       tolerations:
         {{ tolerations | indent(width=8) }}
+{% endif %}
+{% if projects_persistence|bool %}
+      securityContext:
+        fsGroup: 1000
 {% endif %}
       volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
         - name: "{{ meta.name }}-nginx-certs"
           secret:

roles/installer/templates/ingress.yaml.j2

@@ -20,7 +20,7 @@ spec:
     - host: '{{ hostname }}'
       http:
         paths:
-          - path: /
+          - path: '{{ ingress_path }}'
             backend:
               serviceName: '{{ meta.name }}-service'
               servicePort: 80

roles/installer/templates/postgres.yaml.j2

@@ -33,6 +33,10 @@ spec:
         app.kubernetes.io/part-of: '{{ meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
+{% if image_pull_secret %}
+      imagePullSecrets:
+        - name: {{ image_pull_secret }}
+{% endif %}
       containers:
         - image: '{{ postgres_image }}:{{ postgres_image_version }}'
           imagePullPolicy: '{{ image_pull_policy }}'

roles/installer/vars/main.yml

@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''

roles/restore/defaults/main.yml

@@ -6,7 +6,7 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 # Required: specify a pre-created PVC (name) to restore from
 backup_pvc: ''
-backup_pvc_namespace: ''
+backup_pvc_namespace: '{{ meta.namespace }}'
 
 # Required: backup name, found on the awxbackup object
 backup_dir: ''

roles/restore/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/restore/tasks/cleanup.yml

@@ -22,6 +22,7 @@
     - '{{ admin_password_secret }}'
     - '{{ broadcast_websocket_secret }}'
     - '{{ postgres_configuration_secret }}'
+  no_log: true
 
 - name: Cleanup temp spec file
   file:

roles/restore/tasks/deploy_awx.yml

@@ -1,9 +1,5 @@
 ---
 
-- name: Save kind
-  set_fact:
-    _kind: "{{ kind }}"
-
 - name: Get AWX object definition from pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
@@ -25,22 +21,13 @@
 
 - name: Include spec vars to save them as a dict
   include_vars: "{{ tmp_spec.path }}"
-  register: spec
-
-- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
-  set_fact:
-    awx_spec: "{{ spec.ansible_facts }}"
-
-- name: Restore kind
-  set_fact:
-    kind: "{{ _kind }}"
 
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"
     namespace: "{{ meta.namespace }}"
     apply: yes
-    template: awx_object.yml.j2
+    definition: "{{ lookup('template', 'awx_object.yml.j2') }}"
     wait: true
     wait_condition:
       type: "Running"

roles/restore/tasks/postgres.yml

@@ -1,11 +1,16 @@
 ---
 
+- name: Set Postgres Configuration Secret name
+  set_fact:
+    postgres_configuration_secret: "{{ spec['postgres_configuration_secret'] | default(postgres_configuration_secret) }}"
+
 - name: Check for specified PostgreSQL configuration
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
     name: '{{ postgres_configuration_secret }}'
   register: pg_config
+  no_log: true
 
 - name: Store Database Configuration
   set_fact:
@@ -15,6 +20,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -59,6 +65,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local"
+  no_log: true
   when: awx_postgres_type == 'managed'
 
 - name: Set pg_restore command
@@ -70,6 +77,7 @@
       -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
+  no_log: true
 
 - name: Restore database dump to the new postgresql container
   k8s_exec:
@@ -82,4 +90,5 @@
       echo 'Successful'
       """
   register: data_migration
+  no_log: true
   failed_when: "'Successful' not in data_migration.stdout"

roles/restore/tasks/secrets.yml

@@ -7,6 +7,7 @@
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
   register: _secrets
+  no_log: true
 
 - name: Create Temporary secrets file
   tempfile:
@@ -19,31 +20,38 @@
     dest: "{{ tmp_secrets.path }}"
     content: "{{ _secrets.stdout }}"
     mode: 0640
+  no_log: true
 
 - name: Include secret vars from backup
   include_vars: "{{ tmp_secrets.path }}"
+  no_log: true
 
 - name: If deployment is managed, set the database_host in the pg config secret
   block:
     - name: Set new database host
       set_fact:
         database_host: "{{ deployment_name }}-postgres"
+      no_log: true
 
     - name: Set tmp postgres secret dict
       set_fact:
         _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+      no_log: true
 
     - name: Change postgres host value
       set_fact:
         _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+      no_log: true
 
     - name: Create a postgres secret with the new host value
       set_fact:
         _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+      no_log: true
 
     - name: Create a new dict of secrets with the new postgres secret
       set_fact:
         secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+      no_log: true
   when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
@@ -53,3 +61,16 @@
     apply: yes
     wait: yes
     template: "secrets.yml.j2"
+  no_log: true
+
+- name: Remove ownerReference on restored secrets
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ item.value.name }}"
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  loop: "{{ secrets | dict2items }}"
+  no_log: true

roles/restore/templates/awx_object.yml.j2

@@ -4,4 +4,5 @@ kind: AWX
 metadata:
   name: '{{ deployment_name }}'
   namespace: '{{ meta.namespace }}'
-spec: {{ awx_spec }}
+spec:
+  {{ spec | to_yaml | indent(2) }}

roles/restore/templates/secrets.yml.j2

@@ -11,9 +11,11 @@ metadata:
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+type: '{{ secrets[secret]['type'] }}'
 stringData:
-  {% for key, value in secrets[secret]['data'].items() %}
-    '{{ key }}': '{{ value | b64decode }}'
-  {% endfor %}
+{% for key, value in secrets[secret]['data'].items() %}
+  {{ key }}: |-
+    {{ value | b64decode | indent(4) }}
+{% endfor %}
 
 {% endfor %}