Merge pull request #436 from shanemcd/bump-0.12.0

Bump versions for next release

.github/workflows/ci.yaml

@@ -31,14 +31,21 @@ jobs:
             ansible-lint \
             openshift \
             jmespath \
-            ansible
+            ansible-core
 
       - name: Install Collections
         run: |
-         ansible-galaxy collection install community.kubernetes operator_sdk.util
+         ansible-galaxy collection install community.general kubernetes.core:1.2.1 operator_sdk.util
+
+      - name: Setup Minikube
+        uses: manusa/actions-setup-minikube@v2.4.2
+        with:
+          minikube version: 'v1.16.0'
+          kubernetes version: 'v1.19.2'
+          github token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Molecule
         env:
           MOLECULE_VERBOSITY: 3
         run: |
-          molecule test -s test-local
+          molecule test -s test-minikube

README.md

@@ -24,7 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
-         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
@@ -505,28 +505,36 @@ spec:
       effect: "NoSchedule"
 ```
 
-#### LDAP Certificate Authority
+#### Trusting a Custom Certificate Authority
 
-If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+In cases which you need to trust a custom Certificate Authority, there are few variables you can customize for the `awx-operator`.
 
-| Name                             | Description                             | Default |
-| -------------------------------- | --------------------------------------- | --------|
-| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
+
+Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
+
 Example of customization could be:
 
 ```yaml
 ---
 spec:
   ...
-  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+  ldap_cacert_secret: <resourcename>-custom-certs
+  bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
 To create the secret, you can use the command below:
 
 ```sh
-# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+# kubectl create secret generic <resourcename>-custom-certs \
+    --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>  \
+    --from-fle=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
 #### Persisting Projects Directory
@@ -563,6 +571,8 @@ In a scenario where custom volumes and volume mounts are required to either over
 | task_extra_volume_mounts       | Specify volume mounts to be added to Task container      | ''      |
 | ee_extra_volume_mounts         | Specify volume mounts to be added to Execution container | ''      |
 
+> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
+
 Example configuration for ConfigMap
 
 #### Default execution environments from private registries
@@ -587,7 +597,26 @@ type: Opaque
 ```
 
 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time. 
+
+You can create `image_pull_secret`
+```
+kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
+```
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resoucename>-cp-pull-credentials
+  namespace: <target namespace>
+data:
+  .dockerconfigjson: <base64 docker config>
+type: kubernetes.io/dockerconfigjson
+```
+Example spec file extra-config
 
 ```yaml
 ---
@@ -652,6 +681,8 @@ If you need to export custom environment variables to your containers.
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
 | ee_extra_env                  | Environment variables to be added to EE container        | ''      |
 
+> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
+
 Example configuration of environment variables
 
 ```yaml

ansible/deploy-operator.yml

@@ -9,7 +9,7 @@
     obliterate: no
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Obliterate Operator

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.11.0
+operator_version: 0.12.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/instantiate-awx-deployment.yml

@@ -3,7 +3,7 @@
   hosts: localhost
 
   collections:
-    - community.kubernetes
+    - kubernetes.core
 
   tasks:
     - name: Deploy AWX

ansible/templates/crd.yml.j2

@@ -285,6 +285,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -344,6 +350,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -375,7 +384,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

bundle.Dockerfile

@@ -6,9 +6,9 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=awx-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
 LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.project_layout=ansible
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4
-LABEL operators.operatorframework.io.metrics.project_layout=ansible
 
 COPY deploy/olm-catalog/awx-operator/manifests /manifests/
 COPY deploy/olm-catalog/awx-operator/metadata /metadata/

deploy/awx-operator.yaml

@@ -287,6 +287,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -346,6 +352,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -377,7 +386,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object
@@ -711,7 +720,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.11.0"
+          image: "quay.io/ansible/awx-operator:0.12.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -729,7 +738,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.11.0"
+              value: "0.12.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -285,6 +285,12 @@ spec:
                 redis_image_version:
                   description: Redis container image version to use
                   type: string
+                init_container_image:
+                  description: Registry path to the init container to use
+                  type: string
+                init_container_image_version:
+                  description: Init container image version to use
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -344,6 +350,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                bundle_cacert_secret:
+                  description: Secret where can be found the trusted Certificate Authority Bundle
+                  type: string
                 projects_persistence:
                   description: Whether or not the /var/lib/projects directory will be persistent
                   default: false
@@ -375,7 +384,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -39,7 +39,7 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.11.0
+  name: awx-operator.v0.12.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -535,6 +535,23 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the init container to use
+        displayName: Init Container Image
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Init container image version to use
+        displayName: Init Container Image Version
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Secret where can be found the trusted Certificate Authority Bundle
+        path: bundle_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -678,10 +695,10 @@ spec:
                 - name: ANSIBLE_GATHERING
                   value: explicit
                 - name: OPERATOR_VERSION
-                  value: 0.11.0
+                  value: 0.12.0
                 - name: ANSIBLE_DEBUG_LOGS
                   value: "false"
-                image: quay.io/ansible/awx-operator:0.11.0
+                image: quay.io/ansible/awx-operator:0.12.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -720,5 +737,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  replaces: awx-operator.v0.10.0
-  version: 0.11.0
+  replaces: awx-operator.v0.11.0
+  version: 0.12.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -35,6 +35,9 @@ spec:
               broadcast_websocket_secret:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
+              bundle_cacert_secret:
+                description: Secret where can be found the trusted Certificate Authority Bundle
+                type: string
               ca_trust_bundle:
                 description: Path where the trusted CA bundle is available
                 type: string
@@ -101,7 +104,7 @@ spec:
                     setting:
                       type: string
                     value:
-                      type: string
+                      x-kubernetes-preserve-unknown-fields: true
                   type: object
                 type: array
               extra_volumes:
@@ -149,6 +152,12 @@ spec:
                 - Route
                 - route
                 type: string
+              init_container_image:
+                description: Registry path to the init container to use
+                type: string
+              init_container_image_version:
+                description: Init container image version to use
+                type: string
               kind:
                 description: Kind of the deployment type
                 type: string

molecule/default/molecule.yml

@@ -27,8 +27,3 @@ provisioner:
     group_vars:
       all:
         operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-default/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-9443}'

molecule/test-local/ansible.cfg

@@ -1,2 +0,0 @@
-[defaults]
-stdout_callback = yaml

molecule/test-local/converge.yml

@@ -1,133 +0,0 @@
----
-- name: Build Operator in Kind container
-  hosts: k8s
-
-  vars:
-    image_name: awx.ansible.com/awx-operator:testing
-
-  tasks:
-    # using command so we don't need to install any dependencies
-    - name: Get existing image hash
-      command: docker images -q {{ image_name }}
-      register: prev_hash
-      changed_when: false
-
-    - name: Build Operator Image
-      command: docker build -f /build/build/Dockerfile -t {{ image_name }} /build
-      register: build_cmd
-      changed_when: not prev_hash.stdout or (prev_hash.stdout and prev_hash.stdout not in ''.join(build_cmd.stdout_lines[-2:]))
-
-- name: Converge
-  hosts: localhost
-  connection: local
-
-  vars:
-    ansible_python_interpreter: '{{ ansible_playbook_python }}'
-    deploy_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/deploy"
-    templates_dir: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/ansible/templates"
-    pull_policy: Never
-    operator_image: awx.ansible.com/awx-operator
-    operator_version: testing
-    ansible_debug_logs: "true"
-    custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"
-
-  tasks:
-    - block:
-        - name: Delete the Operator Deployment
-          k8s:
-            state: absent
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-          register: delete_deployment
-          when: hostvars[groups.k8s.0].build_cmd.changed
-
-        - name: Wait 30s for Operator Deployment to terminate
-          k8s_info:
-            api_version: '{{ definition.apiVersion }}'
-            kind: '{{ definition.kind }}'
-            namespace: '{{ operator_namespace }}'
-            name: '{{ definition.metadata.name }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: deployment
-          until: not deployment.resources
-          delay: 3
-          retries: 10
-          when: delete_deployment.changed
-
-        - name: Create the Operator Deployment
-          k8s:
-            namespace: '{{ operator_namespace }}'
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) }}"
-
-        - name: Ensure the AWX custom_resource namespace exists
-          k8s:
-            state: present
-            name: '{{ custom_resource.metadata.namespace }}'
-            kind: Namespace
-            api_version: v1
-
-        - name: Create the AWX Custom Resource
-          k8s:
-            state: present
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            definition: '{{ custom_resource }}'
-
-        - name: Wait 15m for reconciliation to run
-          k8s_info:
-            api_version: '{{ custom_resource.apiVersion }}'
-            kind: '{{ custom_resource.kind }}'
-            namespace: '{{ custom_resource.metadata.namespace }}'
-            name: '{{ custom_resource.metadata.name }}'
-          register: cr
-          until:
-            - "'Successful' in (cr | json_query('resources[].status.conditions[].reason'))"
-          delay: 6
-          retries: 150
-
-      rescue:
-
-        - name: debug cr
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: debug_cr
-          vars:
-            debug_cr: '{{ lookup("k8s",
-              kind=custom_resource.kind,
-              api_version=custom_resource.apiVersion,
-              namespace=custom_resource.metadata.namespace,
-              resource_name=custom_resource.metadata.name)
-            }}'
-
-        - name: debug awx deployment
-          ignore_errors: yes
-          failed_when: false
-          debug:
-            var: deploy
-          vars:
-            deploy: '{{ lookup("k8s",
-              kind="Deployment",
-              api_version="apps/v1",
-              namespace=custom_resource.metadata.namespace,
-              label_selector="app.kubernetes.io/name=example-awx")
-            }}'
-
-        - name: get operator logs
-          ignore_errors: yes
-          failed_when: false
-          command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }}
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
-          vars:
-            definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
-          register: log
-
-        - name: print debug output
-          debug: var=log.stdout_lines
-
-        - name: fail if converge didn't succeed
-          fail:
-            msg: "Failed on action: converge"
-
-- import_playbook: '{{ playbook_dir }}/../default/asserts.yml'

molecule/test-local/molecule.yml

@@ -1,46 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-platforms:
-  - name: kind-test-local
-    groups:
-      - k8s
-    image: bsycorp/kind:v1.17.9
-    privileged: True
-    override_command: no
-    exposed_ports:
-      - 8443/tcp
-      - 10080/tcp
-    published_ports:
-      - 0.0.0.0:${TEST_CLUSTER_PORT:-10443}:8443/tcp
-    pre_build_image: yes
-    volumes:
-      - ${MOLECULE_PROJECT_DIRECTORY}:/build:Z
-provisioner:
-  name: ansible
-  log: True
-  inventory:
-    group_vars:
-      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
-  env:
-    K8S_AUTH_KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    KUBECONFIG: /tmp/molecule/kind-test-local/kubeconfig
-    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
-    KIND_PORT: '${TEST_CLUSTER_PORT:-10443}'
-scenario:
-  test_sequence:
-    - lint
-    - destroy
-    - dependency
-    - syntax
-    - create
-    - prepare
-    - converge
-    - destroy

molecule/test-local/prepare.yml

@@ -1,38 +0,0 @@
----
-- name: Prepare kubernetes environment
-  hosts: k8s
-  gather_facts: no
-  vars:
-    kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-  tasks:
-    - name: delete the kubeconfig if present
-      file:
-        path: '{{ kubeconfig }}'
-        state: absent
-      delegate_to: localhost
-
-    - name: Fetch the kubeconfig
-      fetch:
-        dest: '{{ kubeconfig }}'
-        flat: yes
-        src: /root/.kube/config
-
-    - name: Change the kubeconfig port to the proper value
-      replace:
-        regexp: 8443
-        replace: "{{ lookup('env', 'KIND_PORT') }}"
-        path: '{{ kubeconfig }}'
-        mode: 0644
-      delegate_to: localhost
-
-    - name: Wait for the Kubernetes API to become available (this could take a minute)
-      uri:
-        url: "http://localhost:10080/kubernetes-ready"
-        status_code: 200
-        validate_certs: no
-      register: result
-      until: (result.status|default(-1)) == 200
-      retries: 60
-      delay: 5
-
-- import_playbook: ../default/prepare.yml

molecule/test-minikube/converge.yml

@@ -126,8 +126,6 @@
           ignore_errors: yes
           failed_when: false
           command: kubectl logs deployment/{{ definition.metadata.name }} -n {{ operator_namespace }} -c operator
-          environment:
-            KUBECONFIG: '{{ lookup("env", "KUBECONFIG") }}'
           vars:
             definition: "{{ lookup('template', '/'.join([templates_dir, 'operator.yml.j2'])) | from_yaml }}"
           register: log

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
-  - name: community.kubernetes
+  - name: kubernetes.core
     version: '==1.1.1'
   - name: operator_sdk.util
     version: '==0.1.0'

roles/backup/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/backup/tasks/awx-cro.yml

@@ -10,11 +10,8 @@
 
 - name: Set AWX object
   set_fact:
-    _awx: "{{ _awx_cro['resources'][0] }}"
-
-- name: Set user specified spec
-  set_fact:
-    awx_spec: "{{ _awx['spec'] }}"
+    awx_spec:
+      spec: "{{ this_awx['resources'][0]['spec'] }}"
 
 - name: Set names of backed up secrets in the CR spec
   set_fact:
@@ -23,11 +20,11 @@
     - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
     - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
     - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
-    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }} "}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"}
 
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | quote  }}
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}

roles/backup/tasks/init.yml

@@ -45,10 +45,21 @@
   set_fact:
     backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
-- name: Create PVC for backup
-  k8s:
-    kind: PersistentVolumeClaim
-    template: "backup_pvc.yml.j2"
+- block:
+    - name: Create PVC for backup
+      k8s:
+        kind: PersistentVolumeClaim
+        template: "backup_pvc.yml.j2"
+
+    - name: Remove PVC ownerReference
+      k8s:
+        definition:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          metadata:
+            name: '{{ deployment_name }}-backup-claim'
+            namespace: '{{ backup_pvc_namespace }}'
+            ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined
 

roles/backup/tasks/secrets.yml

@@ -18,8 +18,11 @@
   include_tasks: dump_secret.yml
   loop:
     - route_tls_secret
+    - ingress_tls_secret
     - ldap_cacert_secret
+    - bundle_cacert_secret
     - image_pull_secret
+    - ee_pull_credentials_secret
 
 - name: Nest secrets under a single variable
   set_fact:

roles/installer/defaults/main.yml

@@ -106,19 +106,21 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.1
+image_version: 19.2.2
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
 ee_images:
-  - name: AWX EE 0.4.0
-    image: quay.io/ansible/awx-ee:0.4.0
+  - name: AWX EE 0.5.0
+    image: quay.io/ansible/awx-ee:0.5.0
 
-control_plane_ee_image: quay.io/ansible/awx-ee:0.4.0
+control_plane_ee_image: quay.io/ansible/awx-ee:0.5.0
 
 create_preload_data: true
 
@@ -206,6 +208,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #

roles/installer/meta/main.yml

@@ -28,5 +28,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/installer/tasks/database_configuration.yml

@@ -80,7 +80,7 @@
       include_tasks: scale_down_deployment.yml
 
     - name: Scale down PostgreSQL statefulset for migration
-      community.kubernetes.k8s_scale:
+      kubernetes.core.k8s_scale:
         api_version: apps/v1
         kind: StatefulSet
         name: "{{ meta.name }}-postgres"

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -0,0 +1,12 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ bundle_cacert_secret }}'
+  register: bundle_cacert
+
+- name: Load bundle Certificate Authority Secret content
+  set_fact:
+    bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load bundle certificate authority certificate
+  include_tasks: load_bundle_cacert_secret.yml
+  when:
+    - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 

roles/installer/tasks/scale_down_deployment.yml

@@ -9,7 +9,7 @@
   register: tower_deployment
 
 - name: Scale down Deployment for migration
-  community.kubernetes.k8s_scale:
+  kubernetes.core.k8s_scale:
     api_version: v1
     kind: Deployment
     name: "{{ meta.name }}"

roles/installer/templates/config.yaml.j2

@@ -46,7 +46,7 @@ data:
     AWX_AUTO_DEPROVISION_INSTANCES = True
     
     CLUSTER_HOST_ID = socket.gethostname()
-    SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
+    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
     CSRF_COOKIE_SECURE = False
     SESSION_COOKIE_SECURE = False
@@ -90,11 +90,7 @@ data:
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
 {% for item in extra_settings | default([]) %}
-{% if item.value is string %}
-    {{ item.setting }} = '{{ item.value }}'
-{% else %}
     {{ item.setting }} = {{ item.value }}
-{% endif %}
 {% endfor %}
 
   nginx_conf: |

roles/installer/templates/deployment.yaml.j2

@@ -32,6 +32,25 @@ spec:
 {% if image_pull_secret %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+          volumeMounts:
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
 {% endif %}
       containers:
         - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
             - containerPort: 8053
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
           args: {{ task_args }}
 {% endif %}
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/execution_environments.py"
               subPath: execution_environments.py
@@ -211,6 +246,14 @@ spec:
           resources: {{ ee_resource_requirements }}
           args: ['receptor', '--config', '/etc/receptor.conf']
           volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
             - name: "{{ meta.name }}-receptor-config"
               mountPath: "/etc/receptor.conf"
               subPath: receptor.conf
@@ -241,6 +284,16 @@ spec:
         {{ tolerations | indent(width=8) }}
 {% endif %}
       volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
         - name: "{{ meta.name }}-nginx-certs"
           secret:

roles/installer/vars/main.yml

@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''

roles/restore/meta/main.yml

@@ -27,5 +27,5 @@ galaxy_info:
 dependencies: []
 
 collections:
-  - community.kubernetes
+  - kubernetes.core
   - operator_sdk.util

roles/restore/tasks/deploy_awx.yml

@@ -1,9 +1,5 @@
 ---
 
-- name: Save kind
-  set_fact:
-    _kind: "{{ kind }}"
-
 - name: Get AWX object definition from pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
@@ -25,22 +21,13 @@
 
 - name: Include spec vars to save them as a dict
   include_vars: "{{ tmp_spec.path }}"
-  register: spec
-
-- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
-  set_fact:
-    awx_spec: "{{ spec.ansible_facts }}"
-
-- name: Restore kind
-  set_fact:
-    kind: "{{ _kind }}"
 
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"
     namespace: "{{ meta.namespace }}"
     apply: yes
-    template: awx_object.yml.j2
+    definition: "{{ lookup('template', 'awx_object.yml.j2') }}"
     wait: true
     wait_condition:
       type: "Running"

roles/restore/templates/awx_object.yml.j2

@@ -4,4 +4,5 @@ kind: AWX
 metadata:
   name: '{{ deployment_name }}'
   namespace: '{{ meta.namespace }}'
-spec: {{ awx_spec }}
+spec:
+  {{ spec | to_yaml | indent(2) }}

roles/restore/templates/secrets.yml.j2

@@ -12,8 +12,9 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
 stringData:
-  {% for key, value in secrets[secret]['data'].items() %}
-    '{{ key }}': '{{ value | b64decode }}'
-  {% endfor %}
+{% for key, value in secrets[secret]['data'].items() %}
+  {{ key }}: |-
+    {{ value | b64decode | indent(4) }}
+{% endfor %}
 
 {% endfor %}