Look for a specific pull secret when deployed in certain cloud environments (#894)

* Load LDAP password from secret and update guideline

* Add pod_labels for custom pod labels

Signed-off-by: Loc Mai <lmai@axon.com>

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

* Load LDAP password from secret and update guideline

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

Co-authored-by: hungts <hungts@axon.com>
Co-authored-by: Loc Mai <lmai@axon.com>
Co-authored-by: Max Bidlingmaier <Max-Florian.Bidlingmaier@sap.com>
Co-authored-by: Max Bidlingmaier <maks@konsolan.de>

.github/issue_labeler.yml

@@ -0,0 +1,3 @@
+---
+needs_triage:
+  - '.*'

.github/workflows/devel.yaml

@@ -23,5 +23,5 @@ jobs:
           image: awx-operator
           tags: devel
           registry: quay.io/ansible/
-          username: ${{ secrets.QUAY_USERNAME }}
+          username: ${{ secrets.QUAY_USER }}
           password: ${{ secrets.QUAY_TOKEN }}

.github/workflows/stage.yml

@@ -0,0 +1,85 @@
+---
+name: Stage Release
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to stage'
+        required: true
+      default_awx_version:
+        description: 'Will be injected as the DEFAULT_AWX_VERSION build arg.'
+        required: true
+      confirm:
+        description: 'Are you sure? Set this to yes.'
+        required: true
+        default: 'no'
+
+jobs:
+  stage:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
+    steps:
+      - name: Verify inputs
+        run: |
+          set -e
+
+          if [[ ${{ github.event.inputs.confirm }} != "yes" ]]; then
+            >&2 echo "Confirm must be 'yes'"
+            exit 1
+          fi
+
+          if [[ ${{ github.event.inputs.version }} == "" ]]; then
+            >&2 echo "Set version to continue."
+            exit 1
+          fi
+
+          exit 0
+
+      - name: Checkout awx
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ github.repository_owner }}/awx
+          path: awx
+
+      - name: Checkout awx-operator
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ github.repository_owner }}/awx-operator
+          path: awx-operator
+
+      - name: Install playbook dependencies
+        run: |
+          python3 -m pip install docker
+
+      - name: Log in to GHCR
+        run: |
+          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build and stage awx-operator
+        working-directory: awx-operator
+        run: |
+          BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }} \
+                      --build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
+          IMAGE_TAG_BASE=ghcr.io/${{ github.repository_owner }}/awx-operator \
+          VERSION=${{ github.event.inputs.version }} make docker-build docker-push
+
+      - name: Run test deployment
+        working-directory: awx-operator
+        run: |
+          python3 -m pip install -r molecule/requirements.txt
+          ansible-galaxy collection install -r molecule/requirements.yml
+          sudo rm -f $(which kustomize)
+          make kustomize
+          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+        env:
+          AWX_TEST_VERSION: ${{ github.event.inputs.default_awx_version }}
+
+      - name: Create draft release
+        working-directory: awx
+        run: |
+          ansible-playbook tools/ansible/stage.yml \
+            -e version=${{ github.event.inputs.version }} \
+            -e repo=${{ github.repository_owner }}/awx-operator \
+            -e github_token=${{ secrets.GITHUB_TOKEN }}

.github/workflows/triage_new.yml

@@ -0,0 +1,22 @@
+---
+name: Triage
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label issues
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'

.yamllint

@@ -11,4 +11,3 @@ rules:
   truthy: disable
   line-length:
     max: 170
-    level: warning

CHANGELOG.md

@@ -2,7 +2,14 @@
 
 This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
 
-# 0.14.0 (TBA)
+# 0.19.0 (Mar 23, 2022)
+
+- Fix corrupted spec for the service with nodeport type (kurokobo) - dbaf64e
+- Add ability to deploy with OLM & added logo (Christian Adams) - 86c31a4
+- Fix backup & restore issues with special characters in the postgres password (kurokobo) - 589a375
+- Use centos:stream8 container where applicable (Shane McDonald)- 12a58d7
+
+# 0.14.0 (Oct 03, 2021)
 
 - Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x.
   - To avoid a headache, you probably want to delete your existing operator Deployment and follow the README.

Dockerfile

@@ -1,7 +1,9 @@
 FROM quay.io/operator-framework/ansible-operator:v1.12.0
 
 ARG DEFAULT_AWX_VERSION
+ARG OPERATOR_VERSION
 ENV DEFAULT_AWX_VERSION=${DEFAULT_AWX_VERSION}
+ENV OPERATOR_VERSION=${OPERATOR_VERSION}
 
 COPY requirements.yml ${HOME}/requirements.yml
 RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \

Makefile

@@ -5,6 +5,8 @@
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
 VERSION ?= $(shell git describe --tags)
 
+CONTAINER_CMD ?= docker
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -63,10 +65,10 @@ run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kub
 	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 
 docker-build: ## Build docker image with the manager.
-	docker build $(BUILD_ARGS) -t ${IMG} .
+	${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
 
 docker-push: ## Push docker image with the manager.
-	docker push ${IMG}
+	${CONTAINER_CMD} push ${IMG}
 
 ##@ Deployment
 
@@ -76,16 +78,22 @@ install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/con
 uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+gen-resources: kustomize ## Generate resources for controller and print to stdout
+	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+	@$(KUSTOMIZE) build config/default
+
 deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+	@$(KUSTOMIZE) build config/default | kubectl apply -f -
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
+	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed 's/x86_64/amd64/')
+ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -124,12 +132,11 @@ bundle: kustomize ## Generate bundle manifests and metadata, then validate gener
 	operator-sdk generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
-	cd config/manifests/bases && python inject-csv-config.py
 	operator-sdk bundle validate ./bundle
 
 .PHONY: bundle-build
 bundle-build: ## Build the bundle image.
-	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+	${CONTAINER_CMD} build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
 
 .PHONY: bundle-push
 bundle-push: ## Push the bundle image.
@@ -168,7 +175,7 @@ endif
 # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator
 .PHONY: catalog-build
 catalog-build: opm ## Build a catalog image.
-	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
+	$(OPM) index add --container-tool ${CONTAINER_CMD} --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
 
 # Push the catalog image.
 .PHONY: catalog-push

README.md

@@ -5,54 +5,62 @@
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
 
 # Table of Contents
-
+<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
+<!-- gh-md-toc --insert README.md -->
 <!--ts-->
-* [AWX Operator](#awx-operator)
-* [Table of Contents](#table-of-contents)
-   * [Purpose](#purpose)
-   * [Usage](#usage)
-      * [Basic Install](#basic-install)
-      * [Admin user account configuration](#admin-user-account-configuration)
-      * [Network and TLS Configuration](#network-and-tls-configuration)
-         * [Service Type](#service-type)
-         * [Ingress Type](#ingress-type)
-      * [Database Configuration](#database-configuration)
-         * [External PostgreSQL Service](#external-postgresql-service)
-         * [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
-         * [Managed PostgreSQL Service](#managed-postgresql-service)
-      * [Advanced Configuration](#advanced-configuration)
-         * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
-         * [Privileged Tasks](#privileged-tasks)
-         * [Containers Resource Requirements](#containers-resource-requirements)
-         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
-         * [Persisting Projects Directory](#persisting-projects-directory)
-         * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
-         * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
-         * [Extra Settings](#extra-settings)
-         * [Service Account](#service-account)
-      * [Uninstall](#uninstall)
-   * [Upgrading](#upgrading)
-   * [Contributing](#contributing)
-   * [Release Process](#release-process)
-      * [Verifiy Functionality](#verify-functionality)
-      * [Update Version](#update-version)
-      * [Commit / Create Release](#commit--create-release)
-   * [Author](#author)
+- [AWX Operator](#awx-operator)
+- [Table of Contents](#table-of-contents)
+  - [Purpose](#purpose)
+  - [Usage](#usage)
+    - [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
+    - [Basic Install](#basic-install)
+    - [Admin user account configuration](#admin-user-account-configuration)
+    - [Network and TLS Configuration](#network-and-tls-configuration)
+      - [Service Type](#service-type)
+      - [Ingress Type](#ingress-type)
+    - [Database Configuration](#database-configuration)
+      - [External PostgreSQL Service](#external-postgresql-service)
+      - [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
+      - [Managed PostgreSQL Service](#managed-postgresql-service)
+    - [Advanced Configuration](#advanced-configuration)
+      - [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
+      - [Redis container capabilities](#redis-container-capabilities)
+      - [Privileged Tasks](#privileged-tasks)
+      - [Containers Resource Requirements](#containers-resource-requirements)
+      - [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
+      - [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+      - [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
+      - [Persisting Projects Directory](#persisting-projects-directory)
+      - [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
+      - [Default execution environments from private registries](#default-execution-environments-from-private-registries)
+        - [Control plane ee from private registry](#control-plane-ee-from-private-registry)
+      - [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+      - [Extra Settings](#extra-settings)
+      - [Service Account](#service-account)
+    - [Uninstall](#uninstall)
+    - [Upgrading](#upgrading)
+      - [v0.14.0](#v0140)
+        - [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
+        - [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
+        - [Steps to upgrade](#steps-to-upgrade)
+  - [Contributing](#contributing)
+  - [Release Process](#release-process)
+  - [Author](#author)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
 <!--te-->
 
 ## Purpose
 
 This operator is meant to provide a more Kubernetes-native installation method for AWX via an AWX Custom Resource Definition (CRD).
 
-> :warning: The operator is not supported by Red Hat, and is in **alpha** status. For now, use it at your own risk!
-
 ## Usage
 
-### Basic Install
-
 This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
 
-For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
+### Creating a minikube cluster for testing
+
+If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
 
 ```
 $ minikube start --cpus=4 --memory=6g --addons=ingress
@@ -101,26 +109,47 @@ Let's create an alias for easier usage:
 $ alias kubectl="minikube kubectl --"
 ```
 
-Now you need to deploy AWX Operator into your cluster. Clone this repo and `git checkout` the latest version from https://github.com/ansible/awx-operator/releases, and then run the following command:
+### Basic Install
+
+Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/
+
+First, create a file called `kustomization.yaml` with the following content:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+
+# Set the image tags to match the git version from above
+images:
+  - name: quay.io/ansible/awx-operator
+    newTag: <tag>
+
+# Specify a custom namespace in which to install AWX
+namespace: awx
+```
+
+> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
+
+Install the manifests by running this:
 
 ```
-$ export NAMESPACE=my-namespace
-$ make deploy
-cd config/manager && /home/user/awx-operator/bin/kustomize edit set image controller=quay.io/ansible/awx-operator:0.14.0
-/home/user/awx-operator/bin/kustomize build config/default | kubectl apply -f -
-namespace/my-namespace created
+$ kustomize build . | kubectl apply -f -
+namespace/awx created
 customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
 serviceaccount/awx-operator-controller-manager created
+role.rbac.authorization.k8s.io/awx-operator-awx-manager-role created
 role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
-role.rbac.authorization.k8s.io/awx-operator-manager-role created
 clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
 clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
+rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding created
 rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
-rolebinding.rbac.authorization.k8s.io/awx-operator-manager-rolebinding created
 clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
-configmap/awx-operator-manager-config created
+configmap/awx-operator-awx-manager-config created
 service/awx-operator-controller-manager-metrics-service created
 deployment.apps/awx-operator-controller-manager created
 ```
@@ -128,18 +157,18 @@ deployment.apps/awx-operator-controller-manager created
 Wait a bit and you should have the `awx-operator` running:
 
 ```
-$ kubectl get pods -n $NAMESPACE
+$ kubectl get pods -n awx
 NAME                                               READY   STATUS    RESTARTS   AGE
 awx-operator-controller-manager-66ccd8f997-rhd4z   2/2     Running   0          11s
 ```
 
-So we don't have to keep repeating `-n $NAMESPACE`, let's set the current namespace for `kubectl`:
+So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:
 
 ```
-$ kubectl config set-context --current --namespace=$NAMESPACE 
+$ kubectl config set-context --current --namespace=awx
 ```
 
-Next, create a file named `awx-demo.yml` with the suggested content below. The `metadata.name` you provide, will be the name of the resulting AWX deployment.
+Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
 
 **Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
 
@@ -153,11 +182,21 @@ spec:
   service_type: nodeport
 ```
 
-Finally, use `kubectl` to create the awx instance in your cluster:
+Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
+
+```yaml
+...
+resources:
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+  # Add this extra line:
+  - awx-demo.yaml
+...
+```
+
+Finally, run `kustomize` again to create the AWX instance in your cluster:
 
 ```
-$ kubectl apply -f awx-demo.yml
-awx.awx.ansible.com/awx-demo created
+kustomize build . | kubectl apply -f -
 ```
 
 After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
@@ -197,17 +236,16 @@ You just completed the most basic install of an AWX instance via this operator.
 
 For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
 
-[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
 
 ### Admin user account configuration
 
 There are three variables that are customizable for the admin user account creation.
 
-| Name                        | Description                                  | Default          |
-| --------------------------- | -------------------------------------------- | ---------------- |
-| admin_user                  | Name of the admin user                       | admin            |
-| admin_email                 | Email of the admin user                      | test@example.com |
-| admin_password_secret       | Secret that contains the admin user password | Empty string     |
+| Name                  | Description                                  | Default          |
+| --------------------- | -------------------------------------------- | ---------------- |
+| admin_user            | Name of the admin user                       | admin            |
+| admin_email           | Email of the admin user                      | test@example.com |
+| admin_password_secret | Secret that contains the admin user password | Empty string     |
 
 
 > :warning: **admin_password_secret must be a Kubernetes secret and not your text clear password**.
@@ -240,15 +278,18 @@ The `service_type` supported options are: `ClusterIP`, `LoadBalancer` and `NodeP
 
 The following variables are customizable for any `service_type`
 
-| Name                                  | Description                                   | Default                           |
-| ------------------------------------- | --------------------------------------------- | --------------------------------- |
-| service_labels                  | Add custom labels                             | Empty string                      |
+| Name                | Description             | Default      |
+| ------------------- | ----------------------- | ------------ |
+| service_labels      | Add custom labels       | Empty string |
+| service_annotations | Add service annotations | Empty string |
 
 ```yaml
 ---
 spec:
   ...
   service_type: ClusterIP
+  service_annotations: |
+    environment: testing
   service_labels: |
     environment: testing
 ```
@@ -257,11 +298,10 @@ spec:
 
 The following variables are customizable only when `service_type=LoadBalancer`
 
-| Name                           | Description                              | Default       |
-| ------------------------------ | ---------------------------------------- | ------------- |
-| loadbalancer_annotations | LoadBalancer annotations                 | Empty string  |
-| loadbalancer_protocol    | Protocol to use for Loadbalancer ingress | http          |
-| loadbalancer_port        | Port used for Loadbalancer ingress       | 80            |
+| Name                  | Description                              | Default |
+| --------------------- | ---------------------------------------- | ------- |
+| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http    |
+| loadbalancer_port     | Port used for Loadbalancer ingress       | 80      |
 
 ```yaml
 ---
@@ -270,7 +310,7 @@ spec:
   service_type: LoadBalancer
   loadbalancer_protocol: https
   loadbalancer_port: 443
-  loadbalancer_annotations: |
+  service_annotations: |
     environment: testing
   service_labels: |
     environment: testing
@@ -284,9 +324,9 @@ The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and
 
 The following variables are customizable only when `service_type=NodePort`
 
-| Name                           | Description                              | Default       |
-| ------------------------------ | ---------------------------------------- | ------------- |
-| nodeport_port            | Port used for NodePort       | 30080            |
+| Name          | Description            | Default |
+| ------------- | ---------------------- | ------- |
+| nodeport_port | Port used for NodePort | 30080   |
 
 ```yaml
 ---
@@ -314,13 +354,13 @@ spec:
 
 The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
 
-| Name                       | Description                              | Default                      |
-| -------------------------- | ---------------------------------------- | ---------------------------- |
-| ingress_annotations        | Ingress annotations                      | Empty string                 |
-| ingress_tls_secret         | Secret that contains the TLS information | Empty string                 |
-| hostname                   | Define the FQDN                          | {{ meta.name }}.example.com  |
-| ingress_path               | Define the ingress path to the service   | /                            |
-| ingress_path_type          | Define the type of the path (for LBs)    | Prefix                       |
+| Name                | Description                              | Default                     |
+| ------------------- | ---------------------------------------- | --------------------------- |
+| ingress_annotations | Ingress annotations                      | Empty string                |
+| ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
+| hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
+| ingress_path        | Define the ingress path to the service   | /                           |
+| ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
 
 ```yaml
 ---
@@ -336,8 +376,8 @@ spec:
 
 The following variables are customizable when `ingress_type=route`
 
-| Name                                  | Description                                   | Default                                                 |
-| ------------------------------------- | --------------------------------------------- | --------------------------------------------------------|
+| Name                            | Description                                   | Default                                                 |
+| ------------------------------- | --------------------------------------------- | ------------------------------------------------------- |
 | route_host                      | Common name the route answers for             | `<instance-name>-<namespace>-<routerCanonicalHostname>` |
 | route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge                                                    |
 | route_tls_secret                | Secret that contains the TLS information      | Empty string                                            |
@@ -379,7 +419,7 @@ stringData:
 type: Opaque
 ```
 
-> Please ensure that the value for the variable "password" is wrapped in quotes if the password contains any special characters.
+> Please ensure that the value for the variable `password` should _not_ contain single or double quotes (`'`, `"`) or backslashes (`\`) to avoid any issues during deployment, backup or restoration.
 
 > It is possible to set a specific username, password, port, or database, but still have the database managed by the operator. In this case, when creating the postgres-configuration secret, the `type: managed` field should be added.
 
@@ -395,13 +435,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
 
 The following variables are customizable for the managed PostgreSQL service
 
-| Name                                 | Description                                | Default                           |
-| ------------------------------------ | ------------------------------------------ | --------------------------------- |
-| postgres_image                       | Path of the image to pull                  | postgres:12                       |
-| postgres_resource_requirements       | PostgreSQL container resource requirements | Empty object                      |
-| postgres_storage_requirements        | PostgreSQL container storage requirements  | requests: {storage: 8Gi}          |
-| postgres_storage_class               | PostgreSQL PV storage class                | Empty string                      |
-| postgres_data_path                   | PostgreSQL data path                       | `/var/lib/postgresql/data/pgdata` |
+| Name                                          | Description                                   | Default                            |
+| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
+| postgres_image                                | Path of the image to pull                     | postgres:12                        |
+| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}           |
+| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                       |
+| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata`  |
+| postgres_priority_class                       | Priority class used for PostgreSQL pod        | Empty string                       |
 
 Example of customization could be:
 
@@ -422,6 +464,9 @@ spec:
     limits:
       storage: 50Gi
   postgres_storage_class: fast-ssd
+  postgres_extra_args:
+    - '-c'
+    - 'max_connections=1000'
 ```
 
 **Note**: If `postgres_storage_class` is not defined, Postgres will store it's data on a volume using the default storage class for your cluster.
@@ -432,15 +477,15 @@ spec:
 
 There are a few variables that are customizable for awx the image management.
 
-| Name                      | Description                |
-| --------------------------| -------------------------- |
-| image                     | Path of the image to pull  |
-| image_version             | Image version to pull      |
-| image_pull_policy         | The pull policy to adopt   |
-| image_pull_secret         | The pull secret to use     |
-| ee_images                 | A list of EEs to register  |
-| redis_image               | Path of the image to pull  |
-| redis_image_version       | Image version to pull      |
+| Name                | Description               |
+| ------------------- | ------------------------- |
+| image               | Path of the image to pull |
+| image_version       | Image version to pull     |
+| image_pull_policy   | The pull policy to adopt  |
+| image_pull_secrets  | The pull secrets to use   |
+| ee_images           | A list of EEs to register |
+| redis_image         | Path of the image to pull |
+| redis_image_version | Image version to pull     |
 
 Example of customization could be:
 
@@ -451,7 +496,8 @@ spec:
   image: myorg/my-custom-awx
   image_version: latest
   image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
   ee_images:
     - name: my-custom-awx-ee
       image: myorg/my-custom-awx-ee
@@ -497,11 +543,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                             | Description                                      | Default                             |
-| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
-| web_resource_requirements        | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements       | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
-| ee_resource_requirements         | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                       | Description                                      | Default                              |
+| -------------------------- | ------------------------------------------------ | ------------------------------------ |
+| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 100m, memory: 128Mi} |
+| task_resource_requirements | Task container resource requirements             | requests: {cpu: 100m, memory: 128Mi} |
+| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
 
 Example of customization could be:
 
@@ -511,42 +557,63 @@ spec:
   ...
   web_resource_requirements:
     requests:
-      cpu: 1000m
+      cpu: 250m
       memory: 2Gi
     limits:
-      cpu: 2000m
+      cpu: 1000m
       memory: 4Gi
   task_resource_requirements:
     requests:
-      cpu: 500m
+      cpu: 250m
       memory: 1Gi
     limits:
-      cpu: 1000m
+      cpu: 2000m
       memory: 2Gi
   ee_resource_requirements:
     requests:
-      cpu: 500m
-      memory: 1Gi
+      cpu: 250m
+      memory: 100Mi
     limits:
-      cpu: 1000m
+      cpu: 500m
       memory: 2Gi
 ```
 
+#### Priority Classes
+
+The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
+First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
+Then set the name of your priority class to the control plane and postgres pods as shown below.  
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  ...
+  control_plane_priority_class: awx-demo-high-priority
+  postgres_priority_class: awx-demo-medium-priority
+```
+
 #### Assigning AWX pods to specific nodes
 
 You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
 the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
 pods to be scheduled onto nodes with matching taints.
+The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
 
 
-| Name                           | Description                 | Default |
-| -------------------------------| --------------------------- | ------- |
-| postgres_image                 | Path of the image to pull   | 12      |
-| postgres_image_version         | Image version to pull       | 12      |
-| node_selector                  | AWX pods' nodeSelector      | ''      |
-| tolerations                    | AWX pods' tolerations       | ''      |
-| postgres_selector              | Postgres pods' nodeSelector | ''      |
-| postgres_tolerations           | Postgres pods' tolerations  | ''      |
+| Name                        | Description                         | Default |
+| --------------------------- | ----------------------------------- | ------- |
+| postgres_image              | Path of the image to pull           | 12      |
+| postgres_image_version      | Image version to pull               | 12      |
+| node_selector               | AWX pods' nodeSelector              | ''      |
+| topology_spread_constraints | AWX pods' topologySpreadConstraints | ''      |
+| tolerations                 | AWX pods' tolerations               | ''      |
+| annotations                 | AWX pods' annotations               | ''      |
+| postgres_selector           | Postgres pods' nodeSelector         | ''      |
+| postgres_tolerations        | Postgres pods' tolerations          | ''      |
 
 Example of customization could be:
 
@@ -558,6 +625,13 @@ spec:
     disktype: ssd
     kubernetes.io/arch: amd64
     kubernetes.io/os: linux
+  topology_spread_constraints: |
+    - maxSkew: 100
+      topologyKey: "topology.kubernetes.io/zone"
+      whenUnsatisfiable: "ScheduleAnyway"
+      labelSelector:
+        matchLabels:
+          app.kubernetes.io/name: "<resourcename>"
   tolerations: |
     - key: "dedicated"
       operator: "Equal"
@@ -584,8 +658,8 @@ Trusting a custom Certificate Authority allows the AWX to access network service
 | Name                             | Description                              | Default |
 | -------------------------------- | ---------------------------------------- | --------|
 | ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
 | bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
-
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
 
 Example of customization could be:
@@ -595,10 +669,13 @@ Example of customization could be:
 spec:
   ...
   ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
   bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret
 
 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -606,17 +683,77 @@ To create the secret, you can use the command below:
     --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory
 
 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
 
-| Name                               | Description                                                                                          | Default        |
-| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
-| projects_persistence         | Whether or not the /var/lib/projects directory will be persistent                                    |  false         |
-| projects_storage_class       | Define the PersistentVolume storage class                                                            |  ''            |
-| projects_storage_size        | Define the PersistentVolume size                                                                     |  8Gi           |
-| projects_storage_access_mode | Define the PersistentVolume access mode                                                              |  ReadWriteMany |
-| projects_existing_claim      | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) |  ''            |
+| Name                         | Description                                                                                    | Default       |
+| ---------------------------- | ---------------------------------------------------------------------------------------------- | ------------- |
+| projects_persistence         | Whether or not the /var/lib/projects directory will be persistent                              | false         |
+| projects_storage_class       | Define the PersistentVolume storage class                                                      | ''            |
+| projects_storage_size        | Define the PersistentVolume size                                                               | 8Gi           |
+| projects_storage_access_mode | Define the PersistentVolume access mode                                                        | ReadWriteMany |
+| projects_existing_claim      | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | ''            |
 
 Example of customization when the `awx-operator` automatically handles the persistent volume could be:
 
@@ -633,14 +770,14 @@ spec:
 
 In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
 
-| Name                              | Description                                              | Default |
-| --------------------------------- | -------------------------------------------------------- | ------- |
-| extra_volumes                     | Specify extra volumes to add to the application pod      | ''      |
-| web_extra_volume_mounts           | Specify volume mounts to be added to Web container       | ''      |
-| task_extra_volume_mounts          | Specify volume mounts to be added to Task container      | ''      |
-| ee_extra_volume_mounts            | Specify volume mounts to be added to Execution container | ''      |
-| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container      | ''      |
-| init_container_extra_commands     | Specify additional commands for Init container           | ''      |
+| Name                               | Description                                              | Default |
+| ---------------------------------- | -------------------------------------------------------- | ------- |
+| extra_volumes                      | Specify extra volumes to add to the application pod      | ''      |
+| web_extra_volume_mounts            | Specify volume mounts to be added to Web container       | ''      |
+| task_extra_volume_mounts           | Specify volume mounts to be added to Task container      | ''      |
+| ee_extra_volume_mounts             | Specify volume mounts to be added to Execution container | ''      |
+| init_container_extra_volume_mounts | Specify volume mounts to be added to Init container      | ''      |
+| init_container_extra_commands      | Specify additional commands for Init container           | ''      |
 
 
 > :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -735,7 +872,7 @@ type: Opaque
 ```
 
 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
 
 You can create `image_pull_secret`
 ```
@@ -761,11 +898,11 @@ type: kubernetes.io/dockerconfigjson
 
 If you need to export custom environment variables to your containers.
 
-| Name                          | Description                                              | Default |
-| ----------------------------- | -------------------------------------------------------- | ------- |
-| task_extra_env                | Environment variables to be added to Task container      | ''      |
-| web_extra_env                 | Environment variables to be added to Web container       | ''      |
-| ee_extra_env                  | Environment variables to be added to EE container        | ''      |
+| Name           | Description                                         | Default |
+| -------------- | --------------------------------------------------- | ------- |
+| task_extra_env | Environment variables to be added to Task container | ''      |
+| web_extra_env  | Environment variables to be added to Web container  | ''      |
+| ee_extra_env   | Environment variables to be added to EE container   | ''      |
 
 > :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
@@ -784,13 +921,43 @@ Example configuration of environment variables
         value: foo
 ```
 
+#### CSRF Cookie Secure Setting
+
+With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name               | Description        | Default |
+| ------------------ | ------------------ | ------- |
+| csrf_cookie_secure | CSRF Cookie Secure | ''      |
+
+Example configuration of the `csrf_cookie_secure` setting:
+
+```yaml
+  spec:
+    csrf_cookie_secure: 'False'
+```
+
+#### Session Cookie Secure Setting
+
+With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name                  | Description           | Default |
+| --------------------- | --------------------- | ------- |
+| session_cookie_secure | Session Cookie Secure | ''      |
+
+Example configuration of the `session_cookie_secure` setting:
+
+```yaml
+  spec:
+    session_cookie_secure: 'False'
+```
+
 #### Extra Settings
 
 With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
 
-| Name                          | Description                                              | Default |
-| ----------------------------- | -------------------------------------------------------- | ------- |
-| extra_settings                | Extra settings                                           | ''      |
+| Name           | Description    | Default |
+| -------------- | -------------- | ------- |
+| extra_settings | Extra settings | ''      |
 
 Example configuration of `extra_settings` parameter
 
@@ -808,9 +975,9 @@ Example configuration of `extra_settings` parameter
 
 If you need to modify some `ServiceAccount` proprieties
 
-| Name                          | Description                                              | Default |
-| ----------------------------- | -------------------------------------------------------- | ------- |
-| service_account_annotations   | Annotations to the ServiceAccount                        | ''      |
+| Name                        | Description                       | Default |
+| --------------------------- | --------------------------------- | ------- |
+| service_account_annotations | Annotations to the ServiceAccount | ''      |
 
 Example configuration of environment variables
 
@@ -849,6 +1016,21 @@ delete your existing `awx-operator` service account, role and role binding.
 
 Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x. You may need to manually delete your old operator Deployment to avoid issues.
 
+##### Steps to upgrade
+
+Delete your old AWX Operator and existing `awx-operator` service account, role and role binding in `default` namespace first:
+
+```
+$ kubectl -n default delete deployment awx-operator
+$ kubectl -n default delete serviceaccount awx-operator
+$ kubectl -n default delete clusterrolebinding awx-operator
+$ kubectl -n default delete clusterrole awx-operator
+```
+
+Then install the new AWX Operator by following the instructions in [Basic Install](#basic-install-on-existing-cluster). The `NAMESPACE` environment variable have to be the name of the namespace in which your old AWX instance resides.
+
+Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
+
 ## Contributing
 
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
@@ -856,46 +1038,11 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
 
 ## Release Process
 
-### Update version and files
+The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you dont need to do it as a separate step.
 
-Update the awx-operator version:
+If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
 
-  - `Makefile`
-
-### Verify Functionality
-
-Run the following command inside this directory:
-
-```
-$ IMAGE_TAG_BASE=quay.io/<user>/awx-operator make docker-build docker-push
-```
-
-After it is built, test it on a local cluster:
-
-```
-$ minikube start --memory 6g --cpus 4
-$ minikube addons enable ingress
-$ export NAMESPACE=example-awx
-$ make deploy
-$ ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=$NAMESPACE -e image=quay.io/<user>/awx -e service_type=nodeport
-$ # Verify that the awx-task and awx-web containers are launched
-$ # with the right version of the awx image
-$ # Launch a job at `minikube service awx-demo-service --url -n $NAMESPACE`
-$ minikube delete
-```
-
-### Update changelog
-
-Generate a list of commits between the versions and add it to the [changelog](./CHANGELOG.md).
-```
-$ git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
-```
-
-### Commit / Create Release
-
-If everything works, commit the updated version, then [publish a new release](https://github.com/ansible/awx-operator/releases/new) using the same version you used in `ansible/group_vars/all`.
-
-After creating the release, [this GitHub Workflow](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/release.yaml) will run and publish the new image to quay.io.
+After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
 
 ## Author
 

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -67,6 +67,9 @@ spec:
                 extra_volumes:
                   description: Specify extra volumes to add to the application pod
                   type: string
+                service_annotations:
+                  description: Annotations to add to the service
+                  type: string
                 service_type:
                   description: The service type to be used on the deployed instance
                   type: string
@@ -98,9 +101,6 @@ spec:
                 ingress_tls_secret:
                   description: Secret where the Ingress TLS secret can be found
                   type: string
-                loadbalancer_annotations:
-                  description: Annotations to add to the loadbalancer
-                  type: string
                 loadbalancer_protocol:
                   description: Protocol to use for the loadbalancer
                   type: string
@@ -134,9 +134,15 @@ spec:
                 node_selector:
                   description: nodeSelector for the pods
                   type: string
+                topology_spread_constraints:
+                  description: topology rule(s) for the pods
+                  type: string
                 service_labels:
                   description: Additional labels to apply to the service
                   type: string
+                annotations:
+                  description: annotations for the pods
+                  type: string
                 tolerations:
                   description: node tolerations for the pods
                   type: string
@@ -159,6 +165,9 @@ spec:
                 control_plane_ee_image:
                   description: Registry path to the Execution Environment container image to use on control plane pods
                   type: string
+                control_plane_priority_class:
+                  description: Assign a preexisting priority class to the control plane pods
+                  type: string
                 ee_pull_credentials_secret:
                   description: Secret where pull credentials for registered ees can be found
                   type: string
@@ -173,8 +182,13 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
+                image_pull_secrets:
+                  description: Image pull secrets for app and database containers
+                  type: array
+                  items:
+                    type: string
+                image_pull_secret:  # deprecated
+                  description: (Deprecated) Image pull secret for app and database containers
                   type: string
                 task_resource_requirements:
                   description: Resource requirements for the task container
@@ -242,6 +256,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                postgres_init_container_resource_requirements:
+                  description: Resource requirements for the postgres init container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -359,9 +395,16 @@ spec:
                 postgres_storage_class:
                   description: Storage class to use for the PostgreSQL PVC
                   type: string
+                postgres_priority_class:
+                  description: Assign a preexisting priority class to the postgres pod
+                  type: string
                 postgres_data_path:
                   description: Path where the PostgreSQL data are located
                   type: string
+                postgres_extra_args:
+                  type: array
+                  items:
+                    type: string
                 ca_trust_bundle:
                   description: Path where the trusted CA bundle is available
                   type: string
@@ -371,6 +414,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                 bundle_cacert_secret:
                   description: Secret where can be found the trusted Certificate Authority Bundle
                   type: string
@@ -398,6 +444,12 @@ spec:
                   description: AccessMode for the /var/lib/projects PersistentVolumeClaim
                   default: ReadWriteMany
                   type: string
+                csrf_cookie_secure:
+                  description: Set csrf cookie secure mode for web
+                  type: string
+                session_cookie_secure:
+                  description: Set session cookie secure mode for web
+                  type: string
                 extra_settings:
                   description: Extra settings to specify for the API
                   items:

config/manager/manager.yaml

@@ -34,6 +34,8 @@ spec:
           env:
             - name: ANSIBLE_GATHERING
               value: explicit
+            - name: ANSIBLE_DEBUG_LOGS
+              value: 'false'
             - name: WATCH_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -53,4 +55,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 10
       serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: ansible-deployment-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/bases/inject-csv-config.py

@@ -1,24 +0,0 @@
-'''
-After generating the CSV file, inject custom configuration such as
-OLM parameters, relatedImages, etc.
-'''
-
-import yaml
-
-csv_path = "../../../bundle/manifests/awx-operator.clusterserviceversion.yaml"
-existing_csv = open(csv_path, 'r')
-csv = yaml.safe_load(existing_csv)
-
-
-raw_olm_params = open("olm-parameters.yaml")
-olm_params = yaml.safe_load(raw_olm_params)
-
-# Inject OLM parameters for Customer Resource Objects
-csv['spec']['customresourcedefinitions']['owned'] = olm_params
-
-csv['metadata']['annotations']['alm-examples'] = ''
-
-file_content = yaml.safe_dump(csv, default_flow_style=False, explicit_start=True)
-
-with open(csv_path, 'w') as f:
-    f.write(file_content)

config/manifests/bases/olm-parameters.yaml

@@ -1,594 +0,0 @@
----
-- displayName: AWX Backup
-  description: Back up a deployment of the awx, including jobs, inventories, and credentials
-  kind: AWXBackup
-  name: awxbackups.awx.ansible.com
-  version: v1beta1
-  specDescriptors:
-  - displayName: Deployment name
-    path: deployment_name
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:text
-  - displayName: Backup persistent volume claim
-    path: backup_pvc
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:text
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-  - displayName: Backup persistent volume claim namespace
-    path: backup_pvc_namespace
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:text
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-  - displayName: Backup PVC storage requirements
-    path: backup_storage_requirements
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:text
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-  - displayName: Backup PVC storage class
-    path: backup_storage_class
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:text
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-  - displayName: Database backup label selector
-    path: postgres_label_selector
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-      - urn:alm:descriptor:com.tectonic.ui:hidden
-  - displayName: PostgreSQL Image
-    path: postgres_image
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-      - urn:alm:descriptor:com.tectonic.ui:hidden
-  - displayName: PostgreSQL Image Version
-    path: postgres_image_version
-    x-descriptors:
-      - urn:alm:descriptor:com.tectonic.ui:advanced
-      - urn:alm:descriptor:com.tectonic.ui:hidden
-  statusDescriptors:
-    - description: The persistent volume claim name used during backup
-      displayName: Backup claim
-      path: backupClaim
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - description: The directory data is backed up to on the PVC
-      displayName: Backup directory
-      path: backupDirectory
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-- displayName: AWX Restore
-  description: Restore a previous awx deployment into the namespace
-  kind: AWXRestore
-  name: awxrestores.awx.ansible.com
-  version: v1beta1
-  specDescriptors:
-    - displayName: Backup source to restore ?
-      path: backup_source
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:select:CR
-        - urn:alm:descriptor:com.tectonic.ui:select:PVC
-    - displayName: Backup name
-      path: backup_name
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
-    - displayName: Name of newly restored deployment
-      path: deployment_name
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Backup persistent volume claim
-      path: backup_pvc
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
-    - displayName: Backup namespace
-      path: backup_pvc_namespace
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Backup directory in the persistent volume claim
-      path: backup_dir
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
-    - displayName: Database restore label selector
-      path: postgres_label_selector
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: PostgreSQL Image
-      path: postgres_image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: PostgreSQL Image Version
-      path: postgres_image_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-  statusDescriptors:
-    - description: The state of the restore
-      displayName: Restore status
-      path: restoreComplete
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-- description: Deploy a new instance of AWX
-  displayName: AWX
-  kind: AWX
-  name: awxs.awx.ansible.com
-  version: v1beta1
-  specDescriptors:
-    - displayName: Hostname
-      path: hostname
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Admin account username
-      path: admin_user
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Admin email address
-      path: admin_email
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Admin password secret
-      path: admin_password_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Database configuration secret
-      path: postgres_configuration_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Old Database configuration secret
-      path: old_postgres_configuration_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Secret key secret
-      path: secret_key_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Broadcast Websocket Secret
-      path: broadcast_websocket_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Service Account Annotations
-      path: service_account_annotations
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Tower Service Type
-      path: service_type
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:select:ClusterIP
-        - urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
-        - urn:alm:descriptor:com.tectonic.ui:select:NodePort
-    - displayName: Tower Ingress Type
-      path: ingress_type
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:select:none
-        - urn:alm:descriptor:com.tectonic.ui:select:Ingress
-        - urn:alm:descriptor:com.tectonic.ui:select:Route
-    - displayName: Ingress Path
-      path: ingress_path
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-    - displayName: Ingress Path Type
-      path: ingress_path_type
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-    - displayName: Tower Ingress Annotations
-      path: ingress_annotations
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-    - displayName: Tower Ingress TLS Secret
-      path: ingress_tls_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-    - displayName: Tower LoadBalancer Annotations
-      path: loadbalancer_annotations
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
-    - displayName: Tower LoadBalancer Protocol
-      path: loadbalancer_protocol
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:select:http
-        - urn:alm:descriptor:com.tectonic.ui:select:https
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
-    - displayName: Tower LoadBalancer Port
-      path: loadbalancer_port
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:number
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
-    - displayName: Route DNS host
-      path: route_host
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
-    - displayName: Route TLS termination mechanism
-      path: route_tls_termination_mechanism
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:select:Edge
-        - urn:alm:descriptor:com.tectonic.ui:select:Passthrough
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
-    - displayName: Route TLS credential secret
-      path: route_tls_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
-    - displayName: Image Pull Policy
-      path: image_pull_policy
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-    - displayName: Image Pull Secret
-      path: image_pull_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Web container resource requirements
-      path: web_resource_requirements
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-    - displayName: Task container resource requirements
-      path: task_resource_requirements
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-    - displayName: EE Control Plane container resource requirements
-      path: ee_resource_requirements
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-    - displayName: PostgreSQL container resource requirements (when using a managed
-        instance)
-      path: postgres_resource_requirements
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-    - displayName: PostgreSQL container storage requirements (when using a managed
-        instance)
-      path: postgres_storage_requirements
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-    - displayName: Replicas
-      path: replicas
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:number
-    - displayName: Remove used secrets on instance removal ?
-      path: garbage_collect_secrets
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-    - displayName: Preload instance with data upon creation ?
-      path: create_preload_data
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-    - displayName: Deploy the instance in development mode ?
-      path: development_mode
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Should the task container deployed with privileged level ?
-      path: task_privileged
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Deployment Type
-      path: deployment_type
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Deployment Kind
-      path: kind
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Deployment apiVersion
-      path: api_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Image
-      path: image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Image Version
-      path: image_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Redis Image
-      path: redis_image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Redis Image Version
-      path: redis_image_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Redis Capabilities
-      path: redis_capabilities
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: PostgreSQL Image
-      path: postgres_image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: PostgreSQL Image Version
-      path: postgres_image_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Postgres Selector
-      path: postgres_selector
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Postgres Label Selector
-      path: postgres_label_selector
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Postgres Tolerations
-      path: postgres_tolerations
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Postgres Storage Class
-      path: postgres_storage_class
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Postgres Datapath
-      path: postgres_data_path
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Certificate Authorirty Trust Bundle
-      path: ca_trust_bundle
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: LDAP Certificate Authority Trust Bundle
-      path: ldap_cacert_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Task Args
-      path: task_args
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Enable persistence for /var/lib/projects directory?
-      path: projects_persistence
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-    - displayName: Use existing Persistent Claim?
-      path: projects_use_existing_claim
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:select:_Yes_
-        - urn:alm:descriptor:com.tectonic.ui:select:_No_
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_persistence:true
-    - displayName: Projects Existing Persistent Claim
-      path: projects_existing_claim
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
-        - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
-    - description: Projects Storage Class Name. If not present, the default storage
-        class will be used.
-      displayName: Projects Storage Class Name
-      path: projects_storage_class
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - description: Projects Storage Size
-      displayName: Projects Storage Size
-      path: projects_storage_size
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - description: Projects Storage Access Mode
-      displayName: Projects Storage Access Mode
-      path: projects_storage_access_mode
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - displayName: Task Command
-      path: task_command
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Environment variables to be added to Task container
-      displayName: Task Extra Env
-      path: task_extra_env
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Specify volume mounts to be added to Execution container
-      displayName: EE Extra Volume Mounts
-      path: ee_extra_volume_mounts
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Registry path to the Execution Environment container to use
-      displayName: EE Images
-      path: ee_images
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Environment variables to be added to EE container
-      displayName: EE Extra Env
-      path: ee_extra_env
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Registry path to the Execution Environment container to use on
-        control plane pods
-      displayName: Control Plane EE Image
-      path: control_plane_ee_image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: EE Images Pull Credentials Secret
-      displayName: EE Images Pull Credentials Secret
-      path: ee_pull_credentials_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - description: Specify volume mounts to be added to Task container
-      displayName: Task Extra Volume Mounts
-      path: task_extra_volume_mounts
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Web Args
-      path: web_args
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Web Command
-      path: web_command
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Environment variables to be added to Web container
-      displayName: Web Extra Env
-      path: web_extra_env
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Specify volume mounts to be added to Web container
-      displayName: Web Extra Volume Mounts
-      path: web_extra_volume_mounts
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Specify extra volumes to add to the application pod
-      displayName: Extra Volumes
-      path: extra_volumes
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Node Selector
-      path: node_selector
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Service Labels
-      path: service_labels
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Tolerations
-      path: tolerations
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: API Extra Settings
-      path: extra_settings
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - displayName: Security Context Settings
-      path: security_context_settings
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Registry path to the init container to use
-      displayName: Init Container Image
-      path: init_container_image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Init container image version to use
-      displayName: Init Container Image Version
-      path: init_container_image_version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Specify Extra commands for the Init container
-      displayName: Init Container Extra Commands
-      path: init_container_extra_commands
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Specify volume mounts to be added to Init container
-      displayName: Init Container Extra Volume Mounts
-      path: init_container_extra_volume_mounts
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-    - description: Secret where can be found the trusted Certificate Authority Bundle
-      path: bundle_cacert_secret
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - displayName: Nodeport Port
-      path: nodeport_port
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-  statusDescriptors:
-    - description: Route to access the instance deployed
-      displayName: URL
-      path: URL
-      x-descriptors:
-        - urn:alm:descriptor:org.w3:link
-    - description: Admin user for the instance deployed
-      displayName: Admin User
-      path: adminUser
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - description: Admin password for the instance deployed
-      displayName: Admin Password
-      path: adminPasswordSecret
-      x-descriptors:
-        - urn:alm:descriptor:io.kubernetes:Secret
-    - description: Version of the instance deployed
-      displayName: Version
-      path: version
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text
-    - description: Image of the instance deployed
-      displayName: Image
-      path: image
-      x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:text

docs/debugging.md

@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```

molecule/default/molecule.yml

@@ -23,6 +23,7 @@ provisioner:
       localhost:
         awx_image: ${AWX_TEST_IMAGE:-""}
         awx_version: ${AWX_TEST_VERSION:-""}
+        default_awx_version: "{{ lookup('url', 'https://api.github.com/repos/ansible/awx/releases/latest') | from_json | json_query('tag_name') }}"
         ansible_python_interpreter: '{{ ansible_playbook_python }}'
         config_dir: ${MOLECULE_PROJECT_DIRECTORY}/config
         samples_dir: ${MOLECULE_PROJECT_DIRECTORY}/config/samples

molecule/default/tasks/awx_test.yml

@@ -19,6 +19,31 @@
   register: admin_pw_secret
 
 - block:
+    - name: Get pod details
+      k8s_info:
+        namespace: '{{ namespace }}'
+        kind: Pod
+        label_selectors:
+          - app.kubernetes.io/name = example-awx
+      register: awx_pod
+      when: not awx_version
+
+    - name: Exract tags from images
+      set_fact:
+        image_tags: |
+          {{ awx_pod.resources[0].spec.containers |
+             map(attribute='image') |
+             map('regex_search', default_awx_version) }}
+      when: not awx_version
+
+    - fail:
+        msg: |
+          It looks like you may have broken the DEFAULT_AWX_VERSION functionality.
+          This is an environment variable that is set via build arg when releasing awx-operator.
+      when:
+        - not awx_version
+        - default_awx_version not in image_tags
+
     - name: Launch Demo Job Template
       awx.awx.job_launch:
         name: Demo Job Template
@@ -30,7 +55,7 @@
   rescue:
     - name: Get list of project updates and jobs
       uri:
-        url: "http://localhost/api/v2/{{ item }}/"
+        url: "http://localhost/api/v2/{{ resource }}/"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
@@ -38,15 +63,19 @@
       loop:
         - project_updates
         - jobs
+      loop_control:
+        loop_var: resource
 
     - name: Get all job and project details
       uri:
-        url: "http://localhost{{ item }}"
+        url: "http://localhost{{ endpoint }}"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
       loop: |
         {{ job_lists.results | map(attribute='json') | map(attribute='results') | flatten | map(attribute='url') }}
+      loop_control:
+        loop_var: endpoint
 
     - name: Re-emit failure
       vars:

molecule/default/templates/awx_cr_molecule.yml.j2

@@ -15,13 +15,15 @@ spec:
     kubernetes.io/ingress.class: nginx
   web_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 100m
+      memory: 32M
   task_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 100m
+      memory: 32M
   ee_resource_requirements:
     requests:
       cpu: 200m
-      memory: 64M
+      memory: 32M
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}

molecule/kind/converge.yml

@@ -10,6 +10,8 @@
         build:
           path: '{{ project_dir }}'
           pull: no
+          args:
+            DEFAULT_AWX_VERSION: '{{ default_awx_version }}'
         name: '{{ operator_image }}'
         tag: latest
         push: no

molecule/kind/molecule.yml

@@ -26,6 +26,7 @@ provisioner:
         awx_image: ${AWX_TEST_IMAGE:-""}
         awx_version: ${AWX_TEST_VERSION:-""}
         ansible_python_interpreter: '{{ ansible_playbook_python }}'
+        default_awx_version: "{{ lookup('url', 'https://api.github.com/repos/ansible/awx/releases/latest') | from_json | json_query('tag_name') }}"
         config_dir: ${MOLECULE_PROJECT_DIRECTORY}/config
         samples_dir: ${MOLECULE_PROJECT_DIRECTORY}/config/samples
         project_dir: ${MOLECULE_PROJECT_DIRECTORY}

molecule/requirements.txt

@@ -2,6 +2,6 @@ molecule
 molecule-docker
 yamllint
 ansible-lint
-openshift
+openshift!=0.13.0
 jmespath
 ansible-core

roles/backup/tasks/postgres.yml

@@ -39,6 +39,7 @@
       until:
         - "postgres_pod['resources'] | length"
         - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+        - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
       delay: 5
       retries: 60
 
@@ -99,7 +100,7 @@
     command: |
       bash -c """
       set -e -o pipefail
-      PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
+      PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} > {{ backup_dir }}/tower.db
       echo 'Successful'
       """
   register: data_migration

roles/backup/tasks/secrets.yml

@@ -21,9 +21,21 @@
     - ingress_tls_secret
     - ldap_cacert_secret
     - bundle_cacert_secret
-    - image_pull_secret
     - ee_pull_credentials_secret
 
+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secrets
+  when: image_pull_secrets | default([]) | length
+
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}

roles/installer/defaults/main.yml

@@ -36,7 +36,7 @@ ingress_tls_secret: ''
 
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
-loadbalancer_annotations: ''
+service_annotations: ''
 
 nodeport_port: '30080'
 # The TLS termination mechanism to use to access
@@ -64,6 +64,17 @@ hostname: ''
 #   kubernetes.io/os: linux
 node_selector: ''
 
+# Add a topologySpreadConstraints for the AWX pods.
+# Specify as literal block. E.g.:
+# topology_spread_constraints: |
+#   - maxSkew: 100
+#     topologyKey: "topology.kubernetes.io/zone"
+#     whenUnsatisfiable: "ScheduleAnyway"
+#     labelSelector:
+#       matchLabels:
+#         app.kubernetes.io/name: "<resourcename>"
+topology_spread_constraints: ''
+
 # Add node tolerations for the AWX pods. Specify as literal block. E.g.:
 # tolerations: |
 #   - key: "dedicated"
@@ -72,6 +83,12 @@ node_selector: ''
 #     effect: "NoSchedule"
 tolerations: ''
 
+# Add annotations to awx pods. Specify as literal block. E.g.:
+# annotations: |
+#   my.annotation/1: value
+#   my.annotation/2: value2
+annotations: ''
+
 admin_user: admin
 admin_email: test@example.com
 
@@ -114,9 +131,9 @@ _redis_image_version: latest
 _postgres_image: postgres
 _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
-_init_container_image_version: 8
+_init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []
 
 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
@@ -152,19 +169,25 @@ web_command: []
 
 task_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 128Mi
 
 web_resource_requirements:
   requests:
-    cpu: 1000m
-    memory: 2Gi
+    cpu: 100m
+    memory: 128Mi
 
 ee_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 64Mi
 
+# Customize CSRF options
+csrf_cookie_secure: False
+session_cookie_secure: False
+
+# Assign a preexisting priority class to the control plane pods
+control_plane_priority_class: ''
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -205,7 +228,16 @@ postgres_tolerations: ''
 postgres_storage_requirements:
   requests:
     storage: 8Gi
-postgres_resource_requirements: {}
+postgres_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+postgres_init_container_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+# Assign a preexisting priority class to the postgres pod
+postgres_priority_class: ''
 postgres_data_path: '/var/lib/postgresql/data/pgdata'
 
 # Persistence to the AWX project data folder
@@ -215,6 +247,9 @@ projects_persistence: false
 # Define an existing PersistentVolumeClaim to use
 projects_existing_claim: ''
 #
+# Define postgres configuration arguments to use
+postgres_extra_args: ''
+
 # Define the storage_class, size and access_mode
 # when not using an existing claim
 projects_storage_size: 8Gi
@@ -226,6 +261,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''
 

roles/installer/tasks/database_configuration.yml

@@ -99,6 +99,10 @@
         definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
       register: create_statefulset_result
 
+    - name: Scale down Deployment for migration
+      include_tasks: scale_down_deployment.yml
+      when: create_statefulset_result.changed
+
   rescue:
     - name: Scale down Deployment for migration
       include_tasks: scale_down_deployment.yml
@@ -138,6 +142,26 @@
     awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
   no_log: true
 
+- name: Wait for Database to initialize if managed DB
+  k8s_info:
+    kind: Pod
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-postgres-0'  # using name to keep compatibility
+    field_selectors:
+      - status.phase=Running
+  register: postgres_pod
+  until:
+    - "postgres_pod['resources'] | length"
+    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
+  delay: 5
+  retries: 60
+  when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
+
+- name: Set database as managed
+  set_fact:
+    managed_database: "{{ pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed' }}"
+
 - name: Look up details for this deployment
   k8s_info:
     api_version: "{{ api_version }}"

roles/installer/tasks/initialize_django.yml

@@ -13,18 +13,6 @@
   register: users_result
   changed_when: users_result.return_code > 0
 
-- name: Update super user password via Django if it does exist (same password is a noop)
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
-  register: update_pw_result
-  changed_when: users_result.stdout == 'Password not updated'
-  no_log: true
-  when: users_result.return_code == 0
-
 - name: Create super user via Django if it doesn't exist.
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -37,17 +25,6 @@
   no_log: true
   when: users_result.return_code > 0
 
-- name: Create preload data if necessary.  # noqa 305
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage create_preload_data"
-  register: cdo
-  changed_when: "'added' in cdo.stdout"
-  when: create_preload_data | bool
-
 - name: Check if legacy queue is present
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -118,3 +95,14 @@
       changed_when: "'changed: True' in ree.stdout"
       no_log: true
   when: _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- name: Create preload data if necessary.  # noqa 305
+  k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ ansible_operator_meta.name }}-task"
+    command: >-
+      bash -c "awx-manage create_preload_data"
+  register: cdo
+  changed_when: "'added' in cdo.stdout"
+  when: create_preload_data | bool

roles/installer/tasks/load_ldap_password_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: true
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: true
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
   include_tasks: load_bundle_cacert_secret.yml
   when:
@@ -36,6 +41,9 @@
 - name: Include broadcast websocket configuration tasks
   include_tasks: broadcast_websocket_configuration.yml
 
+- name: Include set_images tasks
+  include_tasks: set_images.yml
+
 - name: Include database configuration tasks
   include_tasks: database_configuration.yml
 

roles/installer/tasks/migrate_data.yml

@@ -29,6 +29,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
 
@@ -65,7 +66,7 @@
     command: |
       bash -c """
       set -e -o pipefail
-      PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
+      PGPASSWORD='{{ awx_old_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
       echo 'Successful'
       """
   no_log: true

roles/installer/tasks/resources_configuration.yml

@@ -17,6 +17,16 @@
   set_fact:
     tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
 
+- name: Set user provided control plane ee image
+  set_fact:
+    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
+  when:
+    - control_plane_ee_image | default([]) | length
+
+- name: Set Control Plane EE image URL
+  set_fact:
+    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
+
 - name: Apply Resources
   k8s:
     apply: yes
@@ -47,21 +57,6 @@
   set_fact:
     _image: "{{ _custom_image | default(lookup('env', 'RELATED_IMAGE_AWX')) | default(_default_image, true) }}"
 
-- name: Set default awx init container image
-  set_fact:
-    _default_init_container_image: "{{ _init_container_image }}:{{ _init_container_image_version }}"
-
-- name: Set user provided awx init image
-  set_fact:
-    _custom_init_container_image: "{{ init_container_image }}:{{ init_container_image_version }}"
-  when:
-    - init_container_image | default([]) | length
-    - init_container_image_version is defined or init_container_image_version != ''
-
-- name: Set Init image URL
-  set_fact:
-    _init_container_image: "{{ _custom_init_container_image | default(lookup('env', 'RELATED_IMAGE_AWX_INIT_CONTAINER')) | default(_default_init_container_image, true) }}"
-
 - name: Set default redis image
   set_fact:
     _default_redis_image: "{{ _redis_image }}:{{ _redis_image_version }}"
@@ -77,16 +72,6 @@
   set_fact:
     _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"
 
-- name: Set user provided control plane ee image
-  set_fact:
-    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
-  when:
-    - control_plane_ee_image | default([]) | length
-
-- name: Set Control Plane EE image URL
-  set_fact:
-    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
-
 - name: Apply deployment resources
   k8s:
     apply: yes

roles/installer/tasks/set_images.yml

@@ -0,0 +1,19 @@
+# For disconnected environments, images must be set based on the values of `RELATED_IMAGE_` variables
+---
+- name: Set default awx init container image
+  set_fact:
+    _default_init_container_image: "{{ _init_container_image }}:{{ _init_container_image_version }}"
+
+- name: Set user provided awx init image
+  set_fact:
+    _custom_init_container_image: "{{ init_container_image }}:{{ init_container_image_version }}"
+  when:
+    - init_container_image | default([]) | length
+    - init_container_image_version is defined or init_container_image_version != ''
+
+- name: Set Init image URL
+  set_fact:
+    _init_container_image: >-
+      {{ _custom_init_container_image |
+         default(lookup('env', 'RELATED_IMAGE_AWX_INIT_CONTAINER')) |
+         default(_default_init_container_image, true) }}

roles/installer/templates/config.yaml.j2

@@ -18,6 +18,7 @@ data:
   settings: |
     import os
     import socket
+    from django_auth_ldap.config import LDAPSearch
     
     def get_secret():
         if os.path.exists("/etc/tower/SECRET_KEY"):
@@ -25,11 +26,22 @@ data:
     
     ADMINS = ()
     STATIC_ROOT = '/var/lib/awx/public/static'
+    STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
     PROJECTS_ROOT = '/var/lib/awx/projects'
     JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
 
     IS_K8S = True
 
+    # Set memory available based off of resource request/limit for the task pod
+    memory_limit = '{{ task_resource_requirements["limits"]["memory"] if "limits" in task_resource_requirements and "memory" in task_resource_requirements["limits"] }}'
+    if memory_limit:
+        SYSTEM_TASK_ABS_MEM = memory_limit
+
+    # Set cpu available based off of resource request/limit for the task pod
+    cpu_limit = '{{ task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] }}'
+    if cpu_limit:
+        SYSTEM_TASK_ABS_CPU = cpu_limit
+
     SECRET_KEY = get_secret()
     
     ALLOWED_HOSTS = ['*']
@@ -48,8 +60,8 @@ data:
     CLUSTER_HOST_ID = socket.gethostname()
     SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
-    CSRF_COOKIE_SECURE = False
-    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
     
     SERVER_EMAIL = 'root@localhost'
     DEFAULT_FROM_EMAIL = 'webmaster@localhost'
@@ -172,15 +184,15 @@ data:
                 deny all;
             }
     
-            location /static/ {
+            location {{ (ingress_path + '/static').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/;
             }
     
-            location /favicon.ico {
+            location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/media/favicon.ico;
             }
     
-            location /websocket {
+            location {{ (ingress_path + '/websocket').replace('//', '/') }} {
                 # Pass request to the upstream alias
                 proxy_pass http://daphne;
                 # Require http version 1.1 to allow for upgrade requests
@@ -202,7 +214,7 @@ data:
                 proxy_set_header Connection $connection_upgrade;
             }
     
-            location / {
+            location {{ ingress_path }} {
                 # Add trailing / if missing
                 rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
                 uwsgi_read_timeout 120s;

roles/installer/templates/deployment.yaml.j2

@@ -7,7 +7,7 @@ metadata:
   namespace: '{{ ansible_operator_meta.namespace }}'
   labels:
     app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/version: '{{ _image_version }}'
+    app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
     app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
@@ -23,18 +23,30 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/version: '{{ _image_version }}'
+        app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
         app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
         app.kubernetes.io/component: '{{ deployment_type }}'
+{% if annotations %}
+      annotations:
+        {{ annotations | indent(width=8) }}
+{% endif %}
     spec:
       serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if control_plane_priority_class is defined %}
+      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
       initContainers:
+{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
@@ -169,6 +181,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: UWSGI_MOUNT_PATH
+              value: "{{ ingress_path }}"
 {% if development_mode | bool %}
             - name: AWX_KUBE_DEVEL
               value: "1"
@@ -306,6 +320,10 @@ spec:
       nodeSelector:
         {{ node_selector | indent(width=8) }}
 {% endif %}
+{% if topology_spread_constraints %}
+      topologySpreadConstraints:
+        {{ topology_spread_constraints | indent(width=8) }}
+{% endif %}
 {% if tolerations %}
       tolerations:
         {{ tolerations | indent(width=8) }}

roles/installer/templates/postgres.yaml.j2

@@ -33,14 +33,39 @@ spec:
         app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
 {% endif %}
+{% if postgres_priority_class is defined %}
+      priorityClassName: '{{ postgres_priority_class }}'
+{% endif %}
+      initContainers:
+        - name: database-check
+          image: '{{ _init_container_image }}'
+          resources: {{ postgres_init_container_resource_requirements }}
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              [[ -d /check-db/pgsql/data ]] && rm -rf /check-db/data && mv /check-db/pgsql/data/ /check-db/data/ && rm -rf /check-db/pgsql || exit 0
+          volumeMounts:
+            - name: postgres
+              mountPath: /check-db
+              subPath: ''
       containers:
         - image: '{{ _postgres_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
           name: postgres
+{% if postgres_extra_args %}
+          args: {{ postgres_extra_args }}
+{% endif %}
           env:
             # For postgres_image based on rhel8/postgresql-12
             - name: POSTGRESQL_DATABASE

roles/installer/templates/service.yaml.j2

@@ -11,13 +11,20 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
     {{ service_labels | indent(width=4) }}
-{% if service_type | lower == 'loadbalancer' and loadbalancer_annotations %}
+{% if service_annotations %}
   annotations:
-    {{ loadbalancer_annotations | indent(width=4) }}
+    {{ service_annotations | indent(width=4) }}
 {% endif %}
 spec:
   ports:
-{% if service_type | lower != 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
+  
+{% if service_type | lower == "nodeport" %}
+    - port: 80
+      protocol: TCP
+      targetPort: 8052
+      name: http
+      nodePort: {{ nodeport_port }}
+{% elif service_type | lower != 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
     - port: 80
       protocol: TCP
       targetPort: 8052
@@ -44,10 +51,10 @@ spec:
     app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
-{% if service_type | lower == "loadbalancer" %}
-  type: LoadBalancer
-{% elif service_type | lower == "nodeport" %}
+{% if service_type | lower == "nodeport" %}
   type: NodePort
+{% elif service_type | lower == "loadbalancer" %}
+  type: LoadBalancer
 {% else %}
   type: ClusterIP
 {% endif %}

roles/restore/tasks/postgres.yml

@@ -37,6 +37,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
 
@@ -86,7 +87,7 @@
     command: |
       bash -c """
       set -e -o pipefail
-      cat {{ backup_dir }}/tower.db | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
+      cat {{ backup_dir }}/tower.db | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
       echo 'Successful'
       """
   register: data_migration