internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 05:43:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:0.16.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
...
compare: internet:0.27.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

159 Commits
0.16.0 ... 0.27.0

Author SHA1 Message Date
Christian Adams
7d2d1b3c5e Upgrade to Operator SDK v1.22.2 (#1001) 
* Upgrade to Operator SDK 1.16.0

* Upgrade Operator SDK to v1.22.2 & bump base image version
 2022-08-22 18:54:56 -04:00
Shane McDonald
5d0ebd0121 Merge pull request #1029 from shanemcd/delete-logging-code 
Delete logging overrides in configmap
 2022-08-22 11:48:05 -04:00
Shane McDonald
f368a539a9 Delete logging overrides in configmap 2022-08-22 10:56:37 -04:00
Shane McDonald
0aef4cc35f Merge pull request #1026 from shanemcd/respect-LOG_AGGREGATOR_LEVEL 
Respect LOG_AGGREGATOR_LEVEL
 2022-08-19 13:25:33 -04:00
Shane McDonald
e3701dd3db Respect LOG_AGGREGATOR_LEVEL 2022-08-18 19:10:54 -04:00
Elijah DeLee
cf98edc282 Merge pull request #976 from jainnikhil30/scale_callback_receiver_workers 
configure callback receiver workers based on CPU
 2022-08-09 07:23:08 -04:00
Nikhil
58a4778c89 configure callback receiver workers based on CPU 2022-08-09 13:18:41 +05:30
Shane McDonald
8e50bdde9b Merge pull request #1015 from shanemcd/installer-templates-cleanup 
Organize installer templates into subdirectories
 2022-08-05 12:49:51 -04:00
Shane McDonald
60386bc928 Organize installer templates into subdirectories 2022-08-05 10:45:15 -04:00
kurokobo
f1df88dc53 fix: change to safely skip task if backupDirectory is not defined (#1003) (#1004) 2022-08-04 10:42:43 -04:00
Dimitri Savineau
8a3c8e727a Merge pull request #929 from dsavineau/undefined_limits_key 
installer: fix undefined limit key in config
 2022-08-02 10:05:47 -04:00
Christian Adams
c230016819 Fix helm package build redundancy and release automation (#1010) 2022-08-01 21:27:15 +00:00
John Westcott IV
3a6040e0cd Adding GitHub check to ensure PRs have the proper X/Y/Z flags 2022-08-01 14:09:56 -04:00
John Westcott IV
24f3f440f1 Adding GitHub check to ensure PRs have the proper X/Y/Z flags 2022-08-01 13:04:38 -04:00
Christian Adams
87b0511997 Use new postgres pod label when migrating from old instance (#1005) 2022-07-29 16:38:04 -04:00
Christian Adams
fde4a47a14 Bump dependencies stream (#841) 
* Bump Postgresql, Nginx and Redis versions
* pg12 --> pg13 upgrade path
* Set supported pg version as a variable to remain DRY
* Make deleting the old db data pvc after upgrade configurable
* Use labels to find the postgres pod

* backup/restore: fix postgres label selector value

We need to use the deployment_name variable for the postgres instance
name.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

* backup/restore: add missing default supported_pg_version variable

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

* restore: update database_host fact with pg suffix

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

Co-authored-by: Dimitri Savineau <dsavinea@redhat.com>
 2022-07-29 13:21:51 -04:00
John Westcott IV
af2e681f1e Please backup before attempting an upgrade (#1002) 2022-07-28 16:19:57 -04:00
lutskevich
82ffa3d348 Restore not managed external postgresql (#877) 
* Restore not managed external postgresql

Update postgres.yml for restore from backup not managed external postgresql db.

* Update postgres.yml

* rm trailing spaces #48

Co-authored-by: Viktor Lutskevich <lutskevich.v@mail366.com>
 2022-07-27 16:23:51 -04:00
Ming Quah
db6a5b53ed Move custom resource definitions into a CRDs folder (#994) 
* Add missing quote for port parameter

* Add step to move CRDs into the correct folder
 2022-07-26 18:48:20 -04:00
Shane McDonald
0be17476cd Merge pull request #979 from stanislav-zaprudskiy/allow_skipping_labels_patching_on_awx_resource 
Introduce `set_self_labels` in CRDs
 2022-07-20 12:41:20 -04:00
Shane McDonald
f4a781ccc5 Merge pull request #984 from bewing/makefile-logic 
fix helm-chart Makefile issue
 2022-07-20 12:40:20 -04:00
John Westcott IV
fcd2c4c023 Merge pull request #982 from john-westcott-iv/pr_template 
Adding PR template
 2022-07-19 04:22:41 -04:00
John Westcott IV
8e30a17a77 Adding PR template 2022-07-19 04:12:38 -04:00
Christian Adams
b3037c1067 Deprecate the backup_pvc_namespace field (#988) 
- Removes backup_pvc_namespace field from OLM forms
  - This field has created confusion for users and there is no strong
    case for needing this functionality
  - Users will still be able to add it to the yaml for the CR if they
    want to use it with the cluster-scoped AWX operator
  - Remove unneeded advanced descriptors to avoid empty Advanced
    configuration expander

fixes AAP-1176
 2022-07-18 17:35:11 -04:00
Brandon Ewing
f7ff132a2e fix helm-chart Makefile issue 
GNU make resolves the $(wildcard ) macro when starting a block, and
caches it for the duration of the run.  In order to correctly remove
namespace references from the generated helm charts, we have to split
the generation and editing into two makefile targets.
 2022-07-14 14:38:09 -05:00
Shane McDonald
5f06e90906 Merge pull request #963 from miles-w-3/helm-values 
Added helm values, templates, and readme
 2022-07-12 13:50:27 -04:00
Stanislav Zaprudskiy
36355b6a15 Introduce set_self_labels in CRDs 
To allow skipping labels maintenance on CRs processed by the operator.
Resolves https://github.com/ansible/awx-operator/issues/756
 2022-07-12 10:48:16 +02:00
Miles Wilson
bc08c4bbbe Added helm values, templates, and readme 2022-07-11 19:59:03 -04:00
Shane McDonald
7697825944 Merge pull request #983 from shanemcd/ingress_path-test 
Add tests around ingress_path feature
 2022-07-11 19:55:28 -04:00
Shane McDonald
8a325293b1 Add tests around ingress_path feature 2022-07-11 19:45:11 -04:00
Shane McDonald
dd53a1d415 Merge pull request #980 from sdktr/958_pgdump_command_customization 
Fix 958: allow pg_dump backup command customization
 2022-07-11 19:30:30 -04:00
Shane McDonald
c5db0e7104 Merge pull request #954 from bewing/helm-namespace 
remove namespace from helm chart
 2022-07-11 19:18:08 -04:00
Stefan de Kooter
59036fc373 Add free format pg_dump backup parameter 2022-07-10 19:03:32 +00:00
Christian Adams
c45a7bd4d7 Add Docs notes for custom secret keys (#969) 2022-06-28 11:05:49 -04:00
Shane McDonald
34b6354001 Merge pull request #956 from Cl0udius/add_auto_upgrade_parameter 
added auto_upgrade flag
 2022-06-27 13:39:11 -04:00
Shane McDonald
801f392447 Merge pull request #964 from taishen/devel 
Add an example of the nodeport_port in readme
 2022-06-27 13:38:24 -04:00
Shane McDonald
779572e8ff Merge pull request #944 from viv-dev/backup-cleanup 
Option to delete backup dir on PV when AWXBackup object is deleted
 2022-06-27 13:35:57 -04:00
Shane McDonald
e7e48f92a0 Merge pull request #962 from rooftopcellist/operator-resource-defaults 
Add default resource requests for operator container
 2022-06-27 13:33:32 -04:00
Brandon Ewing
3cd9ddd8c6 remove namespace from helm chart 
Helm should be able to set the namespace for the operator at deploy time
via the --namespace option.  Use yq to remove all references to
namespaces in the helm chart prior to publishing.

Update CI process to create namespace during install.

Resolves #907
 2022-06-27 12:26:14 -05:00
taishen
4e6be0a82c Add an example of the nodeport_port in readme 2022-06-27 22:02:42 +08:00
Viviana Capote
05943687fe Added option to also delete backup directory on PVC when AWXBackup CRD object is deleted 2022-06-27 15:45:33 +10:00
Shane McDonald
9676ebc008 Merge pull request #955 from doanminhtu/tudoan/fix-ldap-password-secret-usage 
Fix ldap bind password secret usage: ldap_password_secret
 2022-06-26 10:45:26 -04:00
Christian M. Adams
8352237260 Add default resource requests for operator container 2022-06-24 16:40:45 -04:00
Alexander Stock
35d4954027 added auto_update flag 2022-06-23 15:05:05 +02:00
Shane McDonald
4d6a491766 Merge pull request #959 from mac-chaffee/no-latest 
Use specific version of redis image
 2022-06-23 08:16:21 -04:00
Shane McDonald
fa9eb53f92 Merge pull request #950 from basecom/feature/nginx-ipv6-support 
Enable ipv6 listening in nginx config
 2022-06-23 07:51:41 -04:00
Tu Doan
00c9f5fbd1 Fix ldap secret to secret file 2022-06-23 10:49:27 +07:00
Mac Chaffee
fe82e9259e Use specific version of redis image 
Signed-off-by: Mac Chaffee <machaffe@renci.org>
 2022-06-22 16:14:39 -04:00
Tu Doan
635d530dc9 Fix ldap bind password secret usage 2022-06-20 17:03:38 +07:00
David Luong
e966e9299f Resolves #918 to make no_log configurable (#923) 2022-06-16 01:03:13 -04:00
John Westcott IV
683d23dbea Adding feature requests issue type (#951) 2022-06-15 17:30:00 -04:00
Roger Sikorski
8b3a297086 enable ipv6 on nginx 2022-06-15 17:37:02 +02:00
John Westcott IV
15830e3536 Merge pull request #947 from john-westcott-iv/github_folder_maintainance 
.github folder maintainance
 2022-06-13 12:20:00 -04:00
John Westcott IV
ef46d7f49c Changes from PR review 2022-06-13 11:15:52 -04:00
John Westcott IV
a5328b1a09 .github folder maintainance 
Changing bug_report from markdown to yaml
Adding config.yml for new issues
Adding Code of Conduct and support to the README (along with tags at the
top of the readme)
Adding SECURITY.md
Adding CODE_OF_CONDUCT.md
 2022-06-13 08:22:40 -04:00
Christian Adams
0983220fba Use awx web launch script to pick up the correct supervisor config (#935) 
- reduce resource requests so that CI passes in resource constrained
    environments
 2022-06-01 19:11:25 -04:00
Dimitri Savineau
ba3b6f5436 installer: fix undefined limit key in config 
When the task_resource_requirements variable has no "limits" key (which
is the default value) then the config template generation fails

----------------------------------
looking for "config.yaml.j2" at "/opt/ansible/roles/installer/templates/config.yaml.j2"
File lookup using /opt/ansible/roles/installer/templates/config.yaml.j2 as file
fatal: [localhost]: FAILED! => {
"msg": "The task includes an option with an undefined variable. The error was: the inline if-expression on line 36 evaluated to false and no else section was defined.

The error appears to be in /opt/ansible/roles/installer/tasks/resources_configuration.yml: line 30, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: Apply Resources
 ^ here
----------------------------------

The current condition doesn't have a else statement so the template fails
when the "limits" key isn't present.
This rewrite the current if/else statement in jinja template.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2022-05-24 09:29:36 -04:00
Paul Verhoeven
3ac0232e89 Updated the Readme (#906) 
* defaults in Deploying a specific version of AWX added

* Update README.md

updated the README clarified the defaults of Deploying a specific version of AWX
 2022-05-09 17:24:43 -04:00
Christian Adams
75c7231afd Remove unneeded olm-parameter template file (#901) 2022-05-04 16:45:18 -04:00
Christian Adams
363aa3642b added capability to set the redis container resources (#899) 
* added capability to set the redis container resources

* Reduce resource requests so that it can be scheduled on GitHub workflows

Co-authored-by: Cedric Morin <cedric.morin_ext@michelin.com>
 2022-05-03 08:53:45 -04:00
Shane McDonald
bf74d5cc34 Merge pull request #799 from mamercad/helm 
Add Helm functionality
 2022-05-02 14:38:24 -04:00
Shane McDonald
46586bd7b6 Rework helm release process 
This was mostly me working around a limitation in chart-releaser where it does not allow for uploading a chart to an existing release.
 2022-05-02 14:12:59 -04:00
Shane McDonald
191be7bf3c Run test helm install in CI 2022-05-02 14:12:59 -04:00
Shane McDonald
b7e5f235ad Fix yq target 
Without this I was seeing:

$ make yq
tar: yq_linux_amd64: Not found in archive
tar: Exiting with failure status due to previous errors
make: *** [Makefile:240: yq] Error 2
 2022-05-02 14:12:59 -04:00
Mark Mercado
6cbc6a7234 Set CHART_OWNER as ${{ github.repository_owner }} 2022-05-02 14:12:59 -04:00
Mark Mercado
beba6a900d Update kustomize build args for v4+ 2022-05-02 14:12:59 -04:00
Mark Mercado
7f72260445 Adding document-start markers 2022-05-02 14:12:59 -04:00
Mark Mercado
5b7baa106d Adding CI for "make helm-chart" 2022-05-02 14:12:59 -04:00
Mark Mercado
9380686395 Handle amd64 versus x86_64 2022-05-02 14:12:59 -04:00
Mark Mercado
0de966153d Fix kubectl-slice for amd64 2022-05-02 14:12:59 -04:00
Mark Mercado
efaa4718ec Adding Helm functionality 2022-05-02 14:12:57 -04:00
Shane McDonald
e6a473b765 Merge pull request #887 from ansible/add-content-type-option-header-op 
Add the X-Content-Type-Options nosniff header
 2022-05-02 08:25:48 -04:00
Christian Adams
859384e9f6 Changed default pull secret to agreed upon name (#896) 2022-04-29 16:21:03 -04:00
Christian Adams
b66a16508f Clarify docs on how to configure an External Database (#895) 2022-04-29 15:35:07 -04:00
Christian Adams
3da427f31d Look for a specific pull secret when deployed in certain cloud environments (#894) 2022-04-27 15:44:10 -04:00
Shane McDonald
9f2b51a6a9 Fix mistake in debugging docs 2022-04-25 16:32:50 -04:00
Hung Tran
5b73ad172e Load LDAP password from secret and update guideline (#659) 
* Load LDAP password from secret and update guideline

* Add pod_labels for custom pod labels

Signed-off-by: Loc Mai <lmai@axon.com>

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

* Load LDAP password from secret and update guideline

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

Co-authored-by: hungts <hungts@axon.com>
Co-authored-by: Loc Mai <lmai@axon.com>
Co-authored-by: Max Bidlingmaier <Max-Florian.Bidlingmaier@sap.com>
Co-authored-by: Max Bidlingmaier <maks@konsolan.de>
 2022-04-25 16:16:10 -04:00
Shane McDonald
2227301707 Merge pull request #888 from shanemcd/debugging-docs 
Add docs/debugging.md
 2022-04-25 16:11:21 -04:00
Shane McDonald
9f63fc0da5 Add docs/debugging.md 2022-04-25 16:02:30 -04:00
Seth Foster
322aea970d Merge pull request #886 from fosterseth/make_csrf_settings_boolean 
Render cookie settings as a boolean
 2022-04-25 15:45:42 -04:00
Seth Foster
c4bef95662 Render cookie settings as a boolean 2022-04-25 15:31:09 -04:00
Jeff Bradberry
fa705f6466 Add the X-Content-Type-Options nosniff header 2022-04-25 14:00:07 -04:00
Seth Foster
7fd5083c16 Merge pull request #862 from fosterseth/add_priorityclass_option 
Add priority class options to high priority pods
 2022-04-21 15:40:55 -04:00
Christian M. Adams
daf15a93bf Reduce the resources requests for CI runs 
* GitHub Workflows run in a resource constrained environment, we were
    asking too much of it, so pods never got scheduled.
 2022-04-21 15:10:09 -04:00
Christian M. Adams
dfa0f6d45e Add docs for priority classes & fix typo 2022-04-21 11:59:15 -04:00
Christian M. Adams
21062f0708 Add default resource requests for postgres containers 2022-04-18 12:30:02 -04:00
Seth Foster
5372771bac Add priority class options to high priority pods 
- Add postgres_priority_class
- Add control_plane_priority_class
- Add default requests for postgres pod to ensure at a "Burstable" QoS
 2022-04-18 12:29:54 -04:00
Mac Chaffee
8df0969e6a Fix namespace name in readme (#868) 
Signed-off-by: Mac Chaffee <machaffe@renci.org>
 2022-04-15 16:08:43 -04:00
Jeremy Kimber
5af7e7f4b9 Ensure custom control plane EE is defined prior to creation of application credentials (#873) 
Co-authored-by: Jeremy Kimber <jeremy.kimber@garmin.com>
 2022-04-15 16:04:47 -04:00
Christian Adams
d8f91d112e Stop updating the admin user password (#874) 
* This is overwriting changes the user makes to the admin password via
    the app itself
 2022-04-14 16:35:37 -04:00
Christian Adams
379552218d Add back image_pull_secret field for backwards compatibility (#870) 2022-04-14 13:25:54 -04:00
David Luong
1686875321 Customize CSRF options (#825) 2022-04-13 19:42:07 -04:00
Christian Adams
1b41d945e6 Check if image_pull_secrets variable is defined (#865) 
* Do not attempt to backup secret if none are defined
 2022-04-11 11:10:09 -04:00
Dragutan Alexandr
5e81729bc9 Update README.md (#858) 
cut off svg-content, link preserverd.
 2022-04-06 21:39:49 -04:00
Christian Adams
575e594314 Wait for the postgres pod to enter the ready state before starting containers (#861) 2022-04-06 08:29:53 -04:00
Christian Adams
5f76d4917e Enable setting a list of image_pull_secrets (#860) 
When there are e.g. multiple authenticated container registries used
we need to be able to add multiple imagePullSecrets to the k8s resource

Co-authored-by: Maximilian Meister <maximilian.meister@pm.me>
 2022-04-05 11:51:21 -04:00
gamuniz
94c5c41a24 reording the django tasks to avoid race condition aap-2847 (#855) 
* Reorder the django init tasks to avoid race condition - aap-2847
 2022-04-01 14:55:57 -04:00
Shane McDonald
ee84625107 Merge pull request #843 from mac-chaffee/kustomize-umbrella 
Add docs for proper kustomization installs
 2022-03-28 16:56:01 -04:00
Mac Chaffee
add76c159b Mention how to install Kustomize. 
It's recommended to install the standalone version of kustomize rather
than using the version that ships with kubectl because that version is
typically very old and doesn't match the docs.
 2022-03-26 11:53:17 -04:00
Mac Chaffee
375031e1f8 Remove explicit tags to avoid need to bump versions 
Signed-off-by: Mac Chaffee <machaffe@renci.org>
 2022-03-24 19:18:46 -04:00
Christian Adams
ca6ab0a380 Merge pull request #844 from rooftopcellist/update-changelog 
Add Changelog entries for 0.19.0 release
 2022-03-23 18:20:00 -04:00
Christian M. Adams
236bce6970 Add Changelog entries for 0.19.0 release 2022-03-23 18:10:23 -04:00
Mac Chaffee
0a9e9722c5 Add docs for proper kustomization installs 2022-03-23 15:42:24 -04:00
Shane McDonald
58ac0cc369 Merge pull request #835 from shanemcd/stream8 
Use stream8 for init container
 2022-03-22 09:11:19 -04:00
Christian Adams
c3ac2e2cde Merge pull request #838 from kurokobo/quote 
fix: add quotes for PGPASSWORD for the backup and restore roles
 2022-03-21 10:50:51 -04:00
kurokobo
589a3751e1 fix: add quotes for PGPASSWORD for the backup and restore roles 2022-03-20 16:13:12 +09:00
Shane McDonald
12a58d71fb Use stream8 for init container 2022-03-18 13:56:15 -04:00
Shane McDonald
6b873b05ab Merge pull request #822 from kurokobo/operator_version 
fix: add OPERATOR_VERSION as build-arg to pass the version to operator
 2022-03-18 11:06:08 -04:00
Christian Adams
5e97ff7c08 Merge pull request #827 from rooftopcellist/rm-inject-params 
Add AWX Logo to OLM deployments
 2022-03-16 14:15:49 -04:00
Christian M. Adams
86c31a4317 Add AWX Logo to OLM deployments 
* Remove unnecessary script for injecting olm params, use bases template instead

Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2022-03-16 12:01:28 -04:00
Seth Foster
487727b454 Merge pull request #815 from kurokobo/nodeport 
fix: fix corrupted spec for the service with nodeport type (#814)
 2022-03-15 14:39:13 -04:00
kurokobo
2f47b907fd fix: add OPERATOR_VERSION as build-arg to pass the version to operator 2022-03-09 22:32:39 +09:00
kurokobo
dbaf64efa0 fix: fix corrupted spec for the service with nodeport type (#814) 2022-03-09 21:00:24 +09:00
Shane McDonald
5375fec77d Merge pull request #811 from shanemcd/format-readme-tables 
Reformat markdown tables in README.md
 2022-03-05 12:12:25 -05:00
Shane McDonald
9980192d9e Reformat markdown tables in README.md 2022-03-05 12:02:18 -05:00
Shane McDonald
e2fc5f46c0 Merge pull request #803 from rooftopcellist/sts-db-check 
Run database-check initContainer on postgres sts instead
 2022-03-05 11:59:00 -05:00
Shane McDonald
5b3be06e8d Allow for customizing postgres init container resources 2022-03-05 11:48:13 -05:00
Shane McDonald
3c2405f304 Merge pull request #807 from MrBones757/devel 
added support for pod annotations to awx deployment
 2022-03-05 10:18:50 -05:00
Christian M. Adams
192611eea8 Run database-check initContainer on postgres sts instead 
- This avoids issues with multple initContainers trying to mount the
    postgres pvc at once, as is the case when there are multiple
replicas.

Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2022-03-05 10:07:07 -05:00
MrBones757
9ca14cef93 added support for pod annotations to awx deployment 2022-02-25 09:54:55 +08:00
Shane McDonald
fbc2d3475c Merge pull request #800 from ggiinnoo/readme-dummy-proof 
Added namespace warning | added apply command for missing namespace
 2022-02-23 09:30:19 -05:00
Shane McDonald
58f30fb96c Merge pull request #789 from ubajze/fix-nodeport-port 
Fix the custom port specification when service type is NodePort
 2022-02-23 09:28:42 -05:00
Gino Jansen
c81b78aad6 Added namespace warning | added apply command for missing namespace 2022-02-18 14:31:29 +01:00
Shane McDonald
c02e05925e Merge pull request #797 from kdelee/sky-is-the-limit 
only set mem/cpu setting if limit is set
 2022-02-15 15:41:52 -05:00
Elijah DeLee
479c009716 only set mem/cpu setting if limit is set 
Otherwise, we get the too-low setting of the request, which
will be a rough experience for folks who have been using the operator
and are used to the experience of having entire underlying node capacity

Users can still set the setting via extra_settings to get the experience
of having each pod with a individualized capacity, or set a limit.
 2022-02-15 15:35:36 -05:00
Shane McDonald
7807bc516e Merge pull request #791 from kdelee/set_controlpod_mem_cpu 
set memory setting based on resource settings
 2022-02-15 14:12:41 -05:00
Elijah DeLee
3afcd7fd89 set memory and cpu setting based on resource settings 
This way we can start using this setting in AWX again to help fix
https://github.com/ansible/awx/issues/11640
 2022-02-15 14:09:21 -05:00
Shane McDonald
7002131dda Merge pull request #793 from kurokobo/readme 
Update TOC in README.md
 2022-02-12 13:04:17 -05:00
kurokobo
877943cc27 fix: update TOC in README.md 2022-02-12 16:49:17 +09:00
Shane McDonald
b59a0c5b80 Merge pull request #766 from nodje/Makefile-aarch64-patch 
Take into account `aarch64` architecture return from uname
 2022-02-11 17:36:10 -05:00
Shane McDonald
26b1eb6c87 Merge pull request #776 from arrase/feature/service_annotations 
Allow service annotations not only for LoadBalancer type
 2022-02-11 17:30:56 -05:00
Matthias R. Wiora
39437da72b feat(readme): add k8s cluster setup instructions (#592) 
Add instructions for using with existing kubernetes cluster
 2022-02-11 17:25:37 -05:00
Shane McDonald
e1645a2f8d Merge pull request #593 from kurokobo/upgrading 
Add steps to upgrade to 0.14.0
 2022-02-11 17:24:10 -05:00
Shane McDonald
224dde769a Merge pull request #536 from siju-vasudevan/patch-1 
LDAPSearch Module is missing
 2022-02-11 17:20:56 -05:00
Uros Bajzelj
536d7dc842 Fix the NodePort port specification 2022-02-11 10:57:43 +00:00
Shane McDonald
eac2328bd3 Merge pull request #721 from longns1/update-makefile-undeploy 
update Makefile undeploy
 2022-02-10 10:19:10 -05:00
Shane McDonald
3be986c96c Merge pull request #783 from AlanCoding/loop_control 
Add some loop control for ansible warnings
 2022-02-10 10:18:26 -05:00
Shane McDonald
768bc2f857 Merge pull request #652 from shanemcd/url-prefix-support 
Support running AWX at non-root path
 2022-02-09 10:37:07 -05:00
Alan Rominger
f05faaaaa0 Add some loop control for ansible warnings 2022-02-04 16:12:28 -05:00
Shane McDonald
957566993b Merge pull request #782 from AlanCoding/not_that_one 
Avoid broken openshift package
 2022-02-04 15:36:33 -05:00
Alan Rominger
c95f3299b0 Avoid broken openshift package 2022-02-04 15:24:49 -05:00
Christian Adams
1a0e3cf410 Merge pull request #772 from rooftopcellist/always-run-pg-initContainer 
Always run database-check initContainer
 2022-02-02 16:16:34 -05:00
Christian Adams
9368b43614 Merge pull request #775 from rooftopcellist/pg-args-advanced 
Add OLM params for postgres_extra_vars
 2022-02-01 17:02:42 -05:00
Juan Ezquerro LLanes
108addc06e Allow service annotations not only for LoadBalancer 2022-02-01 20:49:37 +01:00
Shane McDonald
3a3260ffb7 Merge pull request #770 from john-westcott-iv/github_meta_changes 
Adding triage label to any new issue
 2022-02-01 13:15:18 -05:00
Christian M. Adams
960d1f8a32 Fix volume mount syntax error 
* conditionally run database-check init container only for managed db
    deployments
Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2022-02-01 10:50:48 -05:00
Christian M. Adams
4d8f84eb74 Add OLM params for postgres_extra_vars 
* follow-up for https://github.com/ansible/awx-operator/pull/753
Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2022-02-01 08:17:11 -05:00
John Westcott IV
1320c9d175 Fixing linting issues 2022-01-31 12:19:31 -05:00
Christian M. Adams
fab71e054e Always run database-check initContainer 2022-01-31 09:40:19 -05:00
John Westcott IV
3eede3c922 Adding triage label to any new issue 2022-01-30 13:59:22 -05:00
Christian Adams
d27ce3c34d Merge pull request #755 from rooftopcellist/mv-data-subPath 
Use an Init Container to move the pg data subPath in the pvc
 2022-01-27 19:55:48 -05:00
Shane McDonald
18d17f2485 Merge pull request #763 from sooslaca/devel 
Fix issue #762
 2022-01-27 08:16:33 -05:00
nodje
47d3ef57f2 Take into account aarch64 architecture return from uname 2022-01-26 09:32:16 +01:00
sooslaca
8f8336b25a Fix issue #762 
Fix https://github.com/ansible/awx-operator/issues/762
 2022-01-23 16:17:24 +01:00
Christian M. Adams
5b636bb8ea Use an Init Container to move the pg data subPath in the pvc 2022-01-13 23:17:33 -05:00
longns1
79152d2417 update to make undeploy in Makefile works correctly when namespace is not awx 2022-01-07 15:57:27 +07:00
Shane McDonald
c843194cbd Support running AWX at non-root path 2021-11-14 04:26:24 +00:00
kurokobo
b0824acc48 Add steps to upgrade to 0.14.0 2021-10-29 22:01:10 -04:00
siju-vasudevan
38ec4a3b00 LDAPSearch Module is missing 
Since LDAPSearch Module is missing LDAP authentication is not working if you configure the LDAP configuration via extra_settings.
 2021-09-09 10:04:30 +05:30
139 changed files with 3976 additions and 2104 deletions
Expand all files Collapse all files

3
.github/CODE_OF_CONDUCT.md vendored Normal file
View File

@@ -0,0 +1,3 @@
# Community Code of Conduct
Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

39
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@@ -1,39 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
##### ISSUE TYPE
- Bug Report
##### SUMMARY
<!-- Briefly describe the problem. -->
##### ENVIRONMENT
* AWX version: X.Y.Z
* Operator version: X.Y.Z
* Kubernetes version:
* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
##### STEPS TO REPRODUCE
<!-- Please describe exactly how to reproduce the problem. -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? -->
##### ADDITIONAL INFORMATION
<!-- Include any links to sosreport, database dumps, screenshots or other
information. -->
##### AWX-OPERATOR LOGS

125
.github/ISSUE_TEMPLATE/bug_report.yml vendored Normal file
View File

@@ -0,0 +1,125 @@
---
name: Bug Report
description: "🐞 Create a report to help us improve"
body:
- type: markdown
attributes:
value: |
Bug Report issues are for **concrete, actionable bugs** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Bug Summary
description: Briefly describe the problem.
validations:
required: false
- type: input
id: awx-operator-version
attributes:
label: AWX Operator version
description: What version of the AWX Operator are you running?
validations:
required: true
- type: input
id: awx-version
attributes:
label: AWX version
description: What version of AWX are you running?
validations:
required: true
- type: dropdown
id: platform
attributes:
label: Kubernetes platform
description: What platform did you install the Operator in?
multiple: false
options:
- kubernetes
- minikube
- openshift
- minishift
- docker development environment
- other (please specify in additional information)
validations:
required: true
- type: input
id: kube-version
attributes:
label: Kubernetes/Platform version
description: What version of your platform/kuberneties are you using?
validations:
required: true
- type: dropdown
id: modified-architecture
attributes:
label: Modifications
description: >-
Have you modified the installation, deployment topology, or container images in any way? If yes, please
explain in the "additional information" field at the bottom of the form.
multiple: false
options:
- "no"
- "yes"
validations:
required: true
- type: textarea
id: steps-to-reproduce
attributes:
label: Steps to reproduce
description: >-
Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
validations:
required: true
- type: textarea
id: expected-results
attributes:
label: Expected results
description: What did you expect to happpen when running the steps above?
validations:
required: true
- type: textarea
id: actual-results
attributes:
label: Actual results
description: What actually happened?
validations:
required: true
- type: textarea
id: additional-information
attributes:
label: Additional information
description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
validations:
required: false
- type: textarea
id: operator-logs
attributes:
label: Operator Logs
description: Include any relevant logs generated by the operator.
validations:
required: false

12
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,12 @@
---
blank_issues_enabled: false
contact_links:
- name: For debugging help or technical support
url: https://github.com/ansible/awx-operator#get-involved
about: For general debugging or technical support please see the Get Involved section of our readme.
- name: 📝 Ansible Code of Conduct
url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
- name: 💼 For Enterprise
url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
about: Red Hat offers support for the Ansible Automation Platform

29
.github/ISSUE_TEMPLATE/feature_request.yml vendored Normal file
View File

@@ -0,0 +1,29 @@
---
name: ✨ Feature request
description: Suggest an idea for this project
body:
- type: markdown
attributes:
value: |
Feature Request issues are for **feature requests** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Feature Summary
description: Briefly describe the desired enhancement.
validations:
required: true

26
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View File

@@ -0,0 +1,26 @@
##### SUMMARY
<!--- Describe the change, including rationale and design decisions -->
<!---
If you are fixing an existing issue, please include "fixes #nnn" in your
commit message and your description; but you should still explain what
the change does.
-->
##### ISSUE TYPE
<!--- Pick one below and delete the rest: -->
- Breaking Change
- New or Enhanced Feature
- Bug, Docs Fix or other nominal change
##### ADDITIONAL INFORMATION
<!---
Include additional information to help people understand the change here.
For bugs that don't have a linked bug report, a step-by-step reproduction
of the problem is helpful.
-->
<!--- Paste verbatim command output below, e.g. before and after your change -->
```
```

3
.github/issue_labeler.yml vendored Normal file
View File

@@ -0,0 +1,3 @@
---
needs_triage:
- '.*'

47
.github/workflows/ci.yaml vendored
View File

@@ -10,9 +10,9 @@ on:
branches: [devel]
jobs:
pull_request:
molecule:
runs-on: ubuntu-18.04
name: pull_request
name: molecule
env:
DOCKER_API_VERSION: "1.38"
steps:
@@ -39,3 +39,46 @@ jobs:
sudo rm -f $(which kustomize)
make kustomize
KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
helm:
runs-on: ubuntu-18.04
name: helm
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.2.0
- name: Build operator image and load into kind
run: |
IMG=awx-operator-ci make docker-build
kind load docker-image --name chart-testing awx-operator-ci
- name: Patch pull policy for tests
run: |
kustomize edit add patch --path ../testing/pull_policy/Never.yaml
working-directory: config/default
- name: Build and lint helm chart
run: |
IMG=awx-operator-ci make helm-chart
helm lint ./charts/awx-operator
- name: Install kubeval
run: |
mkdir tmp && cd tmp
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin
working-directory: ./charts
- name: Run kubeval
run: |
helm template -n awx awx-operator > tmp/test.yaml
kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
working-directory: ./charts
- name: Install helm chart
run: |
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator

45
.github/workflows/pr_body_check.yml vendored Normal file
View File

@@ -0,0 +1,45 @@
---
name: PR Check
env:
BRANCH: ${{ github.base_ref || 'devel' }}
on:
pull_request:
types: [opened, edited, reopened, synchronize]
jobs:
pr-check:
name: Scan PR description for semantic versioning keywords
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Write PR body to a file
run: |
cat >> pr.body << __SOME_RANDOM_PR_EOF__
${{ github.event.pull_request.body }}
__SOME_RANDOM_PR_EOF__
- name: Display the received body for troubleshooting
run: cat pr.body
# We want to write these out individually just incase the options were joined on a single line
- name: Check for each of the lines
run: |
grep "Bug, Docs Fix or other nominal change" pr.body > Z
grep "New or Enhanced Feature" pr.body > Y
grep "Breaking Change" pr.body > X
exit 0
# We exit 0 and set the shell to prevent the returns from the greps from failing this step
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash {0}
- name: Check for exactly one item
run: |
if [ $(cat X Y Z | wc -l) != 1 ] ; then
echo "The PR body must contain exactly one of [ 'Bug, Docs Fix or other nominal change', 'New or Enhanced Feature', 'Breaking Change' ]"
echo "We counted $(cat X Y Z | wc -l)"
echo "See the default PR body for examples"
exit 255;
else
exit 0;
fi

15
.github/workflows/promote.yaml vendored
View File

@@ -8,6 +8,8 @@ jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Log in to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +25,16 @@ jobs:
docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker push quay.io/${{ github.repository }}:latest
- name: Configure git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ github.event.release.tag_name }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/stage.yml vendored
View File

@@ -60,7 +60,8 @@ jobs:
- name: Build and stage awx-operator
working-directory: awx-operator
run: |
BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }}" \
BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }} \
--build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
IMAGE_TAG_BASE=ghcr.io/${{ github.repository_owner }}/awx-operator \
VERSION=${{ github.event.inputs.version }} make docker-build docker-push

22
.github/workflows/triage_new.yml vendored Normal file
View File

@@ -0,0 +1,22 @@
---
name: Triage
on:
issues:
types:
- opened
jobs:
triage:
runs-on: ubuntu-latest
name: Label
steps:
- name: Label issues
uses: github/issue-labeler@v2.4.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
configuration-path: .github/issue_labeler.yml
enable-versioned-regex: 0
if: github.event_name == 'issues'

3
.gitignore vendored
View File

@@ -4,3 +4,6 @@
/bundle
/bundle_tmp*
/bundle.Dockerfile
/charts
/.cr-release-packages
.vscode/

23
.helm/starter/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

7
.helm/starter/Chart.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: v2
appVersion: 0.1.0
description: A Helm chart for Kubernetes
name: starter
type: application
version: 0.1.0

56
.helm/starter/README.md Normal file
View File

@@ -0,0 +1,56 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
In your values config, enable `AWX.enable` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
Example:
```
helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
```
Argument breakdown:
* `-f` passes in the file with your custom values
* `-n` sets the namespace to be installed in
* This value is accessed by `{{ $.Release.Namespace }}` in the templates
* Acts as the default namespace for all unspecified resources
* `--create-namespace` specifies that helm should create the namespace before installing
To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
## Values Summary
### AWX
| Value | Description | Default |
|---|---|---|
| `AWX.enabled` | Enable this AWX resource configuration | `false` |
| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
| `AWX.postgres` | configurations for the external postgres secret | - |
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.

6
.helm/starter/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,6 @@
{{/*
Generate the name of the postgres secret, expects AWX context passed in
*/}}
{{- define "postgres.secretName" -}}
{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
{{- end }}

24
.helm/starter/templates/awx-deploy.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if $.Values.AWX.enabled }}
{{- with .Values.AWX }}
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
spec:
{{- /* Include raw map from the values file spec */}}
{{ .spec | toYaml | indent 2 }}
{{- /* Provide security context defaults */}}
{{- if not (hasKey .spec "security_context_settings") }}
security_context_settings:
runAsGroup: 0
runAsUser: 0
fsGroup: 0
fsGroupChangePolicy: OnRootMismatch
{{- end }}
{{- /* Postgres configs if enabled and not already present */}}
{{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
postgres_configuration_secret: {{ include "postgres.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}

18
.helm/starter/templates/postgres-config.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postgres.secretName" . }}
namespace: {{ $.Release.Namespace }}
{{- with $.Values.AWX.postgres }}
stringData:
host: {{ .host }}
port: {{ .port | quote }}
database: {{ .dbName }}
username: {{ .username }}
password: {{ .password }}
sslmode: {{ .sslmode }}
type: {{ .type }}
type: Opaque
{{- end }}
{{- end }}

19
.helm/starter/values.yaml Normal file
View File

@@ -0,0 +1,19 @@
AWX:
# enable use of awx-deploy template
enabled: false
name: awx
spec:
admin_user: admin
# configurations for external postgres instance
postgres:
enabled: false
host: Unset
port: 5678
dbName: Unset
username: admin
# for secret management, pass in the password independently of this file
# at the command line, use --set AWX.postgres.password
password: Unset
sslmode: prefer
type: unmanaged

6
.yamllint
View File

@@ -6,8 +6,14 @@ ignore: |
kustomization.yaml
awx-operator.clusterserviceversion.yaml
bundle
.helm/starter
rules:
truthy: disable
line-length:
max: 170
document-start: disable
comments-indentation: disable
indentation:
level: warning
indent-sequences: consistent

9
CHANGELOG.md
View File

@@ -2,7 +2,14 @@
This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
# 0.14.0 (TBA)
# 0.19.0 (Mar 23, 2022)
- Fix corrupted spec for the service with nodeport type (kurokobo) - dbaf64e
- Add ability to deploy with OLM & added logo (Christian Adams) - 86c31a4
- Fix backup & restore issues with special characters in the postgres password (kurokobo) - 589a375
- Use centos:stream8 container where applicable (Shane McDonald)- 12a58d7
# 0.14.0 (Oct 03, 2021)
- Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x.
- To avoid a headache, you probably want to delete your existing operator Deployment and follow the README.

9
Dockerfile
View File

@@ -1,7 +1,9 @@
FROM quay.io/operator-framework/ansible-operator:v1.12.0
FROM quay.io/operator-framework/ansible-operator:v1.22.2
ARG DEFAULT_AWX_VERSION
ARG OPERATOR_VERSION
ENV DEFAULT_AWX_VERSION=${DEFAULT_AWX_VERSION}
ENV OPERATOR_VERSION=${OPERATOR_VERSION}
COPY requirements.yml ${HOME}/requirements.yml
RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
@@ -10,3 +12,8 @@ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
COPY watches.yaml ${HOME}/watches.yaml
COPY roles/ ${HOME}/roles/
COPY playbooks/ ${HOME}/playbooks/
ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", \
"--watches-file=./watches.yaml", \
"--reconcile-period=0s" \
]

182
Makefile
View File

@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)
CONTAINER_CMD ?= docker
# GNU vs BSD in-place sed
ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
SED_I := sed -i
else
SED_I := sed -i ''
endif
# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -37,10 +44,30 @@ IMAGE_TAG_BASE ?= quay.io/ansible/awx-operator
# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
# You can enable this value if you would like to use SHA Based Digests
# To enable set flag to true
USE_IMAGE_DIGESTS ?= false
ifeq ($(USE_IMAGE_DIGESTS), true)
BUNDLE_GEN_FLAGS += --use-image-digests
endif
# Image URL to use all building/pushing image targets
IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
NAMESPACE ?= awx
# Helm variables
CHART_NAME ?= awx-operator
CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
CHART_OWNER ?= $(GH_REPO_OWNER)
CHART_REPO ?= awx-operator
CHART_BRANCH ?= gh-pages
CHART_INDEX ?= index.yaml
.PHONY: all
all: docker-build
##@ General
@@ -56,43 +83,54 @@ all: docker-build
# More info on the awk command:
# http://linuxcommand.org/lc3_adv_awk.php
.PHONY: help
help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
##@ Build
.PHONY: run
run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
.PHONY: docker-build
docker-build: ## Build docker image with the manager.
${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
.PHONY: docker-push
docker-push: ## Push docker image with the manager.
${CONTAINER_CMD} push ${IMG}
##@ Deployment
.PHONY: install
install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
$(KUSTOMIZE) build config/crd | kubectl apply -f -
.PHONY: uninstall
uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
$(KUSTOMIZE) build config/crd | kubectl delete -f -
.PHONY: gen-resources
gen-resources: kustomize ## Generate resources for controller and print to stdout
@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
@$(KUSTOMIZE) build config/default
.PHONY: deploy
deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
@$(KUSTOMIZE) build config/default | kubectl apply -f -
.PHONY: undeploy
undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
$(KUSTOMIZE) build config/default | kubectl delete -f -
OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCH := $(shell uname -m | sed 's/x86_64/amd64/')
ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
.PHONY: kustomize
KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -102,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
}
else
@@ -118,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -131,7 +169,6 @@ bundle: kustomize ## Generate bundle manifests and metadata, then validate gener
operator-sdk generate kustomize manifests -q
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
cd config/manifests/bases && python inject-csv-config.py
operator-sdk bundle validate ./bundle
.PHONY: bundle-build
@@ -150,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCHA)-opm ;\
chmod +x $(OPM) ;\
}
else
@@ -181,3 +218,138 @@ catalog-build: opm ## Build a catalog image.
.PHONY: catalog-push
catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: kubectl-slice
KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
kubectl-slice: ## Download kubectl-slice locally if necessary.
ifeq (,$(wildcard $(KUBECTL_SLICE)))
ifeq (,$(shell which kubectl-slice 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUBECTL_SLICE)) ;\
curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
tar xzf - -C bin/ kubectl-slice ;\
}
else
KUBECTL_SLICE = $(shell which kubectl-slice)
endif
endif
.PHONY: helm
HELM = $(shell pwd)/bin/helm
helm: ## Download helm locally if necessary.
ifeq (,$(wildcard $(HELM)))
ifeq (,$(shell which helm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
rmdir bin/$(OS)-$(ARCHA) ;\
}
else
HELM = $(shell which helm)
endif
endif
.PHONY: yq
YQ = $(shell pwd)/bin/yq
yq: ## Download yq locally if necessary.
ifeq (,$(wildcard $(YQ)))
ifeq (,$(shell which yq 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
}
else
YQ = $(shell which yq)
endif
endif
PHONY: cr
CR = $(shell pwd)/bin/cr
cr: ## Download cr locally if necessary.
ifeq (,$(wildcard $(CR)))
ifeq (,$(shell which cr 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(CR)) ;\
curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ cr ;\
}
else
CR = $(shell which cr)
endif
endif
charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: helm-chart-generate helm-chart-slice
.PHONY: helm-chart-generate
helm-chart-generate: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE (image and namespace) =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
@echo "== HELM =="
cd charts && \
$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE (annotation) =="
cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
@echo "== SLICE =="
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/templates \
--sort-by-kind
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
# clean old crds dir before copying in newly generated CRDs
rm -rf charts/$(CHART_NAME)/crds
mkdir charts/$(CHART_NAME)/crds
mv charts/$(CHART_NAME)/templates/customresourcedefinition* charts/$(CHART_NAME)/crds
.PHONY: helm-chart-edit
helm-chart-slice:
@echo "== EDIT =="
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*),$(YQ) -i 'del(.. | select(has("namespace")).namespace)' $(file);)
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*rolebinding*),$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $(file);)
rm -f charts/$(CHART_NAME)/templates/namespace*.yaml
.PHONY: helm-package
helm-package: cr helm-chart
@echo "== CHART RELEASER (package) =="
$(CR) package ./charts/awx-operator
# The actual release happens in ansible/helm-release.yml
# until https://github.com/helm/chart-releaser/issues/122 happens
.PHONY: helm-index
helm-index: cr helm-chart
@echo "== CHART RELEASER (httpsorigin) =="
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
git fetch httpsorigin
@echo "== CHART RELEASER (index) =="
$(CR) index \
--owner "$(CHART_OWNER)" \
--git-repo "$(CHART_REPO)" \
--token "$(CR_TOKEN)" \
--pages-branch "$(CHART_BRANCH)" \
--index-path "./charts/$(CHART_INDEX)" \
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
--remote httpsorigin \
--release-name-template="{{ .Version }}" \
--push

14
PROJECT
View File

@@ -13,4 +13,18 @@ resources:
group: awx
kind: AWX
version: v1beta1
- api:
crdVersion: v1
namespaced: true
domain: ansible.com
group: awx
kind: AWXBackup
version: v1beta1
- api:
crdVersion: v1
namespaced: true
domain: ansible.com
group: awx
kind: AWXRestore
version: v1beta1
version: "3"

601
README.md
View File

@@ -1,17 +1,24 @@
# AWX Operator
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
# Table of Contents
<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
<!-- gh-md-toc --insert README.md -->
<!--ts-->
* [AWX Operator](#awx-operator)
* [Table of Contents](#table-of-contents)
* [Purpose](#purpose)
* [Usage](#usage)
* [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
* [Basic Install](#basic-install)
* [Helm Install on existing cluster](#helm-install-on-existing-cluster)
* [Admin user account configuration](#admin-user-account-configuration)
* [Network and TLS Configuration](#network-and-tls-configuration)
* [Service Type](#service-type)
@@ -22,22 +29,40 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Managed PostgreSQL Service](#managed-postgresql-service)
* [Advanced Configuration](#advanced-configuration)
* [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
* [Redis container capabilities](#redis-container-capabilities)
* [Privileged Tasks](#privileged-tasks)
* [Containers Resource Requirements](#containers-resource-requirements)
* [Priority Classes](#priority-classes)
* [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
* [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
* [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
* [Persisting Projects Directory](#persisting-projects-directory)
* [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
* [Default execution environments from private registries](#default-execution-environments-from-private-registries)
* [Control plane ee from private registry](#control-plane-ee-from-private-registry)
* [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
* [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
* [Session Cookie Secure Setting](#session-cookie-secure-setting)
* [Extra Settings](#extra-settings)
* [Configure no_log](#no-log)
* [Auto Upgrade](#auto-upgrade)
* [Upgrade of instances without auto upgrade](#upgrade-of-instances-without-auto-upgrade)
* [Service Account](#service-account)
* [Uninstall](#uninstall)
* [Upgrading](#upgrading)
* [Upgrading](#upgrading)
* [Backup](#backup)
* [v0.14.0](#v0140)
* [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
* [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
* [Steps to upgrade](#steps-to-upgrade)
* [Contributing](#contributing)
* [Release Process](#release-process)
* [Verifiy Functionality](#verify-functionality)
* [Update Version](#update-version)
* [Commit / Create Release](#commit--create-release)
* [Author](#author)
* [Code of Conduct](#code-of-conduct)
* [Get Involved](#get-involved)
<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
<!--te-->
## Purpose
@@ -46,11 +71,11 @@ This operator is meant to provide a more Kubernetes-native installation method f
## Usage
### Basic Install
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
### Creating a minikube cluster for testing
If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
```
$ minikube start --cpus=4 --memory=6g --addons=ingress
@@ -99,26 +124,47 @@ Let's create an alias for easier usage:
$ alias kubectl="minikube kubectl --"
```
Now you need to deploy AWX Operator into your cluster. Clone this repo and `git checkout` the latest version from https://github.com/ansible/awx-operator/releases, and then run the following command:
### Basic Install
Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/
First, create a file called `kustomization.yaml` with the following content:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Find the latest tag here: https://github.com/ansible/awx-operator/releases
- github.com/ansible/awx-operator/config/default?ref=<tag>
# Set the image tags to match the git version from above
images:
- name: quay.io/ansible/awx-operator
newTag: <tag>
# Specify a custom namespace in which to install AWX
namespace: awx
```
> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
Install the manifests by running this:
```
$ export NAMESPACE=my-namespace
$ make deploy
cd config/manager && /home/user/awx-operator/bin/kustomize edit set image controller=quay.io/ansible/awx-operator:0.14.0
/home/user/awx-operator/bin/kustomize build config/default | kubectl apply -f -
namespace/my-namespace created
$ kustomize build . | kubectl apply -f -
namespace/awx created
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
serviceaccount/awx-operator-controller-manager created
role.rbac.authorization.k8s.io/awx-operator-awx-manager-role created
role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
role.rbac.authorization.k8s.io/awx-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding created
rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
rolebinding.rbac.authorization.k8s.io/awx-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
configmap/awx-operator-manager-config created
configmap/awx-operator-awx-manager-config created
service/awx-operator-controller-manager-metrics-service created
deployment.apps/awx-operator-controller-manager created
```
@@ -126,18 +172,18 @@ deployment.apps/awx-operator-controller-manager created
Wait a bit and you should have the `awx-operator` running:
```
$ kubectl get pods -n $NAMESPACE
$ kubectl get pods -n awx
NAME READY STATUS RESTARTS AGE
awx-operator-controller-manager-66ccd8f997-rhd4z 2/2 Running 0 11s
```
So we don't have to keep repeating `-n $NAMESPACE`, let's set the current namespace for `kubectl`:
So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:
```
$ kubectl config set-context --current --namespace=$NAMESPACE
$ kubectl config set-context --current --namespace=awx
```
Next, create a file named `awx-demo.yml` with the suggested content below. The `metadata.name` you provide, will be the name of the resulting AWX deployment.
Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
**Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
@@ -149,13 +195,27 @@ metadata:
name: awx-demo
spec:
service_type: nodeport
# default nodeport_port is 30080
nodeport_port: <nodeport_port>
```
Finally, use `kubectl` to create the awx instance in your cluster:
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
```yaml
...
resources:
- github.com/ansible/awx-operator/config/default?ref=<tag>
# Add this extra line:
- awx-demo.yaml
...
```
Finally, run `kustomize` again to create the AWX instance in your cluster:
```
$ kubectl apply -f awx-demo.yml
awx.awx.ansible.com/awx-demo created
kustomize build . | kubectl apply -f -
```
After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
@@ -195,17 +255,46 @@ You just completed the most basic install of an AWX instance via this operator.
For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
### Helm Install on existing cluster
For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
The helm chart is generated from the `helm-chart` Makefile section using the starter files in `.helm/starter`. Consult [the documentation](.helm/starter/README.md) on how to customize the AWX resource with your own values.
```bash
$ helm repo add awx-operator https://ansible.github.io/awx-operator/
"awx-operator" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "awx-operator" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm search repo awx-operator
NAME CHART VERSION APP VERSION DESCRIPTION
awx-operator/awx-operator 0.17.1 0.17.1 A Helm chart for the AWX Operator
$ helm install -n awx --create-namespace my-awx-operator awx-operator/awx-operator
NAME: my-awx-operator
LAST DEPLOYED: Thu Feb 17 22:09:05 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Helm Chart 0.17.1
```
### Admin user account configuration
There are three variables that are customizable for the admin user account creation.
| Name | Description | Default |
| --------------------------- | -------------------------------------------- | ---------------- |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
| Name | Description | Default |
| --------------------- | -------------------------------------------- | ---------------- |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
> :warning: **admin_password_secret must be a Kubernetes secret and not your text clear password**.
@@ -228,6 +317,41 @@ stringData:
```
### Secret Key Configuration
This key is used to encrypt sensitive data in the database.
| Name | Description | Default |
| ----------------- | ----------------------------------------------------- | ---------------- |
| secret_key_secret | Secret that contains the symmetric key for encryption | Generated |
> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.
The secret should be formatted as follow:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: custom-awx-secret-key
namespace: <target namespace>
stringData:
secret_key: supersecuresecretkey
```
Then specify the secret name on the AWX spec:
```yaml
---
spec:
...
secret_key_secret: custom-awx-secret-key
```
### Network and TLS Configuration
#### Service Type
@@ -238,15 +362,18 @@ The `service_type` supported options are: `ClusterIP`, `LoadBalancer` and `NodeP
The following variables are customizable for any `service_type`
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------- |
| service_labels | Add custom labels | Empty string |
| Name | Description | Default |
| ------------------- | ----------------------- | ------------ |
| service_labels | Add custom labels | Empty string |
| service_annotations | Add service annotations | Empty string |
```yaml
---
spec:
...
service_type: ClusterIP
service_annotations: |
environment: testing
service_labels: |
environment: testing
```
@@ -255,11 +382,10 @@ spec:
The following variables are customizable only when `service_type=LoadBalancer`
| Name | Description | Default |
| ------------------------------ | ---------------------------------------- | ------------- |
| loadbalancer_annotations | LoadBalancer annotations | Empty string |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
| Name | Description | Default |
| --------------------- | ---------------------------------------- | ------- |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
```yaml
---
@@ -268,7 +394,7 @@ spec:
service_type: LoadBalancer
loadbalancer_protocol: https
loadbalancer_port: 443
loadbalancer_annotations: |
service_annotations: |
environment: testing
service_labels: |
environment: testing
@@ -282,9 +408,9 @@ The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and
The following variables are customizable only when `service_type=NodePort`
| Name | Description | Default |
| ------------------------------ | ---------------------------------------- | ------------- |
| nodeport_port | Port used for NodePort | 30080 |
| Name | Description | Default |
| ------------- | ---------------------- | ------- |
| nodeport_port | Port used for NodePort | 30080 |
```yaml
---
@@ -312,13 +438,13 @@ spec:
The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
| Name | Description | Default |
| -------------------------- | ---------------------------------------- | ---------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
| Name | Description | Default |
| ------------------- | ---------------------------------------- | --------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
```yaml
---
@@ -334,8 +460,8 @@ spec:
The following variables are customizable when `ingress_type=route`
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------------------------------|
| Name | Description | Default |
| ------------------------------- | --------------------------------------------- | ------------------------------------------------------- |
| route_host | Common name the route answers for | `<instance-name>-<namespace>-<routerCanonicalHostname>` |
| route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge |
| route_tls_secret | Secret that contains the TLS information | Empty string |
@@ -354,7 +480,7 @@ spec:
#### External PostgreSQL Service
In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
The secret should be formatted as follows:
@@ -377,12 +503,21 @@ stringData:
type: Opaque
```
> Please ensure that the value for the variable "password" is wrapped in quotes if the password contains any special characters.
> Please ensure that the value for the variable `password` should _not_ contain single or double quotes (`'`, `"`) or backslashes (`\`) to avoid any issues during deployment, [backup](https://github.com/ansible/awx-operator/tree/devel/roles/backup) or [restoration](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
> It is possible to set a specific username, password, port, or database, but still have the database managed by the operator. In this case, when creating the postgres-configuration secret, the `type: managed` field should be added.
**Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
Once the secret is created, you can specify it on your spec:
```yaml
---
spec:
...
postgres_configuration_secret: <name-of-your-secret>
```
#### Migrating data from an old AWX instance
For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -393,13 +528,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
The following variables are customizable for the managed PostgreSQL service
| Name | Description | Default |
| ------------------------------------ | ------------------------------------------ | --------------------------------- |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_resource_requirements | PostgreSQL container resource requirements | Empty object |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| Name | Description | Default |
| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_resource_requirements | PostgreSQL container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string |
Example of customization could be:
@@ -433,15 +570,15 @@ spec:
There are a few variables that are customizable for awx the image management.
| Name | Description |
| --------------------------| -------------------------- |
| image | Path of the image to pull |
| image_version | Image version to pull |
| image_pull_policy | The pull policy to adopt |
| image_pull_secret | The pull secret to use |
| ee_images | A list of EEs to register |
| redis_image | Path of the image to pull |
| redis_image_version | Image version to pull |
| Name | Description | Default |
| ------------------- | ------------------------- | -------------------------------------- |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:latest |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
Example of customization could be:
@@ -452,7 +589,8 @@ spec:
image: myorg/my-custom-awx
image_version: latest
image_pull_policy: Always
image_pull_secret: pull_secret_name
image_pull_secrets:
- pull_secret_name
ee_images:
- name: my-custom-awx-ee
image: myorg/my-custom-awx-ee
@@ -498,11 +636,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
| Name | Description | Default |
| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 1000m, memory: 2Gi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
| Name | Description | Default |
| -------------------------- | ------------------------------------------------ | ------------------------------------ |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
Example of customization could be:
@@ -512,44 +650,63 @@ spec:
...
web_resource_requirements:
requests:
cpu: 1000m
cpu: 250m
memory: 2Gi
limits:
cpu: 2000m
cpu: 1000m
memory: 4Gi
task_resource_requirements:
requests:
cpu: 500m
cpu: 250m
memory: 1Gi
limits:
cpu: 1000m
cpu: 2000m
memory: 2Gi
ee_resource_requirements:
requests:
cpu: 500m
memory: 1Gi
cpu: 250m
memory: 100Mi
limits:
cpu: 1000m
cpu: 500m
memory: 2Gi
```
#### Priority Classes
The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
Then set the name of your priority class to the control plane and postgres pods as shown below.
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-demo
spec:
...
control_plane_priority_class: awx-demo-high-priority
postgres_priority_class: awx-demo-medium-priority
```
#### Assigning AWX pods to specific nodes
You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
pods to be scheduled onto nodes with matching taints.
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
| Name | Description | Default |
| -------------------------------| ---------------------------------------- | ------- |
| postgres_image | Path of the image to pull | 12 |
| postgres_image_version | Image version to pull | 12 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:
@@ -594,8 +751,8 @@ Trusting a custom Certificate Authority allows the AWX to access network service
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | --------|
| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
| ldap_password_secret | LDAP BIND DN Password secret name | '' |
| bundle_cacert_secret | Certificate Authority secret name | '' |
Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
Example of customization could be:
@@ -605,10 +762,13 @@ Example of customization could be:
spec:
...
ldap_cacert_secret: <resourcename>-custom-certs
ldap_password_secret: <resourcename>-ldap-password
bundle_cacert_secret: <resourcename>-custom-certs
```
To create the secret, you can use the command below:
To create the secrets, you can use the commands below:
* Certificate Authority secret
```
# kubectl create secret generic <resourcename>-custom-certs \
@@ -616,17 +776,77 @@ To create the secret, you can use the command below:
--from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
```
* LDAP BIND DN Password secret
```
# kubectl create secret generic <resourcename>-ldap-password \
--from-literal=ldap-password=<your_ldap_dn_password>
```
#### Enabling LDAP Integration at AWX bootstrap
A sample of extra settings can be found as below:
```yaml
- setting: AUTH_LDAP_SERVER_URI
value: >-
"ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
- setting: AUTH_LDAP_BIND_DN
value: >-
"CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
- setting: AUTH_LDAP_USER_SEARCH
value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
- setting: AUTH_LDAP_GROUP_SEARCH
value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
- setting: AUTH_LDAP_USER_ATTR_MAP
value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
- setting: AUTH_LDAP_REQUIRE_GROUP
value: >-
"CN=operators,OU=Groups,DC=abc,DC=com"
- setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
value: {
"is_superuser": [
"CN=admin,OU=Groups,DC=abc,DC=com"
]
}
- setting: AUTH_LDAP_ORGANIZATION_MAP
value: {
"abc": {
"admins": "CN=admin,OU=Groups,DC=abc,DC=com",
"remove_users": false,
"remove_admins": false,
"users": true
}
}
- setting: AUTH_LDAP_TEAM_MAP
value: {
"admin": {
"remove": true,
"users": "CN=admin,OU=Groups,DC=abc,DC=com",
"organization": "abc"
}
}
```
#### Persisting Projects Directory
In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
| Name | Description | Default |
| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
| projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| projects_storage_class | Define the PersistentVolume storage class | '' |
| projects_storage_size | Define the PersistentVolume size | 8Gi |
| projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | '' |
| Name | Description | Default |
| ---------------------------- | ---------------------------------------------------------------------------------------------- | ------------- |
| projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| projects_storage_class | Define the PersistentVolume storage class | '' |
| projects_storage_size | Define the PersistentVolume size | 8Gi |
| projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | '' |
Example of customization when the `awx-operator` automatically handles the persistent volume could be:
@@ -643,14 +863,14 @@ spec:
In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
| Name | Description | Default |
| --------------------------------- | -------------------------------------------------------- | ------- |
| extra_volumes | Specify extra volumes to add to the application pod | '' |
| web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container | '' |
| init_container_extra_commands | Specify additional commands for Init container | '' |
| Name | Description | Default |
| ---------------------------------- | -------------------------------------------------------- | ------- |
| extra_volumes | Specify extra volumes to add to the application pod | '' |
| web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
| init_container_extra_volume_mounts | Specify volume mounts to be added to Init container | '' |
| init_container_extra_commands | Specify additional commands for Init container | '' |
> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -727,7 +947,7 @@ Example spec file for volumes and volume mounts
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
The secret should be formated as follows:
The secret should be formatted as follows:
```yaml
---
@@ -745,13 +965,13 @@ type: Opaque
```
##### Control plane ee from private registry
The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
You can create `image_pull_secret`
```
kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
```
If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
If you need more control (for example, to set a namespace or a label on the new secret) then you can customize the Secret before storing it
Example spec file extra-config
@@ -771,11 +991,11 @@ type: kubernetes.io/dockerconfigjson
If you need to export custom environment variables to your containers.
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| task_extra_env | Environment variables to be added to Task container | '' |
| web_extra_env | Environment variables to be added to Web container | '' |
| ee_extra_env | Environment variables to be added to EE container | '' |
| Name | Description | Default |
| -------------- | --------------------------------------------------- | ------- |
| task_extra_env | Environment variables to be added to Task container | '' |
| web_extra_env | Environment variables to be added to Web container | '' |
| ee_extra_env | Environment variables to be added to EE container | '' |
> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -794,13 +1014,43 @@ Example configuration of environment variables
value: foo
```
#### CSRF Cookie Secure Setting
With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
| Name | Description | Default |
| ------------------ | ------------------ | ------- |
| csrf_cookie_secure | CSRF Cookie Secure | '' |
Example configuration of the `csrf_cookie_secure` setting:
```yaml
spec:
csrf_cookie_secure: 'False'
```
#### Session Cookie Secure Setting
With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
| Name | Description | Default |
| --------------------- | --------------------- | ------- |
| session_cookie_secure | Session Cookie Secure | '' |
Example configuration of the `session_cookie_secure` setting:
```yaml
spec:
session_cookie_secure: 'False'
```
#### Extra Settings
With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings` will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| extra_settings | Extra settings | '' |
| Name | Description | Default |
| -------------- | -------------- | ------- |
| extra_settings | Extra settings | '' |
Example configuration of `extra_settings` parameter
@@ -814,13 +1064,64 @@ Example configuration of `extra_settings` parameter
value: "cn=admin,dc=example,dc=com"
```
#### No Log
Configure no_log for tasks with no_log
| Name | Description | Default |
| ------ | -------------------- | ------- |
| no_log | No log configuration | 'true' |
Example configuration of `no_log` parameter
```yaml
spec:
no_log: 'true'
```
#### Auto upgrade
With this parameter you can influence the behavior during an operator upgrade.
If set to `true`, the operator will upgrade the specific instance directly.
When the value is set to `false`, and we have a running deployment, the operator will not update the AWX instance.
This can be useful when you have multiple AWX instances which you want to upgrade step by step instead of all at once.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| auto_upgrade | Automatic upgrade of AWX instances | true |
Example configuration of `auto_upgrade` parameter
```yaml
spec:
auto_upgrade: true
```
##### Upgrade of instances without auto upgrade
There are two ways to upgrade instances which are marked with the 'auto_upgrade: false' flag.
Changing flags:
- change the auto_upgrade flag on your AWX object to true
- wait until the upgrade process of that instance is finished
- change the auto_upgrade flag on your AWX object back to false
Delete the deployment:
- delete the deployment object of your AWX instance
```
$ kubectl -n awx delete deployment <yourInstanceName>
```
- wait until the instance gets redeployed
#### Service Account
If you need to modify some `ServiceAccount` proprieties
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| service_account_annotations | Annotations to the ServiceAccount | '' |
| Name | Description | Default |
| --------------------------- | --------------------------------- | ------- |
| service_account_annotations | Annotations to the ServiceAccount | '' |
Example configuration of environment variables
@@ -842,12 +1143,31 @@ awx.awx.ansible.com "awx-demo" deleted
Deleting an AWX instance will remove all related deployments and statefulsets, however, persistent volumes and secrets will remain. To enforce secrets also getting removed, you can use `garbage_collect_secrets: true`.
**Note**: If you ever intend to recover an AWX from an existing database you will need a copy of the secrets in order to perform a successful recovery.
### Upgrading
To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX. To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `image_version` variable in `roles/installer/defaults/main.yml` for that particular release.
Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
#### Backup
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets. In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
#### PostgreSQL Upgrade Considerations
If there is a PostgreSQL major version upgrade, after the data directory on the PVC is migrated to the new version, the old PVC is kept by default.
This provides the ability to roll back if needed, but can take up extra storage space in your cluster unnecessarily. You can configure it to be deleted automatically
after a successful upgrade by setting the following variable on the AWX spec.
```yaml
spec:
postgres_keep_pvc_after_upgrade: False
```
#### v0.14.0
##### Cluster-scope to Namespace-scope considerations
@@ -859,6 +1179,21 @@ delete your existing `awx-operator` service account, role and role binding.
Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x. You may need to manually delete your old operator Deployment to avoid issues.
##### Steps to upgrade
Delete your old AWX Operator and existing `awx-operator` service account, role and role binding in `default` namespace first:
```
$ kubectl -n default delete deployment awx-operator
$ kubectl -n default delete serviceaccount awx-operator
$ kubectl -n default delete clusterrolebinding awx-operator
$ kubectl -n default delete clusterrole awx-operator
```
Then install the new AWX Operator by following the instructions in [Basic Install](#basic-install-on-existing-cluster). The `NAMESPACE` environment variable have to be the name of the namespace in which your old AWX instance resides.
Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
## Contributing
Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
@@ -866,12 +1201,26 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
## Release Process
The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you dont need to do it as a separate step.
The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you don't need to do it as a separate step.
If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
- Publish image to Quay
- Release Helm chart
## Author
This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team
## Code of Conduct
We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
## Get Involved
We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC channel as AWX itself. Here's how to reach us with feedback and questions:
- Join the `#ansible-awx` channel on irc.libera.chat
- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

3
SECURITY.md Normal file
View File

@@ -0,0 +1,3 @@
For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

47
ansible/helm-release.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- hosts: localhost
vars:
chart_repo: awx-operator
tasks:
- name: Look up release
uri:
url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
register: release
ignore_errors: yes
- fail:
msg: |
Release must exist before running this playbook
when: release is not success
- name: Build and package helm chart
command: |
make helm-package
environment:
VERSION: "{{ tag }}"
IMAGE_TAG_BASE: "{{ operator_image }}"
args:
chdir: "{{ playbook_dir }}/../"
# Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
- name: Upload helm chart
uri:
url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
headers:
Authorization: "token {{ gh_token }}"
Content-Type: "application/octet-stream"
status_code:
- 200
- 201
register: asset_upload
changed_when: asset_upload.json.state == "uploaded"
- name: Publish helm index
command: |
make helm-index
environment:
CHART_OWNER: "{{ chart_owner }}"
CR_TOKEN: "{{ gh_token }}"
args:
chdir: "{{ playbook_dir }}/../"

102
config/crd/bases/awx.ansible.com_awxbackups.yaml Normal file
View File

@@ -0,0 +1,102 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
description: Schema validation for the AWXBackup CRD
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- deployment_name
properties:
deployment_name:
description: Name of the deployment to be backed up
type: string
backup_pvc:
description: Name of the backup PVC
type: string
backup_pvc_namespace:
description: (Deprecated) Namespace the PVC is in
type: string
backup_storage_requirements:
description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
clean_backup_on_delete:
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
type: boolean
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
set_self_labels:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean
default: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
conditions:
description: The resulting conditions when a Service Telemetry is instantiated
items:
properties:
lastTransitionTime:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
type: array
backupDirectory:
description: Backup directory name on the specified pvc
type: string
backupClaim:
description: Backup persistent volume claim
type: string

101
config/crd/bases/awx.ansible.com_awxrestores.yaml Normal file
View File

@@ -0,0 +1,101 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
description: Schema validation for the AWXRestore CRD
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
deployment_name:
description: Name of the restored deployment. This should be different from the original deployment name
if the original deployment still exists.
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: (Deprecated) Namespace the PVC is in
type: string
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
set_self_labels:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean
default: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
conditions:
description: The resulting conditions when a Service Telemetry is instantiated
items:
properties:
lastTransitionTime:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
type: array
restoreComplete:
description: Restore process complete
type: boolean

992
config/crd/bases/awx.ansible.com_awxs.yaml
View File

File diff suppressed because it is too large Load Diff

77
config/crd/bases/awxbackup.ansible.com_awxbackups.yaml
View File

@@ -1,77 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXBackup CRD
properties:
spec:
type: object
required:
- deployment_name
properties:
deployment_name:
description: Name of the deployment to be backed up
type: string
backup_pvc:
description: Name of the PVC to be used for storing the backup
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
backup_storage_requirements:
description: Storage requirements for the PostgreSQL container
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
postgres_image_version:
description: PostgreSQL container image version to use
type: string
status:
type: object
properties:
conditions:
description: The resulting conditions when a Service Telemetry is instantiated
items:
properties:
lastTransitionTime:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
type: array
backupDirectory:
description: Backup directory name on the specified pvc
type: string
backupClaim:
description: Backup persistent volume claim
type: string

78
config/crd/bases/awxrestore.ansible.com_awxrestores.yaml
View File

@@ -1,78 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXRestore CRD
properties:
spec:
type: object
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
deployment_name:
description: Name of the deployment to be restored to
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
postgres_image_version:
description: PostgreSQL container image version to use
type: string
status:
type: object
properties:
conditions:
description: The resulting conditions when a Service Telemetry is instantiated
items:
properties:
lastTransitionTime:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
type: array
restoreComplete:
description: Restore process complete
type: boolean

9
config/crd/kustomization.yaml
View File

@@ -1,9 +1,8 @@
---
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/awx.ansible.com_awxs.yaml
- bases/awxbackup.ansible.com_awxbackups.yaml
- bases/awxrestore.ansible.com_awxrestores.yaml
# +kubebuilder:scaffold:crdkustomizeresource
- bases/awx.ansible.com_awxs.yaml
- bases/awx.ansible.com_awxbackups.yaml
- bases/awx.ansible.com_awxrestores.yaml
#+kubebuilder:scaffold:crdkustomizeresource

30
config/default/kustomization.yaml
View File

@@ -1,24 +1,30 @@
# Adds namespace to all resources.
namespace: awx
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: awx-operator-
# Labels to add to all resources and selectors.
# commonLabels:
# someName: someValue
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
# - ../prometheus
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
patchesStrategicMerge:
- manager_auth_proxy_patch.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# Mount the controller config file for loading manager configurations
# through a ComponentConfig type
#- manager_config_patch.yaml

48
config/default/manager_auth_proxy_patch.yaml
View File

@@ -1,4 +1,3 @@
---
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
@@ -10,20 +9,33 @@ spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
protocol: TCP
name: https
- name: awx-manager
args:
- "--health-probe-bind-address=:6789"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--leader-election-id=awx-operator"
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: awx-manager
args:
- "--health-probe-bind-address=:6789"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--leader-election-id=awx-operator"

21
config/default/manager_config_patch.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -8,14 +7,14 @@ spec:
template:
spec:
containers:
- name: awx-manager
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
- name: awx-manager-config
mountPath: /controller_manager_config.yaml
subPath: controller_manager_config.yaml
volumes:
- name: awx-manager
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
- name: awx-manager-config
configMap:
name: awx-manager-config
mountPath: /controller_manager_config.yaml
subPath: controller_manager_config.yaml
volumes:
- name: awx-manager-config
configMap:
name: awx-manager-config

14
config/manager/controller_manager_config.yaml
View File

@@ -1,10 +1,20 @@
---
apiVersion: controller-runtime.sigs.k8s.io/v1beta1
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :6789
metrics:
bindAddress: 127.0.0.1:8080
leaderElection:
leaderElect: true
resourceName: 811c9dc5.ansible.com
# leaderElectionReleaseOnCancel defines if the leader should step down volume
# when the Manager ends. This requires the binary to immediately end when the
# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
# speeds up voluntary leader transitions as the new leader don't have to wait
# LeaseDuration time first.
# In the default scaffold provided, the program ends immediately after
# the manager stops, so would be fine to enable this option. However,
# if you are doing or is intended to do any operation such as perform cleanups
# after the manager stops then its usage might be unsafe.
# leaderElectionReleaseOnCancel: true

7
config/manager/kustomization.yaml
View File

@@ -1,11 +1,14 @@
resources:
- manager.yaml
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- files:
- name: awx-manager-config
files:
- controller_manager_config.yaml
name: awx-manager-config
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:

79
config/manager/manager.yaml
View File

@@ -20,39 +20,62 @@ spec:
replicas: 1
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
securityContext:
runAsNonRoot: true
# For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- args:
- --leader-elect
- --leader-election-id=awx-operator
image: controller:latest
name: awx-manager
env:
- name: ANSIBLE_GATHERING
value: explicit
- name: ANSIBLE_DEBUG_LOGS
value: 'false'
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /healthz
port: 6789
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 6789
initialDelaySeconds: 5
periodSeconds: 10
- args:
- --leader-elect
- --leader-election-id=awx-operator
image: controller:latest
name: awx-manager
env:
- name: ANSIBLE_GATHERING
value: explicit
- name: ANSIBLE_DEBUG_LOGS
value: 'false'
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
port: 6789
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 6789
initialDelaySeconds: 5
periodSeconds: 10
# More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "4096Mi"
cpu: "2000m"
serviceAccountName: controller-manager
imagePullSecrets:
- name: redhat-operators-pull-secret
terminationGracePeriodSeconds: 10

648
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

File diff suppressed because one or more lines are too long

24
config/manifests/bases/inject-csv-config.py
View File

@@ -1,24 +0,0 @@
'''
After generating the CSV file, inject custom configuration such as
OLM parameters, relatedImages, etc.
'''
import yaml
csv_path = "../../../bundle/manifests/awx-operator.clusterserviceversion.yaml"
existing_csv = open(csv_path, 'r')
csv = yaml.safe_load(existing_csv)
raw_olm_params = open("olm-parameters.yaml")
olm_params = yaml.safe_load(raw_olm_params)
# Inject OLM parameters for Customer Resource Objects
csv['spec']['customresourcedefinitions']['owned'] = olm_params
csv['metadata']['annotations']['alm-examples'] = ''
file_content = yaml.safe_dump(csv, default_flow_style=False, explicit_start=True)
with open(csv_path, 'w') as f:
f.write(file_content)

599
config/manifests/bases/olm-parameters.yaml
View File

@@ -1,599 +0,0 @@
---
- displayName: AWX Backup
description: Back up a deployment of the awx, including jobs, inventories, and credentials
kind: AWXBackup
name: awxbackups.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Deployment name
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup persistent volume claim namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage requirements
path: backup_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage class
path: backup_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Database backup label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: The persistent volume claim name used during backup
displayName: Backup claim
path: backupClaim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: The directory data is backed up to on the PVC
displayName: Backup directory
path: backupDirectory
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: AWX Restore
description: Restore a previous awx deployment into the namespace
kind: AWXRestore
name: awxrestores.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Backup source to restore ?
path: backup_source
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:CR
- urn:alm:descriptor:com.tectonic.ui:select:PVC
- displayName: Backup name
path: backup_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
- displayName: Name of newly restored deployment
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Backup namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup directory in the persistent volume claim
path: backup_dir
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Database restore label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: The state of the restore
displayName: Restore status
path: restoreComplete
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Deploy a new instance of AWX
displayName: AWX
kind: AWX
name: awxs.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Hostname
path: hostname
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin account username
path: admin_user
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin email address
path: admin_email
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin password secret
path: admin_password_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Database configuration secret
path: postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Old Database configuration secret
path: old_postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Secret key secret
path: secret_key_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Broadcast Websocket Secret
path: broadcast_websocket_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Service Account Annotations
path: service_account_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Tower Service Type
path: service_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:ClusterIP
- urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:select:NodePort
- displayName: Tower Ingress Type
path: ingress_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:none
- urn:alm:descriptor:com.tectonic.ui:select:Ingress
- urn:alm:descriptor:com.tectonic.ui:select:Route
- displayName: Ingress Path
path: ingress_path
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Ingress Path Type
path: ingress_path_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower Ingress Annotations
path: ingress_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower Ingress TLS Secret
path: ingress_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower LoadBalancer Annotations
path: loadbalancer_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Protocol
path: loadbalancer_protocol
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:http
- urn:alm:descriptor:com.tectonic.ui:select:https
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Port
path: loadbalancer_port
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Route DNS host
path: route_host
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS termination mechanism
path: route_tls_termination_mechanism
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:Edge
- urn:alm:descriptor:com.tectonic.ui:select:Passthrough
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS credential secret
path: route_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Image Pull Policy
path: image_pull_policy
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
- displayName: Image Pull Secret
path: image_pull_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Web container resource requirements
path: web_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Task container resource requirements
path: task_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: EE Control Plane container resource requirements
path: ee_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container resource requirements (when using a managed
instance)
path: postgres_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container storage requirements (when using a managed
instance)
path: postgres_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Replicas
path: replicas
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- displayName: Remove used secrets on instance removal ?
path: garbage_collect_secrets
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Preload instance with data upon creation ?
path: create_preload_data
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Deploy the instance in development mode ?
path: development_mode
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Should the task container deployed with privileged level ?
path: task_privileged
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment Type
path: deployment_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment Kind
path: kind
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment apiVersion
path: api_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Image
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Image Version
path: image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image
path: redis_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image Version
path: redis_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Capabilities
path: redis_capabilities
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Selector
path: postgres_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Label Selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Tolerations
path: postgres_tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Storage Class
path: postgres_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Datapath
path: postgres_data_path
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Certificate Authorirty Trust Bundle
path: ca_trust_bundle
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: LDAP Certificate Authority Trust Bundle
path: ldap_cacert_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Task Args
path: task_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Enable persistence for /var/lib/projects directory?
path: projects_persistence
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Use existing Persistent Claim?
path: projects_use_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:_Yes_
- urn:alm:descriptor:com.tectonic.ui:select:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_persistence:true
- displayName: Projects Existing Persistent Claim
path: projects_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
- urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
- description: Projects Storage Class Name. If not present, the default storage
class will be used.
displayName: Projects Storage Class Name
path: projects_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Projects Storage Size
displayName: Projects Storage Size
path: projects_storage_size
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Projects Storage Access Mode
displayName: Projects Storage Access Mode
path: projects_storage_access_mode
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Task Command
path: task_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to Task container
displayName: Task Extra Env
path: task_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Execution container
displayName: EE Extra Volume Mounts
path: ee_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use
displayName: EE Images
path: ee_images
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to EE container
displayName: EE Extra Env
path: ee_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use on
control plane pods
displayName: Control Plane EE Image
path: control_plane_ee_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: EE Images Pull Credentials Secret
displayName: EE Images Pull Credentials Secret
path: ee_pull_credentials_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- description: Specify volume mounts to be added to Task container
displayName: Task Extra Volume Mounts
path: task_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Args
path: web_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Command
path: web_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to Web container
displayName: Web Extra Env
path: web_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Web container
displayName: Web Extra Volume Mounts
path: web_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify extra volumes to add to the application pod
displayName: Extra Volumes
path: extra_volumes
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Node Selector
path: node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Topology Spread Constraints
path: topology_spread_constraints
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Service Labels
path: service_labels
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tolerations
path: tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: API Extra Settings
path: extra_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Security Context Settings
path: security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the init container to use
displayName: Init Container Image
path: init_container_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Init container image version to use
displayName: Init Container Image Version
path: init_container_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify Extra commands for the Init container
displayName: Init Container Extra Commands
path: init_container_extra_commands
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Init container
displayName: Init Container Extra Volume Mounts
path: init_container_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Secret where can be found the trusted Certificate Authority Bundle
path: bundle_cacert_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Nodeport Port
path: nodeport_port
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: Route to access the instance deployed
displayName: URL
path: URL
x-descriptors:
- urn:alm:descriptor:org.w3:link
- description: Admin user for the instance deployed
displayName: Admin User
path: adminUser
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Admin password for the instance deployed
displayName: Admin Password
path: adminPasswordSecret
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: Version of the instance deployed
displayName: Version
path: version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Image of the instance deployed
displayName: Image
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text

9
config/manifests/kustomization.yaml
View File

@@ -1,8 +1,7 @@
---
# These resources constitute the fully configured set of manifests
# used to generate the 'manifests/' directory in a bundle.
resources:
- bases/awx-operator.clusterserviceversion.yaml
- ../default
- ../samples
- ../scorecard
- bases/awx-operator.clusterserviceversion.yaml
- ../default
- ../samples
- ../scorecard

3
config/prometheus/kustomization.yaml
View File

@@ -1,3 +1,2 @@
---
resources:
- monitor.yaml
- monitor.yaml

1
config/prometheus/monitor.yaml
View File

@@ -1,4 +1,3 @@
---
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor

9
config/rbac/auth_proxy_client_clusterrole.yaml
View File

@@ -1,10 +1,9 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs:
- "/metrics"
verbs:
- get
- nonResourceURLs:
- "/metrics"
verbs:
- get

25
config/rbac/auth_proxy_role.yaml
View File

@@ -1,18 +1,17 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create

7
config/rbac/auth_proxy_role_binding.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -8,6 +7,6 @@ roleRef:
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
- kind: ServiceAccount
name: controller-manager
namespace: system

9
config/rbac/auth_proxy_service.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: v1
kind: Service
metadata:
@@ -8,9 +7,9 @@ metadata:
namespace: system
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager

37
config/rbac/awx_editor_role.yaml
View File

@@ -1,25 +1,24 @@
---
# permissions for end users to edit awxs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awx-editor-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxs/status
verbs:
- get
- apiGroups:
- awx.ansible.com
resources:
- awxs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxs/status
verbs:
- get

29
config/rbac/awx_viewer_role.yaml
View File

@@ -1,21 +1,20 @@
---
# permissions for end users to view awxs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awx-viewer-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxs
verbs:
- get
- list
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxs/status
verbs:
- get
- apiGroups:
- awx.ansible.com
resources:
- awxs
verbs:
- get
- list
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxs/status
verbs:
- get

24
config/rbac/awxbackup_editor_role.yaml Normal file
View File

@@ -0,0 +1,24 @@
# permissions for end users to edit awxbackups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awxbackup-editor-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxbackups
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxbackups/status
verbs:
- get

20
config/rbac/awxbackup_viewer_role.yaml Normal file
View File

@@ -0,0 +1,20 @@
# permissions for end users to view awxbackups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awxbackup-viewer-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxbackups
verbs:
- get
- list
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxbackups/status
verbs:
- get

24
config/rbac/awxrestore_editor_role.yaml Normal file
View File

@@ -0,0 +1,24 @@
# permissions for end users to edit awxrestores.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awxrestore-editor-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxrestores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxrestores/status
verbs:
- get

20
config/rbac/awxrestore_viewer_role.yaml Normal file
View File

@@ -0,0 +1,20 @@
# permissions for end users to view awxrestores.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: awxrestore-viewer-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxrestores
verbs:
- get
- list
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxrestores/status
verbs:
- get

35
config/rbac/kustomization.yaml
View File

@@ -1,19 +1,18 @@
---
resources:
# All RBAC will be applied under this service account in
# the deployment namespace. You may comment out this resource
# if your manager will use a service account that exists at
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
# subjects if changing service account names.
- service_account.yaml
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# All RBAC will be applied under this service account in
# the deployment namespace. You may comment out this resource
# if your manager will use a service account that exists at
# runtime. Be sure to update RoleBinding and ClusterRoleBinding
# subjects if changing service account names.
- service_account.yaml
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml

63
config/rbac/leader_election_role.yaml
View File

@@ -1,38 +1,37 @@
---
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch

7
config/rbac/leader_election_role_binding.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -8,6 +7,6 @@ roleRef:
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
- kind: ServiceAccount
name: controller-manager
namespace: system

1
config/rbac/service_account.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:

6
config/samples/awx_v1beta1_awx.yaml
View File

@@ -6,13 +6,13 @@ metadata:
spec:
web_resource_requirements:
requests:
cpu: 250m
cpu: 50m
memory: 128M
task_resource_requirements:
requests:
cpu: 250m
cpu: 50m
memory: 128M
ee_resource_requirements:
requests:
cpu: 200m
cpu: 50m
memory: 64M

6
config/samples/awx_v1beta1_awxbackup.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: awx.ansible.com/v1beta1
kind: AWXBackup
metadata:
name: example-awx-backup
spec:
deployment_name: example-awx

7
config/samples/awx_v1beta1_awxrestore.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: awx.ansible.com/v1beta1
kind: AWXRestore
metadata:
name: awxrestore-sample
spec:
deployment_name: example-awx-2
backup_name: example-awx-backup

7
config/samples/kustomization.yaml
View File

@@ -1,5 +1,6 @@
---
## Append samples you want in your CSV to this file as resources ##
resources:
- awx_v1beta1_awx.yaml
# +kubebuilder:scaffold:manifestskustomizesamples
- awx_v1beta1_awx.yaml
- awx_v1beta1_awxbackup.yaml
- awx_v1beta1_awxrestore.yaml
#+kubebuilder:scaffold:manifestskustomizesamples

5
config/scorecard/bases/config.yaml
View File

@@ -1,8 +1,7 @@
---
apiVersion: scorecard.operatorframework.io/v1alpha3
kind: Configuration
metadata:
name: config
stages:
- parallel: true
tests: []
- parallel: true
tests: []

29
config/scorecard/kustomization.yaml
View File

@@ -1,17 +1,16 @@
---
resources:
- bases/config.yaml
- bases/config.yaml
patchesJson6902:
- path: patches/basic.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
- path: patches/olm.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
# +kubebuilder:scaffold:patchesJson6902
- path: patches/basic.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
- path: patches/olm.config.yaml
target:
group: scorecard.operatorframework.io
version: v1alpha3
kind: Configuration
name: config
#+kubebuilder:scaffold:patchesJson6902

7
config/scorecard/patches/basic.config.yaml
View File

@@ -1,11 +1,10 @@
---
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: basic
test: basic-check-spec-test

31
config/scorecard/patches/olm.config.yaml
View File

@@ -1,11 +1,10 @@
---
- op: add
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: olm
test: olm-bundle-validation-test
@@ -13,9 +12,9 @@
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: olm
test: olm-crds-have-validation-test
@@ -23,9 +22,9 @@
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-crds-have-resources
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- olm-crds-have-resources
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: olm
test: olm-crds-have-resources-test
@@ -33,9 +32,9 @@
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: olm
test: olm-spec-descriptors-test
@@ -43,9 +42,9 @@
path: /stages/0/tests/-
value:
entrypoint:
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.12.0
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.22.2
labels:
suite: olm
test: olm-status-descriptors-test

10
config/testing/kustomization.yaml
View File

@@ -1,13 +1,17 @@
# Adds namespace to all resources.
namespace: osdk-test
namePrefix: osdk-
# Labels to add to all resources and selectors.
# commonLabels:
# someName: someValue
#commonLabels:
# someName: someValue
patchesStrategicMerge:
- manager_image.yaml
- debug_logs_patch.yaml
- ../default/manager_auth_proxy_patch.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
@@ -17,5 +21,3 @@ resources:
images:
- name: testing
newName: testing-operator
patches:
- path: pull_policy/Never.yaml

51
docs/debugging.md Normal file
View File

@@ -0,0 +1,51 @@
# Iterating on the installer without deploying the operator
Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
Install some dependencies:
```
$ ansible-galaxy collection install -r molecule/requirements.yml
$ pip install -r molecule/requirements.txt
```
To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
```
$ kubectl scale deployment awx-operator-controller-manager --replicas=0
```
Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
```yaml
# run.yml
---
- hosts: localhost
roles:
- installer
```
Create a vars file:
```yaml
# vars.yml
---
ansible_operator_meta:
name: awx
namespace: awx
service_type: nodeport
```
Run the installer:
```
$ ansible-playbook run.yml -e @vars.yml -v
```
Grab the URL and admin password:
```
$ minikube service awx-service --url -n awx
$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
```

2
molecule/default/destroy.yml
View File

@@ -19,6 +19,6 @@
state: absent
- name: Unset pull policy
command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
args:
chdir: '{{ config_dir }}/testing'

4
molecule/default/kustomize.yml
View File

@@ -1,7 +1,7 @@
---
- name: Build kustomize testing overlay
# load_restrictor must be set to none so we can load patch files from the default overlay
command: '{{ kustomize }} build --load_restrictor none .'
# load-restrictor must be set to none so we can load patch files from the default overlay
command: '{{ kustomize }} build --load-restrictor LoadRestrictionsNone .'
args:
chdir: '{{ config_dir }}/testing'
register: resources

10
molecule/default/tasks/awx_test.yml
View File

@@ -49,13 +49,13 @@
name: Demo Job Template
wait: yes
validate_certs: no
controller_host: localhost
controller_host: localhost/awx/
controller_username: admin
controller_password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
rescue:
- name: Get list of project updates and jobs
uri:
url: "http://localhost/api/v2/{{ item }}/"
url: "http://localhost/awx/api/v2/{{ resource }}/"
user: admin
password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
force_basic_auth: yes
@@ -63,15 +63,19 @@
loop:
- project_updates
- jobs
loop_control:
loop_var: resource
- name: Get all job and project details
uri:
url: "http://localhost{{ item }}"
url: "http://localhost{{ endpoint }}"
user: admin
password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
force_basic_auth: yes
loop: |
{{ job_lists.results | map(attribute='json') | map(attribute='results') | flatten | map(attribute='url') }}
loop_control:
loop_var: endpoint
- name: Re-emit failure
vars:

18
molecule/default/tasks/awxbackup_test.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# - name: Create the awx.ansible.com/v1beta1.AWXBackup
# k8s:
# state: present
# namespace: '{{ namespace }}'
# definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
# wait: yes
# wait_timeout: 300
# wait_condition:
# type: Successful
# status: "True"
# vars:
# cr_file: 'awx_v1beta1_awxbackup.yaml'
#
# - name: Add assertions here
# assert:
# that: false
# fail_msg: FIXME Add real assertions for your operator

18
molecule/default/tasks/awxrestore_test.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# - name: Create the awx.ansible.com/v1beta1.AWXRestore
# k8s:
# state: present
# namespace: '{{ namespace }}'
# definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
# wait: yes
# wait_timeout: 300
# wait_condition:
# type: Successful
# status: "True"
# vars:
# cr_file: 'awx_v1beta1_awxrestore.yaml'
#
# - name: Add assertions here
# assert:
# that: false
# fail_msg: FIXME Add real assertions for your operator

16
molecule/default/templates/awx_cr_molecule.yml.j2
View File

@@ -11,17 +11,21 @@ spec:
image_version: {{ awx_version }}
{% endif %}
ingress_type: ingress
ingress_path: /awx
ingress_annotations: |
kubernetes.io/ingress.class: nginx
web_resource_requirements:
requests:
cpu: 250m
memory: 128M
cpu: 50m
memory: 32M
task_resource_requirements:
requests:
cpu: 250m
memory: 128M
cpu: 50m
memory: 32M
ee_resource_requirements:
requests:
cpu: 200m
memory: 64M
cpu: 50m
memory: 16M
postgres_resource_requirements: {}
postgres_init_container_resource_requirements: {}
redis_resource_requirements: {}

2
molecule/kind/destroy.yml
View File

@@ -11,6 +11,6 @@
command: kind delete cluster --name osdk-test --kubeconfig {{ kubeconfig }}
- name: Unset pull policy
command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
args:
chdir: '{{ config_dir }}/testing'

2
molecule/requirements.txt
View File

@@ -2,6 +2,6 @@ molecule
molecule-docker
yamllint
ansible-lint
openshift
openshift!=0.13.0
jmespath
ansible-core

2
molecule/requirements.yml
View File

@@ -2,7 +2,7 @@
collections:
- name: community.general
- name: kubernetes.core
version: 1.2.1
version: 2.3.2
- name: operator_sdk.util
- name: community.docker
- name: awx.awx

0
projects/.gitkeep Executable file → Normal file
View File

2
requirements.yml
View File

@@ -1,6 +1,6 @@
---
collections:
- name: kubernetes.core
version: '==1.2.1'
version: '>=2.3.2'
- name: operator_sdk.util
version: "0.2.0"

13
roles/backup/README.md
View File

@@ -60,13 +60,7 @@ backup_storage_class: 'standard'
backup_storage_requirements: '20Gi'
```
By default, the backup pvc will be created in the same namespace the awxbackup object is created in. If you want your backup to be stored
in a specific namespace, you can do so by specifying `backup_pvc_namespace`. Keep in mind that you will
need to provide the same namespace when restoring.
```
backup_pvc_namespace: 'custom-namespace'
```
The backup pvc will be created in the same namespace the awxbackup object is created in.
If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
@@ -74,7 +68,12 @@ To check the name of this secret, look at the postgresConfigurationSecret status
The postgresql pod for the old deployment is used when backing up data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
It is also possible to tie the lifetime of the backup files to that of the AWXBackup resource object. To do that you can set the
`clean_backup_on_delete` value to true. This will delete the `backupDirectory` on the pvc associated with the AWXBackup object deleted.
```
clean_backup_on_delete: true
```
Testing
----------------

15
roles/backup/defaults/main.yml
View File

@@ -10,3 +10,18 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
# Size of backup PVC if created dynamically
backup_storage_requirements: ''
# Set no_log settings on certain tasks
no_log: 'true'
# Variable to set when you want backups to be cleaned up when the CRD object is deleted
clean_backup_on_delete: false
# Variable to signal that this role is being run as a finalizer
finalizer_run: false
# Allow additional parameters to be added to the pg_dump backup command
pg_dump_suffix: ''
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true

48
roles/backup/tasks/creation.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
labels:
app.kubernetes.io/name: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/part-of: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/managed-by: "{{ deployment_type }}-operator"
app.kubernetes.io/component: "{{ deployment_type }}"
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
when: set_self_labels | bool
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml

7
roles/backup/tasks/delete_backup.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Cleanup backup associated with this option if enabled
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c 'rm -rf {{ backup_dir }}'

6
roles/backup/tasks/dump_generated_secret.yml
View File

@@ -25,15 +25,15 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: true
no_log: "{{ no_log }}"
- name: Set secret data
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: true
no_log: "{{ no_log }}"

6
roles/backup/tasks/dump_secret.yml
View File

@@ -13,16 +13,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: true
no_log: "{{ no_log }}"
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: true
no_log: "{{ no_log }}"
when: _name != ''

20
roles/backup/tasks/finalizer.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: delete_backup.yml
- include_tasks: cleanup.yml
vars:
backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] | default() }}"
when:
- clean_backup_on_delete
- backup_dir | length > 0

5
roles/backup/tasks/init.yml
View File

@@ -1,5 +1,4 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ ansible_operator_meta.name }}-db-management"
@@ -57,8 +56,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: '{{ deployment_name }}-backup-claim'
namespace: '{{ backup_pvc_namespace }}'
name: "{{ deployment_name }}-backup-claim"
namespace: "{{ backup_pvc_namespace }}"
ownerReferences: null
when:
- backup_pvc == '' or backup_pvc is not defined

51
roles/backup/tasks/main.yml
View File

@@ -1,47 +1,8 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Run creation tasks
include_tasks: creation.yml
when: not finalizer_run
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml
- name: Run finalizer tasks
include_tasks: finalizer.yml
when: finalizer_run

16
roles/backup/tasks/postgres.yml
View File

@@ -6,7 +6,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
register: pg_config
no_log: true
no_log: "{{ no_log }}"
- name: Fail if postgres configuration secret status does not exist
fail:
@@ -21,12 +21,12 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Delete pod to reload a resource configuration
set_fact:
postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ supported_pg_version }}-{{ deployment_name }}"
when: postgres_label_selector is not defined
- name: Get the postgres pod information
@@ -39,6 +39,7 @@
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
@@ -79,7 +80,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # yamllint disable-line rule:line-length
no_log: true
no_log: "{{ no_log }}"
- name: Set pg_dump command
set_fact:
@@ -90,7 +91,8 @@
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
-F custom
no_log: true
{{ pg_dump_suffix }}
no_log: "{{ no_log }}"
- name: Write pg_dump to backup on PVC
k8s_exec:
@@ -99,9 +101,9 @@
command: |
bash -c """
set -e -o pipefail
PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} > {{ backup_dir }}/tower.db
echo 'Successful'
"""
register: data_migration
no_log: true
no_log: "{{ no_log }}"
failed_when: "'Successful' not in data_migration.stdout"

18
roles/backup/tasks/secrets.yml
View File

@@ -21,13 +21,25 @@
- ingress_tls_secret
- ldap_cacert_secret
- bundle_cacert_secret
- image_pull_secret
- ee_pull_credentials_secret
# image_pull_secret is deprecated in favor of image_pull_secrets
- name: Dump image_pull_secret into file
include_tasks: dump_secret.yml
with_items:
- image_pull_secret
when: image_pull_secret is defined
- name: Dump image_pull_secrets into file
include_tasks: dump_secret.yml
with_items:
- image_pull_secrets
when: image_pull_secrets | default([]) | length
- name: Nest secrets under a single variable
set_fact:
secrets: {"secrets": '{{ secret_dict }}'}
no_log: true
no_log: "{{ no_log }}"
- name: Write postgres configuration to pvc
k8s_exec:
@@ -35,4 +47,4 @@
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
no_log: true
no_log: "{{ no_log }}"

3
roles/backup/vars/main.yml
View File

@@ -1,6 +1,7 @@
---
deployment_type: "awx"
_postgres_image: postgres
_postgres_image_version: 12
_postgres_image_version: 13
backup_complete: false
database_type: "unmanaged"
supported_pg_version: 13

69
roles/installer/defaults/main.yml
View File

@@ -36,7 +36,7 @@ ingress_tls_secret: ''
loadbalancer_protocol: 'http'
loadbalancer_port: '80'
loadbalancer_annotations: ''
service_annotations: ''
nodeport_port: '30080'
# The TLS termination mechanism to use to access
@@ -83,6 +83,12 @@ topology_spread_constraints: ''
# effect: "NoSchedule"
tolerations: ''
# Add annotations to awx pods. Specify as literal block. E.g.:
# annotations: |
# my.annotation/1: value
# my.annotation/2: value2
annotations: ''
admin_user: admin
admin_email: test@example.com
@@ -121,13 +127,13 @@ extra_volumes: ''
_image: quay.io/ansible/awx
_image_version: "{{ lookup('env', 'DEFAULT_AWX_VERSION') or 'latest' }}"
_redis_image: docker.io/redis
_redis_image_version: latest
_redis_image_version: 7
_postgres_image: postgres
_postgres_image_version: 12
_postgres_image_version: 13
_init_container_image: quay.io/centos/centos
_init_container_image_version: 8
_init_container_image_version: stream8
image_pull_policy: IfNotPresent
image_pull_secret: ''
image_pull_secrets: []
# Extra commands which will be appended to the initContainer
# Make sure that each command entered return an exit code 0
@@ -158,24 +164,36 @@ replicas: "1"
task_args:
- /usr/bin/launch_awx_task.sh
task_command: []
web_args: []
web_args:
- /usr/bin/launch_awx.sh
web_command: []
task_resource_requirements:
requests:
cpu: 500m
memory: 1Gi
cpu: 100m
memory: 128Mi
web_resource_requirements:
requests:
cpu: 1000m
memory: 2Gi
cpu: 100m
memory: 128Mi
ee_resource_requirements:
requests:
cpu: 500m
memory: 1Gi
cpu: 100m
memory: 64Mi
# Customize CSRF options
csrf_cookie_secure: False
session_cookie_secure: False
# Assign a preexisting priority class to the control plane pods
control_plane_priority_class: ''
redis_resource_requirements:
requests:
cpu: 50m
memory: 64Mi
# Add extra environment variables to the AWX task/web containers. Specify as
# literal block. E.g.:
# task_extra_env: |
@@ -205,6 +223,9 @@ ee_extra_volume_mounts: ''
# kubernetes.io/os: linux
postgres_selector: ''
# Specify whether or not to keep the old PVC after PostgreSQL upgrades
postgres_keep_pvc_after_upgrade: True
# Add node tolerations for the Postgres pods.
# Specify as literal block. E.g.:
# postgres_tolerations: |
@@ -216,7 +237,16 @@ postgres_tolerations: ''
postgres_storage_requirements:
requests:
storage: 8Gi
postgres_resource_requirements: {}
postgres_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
postgres_init_container_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
# Assign a preexisting priority class to the postgres pod
postgres_priority_class: ''
postgres_data_path: '/var/lib/postgresql/data/pgdata'
# Persistence to the AWX project data folder
@@ -240,6 +270,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
#
ldap_cacert_secret: ''
# Secret to lookup that provides the LDAP bind password
ldap_password_secret: ''
# Secret to lookup that provides the custom CA trusted bundle
bundle_cacert_secret: ''
@@ -251,3 +284,13 @@ garbage_collect_secrets: false
development_mode: false
security_context_settings: {}
# Set no_log settings on certain tasks
no_log: 'true'
# Should AWX instances be automatically upgraded when operator gets upgraded
#
auto_upgrade: true
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true

27
roles/installer/filter_plugins/cpu_string_to_decimal.py Normal file
View File

@@ -0,0 +1,27 @@
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.errors import AnsibleFilterError
__ERROR_MSG = "Not a valid cpu value. Cannot process value"
class FilterModule(object):
def filters(self):
return {
'cpu_string_to_decimal': self.cpu_string_to_decimal
}
def cpu_string_to_decimal(self, cpu_string):
# verify if task_output is a dict
if not isinstance(cpu_string, str):
raise AnsibleFilterError(__ERROR_MSG)
if cpu_string[-1] == 'm':
cpu = int(cpu_string[:-1])//1000
else:
cpu = int(cpu_string)
return cpu

16
roles/installer/tasks/admin_password_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ admin_password_secret }}'
register: _custom_admin_password
no_log: true
no_log: "{{ no_log }}"
when: admin_password_secret | length
- name: Check for default admin password configuration
@@ -14,19 +14,19 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _default_admin_password
no_log: true
no_log: "{{ no_log }}"
- name: Set admin password secret
set_fact:
_admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Create admin password secret
k8s:
apply: true
definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
no_log: true
definition: "{{ lookup('template', 'secrets/admin_password_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Read admin password secret
k8s_info:
@@ -34,16 +34,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _generated_admin_password
no_log: true
no_log: "{{ no_log }}"
when: not _admin_password_secret['resources'] | default([]) | length
- name: Set admin password secret
set_fact:
__admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Store admin password
set_fact:
admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
no_log: true
no_log: "{{ no_log }}"

16
roles/installer/tasks/broadcast_websocket_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ broadcast_websocket_secret }}'
register: _custom_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
when: broadcast_websocket_secret | length
- name: Check for default broadcast websocket secret configuration
@@ -14,20 +14,20 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _default_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
- name: Set broadcast websocket secret
set_fact:
# yamllint disable-line rule:line-length
_broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Create broadcast websocket secret
k8s:
apply: true
definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
no_log: true
definition: "{{ lookup('template', 'secrets/broadcast_websocket_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Read broadcast websocket secret
k8s_info:
@@ -35,7 +35,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _generated_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
when: not _broadcast_websocket_secret['resources'] | default([]) | length
@@ -43,9 +43,9 @@
set_fact:
# yamllint disable-line rule:line-length
__broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
no_log: true
no_log: "{{ no_log }}"
- name: Store broadcast websocket secret name
set_fact:
broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
no_log: true
no_log: "{{ no_log }}"

2
roles/installer/tasks/cleanup.yml
View File

@@ -23,6 +23,6 @@
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
no_log: true
no_log: "{{ no_log }}"
when: not garbage_collect_secrets | bool

113
roles/installer/tasks/database_configuration.yml
View File

@@ -6,7 +6,7 @@
name: '{{ postgres_configuration_secret }}'
register: _custom_pg_config_resources
when: postgres_configuration_secret | length
no_log: true
no_log: "{{ no_log }}"
- name: Check for default PostgreSQL configuration
k8s_info:
@@ -14,7 +14,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _default_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
- name: Check for specified old PostgreSQL configuration secret
k8s_info:
@@ -23,7 +23,7 @@
name: '{{ old_postgres_configuration_secret }}'
register: _custom_old_pg_config_resources
when: old_postgres_configuration_secret | length
no_log: true
no_log: "{{ no_log }}"
- name: Check for default old PostgreSQL configuration
k8s_info:
@@ -31,7 +31,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-old-postgres-configuration'
register: _default_old_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
- name: Set old PostgreSQL configuration
set_fact:
@@ -45,7 +45,7 @@
when:
- old_pg_config['resources'] is defined
- old_pg_config['resources'] | length
no_log: true
no_log: "{{ no_log }}"
- name: Set default postgres image
set_fact:
@@ -54,7 +54,7 @@
- name: Set PostgreSQL configuration
set_fact:
_pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Set user provided postgres image
set_fact:
@@ -71,8 +71,8 @@
- name: Create Database configuration
k8s:
apply: true
definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
no_log: true
definition: "{{ lookup('template', 'secrets/postgres_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Read Database Configuration
k8s_info:
@@ -80,23 +80,79 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _generated_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
when: not _pg_config['resources'] | default([]) | length
- name: Set PostgreSQL Configuration
set_fact:
pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Set actual postgres configuration secret used
set_fact:
__postgres_configuration_secret: "{{ pg_config['resources'][0]['metadata']['name'] }}"
- name: Store Database Configuration
set_fact:
awx_postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
awx_postgres_pass: "{{ pg_config['resources'][0]['data']['password'] | b64decode }}"
awx_postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}"
no_log: "{{ no_log }}"
- name: Set database as managed
set_fact:
managed_database: "{{ pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed' }}"
- name: Get the old postgres pod information
k8s_info:
kind: Pod
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}-postgres-0"
field_selectors:
- status.phase=Running
register: old_postgres_pod
- name: Look up details for this deployment
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_awx
- name: Check if postgres pod is running and version 12
block:
- name: Set path to PG_VERSION file for given container image
set_fact:
path_to_pg_version: '{{ postgres_data_path }}/PG_VERSION'
- name: Get old PostgreSQL version
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ ansible_operator_meta.name }}-postgres-0"
command: |
bash -c """
cat {{ path_to_pg_version }}
"""
register: _old_pg_version
- name: Upgrade data dir from Postgres 12 to 13 if applicable
include_tasks: upgrade_postgres.yml
when:
- _old_pg_version.stdout | default('0') | trim == '12'
when:
- managed_database
- this_awx['resources'][0]['status']['upgradedPostgresVersion'] | default('none') != '12'
- old_postgres_pod['resources'] | length # upgrade is complete and old pg pod has been removed
- block:
- name: Create Database if no database is specified
k8s:
apply: true
definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
definition: "{{ lookup('template', 'statefulsets/postgres.yaml.j2') }}"
register: create_statefulset_result
- name: Scale down Deployment for migration
@@ -111,7 +167,7 @@
kubernetes.core.k8s_scale:
api_version: apps/v1
kind: StatefulSet
name: "{{ ansible_operator_meta.name }}-postgres"
name: "{{ ansible_operator_meta.name }}-postgres-13"
namespace: "{{ ansible_operator_meta.namespace }}"
replicas: 0
wait: yes
@@ -121,7 +177,7 @@
state: absent
api_version: apps/v1
kind: StatefulSet
name: "{{ ansible_operator_meta.name }}-postgres"
name: "{{ ansible_operator_meta.name }}-postgres-13"
namespace: "{{ ansible_operator_meta.namespace }}"
wait: yes
when: create_statefulset_result.error == 422
@@ -129,33 +185,40 @@
- name: Recreate PostgreSQL statefulset with updated values
k8s:
apply: true
definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
definition: "{{ lookup('template', 'statefulsets/postgres.yaml.j2') }}"
when: managed_database
- name: Store Database Configuration
- name: Set Default label selector for custom resource generated postgres
set_fact:
awx_postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
awx_postgres_pass: "{{ pg_config['resources'][0]['data']['password'] | b64decode }}"
awx_postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}"
no_log: true
postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ supported_pg_version }}-{{ ansible_operator_meta.name }}"
when: postgres_label_selector is not defined
- name: Get the postgres pod information
k8s_info:
kind: Pod
namespace: "{{ ansible_operator_meta.namespace }}"
label_selectors:
- "{{ postgres_label_selector }}"
field_selectors:
- status.phase=Running
register: postgres_pod
- name: Wait for Database to initialize if managed DB
k8s_info:
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-0' # using name to keep compatibility
label_selectors:
- "{{ postgres_label_selector }}"
field_selectors:
- status.phase=Running
register: postgres_pod
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
when: managed_database
- name: Look up details for this deployment
k8s_info:

43
roles/installer/tasks/initialize_django.yml
View File

@@ -13,18 +13,6 @@
register: users_result
changed_when: users_result.return_code > 0
- name: Update super user password via Django if it does exist (same password is a noop)
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
register: update_pw_result
changed_when: users_result.stdout == 'Password not updated'
no_log: true
when: users_result.return_code == 0
- name: Create super user via Django if it doesn't exist.
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
@@ -34,20 +22,9 @@
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
no_log: true
no_log: "{{ no_log }}"
when: users_result.return_code > 0
- name: Create preload data if necessary. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage create_preload_data"
register: cdo
changed_when: "'added' in cdo.stdout"
when: create_preload_data | bool
- name: Check if legacy queue is present
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
@@ -57,6 +34,7 @@
bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'"
register: legacy_queue
changed_when: false
ignore_errors: true
- name: Unregister legacy queue
k8s_exec:
@@ -80,7 +58,7 @@
_execution_environments_pull_credentials: >-
{{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
| ternary(_custom_execution_environments_pull_credentials, []) }}
no_log: true
no_log: "{{ no_log }}"
- name: Register default execution environments (without authentication)
k8s_exec:
@@ -101,7 +79,7 @@
default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
default_execution_environment_pull_credentials_url_verify: >-
{{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
no_log: true
no_log: "{{ no_log }}"
- name: Register default execution environments (with authentication)
k8s_exec:
@@ -116,5 +94,16 @@
--verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
register: ree
changed_when: "'changed: True' in ree.stdout"
no_log: true
no_log: "{{ no_log }}"
when: _execution_environments_pull_credentials['resources'] | default([]) | length
- name: Create preload data if necessary. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage create_preload_data"
register: cdo
changed_when: "'added' in cdo.stdout"
when: create_preload_data | bool

Some files were not shown because too many files have changed in this diff Show More