Merge pull request #797 from kdelee/sky-is-the-limit

only set mem/cpu setting if limit is set

.github/issue_labeler.yml

@@ -0,0 +1,3 @@
+---
+needs_triage:
+  - '.*'

.github/workflows/triage_new.yml

@@ -0,0 +1,22 @@
+---
+name: Triage
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label issues
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'

Makefile

@@ -89,10 +89,11 @@ deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/c
 	@$(KUSTOMIZE) build config/default | kubectl apply -f -
 
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
+	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed 's/x86_64/amd64/')
+ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize

README.md

@@ -11,7 +11,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
 * [Table of Contents](#table-of-contents)
    * [Purpose](#purpose)
    * [Usage](#usage)
-      * [Basic Install](#basic-install)
+      * [Basic Install on minikube (beginner or testing)](#basic-install-on-minikube-beginner-or-testing)
+      * [Basic Install on existing cluster](#basic-install-on-existing-cluster)
       * [Admin user account configuration](#admin-user-account-configuration)
       * [Network and TLS Configuration](#network-and-tls-configuration)
          * [Service Type](#service-type)
@@ -22,21 +23,22 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Managed PostgreSQL Service](#managed-postgresql-service)
       * [Advanced Configuration](#advanced-configuration)
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
+         * [Redis container capabilities](#redis-container-capabilities)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
+         * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
          * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
+         * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
          * [Extra Settings](#extra-settings)
          * [Service Account](#service-account)
       * [Uninstall](#uninstall)
-   * [Upgrading](#upgrading)
+      * [Upgrading](#upgrading)
+         * [v0.14.0](#v0140)
    * [Contributing](#contributing)
    * [Release Process](#release-process)
-      * [Verifiy Functionality](#verify-functionality)
-      * [Update Version](#update-version)
-      * [Commit / Create Release](#commit--create-release)
    * [Author](#author)
 <!--te-->
 
@@ -46,7 +48,7 @@ This operator is meant to provide a more Kubernetes-native installation method f
 
 ## Usage
 
-### Basic Install
+### Basic Install on minikube (beginner or testing)
 
 This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
 
@@ -197,6 +199,21 @@ For an example using the Nginx Controller in Minukube, don't miss our [demo vide
 
 [![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
 
+### Basic Install on existing cluster
+
+For those running a whole K8S Cluster the steps to set up the awx-operator are:
+
+```
+$ Prepare required files
+git clone https://github.com/ansible/awx-operator.git
+cd awx-operator
+git checkout {{ latest_released_version }} # replace variable by latest version number in releases
+
+$ Deploy new AWX Operator
+export NAMESPACE=<Name of the namespace where your AWX instanse exists>
+make deploy
+```
+
 ### Admin user account configuration
 
 There are three variables that are customizable for the admin user account creation.
@@ -241,12 +258,15 @@ The following variables are customizable for any `service_type`
 | Name                                  | Description                                   | Default                           |
 | ------------------------------------- | --------------------------------------------- | --------------------------------- |
 | service_labels                  | Add custom labels                             | Empty string                      |
+| service_annotations             | Add service annotations                 | Empty string  |
 
 ```yaml
 ---
 spec:
   ...
   service_type: ClusterIP
+  service_annotations: |
+    environment: testing
   service_labels: |
     environment: testing
 ```
@@ -257,7 +277,6 @@ The following variables are customizable only when `service_type=LoadBalancer`
 
 | Name                           | Description                              | Default       |
 | ------------------------------ | ---------------------------------------- | ------------- |
-| loadbalancer_annotations | LoadBalancer annotations                 | Empty string  |
 | loadbalancer_protocol    | Protocol to use for Loadbalancer ingress | http          |
 | loadbalancer_port        | Port used for Loadbalancer ingress       | 80            |
 
@@ -268,7 +287,7 @@ spec:
   service_type: LoadBalancer
   loadbalancer_protocol: https
   loadbalancer_port: 443
-  loadbalancer_annotations: |
+  service_annotations: |
     environment: testing
   service_labels: |
     environment: testing
@@ -859,6 +878,21 @@ delete your existing `awx-operator` service account, role and role binding.
 
 Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x. You may need to manually delete your old operator Deployment to avoid issues.
 
+##### Steps to upgrade
+
+Delete your old AWX Operator and existing `awx-operator` service account, role and role binding in `default` namespace first:
+
+```
+$ kubectl -n default delete deployment awx-operator
+$ kubectl -n default delete serviceaccount awx-operator
+$ kubectl -n default delete clusterrolebinding awx-operator
+$ kubectl -n default delete clusterrole awx-operator
+```
+
+Then install the new AWX Operator by following the instructions in [Basic Install](#basic-install-on-existing-cluster). The `NAMESPACE` environment variable have to be the name of the namespace in which your old AWX instance resides.
+
+Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
+
 ## Contributing
 
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -67,6 +67,9 @@ spec:
                 extra_volumes:
                   description: Specify extra volumes to add to the application pod
                   type: string
+                service_annotations:
+                  description: Annotations to add to the service
+                  type: string
                 service_type:
                   description: The service type to be used on the deployed instance
                   type: string
@@ -98,9 +101,6 @@ spec:
                 ingress_tls_secret:
                   description: Secret where the Ingress TLS secret can be found
                   type: string
-                loadbalancer_annotations:
-                  description: Annotations to add to the loadbalancer
-                  type: string
                 loadbalancer_protocol:
                   description: Protocol to use for the loadbalancer
                   type: string

config/manifests/bases/olm-parameters.yaml

@@ -199,7 +199,7 @@
         - urn:alm:descriptor:io.kubernetes:Secret
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
     - displayName: Tower LoadBalancer Annotations
-      path: loadbalancer_annotations
+      path: service_annotations
       x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:text
@@ -375,6 +375,11 @@
       x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+    - displayName: Postgres Extra Arguments
+      path: postgres_extra_args
+      x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
     - displayName: Certificate Authorirty Trust Bundle
       path: ca_trust_bundle
       x-descriptors:

molecule/default/tasks/awx_test.yml

@@ -55,7 +55,7 @@
   rescue:
     - name: Get list of project updates and jobs
       uri:
-        url: "http://localhost/api/v2/{{ item }}/"
+        url: "http://localhost/api/v2/{{ resource }}/"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
@@ -63,15 +63,19 @@
       loop:
         - project_updates
         - jobs
+      loop_control:
+        loop_var: resource
 
     - name: Get all job and project details
       uri:
-        url: "http://localhost{{ item }}"
+        url: "http://localhost{{ endpoint }}"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
       loop: |
         {{ job_lists.results | map(attribute='json') | map(attribute='results') | flatten | map(attribute='url') }}
+      loop_control:
+        loop_var: endpoint
 
     - name: Re-emit failure
       vars:

molecule/requirements.txt

@@ -2,6 +2,6 @@ molecule
 molecule-docker
 yamllint
 ansible-lint
-openshift
+openshift!=0.13.0
 jmespath
 ansible-core

roles/installer/defaults/main.yml

@@ -36,7 +36,7 @@ ingress_tls_secret: ''
 
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
-loadbalancer_annotations: ''
+service_annotations: ''
 
 nodeport_port: '30080'
 # The TLS termination mechanism to use to access

roles/installer/tasks/database_configuration.yml

@@ -157,6 +157,10 @@
   retries: 60
   when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
 
+- name: Set database as managed
+  set_fact:
+    managed_database: "{{ pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed' }}"
+
 - name: Look up details for this deployment
   k8s_info:
     api_version: "{{ api_version }}"

roles/installer/tasks/resources_configuration.yml

@@ -60,7 +60,7 @@
 
 - name: Set Init image URL
   set_fact:
-    _init_container_image: |
+    _init_container_image: >-
       {{ _custom_init_container_image |
          default(lookup('env', 'RELATED_IMAGE_AWX_INIT_CONTAINER')) |
          default(_default_init_container_image, true) }}

roles/installer/templates/config.yaml.j2

@@ -18,6 +18,7 @@ data:
   settings: |
     import os
     import socket
+    from django_auth_ldap.config import LDAPSearch
     
     def get_secret():
         if os.path.exists("/etc/tower/SECRET_KEY"):
@@ -25,11 +26,22 @@ data:
     
     ADMINS = ()
     STATIC_ROOT = '/var/lib/awx/public/static'
+    STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
     PROJECTS_ROOT = '/var/lib/awx/projects'
     JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
 
     IS_K8S = True
 
+    # Set memory available based off of resource request/limit for the task pod
+    memory_limit = '{{ task_resource_requirements["limits"]["memory"] if "limits" in task_resource_requirements and "memory" in task_resource_requirements["limits"] }}'
+    if memory_limit:
+        SYSTEM_TASK_ABS_MEM = memory_limit
+
+    # Set cpu available based off of resource request/limit for the task pod
+    cpu_limit = '{{ task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] }}'
+    if cpu_limit:
+        SYSTEM_TASK_ABS_CPU = cpu_limit
+
     SECRET_KEY = get_secret()
     
     ALLOWED_HOSTS = ['*']
@@ -172,15 +184,15 @@ data:
                 deny all;
             }
     
-            location /static/ {
+            location {{ (ingress_path + '/static').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/;
             }
     
-            location /favicon.ico {
+            location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/media/favicon.ico;
             }
     
-            location /websocket {
+            location {{ (ingress_path + '/websocket').replace('//', '/') }} {
                 # Pass request to the upstream alias
                 proxy_pass http://daphne;
                 # Require http version 1.1 to allow for upgrade requests
@@ -202,7 +214,7 @@ data:
                 proxy_set_header Connection $connection_upgrade;
             }
     
-            location / {
+            location {{ ingress_path }} {
                 # Add trailing / if missing
                 rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
                 uwsgi_read_timeout 120s;

roles/installer/templates/deployment.yaml.j2

@@ -33,8 +33,22 @@ spec:
       imagePullSecrets:
         - name: {{ image_pull_secret }}
 {% endif %}
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
       initContainers:
+{% if managed_database %}
+        - name: database-check
+          image: '{{ _init_container_image }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              [[ -d /check-db/pgsql/data ]] && rm -rf /check-db/data && mv /check-db/pgsql/data/ /check-db/data/ && rm -rf /check-db/pgsql || true
+          volumeMounts:
+            - name: check-db-pvc
+              mountPath: /check-db
+              subPath: ''
+{% endif %}
+{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
@@ -169,6 +183,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: UWSGI_MOUNT_PATH
+              value: "{{ ingress_path }}"
 {% if development_mode | bool %}
             - name: AWX_KUBE_DEVEL
               value: "1"
@@ -324,6 +340,11 @@ spec:
 {% endif %}
 {% endif %}
       volumes:
+{% if managed_database %}
+        - name: check-db-pvc
+          persistentVolumeClaim:
+            claimName: postgres-{{ ansible_operator_meta.name }}-postgres-0
+{% endif %}
 {% if bundle_ca_crt %}
         - name: "ca-trust-extracted"
           emptyDir: {}

roles/installer/templates/service.yaml.j2

@@ -11,9 +11,9 @@ metadata:
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
     {{ service_labels | indent(width=4) }}
-{% if service_type | lower == 'loadbalancer' and loadbalancer_annotations %}
+{% if service_annotations %}
   annotations:
-    {{ loadbalancer_annotations | indent(width=4) }}
+    {{ service_annotations | indent(width=4) }}
 {% endif %}
 spec:
   ports: