Use awx web launch script to pick up the correct supervisor config (#935 )

- reduce resource requests so that CI passes in resource constrained environments
Updated the Readme (#906 )
2026-03-27 05:43:11 +00:00 · 2022-06-01 19:11:25 -04:00 · 2022-05-09 17:24:43 -04:00 · 2022-05-04 16:45:18 -04:00 · 2022-05-03 08:53:45 -04:00 · 2022-05-02 14:38:24 -04:00
29 changed files with 769 additions and 159 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,9 +10,9 @@ on:
    branches: [devel]

 jobs:
-  pull_request:
+  molecule:
    runs-on: ubuntu-18.04
-    name: pull_request
+    name: molecule
    env:
      DOCKER_API_VERSION: "1.38"
    steps:
@@ -39,3 +39,28 @@ jobs:
          sudo rm -f $(which kustomize)
          make kustomize
          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+  helm:
+    runs-on: ubuntu-18.04
+    name: helm
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.2.0
+
+      - name: Build operator image and load into kind
+        run: |
+          IMG=awx-operator-ci make docker-build
+          kind load docker-image --name chart-testing awx-operator-ci
+
+      - name: Patch pull policy for tests
+        run: |
+          kustomize edit add patch --path ../testing/pull_policy/Never.yaml
+        working-directory: config/default
+
+      - name: Build and install helm chart
+        run: |
+          IMG=awx-operator-ci make helm-chart
+          helm install --wait my-awx-operator ./charts/awx-operator
--- a/.github/workflows/promote.yaml
+++ b/.github/workflows/promote.yaml
@@ -8,6 +8,8 @@ jobs:
  promote:
    runs-on: ubuntu-latest
    steps:
+      - uses: actions/checkout@v2
+
      - name: Log in to GHCR
        run: |
          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +25,16 @@ jobs:
          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
          docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
          docker push quay.io/${{ github.repository }}:latest
+
+      - name: Configure git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ github.event.release.tag_name }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
 /bundle
 /bundle_tmp*
 /bundle.Dockerfile
+/charts
+/.cr-release-packages
--- a/.helm/starter/.helmignore
+++ b/.helm/starter/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/.helm/starter/Chart.yaml
+++ b/.helm/starter/Chart.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Kubernetes
+name: starter
+type: application
+version: 0.1.0
--- a/.helm/starter/values.yaml
+++ b/.helm/starter/values.yaml
--- a/146
+++ b/146
@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)

 CONTAINER_CMD ?= docker

+# GNU vs BSD in-place sed
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_I := sed -i
+else
+	SED_I := sed -i ''
+endif
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -41,6 +48,14 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx

+# Helm variables
+CHART_NAME ?= awx-operator
+CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
+CHART_OWNER ?= $(GH_REPO_OWNER)
+CHART_REPO ?= awx-operator
+CHART_BRANCH ?= gh-pages
+CHART_INDEX ?= index.yaml
+
 all: docker-build

 ##@ General
@@ -93,7 +108,8 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 	$(KUSTOMIZE) build config/default | kubectl delete -f -

 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')

 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +119,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -119,7 +135,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -150,7 +166,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -181,3 +197,125 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+.PHONY: kubectl-slice
+KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
+kubectl-slice: ## Download kubectl-slice locally if necessary.
+ifeq (,$(wildcard $(KUBECTL_SLICE)))
+ifeq (,$(shell which kubectl-slice 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(KUBECTL_SLICE)) ;\
+	curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
+	tar xzf - -C bin/ kubectl-slice ;\
+	}
+else
+KUBECTL_SLICE = $(shell which kubectl-slice)
+endif
+endif
+
+.PHONY: helm
+HELM = $(shell pwd)/bin/helm
+helm: ## Download helm locally if necessary.
+ifeq (,$(wildcard $(HELM)))
+ifeq (,$(shell which helm 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
+	mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
+	rmdir bin/$(OS)-$(ARCHA) ;\
+	}
+else
+HELM = $(shell which helm)
+endif
+endif
+
+.PHONY: yq
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+ifeq (,$(wildcard $(YQ)))
+ifeq (,$(shell which yq 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ ;\
+	mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
+	}
+else
+YQ = $(shell which yq)
+endif
+endif
+
+PHONY: cr
+CR = $(shell pwd)/bin/cr
+cr: ## Download cr locally if necessary.
+ifeq (,$(wildcard $(CR)))
+ifeq (,$(shell which cr 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(CR)) ;\
+	curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ cr ;\
+	}
+else
+CR = $(shell which cr)
+endif
+endif
+
+charts:
+	mkdir -p $@
+
+.PHONY: helm-chart
+helm-chart: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE (image and namespace) =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+
+	@echo "== HELM =="
+	cd charts && \
+		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
+		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
+
+	@cat charts/$(CHART_NAME)/Chart.yaml
+
+	@echo "== KUSTOMIZE (annotation) =="
+	cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+
+	@echo "== SLICE =="
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
+		$(KUBECTL_SLICE) --input-file=- \
+			--output-dir=charts/$(CHART_NAME)/templates \
+			--sort-by-kind
+	@echo "Helm Chart $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+
+.PHONY: helm-package
+helm-package: cr helm-chart
+	@echo "== CHART RELEASER (package) =="
+	$(CR) package ./charts/awx-operator
+
+# The actual release happens in ansible/helm-release.yml
+# until https://github.com/helm/chart-releaser/issues/122 happens
+.PHONY: helm-index
+helm-index: cr helm-chart
+	@echo "== CHART RELEASER (httpsorigin) =="
+	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
+	git fetch httpsorigin
+
+	@echo "== CHART RELEASER (index) =="
+	$(CR) index \
+		--owner "$(CHART_OWNER)" \
+		--git-repo "$(CHART_REPO)" \
+		--token "$(CR_TOKEN)" \
+		--pages-branch "$(CHART_BRANCH)" \
+		--index-path "./charts/$(CHART_INDEX)" \
+		--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
+		--remote httpsorigin \
+		--release-name-template="{{ .Version }}" \
+		--push
--- a/README.md
+++ b/README.md
@@ -5,14 +5,16 @@
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.

 # Table of Contents
-
+<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
+<!-- gh-md-toc --insert README.md -->
 <!--ts-->
 * [AWX Operator](#awx-operator)
 * [Table of Contents](#table-of-contents)
   * [Purpose](#purpose)
   * [Usage](#usage)
-      * [Basic Install on minikube (beginner or testing)](#basic-install-on-minikube-beginner-or-testing)
-      * [Basic Install on existing cluster](#basic-install-on-existing-cluster)
+      * [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
+      * [Basic Install](#basic-install)
+      * [Helm Install on existing cluster](#helm-install-on-existing-cluster)
      * [Admin user account configuration](#admin-user-account-configuration)
      * [Network and TLS Configuration](#network-and-tls-configuration)
         * [Service Type](#service-type)
@@ -26,20 +28,31 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
         * [Redis container capabilities](#redis-container-capabilities)
         * [Privileged Tasks](#privileged-tasks)
         * [Containers Resource Requirements](#containers-resource-requirements)
+         * [Priority Classes](#priority-classes)
         * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+         * [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
         * [Persisting Projects Directory](#persisting-projects-directory)
         * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
         * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
+            * [Control plane ee from private registry](#control-plane-ee-from-private-registry)
         * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
+         * [Session Cookie Secure Setting](#session-cookie-secure-setting)
         * [Extra Settings](#extra-settings)
         * [Service Account](#service-account)
      * [Uninstall](#uninstall)
      * [Upgrading](#upgrading)
         * [v0.14.0](#v0140)
+            * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
+            * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
+            * [Steps to upgrade](#steps-to-upgrade)
   * [Contributing](#contributing)
   * [Release Process](#release-process)
   * [Author](#author)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
+
 <!--te-->

 ## Purpose
@@ -48,11 +61,11 @@ This operator is meant to provide a more Kubernetes-native installation method f

 ## Usage

-### Basic Install on minikube (beginner or testing)
-
 This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.

-For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
+### Creating a minikube cluster for testing
+
+If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.

 ```
 $ minikube start --cpus=4 --memory=6g --addons=ingress
@@ -101,46 +114,66 @@ Let's create an alias for easier usage:
 $ alias kubectl="minikube kubectl --"
 ```

-Now you need to deploy AWX Operator into your cluster. Clone this repo and `git checkout` the latest version from https://github.com/ansible/awx-operator/releases, and then run the following command:
+### Basic Install
+
+Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/
+
+First, create a file called `kustomization.yaml` with the following content:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+
+# Set the image tags to match the git version from above
+images:
+  - name: quay.io/ansible/awx-operator
+    newTag: <tag>
+
+# Specify a custom namespace in which to install AWX
+namespace: awx
+```
+
+> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
+
+Install the manifests by running this:

 ```
-$ export NAMESPACE=my-namespace
-$ make deploy
-  /home/user/awx-operator/bin/kustomize build config/default | kubectl apply -f -
-  namespace/my-namespace created
-  customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
-  customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
-  customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
-  serviceaccount/awx-operator-controller-manager created
-  role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
-  role.rbac.authorization.k8s.io/awx-operator-manager-role created
-  clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
-  clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
-  rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
-  rolebinding.rbac.authorization.k8s.io/awx-operator-manager-rolebinding created
-  clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
-  configmap/awx-operator-manager-config created
-  service/awx-operator-controller-manager-metrics-service created
-  deployment.apps/awx-operator-controller-manager created
+$ kustomize build . | kubectl apply -f -
+namespace/awx created
+customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
+customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
+customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
+serviceaccount/awx-operator-controller-manager created
+role.rbac.authorization.k8s.io/awx-operator-awx-manager-role created
+role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
+clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
+clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
+rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding created
+rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
+clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
+configmap/awx-operator-awx-manager-config created
+service/awx-operator-controller-manager-metrics-service created
+deployment.apps/awx-operator-controller-manager created
 ```

 Wait a bit and you should have the `awx-operator` running:

 ```
-$ kubectl get pods -n $NAMESPACE
+$ kubectl get pods -n awx
 NAME                                               READY   STATUS    RESTARTS   AGE
 awx-operator-controller-manager-66ccd8f997-rhd4z   2/2     Running   0          11s
 ```

-So we don't have to keep repeating `-n $NAMESPACE`, let's set the current namespace for `kubectl`:
+So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:

 ```
-$ kubectl config set-context --current --namespace=$NAMESPACE
+$ kubectl config set-context --current --namespace=awx
 ```

-It is important to know that when you do not set the default namespace to $NAMESPACE that the `awx-operator-controller-manager` might get confused.
-
-Next, create a file named `awx-demo.yml` with the suggested content below. The `metadata.name` you provide, will be the name of the resulting AWX deployment.
+Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.

 **Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.

@@ -154,17 +187,21 @@ spec:
  service_type: nodeport
 ```

-Finally, use `kubectl` to create the awx instance in your cluster:
+Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
+
+```yaml
+...
+resources:
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+  # Add this extra line:
+  - awx-demo.yaml
+...
+```
+
+Finally, run `kustomize` again to create the AWX instance in your cluster:

 ```
-$ kubectl apply -f awx-demo.yml
-awx.awx.ansible.com/awx-demo created
-```
-Or, when you haven't set a default namespace
-
-```
-$ kubectl apply -f awx-demo.yml --namespace=$NAMESPACE
-awx.awx.ansible.com/awx-demo created
+kustomize build . | kubectl apply -f -
 ```

 After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
@@ -204,21 +241,33 @@ You just completed the most basic install of an AWX instance via this operator.

 For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).

-[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)

-### Basic Install on existing cluster
+### Helm Install on existing cluster

-For those running a whole K8S Cluster the steps to set up the awx-operator are:
+For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:

-```
-$ Prepare required files
-git clone https://github.com/ansible/awx-operator.git
-cd awx-operator
-git checkout {{ latest_released_version }} # replace variable by latest version number in releases
+```bash
+$ helm repo add awx-operator https://ansible.github.io/awx-operator/
+"awx-operator" has been added to your repositories

-$ Deploy new AWX Operator
-export NAMESPACE=<Name of the namespace where your AWX instanse exists>
-make deploy
+$ helm repo update
+Hang tight while we grab the latest from your chart repositories...
+...Successfully got an update from the "awx-operator" chart repository
+Update Complete. ⎈Happy Helming!⎈
+
+$ helm search repo awx-operator
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+awx-operator/awx-operator       0.17.1          0.17.1          A Helm chart for the AWX Operator
+
+$ helm install my-awx-operator awx-operator/awx-operator
+NAME: my-awx-operator
+LAST DEPLOYED: Thu Feb 17 22:09:05 2022
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+Helm Chart 0.17.1
 ```

 ### Admin user account configuration
@@ -380,7 +429,7 @@ spec:

 #### External PostgreSQL Service

-In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
+To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.


 The secret should be formatted as follows:
@@ -409,6 +458,15 @@ type: Opaque

 **Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.

+Once the secret is created, you can specify it on your spec:
+
+```yaml
+---
+spec:
+  ...
+  postgres_configuration_secret: <name-of-your-secret>
+```
+
 #### Migrating data from an old AWX instance

 For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -419,14 +477,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can

 The following variables are customizable for the managed PostgreSQL service

-| Name                                          | Description                                   | Default                           |
-| --------------------------------------------- | --------------------------------------------- | --------------------------------- |
-| postgres_image                                | Path of the image to pull                     | postgres:12                       |
-| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {}                      |
-| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {}                      |
-| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}          |
-| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                      |
-| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata` |
+| Name                                          | Description                                   | Default                            |
+| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
+| postgres_image                                | Path of the image to pull                     | postgres:12                        |
+| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}           |
+| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                       |
+| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata`  |
+| postgres_priority_class                       | Priority class used for PostgreSQL pod        | Empty string                       |

 Example of customization could be:

@@ -460,15 +519,15 @@ spec:

 There are a few variables that are customizable for awx the image management.

-| Name                | Description               |
-| ------------------- | ------------------------- |
-| image               | Path of the image to pull |
-| image_version       | Image version to pull     |
-| image_pull_policy   | The pull policy to adopt  |
-| image_pull_secret   | The pull secret to use    |
-| ee_images           | A list of EEs to register |
-| redis_image         | Path of the image to pull |
-| redis_image_version | Image version to pull     |
+| Name                | Description               | Default                                 |
+| ------------------- | ------------------------- | --------------------------------------  |
+| image               | Path of the image to pull | quay.io/ansible/awx                     |
+| image_version       | Image version to pull     | value of DEFAULT_AWX_VERSION or latest  |
+| image_pull_policy   | The pull policy to adopt  | IfNotPresent                            |
+| image_pull_secrets  | The pull secrets to use   | None                                    |
+| ee_images           | A list of EEs to register | quay.io/ansible/awx-ee:latest           |
+| redis_image         | Path of the image to pull | docker.io/redis                         |
+| redis_image_version | Image version to pull     | latest                                  |

 Example of customization could be:

@@ -479,7 +538,8 @@ spec:
  image: myorg/my-custom-awx
  image_version: latest
  image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
  ee_images:
    - name: my-custom-awx-ee
      image: myorg/my-custom-awx-ee
@@ -525,11 +585,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to

 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).

-| Name                       | Description                                      | Default                             |
-| -------------------------- | ------------------------------------------------ | ----------------------------------- |
-| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
-| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                       | Description                                      | Default                              |
+| -------------------------- | ------------------------------------------------ | ------------------------------------ |
+| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 100m, memory: 128Mi} |
+| task_resource_requirements | Task container resource requirements             | requests: {cpu: 100m, memory: 128Mi} |
+| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |

 Example of customization could be:

@@ -539,33 +599,51 @@ spec:
  ...
  web_resource_requirements:
    requests:
-      cpu: 1000m
+      cpu: 250m
      memory: 2Gi
    limits:
-      cpu: 2000m
+      cpu: 1000m
      memory: 4Gi
  task_resource_requirements:
    requests:
-      cpu: 500m
+      cpu: 250m
      memory: 1Gi
    limits:
-      cpu: 1000m
+      cpu: 2000m
      memory: 2Gi
  ee_resource_requirements:
    requests:
-      cpu: 500m
-      memory: 1Gi
+      cpu: 250m
+      memory: 100Mi
    limits:
-      cpu: 1000m
+      cpu: 500m
      memory: 2Gi
 ```

+#### Priority Classes
+
+The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
+First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
+Then set the name of your priority class to the control plane and postgres pods as shown below.
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  ...
+  control_plane_priority_class: awx-demo-high-priority
+  postgres_priority_class: awx-demo-medium-priority
+```
+
 #### Assigning AWX pods to specific nodes

 You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
 the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
 pods to be scheduled onto nodes with matching taints.
-The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`  
+The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`


 | Name                        | Description                         | Default |
@@ -619,11 +697,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v
 Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).


-| Name                 | Description                            | Default |
-| -------------------- | -------------------------------------- | ------- |
-| ldap_cacert_secret   | LDAP Certificate Authority secret name | ''      |
-| bundle_cacert_secret | Certificate Authority secret name      | ''      |
-
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.

 Example of customization could be:
@@ -633,10 +711,13 @@ Example of customization could be:
 spec:
  ...
  ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
  bundle_cacert_secret: <resourcename>-custom-certs
 ```

-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret

 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -644,6 +725,66 @@ To create the secret, you can use the command below:
    --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```

+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory

 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
@@ -773,7 +914,7 @@ type: Opaque
 ```

 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.

 You can create `image_pull_secret`
 ```
@@ -822,6 +963,36 @@ Example configuration of environment variables
        value: foo
 ```

+#### CSRF Cookie Secure Setting
+
+With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name               | Description        | Default |
+| ------------------ | ------------------ | ------- |
+| csrf_cookie_secure | CSRF Cookie Secure | ''      |
+
+Example configuration of the `csrf_cookie_secure` setting:
+
+```yaml
+  spec:
+    csrf_cookie_secure: 'False'
+```
+
+#### Session Cookie Secure Setting
+
+With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name                  | Description           | Default |
+| --------------------- | --------------------- | ------- |
+| session_cookie_secure | Session Cookie Secure | ''      |
+
+Example configuration of the `session_cookie_secure` setting:
+
+```yaml
+  spec:
+    session_cookie_secure: 'False'
+```
+
 #### Extra Settings

 With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
@@ -913,7 +1084,10 @@ The first step is to create a draft release. Typically this will happen in the [

 If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.

-After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
+After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
+
+- Publish image to Quay
+- Release Helm chart

 ## Author

--- a/ansible/helm-release.yml
+++ b/ansible/helm-release.yml
@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  vars:
+    chart_repo: awx-operator
+  tasks:
+    - name: Look up release
+      uri:
+        url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
+      register: release
+      ignore_errors: yes
+
+    - fail:
+        msg: |
+          Release must exist before running this playbook
+      when: release is not success
+
+    - name: Build and package helm chart
+      command: |
+        make helm-chart helm-package
+      environment:
+        VERSION: "{{ tag }}"
+        IMAGE_TAG_BASE: "{{ operator_image }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"
+
+    # Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
+    - name: Upload helm chart
+      uri:
+        url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
+        src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
+        headers:
+          Authorization: "token {{ gh_token }}"
+          Content-Type: "application/octet-stream"
+        status_code:
+          - 200
+          - 201
+      register: asset_upload
+      changed_when: asset_upload.json.state == "uploaded"
+
+    - name: Publish helm index
+      command: |
+        make helm-index
+      environment:
+        CHART_OWNER: "{{ chart_owner }}"
+        CR_TOKEN: "{{ gh_token }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -165,6 +165,9 @@ spec:
                control_plane_ee_image:
                  description: Registry path to the Execution Environment container image to use on control plane pods
                  type: string
+                control_plane_priority_class:
+                  description: Assign a preexisting priority class to the control plane pods
+                  type: string
                ee_pull_credentials_secret:
                  description: Secret where pull credentials for registered ees can be found
                  type: string
@@ -179,8 +182,13 @@ spec:
                    - never
                    - IfNotPresent
                    - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
+                image_pull_secrets:
+                  description: Image pull secrets for app and database containers
+                  type: array
+                  items:
+                    type: string
+                image_pull_secret:  # deprecated
+                  description: (Deprecated) Image pull secret for app and database containers
                  type: string
                task_resource_requirements:
                  description: Resource requirements for the task container
@@ -270,6 +278,28 @@ spec:
                          type: string
                      type: object
                  type: object
+                redis_resource_requirements:
+                  description: Resource requirements for the redis container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                service_account_annotations:
                  description: ServiceAccount annotations
                  type: string
@@ -387,6 +417,9 @@ spec:
                postgres_storage_class:
                  description: Storage class to use for the PostgreSQL PVC
                  type: string
+                postgres_priority_class:
+                  description: Assign a preexisting priority class to the postgres pod
+                  type: string
                postgres_data_path:
                  description: Path where the PostgreSQL data are located
                  type: string
@@ -403,6 +436,9 @@ spec:
                ldap_cacert_secret:
                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                  type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                bundle_cacert_secret:
                  description: Secret where can be found the trusted Certificate Authority Bundle
                  type: string
@@ -430,6 +466,12 @@ spec:
                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
                  default: ReadWriteMany
                  type: string
+                csrf_cookie_secure:
+                  description: Set csrf cookie secure mode for web
+                  type: string
+                session_cookie_secure:
+                  description: Set session cookie secure mode for web
+                  type: string
                extra_settings:
                  description: Extra settings to specify for the API
                  items:
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -55,4 +55,6 @@ spec:
            initialDelaySeconds: 5
            periodSeconds: 10
      serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: redhat-operators-pull-secret
      terminationGracePeriodSeconds: 10
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -252,8 +252,8 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-      - displayName: Image Pull Secret
-        path: image_pull_secret
+      - displayName: Image Pull Secrets
+        path: image_pull_secrets
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:io.kubernetes:Secret
@@ -278,6 +278,11 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: Redis container resource requirements
+        path: redis_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
      - displayName: PostgreSQL container resource requirements (when using a managed
          instance)
        path: postgres_resource_requirements
@@ -554,6 +559,16 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: CSRF cookie secure setting
+        path: csrf_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Session cookie secure setting
+        path: session_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
      - displayName: API Extra Settings
        path: extra_settings
        x-descriptors:
--- a/config/samples/awx_v1beta1_awx.yaml
+++ b/config/samples/awx_v1beta1_awx.yaml
@@ -6,13 +6,13 @@ metadata:
 spec:
  web_resource_requirements:
    requests:
-      cpu: 250m
+      cpu: 50m
      memory: 128M
  task_resource_requirements:
    requests:
-      cpu: 250m
+      cpu: 50m
      memory: 128M
  ee_resource_requirements:
    requests:
-      cpu: 200m
+      cpu: 50m
      memory: 64M
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```
--- a/molecule/default/kustomize.yml
+++ b/molecule/default/kustomize.yml
@@ -1,7 +1,7 @@
 ---
 - name: Build kustomize testing overlay
  # load_restrictor must be set to none so we can load patch files from the default overlay
-  command: '{{ kustomize }} build  --load_restrictor none .'
+  command: '{{ kustomize }} build  --load-restrictor LoadRestrictionsNone .'
  args:
    chdir: '{{ config_dir }}/testing'
  register: resources
--- a/molecule/default/templates/awx_cr_molecule.yml.j2
+++ b/molecule/default/templates/awx_cr_molecule.yml.j2
@@ -15,13 +15,16 @@ spec:
    kubernetes.io/ingress.class: nginx
  web_resource_requirements:
    requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
  task_resource_requirements:
    requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
  ee_resource_requirements:
    requests:
-      cpu: 200m
-      memory: 64M
+      cpu: 50m
+      memory: 16M
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}
+  redis_resource_requirements: {}
--- a/roles/backup/tasks/postgres.yml
+++ b/roles/backup/tasks/postgres.yml
@@ -39,6 +39,7 @@
      until:
        - "postgres_pod['resources'] | length"
        - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+        - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
      delay: 5
      retries: 60

--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -21,9 +21,21 @@
    - ingress_tls_secret
    - ldap_cacert_secret
    - bundle_cacert_secret
-    - image_pull_secret
    - ee_pull_credentials_secret

+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secrets
+  when: image_pull_secrets | default([]) | length
+
 - name: Nest secrets under a single variable
  set_fact:
    secrets: {"secrets": '{{ secret_dict }}'}
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -133,7 +133,7 @@ _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
 _init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []

 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
@@ -164,24 +164,36 @@ replicas: "1"
 task_args:
  - /usr/bin/launch_awx_task.sh
 task_command: []
-web_args: []
+web_args:
+  - /usr/bin/launch_awx.sh
 web_command: []

 task_resource_requirements:
  requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 128Mi

 web_resource_requirements:
  requests:
-    cpu: 1000m
-    memory: 2Gi
+    cpu: 100m
+    memory: 128Mi

 ee_resource_requirements:
  requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 64Mi

+# Customize CSRF options
+csrf_cookie_secure: False
+session_cookie_secure: False
+
+# Assign a preexisting priority class to the control plane pods
+control_plane_priority_class: ''
+
+redis_resource_requirements:
+  requests:
+    cpu: 50m
+    memory: 64Mi
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -222,8 +234,16 @@ postgres_tolerations: ''
 postgres_storage_requirements:
  requests:
    storage: 8Gi
-postgres_init_container_resource_requirements: {}
-postgres_resource_requirements: {}
+postgres_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+postgres_init_container_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+# Assign a preexisting priority class to the postgres pod
+postgres_priority_class: ''
 postgres_data_path: '/var/lib/postgresql/data/pgdata'

 # Persistence to the AWX project data folder
@@ -247,6 +267,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''

+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''

--- a/roles/installer/tasks/database_configuration.yml
+++ b/roles/installer/tasks/database_configuration.yml
@@ -153,6 +153,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60
  when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
--- a/roles/installer/tasks/initialize_django.yml
+++ b/roles/installer/tasks/initialize_django.yml
@@ -13,18 +13,6 @@
  register: users_result
  changed_when: users_result.return_code > 0

- name: Update super user password via Django if it does exist (same password is a noop)
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
-  register: update_pw_result
-  changed_when: users_result.stdout == 'Password not updated'
-  no_log: true
-  when: users_result.return_code == 0
-
 - name: Create super user via Django if it doesn't exist.
  k8s_exec:
    namespace: "{{ ansible_operator_meta.namespace }}"
@@ -37,17 +25,6 @@
  no_log: true
  when: users_result.return_code > 0

- name: Create preload data if necessary.  # noqa 305
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage create_preload_data"
-  register: cdo
-  changed_when: "'added' in cdo.stdout"
-  when: create_preload_data | bool
-
 - name: Check if legacy queue is present
  k8s_exec:
    namespace: "{{ ansible_operator_meta.namespace }}"
@@ -118,3 +95,14 @@
      changed_when: "'changed: True' in ree.stdout"
      no_log: true
  when: _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- name: Create preload data if necessary.  # noqa 305
+  k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ ansible_operator_meta.name }}-task"
+    command: >-
+      bash -c "awx-manage create_preload_data"
+  register: cdo
+  changed_when: "'added' in cdo.stdout"
+  when: create_preload_data | bool
--- a/roles/installer/tasks/load_ldap_password_secret.yml
+++ b/roles/installer/tasks/load_ldap_password_secret.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: true
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: true
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -25,6 +25,11 @@
  when:
    - ldap_cacert_secret != ''

+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
  include_tasks: load_bundle_cacert_secret.yml
  when:
--- a/roles/installer/tasks/migrate_data.yml
+++ b/roles/installer/tasks/migrate_data.yml
@@ -29,6 +29,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60

--- a/roles/installer/tasks/resources_configuration.yml
+++ b/roles/installer/tasks/resources_configuration.yml
@@ -17,6 +17,16 @@
  set_fact:
    tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"

+- name: Set user provided control plane ee image
+  set_fact:
+    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
+  when:
+    - control_plane_ee_image | default([]) | length
+
+- name: Set Control Plane EE image URL
+  set_fact:
+    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
+
 - name: Apply Resources
  k8s:
    apply: yes
@@ -62,16 +72,6 @@
  set_fact:
    _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"

- name: Set user provided control plane ee image
-  set_fact:
-    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
-  when:
-    - control_plane_ee_image | default([]) | length
-
- name: Set Control Plane EE image URL
-  set_fact:
-    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
-
 - name: Apply deployment resources
  k8s:
    apply: yes
--- a/roles/installer/templates/config.yaml.j2
+++ b/roles/installer/templates/config.yaml.j2
@@ -60,8 +60,8 @@ data:
    CLUSTER_HOST_ID = socket.gethostname()
    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
    
-    CSRF_COOKIE_SECURE = False
-    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
    
    SERVER_EMAIL = 'root@localhost'
    DEFAULT_FROM_EMAIL = 'webmaster@localhost'
@@ -176,6 +176,8 @@ data:
    
            # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
            add_header X-Frame-Options "DENY";
+            # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+            add_header X-Content-Type-Options nosniff;
    
            location /nginx_status {
                stub_status on;
@@ -229,6 +231,7 @@ data:
                add_header Strict-Transport-Security max-age=15768000;
                # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
                add_header X-Frame-Options "DENY";
+                add_header X-Content-Type-Options nosniff;
                add_header Cache-Control "no-cache, no-store, must-revalidate";
                add_header Expires "0";
                add_header Pragma "no-cache";
--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
@@ -33,9 +33,17 @@ spec:
 {% endif %}
    spec:
      serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if control_plane_priority_class is defined %}
+      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
      initContainers:
 {% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
@@ -93,6 +101,7 @@ spec:
              mountPath: "/var/run/redis"
            - name: "{{ ansible_operator_meta.name }}-redis-data"
              mountPath: "/data"
+          resources: {{ redis_resource_requirements }}
        - image: '{{ _image }}'
          name: '{{ ansible_operator_meta.name }}-web'
 {% if web_command %}
--- a/roles/installer/templates/postgres.yaml.j2
+++ b/roles/installer/templates/postgres.yaml.j2
@@ -33,9 +33,17 @@ spec:
        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
    spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if postgres_priority_class is defined %}
+      priorityClassName: '{{ postgres_priority_class }}'
 {% endif %}
      initContainers:
        - name: database-check
--- a/roles/restore/tasks/postgres.yml
+++ b/roles/restore/tasks/postgres.yml
@@ -37,6 +37,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60
Author	SHA1	Message	Date
Christian Adams	0983220fba	Use awx web launch script to pick up the correct supervisor config (#935 ) - reduce resource requests so that CI passes in resource constrained environments	2022-06-01 19:11:25 -04:00
Paul Verhoeven	3ac0232e89	Updated the Readme (#906 ) * defaults in Deploying a specific version of AWX added * Update README.md updated the README clarified the defaults of Deploying a specific version of AWX	2022-05-09 17:24:43 -04:00
Christian Adams	75c7231afd	Remove unneeded olm-parameter template file (#901 )	2022-05-04 16:45:18 -04:00
Christian Adams	363aa3642b	added capability to set the redis container resources (#899 ) * added capability to set the redis container resources * Reduce resource requests so that it can be scheduled on GitHub workflows Co-authored-by: Cedric Morin <cedric.morin_ext@michelin.com>	2022-05-03 08:53:45 -04:00
Shane McDonald	bf74d5cc34	Merge pull request #799 from mamercad/helm Add Helm functionality	2022-05-02 14:38:24 -04:00
Shane McDonald	46586bd7b6	Rework helm release process This was mostly me working around a limitation in chart-releaser where it does not allow for uploading a chart to an existing release.	2022-05-02 14:12:59 -04:00
Shane McDonald	191be7bf3c	Run test helm install in CI	2022-05-02 14:12:59 -04:00
Shane McDonald	b7e5f235ad	Fix yq target Without this I was seeing: $ make yq tar: yq_linux_amd64: Not found in archive tar: Exiting with failure status due to previous errors make: *** [Makefile:240: yq] Error 2	2022-05-02 14:12:59 -04:00
Mark Mercado	6cbc6a7234	Set CHART_OWNER as ${{ github.repository_owner }}	2022-05-02 14:12:59 -04:00
Mark Mercado	beba6a900d	Update kustomize build args for v4+	2022-05-02 14:12:59 -04:00
Mark Mercado	7f72260445	Adding document-start markers	2022-05-02 14:12:59 -04:00
Mark Mercado	5b7baa106d	Adding CI for "make helm-chart"	2022-05-02 14:12:59 -04:00
Mark Mercado	9380686395	Handle amd64 versus x86_64	2022-05-02 14:12:59 -04:00
Mark Mercado	0de966153d	Fix kubectl-slice for amd64	2022-05-02 14:12:59 -04:00
Mark Mercado	efaa4718ec	Adding Helm functionality	2022-05-02 14:12:57 -04:00
Shane McDonald	e6a473b765	Merge pull request #887 from ansible/add-content-type-option-header-op Add the X-Content-Type-Options nosniff header	2022-05-02 08:25:48 -04:00
Christian Adams	859384e9f6	Changed default pull secret to agreed upon name (#896 )	2022-04-29 16:21:03 -04:00
Christian Adams	b66a16508f	Clarify docs on how to configure an External Database (#895 )	2022-04-29 15:35:07 -04:00
Christian Adams	3da427f31d	Look for a specific pull secret when deployed in certain cloud environments (#894 )	2022-04-27 15:44:10 -04:00
Shane McDonald	9f2b51a6a9	Fix mistake in debugging docs	2022-04-25 16:32:50 -04:00
Hung Tran	5b73ad172e	Load LDAP password from secret and update guideline (#659 ) * Load LDAP password from secret and update guideline * Add pod_labels for custom pod labels Signed-off-by: Loc Mai <lmai@axon.com> * Omit tls secret if using wildcard cert * Resolve conflicts * Remove the ingress changes * Remove the config changes * Load LDAP password from secret and update guideline * Omit tls secret if using wildcard cert * Resolve conflicts * Remove the ingress changes * Remove the config changes Co-authored-by: hungts <hungts@axon.com> Co-authored-by: Loc Mai <lmai@axon.com> Co-authored-by: Max Bidlingmaier <Max-Florian.Bidlingmaier@sap.com> Co-authored-by: Max Bidlingmaier <maks@konsolan.de>	2022-04-25 16:16:10 -04:00
Shane McDonald	2227301707	Merge pull request #888 from shanemcd/debugging-docs Add docs/debugging.md	2022-04-25 16:11:21 -04:00
Shane McDonald	9f63fc0da5	Add docs/debugging.md	2022-04-25 16:02:30 -04:00
Seth Foster	322aea970d	Merge pull request #886 from fosterseth/make_csrf_settings_boolean Render cookie settings as a boolean	2022-04-25 15:45:42 -04:00
Seth Foster	c4bef95662	Render cookie settings as a boolean	2022-04-25 15:31:09 -04:00
Jeff Bradberry	fa705f6466	Add the X-Content-Type-Options nosniff header	2022-04-25 14:00:07 -04:00
Seth Foster	7fd5083c16	Merge pull request #862 from fosterseth/add_priorityclass_option Add priority class options to high priority pods	2022-04-21 15:40:55 -04:00
Christian M. Adams	daf15a93bf	Reduce the resources requests for CI runs * GitHub Workflows run in a resource constrained environment, we were asking too much of it, so pods never got scheduled.	2022-04-21 15:10:09 -04:00
Christian M. Adams	dfa0f6d45e	Add docs for priority classes & fix typo	2022-04-21 11:59:15 -04:00
Christian M. Adams	21062f0708	Add default resource requests for postgres containers	2022-04-18 12:30:02 -04:00
Seth Foster	5372771bac	Add priority class options to high priority pods - Add postgres_priority_class - Add control_plane_priority_class - Add default requests for postgres pod to ensure at a "Burstable" QoS	2022-04-18 12:29:54 -04:00
Mac Chaffee	8df0969e6a	Fix namespace name in readme (#868 ) Signed-off-by: Mac Chaffee <machaffe@renci.org>	2022-04-15 16:08:43 -04:00
Jeremy Kimber	5af7e7f4b9	Ensure custom control plane EE is defined prior to creation of application credentials (#873 ) Co-authored-by: Jeremy Kimber <jeremy.kimber@garmin.com>	2022-04-15 16:04:47 -04:00
Christian Adams	d8f91d112e	Stop updating the admin user password (#874 ) * This is overwriting changes the user makes to the admin password via the app itself	2022-04-14 16:35:37 -04:00
Christian Adams	379552218d	Add back image_pull_secret field for backwards compatibility (#870 )	2022-04-14 13:25:54 -04:00
David Luong	1686875321	Customize CSRF options (#825 )	2022-04-13 19:42:07 -04:00
Christian Adams	1b41d945e6	Check if image_pull_secrets variable is defined (#865 ) * Do not attempt to backup secret if none are defined	2022-04-11 11:10:09 -04:00
Dragutan Alexandr	5e81729bc9	Update README.md (#858 ) cut off svg-content, link preserverd.	2022-04-06 21:39:49 -04:00
Christian Adams	575e594314	Wait for the postgres pod to enter the ready state before starting containers (#861 )	2022-04-06 08:29:53 -04:00
Christian Adams	5f76d4917e	Enable setting a list of image_pull_secrets (#860 ) When there are e.g. multiple authenticated container registries used we need to be able to add multiple imagePullSecrets to the k8s resource Co-authored-by: Maximilian Meister <maximilian.meister@pm.me>	2022-04-05 11:51:21 -04:00
gamuniz	94c5c41a24	reording the django tasks to avoid race condition aap-2847 (#855 ) * Reorder the django init tasks to avoid race condition - aap-2847	2022-04-01 14:55:57 -04:00
Shane McDonald	ee84625107	Merge pull request #843 from mac-chaffee/kustomize-umbrella Add docs for proper kustomization installs	2022-03-28 16:56:01 -04:00
Mac Chaffee	add76c159b	Mention how to install Kustomize. It's recommended to install the standalone version of kustomize rather than using the version that ships with kubectl because that version is typically very old and doesn't match the docs.	2022-03-26 11:53:17 -04:00
Mac Chaffee	375031e1f8	Remove explicit tags to avoid need to bump versions Signed-off-by: Mac Chaffee <machaffe@renci.org>	2022-03-24 19:18:46 -04:00
Mac Chaffee	0a9e9722c5	Add docs for proper kustomization installs	2022-03-23 15:42:24 -04:00