Resolves #918 to make no_log configurable (#923)

.github folder maintainance

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-##### ISSUE TYPE
- - Bug Report
-
-##### SUMMARY
-<!-- Briefly describe the problem. -->
-
-##### ENVIRONMENT
-* AWX version: X.Y.Z
-* Operator version: X.Y.Z
-* Kubernetes version: 
-* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
-
-##### STEPS TO REPRODUCE
-
-<!-- Please describe exactly how to reproduce the problem. -->
-
-##### EXPECTED RESULTS
-
-<!-- What did you expect to happen when running the steps above? -->
-
-##### ACTUAL RESULTS
-
-<!-- What actually happened? -->
-
-##### ADDITIONAL INFORMATION
-
-<!-- Include any links to sosreport, database dumps, screenshots or other
-information. -->
-
-##### AWX-OPERATOR LOGS

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,125 @@
+---
+name: Bug Report
+description: "🐞 Create a report to help us improve"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Bug Report issues are for **concrete, actionable bugs** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Bug Summary
+      description: Briefly describe the problem.
+    validations:
+      required: false
+
+  - type: input
+    id: awx-operator-version
+    attributes:
+      label: AWX Operator version
+      description: What version of the AWX Operator are you running?
+    validations:
+      required: true
+
+  - type: input
+    id: awx-version
+    attributes:
+      label: AWX version
+      description: What version of AWX are you running?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Kubernetes platform
+      description: What platform did you install the Operator in?
+      multiple: false
+      options:
+        - kubernetes
+        - minikube
+        - openshift
+        - minishift
+        - docker development environment
+        - other (please specify in additional information)
+    validations:
+      required: true
+
+  - type: input
+    id: kube-version
+    attributes:
+      label: Kubernetes/Platform version
+      description: What version of your platform/kuberneties are you using?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: modified-architecture
+    attributes:
+      label: Modifications
+      description: >-
+       Have you modified the installation, deployment topology, or container images in any way? If yes, please
+       explain in the "additional information" field at the bottom of the form.
+      multiple: false
+      options:
+        - "no"
+        - "yes"
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to reproduce
+      description: >-
+        Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
+        on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-results
+    attributes:
+      label: Expected results
+      description: What did you expect to happpen when running the steps above?
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual-results
+    attributes:
+      label: Actual results
+      description: What actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional information
+      description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
+    validations:
+      required: false
+
+  - type: textarea
+    id: operator-logs
+    attributes:
+      label: Operator Logs
+      description: Include any relevant logs generated by the operator.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+---
+blank_issues_enabled: false
+contact_links:
+  - name: For debugging help or technical support
+    url: https://github.com/ansible/awx-operator#get-involved
+    about: For general debugging or technical support please see the Get Involved section of our readme.
+  - name: 📝 Ansible Code of Conduct
+    url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
+    about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
+  - name: 💼 For Enterprise
+    url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
+    about: Red Hat offers support for the Ansible Automation Platform

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+---
+name: ✨ Feature request
+description: Suggest an idea for this project
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Feature Request issues are for **feature requests** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Feature Summary
+      description: Briefly describe the desired enhancement.
+    validations:
+      required: true

.github/workflows/ci.yaml

@@ -10,9 +10,9 @@ on:
     branches: [devel]
 
 jobs:
-  pull_request:
+  molecule:
     runs-on: ubuntu-18.04
-    name: pull_request
+    name: molecule
     env:
       DOCKER_API_VERSION: "1.38"
     steps:
@@ -39,3 +39,28 @@ jobs:
           sudo rm -f $(which kustomize)
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+  helm:
+    runs-on: ubuntu-18.04
+    name: helm
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.2.0
+
+      - name: Build operator image and load into kind
+        run: |
+          IMG=awx-operator-ci make docker-build
+          kind load docker-image --name chart-testing awx-operator-ci
+
+      - name: Patch pull policy for tests
+        run: |
+          kustomize edit add patch --path ../testing/pull_policy/Never.yaml
+        working-directory: config/default
+
+      - name: Build and install helm chart
+        run: |
+          IMG=awx-operator-ci make helm-chart
+          helm install --wait my-awx-operator ./charts/awx-operator

.github/workflows/promote.yaml

@@ -8,6 +8,8 @@ jobs:
   promote:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v2
+
       - name: Log in to GHCR
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +25,16 @@ jobs:
           docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
           docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
           docker push quay.io/${{ github.repository }}:latest
+
+      - name: Configure git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ github.event.release.tag_name }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -4,3 +4,5 @@
 /bundle
 /bundle_tmp*
 /bundle.Dockerfile
+/charts
+/.cr-release-packages

.helm/starter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.helm/starter/Chart.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Kubernetes
+name: starter
+type: application
+version: 0.1.0

Makefile

@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)
 
 CONTAINER_CMD ?= docker
 
+# GNU vs BSD in-place sed
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_I := sed -i
+else
+	SED_I := sed -i ''
+endif
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -41,6 +48,14 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
 
+# Helm variables
+CHART_NAME ?= awx-operator
+CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
+CHART_OWNER ?= $(GH_REPO_OWNER)
+CHART_REPO ?= awx-operator
+CHART_BRANCH ?= gh-pages
+CHART_INDEX ?= index.yaml
+
 all: docker-build
 
 ##@ General
@@ -93,7 +108,8 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +119,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -119,7 +135,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -150,7 +166,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -181,3 +197,125 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+.PHONY: kubectl-slice
+KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
+kubectl-slice: ## Download kubectl-slice locally if necessary.
+ifeq (,$(wildcard $(KUBECTL_SLICE)))
+ifeq (,$(shell which kubectl-slice 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(KUBECTL_SLICE)) ;\
+	curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
+	tar xzf - -C bin/ kubectl-slice ;\
+	}
+else
+KUBECTL_SLICE = $(shell which kubectl-slice)
+endif
+endif
+
+.PHONY: helm
+HELM = $(shell pwd)/bin/helm
+helm: ## Download helm locally if necessary.
+ifeq (,$(wildcard $(HELM)))
+ifeq (,$(shell which helm 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
+	mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
+	rmdir bin/$(OS)-$(ARCHA) ;\
+	}
+else
+HELM = $(shell which helm)
+endif
+endif
+
+.PHONY: yq
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+ifeq (,$(wildcard $(YQ)))
+ifeq (,$(shell which yq 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ ;\
+	mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
+	}
+else
+YQ = $(shell which yq)
+endif
+endif
+
+PHONY: cr
+CR = $(shell pwd)/bin/cr
+cr: ## Download cr locally if necessary.
+ifeq (,$(wildcard $(CR)))
+ifeq (,$(shell which cr 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(CR)) ;\
+	curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ cr ;\
+	}
+else
+CR = $(shell which cr)
+endif
+endif
+
+charts:
+	mkdir -p $@
+
+.PHONY: helm-chart
+helm-chart: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE (image and namespace) =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+
+	@echo "== HELM =="
+	cd charts && \
+		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
+		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
+
+	@cat charts/$(CHART_NAME)/Chart.yaml
+
+	@echo "== KUSTOMIZE (annotation) =="
+	cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+
+	@echo "== SLICE =="
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
+		$(KUBECTL_SLICE) --input-file=- \
+			--output-dir=charts/$(CHART_NAME)/templates \
+			--sort-by-kind
+	@echo "Helm Chart $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+
+.PHONY: helm-package
+helm-package: cr helm-chart
+	@echo "== CHART RELEASER (package) =="
+	$(CR) package ./charts/awx-operator
+
+# The actual release happens in ansible/helm-release.yml
+# until https://github.com/helm/chart-releaser/issues/122 happens
+.PHONY: helm-index
+helm-index: cr helm-chart
+	@echo "== CHART RELEASER (httpsorigin) =="
+	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
+	git fetch httpsorigin
+
+	@echo "== CHART RELEASER (index) =="
+	$(CR) index \
+		--owner "$(CHART_OWNER)" \
+		--git-repo "$(CHART_REPO)" \
+		--token "$(CR_TOKEN)" \
+		--pages-branch "$(CHART_BRANCH)" \
+		--index-path "./charts/$(CHART_INDEX)" \
+		--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
+		--remote httpsorigin \
+		--release-name-template="{{ .Version }}" \
+		--push

README.md

@@ -1,18 +1,24 @@
 # AWX Operator
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
+[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html) 
+[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
+[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
 
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
 
 # Table of Contents
-
+<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
+<!-- gh-md-toc --insert README.md -->
 <!--ts-->
 * [AWX Operator](#awx-operator)
 * [Table of Contents](#table-of-contents)
    * [Purpose](#purpose)
    * [Usage](#usage)
-      * [Basic Install on minikube (beginner or testing)](#basic-install-on-minikube-beginner-or-testing)
-      * [Basic Install on existing cluster](#basic-install-on-existing-cluster)
+      * [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
+      * [Basic Install](#basic-install)
+      * [Helm Install on existing cluster](#helm-install-on-existing-cluster)
       * [Admin user account configuration](#admin-user-account-configuration)
       * [Network and TLS Configuration](#network-and-tls-configuration)
          * [Service Type](#service-type)
@@ -26,20 +32,34 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Redis container capabilities](#redis-container-capabilities)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
+         * [Priority Classes](#priority-classes)
          * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
          * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+         * [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
+            * [Control plane ee from private registry](#control-plane-ee-from-private-registry)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
+         * [Session Cookie Secure Setting](#session-cookie-secure-setting)
          * [Extra Settings](#extra-settings)
+         * [Configure no_log](#no-log)
          * [Service Account](#service-account)
       * [Uninstall](#uninstall)
       * [Upgrading](#upgrading)
          * [v0.14.0](#v0140)
+            * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
+            * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
+            * [Steps to upgrade](#steps-to-upgrade)
    * [Contributing](#contributing)
    * [Release Process](#release-process)
    * [Author](#author)
+   * [Code of Conduct](#code-of-conduct)
+   * [Get Involved](#get-involved)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
+
 <!--te-->
 
 ## Purpose
@@ -48,11 +68,11 @@ This operator is meant to provide a more Kubernetes-native installation method f
 
 ## Usage
 
-### Basic Install on minikube (beginner or testing)
-
 This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
 
-For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
+### Creating a minikube cluster for testing
+
+If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
 
 ```
 $ minikube start --cpus=4 --memory=6g --addons=ingress
@@ -101,46 +121,66 @@ Let's create an alias for easier usage:
 $ alias kubectl="minikube kubectl --"
 ```
 
-Now you need to deploy AWX Operator into your cluster. Clone this repo and `git checkout` the latest version from https://github.com/ansible/awx-operator/releases, and then run the following command:
+### Basic Install
+
+Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/
+
+First, create a file called `kustomization.yaml` with the following content:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+
+# Set the image tags to match the git version from above
+images:
+  - name: quay.io/ansible/awx-operator
+    newTag: <tag>
+
+# Specify a custom namespace in which to install AWX
+namespace: awx
+```
+
+> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
+
+Install the manifests by running this:
 
 ```
-$ export NAMESPACE=my-namespace
-$ make deploy
-  /home/user/awx-operator/bin/kustomize build config/default | kubectl apply -f -
-  namespace/my-namespace created
-  customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
-  customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
-  customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
-  serviceaccount/awx-operator-controller-manager created
-  role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
-  role.rbac.authorization.k8s.io/awx-operator-manager-role created
-  clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
-  clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
-  rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
-  rolebinding.rbac.authorization.k8s.io/awx-operator-manager-rolebinding created
-  clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
-  configmap/awx-operator-manager-config created
-  service/awx-operator-controller-manager-metrics-service created
-  deployment.apps/awx-operator-controller-manager created
+$ kustomize build . | kubectl apply -f -
+namespace/awx created
+customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
+customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
+customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
+serviceaccount/awx-operator-controller-manager created
+role.rbac.authorization.k8s.io/awx-operator-awx-manager-role created
+role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
+clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
+clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
+rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding created
+rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
+clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
+configmap/awx-operator-awx-manager-config created
+service/awx-operator-controller-manager-metrics-service created
+deployment.apps/awx-operator-controller-manager created
 ```
 
 Wait a bit and you should have the `awx-operator` running:
 
 ```
-$ kubectl get pods -n $NAMESPACE
+$ kubectl get pods -n awx
 NAME                                               READY   STATUS    RESTARTS   AGE
 awx-operator-controller-manager-66ccd8f997-rhd4z   2/2     Running   0          11s
 ```
 
-So we don't have to keep repeating `-n $NAMESPACE`, let's set the current namespace for `kubectl`:
+So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:
 
 ```
-$ kubectl config set-context --current --namespace=$NAMESPACE
+$ kubectl config set-context --current --namespace=awx
 ```
 
-It is important to know that when you do not set the default namespace to $NAMESPACE that the `awx-operator-controller-manager` might get confused.
-
-Next, create a file named `awx-demo.yml` with the suggested content below. The `metadata.name` you provide, will be the name of the resulting AWX deployment.
+Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
 
 **Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
 
@@ -154,17 +194,21 @@ spec:
   service_type: nodeport
 ```
 
-Finally, use `kubectl` to create the awx instance in your cluster:
+Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
+
+```yaml
+...
+resources:
+  - github.com/ansible/awx-operator/config/default?ref=<tag>
+  # Add this extra line:
+  - awx-demo.yaml
+...
+```
+
+Finally, run `kustomize` again to create the AWX instance in your cluster:
 
 ```
-$ kubectl apply -f awx-demo.yml
-awx.awx.ansible.com/awx-demo created
-```
-Or, when you haven't set a default namespace
-
-```
-$ kubectl apply -f awx-demo.yml --namespace=$NAMESPACE
-awx.awx.ansible.com/awx-demo created
+kustomize build . | kubectl apply -f -
 ```
 
 After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
@@ -204,21 +248,33 @@ You just completed the most basic install of an AWX instance via this operator.
 
 For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
 
-[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
 
-### Basic Install on existing cluster
+### Helm Install on existing cluster
 
-For those running a whole K8S Cluster the steps to set up the awx-operator are:
+For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
 
-```
-$ Prepare required files
-git clone https://github.com/ansible/awx-operator.git
-cd awx-operator
-git checkout {{ latest_released_version }} # replace variable by latest version number in releases
+```bash
+$ helm repo add awx-operator https://ansible.github.io/awx-operator/
+"awx-operator" has been added to your repositories
 
-$ Deploy new AWX Operator
-export NAMESPACE=<Name of the namespace where your AWX instanse exists>
-make deploy
+$ helm repo update
+Hang tight while we grab the latest from your chart repositories...
+...Successfully got an update from the "awx-operator" chart repository
+Update Complete. ⎈Happy Helming!⎈
+
+$ helm search repo awx-operator
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+awx-operator/awx-operator       0.17.1          0.17.1          A Helm chart for the AWX Operator
+
+$ helm install my-awx-operator awx-operator/awx-operator
+NAME: my-awx-operator
+LAST DEPLOYED: Thu Feb 17 22:09:05 2022
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+Helm Chart 0.17.1
 ```
 
 ### Admin user account configuration
@@ -380,7 +436,7 @@ spec:
 
 #### External PostgreSQL Service
 
-In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
+To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
 
 
 The secret should be formatted as follows:
@@ -409,6 +465,15 @@ type: Opaque
 
 **Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
 
+Once the secret is created, you can specify it on your spec:
+
+```yaml
+---
+spec:
+  ...
+  postgres_configuration_secret: <name-of-your-secret>
+```
+
 #### Migrating data from an old AWX instance
 
 For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -419,14 +484,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
 
 The following variables are customizable for the managed PostgreSQL service
 
-| Name                                          | Description                                   | Default                           |
-| --------------------------------------------- | --------------------------------------------- | --------------------------------- |
-| postgres_image                                | Path of the image to pull                     | postgres:12                       |
-| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {}                      |
-| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {}                      |
-| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}          |
-| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                      |
-| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata` |
+| Name                                          | Description                                   | Default                            |
+| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
+| postgres_image                                | Path of the image to pull                     | postgres:12                        |
+| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}           |
+| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                       |
+| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata`  |
+| postgres_priority_class                       | Priority class used for PostgreSQL pod        | Empty string                       |
 
 Example of customization could be:
 
@@ -460,15 +526,15 @@ spec:
 
 There are a few variables that are customizable for awx the image management.
 
-| Name                | Description               |
-| ------------------- | ------------------------- |
-| image               | Path of the image to pull |
-| image_version       | Image version to pull     |
-| image_pull_policy   | The pull policy to adopt  |
-| image_pull_secret   | The pull secret to use    |
-| ee_images           | A list of EEs to register |
-| redis_image         | Path of the image to pull |
-| redis_image_version | Image version to pull     |
+| Name                | Description               | Default                                 |
+| ------------------- | ------------------------- | --------------------------------------  |
+| image               | Path of the image to pull | quay.io/ansible/awx                     |
+| image_version       | Image version to pull     | value of DEFAULT_AWX_VERSION or latest  |
+| image_pull_policy   | The pull policy to adopt  | IfNotPresent                            |
+| image_pull_secrets  | The pull secrets to use   | None                                    |
+| ee_images           | A list of EEs to register | quay.io/ansible/awx-ee:latest           |
+| redis_image         | Path of the image to pull | docker.io/redis                         |
+| redis_image_version | Image version to pull     | latest                                  |
 
 Example of customization could be:
 
@@ -479,7 +545,8 @@ spec:
   image: myorg/my-custom-awx
   image_version: latest
   image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
   ee_images:
     - name: my-custom-awx-ee
       image: myorg/my-custom-awx-ee
@@ -525,11 +592,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                       | Description                                      | Default                             |
-| -------------------------- | ------------------------------------------------ | ----------------------------------- |
-| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
-| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                       | Description                                      | Default                              |
+| -------------------------- | ------------------------------------------------ | ------------------------------------ |
+| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 100m, memory: 128Mi} |
+| task_resource_requirements | Task container resource requirements             | requests: {cpu: 100m, memory: 128Mi} |
+| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
 
 Example of customization could be:
 
@@ -539,33 +606,51 @@ spec:
   ...
   web_resource_requirements:
     requests:
-      cpu: 1000m
+      cpu: 250m
       memory: 2Gi
     limits:
-      cpu: 2000m
+      cpu: 1000m
       memory: 4Gi
   task_resource_requirements:
     requests:
-      cpu: 500m
+      cpu: 250m
       memory: 1Gi
     limits:
-      cpu: 1000m
+      cpu: 2000m
       memory: 2Gi
   ee_resource_requirements:
     requests:
-      cpu: 500m
-      memory: 1Gi
+      cpu: 250m
+      memory: 100Mi
     limits:
-      cpu: 1000m
+      cpu: 500m
       memory: 2Gi
 ```
 
+#### Priority Classes
+
+The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
+First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
+Then set the name of your priority class to the control plane and postgres pods as shown below.
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  ...
+  control_plane_priority_class: awx-demo-high-priority
+  postgres_priority_class: awx-demo-medium-priority
+```
+
 #### Assigning AWX pods to specific nodes
 
 You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
 the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
 pods to be scheduled onto nodes with matching taints.
-The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`  
+The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
 
 
 | Name                        | Description                         | Default |
@@ -619,11 +704,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v
 Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
-| Name                 | Description                            | Default |
-| -------------------- | -------------------------------------- | ------- |
-| ldap_cacert_secret   | LDAP Certificate Authority secret name | ''      |
-| bundle_cacert_secret | Certificate Authority secret name      | ''      |
-
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
 
 Example of customization could be:
@@ -633,10 +718,13 @@ Example of customization could be:
 spec:
   ...
   ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
   bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret
 
 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -644,6 +732,66 @@ To create the secret, you can use the command below:
     --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory
 
 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
@@ -773,7 +921,7 @@ type: Opaque
 ```
 
 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
 
 You can create `image_pull_secret`
 ```
@@ -822,6 +970,36 @@ Example configuration of environment variables
         value: foo
 ```
 
+#### CSRF Cookie Secure Setting
+
+With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name               | Description        | Default |
+| ------------------ | ------------------ | ------- |
+| csrf_cookie_secure | CSRF Cookie Secure | ''      |
+
+Example configuration of the `csrf_cookie_secure` setting:
+
+```yaml
+  spec:
+    csrf_cookie_secure: 'False'
+```
+
+#### Session Cookie Secure Setting
+
+With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name                  | Description           | Default |
+| --------------------- | --------------------- | ------- |
+| session_cookie_secure | Session Cookie Secure | ''      |
+
+Example configuration of the `session_cookie_secure` setting:
+
+```yaml
+  spec:
+    session_cookie_secure: 'False'
+```
+
 #### Extra Settings
 
 With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
@@ -842,6 +1020,21 @@ Example configuration of `extra_settings` parameter
         value: "cn=admin,dc=example,dc=com"
 ```
 
+#### No Log
+Configure no_log for tasks with no_log
+
+| Name   | Description          | Default |
+| ------ | -------------------- | ------- |
+| no_log | No log configuration | 'true'  |
+
+Example configuration of `no_log` parameter
+
+```yaml
+  spec:
+    no_log: 'true'
+```
+
+
 #### Service Account
 
 If you need to modify some `ServiceAccount` proprieties
@@ -913,8 +1106,23 @@ The first step is to create a draft release. Typically this will happen in the [
 
 If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
 
-After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
+After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
+
+- Publish image to Quay
+- Release Helm chart
 
 ## Author
 
 This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team
+
+## Code of Conduct
+
+We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
+
+## Get Involved
+
+We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC chanel as AWX itself. Here's how to reach us with feedback and questions:
+
+- Join the `#ansible-awx` channel on irc.libera.chat
+- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)
+

SECURITY.md

@@ -0,0 +1,3 @@
+For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
+
+For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

ansible/helm-release.yml

@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  vars:
+    chart_repo: awx-operator
+  tasks:
+    - name: Look up release
+      uri:
+        url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
+      register: release
+      ignore_errors: yes
+
+    - fail:
+        msg: |
+          Release must exist before running this playbook
+      when: release is not success
+
+    - name: Build and package helm chart
+      command: |
+        make helm-chart helm-package
+      environment:
+        VERSION: "{{ tag }}"
+        IMAGE_TAG_BASE: "{{ operator_image }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"
+
+    # Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
+    - name: Upload helm chart
+      uri:
+        url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
+        src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
+        headers:
+          Authorization: "token {{ gh_token }}"
+          Content-Type: "application/octet-stream"
+        status_code:
+          - 200
+          - 201
+      register: asset_upload
+      changed_when: asset_upload.json.state == "uploaded"
+
+    - name: Publish helm index
+      command: |
+        make helm-index
+      environment:
+        CHART_OWNER: "{{ chart_owner }}"
+        CR_TOKEN: "{{ gh_token }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -165,6 +165,9 @@ spec:
                 control_plane_ee_image:
                   description: Registry path to the Execution Environment container image to use on control plane pods
                   type: string
+                control_plane_priority_class:
+                  description: Assign a preexisting priority class to the control plane pods
+                  type: string
                 ee_pull_credentials_secret:
                   description: Secret where pull credentials for registered ees can be found
                   type: string
@@ -179,8 +182,13 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
+                image_pull_secrets:
+                  description: Image pull secrets for app and database containers
+                  type: array
+                  items:
+                    type: string
+                image_pull_secret:  # deprecated
+                  description: (Deprecated) Image pull secret for app and database containers
                   type: string
                 task_resource_requirements:
                   description: Resource requirements for the task container
@@ -270,6 +278,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                redis_resource_requirements:
+                  description: Resource requirements for the redis container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -387,6 +417,9 @@ spec:
                 postgres_storage_class:
                   description: Storage class to use for the PostgreSQL PVC
                   type: string
+                postgres_priority_class:
+                  description: Assign a preexisting priority class to the postgres pod
+                  type: string
                 postgres_data_path:
                   description: Path where the PostgreSQL data are located
                   type: string
@@ -403,6 +436,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                 bundle_cacert_secret:
                   description: Secret where can be found the trusted Certificate Authority Bundle
                   type: string
@@ -430,6 +466,12 @@ spec:
                   description: AccessMode for the /var/lib/projects PersistentVolumeClaim
                   default: ReadWriteMany
                   type: string
+                csrf_cookie_secure:
+                  description: Set csrf cookie secure mode for web
+                  type: string
+                session_cookie_secure:
+                  description: Set session cookie secure mode for web
+                  type: string
                 extra_settings:
                   description: Extra settings to specify for the API
                   items:
@@ -440,6 +482,9 @@ spec:
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
+                no_log:
+                  description: Configure no_log for no_log tasks
+                  type: string
                 security_context_settings:
                   description: Key/values that will be set under the pod-level securityContext field
                   type: object

config/crd/bases/awxbackup.ansible.com_awxbackups.yaml

@@ -52,6 +52,9 @@ spec:
                 postgres_image_version:
                   description: PostgreSQL container image version to use
                   type: string
+                no_log:
+                  description: Configure no_log for no_log tasks
+                  type: string
             status:
               type: object
               properties:

config/crd/bases/awxrestore.ansible.com_awxrestores.yaml

@@ -56,6 +56,9 @@ spec:
                 postgres_image_version:
                   description: PostgreSQL container image version to use
                   type: string
+                no_log:
+                  description: Configure no_log for no_log tasks
+                  type: string
             status:
               type: object
               properties:

config/manager/manager.yaml

@@ -55,4 +55,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 10
       serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: redhat-operators-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -252,8 +252,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-      - displayName: Image Pull Secret
-        path: image_pull_secret
+      - displayName: Image Pull Secrets
+        path: image_pull_secrets
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
@@ -278,6 +278,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: Redis container resource requirements
+        path: redis_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - displayName: PostgreSQL container resource requirements (when using a managed
           instance)
         path: postgres_resource_requirements
@@ -554,11 +559,26 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: CSRF cookie secure setting
+        path: csrf_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Session cookie secure setting
+        path: session_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: API Extra Settings
         path: extra_settings
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: No Log Configuration
+        path: no_log
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Security Context Settings
         path: security_context_settings
         x-descriptors:

config/samples/awx_v1beta1_awx.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   web_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   task_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   ee_resource_requirements:
     requests:
-      cpu: 200m
+      cpu: 50m
       memory: 64M

docs/debugging.md

@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```

molecule/default/kustomize.yml

@@ -1,7 +1,7 @@
 ---
 - name: Build kustomize testing overlay
   # load_restrictor must be set to none so we can load patch files from the default overlay
-  command: '{{ kustomize }} build  --load_restrictor none .'
+  command: '{{ kustomize }} build  --load-restrictor LoadRestrictionsNone .'
   args:
     chdir: '{{ config_dir }}/testing'
   register: resources

molecule/default/templates/awx_cr_molecule.yml.j2

@@ -15,13 +15,16 @@ spec:
     kubernetes.io/ingress.class: nginx
   web_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   task_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   ee_resource_requirements:
     requests:
-      cpu: 200m
-      memory: 64M
+      cpu: 50m
+      memory: 16M
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}
+  redis_resource_requirements: {}

roles/backup/defaults/main.yml

@@ -10,3 +10,6 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 
 # Size of backup PVC if created dynamically
 backup_storage_requirements: ''
+
+# Set no_log settings on certain tasks
+no_log: 'true'

roles/backup/tasks/dump_generated_secret.yml

@@ -25,15 +25,15 @@
       namespace: '{{ ansible_operator_meta.namespace }}'
       name: "{{ _name }}"
   register: _secret
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set secret data
   set_fact:
       _data: "{{ _secret['resources'][0]['data'] }}"
       _type: "{{ _secret['resources'][0]['type'] }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Create and Add secret names and data to dictionary
   set_fact:
       secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/backup/tasks/dump_secret.yml

@@ -13,16 +13,16 @@
             namespace: '{{ ansible_operator_meta.namespace }}'
             name: "{{ _name }}"
         register: _secret
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Set secret key
         set_fact:
             _data: "{{ _secret['resources'][0]['data'] }}"
             _type: "{{ _secret['resources'][0]['type'] }}"
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Create and Add secret names and data to dictionary
         set_fact:
             secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
-        no_log: true
+        no_log: "{{ no_log }}"
   when: _name != ''

roles/backup/tasks/postgres.yml

@@ -6,7 +6,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
   register: pg_config
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Fail if postgres configuration secret status does not exist
   fail:
@@ -21,7 +21,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - block:
     - name: Delete pod to reload a resource configuration
@@ -39,6 +39,7 @@
       until:
         - "postgres_pod['resources'] | length"
         - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+        - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
       delay: 5
       retries: 60
 
@@ -79,7 +80,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}'  # yamllint disable-line rule:line-length
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set pg_dump command
   set_fact:
@@ -90,7 +91,7 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Write pg_dump to backup on PVC
   k8s_exec:
@@ -103,5 +104,5 @@
       echo 'Successful'
       """
   register: data_migration
-  no_log: true
+  no_log: "{{ no_log }}"
   failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -21,13 +21,25 @@
     - ingress_tls_secret
     - ldap_cacert_secret
     - bundle_cacert_secret
-    - image_pull_secret
     - ee_pull_credentials_secret
 
+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secrets
+  when: image_pull_secrets | default([]) | length
+
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Write postgres configuration to pvc
   k8s_exec:
@@ -35,4 +47,4 @@
     pod: "{{ ansible_operator_meta.name }}-db-management"
     command: >-
       bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/installer/defaults/main.yml

@@ -133,7 +133,7 @@ _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
 _init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []
 
 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
@@ -164,24 +164,36 @@ replicas: "1"
 task_args:
   - /usr/bin/launch_awx_task.sh
 task_command: []
-web_args: []
+web_args:
+  - /usr/bin/launch_awx.sh
 web_command: []
 
 task_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 128Mi
 
 web_resource_requirements:
   requests:
-    cpu: 1000m
-    memory: 2Gi
+    cpu: 100m
+    memory: 128Mi
 
 ee_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 64Mi
 
+# Customize CSRF options
+csrf_cookie_secure: False
+session_cookie_secure: False
+
+# Assign a preexisting priority class to the control plane pods
+control_plane_priority_class: ''
+
+redis_resource_requirements:
+  requests:
+    cpu: 50m
+    memory: 64Mi
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -222,8 +234,16 @@ postgres_tolerations: ''
 postgres_storage_requirements:
   requests:
     storage: 8Gi
-postgres_init_container_resource_requirements: {}
-postgres_resource_requirements: {}
+postgres_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+postgres_init_container_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+# Assign a preexisting priority class to the postgres pod
+postgres_priority_class: ''
 postgres_data_path: '/var/lib/postgresql/data/pgdata'
 
 # Persistence to the AWX project data folder
@@ -247,6 +267,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''
 
@@ -258,3 +281,6 @@ garbage_collect_secrets: false
 development_mode: false
 
 security_context_settings: {}
+
+# Set no_log settings on certain tasks
+no_log: 'true'

roles/installer/tasks/admin_password_configuration.yml

@@ -5,7 +5,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ admin_password_secret }}'
   register: _custom_admin_password
-  no_log: true
+  no_log: "{{ no_log }}"
   when: admin_password_secret | length
 
 - name: Check for default admin password configuration
@@ -14,19 +14,19 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ansible_operator_meta.name }}-admin-password'
   register: _default_admin_password
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set admin password secret
   set_fact:
     _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - block:
     - name: Create admin password secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Read admin password secret
       k8s_info:
@@ -34,16 +34,16 @@
         namespace: '{{ ansible_operator_meta.namespace }}'
         name: '{{ ansible_operator_meta.name }}-admin-password'
       register: _generated_admin_password
-      no_log: true
+      no_log: "{{ no_log }}"
 
   when: not _admin_password_secret['resources'] | default([]) | length
 
 - name: Set admin password secret
   set_fact:
     __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Store admin password
   set_fact:
     admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/installer/tasks/broadcast_websocket_configuration.yml

@@ -5,7 +5,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ broadcast_websocket_secret }}'
   register: _custom_broadcast_websocket
-  no_log: true
+  no_log: "{{ no_log }}"
   when: broadcast_websocket_secret | length
 
 - name: Check for default broadcast websocket secret configuration
@@ -14,20 +14,20 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
   register: _default_broadcast_websocket
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set broadcast websocket secret
   set_fact:
     # yamllint disable-line rule:line-length
     _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - block:
     - name: Create broadcast websocket secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Read broadcast websocket secret
       k8s_info:
@@ -35,7 +35,7 @@
         namespace: '{{ ansible_operator_meta.namespace }}'
         name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
       register: _generated_broadcast_websocket
-      no_log: true
+      no_log: "{{ no_log }}"
 
   when: not _broadcast_websocket_secret['resources'] | default([]) | length
 
@@ -43,9 +43,9 @@
   set_fact:
     # yamllint disable-line rule:line-length
     __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Store broadcast websocket secret name
   set_fact:
     broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/installer/tasks/cleanup.yml

@@ -23,6 +23,6 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
-      no_log: true
+      no_log: "{{ no_log }}"
 
   when: not garbage_collect_secrets | bool

roles/installer/tasks/database_configuration.yml

@@ -6,7 +6,7 @@
     name: '{{ postgres_configuration_secret }}'
   register: _custom_pg_config_resources
   when: postgres_configuration_secret | length
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Check for default PostgreSQL configuration
   k8s_info:
@@ -14,7 +14,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ansible_operator_meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Check for specified old PostgreSQL configuration secret
   k8s_info:
@@ -23,7 +23,7 @@
     name: '{{ old_postgres_configuration_secret }}'
   register: _custom_old_pg_config_resources
   when: old_postgres_configuration_secret | length
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Check for default old PostgreSQL configuration
   k8s_info:
@@ -31,7 +31,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ansible_operator_meta.name }}-old-postgres-configuration'
   register: _default_old_pg_config_resources
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set old PostgreSQL configuration
   set_fact:
@@ -45,7 +45,7 @@
   when:
     - old_pg_config['resources'] is defined
     - old_pg_config['resources'] | length
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set default postgres image
   set_fact:
@@ -54,7 +54,7 @@
 - name: Set PostgreSQL configuration
   set_fact:
     _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set user provided postgres image
   set_fact:
@@ -72,7 +72,7 @@
       k8s:
         apply: true
         definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Read Database Configuration
       k8s_info:
@@ -80,13 +80,13 @@
         namespace: '{{ ansible_operator_meta.namespace }}'
         name: '{{ ansible_operator_meta.name }}-postgres-configuration'
       register: _generated_pg_config_resources
-      no_log: true
+      no_log: "{{ no_log }}"
   when: not _pg_config['resources'] | default([]) | length
 
 - name: Set PostgreSQL Configuration
   set_fact:
     pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set actual postgres configuration secret used
   set_fact:
@@ -140,7 +140,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Wait for Database to initialize if managed DB
   k8s_info:
@@ -153,6 +153,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
   when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'

roles/installer/tasks/initialize_django.yml

@@ -13,18 +13,6 @@
   register: users_result
   changed_when: users_result.return_code > 0
 
-- name: Update super user password via Django if it does exist (same password is a noop)
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
-  register: update_pw_result
-  changed_when: users_result.stdout == 'Password not updated'
-  no_log: true
-  when: users_result.return_code == 0
-
 - name: Create super user via Django if it doesn't exist.
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -34,20 +22,9 @@
       bash -c "echo \"from django.contrib.auth.models import User;
       User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
       | awx-manage shell"
-  no_log: true
+  no_log: "{{ no_log }}"
   when: users_result.return_code > 0
 
-- name: Create preload data if necessary.  # noqa 305
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage create_preload_data"
-  register: cdo
-  changed_when: "'added' in cdo.stdout"
-  when: create_preload_data | bool
-
 - name: Check if legacy queue is present
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -80,7 +57,7 @@
     _execution_environments_pull_credentials: >-
       {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
       | ternary(_custom_execution_environments_pull_credentials, []) }}
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Register default execution environments (without authentication)
   k8s_exec:
@@ -101,7 +78,7 @@
         default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
         default_execution_environment_pull_credentials_url_verify: >-
           {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Register default execution environments (with authentication)
       k8s_exec:
@@ -116,5 +93,16 @@
           --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
       register: ree
       changed_when: "'changed: True' in ree.stdout"
-      no_log: true
+      no_log: "{{ no_log }}"
   when: _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- name: Create preload data if necessary.  # noqa 305
+  k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ ansible_operator_meta.name }}-task"
+    command: >-
+      bash -c "awx-manage create_preload_data"
+  register: cdo
+  changed_when: "'added' in cdo.stdout"
+  when: create_preload_data | bool

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -5,10 +5,10 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ bundle_cacert_secret }}'
   register: bundle_cacert
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Load bundle Certificate Authority Secret content
   set_fact:
     bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
-  no_log: true
+  no_log: "{{ no_log }}"
   when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -5,10 +5,10 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ldap_cacert_secret }}'
   register: ldap_cacert
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Load LDAP CA Certificate Secret content
   set_fact:
     ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
-  no_log: true
+  no_log: "{{ no_log }}"
   when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/load_ldap_password_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: "{{ no_log }}"
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: "{{ no_log }}"
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'

roles/installer/tasks/load_route_tls_secret.yml

@@ -5,16 +5,16 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ route_tls_secret }}'
   register: route_tls
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Load Route TLS Secret content
   set_fact:
     route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
     route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Load Route TLS Secret content
   set_fact:
     route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
-  no_log: true
+  no_log: "{{ no_log }}"
   when: '"ca.crt" in route_tls["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
   include_tasks: load_bundle_cacert_secret.yml
   when:

roles/installer/tasks/migrate_data.yml

@@ -11,7 +11,7 @@
     awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
     awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -29,6 +29,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
 
@@ -48,7 +49,7 @@
       -d {{ awx_old_postgres_database }}
       -p {{ awx_old_postgres_port }}
       -F custom
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set pg_restore command
   set_fact:
@@ -56,7 +57,7 @@
       pg_restore --clean --if-exists
       -U {{ database_username }}
       -d {{ database_name }}
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Stream backup from pg_dump to the new postgresql container
   k8s_exec:
@@ -68,7 +69,7 @@
       PGPASSWORD='{{ awx_old_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
       echo 'Successful'
       """
-  no_log: true
+  no_log: "{{ no_log }}"
   register: data_migration
   failed_when: "'Successful' not in data_migration.stdout"
 

roles/installer/tasks/resources_configuration.yml

@@ -17,6 +17,16 @@
   set_fact:
     tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
 
+- name: Set user provided control plane ee image
+  set_fact:
+    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
+  when:
+    - control_plane_ee_image | default([]) | length
+
+- name: Set Control Plane EE image URL
+  set_fact:
+    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
+
 - name: Apply Resources
   k8s:
     apply: yes
@@ -30,7 +40,7 @@
     - 'persistent'
     - 'service'
     - 'ingress'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set default awx app image
   set_fact:
@@ -62,16 +72,6 @@
   set_fact:
     _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"
 
-- name: Set user provided control plane ee image
-  set_fact:
-    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
-  when:
-    - control_plane_ee_image | default([]) | length
-
-- name: Set Control Plane EE image URL
-  set_fact:
-    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
-
 - name: Apply deployment resources
   k8s:
     apply: yes

roles/installer/tasks/secret_key_configuration.yml

@@ -5,7 +5,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ secret_key_secret }}'
   register: _custom_secret_key
-  no_log: true
+  no_log: "{{ no_log }}"
   when: secret_key_secret | length
 
 - name: Check for default secret key configuration
@@ -14,19 +14,19 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ ansible_operator_meta.name }}-secret-key'
   register: _default_secret_key
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set secret key secret
   set_fact:
     _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - block:
     - name: Create secret key secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Read secret key secret
       k8s_info:
@@ -34,16 +34,16 @@
         namespace: '{{ ansible_operator_meta.namespace }}'
         name: '{{ ansible_operator_meta.name }}-secret-key'
       register: _generated_secret_key
-      no_log: true
+      no_log: "{{ no_log }}"
 
   when: not _secret_key_secret['resources'] | default([]) | length
 
 - name: Set secret key secret
   set_fact:
     __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret)  }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Store secret key secret name
   set_fact:
     secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/installer/templates/config.yaml.j2

@@ -60,8 +60,8 @@ data:
     CLUSTER_HOST_ID = socket.gethostname()
     SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
-    CSRF_COOKIE_SECURE = False
-    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
     
     SERVER_EMAIL = 'root@localhost'
     DEFAULT_FROM_EMAIL = 'webmaster@localhost'
@@ -176,6 +176,8 @@ data:
     
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
+            # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+            add_header X-Content-Type-Options nosniff;
     
             location /nginx_status {
                 stub_status on;
@@ -229,6 +231,7 @@ data:
                 add_header Strict-Transport-Security max-age=15768000;
                 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
                 add_header X-Frame-Options "DENY";
+                add_header X-Content-Type-Options nosniff;
                 add_header Cache-Control "no-cache, no-store, must-revalidate";
                 add_header Expires "0";
                 add_header Pragma "no-cache";

roles/installer/templates/deployment.yaml.j2

@@ -33,9 +33,17 @@ spec:
 {% endif %}
     spec:
       serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if control_plane_priority_class is defined %}
+      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
       initContainers:
 {% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
@@ -93,6 +101,7 @@ spec:
               mountPath: "/var/run/redis"
             - name: "{{ ansible_operator_meta.name }}-redis-data"
               mountPath: "/data"
+          resources: {{ redis_resource_requirements }}
         - image: '{{ _image }}'
           name: '{{ ansible_operator_meta.name }}-web'
 {% if web_command %}

roles/installer/templates/postgres.yaml.j2

@@ -33,9 +33,17 @@ spec:
         app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if postgres_priority_class is defined %}
+      priorityClassName: '{{ postgres_priority_class }}'
 {% endif %}
       initContainers:
         - name: database-check

roles/restore/defaults/main.yml

@@ -10,3 +10,6 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
 
 # Required: backup name, found on the awxbackup object
 backup_dir: ''
+
+# Set no_log settings on certain tasks
+no_log: 'true'

roles/restore/tasks/cleanup.yml

@@ -22,7 +22,7 @@
     - '{{ admin_password_secret }}'
     - '{{ broadcast_websocket_secret }}'
     - '{{ postgres_configuration_secret }}'
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Cleanup temp spec file
   file:

roles/restore/tasks/postgres.yml

@@ -10,7 +10,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: '{{ postgres_configuration_secret }}'
   register: pg_config
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Store Database Configuration
   set_fact:
@@ -20,7 +20,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -37,6 +37,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
 
@@ -65,7 +66,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
-  no_log: true
+  no_log: "{{ no_log }}"
   when: awx_postgres_type == 'managed'
 
 - name: Set pg_restore command
@@ -77,7 +78,7 @@
       -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Restore database dump to the new postgresql container
   k8s_exec:
@@ -90,5 +91,5 @@
       echo 'Successful'
       """
   register: data_migration
-  no_log: true
+  no_log: "{{ no_log }}"
   failed_when: "'Successful' not in data_migration.stdout"

roles/restore/tasks/secrets.yml

@@ -7,7 +7,7 @@
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
   register: _secrets
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Create Temporary secrets file
   tempfile:
@@ -20,38 +20,38 @@
     dest: "{{ tmp_secrets.path }}"
     content: "{{ _secrets.stdout }}"
     mode: 0640
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Include secret vars from backup
   include_vars: "{{ tmp_secrets.path }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: If deployment is managed, set the database_host in the pg config secret
   block:
     - name: Set new database host
       set_fact:
         database_host: "{{ deployment_name }}-postgres"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Set tmp postgres secret dict
       set_fact:
         _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Change postgres host value
       set_fact:
         _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Create a postgres secret with the new host value
       set_fact:
         _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
-      no_log: true
+      no_log: "{{ no_log }}"
 
     - name: Create a new dict of secrets with the new postgres secret
       set_fact:
         secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
-      no_log: true
+      no_log: "{{ no_log }}"
   when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
@@ -61,7 +61,7 @@
     apply: yes
     wait: yes
     definition: "{{ lookup('template', 'secrets.yml.j2') }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Remove ownerReference on restored secrets
   k8s:
@@ -73,4 +73,4 @@
         namespace: '{{ ansible_operator_meta.namespace }}'
         ownerReferences: null
   loop: "{{ secrets | dict2items }}"
-  no_log: true
+  no_log: "{{ no_log }}"