Add doc note about extra_settings being read-only in AWX UI

Co-authored-by: Christian Adams <rooftopcellist@gmail.com>

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-##### ISSUE TYPE
- - Bug Report
-
-##### SUMMARY
-<!-- Briefly describe the problem. -->
-
-##### ENVIRONMENT
-* AWX version: X.Y.Z
-* Operator version: X.Y.Z
-* Kubernetes version: 
-* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
-
-##### STEPS TO REPRODUCE
-
-<!-- Please describe exactly how to reproduce the problem. -->
-
-##### EXPECTED RESULTS
-
-<!-- What did you expect to happen when running the steps above? -->
-
-##### ACTUAL RESULTS
-
-<!-- What actually happened? -->
-
-##### ADDITIONAL INFORMATION
-
-<!-- Include any links to sosreport, database dumps, screenshots or other
-information. -->
-
-##### AWX-OPERATOR LOGS

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,125 @@
+---
+name: Bug Report
+description: "🐞 Create a report to help us improve"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Bug Report issues are for **concrete, actionable bugs** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Bug Summary
+      description: Briefly describe the problem.
+    validations:
+      required: false
+
+  - type: input
+    id: awx-operator-version
+    attributes:
+      label: AWX Operator version
+      description: What version of the AWX Operator are you running?
+    validations:
+      required: true
+
+  - type: input
+    id: awx-version
+    attributes:
+      label: AWX version
+      description: What version of AWX are you running?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Kubernetes platform
+      description: What platform did you install the Operator in?
+      multiple: false
+      options:
+        - kubernetes
+        - minikube
+        - openshift
+        - minishift
+        - docker development environment
+        - other (please specify in additional information)
+    validations:
+      required: true
+
+  - type: input
+    id: kube-version
+    attributes:
+      label: Kubernetes/Platform version
+      description: What version of your platform/kuberneties are you using?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: modified-architecture
+    attributes:
+      label: Modifications
+      description: >-
+       Have you modified the installation, deployment topology, or container images in any way? If yes, please
+       explain in the "additional information" field at the bottom of the form.
+      multiple: false
+      options:
+        - "no"
+        - "yes"
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to reproduce
+      description: >-
+        Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
+        on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-results
+    attributes:
+      label: Expected results
+      description: What did you expect to happpen when running the steps above?
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual-results
+    attributes:
+      label: Actual results
+      description: What actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional information
+      description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
+    validations:
+      required: false
+
+  - type: textarea
+    id: operator-logs
+    attributes:
+      label: Operator Logs
+      description: Include any relevant logs generated by the operator.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+---
+blank_issues_enabled: false
+contact_links:
+  - name: For debugging help or technical support
+    url: https://github.com/ansible/awx-operator#get-involved
+    about: For general debugging or technical support please see the Get Involved section of our readme.
+  - name: 📝 Ansible Code of Conduct
+    url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
+    about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
+  - name: 💼 For Enterprise
+    url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
+    about: Red Hat offers support for the Ansible Automation Platform

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+---
+name: ✨ Feature request
+description: Suggest an idea for this project
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Feature Request issues are for **feature requests** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Feature Summary
+      description: Briefly describe the desired enhancement.
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+##### SUMMARY
+<!--- Describe the change, including rationale and design decisions -->
+
+<!---
+If you are fixing an existing issue, please include "fixes #nnn" in your
+commit message and your description; but you should still explain what
+the change does.
+-->
+
+##### ISSUE TYPE
+<!--- Pick one below and delete the rest: -->
+ - Breaking Change 
+ - New or Enhanced Feature
+ - Bug, Docs Fix or other nominal change
+
+##### ADDITIONAL INFORMATION
+<!---
+Include additional information to help people understand the change here.
+For bugs that don't have a linked bug report, a step-by-step reproduction
+of the problem is helpful.
+-->
+
+<!--- Paste verbatim command output below, e.g. before and after your change -->
+```
+
+```

.github/workflows/ci.yaml

@@ -10,11 +10,11 @@ on:
     branches: [devel]
 
 jobs:
-  pull_request:
-    runs-on: ubuntu-18.04
-    name: pull_request
+  molecule:
+    runs-on: ubuntu-latest
+    name: molecule
     env:
-      DOCKER_API_VERSION: "1.38"
+      DOCKER_API_VERSION: "1.41"
     steps:
       - uses: actions/checkout@v2
 
@@ -39,3 +39,61 @@ jobs:
           sudo rm -f $(which kustomize)
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+  helm:
+    runs-on: ubuntu-latest
+    name: helm
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.2.0
+
+      - name: Build operator image and load into kind
+        run: |
+          IMG=awx-operator-ci make docker-build
+          kind load docker-image --name chart-testing awx-operator-ci
+
+      - name: Patch pull policy for tests
+        run: |
+          kustomize edit add patch --path ../testing/pull_policy/Never.yaml
+        working-directory: config/default
+
+      - name: Build and lint helm chart
+        run: |
+          IMG=awx-operator-ci make helm-chart
+          helm lint ./charts/awx-operator
+
+      - name: Install kubeval
+        run: |
+          mkdir tmp && cd tmp
+          wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
+          tar xf kubeval-linux-amd64.tar.gz
+          sudo cp kubeval /usr/local/bin
+        working-directory: ./charts
+
+      - name: Run kubeval
+        run: |
+          helm template -n awx awx-operator > tmp/test.yaml
+          kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
+        working-directory: ./charts
+
+      - name: Install helm chart
+        run: |
+          helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
+  no-log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v2
+
+      - name: Check no_log statements
+        run: |
+          set +e
+          no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
+          if [ -n "${no_log}" ]; then
+            echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
+            echo "${no_log}"
+            exit 1
+          fi

.github/workflows/devel.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     name: Push devel image
     steps:
       - uses: actions/checkout@v2

.github/workflows/feature.yml

@@ -0,0 +1,75 @@
+---
+
+name: Feature Branch Image Build and Push
+
+on:
+  push:
+    branches: [feature_*]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    name: Push devel image
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # needed so that git describe --tag works
+
+      - name: Set VERSION
+        run: |
+          echo "VERSION=$(git describe --tags)" >>${GITHUB_ENV}
+
+      - name: Set lower case owner name
+        run: |
+          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
+        env:
+          OWNER: '${{ github.repository_owner }}'
+
+      - name: Set IMAGE_TAG_BASE
+        run: |
+          echo "IMAGE_TAG_BASE=ghcr.io/${OWNER_LC}/awx-operator" >>${GITHUB_ENV}
+
+      - name: Set ARCH environment variable
+        run: |
+          echo "ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)" >>${GITHUB_ENV}
+
+      - name: Set OS environment variable
+        run: |
+          echo "OS=$(uname | awk '{print tolower($0)}')" >>${GITHUB_ENV}
+
+      - name: Install operator-sdk
+        run: |
+          echo "Installing operator-sdk ${OPERATOR_SDK_DL_URL}" && \
+          curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} && \
+          chmod +x operator-sdk_${OS}_${ARCH} && \
+          sudo mkdir -p /usr/local/bin/ && \
+          sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk && \
+          operator-sdk version
+        env:
+          OPERATOR_SDK_DL_URL: https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0
+
+      - name: Log in to registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build and Push awx-operator Image
+        run: |
+          make docker-build docker-push
+          docker tag ${IMAGE_TAG_BASE}:${VERSION} ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+
+      - name: Build bundle manifests
+        run: |
+          make bundle
+
+      - name: Build and Push awx-operator Bundle
+        run: |
+          make bundle-build bundle-push
+          docker tag ${IMAGE_TAG_BASE}-bundle:v${VERSION} ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+
+      - name: Build and Push awx-operator Catalog
+        run: |
+          make catalog-build catalog-push
+          docker tag ${IMAGE_TAG_BASE}-catalog:v${VERSION} ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}

.github/workflows/label_issue.yml

@@ -0,0 +1,54 @@
+---
+name: Label Issues
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label Issue - Needs Triage
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'
+
+  community:
+    runs-on: ubuntu-latest
+    name: Label Issue - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/label_pr.yml

@@ -0,0 +1,40 @@
+name: Label PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  community:
+    runs-on: ubuntu-latest
+    name: Label PR - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr_body_check.yml

@@ -0,0 +1,37 @@
+---
+name: PR Check
+env:
+  BRANCH: ${{ github.base_ref || 'devel' }}
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+jobs:
+  pr-check:
+    name: Scan PR description for semantic versioning keywords
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check for each of the lines
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "$PR_BODY" | grep "Bug, Docs Fix or other nominal change" > Z
+          echo "$PR_BODY" | grep "New or Enhanced Feature" > Y
+          echo "$PR_BODY" | grep "Breaking Change" > X
+          exit 0
+        # We exit 0 and set the shell to prevent the returns from the greps from failing this step
+        # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+        shell: bash {0}
+
+      - name: Check for exactly one item
+        run: |
+          if [ $(cat X Y Z | wc -l) != 1 ] ; then
+            echo "The PR body must contain exactly one of [ 'Bug, Docs Fix or other nominal change', 'New or Enhanced Feature', 'Breaking Change' ]"
+            echo "We counted $(cat X Y Z | wc -l)"
+            echo "See the default PR body for examples"
+            exit 255;
+          else
+            exit 0;
+          fi

.github/workflows/promote.yaml

@@ -8,6 +8,10 @@ jobs:
   promote:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
       - name: Log in to GHCR
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +27,13 @@ jobs:
           docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
           docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
           docker push quay.io/${{ github.repository }}:latest
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ github.event.release.tag_name }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }} \
+            -e gh_user=${{ github.actor }} \
+            -e repo_type=https

.github/workflows/publish-helm.yml

@@ -0,0 +1,26 @@
+---
+name: Re-publish helm chart
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+        type: string
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ inputs.tag }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }} \
+            -e gh_user=${{ github.actor }} \
+            -e repo_type=https

.github/workflows/triage_new.yml

@@ -1,22 +0,0 @@
----
-name: Triage
-
-on:
-  issues:
-    types:
-      - opened
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    name: Label
-
-    steps:
-      - name: Label issues
-        uses: github/issue-labeler@v2.4.1
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          not-before: 2021-12-07T07:00:00Z
-          configuration-path: .github/issue_labeler.yml
-          enable-versioned-regex: 0
-        if: github.event_name == 'issues'

.gitignore

@@ -1,6 +1,11 @@
 *~
+gh-pages/
 .cache/
 /bin
 /bundle
 /bundle_tmp*
 /bundle.Dockerfile
+/charts
+/.cr-release-packages
+.vscode/
+__pycache__

.helm/starter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.helm/starter/Chart.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Kubernetes
+name: starter
+type: application
+version: 0.1.0

.helm/starter/README.md

@@ -0,0 +1,67 @@
+# AWX Operator Helm Chart
+
+This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
+
+## Getting Started
+To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
+
+In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
+
+### Installing
+The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
+
+Example:
+```
+helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
+```
+
+Argument breakdown:
+* `-f` passes in the file with your custom values
+* `-n` sets the namespace to be installed in
+  * This value is accessed by `{{ $.Release.Namespace }}` in the templates
+  * Acts as the default namespace for all unspecified resources
+* `--create-namespace` specifies that helm should create the namespace before installing
+
+To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
+
+## Configuration
+The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
+
+These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
+
+### External Postgres
+The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
+
+
+## Values Summary
+
+### AWX
+| Value | Description | Default |
+|---|---|---|
+| `AWX.enabled` | Enable this AWX resource configuration | `false` |
+| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
+| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
+| `AWX.postgres` | configurations for the external postgres secret | - |
+
+
+# Contributing
+
+## Adding abstracted sections
+Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
+
+## Building and Testing
+This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
+
+## Future Goals
+All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
+
+
+# Chart Publishing
+
+The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
+
+Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
+
+Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.
+
+

.helm/starter/templates/_helpers.tpl

@@ -0,0 +1,6 @@
+{{/*
+Generate the name of the postgres secret, expects AWX context passed in
+*/}}
+{{- define "postgres.secretName" -}}
+{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
+{{- end }}

.helm/starter/templates/awx-deploy.yaml

@@ -0,0 +1,24 @@
+{{- if $.Values.AWX.enabled }}
+{{- with .Values.AWX }}
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+{{- /* Include raw map from the values file spec */}}
+{{ .spec | toYaml | indent 2 }}
+{{- /* Provide security context defaults */}}
+  {{- if not (hasKey .spec "security_context_settings") }}
+  security_context_settings:
+    runAsGroup: 0
+    runAsUser: 0
+    fsGroup: 0
+    fsGroupChangePolicy: OnRootMismatch
+  {{- end }}
+{{- /* Postgres configs if enabled and not already present */}}
+  {{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
+  postgres_configuration_secret: {{ include "postgres.secretName" $ }}
+  {{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/postgres-config.yaml

@@ -0,0 +1,18 @@
+{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "postgres.secretName" . }}
+  namespace: {{ $.Release.Namespace }}
+{{- with $.Values.AWX.postgres }}
+stringData:
+  host: {{ .host }}
+  port: {{ .port | quote }}
+  database: {{ .dbName }}
+  username: {{ .username }}
+  password: {{ .password }}
+  sslmode: {{ .sslmode }}
+  type: {{ .type }}
+type: Opaque
+{{- end }}
+{{- end }}

.helm/starter/values.yaml

@@ -0,0 +1,19 @@
+AWX:
+  # enable use of awx-deploy template
+  enabled: false
+  name: awx
+  spec:
+    admin_user: admin
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    host: Unset
+    port: 5678
+    dbName: Unset
+    username: admin
+    # for secret management, pass in the password independently of this file
+    # at the command line, use --set AWX.postgres.password
+    password: Unset
+    sslmode: prefer
+    type: unmanaged

.yamllint

@@ -6,8 +6,15 @@ ignore: |
   kustomization.yaml
   awx-operator.clusterserviceversion.yaml
   bundle
+  .helm/starter
+  hacking/
 
 rules:
   truthy: disable
   line-length:
     max: 170
+  document-start: disable
+  comments-indentation: disable
+  indentation:
+    level: warning
+    indent-sequences: consistent

CONTRIBUTING.md

@@ -31,7 +31,7 @@ Have questions about this document or anything not covered here? Please file a n
 ```
 2. Make your changes.
 3. Test your changes according described on the Testing section.
-4. If everylooks looks correct, commit your changes.
+4. If everything looks correct, commit your changes.
 ```sh
 #> git add <FILES>
 #> git commit -m "My message here"
@@ -56,14 +56,17 @@ Running `molecule test` sets up a clean environment, builds the operator, runs a
 
 If you want to actively develop the operator, use `molecule converge`, which does everything but tear down the environment at the end.
 
-#### Testing in Docker
+#### Testing in Kind
+
+Testing with a kind cluster is the recommended way to test the awx-operator locally. First, you need to install kind if you haven't already. Please see these docs for setting that up:
+* https://kind.sigs.k8s.io/docs/user/quick-start/
+
+To run the tests, from the root of your checkout, run the following command:
 
 ```sh
-#> molecule test -s test-local
+#> molecule test -s kind
 ```
 
-This environment is meant for headless testing (e.g. in a CI environment, or when making smaller changes which don't need to be verified through a web interface). It is difficult to test things like AWX's web UI or to connect other applications on your local machine to the services running inside the cluster, since it is inside a Docker container with no static IP address.
-
 #### Testing in Minikube
 
 ```sh
@@ -137,4 +140,4 @@ Applying this template will do it. Once the CatalogSource is in a READY state, t
 
 ## Reporting Issues
 
-We welcome your feedback, and encourage you to file an issue when you run into a problem.
+We welcome your feedback, and encourage you to file an issue when you run into a problem.

Dockerfile

@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.12.0
+FROM quay.io/operator-framework/ansible-operator:v1.28.1
+
+USER 0
+
+RUN dnf install -y openssl
+
+USER 1001
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION
@@ -12,3 +18,8 @@ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
 COPY watches.yaml ${HOME}/watches.yaml
 COPY roles/ ${HOME}/roles/
 COPY playbooks/ ${HOME}/playbooks/
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", \
+    "--watches-file=./watches.yaml", \
+    "--reconcile-period=0s" \
+    ]

Makefile

@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)
 
 CONTAINER_CMD ?= docker
 
+# GNU vs BSD in-place sed
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_I := sed -i
+else
+	SED_I := sed -i ''
+endif
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -37,10 +44,31 @@ IMAGE_TAG_BASE ?= quay.io/ansible/awx-operator
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+       BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
 
+# Helm variables
+CHART_NAME ?= awx-operator
+CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
+CHART_OWNER ?= $(GH_REPO_OWNER)
+CHART_REPO ?= awx-operator
+CHART_BRANCH ?= gh-pages
+CHART_DIR ?= gh-pages
+CHART_INDEX ?= index.yaml
+
+.PHONY: all
 all: docker-build
 
 ##@ General
@@ -56,44 +84,54 @@ all: docker-build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 
+.PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 ##@ Build
 
+.PHONY: run
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
 	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 
+.PHONY: docker-build
 docker-build: ## Build docker image with the manager.
 	${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
 
+.PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	${CONTAINER_CMD} push ${IMG}
 
 ##@ Deployment
 
+.PHONY: install
 install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
+.PHONY: uninstall
 uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+.PHONY: gen-resources
 gen-resources: kustomize ## Generate resources for controller and print to stdout
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default
 
+.PHONY: deploy
 deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+.PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +141,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.0.1/kustomize_v5.0.1_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -119,7 +157,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -150,7 +188,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.26.0/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -181,3 +219,180 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+.PHONY: kubectl-slice
+KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
+kubectl-slice: ## Download kubectl-slice locally if necessary.
+ifeq (,$(wildcard $(KUBECTL_SLICE)))
+ifeq (,$(shell which kubectl-slice 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(KUBECTL_SLICE)) ;\
+	curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_$(OS)_$(ARCHX).tar.gz | \
+	tar xzf - -C bin/ kubectl-slice ;\
+	}
+else
+KUBECTL_SLICE = $(shell which kubectl-slice)
+endif
+endif
+
+.PHONY: helm
+HELM = $(shell pwd)/bin/helm
+helm: ## Download helm locally if necessary.
+ifeq (,$(wildcard $(HELM)))
+ifeq (,$(shell which helm 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
+	mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
+	rmdir bin/$(OS)-$(ARCHA) ;\
+	}
+else
+HELM = $(shell which helm)
+endif
+endif
+
+.PHONY: yq
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+ifeq (,$(wildcard $(YQ)))
+ifeq (,$(shell which yq 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ ;\
+	mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
+	}
+else
+YQ = $(shell which yq)
+endif
+endif
+
+PHONY: cr
+CR = $(shell pwd)/bin/cr
+cr: ## Download cr locally if necessary.
+ifeq (,$(wildcard $(CR)))
+ifeq (,$(shell which cr 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(CR)) ;\
+	curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ cr ;\
+	}
+else
+CR = $(shell which cr)
+endif
+endif
+
+charts:
+	mkdir -p $@
+
+.PHONY: helm-chart
+helm-chart: helm-chart-generate
+
+.PHONY: helm-chart-generate
+helm-chart-generate: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE: Set image and chart label =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+
+	@echo "== Gather Helm Chart Metadata =="
+	# remove the existing chart if it exists
+	rm -rf charts/$(CHART_NAME)
+	# create new chart metadata in Chart.yaml
+	cd charts && \
+		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
+		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
+
+	@echo "Generated chart metadata:"
+	@cat charts/$(CHART_NAME)/Chart.yaml
+
+	@echo "== KUSTOMIZE: Generate resources and slice into templates =="
+	# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
+	# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
+		$(KUBECTL_SLICE) --input-file=- \
+			--output-dir=charts/$(CHART_NAME)/raw-files \
+			--sort-by-kind
+
+	@echo "== GIT: Reset kustomize configs =="
+	# reset kustomize configs following kustomize build
+	git checkout -f config/.
+
+	@echo "== Build Templates and CRDS =="
+	# Delete metadata.namespace, release namespace will be automatically inserted by helm
+	for file in charts/$(CHART_NAME)/raw-files/*; do\
+		$(YQ) -i 'del(.metadata.namespace)' $${file};\
+	done
+	# Correct namespace for rolebinding to be release namespace, this must be explicit
+	for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
+		$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
+	done
+	# move all custom resource definitions to crds folder
+	mkdir charts/$(CHART_NAME)/crds
+	mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
+	# remove any namespace definitions
+	rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
+	# move remaining resources to helm templates
+	mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
+	# remove the raw-files folder
+	rm -rf charts/$(CHART_NAME)/raw-files
+
+	# create and populate NOTES.txt
+	@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+	@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
+
+
+.PHONY: helm-package
+helm-package: helm-chart
+	@echo "== Package Current Chart Version =="
+	mkdir -p .cr-release-packages
+	# package the chart and put it in .cr-release-packages dir
+	$(HELM) package ./charts/awx-operator -d .cr-release-packages/$(VERSION)
+
+# List all tags oldest to newest.
+TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
+
+# The actual release happens in ansible/helm-release.yml, which calls this targer
+# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
+# that is contained within a larger repo, where a tag may not require a new chart version
+.PHONY: helm-index
+helm-index:
+	# when running in CI the gh-pages branch is checked out by the ansible playbook
+	# TODO: test if gh-pages directory exists and if not exist
+
+	@echo "== GENERATE INDEX FILE =="
+	# This step to workaround issues with old releases being dropped.
+	# Until https://github.com/helm/chart-releaser/issues/133 happens
+	@echo "== CHART FETCH previous releases =="
+	# Download all old releases
+	mkdir -p .cr-release-packages
+
+	for tag in $(TAGS); do\
+		dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
+		echo "Downloading $${tag} from $${dl_url}";\
+		curl -RLOs -z "$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
+		result=$$?;\
+		if [ $${result} -eq 0 ]; then\
+			echo "Downloaded $${dl_url}";\
+			mkdir -p .cr-release-packages/$${tag};\
+			mv ./$(CHART_REPO)-$${tag}.tgz .cr-release-packages/$${tag};\
+		else\
+			echo "Skipping release $${tag}; No helm chart present";\
+			rm -rf "$(CHART_REPO)-$${tag}.tgz";\
+		fi;\
+	done;\
+
+	# generate the index file in the root of the gh-pages branch
+	# --merge will leave any values in index.yaml that don't get generated by this command, but
+	# it is likely that all values are overridden
+	$(HELM) repo index .cr-release-packages --url https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/ --merge $(CHART_DIR)/index.yaml
+
+	mv .cr-release-packages/index.yaml $(CHART_DIR)/index.yaml

PROJECT

@@ -13,4 +13,18 @@ resources:
   group: awx
   kind: AWX
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXBackup
+  version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXRestore
+  version: v1beta1
 version: "3"

SECURITY.md

@@ -0,0 +1,3 @@
+For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
+
+For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

ansible/helm-release.yml

@@ -0,0 +1,122 @@
+---
+- hosts: localhost
+  vars:
+    chart_repo: awx-operator
+  environment:
+    CHART_OWNER: "{{ chart_owner }}"
+  tasks:
+    - name: Look up release
+      uri:
+        url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
+      register: release
+      ignore_errors: yes
+
+    - fail:
+        msg: |
+          Release must exist before running this playbook
+      when: release is not success
+
+    - name: Set helm filename and commit message
+      set_fact:
+        asset_already_attached: False
+        helm_file_name: "awx-operator-{{ tag }}.tgz"
+        commit_message: "Updated index.yaml for release {{ release.json.tag_name }}"
+
+    - name: See if file is already attached
+      set_fact:
+        asset_already_attached: True
+      loop: "{{ release.json.get('assets', []) }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: item.name == helm_file_name
+
+    - when: not asset_already_attached
+      block:
+        - name: Build and package helm chart
+          command: |
+            make helm-package
+          environment:
+            VERSION: "{{ tag }}"
+            IMAGE_TAG_BASE: "{{ operator_image }}"
+          args:
+            chdir: "{{ playbook_dir }}/../"
+
+        # Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
+        - name: Upload helm chart
+          uri:
+            url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name={{ helm_file_name }}"
+            src: "{{ playbook_dir }}/../.cr-release-packages/{{ tag }}/awx-operator-{{ tag }}.tgz"
+            headers:
+              Authorization: "token {{ gh_token }}"
+              Content-Type: "application/octet-stream"
+            status_code:
+              - 200
+              - 201
+          register: asset_upload
+          changed_when: asset_upload.json.state == "uploaded"
+
+    - name: Ensure gh-pages exists
+      file:
+        state: directory
+        path: "{{ playbook_dir }}/../gh-pages"
+
+    - name: Check if we have published the release
+      command:
+        cmd: "git log --grep='{{ commit_message }}'"
+        chdir: "{{ playbook_dir }}/../gh-pages"
+      register: commits_for_release
+
+    - when: commits_for_release.stdout == ''
+      block:
+        - name: Make a temp dir
+          tempfile:
+            state: directory
+          register: temp_dir
+
+        - name: Clone the gh-pages branch from {{ chart_owner }}
+          git:
+            repo: "{{ ((repo_type | default('http')) == 'ssh') | ternary(ssh_repo, http_repo) }}"
+            dest: "{{ temp_dir.path }}"
+            single_branch: yes
+            version: gh-pages
+          vars:
+            http_repo: "https://github.com/{{ chart_owner }}/{{ chart_repo }}"
+            ssh_repo: "git@github.com:{{ chart_owner }}/{{ chart_repo }}.git"
+
+        - name: Publish helm index
+          ansible.builtin.command:
+            cmd: make helm-index
+          environment:
+            CHART_OWNER: "{{ chart_owner }}"
+            CR_TOKEN: "{{ gh_token }}"
+            CHART_DIR: "{{ temp_dir.path }}"
+          args:
+            chdir: "{{ playbook_dir }}/.."
+
+        - name: Set url base swap in gitconfig
+          command:
+            cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
+          args:
+            chdir: "{{ temp_dir.path }}/"
+          no_log: true
+
+        - name: Stage and Push commit to gh-pages branch
+          command:
+            cmd: "{{ item }}"
+          loop:
+            - git add index.yaml
+            - git commit -m "{{ commit_message }}"
+            - git push
+          args:
+            chdir: "{{ temp_dir.path }}/"
+          environment:
+            GIT_AUTHOR_NAME: "{{ gh_user }}"
+            GIT_AUTHOR_EMAIL: "{{ gh_user }}@users.noreply.github.com"
+            GIT_COMMITTER_NAME: "{{ gh_user }}"
+            GIT_COMMITTER_EMAIL: "{{ gh_user }}@users.noreply.github.com"
+
+      always:
+        - name: Remove temp dir
+          file:
+            path: "{{ temp_dir.path }}"
+            state: absent

ansible/instantiate-awx-deployment.yml

@@ -26,6 +26,7 @@
             image_version: "{{ image_version | default(omit) }}"
             development_mode: "{{ development_mode | default(omit) | bool }}"
             image_pull_policy: "{{ image_pull_policy | default(omit) }}"
+            nodeport_port: "{{ nodeport_port | default(omit) }}"
             # ee_images:
             #   - name: test-ee
             #     image: quay.io/<user>/awx-ee

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -0,0 +1,132 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxbackups.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXBackup
+    listKind: AWXBackupList
+    plural: awxbackups
+    singular: awxbackup
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXBackup CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              deployment_name:
+                description: Name of the deployment to be backed up
+                type: string
+              backup_pvc:
+                description: Name of the backup PVC
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_storage_requirements:
+                description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
+                type: string
+              backup_resource_requirements:
+                description: Resource requirements for the management pod used to create a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              backup_storage_class:
+                description: Storage class to use when creating PVC for backup
+                type: string
+              clean_backup_on_delete:
+                description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
+                type: boolean
+              pg_dump_suffix:
+                description: Additional parameters for the pg_dump command
+                type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -0,0 +1,133 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxrestores.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXRestore
+    listKind: AWXRestoreList
+    plural: awxrestores
+    singular: awxrestore
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXRestore CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              backup_source:
+                description: Backup source
+                type: string
+                enum:
+                - Backup CR
+                - PVC
+              deployment_name:
+                description: Name of the restored deployment. This should be different from the original deployment name
+                  if the original deployment still exists.
+                type: string
+              cluster_name:
+                description: Cluster name
+                type: string
+              backup_name:
+                description: AWXBackup object name
+                type: string
+              backup_pvc:
+                description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_dir:
+                description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
+                type: string
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean

config/crd/bases/awxbackup.ansible.com_awxbackups.yaml

@@ -1,77 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxbackups.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXBackup
-    listKind: AWXBackupList
-    plural: awxbackups
-    singular: awxbackup
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXBackup CRD
-          properties:
-            spec:
-              type: object
-              required:
-                - deployment_name
-              properties:
-                deployment_name:
-                  description: Name of the deployment to be backed up
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be used for storing the backup
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_storage_requirements:
-                  description: Storage requirements for the PostgreSQL container
-                  type: string
-                backup_storage_class:
-                  description: Storage class to use when creating PVC for backup
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                backupDirectory:
-                  description: Backup directory name on the specified pvc
-                  type: string
-                backupClaim:
-                  description: Backup persistent volume claim
-                  type: string

config/crd/bases/awxrestore.ansible.com_awxrestores.yaml

@@ -1,78 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxrestores.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXRestore
-    listKind: AWXRestoreList
-    plural: awxrestores
-    singular: awxrestore
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXRestore CRD
-          properties:
-            spec:
-              type: object
-              properties:
-                backup_source:
-                  description: Backup source
-                  type: string
-                  enum:
-                    - CR
-                    - PVC
-                deployment_name:
-                  description: Name of the deployment to be restored to
-                  type: string
-                backup_name:
-                  description: AWXBackup object name
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_dir:
-                  description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                restoreComplete:
-                  description: Restore process complete
-                  type: boolean

config/crd/kustomization.yaml

@@ -1,9 +1,8 @@
----
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
-  - bases/awx.ansible.com_awxs.yaml
-  - bases/awxbackup.ansible.com_awxbackups.yaml
-  - bases/awxrestore.ansible.com_awxrestores.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
+- bases/awx.ansible.com_awxs.yaml
+- bases/awx.ansible.com_awxbackups.yaml
+- bases/awx.ansible.com_awxrestores.yaml
+#+kubebuilder:scaffold:crdkustomizeresource

config/default/kustomization.yaml

@@ -1,24 +1,30 @@
 # Adds namespace to all resources.
 namespace: awx
+
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
 namePrefix: awx-operator-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
-  # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-  # - ../prometheus
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-patchesStrategicMerge:
-- manager_auth_proxy_patch.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
+
 resources:
 - ../crd
 - ../rbac
 - ../manager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patches:
+- path: manager_auth_proxy_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -1,4 +1,3 @@
----
 # This patch inject a sidecar container which is a HTTP proxy for the
 # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
@@ -10,20 +9,32 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-          args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=10"
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-              name: https
-        - name: awx-manager
-          args:
-            - "--health-probe-bind-address=:6789"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"
-            - "--leader-election-id=awx-operator"
+      - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: awx-manager
+        args:
+        - "--health-probe-bind-address=:6789"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"
+        - "--leader-election-id=awx-operator"

config/default/manager_config_patch.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -8,14 +7,14 @@ spec:
   template:
     spec:
       containers:
-        - name: awx-manager
-          args:
-            - "--config=controller_manager_config.yaml"
-          volumeMounts:
-            - name: awx-manager-config
-              mountPath: /controller_manager_config.yaml
-              subPath: controller_manager_config.yaml
-      volumes:
+      - name: awx-manager
+        args:
+        - "--config=controller_manager_config.yaml"
+        volumeMounts:
         - name: awx-manager-config
-          configMap:
-            name: awx-manager-config
+          mountPath: /controller_manager_config.yaml
+          subPath: controller_manager_config.yaml
+      volumes:
+      - name: awx-manager-config
+        configMap:
+          name: awx-manager-config

config/manager/controller_manager_config.yaml

@@ -1,10 +1,20 @@
----
-apiVersion: controller-runtime.sigs.k8s.io/v1beta1
+apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
 kind: ControllerManagerConfig
 health:
   healthProbeBindAddress: :6789
 metrics:
   bindAddress: 127.0.0.1:8080
+
 leaderElection:
   leaderElect: true
   resourceName: 811c9dc5.ansible.com
+# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true

config/manager/kustomization.yaml

@@ -1,11 +1,14 @@
 resources:
 - manager.yaml
+
 generatorOptions:
   disableNameSuffixHash: true
+
 configMapGenerator:
-- files:
+- name: awx-manager-config
+  files:
   - controller_manager_config.yaml
-  name: awx-manager-config
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

config/manager/manager.yaml

@@ -20,39 +20,61 @@ spec:
   replicas: 1
   template:
     metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: awx-manager
       labels:
         control-plane: controller-manager
     spec:
       securityContext:
         runAsNonRoot: true
+        # For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
-        - args:
-            - --leader-elect
-            - --leader-election-id=awx-operator
-          image: controller:latest
-          name: awx-manager
-          env:
-            - name: ANSIBLE_GATHERING
-              value: explicit
-            - name: ANSIBLE_DEBUG_LOGS
-              value: 'false'
-            - name: WATCH_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 10
+      - args:
+        - --leader-elect
+        - --leader-election-id=awx-operator
+        image: controller:latest
+        name: awx-manager
+        env:
+        - name: ANSIBLE_GATHERING
+          value: explicit
+        - name: ANSIBLE_DEBUG_LOGS
+          value: 'false'
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "50m"
+          limits:
+            memory: "4096Mi"
+            cpu: "2000m"
       serviceAccountName: controller-manager
+      imagePullSecrets:
+      - name: redhat-operators-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/kustomization.yaml

@@ -1,8 +1,7 @@
----
 # These resources constitute the fully configured set of manifests
 # used to generate the 'manifests/' directory in a bundle.
 resources:
-  - bases/awx-operator.clusterserviceversion.yaml
-  - ../default
-  - ../samples
-  - ../scorecard
+- bases/awx-operator.clusterserviceversion.yaml
+- ../default
+- ../samples
+- ../scorecard

config/prometheus/kustomization.yaml

@@ -1,3 +1,2 @@
----
 resources:
-  - monitor.yaml
+- monitor.yaml

config/prometheus/monitor.yaml

@@ -1,4 +1,3 @@
----
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -1,10 +1,9 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: metrics-reader
 rules:
-  - nonResourceURLs:
-      - "/metrics"
-    verbs:
-      - get
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/rbac/auth_proxy_role.yaml

@@ -1,18 +1,17 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: proxy-role
 rules:
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config/rbac/auth_proxy_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: ClusterRole
   name: proxy-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,9 +7,9 @@ metadata:
   namespace: system
 spec:
   ports:
-    - name: https
-      port: 8443
-      protocol: TCP
-      targetPort: https
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
   selector:
     control-plane: controller-manager

config/rbac/awx_editor_role.yaml

@@ -1,25 +1,24 @@
----
 # permissions for end users to edit awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-editor-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awx_viewer_role.yaml

@@ -1,21 +1,20 @@
----
 # permissions for end users to view awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-viewer-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awxbackup_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxbackup_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxrestore_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/awxrestore_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/kustomization.yaml

@@ -1,19 +1,18 @@
----
 resources:
-  # All RBAC will be applied under this service account in
-  # the deployment namespace. You may comment out this resource
-  # if your manager will use a service account that exists at
-  # runtime. Be sure to update RoleBinding and ClusterRoleBinding
-  # subjects if changing service account names.
-  - service_account.yaml
-  - role.yaml
-  - role_binding.yaml
-  - leader_election_role.yaml
-  - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
-  - auth_proxy_service.yaml
-  - auth_proxy_role.yaml
-  - auth_proxy_role_binding.yaml
-  - auth_proxy_client_clusterrole.yaml
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml

config/rbac/leader_election_role.yaml

@@ -1,38 +1,37 @@
----
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: leader-election-role
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

config/rbac/leader_election_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: Role
   name: leader-election-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/role.yaml

@@ -20,7 +20,6 @@ rules:
       - watch
   - apiGroups:
       - ""
-      - "rbac.authorization.k8s.io"
     resources:
       - pods
       - services
@@ -31,6 +30,17 @@ rules:
       - events
       - configmaps
       - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
       - roles
       - rolebindings
     verbs:
@@ -43,12 +53,22 @@ rules:
       - watch
   - apiGroups:
       - apps
-      - networking.k8s.io
     resources:
       - deployments
       - daemonsets
       - replicasets
       - statefulsets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
       - ingresses
     verbs:
       - get

config/rbac/service_account.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

config/samples/awx_v1beta1_awx.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   web_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   task_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   ee_resource_requirements:
     requests:
-      cpu: 200m
+      cpu: 50m
       memory: 64M

config/samples/awx_v1beta1_awxbackup.yaml

@@ -0,0 +1,13 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXBackup
+metadata:
+  name: example-awx-backup
+spec:
+  deployment_name: example-awx
+  backup_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/awx_v1beta1_awxrestore.yaml

@@ -0,0 +1,14 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXRestore
+metadata:
+  name: awxrestore-sample
+spec:
+  deployment_name: example-awx-2
+  backup_name: example-awx-backup
+  restore_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/kustomization.yaml

@@ -1,5 +1,6 @@
----
 ## Append samples you want in your CSV to this file as resources ##
 resources:
-  - awx_v1beta1_awx.yaml
-# +kubebuilder:scaffold:manifestskustomizesamples
+- awx_v1beta1_awx.yaml
+- awx_v1beta1_awxbackup.yaml
+- awx_v1beta1_awxrestore.yaml
+#+kubebuilder:scaffold:manifestskustomizesamples

config/scorecard/bases/config.yaml

@@ -1,8 +1,7 @@
----
 apiVersion: scorecard.operatorframework.io/v1alpha3
 kind: Configuration
 metadata:
   name: config
 stages:
-  - parallel: true
-    tests: []
+- parallel: true
+  tests: []

config/scorecard/kustomization.yaml

@@ -1,17 +1,16 @@
----
 resources:
-  - bases/config.yaml
+- bases/config.yaml
 patchesJson6902:
-  - path: patches/basic.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-  - path: patches/olm.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-# +kubebuilder:scaffold:patchesJson6902
+- path: patches/basic.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+- path: patches/olm.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+#+kubebuilder:scaffold:patchesJson6902

config/scorecard/patches/basic.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - basic-check-spec
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-bundle-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -13,9 +12,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -23,9 +22,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-resources
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -33,9 +32,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-spec-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -43,9 +42,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-status-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

config/testing/kustomization.yaml

@@ -1,13 +1,13 @@
 # Adds namespace to all resources.
 namespace: osdk-test
+
 namePrefix: osdk-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
-patchesStrategicMerge:
-- manager_image.yaml
-- debug_logs_patch.yaml
-- ../default/manager_auth_proxy_patch.yaml
+#commonLabels:
+#  someName: someValue
+
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
@@ -18,4 +18,6 @@ images:
 - name: testing
   newName: testing-operator
 patches:
-- path: pull_policy/Never.yaml
+- path: manager_image.yaml
+- path: debug_logs_patch.yaml
+- path: ../default/manager_auth_proxy_patch.yaml

docs/debugging.md

@@ -0,0 +1,127 @@
+# Debugging the AWX Operator
+
+## General Debugging
+
+When the operator is deploying AWX, it is running the `installer` role inside the operator container. If the AWX CR's status is `Failed`, it is often useful to look at the awx-operator container logs, which shows the output of the installer role. To see these logs, run:
+
+```
+kubectl logs deployments/awx-operator-controller-manager -c awx-manager -f
+```
+
+### Inspect k8s Resources
+
+Past that, it is often useful to inspect various resources the AWX Operator manages like:
+* awx
+* awxbackup
+* awxrestore
+* pod
+* deployment
+* pvc
+* service
+* ingress
+* route
+* secrets
+* serviceaccount
+
+And if installing via OperatorHub and OLM:
+* subscription
+* csv
+* installPlan
+* catalogSource
+
+To inspect these resources you can use these commands
+
+```
+# Inspecting k8s resources
+kubectl describe -n <namespace> <resource> <resource-name>
+kubectl get -n <namespace> <resource> <resource-name> -o yaml
+kubectl logs -n <namespace> <resource> <resource-name>
+
+# Inspecting Pods
+kubectl exec -it -n <namespace> <pod> <pod-name>
+```
+
+
+### Configure No Log
+
+It is possible to show task output for debugging by setting no_log to false on the AWX CR spec.
+This will show output in the awx-operator logs for any failed tasks where no_log was set to true.
+
+For example:
+
+```
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  service_type: nodeport
+  no_log: false                  # <------------
+
+```
+
+## Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+The vars file will replace the awx resource so any value that you wish to over ride using the awx resource, put in the vars file. For example, if you wish to use your own image, version and pull policy, you can specify it like below:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+image: $DEV_DOCKER_TAG_BASE/awx_kube_devel
+image_pull_policy: Always
+image_version: $COMPOSE_TAG
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```

docs/doc-proposal.md

@@ -0,0 +1,29 @@
+# Docs Breakdown for AWX Operator
+
+## Introduction
+
+This table below is aimed at breaking down the ReadME documentation for Ansible AWX Operator and structure it in the way it can be moved to the Read The Docs module.
+
+From the ReadMe file, the documentation can be classified into six distinct segments which are:
+
+
+- Introduction/Getting Started
+- Installation
+- User Guide
+- Upgrade
+- Uninstall
+- Contributors Guide
+
+Using these listed segments, we can do a proper breakdown of all the topics in the ReadMe and place each one in the segment they fall into. This table is open to any form of refactoring or modifications.
+
+| Segments           | Topics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Introduction       | - [Purpose](https://github.com/ansible/awx-operator#purpose)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| Installation       | - [Creating a minikube cluster for testing](https://github.com/ansible/awx-operator#creating-a-minikube-cluster-for-testing)<br>- [Basic Install](https://github.com/ansible/awx-operator#basic-install)<br>- [Helm Install on existing cluster](https://github.com/ansible/awx-operator#helm-install-on-existing-cluster)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| User Guide     | - [Admin user account configuration](https://github.com/ansible/awx-operator#admin-user-account-configuration)<br>- [Network and TLS Configuration](https://github.com/ansible/awx-operator#network-and-tls-configuration)<br>    * [Service Type](https://github.com/ansible/awx-operator#service-type)<br>    * [Ingress Type](https://github.com/ansible/awx-operator#ingress-type)<br>- [Database Configuration](https://github.com/ansible/awx-operator#database-configuration)<br>    * [External PostgreSQL Service](https://github.com/ansible/awx-operator#external-postgresql-service)<br>    * [Migrating data from an old AWX instance](https://github.com/ansible/awx-operator#migrating-data-from-an-old-awx-instance)<br>    * [Managed PostgreSQL Service](https://github.com/ansible/awx-operator#managed-postgresql-service)<br>- [Advanced Configuration](https://github.com/ansible/awx-operator#advanced-configuration)<br>    * [Deploying a specific version of AWX](https://github.com/ansible/awx-operator#deploying-a-specific-version-of-awx)<br>    * [Redis container capabilities](https://github.com/ansible/awx-operator#redis-container-capabilities)<br>    * [Privileged Tasks](https://github.com/ansible/awx-operator#privileged-tasks)<br>    * [Containers Resource Requirements](https://github.com/ansible/awx-operator#containers-resource-requirements)<br>    * [Priority Classes](https://github.com/ansible/awx-operator#priority-classes)<br>    * [Assigning AWX pods to specific nodes](https://github.com/ansible/awx-operator#assigning-awx-pods-to-specific-nodes)<br>    * [Trusting a Custom Certificate Authority](https://github.com/ansible/awx-operator#trusting-a-custom-certificate-authority)<br>    * [Enabling LDAP Integration at AWX bootstrap](https://github.com/ansible/awx-operator#enabling-ldap-integration-at-awx-bootstrap)<br>    * [Persisting Projects Directory](https://github.com/ansible/awx-operator#persisting-projects-directory)<br>    * [Custom Volume and Volume Mount Options](https://github.com/ansible/awx-operator#custom-volume-and-volume-mount-options)<br>    * [Default execution environments from private registries](https://github.com/ansible/awx-operator#default-execution-environments-from-private-registries)<br>        * * [Control plane ee from private registry](https://github.com/ansible/awx-operator#control-plane-ee-from-private-registry)<br>    * [Exporting Environment Variables to Containers](https://github.com/ansible/awx-operator#exporting-environment-variables-to-containers)<br>    * [CSRF Cookie Secure Setting](https://github.com/ansible/awx-operator#csrf-cookie-secure-setting)<br>    * [Session Cookie Secure Setting](https://github.com/ansible/awx-operator#session-cookie-secure-setting)<br>    * [Extra Settings](https://github.com/ansible/awx-operator#extra-settings)<br>    * [Configure no_log](https://github.com/ansible/awx-operator#no-log)<br>    * [Auto Upgrade](https://github.com/ansible/awx-operator#auto-upgrade)<br>        ** [Upgrade of instances without auto upgrade](https://github.com/ansible/awx-operator#upgrade-of-instances-without-auto-upgrade)<br>    * [Service Account](https://github.com/ansible/awx-operator#service-account)<br>    * [Labeling operator managed objects](https://github.com/ansible/awx-operator#labeling-operator-managed-objects)<br>    * [Pods termination grace period](https://github.com/ansible/awx-operator#pods-termination-grace-period)<br>    * [Disable IPV6](https://github.com/ansible/awx-operator#disable-ipv6)<br>    * [Add Execution Nodes](https://github.com/ansible/awx-operator#adding-execution-nodes)<br>        ** [Custom Receptor CA](https://github.com/ansible/awx-operator#custom-receptor-ca)<br>    * [Debugging](https://github.com/ansible/awx-operator/blob/devel/docs/debugging.md)<br>    * [Migration](https://github.com/ansible/awx-operator/blob/devel/docs/migration.md) |
+| Upgrade            | - [Upgrading](https://github.com/ansible/awx-operator#upgrading)<br>    * [Backup](https://github.com/ansible/awx-operator#backup)<br>    * [v0.14.0](https://github.com/ansible/awx-operator#v0140)<br>        ** [Cluster-scope to Namespace-scope considerations](https://github.com/ansible/awx-operator#cluster-scope-to-namespace-scope-considerations)<br>        ** [Project is now based on v1.x of the operator-sdk project](https://github.com/ansible/awx-operator#project-is-now-based-on-v1x-of-the-operator-sdk-project)<br>        ** [Steps to upgrade](https://github.com/ansible/awx-operator#steps-to-upgrade)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Uninstall          | - [Uninstall](https://github.com/ansible/awx-operator#uninstall)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Contributors Guide | - [Contributing](https://github.com/ansible/awx-operator#contributing)<br>- [Release Process](https://github.com/ansible/awx-operator#release-process)<br>- [Author](https://github.com/ansible/awx-operator#author)<br>- [Code of Conduct](https://github.com/ansible/awx-operator#code-of-conduct)<br>- [Get Involved](https://github.com/ansible/awx-operator#get-involved)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+
+
+Note: I could not get the multi-level bullet point list to work in the table so I used single asterisk `*` for one level down and double asterisk `**` for two level down.

docs/migration.md

@@ -34,7 +34,7 @@ metadata:
   namespace: <target namespace>
 stringData:
   host: <external ip or url resolvable by the cluster>
-  port: <external port, this usually defaults to 5432>
+  port: "<external port, this usually defaults to 5432>"    # quotes are required
   database: <desired database name>
   username: <username to connect as>
   password: <password to connect with>

molecule/default/destroy.yml

@@ -19,6 +19,6 @@
         state: absent
 
     - name: Unset pull policy
-      command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
+      command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
       args:
         chdir: '{{ config_dir }}/testing'

molecule/default/kustomize.yml

@@ -1,7 +1,7 @@
 ---
 - name: Build kustomize testing overlay
-  # load_restrictor must be set to none so we can load patch files from the default overlay
-  command: '{{ kustomize }} build  --load_restrictor none .'
+  # load-restrictor must be set to none so we can load patch files from the default overlay
+  command: '{{ kustomize }} build  --load-restrictor LoadRestrictionsNone .'
   args:
     chdir: '{{ config_dir }}/testing'
   register: resources

molecule/default/tasks/awx_test.yml

@@ -19,19 +19,36 @@
   register: admin_pw_secret
 
 - block:
-    - name: Get pod details
+    - name: Get web pod details
       k8s_info:
         namespace: '{{ namespace }}'
         kind: Pod
         label_selectors:
-          - app.kubernetes.io/name = example-awx
-      register: awx_pod
+          - app.kubernetes.io/name = example-awx-web
+      register: awx_web_pod
       when: not awx_version
 
-    - name: Exract tags from images
+    - name: Get task pod details
+      k8s_info:
+        namespace: '{{ namespace }}'
+        kind: Pod
+        label_selectors:
+          - app.kubernetes.io/name = example-awx-task
+      register: awx_task_pod
+      when: not awx_version
+
+    - name: Extract tags from images from web pod
       set_fact:
-        image_tags: |
-          {{ awx_pod.resources[0].spec.containers |
+        web_image_tags: |
+          {{ awx_web_pod.resources[0].spec.containers |
+             map(attribute='image') |
+             map('regex_search', default_awx_version) }}
+      when: not awx_version
+
+    - name: Extract tags from images from task pod
+      set_fact:
+        task_image_tags: |
+          {{ awx_task_pod.resources[0].spec.containers |
              map(attribute='image') |
              map('regex_search', default_awx_version) }}
       when: not awx_version
@@ -42,20 +59,21 @@
           This is an environment variable that is set via build arg when releasing awx-operator.
       when:
         - not awx_version
-        - default_awx_version not in image_tags
+        - default_awx_version not in web_image_tags
+        - default_awx_version not in task_image_tags
 
     - name: Launch Demo Job Template
       awx.awx.job_launch:
         name: Demo Job Template
         wait: yes
         validate_certs: no
-        controller_host: localhost
+        controller_host: localhost/awx/
         controller_username: admin
         controller_password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
   rescue:
     - name: Get list of project updates and jobs
       uri:
-        url: "http://localhost/api/v2/{{ resource }}/"
+        url: "http://localhost/awx/api/v2/{{ resource }}/"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
@@ -83,3 +101,96 @@
           result: '{{ ansible_failed_result }}'
       fail:
         msg: '{{ failed_task }}'
+
+- block:
+    - name: Look up details for this AWX instance
+      k8s_info:
+        namespace: "{{ namespace }}"
+        api_version: "awx.ansible.com/v1beta1"
+        kind: AWX
+        name: example-awx
+      register: this_awx
+
+    - name: Get web pod details
+      k8s_info:
+        namespace: '{{ namespace }}'
+        kind: Pod
+        label_selectors:
+          - app.kubernetes.io/name = example-awx-web
+      register: awx_web_pod
+
+    - name: Get task pod details
+      k8s_info:
+        namespace: '{{ namespace }}'
+        kind: Pod
+        label_selectors:
+          - app.kubernetes.io/name = example-awx-task
+      register: awx_task_pod
+
+    - name: Extract additional_labels from AWX spec
+      set_fact:
+        awx_additional_labels: >-
+          {{ this_awx.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', this_awx.resources[0].spec.additional_labels)
+             | list
+          }}
+
+    - name: Extract additional_labels from AWX web Pod
+      set_fact:
+        awx_web_pod_additional_labels: >-
+          {{ awx_web_pod.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', this_awx.resources[0].spec.additional_labels)
+             | list
+          }}
+
+    - name: Extract additional_labels from AWX task Pod
+      set_fact:
+        awx_task_pod_additional_labels: >-
+          {{ awx_task_pod.resources[0].metadata.labels
+              | dict2items | selectattr('key', 'in', this_awx.resources[0].spec.additional_labels)
+              | list
+          }}
+
+    - name: Assert AWX web Pod contains additional_labels
+      ansible.builtin.assert:
+        that:
+          - awx_web_pod_additional_labels == awx_additional_labels
+
+    - name: Assert AWX task Pod contains additional_labels
+      ansible.builtin.assert:
+        that:
+          - awx_task_pod_additional_labels == awx_additional_labels
+
+    - name: Extract web Pod labels which shouldn't have been propagated to it from AWX
+      set_fact:
+        awx_web_pod_extra_labels: >-
+          {{ awx_web_pod.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', ["my/do-not-inherit"])
+             | list
+          }}
+
+    - name: AWX web Pod doesn't contain AWX labels not in additional_labels
+      ansible.builtin.assert:
+        that:
+          - awx_web_pod_extra_labels == []
+
+    - name: Extract task Pod labels which shouldn't have been propagated to it from AWX
+      set_fact:
+        awx_task_pod_extra_labels: >-
+          {{ awx_task_pod.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', ["my/do-not-inherit"])
+             | list
+          }}
+
+    - name: AWX task Pod doesn't contain AWX labels not in additional_labels
+      ansible.builtin.assert:
+        that:
+          - awx_task_pod_extra_labels == []
+
+  rescue:
+    - name: Re-emit failure
+      vars:
+        failed_task:
+          result: '{{ ansible_failed_result }}'
+      fail:
+        msg: '{{ failed_task }}'

molecule/default/tasks/awxbackup_test.yml

@@ -0,0 +1,18 @@
+---
+# - name: Create the awx.ansible.com/v1beta1.AWXBackup
+#   k8s:
+#     state: present
+#     namespace: '{{ namespace }}'
+#     definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
+#     wait: yes
+#     wait_timeout: 300
+#     wait_condition:
+#       type: Successful
+#       status: "True"
+#   vars:
+#     cr_file: 'awx_v1beta1_awxbackup.yaml'
+#
+# - name: Add assertions here
+#   assert:
+#     that: false
+#     fail_msg: FIXME Add real assertions for your operator

molecule/default/tasks/awxrestore_test.yml

@@ -0,0 +1,18 @@
+---
+# - name: Create the awx.ansible.com/v1beta1.AWXRestore
+#   k8s:
+#     state: present
+#     namespace: '{{ namespace }}'
+#     definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
+#     wait: yes
+#     wait_timeout: 300
+#     wait_condition:
+#       type: Successful
+#       status: "True"
+#   vars:
+#     cr_file: 'awx_v1beta1_awxrestore.yaml'
+#
+# - name: Add assertions here
+#   assert:
+#     that: false
+#     fail_msg: FIXME Add real assertions for your operator

molecule/default/templates/awx_cr_molecule.yml.j2

@@ -3,6 +3,10 @@ apiVersion: awx.ansible.com/v1beta1
 kind: AWX
 metadata:
   name: example-awx
+  labels:
+    my/team: "foo"
+    my/service: "bar"
+    my/do-not-inherit: "yes"
 spec:
 {% if awx_image %}
   image: {{ awx_image }}
@@ -11,17 +15,25 @@ spec:
   image_version: {{ awx_version }}
 {% endif %}
   ingress_type: ingress
+  ingress_path: /awx
   ingress_annotations: |
     kubernetes.io/ingress.class: nginx
   web_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   task_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   ee_resource_requirements:
     requests:
-      cpu: 200m
-      memory: 64M
+      cpu: 50m
+      memory: 16M
+  no_log: false
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}
+  redis_resource_requirements: {}
+  additional_labels:
+  - my/team
+  - my/service

molecule/kind/converge.yml

@@ -5,8 +5,20 @@
   gather_facts: no
 
   tasks:
+    # Remove after this if fixed: https://github.com/ansible-collections/community.docker/issues/611
+    - name: Install docker
+      become: yes
+      pip:
+        name:
+          - websocket-client==0.59.0
+          - requests==2.28.2
+          - urllib3==1.26.15
+          - docker
+          - docker-compose
+        state: present
+
     - name: Build operator image
-      docker_image:
+      community.docker.docker_image:
         build:
           path: '{{ project_dir }}'
           pull: no

molecule/kind/destroy.yml

@@ -11,6 +11,6 @@
       command: kind delete cluster --name osdk-test --kubeconfig {{ kubeconfig }}
 
     - name: Unset pull policy
-      command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
+      command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
       args:
         chdir: '{{ config_dir }}/testing'

molecule/requirements.txt

@@ -1,7 +1,8 @@
-molecule
+molecule<4.0.2
 molecule-docker
 yamllint
 ansible-lint
 openshift!=0.13.0
 jmespath
 ansible-core
+ansible-compat<4  # https://github.com/ansible-community/molecule/issues/3903

molecule/requirements.yml

@@ -2,7 +2,8 @@
 collections:
   - name: community.general
   - name: kubernetes.core
-    version: 1.2.1
+    version: 2.3.2
   - name: operator_sdk.util
   - name: community.docker
+    version: 3.4.4
   - name: awx.awx

playbooks/awx.yml

@@ -0,0 +1,31 @@
+---
+- hosts: localhost
+  gather_facts: no
+  collections:
+    - kubernetes.core
+    - operator_sdk.util
+  vars:
+    no_log: true
+  pre_tasks:
+    - name: Verify imagePullSecrets
+      k8s_info:
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: redhat-operators-pull-secret
+      register: _rh_ops_secret
+      no_log: "{{ no_log }}"
+    - name: Create imagePullSecret
+      k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: redhat-operators-pull-secret
+            namespace: '{{ ansible_operator_meta.namespace }}'
+          stringData:
+            operator: awx
+      when:
+        - (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
+  roles:
+    - installer

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
   - name: kubernetes.core
-    version: '==1.2.1'
+    version: '>=2.3.2'
   - name: operator_sdk.util
-    version: "0.2.0"
+    version: "0.4.0"

roles/backup/README.md

@@ -45,7 +45,7 @@ The resulting pvc will contain a backup tar that can be used to restore to a new
 Role Variables
 --------------
 
-A custom, pre-created pvc can be used by setting the following variables.  
+A custom, pre-created pvc can be used by setting the following variables.
 
 ```
 backup_pvc: 'awx-backup-volume-claim'
@@ -62,18 +62,42 @@ backup_storage_requirements: '20Gi'
 
 By default, the backup pvc will be created in the same namespace the awxbackup object is created in.  If you want your backup to be stored
 in a specific namespace, you can do so by specifying `backup_pvc_namespace`.  Keep in mind that you will
-need to provide the same namespace when restoring.  
+need to provide the same namespace when restoring.
 
 ```
 backup_pvc_namespace: 'custom-namespace'
 ```
+The backup pvc will be created in the same namespace the awxbackup object is created in.
 
-If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.  
-To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.  
+If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
+To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
 
 The postgresql pod for the old deployment is used when backing up data to the new postgresql pod.  If your postgresql pod has a custom label,
 you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
 
+It is also possible to tie the lifetime of the backup files to that of the AWXBackup resource object. To do that you can set the
+`clean_backup_on_delete` value to true. This will delete the `backupDirectory` on the pvc associated with the AWXBackup object deleted.
+
+```
+clean_backup_on_delete: true
+```
+
+Variable to define resources limits and request for backup CR.
+```
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+```
+
+To customize the pg_dump command that will be executed on a backup use the `pg_dump_suffix` variable. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
+
+```
+pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
+```
 
 Testing
 ----------------

roles/backup/defaults/main.yml

@@ -10,3 +10,38 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 
 # Size of backup PVC if created dynamically
 backup_storage_requirements: ''
+
+# Set no_log settings on certain tasks
+no_log: true
+
+# Variable to set when you want backups to be cleaned up when the CRD object is deleted
+clean_backup_on_delete: false
+
+
+# Add a nodeSelector for the Postgres pods to backup.
+# Specify as literal block. E.g.:
+# db_management_pod_node_selector: |
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+db_management_pod_node_selector: ''
+
+# Variable to signal that this role is being run as a finalizer
+finalizer_run: false
+
+# Default resource requirements
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+# Allow additional parameters to be added to the pg_dump backup command
+pg_dump_suffix: ''
+
+# Labels defined on the resource, which should be propagated to child resources
+additional_labels: []
+
+# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+set_self_labels: true
+...

roles/backup/meta/main.yml

@@ -24,7 +24,8 @@ galaxy_info:
     - backup
     - automation
 
-dependencies: []
+dependencies:
+  - role: common
 
 collections:
   - kubernetes.core

roles/backup/tasks/awx-cro.yml

@@ -25,10 +25,11 @@
   set_fact:
     awx_spec:
       spec: "{{ _awx }}"
+      previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
 
 - name: Write awx object to pvc
-  k8s_exec:
+  k8s_cp:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
-    command: >-
-      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}
+    remote_path: "{{ backup_dir  }}/awx_object"
+    content: "{{ awx_spec | to_yaml }}"

roles/backup/tasks/creation.yml

@@ -0,0 +1,53 @@
+---
+- name: Patching labels to {{ kind }} kind
+  k8s:
+    state: present
+    definition:
+      apiVersion: "{{ api_version }}"
+      kind: "{{ kind }}"
+      name: "{{ ansible_operator_meta.name }}"
+      namespace: "{{ ansible_operator_meta.namespace }}"
+      metadata:
+        name: "{{ ansible_operator_meta.name }}"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+        labels: '{{ lookup("template", "../common/templates/labels/common.yaml.j2") | from_yaml }}'
+  when: set_self_labels | bool
+
+- name: Look up details for this backup object
+  k8s_info:
+    api_version: "{{ api_version }}"
+    kind: "{{ kind }}"
+    name: "{{ ansible_operator_meta.name }}"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: this_backup
+
+- name: Build `additional_labels_items` labels from `additional_labels`
+  set_fact:
+    additional_labels_items: >-
+      {{ this_backup['resources'][0]['metadata']['labels']
+         | dict2items | selectattr('key', 'in', additional_labels)
+      }}
+  when:
+  - additional_labels | length
+  - this_backup['resources'][0]['metadata']['labels']
+
+- block:
+  - include_tasks: init.yml
+
+  - include_tasks: postgres.yml
+
+  - include_tasks: awx-cro.yml
+
+  - include_tasks: secrets.yml
+
+  - name: Set flag signifying this backup was successful
+    set_fact:
+      backup_complete: true
+
+  - include_tasks: cleanup.yml
+
+  when:
+  - this_backup['resources'][0]['status']['backupDirectory'] is not defined
+
+- name: Update status variables
+  include_tasks: update_status.yml

roles/backup/tasks/delete_backup.yml

@@ -0,0 +1,7 @@
+---
+- name: Cleanup backup associated with this option if enabled
+  k8s_exec:
+    namespace: "{{ backup_pvc_namespace }}"
+    pod: "{{ ansible_operator_meta.name }}-db-management"
+    command: >-
+      bash -c 'rm -rf {{ backup_dir  }}'

roles/backup/tasks/dump_generated_secret.yml

@@ -25,15 +25,15 @@
       namespace: '{{ ansible_operator_meta.namespace }}'
       name: "{{ _name }}"
   register: _secret
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set secret data
   set_fact:
       _data: "{{ _secret['resources'][0]['data'] }}"
       _type: "{{ _secret['resources'][0]['type'] }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Create and Add secret names and data to dictionary
   set_fact:
       secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/backup/tasks/dump_receptor_secrets.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length

roles/backup/tasks/dump_secret.yml

@@ -13,16 +13,16 @@
             namespace: '{{ ansible_operator_meta.namespace }}'
             name: "{{ _name }}"
         register: _secret
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Set secret key
         set_fact:
             _data: "{{ _secret['resources'][0]['data'] }}"
             _type: "{{ _secret['resources'][0]['type'] }}"
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Create and Add secret names and data to dictionary
         set_fact:
             secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
-        no_log: true
+        no_log: "{{ no_log }}"
   when: _name != ''

roles/backup/tasks/finalizer.yml

@@ -0,0 +1,20 @@
+---
+- name: Look up details for this backup object
+  k8s_info:
+    api_version: "{{ api_version }}"
+    kind: "{{ kind }}"
+    name: "{{ ansible_operator_meta.name }}"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: this_backup
+
+- block:
+    - include_tasks: init.yml
+
+    - include_tasks: delete_backup.yml
+
+    - include_tasks: cleanup.yml
+  vars:
+    backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] | default() }}"
+  when:
+    - clean_backup_on_delete
+    - backup_dir | length > 0

roles/backup/tasks/init.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Delete any existing management pod
   k8s:
     name: "{{ ansible_operator_meta.name }}-db-management"
@@ -57,8 +56,8 @@
           apiVersion: v1
           kind: PersistentVolumeClaim
           metadata:
-            name: '{{ deployment_name }}-backup-claim'
-            namespace: '{{ backup_pvc_namespace }}'
+            name: "{{ deployment_name }}-backup-claim"
+            namespace: "{{ backup_pvc_namespace }}"
             ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined

roles/backup/tasks/main.yml

@@ -1,47 +1,8 @@
 ---
-- name: Patching labels to {{ kind }} kind
-  k8s:
-    state: present
-    definition:
-      apiVersion: '{{ api_version }}'
-      kind: '{{ kind }}'
-      name: '{{ ansible_operator_meta.name }}'
-      namespace: '{{ ansible_operator_meta.namespace }}'
-      metadata:
-        name: '{{ ansible_operator_meta.name }}'
-        namespace: '{{ ansible_operator_meta.namespace }}'
-        labels:
-          app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-          app.kubernetes.io/component: '{{ deployment_type }}'
-          app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+- name: Run creation tasks
+  include_tasks: creation.yml
+  when: not finalizer_run
 
-- name: Look up details for this backup object
-  k8s_info:
-    api_version: "{{ api_version }}"
-    kind: "{{ kind }}"
-    name: "{{ ansible_operator_meta.name }}"
-    namespace: "{{ ansible_operator_meta.namespace }}"
-  register: this_backup
-
-- block:
-    - include_tasks: init.yml
-
-    - include_tasks: postgres.yml
-
-    - include_tasks: awx-cro.yml
-
-    - include_tasks: secrets.yml
-
-    - name: Set flag signifying this backup was successful
-      set_fact:
-        backup_complete: true
-
-    - include_tasks: cleanup.yml
-
-  when:
-    - this_backup['resources'][0]['status']['backupDirectory'] is not defined
-
-- name: Update status variables
-  include_tasks: update_status.yml
+- name: Run finalizer tasks
+  include_tasks: finalizer.yml
+  when: finalizer_run