Use awx web launch script to pick up the correct supervisor config (#935)

- reduce resource requests so that CI passes in resource constrained
    environments

.github/workflows/ci.yaml

@@ -10,9 +10,9 @@ on:
     branches: [devel]
 
 jobs:
-  pull_request:
+  molecule:
     runs-on: ubuntu-18.04
-    name: pull_request
+    name: molecule
     env:
       DOCKER_API_VERSION: "1.38"
     steps:
@@ -39,3 +39,28 @@ jobs:
           sudo rm -f $(which kustomize)
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+  helm:
+    runs-on: ubuntu-18.04
+    name: helm
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.2.0
+
+      - name: Build operator image and load into kind
+        run: |
+          IMG=awx-operator-ci make docker-build
+          kind load docker-image --name chart-testing awx-operator-ci
+
+      - name: Patch pull policy for tests
+        run: |
+          kustomize edit add patch --path ../testing/pull_policy/Never.yaml
+        working-directory: config/default
+
+      - name: Build and install helm chart
+        run: |
+          IMG=awx-operator-ci make helm-chart
+          helm install --wait my-awx-operator ./charts/awx-operator

.github/workflows/promote.yaml

@@ -8,6 +8,8 @@ jobs:
   promote:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v2
+
       - name: Log in to GHCR
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +25,16 @@ jobs:
           docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
           docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
           docker push quay.io/${{ github.repository }}:latest
+
+      - name: Configure git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ github.event.release.tag_name }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -4,3 +4,5 @@
 /bundle
 /bundle_tmp*
 /bundle.Dockerfile
+/charts
+/.cr-release-packages

.helm/starter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.helm/starter/Chart.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Kubernetes
+name: starter
+type: application
+version: 0.1.0

Makefile

@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)
 
 CONTAINER_CMD ?= docker
 
+# GNU vs BSD in-place sed
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_I := sed -i
+else
+	SED_I := sed -i ''
+endif
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -41,6 +48,14 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
 
+# Helm variables
+CHART_NAME ?= awx-operator
+CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
+CHART_OWNER ?= $(GH_REPO_OWNER)
+CHART_REPO ?= awx-operator
+CHART_BRANCH ?= gh-pages
+CHART_INDEX ?= index.yaml
+
 all: docker-build
 
 ##@ General
@@ -93,7 +108,8 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +119,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -119,7 +135,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -150,7 +166,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -181,3 +197,125 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+.PHONY: kubectl-slice
+KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
+kubectl-slice: ## Download kubectl-slice locally if necessary.
+ifeq (,$(wildcard $(KUBECTL_SLICE)))
+ifeq (,$(shell which kubectl-slice 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(KUBECTL_SLICE)) ;\
+	curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
+	tar xzf - -C bin/ kubectl-slice ;\
+	}
+else
+KUBECTL_SLICE = $(shell which kubectl-slice)
+endif
+endif
+
+.PHONY: helm
+HELM = $(shell pwd)/bin/helm
+helm: ## Download helm locally if necessary.
+ifeq (,$(wildcard $(HELM)))
+ifeq (,$(shell which helm 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
+	mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
+	rmdir bin/$(OS)-$(ARCHA) ;\
+	}
+else
+HELM = $(shell which helm)
+endif
+endif
+
+.PHONY: yq
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+ifeq (,$(wildcard $(YQ)))
+ifeq (,$(shell which yq 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ ;\
+	mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
+	}
+else
+YQ = $(shell which yq)
+endif
+endif
+
+PHONY: cr
+CR = $(shell pwd)/bin/cr
+cr: ## Download cr locally if necessary.
+ifeq (,$(wildcard $(CR)))
+ifeq (,$(shell which cr 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(CR)) ;\
+	curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ cr ;\
+	}
+else
+CR = $(shell which cr)
+endif
+endif
+
+charts:
+	mkdir -p $@
+
+.PHONY: helm-chart
+helm-chart: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE (image and namespace) =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+
+	@echo "== HELM =="
+	cd charts && \
+		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
+		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
+
+	@cat charts/$(CHART_NAME)/Chart.yaml
+
+	@echo "== KUSTOMIZE (annotation) =="
+	cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
+
+	@echo "== SLICE =="
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
+		$(KUBECTL_SLICE) --input-file=- \
+			--output-dir=charts/$(CHART_NAME)/templates \
+			--sort-by-kind
+	@echo "Helm Chart $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+
+.PHONY: helm-package
+helm-package: cr helm-chart
+	@echo "== CHART RELEASER (package) =="
+	$(CR) package ./charts/awx-operator
+
+# The actual release happens in ansible/helm-release.yml
+# until https://github.com/helm/chart-releaser/issues/122 happens
+.PHONY: helm-index
+helm-index: cr helm-chart
+	@echo "== CHART RELEASER (httpsorigin) =="
+	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
+	git fetch httpsorigin
+
+	@echo "== CHART RELEASER (index) =="
+	$(CR) index \
+		--owner "$(CHART_OWNER)" \
+		--git-repo "$(CHART_REPO)" \
+		--token "$(CR_TOKEN)" \
+		--pages-branch "$(CHART_BRANCH)" \
+		--index-path "./charts/$(CHART_INDEX)" \
+		--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
+		--remote httpsorigin \
+		--release-name-template="{{ .Version }}" \
+		--push

README.md

@@ -14,6 +14,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
    * [Usage](#usage)
       * [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
       * [Basic Install](#basic-install)
+      * [Helm Install on existing cluster](#helm-install-on-existing-cluster)
       * [Admin user account configuration](#admin-user-account-configuration)
       * [Network and TLS Configuration](#network-and-tls-configuration)
          * [Service Type](#service-type)
@@ -27,13 +28,17 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Redis container capabilities](#redis-container-capabilities)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
+         * [Priority Classes](#priority-classes)
          * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
          * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+         * [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
          * [Persisting Projects Directory](#persisting-projects-directory)
          * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
          * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
             * [Control plane ee from private registry](#control-plane-ee-from-private-registry)
          * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+         * [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
+         * [Session Cookie Secure Setting](#session-cookie-secure-setting)
          * [Extra Settings](#extra-settings)
          * [Service Account](#service-account)
       * [Uninstall](#uninstall)
@@ -45,6 +50,9 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
    * [Contributing](#contributing)
    * [Release Process](#release-process)
    * [Author](#author)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
+
 <!--te-->
 
 ## Purpose
@@ -134,7 +142,7 @@ Install the manifests by running this:
 
 ```
 $ kustomize build . | kubectl apply -f -
-namespace/machaffe created
+namespace/awx created
 customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
@@ -233,8 +241,34 @@ You just completed the most basic install of an AWX instance via this operator.
 
 For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
 
-[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
 
+### Helm Install on existing cluster
+
+For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
+
+```bash
+$ helm repo add awx-operator https://ansible.github.io/awx-operator/
+"awx-operator" has been added to your repositories
+
+$ helm repo update
+Hang tight while we grab the latest from your chart repositories...
+...Successfully got an update from the "awx-operator" chart repository
+Update Complete. ⎈Happy Helming!⎈
+
+$ helm search repo awx-operator
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+awx-operator/awx-operator       0.17.1          0.17.1          A Helm chart for the AWX Operator
+
+$ helm install my-awx-operator awx-operator/awx-operator
+NAME: my-awx-operator
+LAST DEPLOYED: Thu Feb 17 22:09:05 2022
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+Helm Chart 0.17.1
+```
 
 ### Admin user account configuration
 
@@ -395,7 +429,7 @@ spec:
 
 #### External PostgreSQL Service
 
-In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
+To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
 
 
 The secret should be formatted as follows:
@@ -424,6 +458,15 @@ type: Opaque
 
 **Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
 
+Once the secret is created, you can specify it on your spec:
+
+```yaml
+---
+spec:
+  ...
+  postgres_configuration_secret: <name-of-your-secret>
+```
+
 #### Migrating data from an old AWX instance
 
 For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -434,14 +477,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
 
 The following variables are customizable for the managed PostgreSQL service
 
-| Name                                          | Description                                   | Default                           |
-| --------------------------------------------- | --------------------------------------------- | --------------------------------- |
-| postgres_image                                | Path of the image to pull                     | postgres:12                       |
-| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {}                      |
-| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {}                      |
-| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}          |
-| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                      |
-| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata` |
+| Name                                          | Description                                   | Default                            |
+| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
+| postgres_image                                | Path of the image to pull                     | postgres:12                        |
+| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}           |
+| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                       |
+| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata`  |
+| postgres_priority_class                       | Priority class used for PostgreSQL pod        | Empty string                       |
 
 Example of customization could be:
 
@@ -475,15 +519,15 @@ spec:
 
 There are a few variables that are customizable for awx the image management.
 
-| Name                | Description               |
-| ------------------- | ------------------------- |
-| image               | Path of the image to pull |
-| image_version       | Image version to pull     |
-| image_pull_policy   | The pull policy to adopt  |
-| image_pull_secret   | The pull secret to use    |
-| ee_images           | A list of EEs to register |
-| redis_image         | Path of the image to pull |
-| redis_image_version | Image version to pull     |
+| Name                | Description               | Default                                 |
+| ------------------- | ------------------------- | --------------------------------------  |
+| image               | Path of the image to pull | quay.io/ansible/awx                     |
+| image_version       | Image version to pull     | value of DEFAULT_AWX_VERSION or latest  |
+| image_pull_policy   | The pull policy to adopt  | IfNotPresent                            |
+| image_pull_secrets  | The pull secrets to use   | None                                    |
+| ee_images           | A list of EEs to register | quay.io/ansible/awx-ee:latest           |
+| redis_image         | Path of the image to pull | docker.io/redis                         |
+| redis_image_version | Image version to pull     | latest                                  |
 
 Example of customization could be:
 
@@ -494,7 +538,8 @@ spec:
   image: myorg/my-custom-awx
   image_version: latest
   image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
   ee_images:
     - name: my-custom-awx-ee
       image: myorg/my-custom-awx-ee
@@ -540,11 +585,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
 
-| Name                       | Description                                      | Default                             |
-| -------------------------- | ------------------------------------------------ | ----------------------------------- |
-| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
-| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                       | Description                                      | Default                              |
+| -------------------------- | ------------------------------------------------ | ------------------------------------ |
+| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 100m, memory: 128Mi} |
+| task_resource_requirements | Task container resource requirements             | requests: {cpu: 100m, memory: 128Mi} |
+| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
 
 Example of customization could be:
 
@@ -554,27 +599,45 @@ spec:
   ...
   web_resource_requirements:
     requests:
-      cpu: 1000m
+      cpu: 250m
       memory: 2Gi
     limits:
-      cpu: 2000m
+      cpu: 1000m
       memory: 4Gi
   task_resource_requirements:
     requests:
-      cpu: 500m
+      cpu: 250m
       memory: 1Gi
     limits:
-      cpu: 1000m
+      cpu: 2000m
       memory: 2Gi
   ee_resource_requirements:
     requests:
-      cpu: 500m
-      memory: 1Gi
+      cpu: 250m
+      memory: 100Mi
     limits:
-      cpu: 1000m
+      cpu: 500m
       memory: 2Gi
 ```
 
+#### Priority Classes
+
+The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
+First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
+Then set the name of your priority class to the control plane and postgres pods as shown below.
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  ...
+  control_plane_priority_class: awx-demo-high-priority
+  postgres_priority_class: awx-demo-medium-priority
+```
+
 #### Assigning AWX pods to specific nodes
 
 You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
@@ -634,11 +697,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v
 Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
-| Name                 | Description                            | Default |
-| -------------------- | -------------------------------------- | ------- |
-| ldap_cacert_secret   | LDAP Certificate Authority secret name | ''      |
-| bundle_cacert_secret | Certificate Authority secret name      | ''      |
-
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
 
 Example of customization could be:
@@ -648,10 +711,13 @@ Example of customization could be:
 spec:
   ...
   ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
   bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret
 
 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -659,6 +725,66 @@ To create the secret, you can use the command below:
     --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory
 
 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
@@ -788,7 +914,7 @@ type: Opaque
 ```
 
 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
 
 You can create `image_pull_secret`
 ```
@@ -837,6 +963,36 @@ Example configuration of environment variables
         value: foo
 ```
 
+#### CSRF Cookie Secure Setting
+
+With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name               | Description        | Default |
+| ------------------ | ------------------ | ------- |
+| csrf_cookie_secure | CSRF Cookie Secure | ''      |
+
+Example configuration of the `csrf_cookie_secure` setting:
+
+```yaml
+  spec:
+    csrf_cookie_secure: 'False'
+```
+
+#### Session Cookie Secure Setting
+
+With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name                  | Description           | Default |
+| --------------------- | --------------------- | ------- |
+| session_cookie_secure | Session Cookie Secure | ''      |
+
+Example configuration of the `session_cookie_secure` setting:
+
+```yaml
+  spec:
+    session_cookie_secure: 'False'
+```
+
 #### Extra Settings
 
 With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
@@ -928,7 +1084,10 @@ The first step is to create a draft release. Typically this will happen in the [
 
 If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
 
-After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
+After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
+
+- Publish image to Quay
+- Release Helm chart
 
 ## Author
 

ansible/helm-release.yml

@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  vars:
+    chart_repo: awx-operator
+  tasks:
+    - name: Look up release
+      uri:
+        url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
+      register: release
+      ignore_errors: yes
+
+    - fail:
+        msg: |
+          Release must exist before running this playbook
+      when: release is not success
+
+    - name: Build and package helm chart
+      command: |
+        make helm-chart helm-package
+      environment:
+        VERSION: "{{ tag }}"
+        IMAGE_TAG_BASE: "{{ operator_image }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"
+
+    # Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
+    - name: Upload helm chart
+      uri:
+        url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
+        src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
+        headers:
+          Authorization: "token {{ gh_token }}"
+          Content-Type: "application/octet-stream"
+        status_code:
+          - 200
+          - 201
+      register: asset_upload
+      changed_when: asset_upload.json.state == "uploaded"
+
+    - name: Publish helm index
+      command: |
+        make helm-index
+      environment:
+        CHART_OWNER: "{{ chart_owner }}"
+        CR_TOKEN: "{{ gh_token }}"
+      args:
+        chdir: "{{ playbook_dir }}/../"

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -165,6 +165,9 @@ spec:
                 control_plane_ee_image:
                   description: Registry path to the Execution Environment container image to use on control plane pods
                   type: string
+                control_plane_priority_class:
+                  description: Assign a preexisting priority class to the control plane pods
+                  type: string
                 ee_pull_credentials_secret:
                   description: Secret where pull credentials for registered ees can be found
                   type: string
@@ -179,8 +182,13 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
+                image_pull_secrets:
+                  description: Image pull secrets for app and database containers
+                  type: array
+                  items:
+                    type: string
+                image_pull_secret:  # deprecated
+                  description: (Deprecated) Image pull secret for app and database containers
                   type: string
                 task_resource_requirements:
                   description: Resource requirements for the task container
@@ -270,6 +278,28 @@ spec:
                           type: string
                       type: object
                   type: object
+                redis_resource_requirements:
+                  description: Resource requirements for the redis container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 service_account_annotations:
                   description: ServiceAccount annotations
                   type: string
@@ -387,6 +417,9 @@ spec:
                 postgres_storage_class:
                   description: Storage class to use for the PostgreSQL PVC
                   type: string
+                postgres_priority_class:
+                  description: Assign a preexisting priority class to the postgres pod
+                  type: string
                 postgres_data_path:
                   description: Path where the PostgreSQL data are located
                   type: string
@@ -403,6 +436,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                 bundle_cacert_secret:
                   description: Secret where can be found the trusted Certificate Authority Bundle
                   type: string
@@ -430,6 +466,12 @@ spec:
                   description: AccessMode for the /var/lib/projects PersistentVolumeClaim
                   default: ReadWriteMany
                   type: string
+                csrf_cookie_secure:
+                  description: Set csrf cookie secure mode for web
+                  type: string
+                session_cookie_secure:
+                  description: Set session cookie secure mode for web
+                  type: string
                 extra_settings:
                   description: Extra settings to specify for the API
                   items:

config/manager/manager.yaml

@@ -55,4 +55,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 10
       serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: redhat-operators-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -252,8 +252,8 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-      - displayName: Image Pull Secret
-        path: image_pull_secret
+      - displayName: Image Pull Secrets
+        path: image_pull_secrets
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
@@ -278,6 +278,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: Redis container resource requirements
+        path: redis_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - displayName: PostgreSQL container resource requirements (when using a managed
           instance)
         path: postgres_resource_requirements
@@ -554,6 +559,16 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: CSRF cookie secure setting
+        path: csrf_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Session cookie secure setting
+        path: session_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: API Extra Settings
         path: extra_settings
         x-descriptors:

config/samples/awx_v1beta1_awx.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   web_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   task_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   ee_resource_requirements:
     requests:
-      cpu: 200m
+      cpu: 50m
       memory: 64M

docs/debugging.md

@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```

molecule/default/kustomize.yml

@@ -1,7 +1,7 @@
 ---
 - name: Build kustomize testing overlay
   # load_restrictor must be set to none so we can load patch files from the default overlay
-  command: '{{ kustomize }} build  --load_restrictor none .'
+  command: '{{ kustomize }} build  --load-restrictor LoadRestrictionsNone .'
   args:
     chdir: '{{ config_dir }}/testing'
   register: resources

molecule/default/templates/awx_cr_molecule.yml.j2

@@ -15,13 +15,16 @@ spec:
     kubernetes.io/ingress.class: nginx
   web_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   task_resource_requirements:
     requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 50m
+      memory: 32M
   ee_resource_requirements:
     requests:
-      cpu: 200m
-      memory: 64M
+      cpu: 50m
+      memory: 16M
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}
+  redis_resource_requirements: {}

roles/backup/tasks/postgres.yml

@@ -39,6 +39,7 @@
       until:
         - "postgres_pod['resources'] | length"
         - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+        - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
       delay: 5
       retries: 60
 

roles/backup/tasks/secrets.yml

@@ -21,9 +21,21 @@
     - ingress_tls_secret
     - ldap_cacert_secret
     - bundle_cacert_secret
-    - image_pull_secret
     - ee_pull_credentials_secret
 
+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secrets
+  when: image_pull_secrets | default([]) | length
+
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}

roles/installer/defaults/main.yml

@@ -133,7 +133,7 @@ _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
 _init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []
 
 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
@@ -164,24 +164,36 @@ replicas: "1"
 task_args:
   - /usr/bin/launch_awx_task.sh
 task_command: []
-web_args: []
+web_args:
+  - /usr/bin/launch_awx.sh
 web_command: []
 
 task_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 128Mi
 
 web_resource_requirements:
   requests:
-    cpu: 1000m
-    memory: 2Gi
+    cpu: 100m
+    memory: 128Mi
 
 ee_resource_requirements:
   requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 64Mi
 
+# Customize CSRF options
+csrf_cookie_secure: False
+session_cookie_secure: False
+
+# Assign a preexisting priority class to the control plane pods
+control_plane_priority_class: ''
+
+redis_resource_requirements:
+  requests:
+    cpu: 50m
+    memory: 64Mi
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -222,8 +234,16 @@ postgres_tolerations: ''
 postgres_storage_requirements:
   requests:
     storage: 8Gi
-postgres_init_container_resource_requirements: {}
-postgres_resource_requirements: {}
+postgres_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+postgres_init_container_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+# Assign a preexisting priority class to the postgres pod
+postgres_priority_class: ''
 postgres_data_path: '/var/lib/postgresql/data/pgdata'
 
 # Persistence to the AWX project data folder
@@ -247,6 +267,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''
 

roles/installer/tasks/database_configuration.yml

@@ -153,6 +153,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
   when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'

roles/installer/tasks/initialize_django.yml

@@ -13,18 +13,6 @@
   register: users_result
   changed_when: users_result.return_code > 0
 
-- name: Update super user password via Django if it does exist (same password is a noop)
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
-  register: update_pw_result
-  changed_when: users_result.stdout == 'Password not updated'
-  no_log: true
-  when: users_result.return_code == 0
-
 - name: Create super user via Django if it doesn't exist.
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -37,17 +25,6 @@
   no_log: true
   when: users_result.return_code > 0
 
-- name: Create preload data if necessary.  # noqa 305
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage create_preload_data"
-  register: cdo
-  changed_when: "'added' in cdo.stdout"
-  when: create_preload_data | bool
-
 - name: Check if legacy queue is present
   k8s_exec:
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -118,3 +95,14 @@
       changed_when: "'changed: True' in ree.stdout"
       no_log: true
   when: _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- name: Create preload data if necessary.  # noqa 305
+  k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ ansible_operator_meta.name }}-task"
+    command: >-
+      bash -c "awx-manage create_preload_data"
+  register: cdo
+  changed_when: "'added' in cdo.stdout"
+  when: create_preload_data | bool

roles/installer/tasks/load_ldap_password_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: true
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: true
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
   include_tasks: load_bundle_cacert_secret.yml
   when:

roles/installer/tasks/migrate_data.yml

@@ -29,6 +29,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60
 

roles/installer/tasks/resources_configuration.yml

@@ -17,6 +17,16 @@
   set_fact:
     tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
 
+- name: Set user provided control plane ee image
+  set_fact:
+    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
+  when:
+    - control_plane_ee_image | default([]) | length
+
+- name: Set Control Plane EE image URL
+  set_fact:
+    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
+
 - name: Apply Resources
   k8s:
     apply: yes
@@ -62,16 +72,6 @@
   set_fact:
     _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"
 
-- name: Set user provided control plane ee image
-  set_fact:
-    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
-  when:
-    - control_plane_ee_image | default([]) | length
-
-- name: Set Control Plane EE image URL
-  set_fact:
-    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
-
 - name: Apply deployment resources
   k8s:
     apply: yes

roles/installer/templates/config.yaml.j2

@@ -60,8 +60,8 @@ data:
     CLUSTER_HOST_ID = socket.gethostname()
     SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
-    CSRF_COOKIE_SECURE = False
-    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
     
     SERVER_EMAIL = 'root@localhost'
     DEFAULT_FROM_EMAIL = 'webmaster@localhost'
@@ -176,6 +176,8 @@ data:
     
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
+            # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+            add_header X-Content-Type-Options nosniff;
     
             location /nginx_status {
                 stub_status on;
@@ -229,6 +231,7 @@ data:
                 add_header Strict-Transport-Security max-age=15768000;
                 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
                 add_header X-Frame-Options "DENY";
+                add_header X-Content-Type-Options nosniff;
                 add_header Cache-Control "no-cache, no-store, must-revalidate";
                 add_header Expires "0";
                 add_header Pragma "no-cache";

roles/installer/templates/deployment.yaml.j2

@@ -33,9 +33,17 @@ spec:
 {% endif %}
     spec:
       serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if control_plane_priority_class is defined %}
+      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
       initContainers:
 {% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
@@ -93,6 +101,7 @@ spec:
               mountPath: "/var/run/redis"
             - name: "{{ ansible_operator_meta.name }}-redis-data"
               mountPath: "/data"
+          resources: {{ redis_resource_requirements }}
         - image: '{{ _image }}'
           name: '{{ ansible_operator_meta.name }}-web'
 {% if web_command %}

roles/installer/templates/postgres.yaml.j2

@@ -33,9 +33,17 @@ spec:
         app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
       imagePullSecrets:
         - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if postgres_priority_class is defined %}
+      priorityClassName: '{{ postgres_priority_class }}'
 {% endif %}
       initContainers:
         - name: database-check

roles/restore/tasks/postgres.yml

@@ -37,6 +37,7 @@
   until:
     - "postgres_pod['resources'] | length"
     - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
   delay: 5
   retries: 60