Look for a specific pull secret when deployed in certain cloud environments (#894 )

Fix mistake in debugging docs
Load LDAP password from secret and update guideline (#659 )
2026-03-27 22:03:11 +00:00 · 2022-04-27 15:44:10 -04:00 · 2022-04-25 16:32:50 -04:00 · 2022-04-25 16:16:10 -04:00 · 2022-04-25 16:11:21 -04:00 · 2022-04-25 16:02:30 -04:00
19 changed files with 380 additions and 125 deletions
--- a/README.md
+++ b/README.md
@@ -8,43 +8,46 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
 <!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
 <!-- gh-md-toc --insert README.md -->
 <!--ts-->
-* [AWX Operator](#awx-operator)
-* [Table of Contents](#table-of-contents)
-   * [Purpose](#purpose)
-   * [Usage](#usage)
-      * [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
-      * [Basic Install](#basic-install)
-      * [Admin user account configuration](#admin-user-account-configuration)
-      * [Network and TLS Configuration](#network-and-tls-configuration)
-         * [Service Type](#service-type)
-         * [Ingress Type](#ingress-type)
-      * [Database Configuration](#database-configuration)
-         * [External PostgreSQL Service](#external-postgresql-service)
-         * [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
-         * [Managed PostgreSQL Service](#managed-postgresql-service)
-      * [Advanced Configuration](#advanced-configuration)
-         * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
-         * [Redis container capabilities](#redis-container-capabilities)
-         * [Privileged Tasks](#privileged-tasks)
-         * [Containers Resource Requirements](#containers-resource-requirements)
-         * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
-         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
-         * [Persisting Projects Directory](#persisting-projects-directory)
-         * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
-         * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
-            * [Control plane ee from private registry](#control-plane-ee-from-private-registry)
-         * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
-         * [Extra Settings](#extra-settings)
-         * [Service Account](#service-account)
-      * [Uninstall](#uninstall)
-      * [Upgrading](#upgrading)
-         * [v0.14.0](#v0140)
-            * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
-            * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
-            * [Steps to upgrade](#steps-to-upgrade)
-   * [Contributing](#contributing)
-   * [Release Process](#release-process)
-   * [Author](#author)
+- [AWX Operator](#awx-operator)
+- [Table of Contents](#table-of-contents)
+  - [Purpose](#purpose)
+  - [Usage](#usage)
+    - [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
+    - [Basic Install](#basic-install)
+    - [Admin user account configuration](#admin-user-account-configuration)
+    - [Network and TLS Configuration](#network-and-tls-configuration)
+      - [Service Type](#service-type)
+      - [Ingress Type](#ingress-type)
+    - [Database Configuration](#database-configuration)
+      - [External PostgreSQL Service](#external-postgresql-service)
+      - [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
+      - [Managed PostgreSQL Service](#managed-postgresql-service)
+    - [Advanced Configuration](#advanced-configuration)
+      - [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
+      - [Redis container capabilities](#redis-container-capabilities)
+      - [Privileged Tasks](#privileged-tasks)
+      - [Containers Resource Requirements](#containers-resource-requirements)
+      - [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
+      - [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+      - [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
+      - [Persisting Projects Directory](#persisting-projects-directory)
+      - [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
+      - [Default execution environments from private registries](#default-execution-environments-from-private-registries)
+        - [Control plane ee from private registry](#control-plane-ee-from-private-registry)
+      - [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+      - [Extra Settings](#extra-settings)
+      - [Service Account](#service-account)
+    - [Uninstall](#uninstall)
+    - [Upgrading](#upgrading)
+      - [v0.14.0](#v0140)
+        - [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
+        - [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
+        - [Steps to upgrade](#steps-to-upgrade)
+  - [Contributing](#contributing)
+  - [Release Process](#release-process)
+  - [Author](#author)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
 <!--te-->

 ## Purpose
@@ -134,7 +137,7 @@ Install the manifests by running this:

 ```
 $ kustomize build . | kubectl apply -f -
-namespace/machaffe created
+namespace/awx created
 customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
 customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
@@ -233,8 +236,6 @@ You just completed the most basic install of an AWX instance via this operator.

 For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).

-[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
-

 ### Admin user account configuration

@@ -434,14 +435,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can

 The following variables are customizable for the managed PostgreSQL service

-| Name                                          | Description                                   | Default                           |
-| --------------------------------------------- | --------------------------------------------- | --------------------------------- |
-| postgres_image                                | Path of the image to pull                     | postgres:12                       |
-| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {}                      |
-| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {}                      |
-| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}          |
-| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                      |
-| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata` |
+| Name                                          | Description                                   | Default                            |
+| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
+| postgres_image                                | Path of the image to pull                     | postgres:12                        |
+| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_resource_requirements                | PostgreSQL container resource requirements    | requests: {cpu: 10m, memory: 64Mi} |
+| postgres_storage_requirements                 | PostgreSQL container storage requirements     | requests: {storage: 8Gi}           |
+| postgres_storage_class                        | PostgreSQL PV storage class                   | Empty string                       |
+| postgres_data_path                            | PostgreSQL data path                          | `/var/lib/postgresql/data/pgdata`  |
+| postgres_priority_class                       | Priority class used for PostgreSQL pod        | Empty string                       |

 Example of customization could be:

@@ -480,7 +482,7 @@ There are a few variables that are customizable for awx the image management.
 | image               | Path of the image to pull |
 | image_version       | Image version to pull     |
 | image_pull_policy   | The pull policy to adopt  |
-| image_pull_secret   | The pull secret to use    |
+| image_pull_secrets  | The pull secrets to use   |
 | ee_images           | A list of EEs to register |
 | redis_image         | Path of the image to pull |
 | redis_image_version | Image version to pull     |
@@ -494,7 +496,8 @@ spec:
  image: myorg/my-custom-awx
  image_version: latest
  image_pull_policy: Always
-  image_pull_secret: pull_secret_name
+  image_pull_secrets:
+    - pull_secret_name
  ee_images:
    - name: my-custom-awx-ee
      image: myorg/my-custom-awx-ee
@@ -540,11 +543,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to

 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).

-| Name                       | Description                                      | Default                             |
-| -------------------------- | ------------------------------------------------ | ----------------------------------- |
-| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 1000m, memory: 2Gi} |
-| task_resource_requirements | Task container resource requirements             | requests: {cpu: 500m, memory: 1Gi}  |
-| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi}  |
+| Name                       | Description                                      | Default                              |
+| -------------------------- | ------------------------------------------------ | ------------------------------------ |
+| web_resource_requirements  | Web container resource requirements              | requests: {cpu: 100m, memory: 128Mi} |
+| task_resource_requirements | Task container resource requirements             | requests: {cpu: 100m, memory: 128Mi} |
+| ee_resource_requirements   | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |

 Example of customization could be:

@@ -554,27 +557,45 @@ spec:
  ...
  web_resource_requirements:
    requests:
-      cpu: 1000m
+      cpu: 250m
      memory: 2Gi
    limits:
-      cpu: 2000m
+      cpu: 1000m
      memory: 4Gi
  task_resource_requirements:
    requests:
-      cpu: 500m
+      cpu: 250m
      memory: 1Gi
    limits:
-      cpu: 1000m
+      cpu: 2000m
      memory: 2Gi
  ee_resource_requirements:
    requests:
-      cpu: 500m
-      memory: 1Gi
+      cpu: 250m
+      memory: 100Mi
    limits:
-      cpu: 1000m
+      cpu: 500m
      memory: 2Gi
 ```

+#### Priority Classes
+
+The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
+First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
+Then set the name of your priority class to the control plane and postgres pods as shown below.  
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  ...
+  control_plane_priority_class: awx-demo-high-priority
+  postgres_priority_class: awx-demo-medium-priority
+```
+
 #### Assigning AWX pods to specific nodes

 You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
@@ -634,11 +655,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v
 Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).


-| Name                 | Description                            | Default |
-| -------------------- | -------------------------------------- | ------- |
-| ldap_cacert_secret   | LDAP Certificate Authority secret name | ''      |
-| bundle_cacert_secret | Certificate Authority secret name      | ''      |
-
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.

 Example of customization could be:
@@ -648,10 +669,13 @@ Example of customization could be:
 spec:
  ...
  ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
  bundle_cacert_secret: <resourcename>-custom-certs
 ```

-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret

 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -659,6 +683,66 @@ To create the secret, you can use the command below:
    --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```

+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory

 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
@@ -788,7 +872,7 @@ type: Opaque
 ```

 ##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.

 You can create `image_pull_secret`
 ```
@@ -837,6 +921,36 @@ Example configuration of environment variables
        value: foo
 ```

+#### CSRF Cookie Secure Setting
+
+With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name               | Description        | Default |
+| ------------------ | ------------------ | ------- |
+| csrf_cookie_secure | CSRF Cookie Secure | ''      |
+
+Example configuration of the `csrf_cookie_secure` setting:
+
+```yaml
+  spec:
+    csrf_cookie_secure: 'False'
+```
+
+#### Session Cookie Secure Setting
+
+With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
+
+| Name                  | Description           | Default |
+| --------------------- | --------------------- | ------- |
+| session_cookie_secure | Session Cookie Secure | ''      |
+
+Example configuration of the `session_cookie_secure` setting:
+
+```yaml
+  spec:
+    session_cookie_secure: 'False'
+```
+
 #### Extra Settings

 With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings`  will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -165,6 +165,9 @@ spec:
                control_plane_ee_image:
                  description: Registry path to the Execution Environment container image to use on control plane pods
                  type: string
+                control_plane_priority_class:
+                  description: Assign a preexisting priority class to the control plane pods
+                  type: string
                ee_pull_credentials_secret:
                  description: Secret where pull credentials for registered ees can be found
                  type: string
@@ -179,8 +182,13 @@ spec:
                    - never
                    - IfNotPresent
                    - ifnotpresent
-                image_pull_secret:
-                  description: The image pull secret
+                image_pull_secrets:
+                  description: Image pull secrets for app and database containers
+                  type: array
+                  items:
+                    type: string
+                image_pull_secret:  # deprecated
+                  description: (Deprecated) Image pull secret for app and database containers
                  type: string
                task_resource_requirements:
                  description: Resource requirements for the task container
@@ -387,6 +395,9 @@ spec:
                postgres_storage_class:
                  description: Storage class to use for the PostgreSQL PVC
                  type: string
+                postgres_priority_class:
+                  description: Assign a preexisting priority class to the postgres pod
+                  type: string
                postgres_data_path:
                  description: Path where the PostgreSQL data are located
                  type: string
@@ -403,6 +414,9 @@ spec:
                ldap_cacert_secret:
                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                  type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                bundle_cacert_secret:
                  description: Secret where can be found the trusted Certificate Authority Bundle
                  type: string
@@ -430,6 +444,12 @@ spec:
                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
                  default: ReadWriteMany
                  type: string
+                csrf_cookie_secure:
+                  description: Set csrf cookie secure mode for web
+                  type: string
+                session_cookie_secure:
+                  description: Set session cookie secure mode for web
+                  type: string
                extra_settings:
                  description: Extra settings to specify for the API
                  items:
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -55,4 +55,6 @@ spec:
            initialDelaySeconds: 5
            periodSeconds: 10
      serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: ansible-deployment-pull-secret
      terminationGracePeriodSeconds: 10
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -252,8 +252,8 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
-      - displayName: Image Pull Secret
-        path: image_pull_secret
+      - displayName: Image Pull Secrets
+        path: image_pull_secrets
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:io.kubernetes:Secret
@@ -554,6 +554,16 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: CSRF cookie secure setting
+        path: csrf_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Session cookie secure setting
+        path: session_cookie_secure
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
      - displayName: API Extra Settings
        path: extra_settings
        x-descriptors:
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```
--- a/molecule/default/templates/awx_cr_molecule.yml.j2
+++ b/molecule/default/templates/awx_cr_molecule.yml.j2
@@ -15,13 +15,15 @@ spec:
    kubernetes.io/ingress.class: nginx
  web_resource_requirements:
    requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 100m
+      memory: 32M
  task_resource_requirements:
    requests:
-      cpu: 250m
-      memory: 128M
+      cpu: 100m
+      memory: 32M
  ee_resource_requirements:
    requests:
      cpu: 200m
-      memory: 64M
+      memory: 32M
+  postgres_resource_requirements: {}
+  postgres_init_container_resource_requirements: {}
--- a/roles/backup/tasks/postgres.yml
+++ b/roles/backup/tasks/postgres.yml
@@ -39,6 +39,7 @@
      until:
        - "postgres_pod['resources'] | length"
        - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+        - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
      delay: 5
      retries: 60

--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -21,9 +21,21 @@
    - ingress_tls_secret
    - ldap_cacert_secret
    - bundle_cacert_secret
-    - image_pull_secret
    - ee_pull_credentials_secret

+# image_pull_secret is deprecated in favor of image_pull_secrets
+- name: Dump image_pull_secret into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secret
+  when: image_pull_secret is defined
+
+- name: Dump image_pull_secrets into file
+  include_tasks: dump_secret.yml
+  with_items:
+    - image_pull_secrets
+  when: image_pull_secrets | default([]) | length
+
 - name: Nest secrets under a single variable
  set_fact:
    secrets: {"secrets": '{{ secret_dict }}'}
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -133,7 +133,7 @@ _postgres_image_version: 12
 _init_container_image: quay.io/centos/centos
 _init_container_image_version: stream8
 image_pull_policy: IfNotPresent
-image_pull_secret: ''
+image_pull_secrets: []

 # Extra commands which will be appended to the initContainer
 # Make sure that each command entered return an exit code 0
@@ -169,19 +169,25 @@ web_command: []

 task_resource_requirements:
  requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 128Mi

 web_resource_requirements:
  requests:
-    cpu: 1000m
-    memory: 2Gi
+    cpu: 100m
+    memory: 128Mi

 ee_resource_requirements:
  requests:
-    cpu: 500m
-    memory: 1Gi
+    cpu: 100m
+    memory: 64Mi

+# Customize CSRF options
+csrf_cookie_secure: False
+session_cookie_secure: False
+
+# Assign a preexisting priority class to the control plane pods
+control_plane_priority_class: ''
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -222,8 +228,16 @@ postgres_tolerations: ''
 postgres_storage_requirements:
  requests:
    storage: 8Gi
-postgres_init_container_resource_requirements: {}
-postgres_resource_requirements: {}
+postgres_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+postgres_init_container_resource_requirements:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+# Assign a preexisting priority class to the postgres pod
+postgres_priority_class: ''
 postgres_data_path: '/var/lib/postgresql/data/pgdata'

 # Persistence to the AWX project data folder
@@ -247,6 +261,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''

+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''

--- a/roles/installer/tasks/database_configuration.yml
+++ b/roles/installer/tasks/database_configuration.yml
@@ -153,6 +153,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60
  when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
--- a/roles/installer/tasks/initialize_django.yml
+++ b/roles/installer/tasks/initialize_django.yml
@@ -13,18 +13,6 @@
  register: users_result
  changed_when: users_result.return_code > 0

- name: Update super user password via Django if it does exist (same password is a noop)
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
-  register: update_pw_result
-  changed_when: users_result.stdout == 'Password not updated'
-  no_log: true
-  when: users_result.return_code == 0
-
 - name: Create super user via Django if it doesn't exist.
  k8s_exec:
    namespace: "{{ ansible_operator_meta.namespace }}"
@@ -37,17 +25,6 @@
  no_log: true
  when: users_result.return_code > 0

- name: Create preload data if necessary.  # noqa 305
-  k8s_exec:
-    namespace: "{{ ansible_operator_meta.namespace }}"
-    pod: "{{ tower_pod_name }}"
-    container: "{{ ansible_operator_meta.name }}-task"
-    command: >-
-      bash -c "awx-manage create_preload_data"
-  register: cdo
-  changed_when: "'added' in cdo.stdout"
-  when: create_preload_data | bool
-
 - name: Check if legacy queue is present
  k8s_exec:
    namespace: "{{ ansible_operator_meta.namespace }}"
@@ -118,3 +95,14 @@
      changed_when: "'changed: True' in ree.stdout"
      no_log: true
  when: _execution_environments_pull_credentials['resources'] | default([]) | length
+
+- name: Create preload data if necessary.  # noqa 305
+  k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ tower_pod_name }}"
+    container: "{{ ansible_operator_meta.name }}-task"
+    command: >-
+      bash -c "awx-manage create_preload_data"
+  register: cdo
+  changed_when: "'added' in cdo.stdout"
+  when: create_preload_data | bool
--- a/roles/installer/tasks/load_ldap_password_secret.yml
+++ b/roles/installer/tasks/load_ldap_password_secret.yml
@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: true
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: true
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -25,6 +25,11 @@
  when:
    - ldap_cacert_secret != ''

+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
  include_tasks: load_bundle_cacert_secret.yml
  when:
--- a/roles/installer/tasks/migrate_data.yml
+++ b/roles/installer/tasks/migrate_data.yml
@@ -29,6 +29,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60

--- a/roles/installer/tasks/resources_configuration.yml
+++ b/roles/installer/tasks/resources_configuration.yml
@@ -17,6 +17,16 @@
  set_fact:
    tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"

+- name: Set user provided control plane ee image
+  set_fact:
+    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
+  when:
+    - control_plane_ee_image | default([]) | length
+
+- name: Set Control Plane EE image URL
+  set_fact:
+    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
+
 - name: Apply Resources
  k8s:
    apply: yes
@@ -62,16 +72,6 @@
  set_fact:
    _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"

- name: Set user provided control plane ee image
-  set_fact:
-    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
-  when:
-    - control_plane_ee_image | default([]) | length
-
- name: Set Control Plane EE image URL
-  set_fact:
-    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
-
 - name: Apply deployment resources
  k8s:
    apply: yes
--- a/roles/installer/templates/config.yaml.j2
+++ b/roles/installer/templates/config.yaml.j2
@@ -60,8 +60,8 @@ data:
    CLUSTER_HOST_ID = socket.gethostname()
    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
    
-    CSRF_COOKIE_SECURE = False
-    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
    
    SERVER_EMAIL = 'root@localhost'
    DEFAULT_FROM_EMAIL = 'webmaster@localhost'
--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
@@ -33,9 +33,17 @@ spec:
 {% endif %}
    spec:
      serviceAccountName: '{{ ansible_operator_meta.name }}'
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if control_plane_priority_class is defined %}
+      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
      initContainers:
 {% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
--- a/roles/installer/templates/postgres.yaml.j2
+++ b/roles/installer/templates/postgres.yaml.j2
@@ -33,9 +33,17 @@ spec:
        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
    spec:
-{% if image_pull_secret %}
+{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% elif image_pull_secrets | length > 0 %}
+      imagePullSecrets:
+{% for secret in image_pull_secrets %}
+        - name: {{ secret }}
+{% endfor %}
+{% endif %}
+{% if postgres_priority_class is defined %}
+      priorityClassName: '{{ postgres_priority_class }}'
 {% endif %}
      initContainers:
        - name: database-check
--- a/roles/restore/tasks/postgres.yml
+++ b/roles/restore/tasks/postgres.yml
@@ -37,6 +37,7 @@
  until:
    - "postgres_pod['resources'] | length"
    - "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+    - "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
  delay: 5
  retries: 60
Author	SHA1	Message	Date
Christian Adams	3da427f31d	Look for a specific pull secret when deployed in certain cloud environments (#894 )	2022-04-27 15:44:10 -04:00
Shane McDonald	9f2b51a6a9	Fix mistake in debugging docs	2022-04-25 16:32:50 -04:00
Hung Tran	5b73ad172e	Load LDAP password from secret and update guideline (#659 ) * Load LDAP password from secret and update guideline * Add pod_labels for custom pod labels Signed-off-by: Loc Mai <lmai@axon.com> * Omit tls secret if using wildcard cert * Resolve conflicts * Remove the ingress changes * Remove the config changes * Load LDAP password from secret and update guideline * Omit tls secret if using wildcard cert * Resolve conflicts * Remove the ingress changes * Remove the config changes Co-authored-by: hungts <hungts@axon.com> Co-authored-by: Loc Mai <lmai@axon.com> Co-authored-by: Max Bidlingmaier <Max-Florian.Bidlingmaier@sap.com> Co-authored-by: Max Bidlingmaier <maks@konsolan.de>	2022-04-25 16:16:10 -04:00
Shane McDonald	2227301707	Merge pull request #888 from shanemcd/debugging-docs Add docs/debugging.md	2022-04-25 16:11:21 -04:00
Shane McDonald	9f63fc0da5	Add docs/debugging.md	2022-04-25 16:02:30 -04:00
Seth Foster	322aea970d	Merge pull request #886 from fosterseth/make_csrf_settings_boolean Render cookie settings as a boolean	2022-04-25 15:45:42 -04:00
Seth Foster	c4bef95662	Render cookie settings as a boolean	2022-04-25 15:31:09 -04:00
Seth Foster	7fd5083c16	Merge pull request #862 from fosterseth/add_priorityclass_option Add priority class options to high priority pods	2022-04-21 15:40:55 -04:00
Christian M. Adams	daf15a93bf	Reduce the resources requests for CI runs * GitHub Workflows run in a resource constrained environment, we were asking too much of it, so pods never got scheduled.	2022-04-21 15:10:09 -04:00
Christian M. Adams	dfa0f6d45e	Add docs for priority classes & fix typo	2022-04-21 11:59:15 -04:00
Christian M. Adams	21062f0708	Add default resource requests for postgres containers	2022-04-18 12:30:02 -04:00
Seth Foster	5372771bac	Add priority class options to high priority pods - Add postgres_priority_class - Add control_plane_priority_class - Add default requests for postgres pod to ensure at a "Burstable" QoS	2022-04-18 12:29:54 -04:00
Mac Chaffee	8df0969e6a	Fix namespace name in readme (#868 ) Signed-off-by: Mac Chaffee <machaffe@renci.org>	2022-04-15 16:08:43 -04:00
Jeremy Kimber	5af7e7f4b9	Ensure custom control plane EE is defined prior to creation of application credentials (#873 ) Co-authored-by: Jeremy Kimber <jeremy.kimber@garmin.com>	2022-04-15 16:04:47 -04:00
Christian Adams	d8f91d112e	Stop updating the admin user password (#874 ) * This is overwriting changes the user makes to the admin password via the app itself	2022-04-14 16:35:37 -04:00
Christian Adams	379552218d	Add back image_pull_secret field for backwards compatibility (#870 )	2022-04-14 13:25:54 -04:00
David Luong	1686875321	Customize CSRF options (#825 )	2022-04-13 19:42:07 -04:00
Christian Adams	1b41d945e6	Check if image_pull_secrets variable is defined (#865 ) * Do not attempt to backup secret if none are defined	2022-04-11 11:10:09 -04:00
Dragutan Alexandr	5e81729bc9	Update README.md (#858 ) cut off svg-content, link preserverd.	2022-04-06 21:39:49 -04:00
Christian Adams	575e594314	Wait for the postgres pod to enter the ready state before starting containers (#861 )	2022-04-06 08:29:53 -04:00
Christian Adams	5f76d4917e	Enable setting a list of image_pull_secrets (#860 ) When there are e.g. multiple authenticated container registries used we need to be able to add multiple imagePullSecrets to the k8s resource Co-authored-by: Maximilian Meister <maximilian.meister@pm.me>	2022-04-05 11:51:21 -04:00
gamuniz	94c5c41a24	reording the django tasks to avoid race condition aap-2847 (#855 ) * Reorder the django init tasks to avoid race condition - aap-2847	2022-04-01 14:55:57 -04:00