Look for a specific pull secret when deployed in certain cloud environments (#894)

* Load LDAP password from secret and update guideline

* Add pod_labels for custom pod labels

Signed-off-by: Loc Mai <lmai@axon.com>

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

* Load LDAP password from secret and update guideline

* Omit tls secret if using wildcard cert

* Resolve conflicts

* Remove the ingress changes

* Remove the config changes

Co-authored-by: hungts <hungts@axon.com>
Co-authored-by: Loc Mai <lmai@axon.com>
Co-authored-by: Max Bidlingmaier <Max-Florian.Bidlingmaier@sap.com>
Co-authored-by: Max Bidlingmaier <maks@konsolan.de>

README.md

@@ -8,45 +8,46 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
 <!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
 <!-- gh-md-toc --insert README.md -->
 <!--ts-->
-* [AWX Operator](#awx-operator)
-* [Table of Contents](#table-of-contents)
-   * [Purpose](#purpose)
-   * [Usage](#usage)
-      * [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
-      * [Basic Install](#basic-install)
-      * [Admin user account configuration](#admin-user-account-configuration)
-      * [Network and TLS Configuration](#network-and-tls-configuration)
-         * [Service Type](#service-type)
-         * [Ingress Type](#ingress-type)
-      * [Database Configuration](#database-configuration)
-         * [External PostgreSQL Service](#external-postgresql-service)
-         * [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
-         * [Managed PostgreSQL Service](#managed-postgresql-service)
-      * [Advanced Configuration](#advanced-configuration)
-         * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
-         * [Redis container capabilities](#redis-container-capabilities)
-         * [Privileged Tasks](#privileged-tasks)
-         * [Containers Resource Requirements](#containers-resource-requirements)
-         * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
-         * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
-         * [Persisting Projects Directory](#persisting-projects-directory)
-         * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
-         * [Default execution environments from private registries](#default-execution-environments-from-private-registries)
-            * [Control plane ee from private registry](#control-plane-ee-from-private-registry)
-         * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
-         * [CSRF Cookie Secure](#csrf-cookie-secure-setting)
-         * [Session Cookie Secure](#session-cookie-secure-setting)
-         * [Extra Settings](#extra-settings)
-         * [Service Account](#service-account)
-      * [Uninstall](#uninstall)
-      * [Upgrading](#upgrading)
-         * [v0.14.0](#v0140)
-            * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
-            * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
-            * [Steps to upgrade](#steps-to-upgrade)
-   * [Contributing](#contributing)
-   * [Release Process](#release-process)
-   * [Author](#author)
+- [AWX Operator](#awx-operator)
+- [Table of Contents](#table-of-contents)
+  - [Purpose](#purpose)
+  - [Usage](#usage)
+    - [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
+    - [Basic Install](#basic-install)
+    - [Admin user account configuration](#admin-user-account-configuration)
+    - [Network and TLS Configuration](#network-and-tls-configuration)
+      - [Service Type](#service-type)
+      - [Ingress Type](#ingress-type)
+    - [Database Configuration](#database-configuration)
+      - [External PostgreSQL Service](#external-postgresql-service)
+      - [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
+      - [Managed PostgreSQL Service](#managed-postgresql-service)
+    - [Advanced Configuration](#advanced-configuration)
+      - [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
+      - [Redis container capabilities](#redis-container-capabilities)
+      - [Privileged Tasks](#privileged-tasks)
+      - [Containers Resource Requirements](#containers-resource-requirements)
+      - [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
+      - [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
+      - [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
+      - [Persisting Projects Directory](#persisting-projects-directory)
+      - [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
+      - [Default execution environments from private registries](#default-execution-environments-from-private-registries)
+        - [Control plane ee from private registry](#control-plane-ee-from-private-registry)
+      - [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
+      - [Extra Settings](#extra-settings)
+      - [Service Account](#service-account)
+    - [Uninstall](#uninstall)
+    - [Upgrading](#upgrading)
+      - [v0.14.0](#v0140)
+        - [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
+        - [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
+        - [Steps to upgrade](#steps-to-upgrade)
+  - [Contributing](#contributing)
+  - [Release Process](#release-process)
+  - [Author](#author)
+
+<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
 <!--te-->
 
 ## Purpose
@@ -654,11 +655,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v
 Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376).
 
 
-| Name                 | Description                            | Default |
-| -------------------- | -------------------------------------- | ------- |
-| ldap_cacert_secret   | LDAP Certificate Authority secret name | ''      |
-| bundle_cacert_secret | Certificate Authority secret name      | ''      |
-
+| Name                             | Description                              | Default |
+| -------------------------------- | ---------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name   |  ''     |
+| ldap_password_secret             | LDAP BIND DN Password secret name        |  ''     |
+| bundle_cacert_secret             | Certificate Authority secret name        |  ''     |
 Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
 
 Example of customization could be:
@@ -668,10 +669,13 @@ Example of customization could be:
 spec:
   ...
   ldap_cacert_secret: <resourcename>-custom-certs
+  ldap_password_secret: <resourcename>-ldap-password
   bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
-To create the secret, you can use the command below:
+To create the secrets, you can use the commands below:
+
+* Certificate Authority secret
 
 ```
 # kubectl create secret generic <resourcename>-custom-certs \
@@ -679,6 +683,66 @@ To create the secret, you can use the command below:
     --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
+* LDAP BIND DN Password secret
+
+```
+# kubectl create secret generic <resourcename>-ldap-password \
+    --from-literal=ldap-password=<your_ldap_dn_password>
+```
+
+#### Enabling LDAP Integration at AWX bootstrap
+
+A sample of extra settings can be found as below:
+
+```yaml
+    - setting: AUTH_LDAP_SERVER_URI
+      value: >-
+        "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
+
+    - setting: AUTH_LDAP_BIND_DN
+      value: >-
+        "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
+
+    - setting: AUTH_LDAP_USER_SEARCH
+      value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
+
+    - setting: AUTH_LDAP_GROUP_SEARCH
+      value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
+
+    - setting: AUTH_LDAP_USER_ATTR_MAP
+      value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
+
+    - setting: AUTH_LDAP_REQUIRE_GROUP
+      value: >-
+        "CN=operators,OU=Groups,DC=abc,DC=com"
+    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
+      value: {
+        "is_superuser": [
+          "CN=admin,OU=Groups,DC=abc,DC=com"
+        ]
+      }
+
+
+    - setting: AUTH_LDAP_ORGANIZATION_MAP
+      value: {
+        "abc": {
+          "admins": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "remove_users": false,
+          "remove_admins": false,
+          "users": true
+        }
+      }
+
+    - setting: AUTH_LDAP_TEAM_MAP
+      value: {
+        "admin": {
+          "remove": true,
+          "users": "CN=admin,OU=Groups,DC=abc,DC=com",
+          "organization": "abc"
+        }
+      }
+```
+
 #### Persisting Projects Directory
 
 In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -414,6 +414,9 @@ spec:
                 ldap_cacert_secret:
                   description: Secret where can be found the LDAP trusted Certificate Authority Bundle
                   type: string
+                ldap_password_secret:
+                  description: Secret where can be found the LDAP bind password
+                  type: string
                 bundle_cacert_secret:
                   description: Secret where can be found the trusted Certificate Authority Bundle
                   type: string

config/manager/manager.yaml

@@ -55,4 +55,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 10
       serviceAccountName: controller-manager
+      imagePullSecrets:
+        - name: ansible-deployment-pull-secret
       terminationGracePeriodSeconds: 10

docs/debugging.md

@@ -0,0 +1,51 @@
+# Iterating on the installer without deploying the operator
+
+Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
+
+Install some dependencies:
+
+```
+$ ansible-galaxy collection install -r molecule/requirements.yml
+$ pip install -r molecule/requirements.txt
+```
+
+To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
+
+```
+$ kubectl scale deployment awx-operator-controller-manager --replicas=0
+```
+
+Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
+
+```yaml
+# run.yml
+---
+- hosts: localhost
+  roles:
+    - installer
+```
+
+Create a vars file:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+```
+
+Run the installer:
+
+```
+$ ansible-playbook run.yml -e @vars.yml -v
+```
+
+Grab the URL and admin password:
+
+```
+$ minikube service awx-service --url -n awx
+$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
+LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
+```

roles/installer/defaults/main.yml

@@ -261,6 +261,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''
 
+# Secret to lookup that provides the LDAP bind password
+ldap_password_secret: ''
+
 # Secret to lookup that provides the custom CA trusted bundle
 bundle_cacert_secret: ''
 

roles/installer/tasks/load_ldap_password_secret.yml

@@ -0,0 +1,14 @@
+---
+- name: Retrieve LDAP bind password Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ldap_password_secret }}'
+  register: ldap_password
+  no_log: true
+
+- name: Load LDAP bind password Secret content
+  set_fact:
+    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
+  no_log: true
+  when: '"ldap-password" in ldap_password["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -25,6 +25,11 @@
   when:
     - ldap_cacert_secret != ''
 
+- name: Load ldap bind password
+  include_tasks: load_ldap_password_secret.yml
+  when:
+    - ldap_password_secret != ''
+
 - name: Load bundle certificate authority certificate
   include_tasks: load_bundle_cacert_secret.yml
   when:

roles/installer/templates/config.yaml.j2

@@ -60,8 +60,8 @@ data:
     CLUSTER_HOST_ID = socket.gethostname()
     SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
     
-    CSRF_COOKIE_SECURE = '{{ csrf_cookie_secure }}'
-    SESSION_COOKIE_SECURE = '{{ session_cookie_secure }}'
+    CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
+    SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
     
     SERVER_EMAIL = 'root@localhost'
     DEFAULT_FROM_EMAIL = 'webmaster@localhost'