csv: Fix metrics utility fields (#1783)

The metrics utility fields were configured under the statusDescriptors
section rather than specDescriptors so displaying those fields in the
UI wasn't done correctly (not under the Advanced section nor using the
correct field type).

This also changes the `metrics_utility_configmap` descriptor from
`urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap` to
`urn:alm:descriptor:io.kubernetes:ConfigMap` because the first value
doesn't work.

Finally, all metrics utility fields are only displayed (in the Advanced
section) when `metrics_utility_enabled` is enabled (not default).

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-##### ISSUE TYPE
- - Bug Report
-
-##### SUMMARY
-<!-- Briefly describe the problem. -->
-
-##### ENVIRONMENT
-* AWX version: X.Y.Z
-* Operator version: X.Y.Z
-* Kubernetes version: 
-* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
-
-##### STEPS TO REPRODUCE
-
-<!-- Please describe exactly how to reproduce the problem. -->
-
-##### EXPECTED RESULTS
-
-<!-- What did you expect to happen when running the steps above? -->
-
-##### ACTUAL RESULTS
-
-<!-- What actually happened? -->
-
-##### ADDITIONAL INFORMATION
-
-<!-- Include any links to sosreport, database dumps, screenshots or other
-information. -->
-
-##### AWX-OPERATOR LOGS

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,125 @@
+---
+name: Bug Report
+description: "🐞 Create a report to help us improve"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Bug Report issues are for **concrete, actionable bugs** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Bug Summary
+      description: Briefly describe the problem.
+    validations:
+      required: false
+
+  - type: input
+    id: awx-operator-version
+    attributes:
+      label: AWX Operator version
+      description: What version of the AWX Operator are you running?
+    validations:
+      required: true
+
+  - type: input
+    id: awx-version
+    attributes:
+      label: AWX version
+      description: What version of AWX are you running?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Kubernetes platform
+      description: What platform did you install the Operator in?
+      multiple: false
+      options:
+        - kubernetes
+        - minikube
+        - openshift
+        - minishift
+        - docker development environment
+        - other (please specify in additional information)
+    validations:
+      required: true
+
+  - type: input
+    id: kube-version
+    attributes:
+      label: Kubernetes/Platform version
+      description: What version of your platform/kuberneties are you using?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: modified-architecture
+    attributes:
+      label: Modifications
+      description: >-
+       Have you modified the installation, deployment topology, or container images in any way? If yes, please
+       explain in the "additional information" field at the bottom of the form.
+      multiple: false
+      options:
+        - "no"
+        - "yes"
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to reproduce
+      description: >-
+        Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
+        on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-results
+    attributes:
+      label: Expected results
+      description: What did you expect to happpen when running the steps above?
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual-results
+    attributes:
+      label: Actual results
+      description: What actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional information
+      description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
+    validations:
+      required: false
+
+  - type: textarea
+    id: operator-logs
+    attributes:
+      label: Operator Logs
+      description: Include any relevant logs generated by the operator.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+---
+blank_issues_enabled: false
+contact_links:
+  - name: For debugging help or technical support
+    url: https://github.com/ansible/awx-operator#get-involved
+    about: For general debugging or technical support please see the Get Involved section of our readme.
+  - name: 📝 Ansible Code of Conduct
+    url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
+    about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
+  - name: 💼 For Enterprise
+    url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
+    about: Red Hat offers support for the Ansible Automation Platform

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+---
+name: ✨ Feature request
+description: Suggest an idea for this project
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Feature Request issues are for **feature requests** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Feature Summary
+      description: Briefly describe the desired enhancement.
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+##### SUMMARY
+<!--- Describe the change, including rationale and design decisions -->
+
+<!---
+If you are fixing an existing issue, please include "fixes #nnn" in your
+commit message and your description; but you should still explain what
+the change does.
+-->
+
+##### ISSUE TYPE
+<!--- Pick one below and delete the rest: -->
+ - Breaking Change 
+ - New or Enhanced Feature
+ - Bug, Docs Fix or other nominal change
+
+##### ADDITIONAL INFORMATION
+<!---
+Include additional information to help people understand the change here.
+For bugs that don't have a linked bug report, a step-by-step reproduction
+of the problem is helpful.
+-->
+
+<!--- Paste verbatim command output below, e.g. before and after your change -->
+```
+
+```

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/docs"
+    groups:
+      dependencies:
+        patterns:
+          - "*"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "component:docs"
+      - "dependencies"

.github/workflows/ci.yaml

@@ -4,21 +4,23 @@ name: CI
 
 on:
   pull_request:
-    branches: [devel]
-
   push:
-    branches: [devel]
 
 jobs:
-  pull_request:
-    runs-on: ubuntu-18.04
-    name: pull_request
+  molecule:
+    runs-on: ubuntu-latest
+    name: molecule
+    strategy:
+      matrix:
+        ansible_args:
+          - --skip-tags=replicas
+          - -t replicas
     env:
-      DOCKER_API_VERSION: "1.38"
+      DOCKER_API_VERSION: "1.41"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
         with:
           python-version: "3.8"
 
@@ -38,4 +40,62 @@ jobs:
         run: |
           sudo rm -f $(which kustomize)
           make kustomize
-          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+          KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind -- ${{ matrix.ansible_args }}
+  helm:
+    runs-on: ubuntu-latest
+    name: helm
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1.8.0
+
+      - name: Build operator image and load into kind
+        run: |
+          IMG=awx-operator-ci make docker-build
+          kind load docker-image --name chart-testing awx-operator-ci
+
+      - name: Patch pull policy for tests
+        run: |
+          kustomize edit add patch --path ../testing/pull_policy/Never.yaml
+        working-directory: config/default
+
+      - name: Build and lint helm chart
+        run: |
+          IMG=awx-operator-ci make helm-chart
+          helm lint ./charts/awx-operator
+
+      - name: Install kubeval
+        run: |
+          mkdir tmp && cd tmp
+          wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
+          tar xf kubeval-linux-amd64.tar.gz
+          sudo cp kubeval /usr/local/bin
+        working-directory: ./charts
+
+      - name: Run kubeval
+        run: |
+          helm template -n awx awx-operator > tmp/test.yaml
+          kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
+        working-directory: ./charts
+
+      - name: Install helm chart
+        run: |
+          helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
+  no-log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Check no_log statements
+        run: |
+          set +e
+          no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
+          if [ -n "${no_log}" ]; then
+            echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
+            echo "${no_log}"
+            exit 1
+          fi

.github/workflows/devel.yaml

@@ -8,20 +8,41 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     name: Push devel image
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - name: Build Image
+      - name: Fail if QUAY_REGISTRY not set
         run: |
-          IMG=awx-operator:devel make docker-build
+          if [[ -z "${{ vars.QUAY_REGISTRY }}" ]]; then
+            echo "QUAY_REGISTRY not set. Please set QUAY_REGISTRY in variable GitHub Actions variables."
+            exit 1
+          fi
 
-      - name: Push To Quay
-        uses: redhat-actions/push-to-registry@v2.1.1
+      - name: Log into registry ghcr.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
         with:
-          image: awx-operator
-          tags: devel
-          registry: quay.io/ansible/
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+
+      - name: Log into registry quay.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+        with:
+          registry: ${{ vars.QUAY_REGISTRY }}
           username: ${{ secrets.QUAY_USER }}
           password: ${{ secrets.QUAY_TOKEN }}
+
+
+      - name: Build and Store Image @ghcr
+        run: |
+          IMG=ghcr.io/${{ github.repository }}:${{ github.sha }} make docker-buildx
+
+
+      - name: Publish Image to quay.io
+        run: |
+          docker buildx imagetools create \
+            ghcr.io/${{ github.repository }}:${{ github.sha }} \
+            --tag ${{ vars.QUAY_REGISTRY }}/awx-operator:devel

.github/workflows/feature.yml

@@ -0,0 +1,56 @@
+---
+
+name: Feature Branch Image Build and Push
+
+on:
+  push:
+    branches: [feature_*]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    name: Push devel image
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # needed so that git describe --tag works
+
+      - name: Set VERSION
+        run: |
+          echo "VERSION=$(git describe --tags)" >>${GITHUB_ENV}
+
+      - name: Set lower case owner name
+        run: |
+          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
+        env:
+          OWNER: '${{ github.repository_owner }}'
+
+      - name: Set IMAGE_TAG_BASE
+        run: |
+          echo "IMAGE_TAG_BASE=ghcr.io/${OWNER_LC}/awx-operator" >>${GITHUB_ENV}
+
+      - name: Log in to registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build and Push awx-operator Image
+        run: |
+          make docker-build docker-push
+          docker tag ${IMAGE_TAG_BASE}:${VERSION} ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+
+      - name: Build bundle manifests
+        run: |
+          make bundle
+
+      - name: Build and Push awx-operator Bundle
+        run: |
+          make bundle-build bundle-push
+          docker tag ${IMAGE_TAG_BASE}-bundle:v${VERSION} ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+
+      - name: Build and Push awx-operator Catalog
+        run: |
+          make catalog-build catalog-push
+          docker tag ${IMAGE_TAG_BASE}-catalog:v${VERSION} ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}

.github/workflows/label_issue.yml

@@ -0,0 +1,54 @@
+---
+name: Label Issues
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label Issue - Needs Triage
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'
+
+  community:
+    runs-on: ubuntu-latest
+    name: Label Issue - Community
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/label_pr.yml

@@ -0,0 +1,40 @@
+name: Label PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  community:
+    runs-on: ubuntu-latest
+    name: Label PR - Community
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr_body_check.yml

@@ -0,0 +1,37 @@
+---
+name: PR Check
+env:
+  BRANCH: ${{ github.base_ref || 'devel' }}
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+jobs:
+  pr-check:
+    name: Scan PR description for semantic versioning keywords
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check for each of the lines
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "$PR_BODY" | grep "Bug, Docs Fix or other nominal change" > Z
+          echo "$PR_BODY" | grep "New or Enhanced Feature" > Y
+          echo "$PR_BODY" | grep "Breaking Change" > X
+          exit 0
+        # We exit 0 and set the shell to prevent the returns from the greps from failing this step
+        # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+        shell: bash {0}
+
+      - name: Check for exactly one item
+        run: |
+          if [ $(cat X Y Z | wc -l) != 1 ] ; then
+            echo "The PR body must contain exactly one of [ 'Bug, Docs Fix or other nominal change', 'New or Enhanced Feature', 'Breaking Change' ]"
+            echo "We counted $(cat X Y Z | wc -l)"
+            echo "See the default PR body for examples"
+            exit 255;
+          else
+            exit 0;
+          fi

.github/workflows/promote.yaml

@@ -3,23 +3,81 @@ name: Promote AWX Operator image
 on:
   release:
     types: [published]
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Name for the tag of the release.'
+        required: true
+      quay_registry:
+        description: 'Quay registry to push to.'
+        default: 'quay.io/ansible'
+
+env:
+  QUAY_REGISTRY: ${{ vars.QUAY_REGISTRY }}
 
 jobs:
   promote:
     runs-on: ubuntu-latest
     steps:
-      - name: Log in to GHCR
+      - name: Set GitHub Env vars for workflow_dispatch event
+        if: ${{ github.event_name == 'workflow_dispatch' }}
         run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+          echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
+          echo "QUAY_REGISTRY=${{ github.event.inputs.quay_registry }}" >> $GITHUB_ENV
 
-      - name: Log in to Quay
+      - name: Set GitHub Env vars if release event
+        if: ${{ github.event_name == 'release' }}
         run: |
-          echo ${{ secrets.QUAY_TOKEN }} | docker login quay.io -u ${{ secrets.QUAY_USER }} --password-stdin
+          echo "TAG_NAME=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
 
-      - name: Re-tag and promote awx-operator image
+      - name: Fail if QUAY_REGISTRY not set
         run: |
-          docker pull ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-          docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
-          docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
-          docker push quay.io/${{ github.repository }}:latest
+          if [[ -z "${{ env.QUAY_REGISTRY }}" ]]; then
+            echo "QUAY_REGISTRY not set. Please set QUAY_REGISTRY in variable GitHub Actions variables."
+            exit 1
+          fi
+
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
+
+      - name: Log into registry ghcr.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+
+      - name: Log into registry quay.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+        with:
+          registry: ${{ env.QUAY_REGISTRY }}
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+
+      - name: Pull Tagged Staged Image and Publish to quay.io
+        run: |
+          docker buildx imagetools create \
+            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
+            --tag ${{ env.QUAY_REGISTRY }}/awx-operator:${{ env.TAG_NAME }}
+
+
+      - name: Pull Staged Image and Publish to quay.io/${{ github.repository }}:latest
+        run: |
+          docker buildx imagetools create \
+            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
+            --tag ${{ env.QUAY_REGISTRY }}/awx-operator:latest
+
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=${{ env.QUAY_REGISTRY }}/awx-operator \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ env.TAG_NAME }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }} \
+            -e gh_user=${{ github.actor }} \
+            -e repo_type=https

.github/workflows/publish-helm.yml

@@ -0,0 +1,26 @@
+---
+name: Re-publish helm chart
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+        type: string
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ inputs.tag }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }} \
+            -e gh_user=${{ github.actor }} \
+            -e repo_type=https

.github/workflows/publish-operator-hub.yaml

@@ -0,0 +1,86 @@
+name: Publish AWX Operator on operator-hub
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Name for the tag of the release.'
+        required: true
+      operator_hub_fork:
+        description: 'Fork of operator-hub where the PR will be created from. default: awx-auto'
+        required: true
+        default: 'awx-auto'
+      image_registry:
+        description: 'Image registry where the image is published to. default: quay.io'
+        required: true
+        default: 'quay.io'
+      image_registry_organization:
+        description: 'Image registry organization where the image is published to. default: ansible'
+        required: true
+        default: 'ansible'
+      community_operator_github_org:
+        description: 'Github organization for community-opeartor project. default: k8s-operatorhub'
+        required: true
+        default: 'k8s-operatorhub'
+      community_operator_prod_github_org:
+        description: 'GitHub organization for community-operator-prod project. default: redhat-openshift-ecosystem'
+        required: true
+        default: 'redhat-openshift-ecosystem'
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set GITHUB_ENV from workflow_dispatch event
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        run: |
+          echo "VERSION=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
+          echo "IMAGE_REGISTRY=${{ github.event.inputs.image_registry }}" >> $GITHUB_ENV
+          echo "IMAGE_REGISTRY_ORGANIZATION=${{ github.event.inputs.image_registry_organization }}" >> $GITHUB_ENV
+          echo "COMMUNITY_OPERATOR_GITHUB_ORG=${{ github.event.inputs.community_operator_github_org }}" >> $GITHUB_ENV
+          echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${{ github.event.inputs.community_operator_prod_github_org }}" >> $GITHUB_ENV
+
+      - name: Set GITHUB_ENV for release event
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+          echo "IMAGE_REGISTRY=quay.io" >> $GITHUB_ENV
+          echo "IMAGE_REGISTRY_ORGANIZATION=ansible" >> $GITHUB_ENV
+          echo "COMMUNITY_OPERATOR_GITHUB_ORG=k8s-operatorhub" >> $GITHUB_ENV
+          echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=redhat-openshift-ecosystem" >> $GITHUB_ENV
+
+      - name: Log in to image registry
+        run: |
+          echo ${{ secrets.QUAY_TOKEN }} | docker login ${{ env.IMAGE_REGISTRY }} -u ${{ secrets.QUAY_USER }} --password-stdin
+
+      - name: Checkout awx-operator at workflow branch
+        uses: actions/checkout@v4
+        with:
+          path: awx-operator
+
+      - name: Checkout awx-opearator at ${{ env.VERSION }}
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          ref: ${{ env.VERSION }}
+          path: awx-operator-${{ env.VERSION }}
+          fetch-depth: 0  # fetch all history so that git describe works
+
+      - name: Copy scripts to awx-operator-${{ env.VERSION }}
+        run: |
+          cp -f \
+            awx-operator/hack/publish-to-operator-hub.sh \
+            awx-operator-${{ env.VERSION }}/hack/publish-to-operator-hub.sh
+          cp -f \
+            awx-operator/Makefile \
+            awx-operator-${{ env.VERSION }}/Makefile
+
+      - name: Build and publish bundle to operator-hub
+        working-directory: awx-operator-${{ env.VERSION }}
+        env:
+          IMG_REPOSITORY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REGISTRY_ORGANIZATION }}
+          GITHUB_TOKEN: ${{ secrets.AWX_AUTO_GITHUB_TOKEN }}
+        run: |
+          git config --global user.email "awx-automation@redhat.com"
+          git config --global user.name "AWX Automation"
+          ./hack/publish-to-operator-hub.sh

.github/workflows/stage.yml

@@ -37,14 +37,8 @@ jobs:
 
           exit 0
 
-      - name: Checkout awx
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ github.repository_owner }}/awx
-          path: awx
-
       - name: Checkout awx-operator
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ github.repository_owner }}/awx-operator
           path: awx-operator
@@ -53,17 +47,20 @@ jobs:
         run: |
           python3 -m pip install docker
 
-      - name: Log in to GHCR
-        run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Log into registry ghcr.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and stage awx-operator
+      - name: Stage awx-operator
         working-directory: awx-operator
         run: |
           BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }} \
-                      --build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
-          IMAGE_TAG_BASE=ghcr.io/${{ github.repository_owner }}/awx-operator \
-          VERSION=${{ github.event.inputs.version }} make docker-build docker-push
+              --build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
+          IMG=ghcr.io/${{ github.repository }}:${{ github.event.inputs.version }} \
+          make docker-buildx
 
       - name: Run test deployment
         working-directory: awx-operator
@@ -76,10 +73,12 @@ jobs:
         env:
           AWX_TEST_VERSION: ${{ github.event.inputs.default_awx_version }}
 
-      - name: Create draft release
-        working-directory: awx
-        run: |
-          ansible-playbook tools/ansible/stage.yml \
-            -e version=${{ github.event.inputs.version }} \
-            -e repo=${{ github.repository_owner }}/awx-operator \
-            -e github_token=${{ secrets.GITHUB_TOKEN }}
+      - name: Create Draft Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.event.inputs.version }}
+          release_name: Release ${{ github.event.inputs.version }}
+          draft: true

.github/workflows/triage_new.yml

@@ -1,22 +0,0 @@
----
-name: Triage
-
-on:
-  issues:
-    types:
-      - opened
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    name: Label
-
-    steps:
-      - name: Label issues
-        uses: github/issue-labeler@v2.4.1
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          not-before: 2021-12-07T07:00:00Z
-          configuration-path: .github/issue_labeler.yml
-          enable-versioned-regex: 0
-        if: github.event_name == 'issues'

.gitignore

@@ -1,6 +1,13 @@
 *~
+gh-pages/
 .cache/
 /bin
 /bundle
 /bundle_tmp*
 /bundle.Dockerfile
+/charts
+/.cr-release-packages
+.vscode/
+__pycache__
+/site
+venv/*

.helm/starter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.helm/starter/Chart.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Kubernetes
+name: starter
+type: application
+version: 0.1.0

.helm/starter/README.md

@@ -0,0 +1,366 @@
+# AWX Operator Helm Chart
+
+This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
+
+## Getting Started
+To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
+
+In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
+
+### Installing
+
+The operator's [helm install](https://ansible.readthedocs.io/projects/awx-operator/en/latest/installation/helm-install-on-existing-cluster.html) guide provides key installation instructions.
+
+Example:
+
+```bash
+helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
+```
+
+Argument breakdown:
+* `-f` passes in the file with your custom values
+* `-n` sets the namespace to be installed in
+  * This value is accessed by `{{ $.Release.Namespace }}` in the templates
+  * Acts as the default namespace for all unspecified resources
+* `--create-namespace` specifies that helm should create the namespace before installing
+
+To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
+
+### Caveats on upgrading existing installation
+
+There is no support at this time for upgrading or deleting CRDs using Helm.  See [helm documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) for additional detail.
+
+When upgrading to releases with CRD changes use the following command to update the CRDs
+
+```bash
+kubectl apply --server-side -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
+```
+
+If running above command results in an error like below:
+
+```text
+Apply failed with 1 conflict: conflict with "helm" using apiextensions.k8s.io/v1: .spec.versions
+Please review the fields above--they currently have other managers. Here
+are the ways you can resolve this warning:
+* If you intend to manage all of these fields, please re-run the apply
+  command with the `--force-conflicts` flag.
+* If you do not intend to manage all of the fields, please edit your
+  manifest to remove references to the fields that should keep their
+  current managers.
+* You may co-own fields by updating your manifest to match the existing
+  value; in this case, you'll become the manager if the other manager(s)
+  stop managing the field (remove it from their configuration).
+See https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts
+```
+
+Use `--force-conflicts` flag to resolve the conflict.
+
+```bash
+kubectl apply --server-side --force-conflicts -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
+```
+
+## Configuration
+The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
+
+These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
+
+### External Postgres
+The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
+
+### Additional Kubernetes Resources
+The `AWX.extraDeploy` section allows the creation of additional Kubernetes resources. This simplifies setups requiring additional objects that are used by AWX, e.g. using `ExternalSecrets` to create Kubernetes secrets.
+
+Resources are passed as an array, either as YAML or strings (literal "|"). The resources are passed through `tpl`, so templating is possible. Example:
+
+```yaml
+AWX:
+  # enable use of awx-deploy template
+  ...
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    ...
+
+extraDeploy:
+  - |
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: {{ .Release.Name }}-postgres-secret-string-example
+      namespace: {{ .Release.Namespace }}
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      secretStoreRef:
+        name: vault
+        kind: ClusterSecretStore
+      refreshInterval: "1h"
+      target:
+        name: postgres-configuration-secret-string-example
+        creationPolicy: "Owner"
+        deletionPolicy: "Delete"
+      dataFrom:
+        - extract:
+            key: awx/postgres-configuration-secret
+
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: "{{ .Release.Name }}-postgres-secret-yaml-example"
+      namespace: "{{ .Release.Namespace }}"
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      secretStoreRef:
+        name: vault
+        kind: ClusterSecretStore
+      refreshInterval: "1h"
+      target:
+        name: postgres-configuration-secret-yaml-example
+        creationPolicy: "Owner"
+        deletionPolicy: "Delete"
+      dataFrom:
+        - extract:
+            key: awx/postgres-configuration-secret
+```
+
+### Custom secrets
+The `customSecrets` section simplifies the creation of our custom secrets used during AWX deployment. Supplying the passwords this way is not recommended for production use, but may be helpful for initial PoC.
+
+If enabled, the configs provided will automatically used to create the respective secrets and linked at the CR spec level. For proper secret management, the sensitive values can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
+
+Example:
+
+```yaml
+AWX:
+  # enable use of awx-deploy template
+  ...
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    ...
+
+  customSecrets:
+    enabled: true
+    admin:
+      enabled: true
+      password: mysuperlongpassword
+      secretName: my-admin-password
+    secretKey:
+      enabled: true
+      key: supersecuresecretkey
+      secretName: my-awx-secret-key
+    ingressTls:
+      enabled: true
+      selfSignedCert: true
+      key: unset
+      certificate: unset
+    routeTls:
+      enabled: false
+      key: <contentoftheprivatekey>
+      certificate: <contentofthepublickey>
+    ldapCacert:
+      enabled: false
+      crt: <contentofmybundlecacrt>
+    ldap:
+      enabled: true
+      password: yourldapdnpassword
+    bundleCacert:
+      enabled: false
+      crt: <contentofmybundlecacrt>
+    eePullCredentials:
+      enabled: false
+      url: unset
+      username: unset
+      password: unset
+      sslVerify: true
+      secretName: my-ee-pull-credentials
+    cpPullCredentials:
+      enabled: false
+      dockerconfig:
+        - registry: https://index.docker.io/v1/
+          username: unset
+          password: unset
+      secretName: my-cp-pull-credentials
+```
+
+### Custom volumes
+The `customVolumes` section simplifies the creation of Persistent Volumes used when you want to store your databases and projects files on the cluster's Node. Since their backends are `hostPath`, the size specified are just like a label and there is no actual capacity limitation.
+
+You have to prepare directories for these volumes. For example:
+
+```bash
+sudo mkdir -p /data/postgres-13
+sudo mkdir -p /data/projects
+sudo chmod 755 /data/postgres-13
+sudo chown 1000:0 /data/projects
+```
+
+Example:
+
+```yaml
+AWX:
+  # enable use of awx-deploy template
+  ...
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    ...
+
+  customVolumes:
+    postgres:
+      enabled: true
+      hostPath: /data/postgres-13
+    projects:
+      enabled: true
+      hostPath: /data/projects
+      size: 1Gi
+```
+
+## Values Summary
+
+### AWX
+| Value | Description | Default |
+|---|---|---|
+| `AWX.enabled` | Enable this AWX resource configuration | `false` |
+| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
+| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
+| `AWX.postgres` | configurations for the external postgres secret | - |
+
+### extraDeploy
+| Value | Description | Default |
+|---|---|---|
+| `extraDeploy` | array of additional resources to be deployed (supports YAML or literal "\|") | - |
+
+### customSecrets
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.enabled` | Enable the secret resources configuration | `false` |
+| `customSecrets.admin` | Configurations for the secret that contains the admin user password | - |
+| `customSecrets.secretKey` | Configurations for the secret that contains the symmetric key for encryption | - |
+| `customSecrets.ingressTls` | Configurations for the secret that contains the TLS information when `ingress_type=ingress` | - |
+| `customSecrets.routeTls` |  Configurations for the secret that contains the TLS information when `ingress_type=route` (`route_tls_secret`) | - |
+| `customSecrets.ldapCacert` | Configurations for the secret that contains the LDAP Certificate Authority | - |
+| `customSecrets.ldap` | Configurations for the secret that contains the LDAP BIND DN password | - |
+| `customSecrets.bundleCacert` | Configurations for the secret that contains the Certificate Authority | - |
+| `customSecrets.eePullCredentials` | Configurations for the secret that contains the pull credentials for registered ees can be found | - |
+| `customSecrets.cpPullCredentials` | Configurations for the secret that contains the image pull credentials for app and database containers | - |
+
+
+Below the addition variables to customize the secret configuration.
+
+#### Admin user password secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.admin.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.admin.password` | Admin user password | - |
+| `customSecrets.admin.secretName` | Name of secret for `admin_password_secret` | `<resourcename>-admin-password>` |
+
+#### Secret Key secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.secretKey.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.secretKey.key` | Key is used to encrypt sensitive data in the database | - |
+| `customSecrets.secretKey.secretName` | Name of secret for `secret_key_secret` | `<resourcename>-secret-key` |
+
+#### Ingress TLS secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.ingressTls.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.ingressTls.selfSignedCert` | If `true`, an self-signed TLS certificate for `AWX.spec.hostname` will be create by helm | `false` |
+| `customSecrets.ingressTls.key` | Private key to use for TLS/SSL | - |
+| `customSecrets.ingressTls.certificate` | Certificate to use for TLS/SSL | - |
+| `customSecrets.ingressTls.secretName` | Name of secret for `ingress_tls_secret` | `<resourcename>-ingress-tls` |
+| `customSecrets.ingressTls.labels` | Array of labels for the secret | - |
+
+#### Route TLS secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.routeTls.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.routeTls.key` | Private key to use for TLS/SSL | - |
+| `customSecrets.routeTls.certificate` | Certificate to use for TLS/SSL | - |
+| `customSecrets.routeTls.secretName` | Name of secret for `route_tls_secret` | `<resourcename>-route-tls` |
+
+#### LDAP Certificate Authority secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.ldapCacert.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.ldapCacert.crt` | Bundle of CA Root Certificates | - |
+| `customSecrets.ldapCacert.secretName` | Name of secret for `ldap_cacert_secret` | `<resourcename>-custom-certs` |
+
+#### LDAP BIND DN Password secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.ldap.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.ldap.password` | LDAP BIND DN password | - |
+| `customSecrets.ldap.secretName` | Name of secret for `ldap_password_secret` | `<resourcename>-ldap-password` |
+
+#### Certificate Authority secret configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.bundleCacert.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.bundleCacert.crt` | Bundle of CA Root Certificates | - |
+| `customSecrets.bundleCacert.secretName` | Name of secret for `bundle_cacert_secret` | `<resourcename>-custom-certs` |
+
+#### Default EE pull secrets configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.eePullCredentials.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.eePullCredentials.url` | Registry url | - |
+| `customSecrets.eePullCredentials.username` | Username to connect as | - |
+| `customSecrets.eePullCredentials.password` | Password to connect with | - |
+| `customSecrets.eePullCredentials.sslVerify` | Whether verify ssl connection or not. | `true` |
+| `customSecrets.eePullCredentials.secretName` | Name of secret for `ee_pull_credentials_secret` | `<resourcename>-ee-pull-credentials` |
+
+#### Control Plane pull secrets configuration
+| Value | Description | Default |
+|---|---|---|
+| `customSecrets.cpPullCredentials.enabled` | If `true`, secret will be created | `false` |
+| `customSecrets.cpPullCredentials.dockerconfig` | Array of configurations for the Docker credentials that are used for accessing a registry | - |
+| `customSecrets.cpPullCredentials.dockerconfig[].registry` | Server location for Docker registry | `https://index.docker.io/v1/` |
+| `customSecrets.cpPullCredentials.dockerconfig[].username` | Username to connect as | - |
+| `customSecrets.cpPullCredentials.dockerconfig[].password` | Password to connect with | - |
+| `customSecrets.cpPullCredentials.secretName` |  Name of secret for `image_pull_secrets`| `<resoucename>-cp-pull-credentials` |
+
+### customVolumes
+
+#### Persistent Volume for databases postgres
+| Value | Description | Default |
+|---|---|---|
+| `customVolumes.postgres.enabled` | Enable the PV resource configuration for the postgres databases | `false` |
+| `customVolumes.postgres.hostPath` | Directory location on host | - |
+| `customVolumes.postgres.size` | Size of the volume | `8Gi` |
+| `customVolumes.postgres.accessModes` | Volume access mode | `ReadWriteOnce` |
+| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name for `postgres_storage_class` | `<resourcename>-postgres-volume` |
+
+#### Persistent Volume for projects files
+| Value | Description | Default |
+|---|---|---|
+| `customVolumes.projects.enabled` | Enable the PVC and PVC resources configuration for the projects files | `false` |
+| `customVolumes.projects.hostPath` | Directory location on host | - |
+| `customVolumes.projects.size` |  Size of the volume | `8Gi` |
+| `customVolumes.projects.accessModes` | Volume access mode | `ReadWriteOnce` |
+| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name | `<resourcename>-projects-volume` |
+
+# Contributing
+
+## Adding abstracted sections
+Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
+
+## Building and Testing
+This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
+
+## Future Goals
+All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
+
+
+# Chart Publishing
+
+The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
+
+Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
+
+Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.

.helm/starter/templates/_helpers.tpl

@@ -0,0 +1,6 @@
+{{/*
+Generate the name of the postgres secret, expects AWX context passed in
+*/}}
+{{- define "postgres.secretName" -}}
+{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
+{{- end }}

.helm/starter/templates/awx-deploy.yaml

@@ -0,0 +1,28 @@
+{{- if $.Values.AWX.enabled }}
+{{- with .Values.AWX }}
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+{{- /* Provide custom persistent volumes configs if enabled */}}
+{{- include "spec.storageClassNames" $ }}
+{{- /* Provide custom secrets configs if enabled */}}
+{{- include "spec.secrets" $ }}
+{{- /* Include raw map from the values file spec */}}
+{{ .spec | toYaml | indent 2 }}
+{{- /* Provide security context defaults */}}
+  {{- if not (hasKey .spec "security_context_settings") }}
+  security_context_settings:
+    runAsGroup: 0
+    runAsUser: 0
+    fsGroup: 0
+    fsGroupChangePolicy: OnRootMismatch
+  {{- end }}
+{{- /* Postgres configs if enabled and not already present */}}
+  {{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
+  postgres_configuration_secret: {{ include "postgres.secretName" $ }}
+  {{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/extra-list.yaml

@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+  {{- if typeIs "string" . }}
+    {{- tpl . $ }}
+  {{- else }}
+    {{- tpl (. | toYaml | nindent 0) $ }}
+  {{- end }}
+{{- end }}

.helm/starter/templates/postgres-config.yaml

@@ -0,0 +1,18 @@
+{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "postgres.secretName" . }}
+  namespace: {{ $.Release.Namespace }}
+{{- with $.Values.AWX.postgres }}
+stringData:
+  host: {{ .host }}
+  port: {{ .port | quote }}
+  database: {{ .dbName }}
+  username: {{ .username }}
+  password: {{ .password }}
+  sslmode: {{ .sslmode }}
+  type: {{ .type }}
+type: Opaque
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/_helpers.tpl

@@ -0,0 +1,170 @@
+{{/*
+Generate certificates for ingress
+*/}}
+{{- define "ingress.gen-certs" -}}
+{{- $ca := genCA "ingress-ca" 365 -}}
+{{- $cert := genSignedCert ( $.Values.AWX.spec.hostname | required "AWX.spec.hostname is required!" ) nil nil 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end -}}
+
+{{/*
+Generate the name of the secret that contains the admin user password
+*/}}
+{{- define "admin.secretName" -}}
+{{ default (printf "%s-admin-password" $.Values.AWX.name) (default $.Values.customSecrets.admin.secretName $.Values.AWX.spec.admin_password_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the TLS information when ingress_type=route
+*/}}
+{{- define "routeTls.secretName" -}}
+{{ default (printf "%s-route-tls" $.Values.AWX.name) (default $.Values.customSecrets.routeTls.secretName $.Values.AWX.spec.route_tls_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the TLS information when ingress_type=ingress
+*/}}
+{{- define "ingressTls.secretName" -}}
+{{ default (printf "%s-ingress-tls" $.Values.AWX.name) (default $.Values.customSecrets.ingressTls.secretName $.Values.AWX.spec.ingress_tls_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the LDAP Certificate Authority
+*/}}
+{{- define "ldapCacert.secretName" -}}
+{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.ldapCacert).secretName $.Values.AWX.spec.ldap_cacert_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the custom Certificate Authority
+*/}}
+{{- define "bundleCacert.secretName" -}}
+{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.bundleCacert).secretName $.Values.AWX.spec.bundle_cacert_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the LDAP BIND DN password
+*/}}
+{{- define "ldap.secretName" -}}
+{{ default (printf "%s-ldap-password" $.Values.AWX.name) (default $.Values.customSecrets.ldap.secretName $.Values.AWX.spec.ldap_password_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the symmetric key for encryption
+*/}}
+{{- define "secretKey.secretName" -}}
+{{ default (printf "%s-secret-key" $.Values.AWX.name) (default $.Values.customSecrets.secretKey.secretName $.Values.AWX.spec.secret_key_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the default execution environment pull credentials
+*/}}
+{{- define "eePullCredentials.secretName" -}}
+{{ default (printf "%s-ee-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.eePullCredentials.secretName $.Values.AWX.spec.ee_pull_credentials_secret) }}
+{{- end }}
+
+{{/*
+Generate the name of the secret that contains the default control plane pull credentials
+*/}}
+{{- define "cpPullCredentials.secretName" -}}
+{{ default (printf "%s-cp-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.cpPullCredentials.secretName $.Values.AWX.spec.image_pull_secrets) }}
+{{- end }}
+
+{{/*
+Generate the .dockerconfigjson file unencoded.
+*/}}
+{{- define "dockerconfigjson.b64dec" }}
+  {{- print "{\"auths\":{" }}
+  {{- range $index, $item := . }}
+    {{- if $index }}
+      {{- print "," }}
+    {{- end }}
+    {{- printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" (default "https://index.docker.io/v1/" $item.registry) $item.username $item.password (default "" $item.email) (printf "%s:%s" $item.username $item.password | b64enc) }}
+  {{- end }}
+  {{- print "}}" }}
+{{- end }}
+
+{{/*
+Generate the base64-encoded .dockerconfigjson.
+*/}}
+{{- define "dockerconfigjson.b64enc" }}
+  {{- $list := ternary (list .) . (kindIs "map" .) }}
+  {{- include "dockerconfigjson.required" $list }}
+  {{- include "dockerconfigjson.b64dec" $list | b64enc }}
+{{- end }}
+
+{{/*
+Required values for .dockerconfigjson
+*/}}
+{{- define "dockerconfigjson.required" -}}
+  {{- range . -}}
+    {{- $_ := required "cpPullCredentials.dockerconfigjson[].username is required!" .username -}}
+    {{- $_ := required "cpPullCredentials.dockerconfigjson[].password is required!" .password -}}
+  {{- end -}}
+  {{/* Check for registry uniqueness */}}
+  {{- $registries := list -}}
+  {{- range . -}}
+    {{- $registries = append $registries (default "https://index.docker.io/v1/" .registry) -}}
+  {{- end -}}
+  {{- $_ := required "All cpPullCredentials.dockerconfigjson[].registry's must be unique!" (or (eq (len $registries) (len ($registries | uniq))) nil) -}}
+{{- end -}}
+
+{{/*
+Generate the name of the secrets
+*/}}
+{{- define "spec.secrets" -}}
+{{- /* secret configs if enabled */}}
+{{- if hasKey $.Values "customSecrets" }}
+{{- with $.Values.customSecrets }}
+{{- if .enabled }}
+  {{- if hasKey . "admin" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "admin_password_secret")) .admin.enabled }}
+  admin_password_secret: {{ include "admin.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "secretKey" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "secret_key_secret")) .secretKey.enabled }}
+  secret_key_secret: {{ include "secretKey.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "routeTls" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "route_tls_secret")) .routeTls.enabled }}
+  route_tls_secret: {{ include "routeTls.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "ingressTls" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "ingress_tls_secret")) .ingressTls.enabled }}
+  ingress_tls_secret: {{ include "ingressTls.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "ldapCacert" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "ldap_cacert_secret")) .ldapCacert.enabled }}
+  ldap_cacert_secret: {{ include "ldapCacert.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "bundleCacert" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "bundle_cacert_secret")) .bundleCacert.enabled }}
+  bundle_cacert_secret: {{ include "bundleCacert.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "ldap" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "ldap_password_secret")) .ldap.enabled }}
+  ldap_password_secret: {{ include "ldap.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "eePullCredentials" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "ee_pull_credentials_secret")) .eePullCredentials.enabled }}
+  ee_pull_credentials_secret: {{ include "eePullCredentials.secretName" $ }}
+  {{- end }}
+  {{- end }}
+  {{- if hasKey . "cpPullCredentials" }}
+  {{- if and (not (hasKey $.Values.AWX.spec "image_pull_secrets")) .cpPullCredentials.enabled }}
+  image_pull_secrets:
+    - {{ include "cpPullCredentials.secretName" $ }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/admin-password-secret.yaml

@@ -0,0 +1,16 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "admin" }}
+{{- with $.Values.customSecrets.admin }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "admin.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+  password: {{ .password | required "customSecrets.admin.password is required!" | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/cp-pull-credentials-secret.yaml

@@ -0,0 +1,16 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "cpPullCredentials" }}
+{{- with $.Values.customSecrets.cpPullCredentials }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cpPullCredentials.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "dockerconfigjson.b64enc" .dockerconfig | required "customSecrets.cpPullCredentials.dockerconfig is required!" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/custom-certs-secret.yaml

@@ -0,0 +1,49 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- with .Values.customSecrets }}
+{{- $hasLdapCrt := (hasKey $.Values.customSecrets "ldapCacert") -}}
+{{- $hasBundleCrt := (hasKey . "bundleCacert") -}}
+{{- if or $hasLdapCrt $hasBundleCrt }}
+{{- $ldapCrtEnabled := ternary (.ldapCacert).enabled false $hasLdapCrt -}}
+{{- $bundleCrtEnabled := ternary (.bundleCacert).enabled false $hasBundleCrt -}}
+{{- $ldapSecretName := (include "ldapCacert.secretName" $) -}}
+{{- $bundleSecretName := (include "bundleCacert.secretName" $) -}}
+{{- if and (or $bundleCrtEnabled $ldapCrtEnabled) (eq $ldapSecretName $bundleSecretName) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $ldapSecretName }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+{{- if $ldapCrtEnabled }}
+  ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
+{{- end }}
+{{- if $bundleCrtEnabled }}
+  bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
+{{- end }}
+{{- else }}
+{{- if $ldapCrtEnabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $ldapSecretName }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+  ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
+{{- end }}
+{{- if $bundleCrtEnabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $bundleSecretName }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+  bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/ee-pull-credentials-secret.yaml

@@ -0,0 +1,19 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "eePullCredentials" }}
+{{- with $.Values.customSecrets.eePullCredentials }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "eePullCredentials.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+stringData:
+  url: {{ (required "customSecrets.eePullCredentials.url is required!" .url) | quote }}
+  username: {{ (required "customSecrets.eePullCredentials.username is required!" .username) | quote }}
+  password: {{ (required "customSecrets.eePullCredentials.password is required!" .password) | quote }}
+  ssl_verify: {{ or .sslVerify (eq (.sslVerify | toString) "<nil>") | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/ingress-tls-secret.yaml

@@ -0,0 +1,25 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "ingressTls" }}
+{{- with $.Values.customSecrets.ingressTls }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ingressTls.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+{{- if .labels }}
+  labels:
+{{ toYaml .labels | indent 4 }}
+{{- end }}
+type: kubernetes.io/tls
+data:
+{{- if .selfSignedCert }}
+{{ ( include "ingress.gen-certs" $ ) | indent 2 }}
+{{ else }}
+  tls.key: {{ (.key | required "customSecrets.ingressTls.key is required!") | b64enc }}
+  tls.crt: {{ (.certificate | required "customSecrets.ingressTls.certificate is required!") | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/ldap-password-secret.yaml

@@ -0,0 +1,16 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "ldap" }}
+{{- with $.Values.customSecrets.ldap }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ldap.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+  ldap-password: {{ .password | required "customSecrets.ldap.password is required!" | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/route-tls-secret.yaml

@@ -0,0 +1,17 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "routeTls" }}
+{{- with $.Values.customSecrets.routeTls }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "routeTls.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ (.key | required "customSecrets.routeTls.key is required!") | b64enc }}
+  tls.crt: {{ (.certificate | required "customSecrets.routeTls.certificate is required!") | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/secrets/secret-key-secret.yaml

@@ -0,0 +1,16 @@
+{{- if ($.Values.customSecrets).enabled }}
+{{- if hasKey .Values.customSecrets "secretKey" }}
+{{- with $.Values.customSecrets.secretKey }}
+{{- if .enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "secretKey.secretName" $ }}
+  namespace: {{ $.Release.Namespace }}
+type: Opaque
+stringData:
+  secret_key: {{ .key | required "customSecrets.secretKey.key is required!" | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/storage/_helpers.tpl

@@ -0,0 +1,57 @@
+{{/*
+Generate the name of the persistent volume for postgres folders
+*/}}
+{{- define "postgres.persistentVolumeName" -}}
+{{ printf "%s-postgres-volume" $.Values.AWX.name }}
+{{- end }}
+
+{{/*
+Generate the name of the persistent volume for projects folder
+*/}}
+{{- define "projects.persistentVolumeName" -}}
+{{ printf "%s-projects-volume" $.Values.AWX.name }}
+{{- end }}
+
+{{/*
+Generate the name of the persistent volume claim for the projects volume
+*/}}
+{{- define "projects.persistentVolumeClaim" -}}
+{{ printf "%s-projects-claim" $.Values.AWX.name }}
+{{- end }}
+
+{{/*
+Generate the name of the storage class to use for the postgres volume
+*/}}
+{{- define "postgres.storageClassName" -}}
+{{ default (printf "%s-postgres-volume" $.Values.AWX.name) (default $.Values.AWX.spec.postgres_storage_class (($.Values.customVolumes).postgres).storageClassName) }}
+{{- end }}
+
+{{/*
+Generate the name of the storage class to use for the projects volume
+*/}}
+{{- define "projects.storageClassName" -}}
+{{ default (printf "%s-projects-volume" $.Values.AWX.name) (default $.Values.AWX.spec.projects_storage_class (($.Values.customVolumes).projects).storageClassName) }}
+{{- end }}
+
+{{/*
+Generate the name of the storage class names, expects AWX context passed in
+*/}}
+{{- define "spec.storageClassNames" -}}
+{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
+{{- if (($.Values.customVolumes).postgres).enabled -}}
+  {{- if not (hasKey $.Values.AWX.spec "postgres_storage_class") }}
+  postgres_storage_class: {{ include "postgres.storageClassName" $ }}    
+  {{- end }}
+  {{- if not (hasKey $.Values.AWX.spec "postgres_storage_requirements") }}
+  postgres_storage_requirements:
+    requests:
+      storage: {{ default "8Gi" $.Values.customVolumes.postgres.size | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
+{{- if (($.Values.customVolumes).projects).enabled }}
+  projects_existing_claim: {{ include "projects.persistentVolumeClaim" $ }} 
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/storage/postgres-pv.yaml

@@ -0,0 +1,19 @@
+{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
+{{- if (($.Values.customVolumes).postgres).enabled -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ include "postgres.persistentVolumeName" $ }}
+{{- with $.Values.customVolumes.postgres }}
+spec:
+  accessModes:
+    - {{ default "ReadWriteOnce" .accessModes }}
+  persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
+  capacity:
+    storage: {{ default "8Gi" .size | quote }}
+  storageClassName: {{ include "postgres.storageClassName" $ }}
+  hostPath:
+    path: {{ required "customVolumes.postgres.hostPath or spec.postgres_data_path are required!" (default ($.Values.AWX.spec).postgres_data_path .hostPath) | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/storage/projects-pv.yaml

@@ -0,0 +1,32 @@
+{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
+{{- if (($.Values.customVolumes).projects).enabled -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ include "projects.persistentVolumeName" $ }}
+{{- with $.Values.customVolumes.projects }}
+spec:
+  accessModes:
+    - {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
+  persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
+  capacity:
+    storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
+  storageClassName: {{ include "projects.storageClassName" $ }}
+  hostPath:
+    path: {{ required "customVolumes.projects.hostPath is required!" .hostPath | quote }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "projects.persistentVolumeClaim" $ }} 
+spec:
+  accessModes:
+    - {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
+  storageClassName: {{ include "projects.storageClassName" $ }}
+{{- end }}  
+{{- end }}
+{{- end }}

.helm/starter/values.yaml

@@ -0,0 +1,19 @@
+AWX:
+  # enable use of awx-deploy template
+  enabled: false
+  name: awx
+  spec:
+    admin_user: admin
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    host: Unset
+    port: 5678
+    dbName: Unset
+    username: admin
+    # for secret management, pass in the password independently of this file
+    # at the command line, use --set AWX.postgres.password
+    password: Unset
+    sslmode: prefer
+    type: unmanaged

.readthedocs.yml

@@ -0,0 +1,17 @@
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# RTD API version
+version: 2
+
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+mkdocs:
+  configuration: mkdocs.yml
+
+python:
+  install:
+  - requirements: ./docs/requirements.txt

.yamllint

@@ -6,8 +6,15 @@ ignore: |
   kustomization.yaml
   awx-operator.clusterserviceversion.yaml
   bundle
+  .helm/starter
+  hacking/
 
 rules:
   truthy: disable
   line-length:
     max: 170
+  document-start: disable
+  comments-indentation: disable
+  indentation:
+    level: warning
+    indent-sequences: consistent

CONTRIBUTING.md

@@ -6,13 +6,15 @@ Have questions about this document or anything not covered here? Please file a n
 
 ## Table of contents
 
-* [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
-* [Submmiting your Work](#submitting-your-work)
-* [Testing](#testing)
-    * [Testing in Docker](#testing-in-docker)
-    * [Testing in Minikube](#testing-in-minikube)
-* [Generating a bundle](#generating-a-bundle)
-* [Reporting Issues](#reporting-issues)
+- [AWX-Operator Contributing Guidelines](#awx-operator-contributing-guidelines)
+  - [Table of contents](#table-of-contents)
+  - [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
+  - [Submmiting your work](#submmiting-your-work)
+  - [Testing](#testing)
+      - [Testing in Kind](#testing-in-kind)
+      - [Testing in Minikube](#testing-in-minikube)
+  - [Generating a bundle](#generating-a-bundle)
+  - [Reporting Issues](#reporting-issues)
 
 
 ## Things to know prior to submitting code
@@ -25,13 +27,13 @@ Have questions about this document or anything not covered here? Please file a n
 
 
 ## Submmiting your work
-1. From your fork `devel` branch, create a new brach to stage your changes.
+1. From your fork `devel` branch, create a new branch to stage your changes.
 ```sh
 #> git checkout -b <branch-name>
 ```
 2. Make your changes.
 3. Test your changes according described on the Testing section.
-4. If everylooks looks correct, commit your changes.
+4. If everything looks correct, commit your changes.
 ```sh
 #> git add <FILES>
 #> git commit -m "My message here"
@@ -44,26 +46,29 @@ Have questions about this document or anything not covered here? Please file a n
 
 ## Testing
 
-This Operator includes a [Molecule](https://molecule.readthedocs.io/en/stable/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
+This Operator includes a [Molecule](https://ansible.readthedocs.io/projects/molecule/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
 
 You need to make sure you have Molecule installed before running the following commands. You can install Molecule with:
 
 ```sh
-#> pip install 'molecule[docker]'
+#> python -m pip install molecule-plugins[docker]
 ```
 
 Running `molecule test` sets up a clean environment, builds the operator, runs all configured tests on an example operator instance, then tears down the environment (at least in the case of Docker).
 
 If you want to actively develop the operator, use `molecule converge`, which does everything but tear down the environment at the end.
 
-#### Testing in Docker
+#### Testing in Kind
+
+Testing with a kind cluster is the recommended way to test the awx-operator locally. First, you need to install kind if you haven't already. Please see these docs for setting that up:
+* https://kind.sigs.k8s.io/docs/user/quick-start/
+
+To run the tests, from the root of your checkout, run the following command:
 
 ```sh
-#> molecule test -s test-local
+#> molecule test -s kind
 ```
 
-This environment is meant for headless testing (e.g. in a CI environment, or when making smaller changes which don't need to be verified through a web interface). It is difficult to test things like AWX's web UI or to connect other applications on your local machine to the services running inside the cluster, since it is inside a Docker container with no static IP address.
-
 #### Testing in Minikube
 
 ```sh
@@ -137,4 +142,4 @@ Applying this template will do it. Once the CatalogSource is in a READY state, t
 
 ## Reporting Issues
 
-We welcome your feedback, and encourage you to file an issue when you run into a problem.
+We welcome your feedback, and encourage you to file an issue when you run into a problem.

Dockerfile

@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.12.0
+FROM quay.io/operator-framework/ansible-operator:v1.34.0
+
+USER root
+RUN dnf update --security --bugfix -y && \
+    dnf install -y openssl
+
+USER 1001
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION
@@ -12,3 +18,8 @@ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
 COPY watches.yaml ${HOME}/watches.yaml
 COPY roles/ ${HOME}/roles/
 COPY playbooks/ ${HOME}/playbooks/
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", \
+    "--watches-file=./watches.yaml", \
+    "--reconcile-period=0s" \
+    ]

Makefile

@@ -4,9 +4,17 @@
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
 VERSION ?= $(shell git describe --tags)
+PREV_VERSION ?= $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --skip=1 --max-count=1))
 
 CONTAINER_CMD ?= docker
 
+# GNU vs BSD in-place sed
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_I := sed -i
+else
+	SED_I := sed -i ''
+endif
+
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -37,10 +45,31 @@ IMAGE_TAG_BASE ?= quay.io/ansible/awx-operator
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+       BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
 
+# Helm variables
+CHART_NAME ?= awx-operator
+CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
+CHART_OWNER ?= $(GH_REPO_OWNER)
+CHART_REPO ?= awx-operator
+CHART_BRANCH ?= gh-pages
+CHART_DIR ?= gh-pages
+CHART_INDEX ?= index.yaml
+
+.PHONY: all
 all: docker-build
 
 ##@ General
@@ -56,44 +85,73 @@ all: docker-build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 
+.PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.PHONY: print-%
+print-%: ## Print any variable from the Makefile. Use as `make print-VARIABLE`
+	@echo $($*)
+
 ##@ Build
 
+.PHONY: run
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
 	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 
+.PHONY: docker-build
 docker-build: ## Build docker image with the manager.
 	${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
 
+.PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	${CONTAINER_CMD} push ${IMG}
 
+# PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
+# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> than the export will fail)
+# To properly provided solutions that supports more than one platform you should use this option.
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
+	- docker buildx create --name project-v3-builder
+	docker buildx use project-v3-builder
+	- docker buildx build --push $(BUILD_ARGS) --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
+	- docker buildx rm project-v3-builder
+
+
 ##@ Deployment
 
+.PHONY: install
 install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
+.PHONY: uninstall
 uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+.PHONY: gen-resources
 gen-resources: kustomize ## Generate resources for controller and print to stdout
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default
 
+.PHONY: deploy
 deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+.PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
-ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
 
 .PHONY: kustomize
 KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +161,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.0.1/kustomize_v5.0.1_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -111,6 +169,22 @@ KUSTOMIZE = $(shell which kustomize)
 endif
 endif
 
+.PHONY: operator-sdk
+OPERATOR_SDK = $(shell pwd)/bin/operator-sdk
+operator-sdk: ## Download operator-sdk locally if necessary, preferring the $(pwd)/bin path over global if both exist.
+ifeq (,$(wildcard $(OPERATOR_SDK)))
+ifeq (,$(shell which operator-sdk 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(OPERATOR_SDK)) ;\
+	curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.33.0/operator-sdk_$(OS)_$(ARCHA) ;\
+	chmod +x $(OPERATOR_SDK) ;\
+	}
+else
+OPERATOR_SDK = $(shell which operator-sdk)
+endif
+endif
+
 .PHONY: ansible-operator
 ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator
 ansible-operator: ## Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist.
@@ -119,7 +193,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.34.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -128,11 +202,11 @@ endif
 endif
 
 .PHONY: bundle
-bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files.
-	operator-sdk generate kustomize manifests -q
+bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
+	$(OPERATOR_SDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
-	operator-sdk bundle validate ./bundle
+	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	$(OPERATOR_SDK) bundle validate ./bundle
 
 .PHONY: bundle-build
 bundle-build: ## Build the bundle image.
@@ -150,7 +224,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.26.0/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -181,3 +255,188 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+.PHONY: kubectl-slice
+KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
+kubectl-slice: ## Download kubectl-slice locally if necessary.
+ifeq (,$(wildcard $(KUBECTL_SLICE)))
+ifeq (,$(shell which kubectl-slice 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(KUBECTL_SLICE)) ;\
+	curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_$(OS)_$(ARCHX).tar.gz | \
+	tar xzf - -C bin/ kubectl-slice ;\
+	}
+else
+KUBECTL_SLICE = $(shell which kubectl-slice)
+endif
+endif
+
+.PHONY: helm
+HELM = $(shell pwd)/bin/helm
+helm: ## Download helm locally if necessary.
+ifeq (,$(wildcard $(HELM)))
+ifeq (,$(shell which helm 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
+	mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
+	rmdir bin/$(OS)-$(ARCHA) ;\
+	}
+else
+HELM = $(shell which helm)
+endif
+endif
+
+.PHONY: yq
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+ifeq (,$(wildcard $(YQ)))
+ifeq (,$(shell which yq 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(HELM)) ;\
+	curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ ;\
+	mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
+	}
+else
+YQ = $(shell which yq)
+endif
+endif
+
+PHONY: cr
+CR = $(shell pwd)/bin/cr
+cr: ## Download cr locally if necessary.
+ifeq (,$(wildcard $(CR)))
+ifeq (,$(shell which cr 2>/dev/null))
+	@{ \
+	set -e ;\
+	mkdir -p $(dir $(CR)) ;\
+	curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
+	tar xzf - -C bin/ cr ;\
+	}
+else
+CR = $(shell which cr)
+endif
+endif
+
+charts:
+	mkdir -p $@
+
+.PHONY: helm-chart
+helm-chart: helm-chart-generate
+
+.PHONY: helm-chart-generate
+helm-chart-generate: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE: Set image and chart label =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+
+	@echo "== Gather Helm Chart Metadata =="
+	# remove the existing chart if it exists
+	rm -rf charts/$(CHART_NAME)
+	# create new chart metadata in Chart.yaml
+	cd charts && \
+		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
+		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
+		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
+
+	@echo "Generated chart metadata:"
+	@cat charts/$(CHART_NAME)/Chart.yaml
+
+	@echo "== KUSTOMIZE: Generate resources and slice into templates =="
+	# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
+	# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
+		$(KUBECTL_SLICE) --input-file=- \
+			--output-dir=charts/$(CHART_NAME)/raw-files \
+			--sort-by-kind
+
+	@echo "== GIT: Reset kustomize configs =="
+	# reset kustomize configs following kustomize build
+	git checkout -f config/.
+
+	@echo "== Build Templates and CRDS =="
+	# Delete metadata.namespace, release namespace will be automatically inserted by helm
+	for file in charts/$(CHART_NAME)/raw-files/*; do\
+		$(YQ) -i 'del(.metadata.namespace)' $${file};\
+	done
+	# Correct namespace for rolebinding to be release namespace, this must be explicit
+	for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
+		$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
+	done
+	# Correct .metadata.name for cluster scoped resources
+	cluster_scoped_files="charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-metrics-reader.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-proxy-role.yaml";\
+	for file in $${cluster_scoped_files}; do\
+		$(YQ) -i '.metadata.name += "-{{ .Release.Name }}"' $${file};\
+	done
+
+	# Correct the reference for the clusterrolebinding
+	$(YQ) -i '.roleRef.name += "-{{ .Release.Name }}"' 'charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml'
+	# move all custom resource definitions to crds folder
+	mkdir charts/$(CHART_NAME)/crds
+	mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
+	# remove any namespace definitions
+	rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
+	# move remaining resources to helm templates
+	mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
+	# remove the raw-files folder
+	rm -rf charts/$(CHART_NAME)/raw-files
+
+	# create and populate NOTES.txt
+	@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+	@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
+
+
+.PHONY: helm-package
+helm-package: helm-chart
+	@echo "== Package Current Chart Version =="
+	mkdir -p .cr-release-packages
+	# package the chart and put it in .cr-release-packages dir
+	$(HELM) package ./charts/awx-operator -d .cr-release-packages/$(VERSION)
+
+# List all tags oldest to newest.
+TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
+
+# The actual release happens in ansible/helm-release.yml, which calls this targer
+# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
+# that is contained within a larger repo, where a tag may not require a new chart version
+.PHONY: helm-index
+helm-index:
+	# when running in CI the gh-pages branch is checked out by the ansible playbook
+	# TODO: test if gh-pages directory exists and if not exist
+
+	@echo "== GENERATE INDEX FILE =="
+	# This step to workaround issues with old releases being dropped.
+	# Until https://github.com/helm/chart-releaser/issues/133 happens
+	@echo "== CHART FETCH previous releases =="
+	# Download all old releases
+	mkdir -p .cr-release-packages
+
+	for tag in $(TAGS); do\
+		dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
+		echo "Downloading $${tag} from $${dl_url}";\
+		curl -RLOs -z "$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
+		result=$$?;\
+		if [ $${result} -eq 0 ]; then\
+			echo "Downloaded $${dl_url}";\
+			mkdir -p .cr-release-packages/$${tag};\
+			mv ./$(CHART_REPO)-$${tag}.tgz .cr-release-packages/$${tag};\
+		else\
+			echo "Skipping release $${tag}; No helm chart present";\
+			rm -rf "$(CHART_REPO)-$${tag}.tgz";\
+		fi;\
+	done;\
+
+	# generate the index file in the root of the gh-pages branch
+	# --merge will leave any values in index.yaml that don't get generated by this command, but
+	# it is likely that all values are overridden
+	$(HELM) repo index .cr-release-packages --url https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/ --merge $(CHART_DIR)/index.yaml
+
+	mv .cr-release-packages/index.yaml $(CHART_DIR)/index.yaml

PROJECT

@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: ansible.com
 layout:
 - ansible.sdk.operatorframework.io/v1
@@ -13,4 +17,25 @@ resources:
   group: awx
   kind: AWX
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXBackup
+  version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXRestore
+  version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXMeshIngress
+  version: v1alpha1
 version: "3"

SECURITY.md

@@ -0,0 +1,3 @@
+For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
+
+For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

ansible/helm-release.yml

@@ -0,0 +1,122 @@
+---
+- hosts: localhost
+  vars:
+    chart_repo: awx-operator
+  environment:
+    CHART_OWNER: "{{ chart_owner }}"
+  tasks:
+    - name: Look up release
+      uri:
+        url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
+      register: release
+      ignore_errors: yes
+
+    - fail:
+        msg: |
+          Release must exist before running this playbook
+      when: release is not success
+
+    - name: Set helm filename and commit message
+      set_fact:
+        asset_already_attached: False
+        helm_file_name: "awx-operator-{{ tag }}.tgz"
+        commit_message: "Updated index.yaml for release {{ release.json.tag_name }}"
+
+    - name: See if file is already attached
+      set_fact:
+        asset_already_attached: True
+      loop: "{{ release.json.get('assets', []) }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: item.name == helm_file_name
+
+    - when: not asset_already_attached
+      block:
+        - name: Build and package helm chart
+          command: |
+            make helm-package
+          environment:
+            VERSION: "{{ tag }}"
+            IMAGE_TAG_BASE: "{{ operator_image }}"
+          args:
+            chdir: "{{ playbook_dir }}/../"
+
+        # Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
+        - name: Upload helm chart
+          uri:
+            url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name={{ helm_file_name }}"
+            src: "{{ playbook_dir }}/../.cr-release-packages/{{ tag }}/awx-operator-{{ tag }}.tgz"
+            headers:
+              Authorization: "token {{ gh_token }}"
+              Content-Type: "application/octet-stream"
+            status_code:
+              - 200
+              - 201
+          register: asset_upload
+          changed_when: asset_upload.json.state == "uploaded"
+
+    - name: Ensure gh-pages exists
+      file:
+        state: directory
+        path: "{{ playbook_dir }}/../gh-pages"
+
+    - name: Check if we have published the release
+      command:
+        cmd: "git log --grep='{{ commit_message }}'"
+        chdir: "{{ playbook_dir }}/../gh-pages"
+      register: commits_for_release
+
+    - when: commits_for_release.stdout == ''
+      block:
+        - name: Make a temp dir
+          tempfile:
+            state: directory
+          register: temp_dir
+
+        - name: Clone the gh-pages branch from {{ chart_owner }}
+          git:
+            repo: "{{ ((repo_type | default('http')) == 'ssh') | ternary(ssh_repo, http_repo) }}"
+            dest: "{{ temp_dir.path }}"
+            single_branch: yes
+            version: gh-pages
+          vars:
+            http_repo: "https://github.com/{{ chart_owner }}/{{ chart_repo }}"
+            ssh_repo: "git@github.com:{{ chart_owner }}/{{ chart_repo }}.git"
+
+        - name: Publish helm index
+          ansible.builtin.command:
+            cmd: make helm-index
+          environment:
+            CHART_OWNER: "{{ chart_owner }}"
+            CR_TOKEN: "{{ gh_token }}"
+            CHART_DIR: "{{ temp_dir.path }}"
+          args:
+            chdir: "{{ playbook_dir }}/.."
+
+        - name: Set url base swap in gitconfig
+          command:
+            cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
+          args:
+            chdir: "{{ temp_dir.path }}/"
+          no_log: true
+
+        - name: Stage and Push commit to gh-pages branch
+          command:
+            cmd: "{{ item }}"
+          loop:
+            - git add index.yaml
+            - git commit -m "{{ commit_message }}"
+            - git push
+          args:
+            chdir: "{{ temp_dir.path }}/"
+          environment:
+            GIT_AUTHOR_NAME: "{{ gh_user }}"
+            GIT_AUTHOR_EMAIL: "{{ gh_user }}@users.noreply.github.com"
+            GIT_COMMITTER_NAME: "{{ gh_user }}"
+            GIT_COMMITTER_EMAIL: "{{ gh_user }}@users.noreply.github.com"
+
+      always:
+        - name: Remove temp dir
+          file:
+            path: "{{ temp_dir.path }}"
+            state: absent

ansible/instantiate-awx-deployment.yml

@@ -26,6 +26,7 @@
             image_version: "{{ image_version | default(omit) }}"
             development_mode: "{{ development_mode | default(omit) | bool }}"
             image_pull_policy: "{{ image_pull_policy | default(omit) }}"
+            nodeport_port: "{{ nodeport_port | default(omit) }}"
             # ee_images:
             #   - name: test-ee
             #     image: quay.io/<user>/awx-ee

awxmeshingress-demo.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: awx.ansible.com/v1alpha1
+kind: AWXMeshIngress
+metadata:
+  name: awx-mesh-ingress-demo
+spec:
+  deployment_name: awx-demo

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -0,0 +1,147 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxbackups.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXBackup
+    listKind: AWXBackupList
+    plural: awxbackups
+    singular: awxbackup
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXBackup CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              deployment_name:
+                description: Name of the deployment to be backed up
+                type: string
+              backup_pvc:
+                description: Name of the backup PVC
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_storage_requirements:
+                description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
+                type: string
+              backup_resource_requirements:
+                description: Resource requirements for the management pod used to create a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              backup_storage_class:
+                description: Storage class to use when creating PVC for backup
+                type: string
+              clean_backup_on_delete:
+                description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
+                type: boolean
+              pg_dump_suffix:
+                description: Additional parameters for the pg_dump command
+                type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              precreate_partition_hours:
+                description: Number of hours worth of events table partitions to precreate before backup to avoid pg_dump locks.
+                type: integer
+                format: int32
+              image_pull_policy:
+                description: The image pull policy
+                type: string
+                default: IfNotPresent
+                enum:
+                - Always
+                - always
+                - Never
+                - never
+                - IfNotPresent
+                - ifnotpresent
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string

config/crd/bases/awx.ansible.com_awxmeshingresses.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxmeshingresses.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXMeshIngress
+    listKind: AWXMeshIngressList
+    plural: awxmeshingresses
+    singular: awxmeshingress
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: AWXMeshIngress is the Schema for the awxmeshingresses API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of AWXMeshIngress
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              deployment_name:
+                description: Name of the AWX deployment to create the Mesh Ingress for.
+                type: string
+              image_pull_secrets:
+                description: Image pull secrets for Mesh Ingress containers.
+                type: array
+                items:
+                  type: string
+              external_hostname:
+                description: External hostname to use for the Mesh Ingress.
+                type: string
+              external_ipaddress:
+                description: External IP address to use for the Mesh Ingress.
+                type: string
+              ingress_type:
+                description: The ingress type to use to reach the deployed instance
+                type: string
+                enum:
+                - none
+                - Ingress
+                - ingress
+                - IngressRouteTCP
+                - ingressroutetcp
+                - Route
+                - route
+              ingress_api_version:
+                description: The Ingress API version to use
+                type: string
+              ingress_annotations:
+                description: Annotations to add to the Ingress Controller
+                type: string
+              ingress_class_name:
+                description: The name of ingress class to use instead of the cluster default.
+                type: string
+              ingress_controller:
+                description: Special configuration for specific Ingress Controllers
+                type: string
+          status:
+            description: Status defines the observed state of AWXMeshIngress
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -0,0 +1,148 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxrestores.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXRestore
+    listKind: AWXRestoreList
+    plural: awxrestores
+    singular: awxrestore
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXRestore CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              backup_source:
+                description: Backup source
+                type: string
+                enum:
+                - Backup CR
+                - PVC
+              deployment_name:
+                description: Name of the restored deployment. This should be different from the original deployment name
+                  if the original deployment still exists.
+                type: string
+              cluster_name:
+                description: Cluster name
+                type: string
+              backup_name:
+                description: AWXBackup object name
+                type: string
+              backup_pvc:
+                description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_dir:
+                description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
+                type: string
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              image_pull_policy:
+                description: The image pull policy
+                type: string
+                default: IfNotPresent
+                enum:
+                - Always
+                - always
+                - Never
+                - never
+                - IfNotPresent
+                - ifnotpresent
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+              force_drop_db:
+                description: Force drop the database before restoring. USE WITH CAUTION!
+                type: boolean
+                default: false
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean

config/crd/bases/awxbackup.ansible.com_awxbackups.yaml

@@ -1,77 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxbackups.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXBackup
-    listKind: AWXBackupList
-    plural: awxbackups
-    singular: awxbackup
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXBackup CRD
-          properties:
-            spec:
-              type: object
-              required:
-                - deployment_name
-              properties:
-                deployment_name:
-                  description: Name of the deployment to be backed up
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be used for storing the backup
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_storage_requirements:
-                  description: Storage requirements for the PostgreSQL container
-                  type: string
-                backup_storage_class:
-                  description: Storage class to use when creating PVC for backup
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                backupDirectory:
-                  description: Backup directory name on the specified pvc
-                  type: string
-                backupClaim:
-                  description: Backup persistent volume claim
-                  type: string

config/crd/bases/awxrestore.ansible.com_awxrestores.yaml

@@ -1,78 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxrestores.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXRestore
-    listKind: AWXRestoreList
-    plural: awxrestores
-    singular: awxrestore
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXRestore CRD
-          properties:
-            spec:
-              type: object
-              properties:
-                backup_source:
-                  description: Backup source
-                  type: string
-                  enum:
-                    - CR
-                    - PVC
-                deployment_name:
-                  description: Name of the deployment to be restored to
-                  type: string
-                backup_name:
-                  description: AWXBackup object name
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_dir:
-                  description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                restoreComplete:
-                  description: Restore process complete
-                  type: boolean

config/crd/kustomization.yaml

@@ -1,9 +1,9 @@
----
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
-  - bases/awx.ansible.com_awxs.yaml
-  - bases/awxbackup.ansible.com_awxbackups.yaml
-  - bases/awxrestore.ansible.com_awxrestores.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
+- bases/awx.ansible.com_awxs.yaml
+- bases/awx.ansible.com_awxbackups.yaml
+- bases/awx.ansible.com_awxrestores.yaml
+- bases/awx.ansible.com_awxmeshingresses.yaml
+#+kubebuilder:scaffold:crdkustomizeresource

config/default/kustomization.yaml

@@ -1,24 +1,30 @@
 # Adds namespace to all resources.
 namespace: awx
+
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
 namePrefix: awx-operator-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
-  # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-  # - ../prometheus
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-patchesStrategicMerge:
-- manager_auth_proxy_patch.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
+
 resources:
 - ../crd
 - ../rbac
 - ../manager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patches:
+- path: manager_auth_proxy_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -1,4 +1,3 @@
----
 # This patch inject a sidecar container which is a HTTP proxy for the
 # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
@@ -10,20 +9,32 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-          args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=10"
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-              name: https
-        - name: awx-manager
-          args:
-            - "--health-probe-bind-address=:6789"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"
-            - "--leader-election-id=awx-operator"
+      - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: awx-manager
+        args:
+        - "--health-probe-bind-address=:6789"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"
+        - "--leader-election-id=awx-operator"

config/default/manager_config_patch.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -8,14 +7,14 @@ spec:
   template:
     spec:
       containers:
-        - name: awx-manager
-          args:
-            - "--config=controller_manager_config.yaml"
-          volumeMounts:
-            - name: awx-manager-config
-              mountPath: /controller_manager_config.yaml
-              subPath: controller_manager_config.yaml
-      volumes:
+      - name: awx-manager
+        args:
+        - "--config=controller_manager_config.yaml"
+        volumeMounts:
         - name: awx-manager-config
-          configMap:
-            name: awx-manager-config
+          mountPath: /controller_manager_config.yaml
+          subPath: controller_manager_config.yaml
+      volumes:
+      - name: awx-manager-config
+        configMap:
+          name: awx-manager-config

config/manager/controller_manager_config.yaml

@@ -1,10 +1,20 @@
----
-apiVersion: controller-runtime.sigs.k8s.io/v1beta1
+apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
 kind: ControllerManagerConfig
 health:
   healthProbeBindAddress: :6789
 metrics:
   bindAddress: 127.0.0.1:8080
+
 leaderElection:
   leaderElect: true
   resourceName: 811c9dc5.ansible.com
+# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true

config/manager/kustomization.yaml

@@ -1,11 +1,14 @@
 resources:
 - manager.yaml
+
 generatorOptions:
   disableNameSuffixHash: true
+
 configMapGenerator:
 - files:
   - controller_manager_config.yaml
   name: awx-manager-config
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

config/manager/manager.yaml

@@ -20,39 +20,62 @@ spec:
   replicas: 1
   template:
     metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: awx-manager
       labels:
         control-plane: controller-manager
     spec:
       securityContext:
         runAsNonRoot: true
+        # For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
-        - args:
-            - --leader-elect
-            - --leader-election-id=awx-operator
-          image: controller:latest
-          name: awx-manager
-          env:
-            - name: ANSIBLE_GATHERING
-              value: explicit
-            - name: ANSIBLE_DEBUG_LOGS
-              value: 'false'
-            - name: WATCH_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 10
+      - args:
+        - --leader-elect
+        - --leader-election-id=awx-operator
+        image: controller:latest
+        imagePullPolicy: IfNotPresent
+        name: awx-manager
+        env:
+        - name: ANSIBLE_GATHERING
+          value: explicit
+        - name: ANSIBLE_DEBUG_LOGS
+          value: 'false'
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "50m"
+          limits:
+            memory: "960Mi"
+            cpu: "1500m"
       serviceAccountName: controller-manager
+      imagePullSecrets:
+      - name: redhat-operators-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/kustomization.yaml

@@ -1,8 +1,7 @@
----
 # These resources constitute the fully configured set of manifests
 # used to generate the 'manifests/' directory in a bundle.
 resources:
-  - bases/awx-operator.clusterserviceversion.yaml
-  - ../default
-  - ../samples
-  - ../scorecard
+- bases/awx-operator.clusterserviceversion.yaml
+- ../default
+- ../samples
+- ../scorecard

config/prometheus/kustomization.yaml

@@ -1,3 +1,2 @@
----
 resources:
-  - monitor.yaml
+- monitor.yaml

config/prometheus/monitor.yaml

@@ -1,4 +1,3 @@
----
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -1,10 +1,9 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: metrics-reader
 rules:
-  - nonResourceURLs:
-      - "/metrics"
-    verbs:
-      - get
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/rbac/auth_proxy_role.yaml

@@ -1,18 +1,17 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: proxy-role
 rules:
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config/rbac/auth_proxy_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: ClusterRole
   name: proxy-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,9 +7,9 @@ metadata:
   namespace: system
 spec:
   ports:
-    - name: https
-      port: 8443
-      protocol: TCP
-      targetPort: https
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
   selector:
     control-plane: controller-manager

config/rbac/awx_editor_role.yaml

@@ -1,25 +1,24 @@
----
 # permissions for end users to edit awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-editor-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awx_viewer_role.yaml

@@ -1,21 +1,20 @@
----
 # permissions for end users to view awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-viewer-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awxbackup_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxbackup_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxmeshingress_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit awxmeshingresses.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: awxmeshingress-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: awx-operator
+    app.kubernetes.io/part-of: awx-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: awxmeshingress-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxmeshingresses
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxmeshingresses/status
+  verbs:
+  - get

config/rbac/awxmeshingress_viewer_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to view awxmeshingresses.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: awxmeshingress-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: awx-operator
+    app.kubernetes.io/part-of: awx-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: awxmeshingress-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxmeshingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxmeshingresses/status
+  verbs:
+  - get

config/rbac/awxrestore_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/awxrestore_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/kustomization.yaml

@@ -1,19 +1,18 @@
----
 resources:
-  # All RBAC will be applied under this service account in
-  # the deployment namespace. You may comment out this resource
-  # if your manager will use a service account that exists at
-  # runtime. Be sure to update RoleBinding and ClusterRoleBinding
-  # subjects if changing service account names.
-  - service_account.yaml
-  - role.yaml
-  - role_binding.yaml
-  - leader_election_role.yaml
-  - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
-  - auth_proxy_service.yaml
-  - auth_proxy_role.yaml
-  - auth_proxy_role_binding.yaml
-  - auth_proxy_client_clusterrole.yaml
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml

config/rbac/leader_election_role.yaml

@@ -1,38 +1,37 @@
----
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: leader-election-role
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

config/rbac/leader_election_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: Role
   name: leader-election-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/role.yaml

@@ -20,7 +20,6 @@ rules:
       - watch
   - apiGroups:
       - ""
-      - "rbac.authorization.k8s.io"
     resources:
       - pods
       - services
@@ -31,6 +30,17 @@ rules:
       - events
       - configmaps
       - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
       - roles
       - rolebindings
     verbs:
@@ -43,12 +53,22 @@ rules:
       - watch
   - apiGroups:
       - apps
-      - networking.k8s.io
     resources:
       - deployments
       - daemonsets
       - replicasets
       - statefulsets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
       - ingresses
     verbs:
       - get
@@ -58,6 +78,18 @@ rules:
       - patch
       - update
       - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+      - watch
   - apiGroups:
       - monitoring.coreos.com
     resources:
@@ -104,3 +136,16 @@ rules:
       - awxrestores
     verbs:
       - '*'
+  - apiGroups:
+      - traefik.containo.us
+      - traefik.io
+    resources:
+      - ingressroutetcps
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch

config/rbac/service_account.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

config/samples/awx_v1alpha1_awxmeshingress.yaml

@@ -0,0 +1,8 @@
+# Placeholder to pass CI and allow bundle generation
+---
+apiVersion: awx.ansible.com/v1alpha1
+kind: AWXMeshIngress
+metadata:
+  name: example-awx-mesh-ingress
+spec:
+  deployment_name: example-awx

config/samples/awx_v1beta1_awx.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   web_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   task_resource_requirements:
     requests:
-      cpu: 250m
+      cpu: 50m
       memory: 128M
   ee_resource_requirements:
     requests:
-      cpu: 200m
+      cpu: 50m
       memory: 64M

config/samples/awx_v1beta1_awx_resource_limits.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-with-limits
+spec:
+  task_resource_requirements:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 4Gi
+  web_resource_requirements:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 1000m
+      memory: 4Gi
+  ee_resource_requirements:
+    requests:
+      cpu: 100m
+      memory: 64Mi
+    limits:
+      cpu: 1000m
+      memory: 4Gi
+  redis_resource_requirements:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      cpu: 1000m
+      memory: 4Gi
+  rsyslog_resource_requirements:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+  init_container_resource_requirements:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+  postgres_init_container_resource_requirements:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi

config/samples/awx_v1beta1_awxbackup.yaml

@@ -0,0 +1,13 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXBackup
+metadata:
+  name: example-awx-backup
+spec:
+  deployment_name: example-awx
+  backup_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/awx_v1beta1_awxrestore.yaml

@@ -0,0 +1,14 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXRestore
+metadata:
+  name: awxrestore-sample
+spec:
+  deployment_name: example-awx-2
+  backup_name: example-awx-backup
+  restore_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/kustomization.yaml

@@ -1,5 +1,7 @@
----
 ## Append samples you want in your CSV to this file as resources ##
 resources:
-  - awx_v1beta1_awx.yaml
-# +kubebuilder:scaffold:manifestskustomizesamples
+- awx_v1beta1_awx.yaml
+- awx_v1beta1_awxbackup.yaml
+- awx_v1beta1_awxrestore.yaml
+- awx_v1alpha1_awxmeshingress.yaml
+#+kubebuilder:scaffold:manifestskustomizesamples

config/scorecard/bases/config.yaml

@@ -1,8 +1,7 @@
----
 apiVersion: scorecard.operatorframework.io/v1alpha3
 kind: Configuration
 metadata:
   name: config
 stages:
-  - parallel: true
-    tests: []
+- parallel: true
+  tests: []

config/scorecard/kustomization.yaml

@@ -1,17 +1,16 @@
----
 resources:
-  - bases/config.yaml
+- bases/config.yaml
 patchesJson6902:
-  - path: patches/basic.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-  - path: patches/olm.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-# +kubebuilder:scaffold:patchesJson6902
+- path: patches/basic.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+- path: patches/olm.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+#+kubebuilder:scaffold:patchesJson6902

config/scorecard/patches/basic.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - basic-check-spec
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-bundle-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -13,9 +12,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -23,9 +22,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-resources
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -33,9 +32,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-spec-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -43,9 +42,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-status-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

config/testing/kustomization.yaml

@@ -1,13 +1,13 @@
 # Adds namespace to all resources.
 namespace: osdk-test
+
 namePrefix: osdk-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
-patchesStrategicMerge:
-- manager_image.yaml
-- debug_logs_patch.yaml
-- ../default/manager_auth_proxy_patch.yaml
+#commonLabels:
+#  someName: someValue
+
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
@@ -18,4 +18,6 @@ images:
 - name: testing
   newName: testing-operator
 patches:
-- path: pull_policy/Never.yaml
+- path: manager_image.yaml
+- path: debug_logs_patch.yaml
+- path: ../default/manager_auth_proxy_patch.yaml

docs/README.md

@@ -0,0 +1,10 @@
+# Building the Ansible AWX Operator Docs
+
+To build the AWX Operator docs locally:
+
+1. Clone the AWX operator repository. 
+2. From the root directory:
+    a.  pip install --user -r docs/requirements.txt
+    b.  mkdocs build
+
+This will create a new directory called `site/` in the root of your clone containing the index.html and static files. To view the docs in your browser, navigate there in your file explorer and double-click on the `index.html` file. This should open the docs site in your browser.

docs/contributors-guide/author.md

@@ -0,0 +1,3 @@
+## Author
+
+This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team

docs/contributors-guide/code-of-conduct.md

@@ -0,0 +1,3 @@
+## Code of Conduct
+
+We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)

docs/contributors-guide/contributing.md

@@ -0,0 +1,3 @@
+## Contributing
+
+Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).

docs/contributors-guide/get-involved.md

@@ -0,0 +1,6 @@
+## Get Involved
+
+We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC channel as AWX itself. Here's how to reach us with feedback and questions:
+
+- Join the `#ansible-awx` channel on irc.libera.chat
+- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)