internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 22:03:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:0.20.2
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
..
compare: internet:0.24.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

46 Commits
0.20.2 ... 0.24.0

Author SHA1 Message Date
Shane McDonald
7697825944 Merge pull request #983 from shanemcd/ingress_path-test 
Add tests around ingress_path feature
 2022-07-11 19:55:28 -04:00
Shane McDonald
8a325293b1 Add tests around ingress_path feature 2022-07-11 19:45:11 -04:00
Shane McDonald
dd53a1d415 Merge pull request #980 from sdktr/958_pgdump_command_customization 
Fix 958: allow pg_dump backup command customization
 2022-07-11 19:30:30 -04:00
Shane McDonald
c5db0e7104 Merge pull request #954 from bewing/helm-namespace 
remove namespace from helm chart
 2022-07-11 19:18:08 -04:00
Stefan de Kooter
59036fc373 Add free format pg_dump backup parameter 2022-07-10 19:03:32 +00:00
Christian Adams
c45a7bd4d7 Add Docs notes for custom secret keys (#969) 2022-06-28 11:05:49 -04:00
Shane McDonald
34b6354001 Merge pull request #956 from Cl0udius/add_auto_upgrade_parameter 
added auto_upgrade flag
 2022-06-27 13:39:11 -04:00
Shane McDonald
801f392447 Merge pull request #964 from taishen/devel 
Add an example of the nodeport_port in readme
 2022-06-27 13:38:24 -04:00
Shane McDonald
779572e8ff Merge pull request #944 from viv-dev/backup-cleanup 
Option to delete backup dir on PV when AWXBackup object is deleted
 2022-06-27 13:35:57 -04:00
Shane McDonald
e7e48f92a0 Merge pull request #962 from rooftopcellist/operator-resource-defaults 
Add default resource requests for operator container
 2022-06-27 13:33:32 -04:00
Brandon Ewing
3cd9ddd8c6 remove namespace from helm chart 
Helm should be able to set the namespace for the operator at deploy time
via the --namespace option.  Use yq to remove all references to
namespaces in the helm chart prior to publishing.

Update CI process to create namespace during install.

Resolves #907
 2022-06-27 12:26:14 -05:00
taishen
4e6be0a82c Add an example of the nodeport_port in readme 2022-06-27 22:02:42 +08:00
Viviana Capote
05943687fe Added option to also delete backup directory on PVC when AWXBackup CRD object is deleted 2022-06-27 15:45:33 +10:00
Shane McDonald
9676ebc008 Merge pull request #955 from doanminhtu/tudoan/fix-ldap-password-secret-usage 
Fix ldap bind password secret usage: ldap_password_secret
 2022-06-26 10:45:26 -04:00
Christian M. Adams
8352237260 Add default resource requests for operator container 2022-06-24 16:40:45 -04:00
Alexander Stock
35d4954027 added auto_update flag 2022-06-23 15:05:05 +02:00
Shane McDonald
4d6a491766 Merge pull request #959 from mac-chaffee/no-latest 
Use specific version of redis image
 2022-06-23 08:16:21 -04:00
Shane McDonald
fa9eb53f92 Merge pull request #950 from basecom/feature/nginx-ipv6-support 
Enable ipv6 listening in nginx config
 2022-06-23 07:51:41 -04:00
Tu Doan
00c9f5fbd1 Fix ldap secret to secret file 2022-06-23 10:49:27 +07:00
Mac Chaffee
fe82e9259e Use specific version of redis image 
Signed-off-by: Mac Chaffee <machaffe@renci.org>
 2022-06-22 16:14:39 -04:00
Tu Doan
635d530dc9 Fix ldap bind password secret usage 2022-06-20 17:03:38 +07:00
David Luong
e966e9299f Resolves #918 to make no_log configurable (#923) 2022-06-16 01:03:13 -04:00
John Westcott IV
683d23dbea Adding feature requests issue type (#951) 2022-06-15 17:30:00 -04:00
Roger Sikorski
8b3a297086 enable ipv6 on nginx 2022-06-15 17:37:02 +02:00
John Westcott IV
15830e3536 Merge pull request #947 from john-westcott-iv/github_folder_maintainance 
.github folder maintainance
 2022-06-13 12:20:00 -04:00
John Westcott IV
ef46d7f49c Changes from PR review 2022-06-13 11:15:52 -04:00
John Westcott IV
a5328b1a09 .github folder maintainance 
Changing bug_report from markdown to yaml
Adding config.yml for new issues
Adding Code of Conduct and support to the README (along with tags at the
top of the readme)
Adding SECURITY.md
Adding CODE_OF_CONDUCT.md
 2022-06-13 08:22:40 -04:00
Christian Adams
0983220fba Use awx web launch script to pick up the correct supervisor config (#935) 
- reduce resource requests so that CI passes in resource constrained
    environments
 2022-06-01 19:11:25 -04:00
Paul Verhoeven
3ac0232e89 Updated the Readme (#906) 
* defaults in Deploying a specific version of AWX added

* Update README.md

updated the README clarified the defaults of Deploying a specific version of AWX
 2022-05-09 17:24:43 -04:00
Christian Adams
75c7231afd Remove unneeded olm-parameter template file (#901) 2022-05-04 16:45:18 -04:00
Christian Adams
363aa3642b added capability to set the redis container resources (#899) 
* added capability to set the redis container resources

* Reduce resource requests so that it can be scheduled on GitHub workflows

Co-authored-by: Cedric Morin <cedric.morin_ext@michelin.com>
 2022-05-03 08:53:45 -04:00
Shane McDonald
bf74d5cc34 Merge pull request #799 from mamercad/helm 
Add Helm functionality
 2022-05-02 14:38:24 -04:00
Shane McDonald
46586bd7b6 Rework helm release process 
This was mostly me working around a limitation in chart-releaser where it does not allow for uploading a chart to an existing release.
 2022-05-02 14:12:59 -04:00
Shane McDonald
191be7bf3c Run test helm install in CI 2022-05-02 14:12:59 -04:00
Shane McDonald
b7e5f235ad Fix yq target 
Without this I was seeing:

$ make yq
tar: yq_linux_amd64: Not found in archive
tar: Exiting with failure status due to previous errors
make: *** [Makefile:240: yq] Error 2
 2022-05-02 14:12:59 -04:00
Mark Mercado
6cbc6a7234 Set CHART_OWNER as ${{ github.repository_owner }} 2022-05-02 14:12:59 -04:00
Mark Mercado
beba6a900d Update kustomize build args for v4+ 2022-05-02 14:12:59 -04:00
Mark Mercado
7f72260445 Adding document-start markers 2022-05-02 14:12:59 -04:00
Mark Mercado
5b7baa106d Adding CI for "make helm-chart" 2022-05-02 14:12:59 -04:00
Mark Mercado
9380686395 Handle amd64 versus x86_64 2022-05-02 14:12:59 -04:00
Mark Mercado
0de966153d Fix kubectl-slice for amd64 2022-05-02 14:12:59 -04:00
Mark Mercado
efaa4718ec Adding Helm functionality 2022-05-02 14:12:57 -04:00
Shane McDonald
e6a473b765 Merge pull request #887 from ansible/add-content-type-option-header-op 
Add the X-Content-Type-Options nosniff header
 2022-05-02 08:25:48 -04:00
Christian Adams
859384e9f6 Changed default pull secret to agreed upon name (#896) 2022-04-29 16:21:03 -04:00
Christian Adams
b66a16508f Clarify docs on how to configure an External Database (#895) 2022-04-29 15:35:07 -04:00
Jeff Bradberry
fa705f6466 Add the X-Content-Type-Options nosniff header 2022-04-25 14:00:07 -04:00
59 changed files with 1022 additions and 321 deletions
Expand all files Collapse all files

3
.github/CODE_OF_CONDUCT.md vendored Normal file
View File

@@ -0,0 +1,3 @@
# Community Code of Conduct
Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

39
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@@ -1,39 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
##### ISSUE TYPE
- Bug Report
##### SUMMARY
<!-- Briefly describe the problem. -->
##### ENVIRONMENT
* AWX version: X.Y.Z
* Operator version: X.Y.Z
* Kubernetes version:
* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
##### STEPS TO REPRODUCE
<!-- Please describe exactly how to reproduce the problem. -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? -->
##### ADDITIONAL INFORMATION
<!-- Include any links to sosreport, database dumps, screenshots or other
information. -->
##### AWX-OPERATOR LOGS

125
.github/ISSUE_TEMPLATE/bug_report.yml vendored Normal file
View File

@@ -0,0 +1,125 @@
---
name: Bug Report
description: "🐞 Create a report to help us improve"
body:
- type: markdown
attributes:
value: |
Bug Report issues are for **concrete, actionable bugs** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Bug Summary
description: Briefly describe the problem.
validations:
required: false
- type: input
id: awx-operator-version
attributes:
label: AWX Operator version
description: What version of the AWX Operator are you running?
validations:
required: true
- type: input
id: awx-version
attributes:
label: AWX version
description: What version of AWX are you running?
validations:
required: true
- type: dropdown
id: platform
attributes:
label: Kubernetes platform
description: What platform did you install the Operator in?
multiple: false
options:
- kubernetes
- minikube
- openshift
- minishift
- docker development environment
- other (please specify in additional information)
validations:
required: true
- type: input
id: kube-version
attributes:
label: Kubernetes/Platform version
description: What version of your platform/kuberneties are you using?
validations:
required: true
- type: dropdown
id: modified-architecture
attributes:
label: Modifications
description: >-
Have you modified the installation, deployment topology, or container images in any way? If yes, please
explain in the "additional information" field at the bottom of the form.
multiple: false
options:
- "no"
- "yes"
validations:
required: true
- type: textarea
id: steps-to-reproduce
attributes:
label: Steps to reproduce
description: >-
Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
validations:
required: true
- type: textarea
id: expected-results
attributes:
label: Expected results
description: What did you expect to happpen when running the steps above?
validations:
required: true
- type: textarea
id: actual-results
attributes:
label: Actual results
description: What actually happened?
validations:
required: true
- type: textarea
id: additional-information
attributes:
label: Additional information
description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
validations:
required: false
- type: textarea
id: operator-logs
attributes:
label: Operator Logs
description: Include any relevant logs generated by the operator.
validations:
required: false

12
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,12 @@
---
blank_issues_enabled: false
contact_links:
- name: For debugging help or technical support
url: https://github.com/ansible/awx-operator#get-involved
about: For general debugging or technical support please see the Get Involved section of our readme.
- name: 📝 Ansible Code of Conduct
url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
- name: 💼 For Enterprise
url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
about: Red Hat offers support for the Ansible Automation Platform

29
.github/ISSUE_TEMPLATE/feature_request.yml vendored Normal file
View File

@@ -0,0 +1,29 @@
---
name: ✨ Feature request
description: Suggest an idea for this project
body:
- type: markdown
attributes:
value: |
Feature Request issues are for **feature requests** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Feature Summary
description: Briefly describe the desired enhancement.
validations:
required: true

29
.github/workflows/ci.yaml vendored
View File

@@ -10,9 +10,9 @@ on:
branches: [devel]
jobs:
pull_request:
molecule:
runs-on: ubuntu-18.04
name: pull_request
name: molecule
env:
DOCKER_API_VERSION: "1.38"
steps:
@@ -39,3 +39,28 @@ jobs:
sudo rm -f $(which kustomize)
make kustomize
KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
helm:
runs-on: ubuntu-18.04
name: helm
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.2.0
- name: Build operator image and load into kind
run: |
IMG=awx-operator-ci make docker-build
kind load docker-image --name chart-testing awx-operator-ci
- name: Patch pull policy for tests
run: |
kustomize edit add patch --path ../testing/pull_policy/Never.yaml
working-directory: config/default
- name: Build and install helm chart
run: |
IMG=awx-operator-ci make helm-chart
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator

15
.github/workflows/promote.yaml vendored
View File

@@ -8,6 +8,8 @@ jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Log in to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -23,3 +25,16 @@ jobs:
docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker push quay.io/${{ github.repository }}:latest
- name: Configure git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ github.event.release.tag_name }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }}

2
.gitignore vendored
View File

@@ -4,3 +4,5 @@
/bundle
/bundle_tmp*
/bundle.Dockerfile
/charts
/.cr-release-packages

23
.helm/starter/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

7
.helm/starter/Chart.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: v2
appVersion: 0.1.0
description: A Helm chart for Kubernetes
name: starter
type: application
version: 0.1.0

0
.helm/starter/values.yaml Normal file
View File

148
Makefile
View File

@@ -7,6 +7,13 @@ VERSION ?= $(shell git describe --tags)
CONTAINER_CMD ?= docker
# GNU vs BSD in-place sed
ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
SED_I := sed -i
else
SED_I := sed -i ''
endif
# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -41,6 +48,14 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
NAMESPACE ?= awx
# Helm variables
CHART_NAME ?= awx-operator
CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
CHART_OWNER ?= $(GH_REPO_OWNER)
CHART_REPO ?= awx-operator
CHART_BRANCH ?= gh-pages
CHART_INDEX ?= index.yaml
all: docker-build
##@ General
@@ -93,7 +108,8 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
$(KUSTOMIZE) build config/default | kubectl delete -f -
OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
.PHONY: kustomize
KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -103,7 +119,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
}
else
@@ -119,7 +135,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -150,7 +166,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
chmod +x $(OPM) ;\
}
else
@@ -181,3 +197,127 @@ catalog-build: opm ## Build a catalog image.
.PHONY: catalog-push
catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: kubectl-slice
KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
kubectl-slice: ## Download kubectl-slice locally if necessary.
ifeq (,$(wildcard $(KUBECTL_SLICE)))
ifeq (,$(shell which kubectl-slice 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUBECTL_SLICE)) ;\
curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
tar xzf - -C bin/ kubectl-slice ;\
}
else
KUBECTL_SLICE = $(shell which kubectl-slice)
endif
endif
.PHONY: helm
HELM = $(shell pwd)/bin/helm
helm: ## Download helm locally if necessary.
ifeq (,$(wildcard $(HELM)))
ifeq (,$(shell which helm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
rmdir bin/$(OS)-$(ARCHA) ;\
}
else
HELM = $(shell which helm)
endif
endif
.PHONY: yq
YQ = $(shell pwd)/bin/yq
yq: ## Download yq locally if necessary.
ifeq (,$(wildcard $(YQ)))
ifeq (,$(shell which yq 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
}
else
YQ = $(shell which yq)
endif
endif
PHONY: cr
CR = $(shell pwd)/bin/cr
cr: ## Download cr locally if necessary.
ifeq (,$(wildcard $(CR)))
ifeq (,$(shell which cr 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(CR)) ;\
curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ cr ;\
}
else
CR = $(shell which cr)
endif
endif
charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE (image and namespace) =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
@echo "== HELM =="
cd charts && \
$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE (annotation) =="
cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
@echo "== SLICE =="
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/templates \
--sort-by-kind
@echo "Helm Chart $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*),$(YQ) -i 'del(.. | select(has("namespace")).namespace)' $(file);)
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*rolebinding*),$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $(file);)
rm -f charts/$(CHART_NAME)/templates/namespace*.yaml
.PHONY: helm-package
helm-package: cr helm-chart
@echo "== CHART RELEASER (package) =="
$(CR) package ./charts/awx-operator
# The actual release happens in ansible/helm-release.yml
# until https://github.com/helm/chart-releaser/issues/122 happens
.PHONY: helm-index
helm-index: cr helm-chart
@echo "== CHART RELEASER (httpsorigin) =="
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
git fetch httpsorigin
@echo "== CHART RELEASER (index) =="
$(CR) index \
--owner "$(CHART_OWNER)" \
--git-repo "$(CHART_REPO)" \
--token "$(CR_TOKEN)" \
--pages-branch "$(CHART_BRANCH)" \
--index-path "./charts/$(CHART_INDEX)" \
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
--remote httpsorigin \
--release-name-template="{{ .Version }}" \
--push

257
README.md
View File

@@ -1,6 +1,10 @@
# AWX Operator
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
@@ -8,46 +12,56 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
<!-- gh-md-toc --insert README.md -->
<!--ts-->
- [AWX Operator](#awx-operator)
- [Table of Contents](#table-of-contents)
- [Purpose](#purpose)
- [Usage](#usage)
- [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
- [Basic Install](#basic-install)
- [Admin user account configuration](#admin-user-account-configuration)
- [Network and TLS Configuration](#network-and-tls-configuration)
- [Service Type](#service-type)
- [Ingress Type](#ingress-type)
- [Database Configuration](#database-configuration)
- [External PostgreSQL Service](#external-postgresql-service)
- [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
- [Managed PostgreSQL Service](#managed-postgresql-service)
- [Advanced Configuration](#advanced-configuration)
- [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
- [Redis container capabilities](#redis-container-capabilities)
- [Privileged Tasks](#privileged-tasks)
- [Containers Resource Requirements](#containers-resource-requirements)
- [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
- [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
- [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
- [Persisting Projects Directory](#persisting-projects-directory)
- [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
- [Default execution environments from private registries](#default-execution-environments-from-private-registries)
- [Control plane ee from private registry](#control-plane-ee-from-private-registry)
- [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
- [Extra Settings](#extra-settings)
- [Service Account](#service-account)
- [Uninstall](#uninstall)
- [Upgrading](#upgrading)
- [v0.14.0](#v0140)
- [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
- [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
- [Steps to upgrade](#steps-to-upgrade)
- [Contributing](#contributing)
- [Release Process](#release-process)
- [Author](#author)
* [AWX Operator](#awx-operator)
* [Table of Contents](#table-of-contents)
* [Purpose](#purpose)
* [Usage](#usage)
* [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
* [Basic Install](#basic-install)
* [Helm Install on existing cluster](#helm-install-on-existing-cluster)
* [Admin user account configuration](#admin-user-account-configuration)
* [Network and TLS Configuration](#network-and-tls-configuration)
* [Service Type](#service-type)
* [Ingress Type](#ingress-type)
* [Database Configuration](#database-configuration)
* [External PostgreSQL Service](#external-postgresql-service)
* [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
* [Managed PostgreSQL Service](#managed-postgresql-service)
* [Advanced Configuration](#advanced-configuration)
* [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
* [Redis container capabilities](#redis-container-capabilities)
* [Privileged Tasks](#privileged-tasks)
* [Containers Resource Requirements](#containers-resource-requirements)
* [Priority Classes](#priority-classes)
* [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
* [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
* [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
* [Persisting Projects Directory](#persisting-projects-directory)
* [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
* [Default execution environments from private registries](#default-execution-environments-from-private-registries)
* [Control plane ee from private registry](#control-plane-ee-from-private-registry)
* [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
* [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
* [Session Cookie Secure Setting](#session-cookie-secure-setting)
* [Extra Settings](#extra-settings)
* [Configure no_log](#no-log)
* [Auto Upgrade](#auto-upgrade)
* [Upgrade of instances without auto upgrade](#upgrade-of-instances-without-auto-upgrade)
* [Service Account](#service-account)
* [Uninstall](#uninstall)
* [Upgrading](#upgrading)
* [v0.14.0](#v0140)
* [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
* [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
* [Steps to upgrade](#steps-to-upgrade)
* [Contributing](#contributing)
* [Release Process](#release-process)
* [Author](#author)
* [Code of Conduct](#code-of-conduct)
* [Get Involved](#get-involved)
<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
<!--te-->
## Purpose
@@ -180,8 +194,12 @@ metadata:
name: awx-demo
spec:
service_type: nodeport
# default nodeport_port is 30080
nodeport_port: <nodeport_port>
```
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
```yaml
@@ -237,6 +255,34 @@ You just completed the most basic install of an AWX instance via this operator.
For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
### Helm Install on existing cluster
For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
```bash
$ helm repo add awx-operator https://ansible.github.io/awx-operator/
"awx-operator" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "awx-operator" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm search repo awx-operator
NAME CHART VERSION APP VERSION DESCRIPTION
awx-operator/awx-operator 0.17.1 0.17.1 A Helm chart for the AWX Operator
$ helm install my-awx-operator awx-operator/awx-operator
NAME: my-awx-operator
LAST DEPLOYED: Thu Feb 17 22:09:05 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Helm Chart 0.17.1
```
### Admin user account configuration
There are three variables that are customizable for the admin user account creation.
@@ -268,6 +314,41 @@ stringData:
```
### Secret Key Configuration
This key is used to encrypt sensitive data in the database.
| Name | Description | Default |
| ----------------- | ----------------------------------------------------- | ---------------- |
| secret_key_secret | Secret that contains the symmetric key for encryption | Generated |
> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.
The secret should be formatted as follow:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: custom-awx-secret-key
namespace: <target namespace>
stringData:
secret_key: supersecuresecretkey
```
Then specify the secret name on the AWX spec:
```yaml
---
spec:
...
secret_key_secret: custom-awx-secret-key
```
### Network and TLS Configuration
#### Service Type
@@ -396,7 +477,7 @@ spec:
#### External PostgreSQL Service
In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
The secret should be formatted as follows:
@@ -425,6 +506,15 @@ type: Opaque
**Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
Once the secret is created, you can specify it on your spec:
```yaml
---
spec:
...
postgres_configuration_secret: <name-of-your-secret>
```
#### Migrating data from an old AWX instance
For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -477,15 +567,15 @@ spec:
There are a few variables that are customizable for awx the image management.
| Name | Description |
| ------------------- | ------------------------- |
| image | Path of the image to pull |
| image_version | Image version to pull |
| image_pull_policy | The pull policy to adopt |
| image_pull_secrets | The pull secrets to use |
| ee_images | A list of EEs to register |
| redis_image | Path of the image to pull |
| redis_image_version | Image version to pull |
| Name | Description | Default |
| ------------------- | ------------------------- | -------------------------------------- |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:latest |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
Example of customization could be:
@@ -582,7 +672,7 @@ spec:
The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
Then set the name of your priority class to the control plane and postgres pods as shown below.
Then set the name of your priority class to the control plane and postgres pods as shown below.
```yaml
---
@@ -971,6 +1061,57 @@ Example configuration of `extra_settings` parameter
value: "cn=admin,dc=example,dc=com"
```
#### No Log
Configure no_log for tasks with no_log
| Name | Description | Default |
| ------ | -------------------- | ------- |
| no_log | No log configuration | 'true' |
Example configuration of `no_log` parameter
```yaml
spec:
no_log: 'true'
```
#### Auto upgrade
With this parameter you can influence the behaviour during an operator upgrade.
If set to `true`, the operator will upgrade the specific instance directly.
When the value is set to `false`, and we have a running deployment, the operator will not update the AWX instance.
This can be useful when you have multiple AWX instances which you want to upgrade step by step instead of all at once.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| auto_upgrade | Automatic upgrade of AWX instances | true |
Example configuration of `auto_upgrade` parameter
```yaml
spec:
auto_upgrade: true
```
##### Upgrade of instances without auto upgrade
There are two ways to upgrade instances which are marked with the 'auto_upgrade: false' flag.
Changing flags:
- change the auto_upgrade flag on your AWX object to true
- wait until the upgrade process of that instance is finished
- change the auto_upgrade flag on your AWX object back to false
Delete the deployment:
- delete the deployment object of your AWX instance
```
$ kubectl -n awx delete deployment <yourInstanceName>
```
- wait until the instance gets redeployed
#### Service Account
If you need to modify some `ServiceAccount` proprieties
@@ -1042,8 +1183,22 @@ The first step is to create a draft release. Typically this will happen in the [
If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
- Publish image to Quay
- Release Helm chart
## Author
This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team
## Code of Conduct
We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
## Get Involved
We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC chanel as AWX itself. Here's how to reach us with feedback and questions:
- Join the `#ansible-awx` channel on irc.libera.chat
- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

3
SECURITY.md Normal file
View File

@@ -0,0 +1,3 @@
For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

47
ansible/helm-release.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- hosts: localhost
vars:
chart_repo: awx-operator
tasks:
- name: Look up release
uri:
url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
register: release
ignore_errors: yes
- fail:
msg: |
Release must exist before running this playbook
when: release is not success
- name: Build and package helm chart
command: |
make helm-chart helm-package
environment:
VERSION: "{{ tag }}"
IMAGE_TAG_BASE: "{{ operator_image }}"
args:
chdir: "{{ playbook_dir }}/../"
# Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
- name: Upload helm chart
uri:
url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
headers:
Authorization: "token {{ gh_token }}"
Content-Type: "application/octet-stream"
status_code:
- 200
- 201
register: asset_upload
changed_when: asset_upload.json.state == "uploaded"
- name: Publish helm index
command: |
make helm-index
environment:
CHART_OWNER: "{{ chart_owner }}"
CR_TOKEN: "{{ gh_token }}"
args:
chdir: "{{ playbook_dir }}/../"

29
config/crd/bases/awx.ansible.com_awxs.yaml
View File

@@ -278,6 +278,28 @@ spec:
type: string
type: object
type: object
redis_resource_requirements:
description: Resource requirements for the redis container
properties:
requests:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
limits:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
type: object
service_account_annotations:
description: ServiceAccount annotations
type: string
@@ -460,10 +482,17 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
no_log:
description: Configure no_log for no_log tasks
type: string
security_context_settings:
description: Key/values that will be set under the pod-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
auto_upgrade:
description: Should AWX instances be automatically upgraded when operator gets upgraded
type: boolean
default: true
type: object
status:
properties:

6
config/crd/bases/awxbackup.ansible.com_awxbackups.yaml
View File

@@ -43,6 +43,9 @@ spec:
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
clean_backup_on_delete:
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
type: boolean
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
@@ -52,6 +55,9 @@ spec:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
status:
type: object
properties:

3
config/crd/bases/awxrestore.ansible.com_awxrestores.yaml
View File

@@ -56,6 +56,9 @@ spec:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
status:
type: object
properties:

9
config/manager/manager.yaml
View File

@@ -54,7 +54,14 @@ spec:
port: 6789
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "4096Mi"
cpu: "2000m"
serviceAccountName: controller-manager
imagePullSecrets:
- name: ansible-deployment-pull-secret
- name: redhat-operators-pull-secret
terminationGracePeriodSeconds: 10

10
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

@@ -278,6 +278,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Redis container resource requirements
path: redis_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container resource requirements (when using a managed
instance)
path: postgres_resource_requirements
@@ -569,6 +574,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: No Log Configuration
path: no_log
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Security Context Settings
path: security_context_settings
x-descriptors:

6
config/samples/awx_v1beta1_awx.yaml
View File

@@ -6,13 +6,13 @@ metadata:
spec:
web_resource_requirements:
requests:
cpu: 250m
cpu: 50m
memory: 128M
task_resource_requirements:
requests:
cpu: 250m
cpu: 50m
memory: 128M
ee_resource_requirements:
requests:
cpu: 200m
cpu: 50m
memory: 64M

2
molecule/default/kustomize.yml
View File

@@ -1,7 +1,7 @@
---
- name: Build kustomize testing overlay
# load_restrictor must be set to none so we can load patch files from the default overlay
command: '{{ kustomize }} build --load_restrictor none .'
command: '{{ kustomize }} build --load-restrictor LoadRestrictionsNone .'
args:
chdir: '{{ config_dir }}/testing'
register: resources

4
molecule/default/tasks/awx_test.yml
View File

@@ -49,13 +49,13 @@
name: Demo Job Template
wait: yes
validate_certs: no
controller_host: localhost
controller_host: localhost/awx/
controller_username: admin
controller_password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
rescue:
- name: Get list of project updates and jobs
uri:
url: "http://localhost/api/v2/{{ resource }}/"
url: "http://localhost/awx/api/v2/{{ resource }}/"
user: admin
password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
force_basic_auth: yes

10
molecule/default/templates/awx_cr_molecule.yml.j2
View File

@@ -11,19 +11,21 @@ spec:
image_version: {{ awx_version }}
{% endif %}
ingress_type: ingress
ingress_path: /awx
ingress_annotations: |
kubernetes.io/ingress.class: nginx
web_resource_requirements:
requests:
cpu: 100m
cpu: 50m
memory: 32M
task_resource_requirements:
requests:
cpu: 100m
cpu: 50m
memory: 32M
ee_resource_requirements:
requests:
cpu: 200m
memory: 32M
cpu: 50m
memory: 16M
postgres_resource_requirements: {}
postgres_init_container_resource_requirements: {}
redis_resource_requirements: {}

0
projects/.gitkeep Executable file → Normal file
View File

5
roles/backup/README.md
View File

@@ -74,7 +74,12 @@ To check the name of this secret, look at the postgresConfigurationSecret status
The postgresql pod for the old deployment is used when backing up data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
It is also possible to tie the lifetime of the backup files to that of the AWXBackup resource object. To do that you can set the
`clean_backup_on_delete` value to true. This will delete the `backupDirectory` on the pvc associated with the AWXBackup object deleted.
```
clean_backup_on_delete: true
```
Testing
----------------

12
roles/backup/defaults/main.yml
View File

@@ -10,3 +10,15 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
# Size of backup PVC if created dynamically
backup_storage_requirements: ''
# Set no_log settings on certain tasks
no_log: 'true'
# Variable to set when you want backups to be cleaned up when the CRD object is deleted
clean_backup_on_delete: false
# Variable to signal that this role is being run as a finalizer
finalizer_run: false
# Allow additional parameters to be added to the pg_dump backup command
pg_dump_suffix: ''

47
roles/backup/tasks/creation.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
labels:
app.kubernetes.io/name: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/part-of: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/managed-by: "{{ deployment_type }}-operator"
app.kubernetes.io/component: "{{ deployment_type }}"
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml

7
roles/backup/tasks/delete_backup.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Cleanup backup associated with this option if enabled
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c 'rm -rf {{ backup_dir }}'

6
roles/backup/tasks/dump_generated_secret.yml
View File

@@ -25,15 +25,15 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: true
no_log: "{{ no_log }}"
- name: Set secret data
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: true
no_log: "{{ no_log }}"

6
roles/backup/tasks/dump_secret.yml
View File

@@ -13,16 +13,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: true
no_log: "{{ no_log }}"
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: true
no_log: "{{ no_log }}"
when: _name != ''

19
roles/backup/tasks/finalizer.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: delete_backup.yml
- include_tasks: cleanup.yml
vars:
backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] }}"
when:
- clean_backup_on_delete and backup_dir is defined

5
roles/backup/tasks/init.yml
View File

@@ -1,5 +1,4 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ ansible_operator_meta.name }}-db-management"
@@ -57,8 +56,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: '{{ deployment_name }}-backup-claim'
namespace: '{{ backup_pvc_namespace }}'
name: "{{ deployment_name }}-backup-claim"
namespace: "{{ backup_pvc_namespace }}"
ownerReferences: null
when:
- backup_pvc == '' or backup_pvc is not defined

51
roles/backup/tasks/main.yml
View File

@@ -1,47 +1,8 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Run creation tasks
include_tasks: creation.yml
when: not finalizer_run
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml
- name: Run finalizer tasks
include_tasks: finalizer.yml
when: finalizer_run

11
roles/backup/tasks/postgres.yml
View File

@@ -6,7 +6,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
register: pg_config
no_log: true
no_log: "{{ no_log }}"
- name: Fail if postgres configuration secret status does not exist
fail:
@@ -21,7 +21,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Delete pod to reload a resource configuration
@@ -80,7 +80,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # yamllint disable-line rule:line-length
no_log: true
no_log: "{{ no_log }}"
- name: Set pg_dump command
set_fact:
@@ -91,7 +91,8 @@
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
-F custom
no_log: true
{{ pg_dump_suffix }}
no_log: "{{ no_log }}"
- name: Write pg_dump to backup on PVC
k8s_exec:
@@ -104,5 +105,5 @@
echo 'Successful'
"""
register: data_migration
no_log: true
no_log: "{{ no_log }}"
failed_when: "'Successful' not in data_migration.stdout"

4
roles/backup/tasks/secrets.yml
View File

@@ -39,7 +39,7 @@
- name: Nest secrets under a single variable
set_fact:
secrets: {"secrets": '{{ secret_dict }}'}
no_log: true
no_log: "{{ no_log }}"
- name: Write postgres configuration to pvc
k8s_exec:
@@ -47,4 +47,4 @@
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
no_log: true
no_log: "{{ no_log }}"

17
roles/installer/defaults/main.yml
View File

@@ -127,7 +127,7 @@ extra_volumes: ''
_image: quay.io/ansible/awx
_image_version: "{{ lookup('env', 'DEFAULT_AWX_VERSION') or 'latest' }}"
_redis_image: docker.io/redis
_redis_image_version: latest
_redis_image_version: 7
_postgres_image: postgres
_postgres_image_version: 12
_init_container_image: quay.io/centos/centos
@@ -164,7 +164,8 @@ replicas: "1"
task_args:
- /usr/bin/launch_awx_task.sh
task_command: []
web_args: []
web_args:
- /usr/bin/launch_awx.sh
web_command: []
task_resource_requirements:
@@ -188,6 +189,11 @@ session_cookie_secure: False
# Assign a preexisting priority class to the control plane pods
control_plane_priority_class: ''
redis_resource_requirements:
requests:
cpu: 50m
memory: 64Mi
# Add extra environment variables to the AWX task/web containers. Specify as
# literal block. E.g.:
# task_extra_env: |
@@ -275,3 +281,10 @@ garbage_collect_secrets: false
development_mode: false
security_context_settings: {}
# Set no_log settings on certain tasks
no_log: 'true'
# Should AWX instances be automatically upgraded when operator gets upgraded
#
auto_upgrade: true

14
roles/installer/tasks/admin_password_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ admin_password_secret }}'
register: _custom_admin_password
no_log: true
no_log: "{{ no_log }}"
when: admin_password_secret | length
- name: Check for default admin password configuration
@@ -14,19 +14,19 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _default_admin_password
no_log: true
no_log: "{{ no_log }}"
- name: Set admin password secret
set_fact:
_admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Create admin password secret
k8s:
apply: true
definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Read admin password secret
k8s_info:
@@ -34,16 +34,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _generated_admin_password
no_log: true
no_log: "{{ no_log }}"
when: not _admin_password_secret['resources'] | default([]) | length
- name: Set admin password secret
set_fact:
__admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Store admin password
set_fact:
admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
no_log: true
no_log: "{{ no_log }}"

14
roles/installer/tasks/broadcast_websocket_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ broadcast_websocket_secret }}'
register: _custom_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
when: broadcast_websocket_secret | length
- name: Check for default broadcast websocket secret configuration
@@ -14,20 +14,20 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _default_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
- name: Set broadcast websocket secret
set_fact:
# yamllint disable-line rule:line-length
_broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Create broadcast websocket secret
k8s:
apply: true
definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Read broadcast websocket secret
k8s_info:
@@ -35,7 +35,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _generated_broadcast_websocket
no_log: true
no_log: "{{ no_log }}"
when: not _broadcast_websocket_secret['resources'] | default([]) | length
@@ -43,9 +43,9 @@
set_fact:
# yamllint disable-line rule:line-length
__broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
no_log: true
no_log: "{{ no_log }}"
- name: Store broadcast websocket secret name
set_fact:
broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
no_log: true
no_log: "{{ no_log }}"

2
roles/installer/tasks/cleanup.yml
View File

@@ -23,6 +23,6 @@
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
no_log: true
no_log: "{{ no_log }}"
when: not garbage_collect_secrets | bool

20
roles/installer/tasks/database_configuration.yml
View File

@@ -6,7 +6,7 @@
name: '{{ postgres_configuration_secret }}'
register: _custom_pg_config_resources
when: postgres_configuration_secret | length
no_log: true
no_log: "{{ no_log }}"
- name: Check for default PostgreSQL configuration
k8s_info:
@@ -14,7 +14,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _default_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
- name: Check for specified old PostgreSQL configuration secret
k8s_info:
@@ -23,7 +23,7 @@
name: '{{ old_postgres_configuration_secret }}'
register: _custom_old_pg_config_resources
when: old_postgres_configuration_secret | length
no_log: true
no_log: "{{ no_log }}"
- name: Check for default old PostgreSQL configuration
k8s_info:
@@ -31,7 +31,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-old-postgres-configuration'
register: _default_old_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
- name: Set old PostgreSQL configuration
set_fact:
@@ -45,7 +45,7 @@
when:
- old_pg_config['resources'] is defined
- old_pg_config['resources'] | length
no_log: true
no_log: "{{ no_log }}"
- name: Set default postgres image
set_fact:
@@ -54,7 +54,7 @@
- name: Set PostgreSQL configuration
set_fact:
_pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Set user provided postgres image
set_fact:
@@ -72,7 +72,7 @@
k8s:
apply: true
definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Read Database Configuration
k8s_info:
@@ -80,13 +80,13 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _generated_pg_config_resources
no_log: true
no_log: "{{ no_log }}"
when: not _pg_config['resources'] | default([]) | length
- name: Set PostgreSQL Configuration
set_fact:
pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Set actual postgres configuration secret used
set_fact:
@@ -140,7 +140,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}"
no_log: true
no_log: "{{ no_log }}"
- name: Wait for Database to initialize if managed DB
k8s_info:

8
roles/installer/tasks/initialize_django.yml
View File

@@ -22,7 +22,7 @@
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
no_log: true
no_log: "{{ no_log }}"
when: users_result.return_code > 0
- name: Check if legacy queue is present
@@ -57,7 +57,7 @@
_execution_environments_pull_credentials: >-
{{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
| ternary(_custom_execution_environments_pull_credentials, []) }}
no_log: true
no_log: "{{ no_log }}"
- name: Register default execution environments (without authentication)
k8s_exec:
@@ -78,7 +78,7 @@
default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
default_execution_environment_pull_credentials_url_verify: >-
{{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
no_log: true
no_log: "{{ no_log }}"
- name: Register default execution environments (with authentication)
k8s_exec:
@@ -93,7 +93,7 @@
--verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
register: ree
changed_when: "'changed: True' in ree.stdout"
no_log: true
no_log: "{{ no_log }}"
when: _execution_environments_pull_credentials['resources'] | default([]) | length
- name: Create preload data if necessary. # noqa 305

88
roles/installer/tasks/install.yml Normal file
View File

@@ -0,0 +1,88 @@
---
- name: Patching labels to AWX kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Include secret key configuration tasks
include_tasks: secret_key_configuration.yml
- name: Load LDAP CAcert certificate
include_tasks: load_ldap_cacert_secret.yml
when:
- ldap_cacert_secret != ''
- name: Load ldap bind password
include_tasks: load_ldap_password_secret.yml
when:
- ldap_password_secret != ''
- name: Load bundle certificate authority certificate
include_tasks: load_bundle_cacert_secret.yml
when:
- bundle_cacert_secret != ''
- name: Include admin password configuration tasks
include_tasks: admin_password_configuration.yml
- name: Include broadcast websocket configuration tasks
include_tasks: broadcast_websocket_configuration.yml
- name: Include set_images tasks
include_tasks: set_images.yml
- name: Include database configuration tasks
include_tasks: database_configuration.yml
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
- name: Check for pending migrations
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
register: database_check
- name: Migrate the database if the K8s resources were updated. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage migrate --noinput"
register: migrate_result
when:
- database_check is defined
- (database_check.stdout|trim) != '0'
- name: Initialize Django
include_tasks: initialize_django.yml
- name: Update status variables
include_tasks: update_status.yml
- name: Cleanup & Set garbage collection refs
include_tasks: cleanup.yml

4
roles/installer/tasks/load_bundle_cacert_secret.yml
View File

@@ -5,10 +5,10 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ bundle_cacert_secret }}'
register: bundle_cacert
no_log: true
no_log: "{{ no_log }}"
- name: Load bundle Certificate Authority Secret content
set_fact:
bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
no_log: true
no_log: "{{ no_log }}"
when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

4
roles/installer/tasks/load_ldap_cacert_secret.yml
View File

@@ -5,10 +5,10 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ldap_cacert_secret }}'
register: ldap_cacert
no_log: true
no_log: "{{ no_log }}"
- name: Load LDAP CA Certificate Secret content
set_fact:
ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
no_log: true
no_log: "{{ no_log }}"
when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

4
roles/installer/tasks/load_ldap_password_secret.yml
View File

@@ -5,10 +5,10 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ldap_password_secret }}'
register: ldap_password
no_log: true
no_log: "{{ no_log }}"
- name: Load LDAP bind password Secret content
set_fact:
ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
no_log: true
no_log: "{{ no_log }}"
when: '"ldap-password" in ldap_password["resources"][0]["data"]'

6
roles/installer/tasks/load_route_tls_secret.yml
View File

@@ -5,16 +5,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ route_tls_secret }}'
register: route_tls
no_log: true
no_log: "{{ no_log }}"
- name: Load Route TLS Secret content
set_fact:
route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
no_log: true
no_log: "{{ no_log }}"
- name: Load Route TLS Secret content
set_fact:
route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
no_log: true
no_log: "{{ no_log }}"
when: '"ca.crt" in route_tls["resources"][0]["data"]'

95
roles/installer/tasks/main.yml
View File

@@ -1,88 +1,13 @@
---
- name: Patching labels to AWX kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Include secret key configuration tasks
include_tasks: secret_key_configuration.yml
- name: Load LDAP CAcert certificate
include_tasks: load_ldap_cacert_secret.yml
when:
- ldap_cacert_secret != ''
- name: Load ldap bind password
include_tasks: load_ldap_password_secret.yml
when:
- ldap_password_secret != ''
- name: Load bundle certificate authority certificate
include_tasks: load_bundle_cacert_secret.yml
when:
- bundle_cacert_secret != ''
- name: Include admin password configuration tasks
include_tasks: admin_password_configuration.yml
- name: Include broadcast websocket configuration tasks
include_tasks: broadcast_websocket_configuration.yml
- name: Include set_images tasks
include_tasks: set_images.yml
- name: Include database configuration tasks
include_tasks: database_configuration.yml
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
- name: Check for pending migrations
k8s_exec:
- name: Check for presence of Deployment
k8s_info:
api_version: v1
kind: Deployment
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
register: database_check
register: tower_deployment
- name: Migrate the database if the K8s resources were updated. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage migrate --noinput"
register: migrate_result
when:
- database_check is defined
- (database_check.stdout|trim) != '0'
- name: Initialize Django
include_tasks: initialize_django.yml
- name: Update status variables
include_tasks: update_status.yml
- name: Cleanup & Set garbage collection refs
include_tasks: cleanup.yml
# Just execute deployment steps when auto_upgrade is true or when no deployment exists
- name: Start installation
include_tasks: install.yml
when: (tower_deployment['resources'] | length > 0 and auto_upgrade | bool ) or (tower_deployment['resources'] | length == 0)

8
roles/installer/tasks/migrate_data.yml
View File

@@ -11,7 +11,7 @@
awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
no_log: true
no_log: "{{ no_log }}"
- name: Default label selector to custom resource generated postgres
set_fact:
@@ -49,7 +49,7 @@
-d {{ awx_old_postgres_database }}
-p {{ awx_old_postgres_port }}
-F custom
no_log: true
no_log: "{{ no_log }}"
- name: Set pg_restore command
set_fact:
@@ -57,7 +57,7 @@
pg_restore --clean --if-exists
-U {{ database_username }}
-d {{ database_name }}
no_log: true
no_log: "{{ no_log }}"
- name: Stream backup from pg_dump to the new postgresql container
k8s_exec:
@@ -69,7 +69,7 @@
PGPASSWORD='{{ awx_old_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
echo 'Successful'
"""
no_log: true
no_log: "{{ no_log }}"
register: data_migration
failed_when: "'Successful' not in data_migration.stdout"

2
roles/installer/tasks/resources_configuration.yml
View File

@@ -40,7 +40,7 @@
- 'persistent'
- 'service'
- 'ingress'
no_log: true
no_log: "{{ no_log }}"
- name: Set default awx app image
set_fact:

14
roles/installer/tasks/secret_key_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ secret_key_secret }}'
register: _custom_secret_key
no_log: true
no_log: "{{ no_log }}"
when: secret_key_secret | length
- name: Check for default secret key configuration
@@ -14,19 +14,19 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-secret-key'
register: _default_secret_key
no_log: true
no_log: "{{ no_log }}"
- name: Set secret key secret
set_fact:
_secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
no_log: true
no_log: "{{ no_log }}"
- block:
- name: Create secret key secret
k8s:
apply: true
definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Read secret key secret
k8s_info:
@@ -34,16 +34,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-secret-key'
register: _generated_secret_key
no_log: true
no_log: "{{ no_log }}"
when: not _secret_key_secret['resources'] | default([]) | length
- name: Set secret key secret
set_fact:
__secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}'
no_log: true
no_log: "{{ no_log }}"
- name: Store secret key secret name
set_fact:
secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
no_log: true
no_log: "{{ no_log }}"

6
roles/installer/templates/config.yaml.j2
View File

@@ -145,6 +145,7 @@ data:
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server;
listen [::]:8052 default_server;
server_name _;
# Redirect all HTTP links to the matching HTTPS page
@@ -155,6 +156,7 @@ data:
server {
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl;
listen [::]:8053 ssl;
ssl_certificate /etc/nginx/pki/web.crt;
ssl_certificate_key /etc/nginx/pki/web.key;
@@ -165,6 +167,7 @@ data:
ssl_prefer_server_ciphers on;
{% else %}
listen 8052 default_server;
listen [::]:8052 default_server;
{% endif %}
# If you have a domain name, this is where to add it
@@ -176,6 +179,8 @@ data:
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
location /nginx_status {
stub_status on;
@@ -229,6 +234,7 @@ data:
add_header Strict-Transport-Security max-age=15768000;
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Expires "0";
add_header Pragma "no-cache";

1
roles/installer/templates/deployment.yaml.j2
View File

@@ -101,6 +101,7 @@ spec:
mountPath: "/var/run/redis"
- name: "{{ ansible_operator_meta.name }}-redis-data"
mountPath: "/data"
resources: {{ redis_resource_requirements }}
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-web'
{% if web_command %}

5
roles/installer/templates/ldap.py.j2
View File

@@ -4,3 +4,8 @@ AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
{% endif %}
}
# Load LDAP BIND password from Kubernetes secret if define
{% if ldap_password_secret -%}
AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}"
{% endif %}

3
roles/restore/defaults/main.yml
View File

@@ -10,3 +10,6 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
# Required: backup name, found on the awxbackup object
backup_dir: ''
# Set no_log settings on certain tasks
no_log: 'true'

2
roles/restore/tasks/cleanup.yml
View File

@@ -22,7 +22,7 @@
- '{{ admin_password_secret }}'
- '{{ broadcast_websocket_secret }}'
- '{{ postgres_configuration_secret }}'
no_log: true
no_log: "{{ no_log }}"
- name: Cleanup temp spec file
file:

10
roles/restore/tasks/postgres.yml
View File

@@ -10,7 +10,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ postgres_configuration_secret }}'
register: pg_config
no_log: true
no_log: "{{ no_log }}"
- name: Store Database Configuration
set_fact:
@@ -20,7 +20,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Default label selector to custom resource generated postgres
set_fact:
@@ -66,7 +66,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
no_log: true
no_log: "{{ no_log }}"
when: awx_postgres_type == 'managed'
- name: Set pg_restore command
@@ -78,7 +78,7 @@
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
no_log: true
no_log: "{{ no_log }}"
- name: Restore database dump to the new postgresql container
k8s_exec:
@@ -91,5 +91,5 @@
echo 'Successful'
"""
register: data_migration
no_log: true
no_log: "{{ no_log }}"
failed_when: "'Successful' not in data_migration.stdout"

20
roles/restore/tasks/secrets.yml
View File

@@ -7,7 +7,7 @@
command: >-
bash -c "cat '{{ backup_dir }}/secrets.yml'"
register: _secrets
no_log: true
no_log: "{{ no_log }}"
- name: Create Temporary secrets file
tempfile:
@@ -20,38 +20,38 @@
dest: "{{ tmp_secrets.path }}"
content: "{{ _secrets.stdout }}"
mode: 0640
no_log: true
no_log: "{{ no_log }}"
- name: Include secret vars from backup
include_vars: "{{ tmp_secrets.path }}"
no_log: true
no_log: "{{ no_log }}"
- name: If deployment is managed, set the database_host in the pg config secret
block:
- name: Set new database host
set_fact:
database_host: "{{ deployment_name }}-postgres"
no_log: true
no_log: "{{ no_log }}"
- name: Set tmp postgres secret dict
set_fact:
_pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
no_log: true
no_log: "{{ no_log }}"
- name: Change postgres host value
set_fact:
_pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create a postgres secret with the new host value
set_fact:
_pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
no_log: true
no_log: "{{ no_log }}"
- name: Create a new dict of secrets with the new postgres secret
set_fact:
secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
no_log: true
no_log: "{{ no_log }}"
when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
- name: Apply secret
@@ -61,7 +61,7 @@
apply: yes
wait: yes
definition: "{{ lookup('template', 'secrets.yml.j2') }}"
no_log: true
no_log: "{{ no_log }}"
- name: Remove ownerReference on restored secrets
k8s:
@@ -73,4 +73,4 @@
namespace: '{{ ansible_operator_meta.namespace }}'
ownerReferences: null
loop: "{{ secrets | dict2items }}"
no_log: true
no_log: "{{ no_log }}"

5
watches.yaml
View File

@@ -11,6 +11,11 @@
kind: AWXBackup
role: backup
snakeCaseParameters: False
finalizer:
name: awx.ansible.com/finalizer
role: backup
vars:
finalizer_run: true
- version: v1beta1
group: awx.ansible.com