internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 05:43:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:0.25.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
..
compare: internet:pr-check-capacity-fix
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

1 Commits
0.25.0 ... pr-check-c

Author SHA1 Message Date
Elijah DeLee
abe2cb86fe tweak settings for PR checks to have capacity 2022-02-15 15:27:46 -05:00
73 changed files with 1131 additions and 2289 deletions
Expand all files Collapse all files

3
.github/CODE_OF_CONDUCT.md vendored
View File

@@ -1,3 +0,0 @@
# Community Code of Conduct
Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

39
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,39 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
##### ISSUE TYPE
- Bug Report
##### SUMMARY
<!-- Briefly describe the problem. -->
##### ENVIRONMENT
* AWX version: X.Y.Z
* Operator version: X.Y.Z
* Kubernetes version:
* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
##### STEPS TO REPRODUCE
<!-- Please describe exactly how to reproduce the problem. -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? -->
##### ADDITIONAL INFORMATION
<!-- Include any links to sosreport, database dumps, screenshots or other
information. -->
##### AWX-OPERATOR LOGS

125
.github/ISSUE_TEMPLATE/bug_report.yml vendored
View File

@@ -1,125 +0,0 @@
---
name: Bug Report
description: "🐞 Create a report to help us improve"
body:
- type: markdown
attributes:
value: |
Bug Report issues are for **concrete, actionable bugs** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Bug Summary
description: Briefly describe the problem.
validations:
required: false
- type: input
id: awx-operator-version
attributes:
label: AWX Operator version
description: What version of the AWX Operator are you running?
validations:
required: true
- type: input
id: awx-version
attributes:
label: AWX version
description: What version of AWX are you running?
validations:
required: true
- type: dropdown
id: platform
attributes:
label: Kubernetes platform
description: What platform did you install the Operator in?
multiple: false
options:
- kubernetes
- minikube
- openshift
- minishift
- docker development environment
- other (please specify in additional information)
validations:
required: true
- type: input
id: kube-version
attributes:
label: Kubernetes/Platform version
description: What version of your platform/kuberneties are you using?
validations:
required: true
- type: dropdown
id: modified-architecture
attributes:
label: Modifications
description: >-
Have you modified the installation, deployment topology, or container images in any way? If yes, please
explain in the "additional information" field at the bottom of the form.
multiple: false
options:
- "no"
- "yes"
validations:
required: true
- type: textarea
id: steps-to-reproduce
attributes:
label: Steps to reproduce
description: >-
Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
validations:
required: true
- type: textarea
id: expected-results
attributes:
label: Expected results
description: What did you expect to happpen when running the steps above?
validations:
required: true
- type: textarea
id: actual-results
attributes:
label: Actual results
description: What actually happened?
validations:
required: true
- type: textarea
id: additional-information
attributes:
label: Additional information
description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
validations:
required: false
- type: textarea
id: operator-logs
attributes:
label: Operator Logs
description: Include any relevant logs generated by the operator.
validations:
required: false

12
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@@ -1,12 +0,0 @@
---
blank_issues_enabled: false
contact_links:
- name: For debugging help or technical support
url: https://github.com/ansible/awx-operator#get-involved
about: For general debugging or technical support please see the Get Involved section of our readme.
- name: 📝 Ansible Code of Conduct
url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
- name: 💼 For Enterprise
url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
about: Red Hat offers support for the Ansible Automation Platform

29
.github/ISSUE_TEMPLATE/feature_request.yml vendored
View File

@@ -1,29 +0,0 @@
---
name: ✨ Feature request
description: Suggest an idea for this project
body:
- type: markdown
attributes:
value: |
Feature Request issues are for **feature requests** only.
For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
- type: checkboxes
id: terms
attributes:
label: Please confirm the following
options:
- label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
required: true
- label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
required: true
- label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
required: true
- type: textarea
id: summary
attributes:
label: Feature Summary
description: Briefly describe the desired enhancement.
validations:
required: true

47
.github/workflows/ci.yaml vendored
View File

@@ -10,9 +10,9 @@ on:
branches: [devel]
jobs:
molecule:
pull_request:
runs-on: ubuntu-18.04
name: molecule
name: pull_request
env:
DOCKER_API_VERSION: "1.38"
steps:
@@ -39,46 +39,3 @@ jobs:
sudo rm -f $(which kustomize)
make kustomize
KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
helm:
runs-on: ubuntu-18.04
name: helm
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.2.0
- name: Build operator image and load into kind
run: |
IMG=awx-operator-ci make docker-build
kind load docker-image --name chart-testing awx-operator-ci
- name: Patch pull policy for tests
run: |
kustomize edit add patch --path ../testing/pull_policy/Never.yaml
working-directory: config/default
- name: Build and lint helm chart
run: |
IMG=awx-operator-ci make helm-chart
helm lint ./charts/awx-operator
- name: Install kubeval
run: |
mkdir tmp && cd tmp
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin
working-directory: ./charts
- name: Run kubeval
run: |
helm template -n awx awx-operator > tmp/test.yaml
kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
working-directory: ./charts
- name: Install helm chart
run: |
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator

15
.github/workflows/promote.yaml vendored
View File

@@ -8,8 +8,6 @@ jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Log in to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -25,16 +23,3 @@ jobs:
docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker push quay.io/${{ github.repository }}:latest
- name: Configure git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ github.event.release.tag_name }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/stage.yml vendored
View File

@@ -60,8 +60,7 @@ jobs:
- name: Build and stage awx-operator
working-directory: awx-operator
run: |
BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }} \
--build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }}" \
IMAGE_TAG_BASE=ghcr.io/${{ github.repository_owner }}/awx-operator \
VERSION=${{ github.event.inputs.version }} make docker-build docker-push

3
.gitignore vendored
View File

@@ -4,6 +4,3 @@
/bundle
/bundle_tmp*
/bundle.Dockerfile
/charts
/.cr-release-packages
.vscode/

23
.helm/starter/.helmignore
View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

7
.helm/starter/Chart.yaml
View File

@@ -1,7 +0,0 @@
---
apiVersion: v2
appVersion: 0.1.0
description: A Helm chart for Kubernetes
name: starter
type: application
version: 0.1.0

56
.helm/starter/README.md
View File

@@ -1,56 +0,0 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
In your values config, enable `AWX.enable` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
Example:
```
helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
```
Argument breakdown:
* `-f` passes in the file with your custom values
* `-n` sets the namespace to be installed in
* This value is accessed by `{{ $.Release.Namespace }}` in the templates
* Acts as the default namespace for all unspecified resources
* `--create-namespace` specifies that helm should create the namespace before installing
To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
## Values Summary
### AWX
| Value | Description | Default |
|---|---|---|
| `AWX.enabled` | Enable this AWX resource configuration | `false` |
| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
| `AWX.postgres` | configurations for the external postgres secret | - |
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.

6
.helm/starter/templates/_helpers.tpl
View File

@@ -1,6 +0,0 @@
{{/*
Generate the name of the postgres secret, expects AWX context passed in
*/}}
{{- define "postgres.secretName" -}}
{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
{{- end }}

24
.helm/starter/templates/awx-deploy.yaml
View File

@@ -1,24 +0,0 @@
{{- if $.Values.AWX.enabled }}
{{- with .Values.AWX }}
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
spec:
{{- /* Include raw map from the values file spec */}}
{{ .spec | toYaml | indent 2 }}
{{- /* Provide security context defaults */}}
{{- if not (hasKey .spec "security_context_settings") }}
security_context_settings:
runAsGroup: 0
runAsUser: 0
fsGroup: 0
fsGroupChangePolicy: OnRootMismatch
{{- end }}
{{- /* Postgres configs if enabled and not already present */}}
{{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
postgres_configuration_secret: {{ include "postgres.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}

18
.helm/starter/templates/postgres-config.yaml
View File

@@ -1,18 +0,0 @@
{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postgres.secretName" . }}
namespace: {{ $.Release.Namespace }}
{{- with $.Values.AWX.postgres }}
stringData:
host: {{ .host }}
port: {{ .port }}
database: {{ .dbName }}
username: {{ .username }}
password: {{ .password }}
sslmode: {{ .sslmode }}
type: {{ .type }}
type: Opaque
{{- end }}
{{- end }}

19
.helm/starter/values.yaml
View File

@@ -1,19 +0,0 @@
AWX:
# enable use of awx-deploy template
enabled: false
name: awx
spec:
admin_user: admin
# configurations for external postgres instance
postgres:
enabled: false
host: Unset
port: 5678
dbName: Unset
username: admin
# for secret management, pass in the password independently of this file
# at the command line, use --set AWX.postgres.password
password: Unset
sslmode: prefer
type: unmanaged

1
.yamllint
View File

@@ -6,7 +6,6 @@ ignore: |
kustomization.yaml
awx-operator.clusterserviceversion.yaml
bundle
.helm/starter
rules:
truthy: disable

9
CHANGELOG.md
View File

@@ -2,14 +2,7 @@
This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
# 0.19.0 (Mar 23, 2022)
- Fix corrupted spec for the service with nodeport type (kurokobo) - dbaf64e
- Add ability to deploy with OLM & added logo (Christian Adams) - 86c31a4
- Fix backup & restore issues with special characters in the postgres password (kurokobo) - 589a375
- Use centos:stream8 container where applicable (Shane McDonald)- 12a58d7
# 0.14.0 (Oct 03, 2021)
# 0.14.0 (TBA)
- Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x.
- To avoid a headache, you probably want to delete your existing operator Deployment and follow the README.

2
Dockerfile
View File

@@ -1,9 +1,7 @@
FROM quay.io/operator-framework/ansible-operator:v1.12.0
ARG DEFAULT_AWX_VERSION
ARG OPERATOR_VERSION
ENV DEFAULT_AWX_VERSION=${DEFAULT_AWX_VERSION}
ENV OPERATOR_VERSION=${OPERATOR_VERSION}
COPY requirements.yml ${HOME}/requirements.yml
RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \

149
Makefile
View File

@@ -7,13 +7,6 @@ VERSION ?= $(shell git describe --tags)
CONTAINER_CMD ?= docker
# GNU vs BSD in-place sed
ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
SED_I := sed -i
else
SED_I := sed -i ''
endif
# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -48,14 +41,6 @@ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
NAMESPACE ?= awx
# Helm variables
CHART_NAME ?= awx-operator
CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
CHART_OWNER ?= $(GH_REPO_OWNER)
CHART_REPO ?= awx-operator
CHART_BRANCH ?= gh-pages
CHART_INDEX ?= index.yaml
all: docker-build
##@ General
@@ -108,8 +93,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
$(KUSTOMIZE) build config/default | kubectl delete -f -
OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCHA := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
ARCHX := $(shell uname -m | sed -e 's/amd64/x86_64/' -e 's/aarch64/arm64/')
ARCH := $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
.PHONY: kustomize
KUSTOMIZE = $(shell pwd)/bin/kustomize
@@ -119,7 +103,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
tar xzf - -C bin/ ;\
}
else
@@ -135,7 +119,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCH) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -148,6 +132,7 @@ bundle: kustomize ## Generate bundle manifests and metadata, then validate gener
operator-sdk generate kustomize manifests -q
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
cd config/manifests/bases && python inject-csv-config.py
operator-sdk bundle validate ./bundle
.PHONY: bundle-build
@@ -166,7 +151,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
chmod +x $(OPM) ;\
}
else
@@ -197,127 +182,3 @@ catalog-build: opm ## Build a catalog image.
.PHONY: catalog-push
catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: kubectl-slice
KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
kubectl-slice: ## Download kubectl-slice locally if necessary.
ifeq (,$(wildcard $(KUBECTL_SLICE)))
ifeq (,$(shell which kubectl-slice 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUBECTL_SLICE)) ;\
curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.1.0/kubectl-slice_1.1.0_$(OS)_$(ARCHX).tar.gz | \
tar xzf - -C bin/ kubectl-slice ;\
}
else
KUBECTL_SLICE = $(shell which kubectl-slice)
endif
endif
.PHONY: helm
HELM = $(shell pwd)/bin/helm
helm: ## Download helm locally if necessary.
ifeq (,$(wildcard $(HELM)))
ifeq (,$(shell which helm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
rmdir bin/$(OS)-$(ARCHA) ;\
}
else
HELM = $(shell which helm)
endif
endif
.PHONY: yq
YQ = $(shell pwd)/bin/yq
yq: ## Download yq locally if necessary.
ifeq (,$(wildcard $(YQ)))
ifeq (,$(shell which yq 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
}
else
YQ = $(shell which yq)
endif
endif
PHONY: cr
CR = $(shell pwd)/bin/cr
cr: ## Download cr locally if necessary.
ifeq (,$(wildcard $(CR)))
ifeq (,$(shell which cr 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(CR)) ;\
curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ cr ;\
}
else
CR = $(shell which cr)
endif
endif
charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE (image and namespace) =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
@echo "== HELM =="
cd charts && \
$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE (annotation) =="
cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
@echo "== SLICE =="
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/templates \
--sort-by-kind
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*),$(YQ) -i 'del(.. | select(has("namespace")).namespace)' $(file);)
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*rolebinding*),$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $(file);)
rm -f charts/$(CHART_NAME)/templates/namespace*.yaml
.PHONY: helm-package
helm-package: cr helm-chart
@echo "== CHART RELEASER (package) =="
$(CR) package ./charts/awx-operator
# The actual release happens in ansible/helm-release.yml
# until https://github.com/helm/chart-releaser/issues/122 happens
.PHONY: helm-index
helm-index: cr helm-chart
@echo "== CHART RELEASER (httpsorigin) =="
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
git fetch httpsorigin
@echo "== CHART RELEASER (index) =="
$(CR) index \
--owner "$(CHART_OWNER)" \
--git-repo "$(CHART_REPO)" \
--token "$(CR_TOKEN)" \
--pages-branch "$(CHART_BRANCH)" \
--index-path "./charts/$(CHART_INDEX)" \
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
--remote httpsorigin \
--release-name-template="{{ .Version }}" \
--push

555
README.md
View File

@@ -1,24 +1,18 @@
# AWX Operator
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
# Table of Contents
<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
<!-- gh-md-toc --insert README.md -->
<!--ts-->
* [AWX Operator](#awx-operator)
* [Table of Contents](#table-of-contents)
* [Purpose](#purpose)
* [Usage](#usage)
* [Creating a minikube cluster for testing](#creating-a-minikube-cluster-for-testing)
* [Basic Install](#basic-install)
* [Helm Install on existing cluster](#helm-install-on-existing-cluster)
* [Basic Install on minikube (beginner or testing)](#basic-install-on-minikube-beginner-or-testing)
* [Basic Install on existing cluster](#basic-install-on-existing-cluster)
* [Admin user account configuration](#admin-user-account-configuration)
* [Network and TLS Configuration](#network-and-tls-configuration)
* [Service Type](#service-type)
@@ -32,36 +26,20 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Redis container capabilities](#redis-container-capabilities)
* [Privileged Tasks](#privileged-tasks)
* [Containers Resource Requirements](#containers-resource-requirements)
* [Priority Classes](#priority-classes)
* [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes)
* [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority)
* [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap)
* [Persisting Projects Directory](#persisting-projects-directory)
* [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
* [Default execution environments from private registries](#default-execution-environments-from-private-registries)
* [Control plane ee from private registry](#control-plane-ee-from-private-registry)
* [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
* [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
* [Session Cookie Secure Setting](#session-cookie-secure-setting)
* [Extra Settings](#extra-settings)
* [Configure no_log](#no-log)
* [Auto Upgrade](#auto-upgrade)
* [Upgrade of instances without auto upgrade](#upgrade-of-instances-without-auto-upgrade)
* [Service Account](#service-account)
* [Uninstall](#uninstall)
* [Upgrading](#upgrading)
* [v0.14.0](#v0140)
* [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
* [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
* [Steps to upgrade](#steps-to-upgrade)
* [Contributing](#contributing)
* [Release Process](#release-process)
* [Author](#author)
* [Code of Conduct](#code-of-conduct)
* [Get Involved](#get-involved)
<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
<!--te-->
## Purpose
@@ -70,11 +48,11 @@ This operator is meant to provide a more Kubernetes-native installation method f
## Usage
### Basic Install on minikube (beginner or testing)
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
### Creating a minikube cluster for testing
If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
```
$ minikube start --cpus=4 --memory=6g --addons=ingress
@@ -123,47 +101,26 @@ Let's create an alias for easier usage:
$ alias kubectl="minikube kubectl --"
```
### Basic Install
Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/
First, create a file called `kustomization.yaml` with the following content:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Find the latest tag here: https://github.com/ansible/awx-operator/releases
- github.com/ansible/awx-operator/config/default?ref=<tag>
# Set the image tags to match the git version from above
images:
- name: quay.io/ansible/awx-operator
newTag: <tag>
# Specify a custom namespace in which to install AWX
namespace: awx
```
> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
Install the manifests by running this:
Now you need to deploy AWX Operator into your cluster. Clone this repo and `git checkout` the latest version from https://github.com/ansible/awx-operator/releases, and then run the following command:
```
$ kustomize build . | kubectl apply -f -
namespace/awx created
$ export NAMESPACE=my-namespace
$ make deploy
cd config/manager && /home/user/awx-operator/bin/kustomize edit set image controller=quay.io/ansible/awx-operator:0.14.0
/home/user/awx-operator/bin/kustomize build config/default | kubectl apply -f -
namespace/my-namespace created
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
serviceaccount/awx-operator-controller-manager created
role.rbac.authorization.k8s.io/awx-operator-awx-manager-role created
role.rbac.authorization.k8s.io/awx-operator-leader-election-role created
role.rbac.authorization.k8s.io/awx-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding created
rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding created
rolebinding.rbac.authorization.k8s.io/awx-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding created
configmap/awx-operator-awx-manager-config created
configmap/awx-operator-manager-config created
service/awx-operator-controller-manager-metrics-service created
deployment.apps/awx-operator-controller-manager created
```
@@ -171,18 +128,18 @@ deployment.apps/awx-operator-controller-manager created
Wait a bit and you should have the `awx-operator` running:
```
$ kubectl get pods -n awx
$ kubectl get pods -n $NAMESPACE
NAME READY STATUS RESTARTS AGE
awx-operator-controller-manager-66ccd8f997-rhd4z 2/2 Running 0 11s
```
So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:
So we don't have to keep repeating `-n $NAMESPACE`, let's set the current namespace for `kubectl`:
```
$ kubectl config set-context --current --namespace=awx
$ kubectl config set-context --current --namespace=$NAMESPACE
```
Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
Next, create a file named `awx-demo.yml` with the suggested content below. The `metadata.name` you provide, will be the name of the resulting AWX deployment.
**Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
@@ -194,27 +151,13 @@ metadata:
name: awx-demo
spec:
service_type: nodeport
# default nodeport_port is 30080
nodeport_port: <nodeport_port>
```
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
```yaml
...
resources:
- github.com/ansible/awx-operator/config/default?ref=<tag>
# Add this extra line:
- awx-demo.yaml
...
```
Finally, run `kustomize` again to create the AWX instance in your cluster:
Finally, use `kubectl` to create the awx instance in your cluster:
```
kustomize build . | kubectl apply -f -
$ kubectl apply -f awx-demo.yml
awx.awx.ansible.com/awx-demo created
```
After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
@@ -254,46 +197,32 @@ You just completed the most basic install of an AWX instance via this operator.
For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
### Helm Install on existing cluster
### Basic Install on existing cluster
For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
For those running a whole K8S Cluster the steps to set up the awx-operator are:
The helm chart is generated from the `helm-chart` Makefile section using the starter files in `.helm/starter`. Consult [the documentation](.helm/starter/README.md) on how to customize the AWX resource with your own values.
```
$ Prepare required files
git clone https://github.com/ansible/awx-operator.git
cd awx-operator
git checkout {{ latest_released_version }} # replace variable by latest version number in releases
```bash
$ helm repo add awx-operator https://ansible.github.io/awx-operator/
"awx-operator" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "awx-operator" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm search repo awx-operator
NAME CHART VERSION APP VERSION DESCRIPTION
awx-operator/awx-operator 0.17.1 0.17.1 A Helm chart for the AWX Operator
$ helm install -n awx --create-namespace my-awx-operator awx-operator/awx-operator
NAME: my-awx-operator
LAST DEPLOYED: Thu Feb 17 22:09:05 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Helm Chart 0.17.1
$ Deploy new AWX Operator
export NAMESPACE=<Name of the namespace where your AWX instanse exists>
make deploy
```
### Admin user account configuration
There are three variables that are customizable for the admin user account creation.
| Name | Description | Default |
| --------------------- | -------------------------------------------- | ---------------- |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
| Name | Description | Default |
| --------------------------- | -------------------------------------------- | ---------------- |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
> :warning: **admin_password_secret must be a Kubernetes secret and not your text clear password**.
@@ -316,41 +245,6 @@ stringData:
```
### Secret Key Configuration
This key is used to encrypt sensitive data in the database.
| Name | Description | Default |
| ----------------- | ----------------------------------------------------- | ---------------- |
| secret_key_secret | Secret that contains the symmetric key for encryption | Generated |
> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.
The secret should be formatted as follow:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: custom-awx-secret-key
namespace: <target namespace>
stringData:
secret_key: supersecuresecretkey
```
Then specify the secret name on the AWX spec:
```yaml
---
spec:
...
secret_key_secret: custom-awx-secret-key
```
### Network and TLS Configuration
#### Service Type
@@ -361,10 +255,10 @@ The `service_type` supported options are: `ClusterIP`, `LoadBalancer` and `NodeP
The following variables are customizable for any `service_type`
| Name | Description | Default |
| ------------------- | ----------------------- | ------------ |
| service_labels | Add custom labels | Empty string |
| service_annotations | Add service annotations | Empty string |
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------- |
| service_labels | Add custom labels | Empty string |
| service_annotations | Add service annotations | Empty string |
```yaml
---
@@ -381,10 +275,10 @@ spec:
The following variables are customizable only when `service_type=LoadBalancer`
| Name | Description | Default |
| --------------------- | ---------------------------------------- | ------- |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
| Name | Description | Default |
| ------------------------------ | ---------------------------------------- | ------------- |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
```yaml
---
@@ -407,9 +301,9 @@ The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and
The following variables are customizable only when `service_type=NodePort`
| Name | Description | Default |
| ------------- | ---------------------- | ------- |
| nodeport_port | Port used for NodePort | 30080 |
| Name | Description | Default |
| ------------------------------ | ---------------------------------------- | ------------- |
| nodeport_port | Port used for NodePort | 30080 |
```yaml
---
@@ -437,13 +331,13 @@ spec:
The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
| Name | Description | Default |
| ------------------- | ---------------------------------------- | --------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
| Name | Description | Default |
| -------------------------- | ---------------------------------------- | ---------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
```yaml
---
@@ -459,8 +353,8 @@ spec:
The following variables are customizable when `ingress_type=route`
| Name | Description | Default |
| ------------------------------- | --------------------------------------------- | ------------------------------------------------------- |
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------------------------------|
| route_host | Common name the route answers for | `<instance-name>-<namespace>-<routerCanonicalHostname>` |
| route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge |
| route_tls_secret | Secret that contains the TLS information | Empty string |
@@ -479,7 +373,7 @@ spec:
#### External PostgreSQL Service
To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
The secret should be formatted as follows:
@@ -502,21 +396,12 @@ stringData:
type: Opaque
```
> Please ensure that the value for the variable `password` should _not_ contain single or double quotes (`'`, `"`) or backslashes (`\`) to avoid any issues during deployment, backup or restoration.
> Please ensure that the value for the variable "password" is wrapped in quotes if the password contains any special characters.
> It is possible to set a specific username, password, port, or database, but still have the database managed by the operator. In this case, when creating the postgres-configuration secret, the `type: managed` field should be added.
**Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
Once the secret is created, you can specify it on your spec:
```yaml
---
spec:
...
postgres_configuration_secret: <name-of-your-secret>
```
#### Migrating data from an old AWX instance
For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -527,15 +412,13 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
The following variables are customizable for the managed PostgreSQL service
| Name | Description | Default |
| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_resource_requirements | PostgreSQL container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string |
| Name | Description | Default |
| ------------------------------------ | ------------------------------------------ | --------------------------------- |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_resource_requirements | PostgreSQL container resource requirements | Empty object |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
Example of customization could be:
@@ -569,15 +452,15 @@ spec:
There are a few variables that are customizable for awx the image management.
| Name | Description | Default |
| ------------------- | ------------------------- | -------------------------------------- |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:latest |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
| Name | Description |
| --------------------------| -------------------------- |
| image | Path of the image to pull |
| image_version | Image version to pull |
| image_pull_policy | The pull policy to adopt |
| image_pull_secret | The pull secret to use |
| ee_images | A list of EEs to register |
| redis_image | Path of the image to pull |
| redis_image_version | Image version to pull |
Example of customization could be:
@@ -588,8 +471,7 @@ spec:
image: myorg/my-custom-awx
image_version: latest
image_pull_policy: Always
image_pull_secrets:
- pull_secret_name
image_pull_secret: pull_secret_name
ee_images:
- name: my-custom-awx-ee
image: myorg/my-custom-awx-ee
@@ -635,11 +517,11 @@ Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to
The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
| Name | Description | Default |
| -------------------------- | ------------------------------------------------ | ------------------------------------ |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| Name | Description | Default |
| -------------------------------- | ------------------------------------------------ | ----------------------------------- |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 1000m, memory: 2Gi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
Example of customization could be:
@@ -649,63 +531,44 @@ spec:
...
web_resource_requirements:
requests:
cpu: 250m
cpu: 1000m
memory: 2Gi
limits:
cpu: 1000m
cpu: 2000m
memory: 4Gi
task_resource_requirements:
requests:
cpu: 250m
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
cpu: 1000m
memory: 2Gi
ee_resource_requirements:
requests:
cpu: 250m
memory: 100Mi
limits:
cpu: 500m
memory: 1Gi
limits:
cpu: 1000m
memory: 2Gi
```
#### Priority Classes
The AWX and Postgres pods can be assigned a custom PriorityClass to rank their importance compared to other pods in your cluster, which determines which pods get evicted first if resources are running low.
First, [create your PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) if needed.
Then set the name of your priority class to the control plane and postgres pods as shown below.
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-demo
spec:
...
control_plane_priority_class: awx-demo-high-priority
postgres_priority_class: awx-demo-medium-priority
```
#### Assigning AWX pods to specific nodes
You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
pods to be scheduled onto nodes with matching taints.
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | 12 |
| postgres_image_version | Image version to pull | 12 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
| Name | Description | Default |
| -------------------------------| ---------------------------------------- | ------- |
| postgres_image | Path of the image to pull | 12 |
| postgres_image_version | Image version to pull | 12 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:
@@ -750,8 +613,8 @@ Trusting a custom Certificate Authority allows the AWX to access network service
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | --------|
| ldap_cacert_secret | LDAP Certificate Authority secret name | '' |
| ldap_password_secret | LDAP BIND DN Password secret name | '' |
| bundle_cacert_secret | Certificate Authority secret name | '' |
Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter.
Example of customization could be:
@@ -761,13 +624,10 @@ Example of customization could be:
spec:
...
ldap_cacert_secret: <resourcename>-custom-certs
ldap_password_secret: <resourcename>-ldap-password
bundle_cacert_secret: <resourcename>-custom-certs
```
To create the secrets, you can use the commands below:
* Certificate Authority secret
To create the secret, you can use the command below:
```
# kubectl create secret generic <resourcename>-custom-certs \
@@ -775,77 +635,17 @@ To create the secrets, you can use the commands below:
--from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
```
* LDAP BIND DN Password secret
```
# kubectl create secret generic <resourcename>-ldap-password \
--from-literal=ldap-password=<your_ldap_dn_password>
```
#### Enabling LDAP Integration at AWX bootstrap
A sample of extra settings can be found as below:
```yaml
- setting: AUTH_LDAP_SERVER_URI
value: >-
"ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
- setting: AUTH_LDAP_BIND_DN
value: >-
"CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
- setting: AUTH_LDAP_USER_SEARCH
value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
- setting: AUTH_LDAP_GROUP_SEARCH
value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
- setting: AUTH_LDAP_USER_ATTR_MAP
value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
- setting: AUTH_LDAP_REQUIRE_GROUP
value: >-
"CN=operators,OU=Groups,DC=abc,DC=com"
- setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
value: {
"is_superuser": [
"CN=admin,OU=Groups,DC=abc,DC=com"
]
}
- setting: AUTH_LDAP_ORGANIZATION_MAP
value: {
"abc": {
"admins": "CN=admin,OU=Groups,DC=abc,DC=com",
"remove_users": false,
"remove_admins": false,
"users": true
}
}
- setting: AUTH_LDAP_TEAM_MAP
value: {
"admin": {
"remove": true,
"users": "CN=admin,OU=Groups,DC=abc,DC=com",
"organization": "abc"
}
}
```
#### Persisting Projects Directory
In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
| Name | Description | Default |
| ---------------------------- | ---------------------------------------------------------------------------------------------- | ------------- |
| projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| projects_storage_class | Define the PersistentVolume storage class | '' |
| projects_storage_size | Define the PersistentVolume size | 8Gi |
| projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | '' |
| Name | Description | Default |
| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
| projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| projects_storage_class | Define the PersistentVolume storage class | '' |
| projects_storage_size | Define the PersistentVolume size | 8Gi |
| projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | '' |
Example of customization when the `awx-operator` automatically handles the persistent volume could be:
@@ -862,14 +662,14 @@ spec:
In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
| Name | Description | Default |
| ---------------------------------- | -------------------------------------------------------- | ------- |
| extra_volumes | Specify extra volumes to add to the application pod | '' |
| web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
| init_container_extra_volume_mounts | Specify volume mounts to be added to Init container | '' |
| init_container_extra_commands | Specify additional commands for Init container | '' |
| Name | Description | Default |
| --------------------------------- | -------------------------------------------------------- | ------- |
| extra_volumes | Specify extra volumes to add to the application pod | '' |
| web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container | '' |
| init_container_extra_commands | Specify additional commands for Init container | '' |
> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -964,7 +764,7 @@ type: Opaque
```
##### Control plane ee from private registry
The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
You can create `image_pull_secret`
```
@@ -990,11 +790,11 @@ type: kubernetes.io/dockerconfigjson
If you need to export custom environment variables to your containers.
| Name | Description | Default |
| -------------- | --------------------------------------------------- | ------- |
| task_extra_env | Environment variables to be added to Task container | '' |
| web_extra_env | Environment variables to be added to Web container | '' |
| ee_extra_env | Environment variables to be added to EE container | '' |
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| task_extra_env | Environment variables to be added to Task container | '' |
| web_extra_env | Environment variables to be added to Web container | '' |
| ee_extra_env | Environment variables to be added to EE container | '' |
> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -1013,43 +813,13 @@ Example configuration of environment variables
value: foo
```
#### CSRF Cookie Secure Setting
With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
| Name | Description | Default |
| ------------------ | ------------------ | ------- |
| csrf_cookie_secure | CSRF Cookie Secure | '' |
Example configuration of the `csrf_cookie_secure` setting:
```yaml
spec:
csrf_cookie_secure: 'False'
```
#### Session Cookie Secure Setting
With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py`
| Name | Description | Default |
| --------------------- | --------------------- | ------- |
| session_cookie_secure | Session Cookie Secure | '' |
Example configuration of the `session_cookie_secure` setting:
```yaml
spec:
session_cookie_secure: 'False'
```
#### Extra Settings
With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings` will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
| Name | Description | Default |
| -------------- | -------------- | ------- |
| extra_settings | Extra settings | '' |
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| extra_settings | Extra settings | '' |
Example configuration of `extra_settings` parameter
@@ -1063,64 +833,13 @@ Example configuration of `extra_settings` parameter
value: "cn=admin,dc=example,dc=com"
```
#### No Log
Configure no_log for tasks with no_log
| Name | Description | Default |
| ------ | -------------------- | ------- |
| no_log | No log configuration | 'true' |
Example configuration of `no_log` parameter
```yaml
spec:
no_log: 'true'
```
#### Auto upgrade
With this parameter you can influence the behaviour during an operator upgrade.
If set to `true`, the operator will upgrade the specific instance directly.
When the value is set to `false`, and we have a running deployment, the operator will not update the AWX instance.
This can be useful when you have multiple AWX instances which you want to upgrade step by step instead of all at once.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| auto_upgrade | Automatic upgrade of AWX instances | true |
Example configuration of `auto_upgrade` parameter
```yaml
spec:
auto_upgrade: true
```
##### Upgrade of instances without auto upgrade
There are two ways to upgrade instances which are marked with the 'auto_upgrade: false' flag.
Changing flags:
- change the auto_upgrade flag on your AWX object to true
- wait until the upgrade process of that instance is finished
- change the auto_upgrade flag on your AWX object back to false
Delete the deployment:
- delete the deployment object of your AWX instance
```
$ kubectl -n awx delete deployment <yourInstanceName>
```
- wait until the instance gets redeployed
#### Service Account
If you need to modify some `ServiceAccount` proprieties
| Name | Description | Default |
| --------------------------- | --------------------------------- | ------- |
| service_account_annotations | Annotations to the ServiceAccount | '' |
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| service_account_annotations | Annotations to the ServiceAccount | '' |
Example configuration of environment variables
@@ -1185,22 +904,8 @@ The first step is to create a draft release. Typically this will happen in the [
If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
- Publish image to Quay
- Release Helm chart
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, publishing the image to Quay.
## Author
This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team
## Code of Conduct
We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
## Get Involved
We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC chanel as AWX itself. Here's how to reach us with feedback and questions:
- Join the `#ansible-awx` channel on irc.libera.chat
- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

3
SECURITY.md
View File

@@ -1,3 +0,0 @@
For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

47
ansible/helm-release.yml
View File

@@ -1,47 +0,0 @@
---
- hosts: localhost
vars:
chart_repo: awx-operator
tasks:
- name: Look up release
uri:
url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
register: release
ignore_errors: yes
- fail:
msg: |
Release must exist before running this playbook
when: release is not success
- name: Build and package helm chart
command: |
make helm-chart helm-package
environment:
VERSION: "{{ tag }}"
IMAGE_TAG_BASE: "{{ operator_image }}"
args:
chdir: "{{ playbook_dir }}/../"
# Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
- name: Upload helm chart
uri:
url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name=awx-operator-{{ tag }}.tgz"
src: "{{ playbook_dir }}/../.cr-release-packages/awx-operator-{{ tag }}.tgz"
headers:
Authorization: "token {{ gh_token }}"
Content-Type: "application/octet-stream"
status_code:
- 200
- 201
register: asset_upload
changed_when: asset_upload.json.state == "uploaded"
- name: Publish helm index
command: |
make helm-index
environment:
CHART_OWNER: "{{ chart_owner }}"
CR_TOKEN: "{{ gh_token }}"
args:
chdir: "{{ playbook_dir }}/../"

78
config/crd/bases/awx.ansible.com_awxs.yaml
View File

@@ -140,9 +140,6 @@ spec:
service_labels:
description: Additional labels to apply to the service
type: string
annotations:
description: annotations for the pods
type: string
tolerations:
description: node tolerations for the pods
type: string
@@ -165,9 +162,6 @@ spec:
control_plane_ee_image:
description: Registry path to the Execution Environment container image to use on control plane pods
type: string
control_plane_priority_class:
description: Assign a preexisting priority class to the control plane pods
type: string
ee_pull_credentials_secret:
description: Secret where pull credentials for registered ees can be found
type: string
@@ -182,13 +176,8 @@ spec:
- never
- IfNotPresent
- ifnotpresent
image_pull_secrets:
description: Image pull secrets for app and database containers
type: array
items:
type: string
image_pull_secret: # deprecated
description: (Deprecated) Image pull secret for app and database containers
image_pull_secret:
description: The image pull secret
type: string
task_resource_requirements:
description: Resource requirements for the task container
@@ -256,50 +245,6 @@ spec:
type: string
type: object
type: object
postgres_init_container_resource_requirements:
description: Resource requirements for the postgres init container
properties:
requests:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
limits:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
type: object
redis_resource_requirements:
description: Resource requirements for the redis container
properties:
requests:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
limits:
properties:
cpu:
type: string
memory:
type: string
storage:
type: string
type: object
type: object
service_account_annotations:
description: ServiceAccount annotations
type: string
@@ -417,9 +362,6 @@ spec:
postgres_storage_class:
description: Storage class to use for the PostgreSQL PVC
type: string
postgres_priority_class:
description: Assign a preexisting priority class to the postgres pod
type: string
postgres_data_path:
description: Path where the PostgreSQL data are located
type: string
@@ -436,9 +378,6 @@ spec:
ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string
ldap_password_secret:
description: Secret where can be found the LDAP bind password
type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
type: string
@@ -466,12 +405,6 @@ spec:
description: AccessMode for the /var/lib/projects PersistentVolumeClaim
default: ReadWriteMany
type: string
csrf_cookie_secure:
description: Set csrf cookie secure mode for web
type: string
session_cookie_secure:
description: Set session cookie secure mode for web
type: string
extra_settings:
description: Extra settings to specify for the API
items:
@@ -482,17 +415,10 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
no_log:
description: Configure no_log for no_log tasks
type: string
security_context_settings:
description: Key/values that will be set under the pod-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
auto_upgrade:
description: Should AWX instances be automatically upgraded when operator gets upgraded
type: boolean
default: true
type: object
status:
properties:

6
config/crd/bases/awxbackup.ansible.com_awxbackups.yaml
View File

@@ -43,9 +43,6 @@ spec:
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
clean_backup_on_delete:
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
type: boolean
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
@@ -55,9 +52,6 @@ spec:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
status:
type: object
properties:

3
config/crd/bases/awxrestore.ansible.com_awxrestores.yaml
View File

@@ -56,9 +56,6 @@ spec:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
status:
type: object
properties:

9
config/manager/manager.yaml
View File

@@ -54,14 +54,5 @@ spec:
port: 6789
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
memory: "32Mi"
cpu: "50m"
limits:
memory: "4096Mi"
cpu: "2000m"
serviceAccountName: controller-manager
imagePullSecrets:
- name: redhat-operators-pull-secret
terminationGracePeriodSeconds: 10

646
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

File diff suppressed because one or more lines are too long

24
config/manifests/bases/inject-csv-config.py Normal file
View File

@@ -0,0 +1,24 @@
'''
After generating the CSV file, inject custom configuration such as
OLM parameters, relatedImages, etc.
'''
import yaml
csv_path = "../../../bundle/manifests/awx-operator.clusterserviceversion.yaml"
existing_csv = open(csv_path, 'r')
csv = yaml.safe_load(existing_csv)
raw_olm_params = open("olm-parameters.yaml")
olm_params = yaml.safe_load(raw_olm_params)
# Inject OLM parameters for Customer Resource Objects
csv['spec']['customresourcedefinitions']['owned'] = olm_params
csv['metadata']['annotations']['alm-examples'] = ''
file_content = yaml.safe_dump(csv, default_flow_style=False, explicit_start=True)
with open(csv_path, 'w') as f:
f.write(file_content)

604
config/manifests/bases/olm-parameters.yaml Normal file
View File

@@ -0,0 +1,604 @@
---
- displayName: AWX Backup
description: Back up a deployment of the awx, including jobs, inventories, and credentials
kind: AWXBackup
name: awxbackups.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Deployment name
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup persistent volume claim namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage requirements
path: backup_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage class
path: backup_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Database backup label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: The persistent volume claim name used during backup
displayName: Backup claim
path: backupClaim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: The directory data is backed up to on the PVC
displayName: Backup directory
path: backupDirectory
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: AWX Restore
description: Restore a previous awx deployment into the namespace
kind: AWXRestore
name: awxrestores.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Backup source to restore ?
path: backup_source
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:CR
- urn:alm:descriptor:com.tectonic.ui:select:PVC
- displayName: Backup name
path: backup_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
- displayName: Name of newly restored deployment
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Backup namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup directory in the persistent volume claim
path: backup_dir
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Database restore label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: The state of the restore
displayName: Restore status
path: restoreComplete
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Deploy a new instance of AWX
displayName: AWX
kind: AWX
name: awxs.awx.ansible.com
version: v1beta1
specDescriptors:
- displayName: Hostname
path: hostname
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin account username
path: admin_user
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin email address
path: admin_email
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin password secret
path: admin_password_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Database configuration secret
path: postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Old Database configuration secret
path: old_postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Secret key secret
path: secret_key_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Broadcast Websocket Secret
path: broadcast_websocket_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Service Account Annotations
path: service_account_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Tower Service Type
path: service_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:ClusterIP
- urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:select:NodePort
- displayName: Tower Ingress Type
path: ingress_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:none
- urn:alm:descriptor:com.tectonic.ui:select:Ingress
- urn:alm:descriptor:com.tectonic.ui:select:Route
- displayName: Ingress Path
path: ingress_path
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Ingress Path Type
path: ingress_path_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower Ingress Annotations
path: ingress_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower Ingress TLS Secret
path: ingress_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower LoadBalancer Annotations
path: service_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Protocol
path: loadbalancer_protocol
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:http
- urn:alm:descriptor:com.tectonic.ui:select:https
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Port
path: loadbalancer_port
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Route DNS host
path: route_host
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS termination mechanism
path: route_tls_termination_mechanism
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:Edge
- urn:alm:descriptor:com.tectonic.ui:select:Passthrough
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS credential secret
path: route_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Image Pull Policy
path: image_pull_policy
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
- displayName: Image Pull Secret
path: image_pull_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Web container resource requirements
path: web_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Task container resource requirements
path: task_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: EE Control Plane container resource requirements
path: ee_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container resource requirements (when using a managed
instance)
path: postgres_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container storage requirements (when using a managed
instance)
path: postgres_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Replicas
path: replicas
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- displayName: Remove used secrets on instance removal ?
path: garbage_collect_secrets
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Preload instance with data upon creation ?
path: create_preload_data
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Deploy the instance in development mode ?
path: development_mode
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Should the task container deployed with privileged level ?
path: task_privileged
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment Type
path: deployment_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment Kind
path: kind
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Deployment apiVersion
path: api_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Image
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Image Version
path: image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image
path: redis_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image Version
path: redis_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Capabilities
path: redis_capabilities
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Selector
path: postgres_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Label Selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Tolerations
path: postgres_tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Storage Class
path: postgres_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Datapath
path: postgres_data_path
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Extra Arguments
path: postgres_extra_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Certificate Authorirty Trust Bundle
path: ca_trust_bundle
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: LDAP Certificate Authority Trust Bundle
path: ldap_cacert_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Task Args
path: task_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Enable persistence for /var/lib/projects directory?
path: projects_persistence
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Use existing Persistent Claim?
path: projects_use_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:_Yes_
- urn:alm:descriptor:com.tectonic.ui:select:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_persistence:true
- displayName: Projects Existing Persistent Claim
path: projects_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
- urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
- description: Projects Storage Class Name. If not present, the default storage
class will be used.
displayName: Projects Storage Class Name
path: projects_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Projects Storage Size
displayName: Projects Storage Size
path: projects_storage_size
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Projects Storage Access Mode
displayName: Projects Storage Access Mode
path: projects_storage_access_mode
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Task Command
path: task_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to Task container
displayName: Task Extra Env
path: task_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Execution container
displayName: EE Extra Volume Mounts
path: ee_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use
displayName: EE Images
path: ee_images
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to EE container
displayName: EE Extra Env
path: ee_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use on
control plane pods
displayName: Control Plane EE Image
path: control_plane_ee_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: EE Images Pull Credentials Secret
displayName: EE Images Pull Credentials Secret
path: ee_pull_credentials_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- description: Specify volume mounts to be added to Task container
displayName: Task Extra Volume Mounts
path: task_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Args
path: web_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Command
path: web_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Environment variables to be added to Web container
displayName: Web Extra Env
path: web_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Web container
displayName: Web Extra Volume Mounts
path: web_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify extra volumes to add to the application pod
displayName: Extra Volumes
path: extra_volumes
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Node Selector
path: node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Topology Spread Constraints
path: topology_spread_constraints
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Service Labels
path: service_labels
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tolerations
path: tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: API Extra Settings
path: extra_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Security Context Settings
path: security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the init container to use
displayName: Init Container Image
path: init_container_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Init container image version to use
displayName: Init Container Image Version
path: init_container_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify Extra commands for the Init container
displayName: Init Container Extra Commands
path: init_container_extra_commands
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Init container
displayName: Init Container Extra Volume Mounts
path: init_container_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Secret where can be found the trusted Certificate Authority Bundle
path: bundle_cacert_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Nodeport Port
path: nodeport_port
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: Route to access the instance deployed
displayName: URL
path: URL
x-descriptors:
- urn:alm:descriptor:org.w3:link
- description: Admin user for the instance deployed
displayName: Admin User
path: adminUser
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Admin password for the instance deployed
displayName: Admin Password
path: adminPasswordSecret
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: Version of the instance deployed
displayName: Version
path: version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Image of the instance deployed
displayName: Image
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text

6
config/samples/awx_v1beta1_awx.yaml
View File

@@ -6,13 +6,13 @@ metadata:
spec:
web_resource_requirements:
requests:
cpu: 50m
cpu: 250m
memory: 128M
task_resource_requirements:
requests:
cpu: 50m
cpu: 250m
memory: 128M
ee_resource_requirements:
requests:
cpu: 50m
cpu: 200m
memory: 64M

51
docs/debugging.md
View File

@@ -1,51 +0,0 @@
# Iterating on the installer without deploying the operator
Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
Install some dependencies:
```
$ ansible-galaxy collection install -r molecule/requirements.yml
$ pip install -r molecule/requirements.txt
```
To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
```
$ kubectl scale deployment awx-operator-controller-manager --replicas=0
```
Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
```yaml
# run.yml
---
- hosts: localhost
roles:
- installer
```
Create a vars file:
```yaml
# vars.yml
---
ansible_operator_meta:
name: awx
namespace: awx
service_type: nodeport
```
Run the installer:
```
$ ansible-playbook run.yml -e @vars.yml -v
```
Grab the URL and admin password:
```
$ minikube service awx-service --url -n awx
$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
```

2
molecule/default/kustomize.yml
View File

@@ -1,7 +1,7 @@
---
- name: Build kustomize testing overlay
# load_restrictor must be set to none so we can load patch files from the default overlay
command: '{{ kustomize }} build --load-restrictor LoadRestrictionsNone .'
command: '{{ kustomize }} build --load_restrictor none .'
args:
chdir: '{{ config_dir }}/testing'
register: resources

4
molecule/default/tasks/awx_test.yml
View File

@@ -49,13 +49,13 @@
name: Demo Job Template
wait: yes
validate_certs: no
controller_host: localhost/awx/
controller_host: localhost
controller_username: admin
controller_password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
rescue:
- name: Get list of project updates and jobs
uri:
url: "http://localhost/awx/api/v2/{{ resource }}/"
url: "http://localhost/api/v2/{{ resource }}/"
user: admin
password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
force_basic_auth: yes

22
molecule/default/templates/awx_cr_molecule.yml.j2
View File

@@ -11,21 +11,23 @@ spec:
image_version: {{ awx_version }}
{% endif %}
ingress_type: ingress
ingress_path: /awx
ingress_annotations: |
kubernetes.io/ingress.class: nginx
web_resource_requirements:
requests:
cpu: 50m
memory: 32M
cpu: 250m
memory: 128M
task_resource_requirements:
requests:
cpu: 50m
memory: 32M
cpu: 250m
memory: 128M
ee_resource_requirements:
requests:
cpu: 50m
memory: 16M
postgres_resource_requirements: {}
postgres_init_container_resource_requirements: {}
redis_resource_requirements: {}
cpu: 200m
memory: 64M
extra_settings:
- setting: SYSTEM_TASK_FORKS_CPU
value: 1
- setting: SYSTEM_TASK_FORKS_MEM
value: 1

0
projects/.gitkeep Normal file → Executable file
View File

5
roles/backup/README.md
View File

@@ -74,12 +74,7 @@ To check the name of this secret, look at the postgresConfigurationSecret status
The postgresql pod for the old deployment is used when backing up data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
It is also possible to tie the lifetime of the backup files to that of the AWXBackup resource object. To do that you can set the
`clean_backup_on_delete` value to true. This will delete the `backupDirectory` on the pvc associated with the AWXBackup object deleted.
```
clean_backup_on_delete: true
```
Testing
----------------

12
roles/backup/defaults/main.yml
View File

@@ -10,15 +10,3 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
# Size of backup PVC if created dynamically
backup_storage_requirements: ''
# Set no_log settings on certain tasks
no_log: 'true'
# Variable to set when you want backups to be cleaned up when the CRD object is deleted
clean_backup_on_delete: false
# Variable to signal that this role is being run as a finalizer
finalizer_run: false
# Allow additional parameters to be added to the pg_dump backup command
pg_dump_suffix: ''

47
roles/backup/tasks/creation.yml
View File

@@ -1,47 +0,0 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
labels:
app.kubernetes.io/name: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/part-of: "{{ ansible_operator_meta.name }}"
app.kubernetes.io/managed-by: "{{ deployment_type }}-operator"
app.kubernetes.io/component: "{{ deployment_type }}"
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml

7
roles/backup/tasks/delete_backup.yml
View File

@@ -1,7 +0,0 @@
---
- name: Cleanup backup associated with this option if enabled
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c 'rm -rf {{ backup_dir }}'

6
roles/backup/tasks/dump_generated_secret.yml
View File

@@ -25,15 +25,15 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: "{{ no_log }}"
no_log: true
- name: Set secret data
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: "{{ no_log }}"
no_log: true
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: "{{ no_log }}"
no_log: true

6
roles/backup/tasks/dump_secret.yml
View File

@@ -13,16 +13,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ _name }}"
register: _secret
no_log: "{{ no_log }}"
no_log: true
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: "{{ no_log }}"
no_log: true
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
no_log: "{{ no_log }}"
no_log: true
when: _name != ''

19
roles/backup/tasks/finalizer.yml
View File

@@ -1,19 +0,0 @@
---
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: delete_backup.yml
- include_tasks: cleanup.yml
vars:
backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] }}"
when:
- clean_backup_on_delete and backup_dir is defined

5
roles/backup/tasks/init.yml
View File

@@ -1,4 +1,5 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ ansible_operator_meta.name }}-db-management"
@@ -56,8 +57,8 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "{{ deployment_name }}-backup-claim"
namespace: "{{ backup_pvc_namespace }}"
name: '{{ deployment_name }}-backup-claim'
namespace: '{{ backup_pvc_namespace }}'
ownerReferences: null
when:
- backup_pvc == '' or backup_pvc is not defined

51
roles/backup/tasks/main.yml
View File

@@ -1,8 +1,47 @@
---
- name: Run creation tasks
include_tasks: creation.yml
when: not finalizer_run
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Run finalizer tasks
include_tasks: finalizer.yml
when: finalizer_run
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: awx-cro.yml
- include_tasks: secrets.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml

14
roles/backup/tasks/postgres.yml
View File

@@ -6,7 +6,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
register: pg_config
no_log: "{{ no_log }}"
no_log: true
- name: Fail if postgres configuration secret status does not exist
fail:
@@ -21,7 +21,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
no_log: "{{ no_log }}"
no_log: true
- block:
- name: Delete pod to reload a resource configuration
@@ -39,7 +39,6 @@
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
@@ -80,7 +79,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # yamllint disable-line rule:line-length
no_log: "{{ no_log }}"
no_log: true
- name: Set pg_dump command
set_fact:
@@ -91,8 +90,7 @@
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
-F custom
{{ pg_dump_suffix }}
no_log: "{{ no_log }}"
no_log: true
- name: Write pg_dump to backup on PVC
k8s_exec:
@@ -101,9 +99,9 @@
command: |
bash -c """
set -e -o pipefail
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} > {{ backup_dir }}/tower.db
PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db
echo 'Successful'
"""
register: data_migration
no_log: "{{ no_log }}"
no_log: true
failed_when: "'Successful' not in data_migration.stdout"

18
roles/backup/tasks/secrets.yml
View File

@@ -21,25 +21,13 @@
- ingress_tls_secret
- ldap_cacert_secret
- bundle_cacert_secret
- ee_pull_credentials_secret
# image_pull_secret is deprecated in favor of image_pull_secrets
- name: Dump image_pull_secret into file
include_tasks: dump_secret.yml
with_items:
- image_pull_secret
when: image_pull_secret is defined
- name: Dump image_pull_secrets into file
include_tasks: dump_secret.yml
with_items:
- image_pull_secrets
when: image_pull_secrets | default([]) | length
- ee_pull_credentials_secret
- name: Nest secrets under a single variable
set_fact:
secrets: {"secrets": '{{ secret_dict }}'}
no_log: "{{ no_log }}"
no_log: true
- name: Write postgres configuration to pvc
k8s_exec:
@@ -47,4 +35,4 @@
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
no_log: "{{ no_log }}"
no_log: true

59
roles/installer/defaults/main.yml
View File

@@ -83,12 +83,6 @@ topology_spread_constraints: ''
# effect: "NoSchedule"
tolerations: ''
# Add annotations to awx pods. Specify as literal block. E.g.:
# annotations: |
# my.annotation/1: value
# my.annotation/2: value2
annotations: ''
admin_user: admin
admin_email: test@example.com
@@ -127,13 +121,13 @@ extra_volumes: ''
_image: quay.io/ansible/awx
_image_version: "{{ lookup('env', 'DEFAULT_AWX_VERSION') or 'latest' }}"
_redis_image: docker.io/redis
_redis_image_version: 7
_redis_image_version: latest
_postgres_image: postgres
_postgres_image_version: 12
_init_container_image: quay.io/centos/centos
_init_container_image_version: stream8
_init_container_image_version: 8
image_pull_policy: IfNotPresent
image_pull_secrets: []
image_pull_secret: ''
# Extra commands which will be appended to the initContainer
# Make sure that each command entered return an exit code 0
@@ -164,36 +158,24 @@ replicas: "1"
task_args:
- /usr/bin/launch_awx_task.sh
task_command: []
web_args:
- /usr/bin/launch_awx.sh
web_args: []
web_command: []
task_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
cpu: 500m
memory: 1Gi
web_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
cpu: 1000m
memory: 2Gi
ee_resource_requirements:
requests:
cpu: 100m
memory: 64Mi
cpu: 500m
memory: 1Gi
# Customize CSRF options
csrf_cookie_secure: False
session_cookie_secure: False
# Assign a preexisting priority class to the control plane pods
control_plane_priority_class: ''
redis_resource_requirements:
requests:
cpu: 50m
memory: 64Mi
# Add extra environment variables to the AWX task/web containers. Specify as
# literal block. E.g.:
# task_extra_env: |
@@ -234,16 +216,7 @@ postgres_tolerations: ''
postgres_storage_requirements:
requests:
storage: 8Gi
postgres_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
postgres_init_container_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
# Assign a preexisting priority class to the postgres pod
postgres_priority_class: ''
postgres_resource_requirements: {}
postgres_data_path: '/var/lib/postgresql/data/pgdata'
# Persistence to the AWX project data folder
@@ -267,9 +240,6 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
#
ldap_cacert_secret: ''
# Secret to lookup that provides the LDAP bind password
ldap_password_secret: ''
# Secret to lookup that provides the custom CA trusted bundle
bundle_cacert_secret: ''
@@ -281,10 +251,3 @@ garbage_collect_secrets: false
development_mode: false
security_context_settings: {}
# Set no_log settings on certain tasks
no_log: 'true'
# Should AWX instances be automatically upgraded when operator gets upgraded
#
auto_upgrade: true

14
roles/installer/tasks/admin_password_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ admin_password_secret }}'
register: _custom_admin_password
no_log: "{{ no_log }}"
no_log: true
when: admin_password_secret | length
- name: Check for default admin password configuration
@@ -14,19 +14,19 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _default_admin_password
no_log: "{{ no_log }}"
no_log: true
- name: Set admin password secret
set_fact:
_admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
no_log: "{{ no_log }}"
no_log: true
- block:
- name: Create admin password secret
k8s:
apply: true
definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Read admin password secret
k8s_info:
@@ -34,16 +34,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-admin-password'
register: _generated_admin_password
no_log: "{{ no_log }}"
no_log: true
when: not _admin_password_secret['resources'] | default([]) | length
- name: Set admin password secret
set_fact:
__admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
no_log: "{{ no_log }}"
no_log: true
- name: Store admin password
set_fact:
admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
no_log: "{{ no_log }}"
no_log: true

14
roles/installer/tasks/broadcast_websocket_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ broadcast_websocket_secret }}'
register: _custom_broadcast_websocket
no_log: "{{ no_log }}"
no_log: true
when: broadcast_websocket_secret | length
- name: Check for default broadcast websocket secret configuration
@@ -14,20 +14,20 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _default_broadcast_websocket
no_log: "{{ no_log }}"
no_log: true
- name: Set broadcast websocket secret
set_fact:
# yamllint disable-line rule:line-length
_broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204
no_log: "{{ no_log }}"
no_log: true
- block:
- name: Create broadcast websocket secret
k8s:
apply: true
definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Read broadcast websocket secret
k8s_info:
@@ -35,7 +35,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-broadcast-websocket'
register: _generated_broadcast_websocket
no_log: "{{ no_log }}"
no_log: true
when: not _broadcast_websocket_secret['resources'] | default([]) | length
@@ -43,9 +43,9 @@
set_fact:
# yamllint disable-line rule:line-length
__broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
no_log: "{{ no_log }}"
no_log: true
- name: Store broadcast websocket secret name
set_fact:
broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
no_log: "{{ no_log }}"
no_log: true

2
roles/installer/tasks/cleanup.yml
View File

@@ -23,6 +23,6 @@
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
no_log: "{{ no_log }}"
no_log: true
when: not garbage_collect_secrets | bool

21
roles/installer/tasks/database_configuration.yml
View File

@@ -6,7 +6,7 @@
name: '{{ postgres_configuration_secret }}'
register: _custom_pg_config_resources
when: postgres_configuration_secret | length
no_log: "{{ no_log }}"
no_log: true
- name: Check for default PostgreSQL configuration
k8s_info:
@@ -14,7 +14,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _default_pg_config_resources
no_log: "{{ no_log }}"
no_log: true
- name: Check for specified old PostgreSQL configuration secret
k8s_info:
@@ -23,7 +23,7 @@
name: '{{ old_postgres_configuration_secret }}'
register: _custom_old_pg_config_resources
when: old_postgres_configuration_secret | length
no_log: "{{ no_log }}"
no_log: true
- name: Check for default old PostgreSQL configuration
k8s_info:
@@ -31,7 +31,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-old-postgres-configuration'
register: _default_old_pg_config_resources
no_log: "{{ no_log }}"
no_log: true
- name: Set old PostgreSQL configuration
set_fact:
@@ -45,7 +45,7 @@
when:
- old_pg_config['resources'] is defined
- old_pg_config['resources'] | length
no_log: "{{ no_log }}"
no_log: true
- name: Set default postgres image
set_fact:
@@ -54,7 +54,7 @@
- name: Set PostgreSQL configuration
set_fact:
_pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
no_log: "{{ no_log }}"
no_log: true
- name: Set user provided postgres image
set_fact:
@@ -72,7 +72,7 @@
k8s:
apply: true
definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Read Database Configuration
k8s_info:
@@ -80,13 +80,13 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-postgres-configuration'
register: _generated_pg_config_resources
no_log: "{{ no_log }}"
no_log: true
when: not _pg_config['resources'] | default([]) | length
- name: Set PostgreSQL Configuration
set_fact:
pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
no_log: "{{ no_log }}"
no_log: true
- name: Set actual postgres configuration secret used
set_fact:
@@ -140,7 +140,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}"
no_log: "{{ no_log }}"
no_log: true
- name: Wait for Database to initialize if managed DB
k8s_info:
@@ -153,7 +153,6 @@
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'

42
roles/installer/tasks/initialize_django.yml
View File

@@ -13,6 +13,18 @@
register: users_result
changed_when: users_result.return_code > 0
- name: Update super user password via Django if it does exist (same password is a noop)
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
register: update_pw_result
changed_when: users_result.stdout == 'Password not updated'
no_log: true
when: users_result.return_code == 0
- name: Create super user via Django if it doesn't exist.
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
@@ -22,9 +34,20 @@
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
no_log: "{{ no_log }}"
no_log: true
when: users_result.return_code > 0
- name: Create preload data if necessary. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage create_preload_data"
register: cdo
changed_when: "'added' in cdo.stdout"
when: create_preload_data | bool
- name: Check if legacy queue is present
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
@@ -57,7 +80,7 @@
_execution_environments_pull_credentials: >-
{{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
| ternary(_custom_execution_environments_pull_credentials, []) }}
no_log: "{{ no_log }}"
no_log: true
- name: Register default execution environments (without authentication)
k8s_exec:
@@ -78,7 +101,7 @@
default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
default_execution_environment_pull_credentials_url_verify: >-
{{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
no_log: "{{ no_log }}"
no_log: true
- name: Register default execution environments (with authentication)
k8s_exec:
@@ -93,16 +116,5 @@
--verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
register: ree
changed_when: "'changed: True' in ree.stdout"
no_log: "{{ no_log }}"
no_log: true
when: _execution_environments_pull_credentials['resources'] | default([]) | length
- name: Create preload data if necessary. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage create_preload_data"
register: cdo
changed_when: "'added' in cdo.stdout"
when: create_preload_data | bool

88
roles/installer/tasks/install.yml
View File

@@ -1,88 +0,0 @@
---
- name: Patching labels to AWX kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Include secret key configuration tasks
include_tasks: secret_key_configuration.yml
- name: Load LDAP CAcert certificate
include_tasks: load_ldap_cacert_secret.yml
when:
- ldap_cacert_secret != ''
- name: Load ldap bind password
include_tasks: load_ldap_password_secret.yml
when:
- ldap_password_secret != ''
- name: Load bundle certificate authority certificate
include_tasks: load_bundle_cacert_secret.yml
when:
- bundle_cacert_secret != ''
- name: Include admin password configuration tasks
include_tasks: admin_password_configuration.yml
- name: Include broadcast websocket configuration tasks
include_tasks: broadcast_websocket_configuration.yml
- name: Include set_images tasks
include_tasks: set_images.yml
- name: Include database configuration tasks
include_tasks: database_configuration.yml
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
- name: Check for pending migrations
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
register: database_check
- name: Migrate the database if the K8s resources were updated. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage migrate --noinput"
register: migrate_result
when:
- database_check is defined
- (database_check.stdout|trim) != '0'
- name: Initialize Django
include_tasks: initialize_django.yml
- name: Update status variables
include_tasks: update_status.yml
- name: Cleanup & Set garbage collection refs
include_tasks: cleanup.yml

4
roles/installer/tasks/load_bundle_cacert_secret.yml
View File

@@ -5,10 +5,10 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ bundle_cacert_secret }}'
register: bundle_cacert
no_log: "{{ no_log }}"
no_log: true
- name: Load bundle Certificate Authority Secret content
set_fact:
bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
no_log: "{{ no_log }}"
no_log: true
when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

4
roles/installer/tasks/load_ldap_cacert_secret.yml
View File

@@ -5,10 +5,10 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ldap_cacert_secret }}'
register: ldap_cacert
no_log: "{{ no_log }}"
no_log: true
- name: Load LDAP CA Certificate Secret content
set_fact:
ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
no_log: "{{ no_log }}"
no_log: true
when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

14
roles/installer/tasks/load_ldap_password_secret.yml
View File

@@ -1,14 +0,0 @@
---
- name: Retrieve LDAP bind password Secret
k8s_info:
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ldap_password_secret }}'
register: ldap_password
no_log: "{{ no_log }}"
- name: Load LDAP bind password Secret content
set_fact:
ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
no_log: "{{ no_log }}"
when: '"ldap-password" in ldap_password["resources"][0]["data"]'

6
roles/installer/tasks/load_route_tls_secret.yml
View File

@@ -5,16 +5,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ route_tls_secret }}'
register: route_tls
no_log: "{{ no_log }}"
no_log: true
- name: Load Route TLS Secret content
set_fact:
route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
no_log: "{{ no_log }}"
no_log: true
- name: Load Route TLS Secret content
set_fact:
route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
no_log: "{{ no_log }}"
no_log: true
when: '"ca.crt" in route_tls["resources"][0]["data"]'

89
roles/installer/tasks/main.yml
View File

@@ -1,13 +1,80 @@
---
- name: Check for presence of Deployment
k8s_info:
api_version: v1
kind: Deployment
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: tower_deployment
- name: Patching labels to AWX kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
# Just execute deployment steps when auto_upgrade is true or when no deployment exists
- name: Start installation
include_tasks: install.yml
when: (tower_deployment['resources'] | length > 0 and auto_upgrade | bool ) or (tower_deployment['resources'] | length == 0)
- name: Include secret key configuration tasks
include_tasks: secret_key_configuration.yml
- name: Load LDAP CAcert certificate
include_tasks: load_ldap_cacert_secret.yml
when:
- ldap_cacert_secret != ''
- name: Load bundle certificate authority certificate
include_tasks: load_bundle_cacert_secret.yml
when:
- bundle_cacert_secret != ''
- name: Include admin password configuration tasks
include_tasks: admin_password_configuration.yml
- name: Include broadcast websocket configuration tasks
include_tasks: broadcast_websocket_configuration.yml
- name: Include database configuration tasks
include_tasks: database_configuration.yml
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
- name: Check for pending migrations
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
register: database_check
- name: Migrate the database if the K8s resources were updated. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage migrate --noinput"
register: migrate_result
when:
- database_check is defined
- (database_check.stdout|trim) != '0'
- name: Initialize Django
include_tasks: initialize_django.yml
- name: Update status variables
include_tasks: update_status.yml
- name: Cleanup & Set garbage collection refs
include_tasks: cleanup.yml

11
roles/installer/tasks/migrate_data.yml
View File

@@ -11,7 +11,7 @@
awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
no_log: "{{ no_log }}"
no_log: true
- name: Default label selector to custom resource generated postgres
set_fact:
@@ -29,7 +29,6 @@
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
@@ -49,7 +48,7 @@
-d {{ awx_old_postgres_database }}
-p {{ awx_old_postgres_port }}
-F custom
no_log: "{{ no_log }}"
no_log: true
- name: Set pg_restore command
set_fact:
@@ -57,7 +56,7 @@
pg_restore --clean --if-exists
-U {{ database_username }}
-d {{ database_name }}
no_log: "{{ no_log }}"
no_log: true
- name: Stream backup from pg_dump to the new postgresql container
k8s_exec:
@@ -66,10 +65,10 @@
command: |
bash -c """
set -e -o pipefail
PGPASSWORD='{{ awx_old_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
echo 'Successful'
"""
no_log: "{{ no_log }}"
no_log: true
register: data_migration
failed_when: "'Successful' not in data_migration.stdout"

40
roles/installer/tasks/resources_configuration.yml
View File

@@ -17,16 +17,6 @@
set_fact:
tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
- name: Set user provided control plane ee image
set_fact:
_custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
when:
- control_plane_ee_image | default([]) | length
- name: Set Control Plane EE image URL
set_fact:
_control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
- name: Apply Resources
k8s:
apply: yes
@@ -40,7 +30,7 @@
- 'persistent'
- 'service'
- 'ingress'
no_log: "{{ no_log }}"
no_log: true
- name: Set default awx app image
set_fact:
@@ -57,6 +47,24 @@
set_fact:
_image: "{{ _custom_image | default(lookup('env', 'RELATED_IMAGE_AWX')) | default(_default_image, true) }}"
- name: Set default awx init container image
set_fact:
_default_init_container_image: "{{ _init_container_image }}:{{ _init_container_image_version }}"
- name: Set user provided awx init image
set_fact:
_custom_init_container_image: "{{ init_container_image }}:{{ init_container_image_version }}"
when:
- init_container_image | default([]) | length
- init_container_image_version is defined or init_container_image_version != ''
- name: Set Init image URL
set_fact:
_init_container_image: >-
{{ _custom_init_container_image |
default(lookup('env', 'RELATED_IMAGE_AWX_INIT_CONTAINER')) |
default(_default_init_container_image, true) }}
- name: Set default redis image
set_fact:
_default_redis_image: "{{ _redis_image }}:{{ _redis_image_version }}"
@@ -72,6 +80,16 @@
set_fact:
_redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"
- name: Set user provided control plane ee image
set_fact:
_custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
when:
- control_plane_ee_image | default([]) | length
- name: Set Control Plane EE image URL
set_fact:
_control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
- name: Apply deployment resources
k8s:
apply: yes

14
roles/installer/tasks/secret_key_configuration.yml
View File

@@ -5,7 +5,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ secret_key_secret }}'
register: _custom_secret_key
no_log: "{{ no_log }}"
no_log: true
when: secret_key_secret | length
- name: Check for default secret key configuration
@@ -14,19 +14,19 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-secret-key'
register: _default_secret_key
no_log: "{{ no_log }}"
no_log: true
- name: Set secret key secret
set_fact:
_secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
no_log: "{{ no_log }}"
no_log: true
- block:
- name: Create secret key secret
k8s:
apply: true
definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Read secret key secret
k8s_info:
@@ -34,16 +34,16 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-secret-key'
register: _generated_secret_key
no_log: "{{ no_log }}"
no_log: true
when: not _secret_key_secret['resources'] | default([]) | length
- name: Set secret key secret
set_fact:
__secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}'
no_log: "{{ no_log }}"
no_log: true
- name: Store secret key secret name
set_fact:
secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
no_log: "{{ no_log }}"
no_log: true

19
roles/installer/tasks/set_images.yml
View File

@@ -1,19 +0,0 @@
# For disconnected environments, images must be set based on the values of `RELATED_IMAGE_` variables
---
- name: Set default awx init container image
set_fact:
_default_init_container_image: "{{ _init_container_image }}:{{ _init_container_image_version }}"
- name: Set user provided awx init image
set_fact:
_custom_init_container_image: "{{ init_container_image }}:{{ init_container_image_version }}"
when:
- init_container_image | default([]) | length
- init_container_image_version is defined or init_container_image_version != ''
- name: Set Init image URL
set_fact:
_init_container_image: >-
{{ _custom_init_container_image |
default(lookup('env', 'RELATED_IMAGE_AWX_INIT_CONTAINER')) |
default(_default_init_container_image, true) }}

18
roles/installer/templates/config.yaml.j2
View File

@@ -34,13 +34,13 @@ data:
# Set memory available based off of resource request/limit for the task pod
memory_limit = '{{ task_resource_requirements["limits"]["memory"] if "limits" in task_resource_requirements and "memory" in task_resource_requirements["limits"] }}'
if memory_limit:
SYSTEM_TASK_ABS_MEM = memory_limit
memory_request = '{{ task_resource_requirements["requests"]["memory"] if "requests" in task_resource_requirements and "memory" in task_resource_requirements["requests"] }}'
SYSTEM_TASK_ABS_MEM = memory_limit if memory_limit else memory_request
# Set cpu available based off of resource request/limit for the task pod
cpu_limit = '{{ task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] }}'
if cpu_limit:
SYSTEM_TASK_ABS_CPU = cpu_limit
cpu_request = '{{ task_resource_requirements["requests"]["cpu"] if "requests" in task_resource_requirements and "cpu" in task_resource_requirements["requests"] }}'
SYSTEM_TASK_ABS_CPU = cpu_limit if cpu_limit else cpu_request
SECRET_KEY = get_secret()
@@ -60,8 +60,8 @@ data:
CLUSTER_HOST_ID = socket.gethostname()
SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
CSRF_COOKIE_SECURE = False
SESSION_COOKIE_SECURE = False
SERVER_EMAIL = 'root@localhost'
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
@@ -145,7 +145,6 @@ data:
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server;
listen [::]:8052 default_server;
server_name _;
# Redirect all HTTP links to the matching HTTPS page
@@ -156,7 +155,6 @@ data:
server {
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl;
listen [::]:8053 ssl;
ssl_certificate /etc/nginx/pki/web.crt;
ssl_certificate_key /etc/nginx/pki/web.key;
@@ -167,7 +165,6 @@ data:
ssl_prefer_server_ciphers on;
{% else %}
listen 8052 default_server;
listen [::]:8052 default_server;
{% endif %}
# If you have a domain name, this is where to add it
@@ -179,8 +176,6 @@ data:
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
location /nginx_status {
stub_status on;
@@ -234,7 +229,6 @@ data:
add_header Strict-Transport-Security max-age=15768000;
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Expires "0";
add_header Pragma "no-cache";

34
roles/installer/templates/deployment.yaml.j2
View File

@@ -27,25 +27,27 @@ spec:
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{% if annotations %}
annotations:
{{ annotations | indent(width=8) }}
{% endif %}
spec:
serviceAccountName: '{{ ansible_operator_meta.name }}'
{% if image_pull_secret is defined %}
{% if image_pull_secret %}
imagePullSecrets:
- name: {{ image_pull_secret }}
{% elif image_pull_secrets | length > 0 %}
imagePullSecrets:
{% for secret in image_pull_secrets %}
- name: {{ secret }}
{% endfor %}
{% endif %}
{% if control_plane_priority_class is defined %}
priorityClassName: '{{ control_plane_priority_class }}'
{% endif %}
initContainers:
{% if managed_database %}
- name: database-check
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
command:
- /bin/sh
- -c
- |
[[ -d /check-db/pgsql/data ]] && rm -rf /check-db/data && mv /check-db/pgsql/data/ /check-db/data/ && rm -rf /check-db/pgsql || true
volumeMounts:
- name: check-db-pvc
mountPath: /check-db
subPath: ''
{% endif %}
{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
- name: init
image: '{{ _init_container_image }}'
@@ -101,7 +103,6 @@ spec:
mountPath: "/var/run/redis"
- name: "{{ ansible_operator_meta.name }}-redis-data"
mountPath: "/data"
resources: {{ redis_resource_requirements }}
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-web'
{% if web_command %}
@@ -339,6 +340,11 @@ spec:
{% endif %}
{% endif %}
volumes:
{% if managed_database %}
- name: check-db-pvc
persistentVolumeClaim:
claimName: postgres-{{ ansible_operator_meta.name }}-postgres-0
{% endif %}
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
emptyDir: {}

5
roles/installer/templates/ldap.py.j2
View File

@@ -4,8 +4,3 @@ AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
{% endif %}
}
# Load LDAP BIND password from Kubernetes secret if define
{% if ldap_password_secret -%}
AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}"
{% endif %}

24
roles/installer/templates/postgres.yaml.j2
View File

@@ -33,32 +33,10 @@ spec:
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
spec:
{% if image_pull_secret is defined %}
{% if image_pull_secret %}
imagePullSecrets:
- name: {{ image_pull_secret }}
{% elif image_pull_secrets | length > 0 %}
imagePullSecrets:
{% for secret in image_pull_secrets %}
- name: {{ secret }}
{% endfor %}
{% endif %}
{% if postgres_priority_class is defined %}
priorityClassName: '{{ postgres_priority_class }}'
{% endif %}
initContainers:
- name: database-check
image: '{{ _init_container_image }}'
resources: {{ postgres_init_container_resource_requirements }}
imagePullPolicy: '{{ image_pull_policy }}'
command:
- /bin/sh
- -c
- |
[[ -d /check-db/pgsql/data ]] && rm -rf /check-db/data && mv /check-db/pgsql/data/ /check-db/data/ && rm -rf /check-db/pgsql || exit 0
volumeMounts:
- name: postgres
mountPath: /check-db
subPath: ''
containers:
- image: '{{ _postgres_image }}'
imagePullPolicy: '{{ image_pull_policy }}'

15
roles/installer/templates/service.yaml.j2
View File

@@ -17,14 +17,7 @@ metadata:
{% endif %}
spec:
ports:
{% if service_type | lower == "nodeport" %}
- port: 80
protocol: TCP
targetPort: 8052
name: http
nodePort: {{ nodeport_port }}
{% elif service_type | lower != 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
{% if service_type | lower != 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
- port: 80
protocol: TCP
targetPort: 8052
@@ -51,10 +44,10 @@ spec:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{% if service_type | lower == "nodeport" %}
type: NodePort
{% elif service_type | lower == "loadbalancer" %}
{% if service_type | lower == "loadbalancer" %}
type: LoadBalancer
{% elif service_type | lower == "nodeport" %}
type: NodePort
{% else %}
type: ClusterIP
{% endif %}

3
roles/restore/defaults/main.yml
View File

@@ -10,6 +10,3 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
# Required: backup name, found on the awxbackup object
backup_dir: ''
# Set no_log settings on certain tasks
no_log: 'true'

2
roles/restore/tasks/cleanup.yml
View File

@@ -22,7 +22,7 @@
- '{{ admin_password_secret }}'
- '{{ broadcast_websocket_secret }}'
- '{{ postgres_configuration_secret }}'
no_log: "{{ no_log }}"
no_log: true
- name: Cleanup temp spec file
file:

13
roles/restore/tasks/postgres.yml
View File

@@ -10,7 +10,7 @@
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ postgres_configuration_secret }}'
register: pg_config
no_log: "{{ no_log }}"
no_log: true
- name: Store Database Configuration
set_fact:
@@ -20,7 +20,7 @@
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Default label selector to custom resource generated postgres
set_fact:
@@ -37,7 +37,6 @@
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
- "postgres_pod['resources'][0]['status']['containerStatuses'][0]['ready'] == true"
delay: 5
retries: 60
@@ -66,7 +65,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
no_log: "{{ no_log }}"
no_log: true
when: awx_postgres_type == 'managed'
- name: Set pg_restore command
@@ -78,7 +77,7 @@
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
no_log: "{{ no_log }}"
no_log: true
- name: Restore database dump to the new postgresql container
k8s_exec:
@@ -87,9 +86,9 @@
command: |
bash -c """
set -e -o pipefail
cat {{ backup_dir }}/tower.db | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
cat {{ backup_dir }}/tower.db | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
echo 'Successful'
"""
register: data_migration
no_log: "{{ no_log }}"
no_log: true
failed_when: "'Successful' not in data_migration.stdout"

20
roles/restore/tasks/secrets.yml
View File

@@ -7,7 +7,7 @@
command: >-
bash -c "cat '{{ backup_dir }}/secrets.yml'"
register: _secrets
no_log: "{{ no_log }}"
no_log: true
- name: Create Temporary secrets file
tempfile:
@@ -20,38 +20,38 @@
dest: "{{ tmp_secrets.path }}"
content: "{{ _secrets.stdout }}"
mode: 0640
no_log: "{{ no_log }}"
no_log: true
- name: Include secret vars from backup
include_vars: "{{ tmp_secrets.path }}"
no_log: "{{ no_log }}"
no_log: true
- name: If deployment is managed, set the database_host in the pg config secret
block:
- name: Set new database host
set_fact:
database_host: "{{ deployment_name }}-postgres"
no_log: "{{ no_log }}"
no_log: true
- name: Set tmp postgres secret dict
set_fact:
_pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
no_log: "{{ no_log }}"
no_log: true
- name: Change postgres host value
set_fact:
_pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
no_log: "{{ no_log }}"
no_log: true
- name: Create a postgres secret with the new host value
set_fact:
_pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
no_log: "{{ no_log }}"
no_log: true
- name: Create a new dict of secrets with the new postgres secret
set_fact:
secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
no_log: "{{ no_log }}"
no_log: true
when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
- name: Apply secret
@@ -61,7 +61,7 @@
apply: yes
wait: yes
definition: "{{ lookup('template', 'secrets.yml.j2') }}"
no_log: "{{ no_log }}"
no_log: true
- name: Remove ownerReference on restored secrets
k8s:
@@ -73,4 +73,4 @@
namespace: '{{ ansible_operator_meta.namespace }}'
ownerReferences: null
loop: "{{ secrets | dict2items }}"
no_log: "{{ no_log }}"
no_log: true

5
watches.yaml
View File

@@ -11,11 +11,6 @@
kind: AWXBackup
role: backup
snakeCaseParameters: False
finalizer:
name: awx.ansible.com/finalizer
role: backup
vars:
finalizer_run: true
- version: v1beta1
group: awx.ansible.com