Pre-create dummy rh secret to avoid errors (#952)

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

.gitignore

@@ -7,3 +7,4 @@
 /charts
 /.cr-release-packages
 .vscode/
+__pycache__

.helm/starter/README.md

@@ -5,7 +5,7 @@ This chart installs the AWX Operator resources configured in [this](https://gith
 ## Getting Started
 To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
 
-In your values config, enable `AWX.enable` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
+In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
 
 ### Installing
 The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions. 

Dockerfile

@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.22.2
+FROM quay.io/operator-framework/ansible-operator:v1.23.0
+
+USER 0
+
+RUN dnf install -y openssl
+
+USER 1001
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION

Makefile

@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.5/kustomize_v4.5.5_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.23.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -290,43 +290,63 @@ charts:
 	mkdir -p $@
 
 .PHONY: helm-chart
-helm-chart: helm-chart-generate helm-chart-slice
+helm-chart: helm-chart-generate
 
 .PHONY: helm-chart-generate
 helm-chart-generate: kustomize helm kubectl-slice yq charts
-	@echo "== KUSTOMIZE (image and namespace) =="
+	@echo "== KUSTOMIZE: Set image and chart label =="
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
 
-	@echo "== HELM =="
+	@echo "== Gather Helm Chart Metadata =="
+	# remove the existing chart if it exists
+	rm -rf charts/$(CHART_NAME)
+	# create new chart metadata in Chart.yaml
 	cd charts && \
 		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
 		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
 		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
 		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
 
+	@echo "Generated chart metadata:"
 	@cat charts/$(CHART_NAME)/Chart.yaml
 
-	@echo "== KUSTOMIZE (annotation) =="
-	cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
-	cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
-
-	@echo "== SLICE =="
+	@echo "== KUSTOMIZE: Generate resources and slice into templates =="
+	# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
+	# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
 	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
 		$(KUBECTL_SLICE) --input-file=- \
-			--output-dir=charts/$(CHART_NAME)/templates \
+			--output-dir=charts/$(CHART_NAME)/raw-files \
 			--sort-by-kind
-	@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
-	# clean old crds dir before copying in newly generated CRDs
-	rm -rf charts/$(CHART_NAME)/crds
-	mkdir charts/$(CHART_NAME)/crds
-	mv charts/$(CHART_NAME)/templates/customresourcedefinition* charts/$(CHART_NAME)/crds
 
-.PHONY: helm-chart-edit
-helm-chart-slice:
-	@echo "== EDIT =="
-	$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*),$(YQ) -i 'del(.. | select(has("namespace")).namespace)' $(file);)
-	$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*rolebinding*),$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $(file);)
-	rm -f charts/$(CHART_NAME)/templates/namespace*.yaml
+	@echo "== GIT: Reset kustomize configs =="
+	# reset kustomize configs following kustomize build
+	git checkout -f config/.
+
+	@echo "== Build Templates and CRDS =="
+	# Delete metadata.namespace, release namespace will be automatically inserted by helm
+	for file in charts/$(CHART_NAME)/raw-files/*; do\
+		$(YQ) -i 'del(.metadata.namespace)' $${file};\
+	done
+	# Correct namespace for rolebinding to be release namespace, this must be explicit
+	for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
+		$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
+	done
+	# move all custom resource definitions to crds folder
+	mkdir charts/$(CHART_NAME)/crds
+	mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
+	# remove any namespace definitions
+	rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
+	# move remaining resources to helm templates
+	mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
+	# remove the raw-files folder
+	rm -rf charts/$(CHART_NAME)/raw-files
+
+	# create and populate NOTES.txt
+	@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+	@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
 
 
 .PHONY: helm-package

README.md

@@ -241,7 +241,7 @@ awx-demo-service    NodePort    10.109.40.38   <none>        80:31006/TCP   3m56
 Once deployed, the AWX instance will be accessible by running:
 
 ```
-$ minikube service awx-demo-service --url -n $NAMESPACE
+$ minikube service awx-demo-service --url
 ```
 
 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
@@ -442,6 +442,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ------------------- | ---------------------------------------- | --------------------------- |
 | ingress_annotations | Ingress annotations                      | Empty string                |
 | ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
+| ingress_class_name  | Define the ingress class name            | Cluster default             |
 | hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
 | ingress_path        | Define the ingress path to the service   | /                           |
 | ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
@@ -785,7 +786,9 @@ To create the secrets, you can use the commands below:
 
 #### Enabling LDAP Integration at AWX bootstrap
 
-A sample of extra settings can be found as below:
+A sample of extra settings can be found as below. All possible options can be found here: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings
+
+> **NOTE:** These values are inserted into a Python file, so pay close attention to which values need quotes and which do not.
 
 ```yaml
     - setting: AUTH_LDAP_SERVER_URI
@@ -802,6 +805,9 @@ A sample of extra settings can be found as below:
     - setting: AUTH_LDAP_GROUP_SEARCH
       value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
 
+    - setting: AUTH_LDAP_GROUP_TYPE
+      value: 'GroupOfNamesType(name_attr="cn")'
+
     - setting: AUTH_LDAP_USER_ATTR_MAP
       value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
 

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -54,6 +54,24 @@ spec:
               backup_storage_requirements:
                 description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
                 type: string
+              backup_resource_requirements:
+                description: Resource requirements for the management pod used to create a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
               backup_storage_class:
                 description: Storage class to use when creating PVC for backup
                 type: string

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -62,6 +62,24 @@ spec:
               backup_dir:
                 description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
                 type: string
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing up data
                 type: string

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -115,6 +115,9 @@ spec:
               ingress_tls_secret:
                 description: Secret where the Ingress TLS secret can be found
                 type: string
+              ingress_class_name:
+                description: The name of ingress class to use instead of the cluster default.
+                type: string
               loadbalancer_protocol:
                 description: Protocol to use for the loadbalancer
                 type: string

config/default/kustomization.yaml

@@ -9,10 +9,12 @@ namespace: awx
 namePrefix: awx-operator-
 
 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager

config/default/manager_auth_proxy_patch.yaml

@@ -16,7 +16,7 @@ spec:
         # capabilities:
         #   drop:
         #     - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -34,6 +34,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - displayName: Backup management pod resource requirements
+        path: backup_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - displayName: Backup PVC storage class
         path: backup_storage_class
         x-descriptors:
@@ -112,6 +117,11 @@ spec:
         path: postgres_image_version
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Restore management pod resource requirements
+        path: restore_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       statusDescriptors:
       - description: The state of the restore
         displayName: Restore status
@@ -183,6 +193,12 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:none
         - urn:alm:descriptor:com.tectonic.ui:select:Ingress
         - urn:alm:descriptor:com.tectonic.ui:select:Route
+      - displayName: Ingress Class Name
+        path: ingress_class_name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
       - displayName: Ingress Path
         path: ingress_path
         x-descriptors:

config/samples/awx_v1beta1_awxbackup.yaml

@@ -4,3 +4,10 @@ metadata:
   name: example-awx-backup
 spec:
   deployment_name: example-awx
+  backup_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/awx_v1beta1_awxrestore.yaml

@@ -5,3 +5,10 @@ metadata:
 spec:
   deployment_name: example-awx-2
   backup_name: example-awx-backup
+  restore_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/scorecard/patches/basic.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
     entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
     entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

playbooks/awx.yml

@@ -0,0 +1,31 @@
+---
+- hosts: localhost
+  gather_facts: no
+  collections:
+    - kubernetes.core
+    - operator_sdk.util
+  vars:
+    no_log: true
+  pre_tasks:
+    - name: Verify imagePullSecrets
+      k8s_info:
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: redhat-operators-pull-secret
+      register: _rh_ops_secret
+      no_log: "{{ no_log }}"
+    - name: Create imagePullSecret
+      k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: redhat-operators-pull-secret
+            namespace: '{{ ansible_operator_meta.namespace }}'
+          stringData:
+            operator: awx
+      when:
+        - (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
+  roles:
+    - installer

requirements.yml

@@ -3,4 +3,4 @@ collections:
   - name: kubernetes.core
     version: '>=2.3.2'
   - name: operator_sdk.util
-    version: "0.2.0"
+    version: "0.4.0"

roles/backup/README.md

@@ -45,7 +45,7 @@ The resulting pvc will contain a backup tar that can be used to restore to a new
 Role Variables
 --------------
 
-A custom, pre-created pvc can be used by setting the following variables.  
+A custom, pre-created pvc can be used by setting the following variables.
 
 ```
 backup_pvc: 'awx-backup-volume-claim'
@@ -60,10 +60,17 @@ backup_storage_class: 'standard'
 backup_storage_requirements: '20Gi'
 ```
 
+By default, the backup pvc will be created in the same namespace the awxbackup object is created in.  If you want your backup to be stored
+in a specific namespace, you can do so by specifying `backup_pvc_namespace`.  Keep in mind that you will
+need to provide the same namespace when restoring.
+
+```
+backup_pvc_namespace: 'custom-namespace'
+```
 The backup pvc will be created in the same namespace the awxbackup object is created in.
 
-If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.  
-To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.  
+If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
+To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
 
 The postgresql pod for the old deployment is used when backing up data to the new postgresql pod.  If your postgresql pod has a custom label,
 you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
@@ -74,6 +81,18 @@ It is also possible to tie the lifetime of the backup files to that of the AWXBa
 ```
 clean_backup_on_delete: true
 ```
+
+Variable to define resources limits and request for backup CR.
+```
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+```
+
 Testing
 ----------------
 

roles/backup/defaults/main.yml

@@ -20,8 +20,17 @@ clean_backup_on_delete: false
 # Variable to signal that this role is being run as a finalizer
 finalizer_run: false
 
+# Default resource requirements
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
 # Allow additional parameters to be added to the pg_dump backup command
 pg_dump_suffix: ''
 
 # Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
 set_self_labels: true
+...

roles/backup/templates/management-pod.yml.j2

@@ -20,6 +20,10 @@ spec:
     - name: {{ ansible_operator_meta.name }}-backup
       mountPath: /backups
       readOnly: false
+{% if backup_resource_requirements is defined %}
+    resources:
+      {{ backup_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
+{%- endif %}
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim:

roles/installer/defaults/main.yml

@@ -9,6 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
+ingress_class_name: ''
 ingress_path: '/'
 ingress_path_type: 'Prefix'
 # Add annotations to the service account. Specify as literal block. E.g.:
@@ -130,8 +131,6 @@ _redis_image: docker.io/redis
 _redis_image_version: 7
 _postgres_image: postgres
 _postgres_image_version: 13
-_init_container_image: quay.io/centos/centos
-_init_container_image_version: stream8
 image_pull_policy: IfNotPresent
 image_pull_secrets: []
 
@@ -157,6 +156,9 @@ ee_images:
 
 _control_plane_ee_image: quay.io/ansible/awx-ee:latest
 
+_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
+_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
+
 create_preload_data: true
 
 replicas: "1"

roles/installer/tasks/install.yml

@@ -10,12 +10,7 @@
       metadata:
         name: '{{ ansible_operator_meta.name }}'
         namespace: '{{ ansible_operator_meta.namespace }}'
-        labels:
-          app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-          app.kubernetes.io/component: '{{ deployment_type }}'
-          app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+        labels: '{{ lookup("template", "labels/common.yaml.j2") | from_yaml }}'
   when: set_self_labels | bool
 
 - name: Include secret key configuration tasks

roles/installer/tasks/resources_configuration.yml

@@ -27,6 +27,95 @@
   set_fact:
     _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
 
+- name: Check for Receptor CA Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  register: _receptor_ca
+  no_log: "{{ no_log }}"
+
+- name: Create Receptor Mesh CA
+  block:
+    - name: Create tempfile for receptor-ca.key
+      tempfile:
+        state: file
+        suffix: .key
+      register: _receptor_ca_key_file
+    - name: Generate Receptor CA key
+      command: |
+        openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor-ca.crt
+      tempfile:
+        state: file
+        suffix: .crt
+      register: _receptor_ca_crt_file
+    - name: Generate Receptor CA cert
+      command: |
+        openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
+          -subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
+          -sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
+      no_log: "{{ no_log }}"
+    - name: Create Receptor CA secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_ca_key_file.path }}"
+        - "{{ _receptor_ca_crt_file.path }}"
+  when: not _receptor_ca['resources'] | default([]) | length
+
+- name: Check for Receptor work signing Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  register: _receptor_work_signing
+  no_log: "{{ no_log }}"
+
+- name: Generate Receptor work signing RSA key pair
+  block:
+    - name: Create tempfile for receptor work signing private key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_private_key_file
+    - name: Generate Receptor work signing private key
+      command: |
+        openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor work signing public key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_public_key_file
+    - name: Generate Receptor work signing public key
+      command: |
+        openssl rsa \
+          -in {{ _receptor_work_signing_private_key_file.path }} \
+          -out {{ _receptor_work_signing_public_key_file.path }} \
+          -outform PEM -pubout
+      no_log: "{{ no_log }}"
+    - name: Create Receptor work signing Secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_work_signing_private_key_file.path }}"
+        - "{{ _receptor_work_signing_public_key_file.path }}"
+  when: not _receptor_work_signing['resources'] | default([]) | length
+
 - name: Apply Resources
   k8s:
     apply: yes

roles/installer/tasks/upgrade_postgres.yml

@@ -64,7 +64,7 @@
 
 - name: Set full resolvable host name for postgres pod
   set_fact:
-    resolvable_db_host: "{{ ansible_operator_meta.name }}-postgres.{{ ansible_operator_meta.namespace }}.svc.cluster.local"  # yamllint disable-line rule:line-length
+    resolvable_db_host: "{{ ansible_operator_meta.name }}-postgres.{{ ansible_operator_meta.namespace }}.svc"  # yamllint disable-line rule:line-length
   no_log: "{{ no_log }}"
 
 - name: Set pg_dump command

roles/installer/templates/configmaps/config.yaml.j2

@@ -18,7 +18,8 @@ data:
   settings: |
     import os
     import socket
-    from django_auth_ldap.config import LDAPSearch
+    # Import all so that extra_settings works properly
+    from django_auth_ldap.config import *
     
     def get_secret():
         if os.path.exists("/etc/tower/SECRET_KEY"):
@@ -235,30 +236,38 @@ data:
   receptor_conf: |
     ---
     - log-level: debug
-
+    - local-only: null
+    - node:
+       firewallrules:
+        - action: reject
+          tonode: HOSTNAME
+          toservice: control
     - control-service:
         service: control
         filename: /var/run/receptor/receptor.sock
-        permissions: 0660
-
-    - local-only:
-
+        permissions: '0660'
     - work-command:
         worktype: local
         command: ansible-runner
         params: worker
         allowruntimeparams: true
-
     - work-kubernetes:
         worktype: kubernetes-runtime-auth
         authmethod: runtime
         allowruntimeauth: true
         allowruntimepod: true
         allowruntimeparams: true
-
     - work-kubernetes:
         worktype: kubernetes-incluster-auth
         authmethod: incluster
         allowruntimeauth: true
         allowruntimepod: true
         allowruntimeparams: true
+    - tls-client:
+        cert: /etc/receptor/tls/receptor.crt
+        key: /etc/receptor/tls/receptor.key
+        name: tlsclient
+        rootcas: /etc/receptor/tls/ca/receptor-ca.crt
+    - work-signing:
+        privatekey: /etc/receptor/signing/work-private-key.pem
+        tokenexpiration: 1m

roles/installer/templates/deployments/deployment.yaml.j2

@@ -6,12 +6,8 @@ metadata:
   name: '{{ ansible_operator_meta.name }}'
   namespace: '{{ ansible_operator_meta.namespace }}'
   labels:
-    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+    {{ lookup("template", "labels/common.yaml.j2")  | indent(width=4) | trim }}
+    {{ lookup("template", "labels/version.yaml.j2") | indent(width=4) | trim }}
 spec:
   replicas: {{ replicas }}
   selector:
@@ -22,11 +18,8 @@ spec:
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-        app.kubernetes.io/component: '{{ deployment_type }}'
+        {{ lookup("template", "labels/common.yaml.j2")  | indent(width=8) | trim }}
+        {{ lookup("template", "labels/version.yaml.j2") | indent(width=8) | trim }}
 {% if annotations %}
       annotations:
         {{ annotations | indent(width=8) }}
@@ -46,7 +39,6 @@ spec:
       priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
       initContainers:
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
@@ -54,6 +46,9 @@ spec:
             - /bin/sh
             - -c
             - |
+              hostname=$MY_POD_NAME
+              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
+              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
 {% if bundle_ca_crt  %}
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
@@ -65,7 +60,17 @@ spec:
 {% if init_container_extra_commands %}
               {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
           volumeMounts:
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
 {% if bundle_ca_crt  %}
             - name: "ca-trust-extracted"
               mountPath: "/etc/pki/ca-trust/extracted"
@@ -79,8 +84,7 @@ spec:
               mountPath: "/var/lib/awx/projects"
 {% endif %}
 {% if init_container_extra_volume_mounts -%}
-            {{ init_container_extra_volume_mounts | indent(width=12, indentfirst=True) }}
-{% endif %}
+            {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
       containers:
         - image: '{{ _redis_image }}'
@@ -170,12 +174,19 @@ spec:
               mountPath: "/var/lib/awx/rsyslog"
             - name: "{{ ansible_operator_meta.name }}-projects"
               mountPath: "/var/lib/awx/projects"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-public-key.pem"
+              subPath: "work-public-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca"
+              readOnly: true
 {% if development_mode | bool %}
             - name: awx-devel
               mountPath: "/awx_devel"
 {% endif %}
 {% if web_extra_volume_mounts -%}
-            {{ web_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+            {{ web_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
           env:
             - name: MY_POD_NAMESPACE
@@ -189,7 +200,7 @@ spec:
               value: "1"
 {% endif %}
 {% if web_extra_env -%}
-            {{ web_extra_env | indent(width=12, indentfirst=True) }}
+            {{ web_extra_env | indent(width=12, first=True) }}
 {% endif %}
           resources: {{ web_resource_requirements }}
         - image: '{{ _image }}'
@@ -243,8 +254,10 @@ spec:
             - name: rsyslog-dir
               mountPath: "/var/lib/awx/rsyslog"
             - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
-              subPath: receptor.conf
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
               readOnly: true
             - name: receptor-socket
               mountPath: "/var/run/receptor"
@@ -255,7 +268,7 @@ spec:
               mountPath: "/awx_devel"
 {% endif %}
 {% if task_extra_volume_mounts -%}
-            {{ task_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+            {{ task_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
           env:
             - name: SUPERVISOR_WEB_CONFIG_PATH
@@ -279,14 +292,22 @@ spec:
               value: "1"
 {% endif %}
 {% if task_extra_env -%}
-            {{ task_extra_env | indent(width=12, indentfirst=True) }}
+            {{ task_extra_env | indent(width=12, first=True) }}
 {% endif %}
           resources: {{ task_resource_requirements }}
         - image: '{{ _control_plane_ee_image }}'
           name: '{{ ansible_operator_meta.name }}-ee'
           imagePullPolicy: '{{ image_pull_policy }}'
           resources: {{ ee_resource_requirements }}
-          args: ['receptor', '--config', '/etc/receptor/receptor.conf']
+          args:
+            - /bin/sh
+            - -c
+            - |
+              if [ ! -f /etc/receptor/receptor.conf ]; then
+                cp /etc/receptor/receptor-default.conf /etc/receptor/receptor.conf
+                sed -i "s/HOSTNAME/$HOSTNAME/g" /etc/receptor/receptor.conf
+              fi
+              exec receptor --config /etc/receptor/receptor.conf
           volumeMounts:
 {% if bundle_ca_crt %}
             - name: "ca-trust-extracted"
@@ -296,16 +317,27 @@ spec:
               subPath: bundle-ca.crt
               readOnly: true
 {% endif %}
-            - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
+            - name: "{{ ansible_operator_meta.name }}-default-receptor-config"
+              mountPath: "/etc/receptor/receptor-default.conf"
               subPath: receptor.conf
+            - name: "{{ ansible_operator_meta.name }}-receptor-config"
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "receptor-ca.crt"
               readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
             - name: receptor-socket
               mountPath: "/var/run/receptor"
             - name: "{{ ansible_operator_meta.name }}-projects"
               mountPath: "/var/lib/awx/projects"
 {% if ee_extra_volume_mounts -%}
-            {{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+            {{ ee_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
           env:
 {% if development_mode | bool %}
@@ -315,7 +347,7 @@ spec:
                   fieldPath: status.podIP
 {% endif %}
 {% if ee_extra_env -%}
-            {{ ee_extra_env | indent(width=12, indentfirst=True) }}
+            {{ ee_extra_env | indent(width=12, first=True) }}
 {% endif %}
 {% if node_selector %}
       nodeSelector:
@@ -377,6 +409,14 @@ spec:
                 path: 'ldap.py'
               - key: execution_environments.py
                 path: 'execution_environments.py'
+        - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+          emptyDir: {}
+        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
+        - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
         - name: "{{ secret_key_secret_name }}"
           secret:
             secretName: '{{ secret_key_secret_name }}'
@@ -414,6 +454,8 @@ spec:
         - name: rsyslog-dir
           emptyDir: {}
         - name: {{ ansible_operator_meta.name }}-receptor-config
+          emptyDir: {}
+        - name: {{ ansible_operator_meta.name }}-default-receptor-config
           configMap:
             name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
             items:
@@ -436,5 +478,5 @@ spec:
             path: /awx_devel
 {% endif %}
 {% if extra_volumes -%}
-        {{ extra_volumes | indent(width=8, indentfirst=True) }}
+        {{ extra_volumes | indent(width=8, first=True) }}
 {% endif %}

roles/installer/templates/labels/common.yaml.j2

@@ -0,0 +1,6 @@
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
+app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+app.kubernetes.io/component: '{{ deployment_type }}'
+app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'

roles/installer/templates/labels/version.yaml.j2

@@ -0,0 +1 @@
+app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'

roles/installer/templates/networking/ingress.yaml.j2

@@ -16,6 +16,9 @@ metadata:
     {{ ingress_annotations | indent(width=4) }}
 {% endif %}
 spec:
+{% if ingress_class_name %}
+  ingressClassName: '{{ ingress_class_name }}'
+{% endif %}
   rules:
     - http:
         paths:
@@ -61,12 +64,12 @@ spec:
     termination: {{ route_tls_termination_mechanism | lower }}
 {% if route_tls_termination_mechanism | lower == 'edge' and route_tls_secret != '' %}
     key: |-
-{{ route_tls_key | indent(width=6, indentfirst=True) }}
+{{ route_tls_key | indent(width=6, first=True) }}
     certificate: |-
-{{ route_tls_crt | indent(width=6, indentfirst=True) }}
+{{ route_tls_crt | indent(width=6, first=True) }}
 {% if route_ca_crt is defined %}
     caCertificate: |-
-{{ route_ca_crt | indent(width=6, indentfirst=True) }}
+{{ route_ca_crt | indent(width=6, first=True) }}
 {% endif %}
 {% endif %}
   to:

roles/installer/templates/secrets/receptor_ca_secret.yaml.j2

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+data:
+  receptor-ca.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
+  receptor-ca.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'

roles/installer/templates/secrets/receptor_work_signing_secret.yaml.j2

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+data:
+  work-private-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_private_key_file.path }}') | b64encode }}'
+  work-public-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_public_key_file.path }}') | b64encode }}'

roles/restore/README.md

@@ -35,9 +35,9 @@ spec:
   backup_name: awxbackup-2021-04-22
 ```
 
-Note that the `deployment_name` above is the name of the AWX deployment you intend to create and restore to.  
+Note that the `deployment_name` above is the name of the AWX deployment you intend to create and restore to.
 
-The namespace specified is the namespace the resulting AWX deployment will be in.  The namespace you specified must be pre-created.  
+The namespace specified is the namespace the resulting AWX deployment will be in.  The namespace you specified must be pre-created.
 
 ```
 kubectl create ns my-namespace
@@ -57,7 +57,7 @@ This will create a new deployment and restore your backup to it.
 Role Variables
 --------------
 
-The name of the backup directory can be found as a status on your AWXBackup object.  This can be found in your cluster's console, or with the client as shown below.  
+The name of the backup directory can be found as a status on your AWXBackup object.  This can be found in your cluster's console, or with the client as shown below.
 
 ```bash
 $ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupDirectory}"
@@ -69,7 +69,7 @@ backup_dir: '/backups/tower-openshift-backup-2021-04-02-03:25:08'
 ```
 
 
-The name of the PVC can also be found by looking at the backup object.  
+The name of the PVC can also be found by looking at the backup object.
 
 ```bash
 $ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupClaim}"
@@ -95,6 +95,17 @@ backup_pvc: myoldtower-backup-claim
 backup_dir: /backups/tower-openshift-backup-2021-04-02-03:25:08
 ```
 
+Variable to define resources limits and request for restore CR.
+
+```
+restore_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+```
 
 Testing
 ----------------

roles/restore/defaults/main.yml

@@ -14,5 +14,15 @@ backup_dir: ''
 # Set no_log settings on certain tasks
 no_log: 'true'
 
+# Default resource requirements
+restore_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+
 # Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
 set_self_labels: true
+...

roles/restore/templates/management-pod.yml.j2

@@ -20,6 +20,10 @@ spec:
     - name: {{ ansible_operator_meta.name }}-backup
       mountPath: /backups
       readOnly: false
+{% if restore_resource_requirements is defined %}
+    resources:
+      {{ restore_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
+{%- endif %}
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim:

watches.yaml

@@ -3,7 +3,7 @@
 - version: v1beta1
   group: awx.ansible.com
   kind: AWX
-  role: installer
+  playbook: playbooks/awx.yml
   snakeCaseParameters: False
 
 - version: v1beta1