internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 05:43:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:0.27.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
...
compare: internet:1.1.4
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

79 Commits
0.27.0 ... 1.1.4

Author SHA1 Message Date
Miles
f6f58d5c6d Setup make index for testing (#1183) 
- Reconfigure index file generation
- checkout gh-pages branch in promote.yaml
- fix helm-index make target
- add gh-pages folder in .gitignore

Signed-off-by: Miles Wilson <wilson.mil@icloud.com>
Co-authored-by: Hao Liu <haoli@redhat.com>
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
 2023-01-18 17:53:57 -05:00
kurokobo
b1a547d2a6 fix: add quotes for PGPASSWORD in upgrade_postgres.yml (fixes #1166) (#1167) 2023-01-18 11:59:03 -05:00
Christian Adams
43f98eda77 Fix pr_body_check (#1187) 2023-01-11 22:16:58 -05:00
Christian Adams
007e47e35c Add pre-reqs to the backup and restore docs (#1186) 2023-01-11 17:18:49 -05:00
David Hageman
21eb83b052 Correct admin password updating (#1179) 
Corrects an issue with admin passwords failing to be updated due to shell escaping. This aligns the operator with the logic in the normal installer.
 2023-01-11 11:41:35 -05:00
Dimitri Savineau
1f8414b8cb molecule: set no_log to false (#1185) 
In order to get information during CI debugging then turning off the
no_log statement will help with non hidden output.

FAILED! => {"censored": "the output has been hidden due to the fact that
            'no_log: true' was specified for this result"}

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2023-01-11 11:21:53 -05:00
Shane McDonald
a199a8c104 Merge pull request #1172 from orcema/orcema-patch-readme-CA 
update Trusting a Custom Certificate Authority
 2023-01-04 13:18:37 +08:00
Orce MARINKOVSKI
fb1639a5d4 update Trusting a Custom Certificate Authority 
I had hard times to identify how to declare to include statement for a custom certifcate bundle within the Kustomize file.
The tricky part for me was to spot the option "disableNameSuffixHash: true" in order to avoid renaming the secret name with an has suffix
 2022-12-27 10:43:56 +01:00
Christian Adams
19c6c77c41 Add ability to configmap and include config files for nginx.conf (#1145) 2022-12-16 10:36:29 -05:00
Mathijsvw
4ee523ed69 Added pg_dump_suffix doc and crd property (#1006) 
* Added pg_dump_suffix crd property

Signed-off-by: Mathijs van Willigen <mathijs.vanwilligen@student.hu.nl>
 2022-12-14 14:56:40 -05:00
Stanislav Zaprudskiy
4c5bae69ef Add possibility specifying affinity of AWX Pods. (#1139) 
* Add an option to specify affinity rules for the awx pod

In some cases, you may want to use affinity rules instead of a
 node selector so you can have more flexbility. For example if you want
to have "soft" rules i.e. run my pod on this node if possible otherwise
run it anywhere

* Rename `node_affinity` to `affinity`
* Maintain defaults and CSV
* Add fields validation

Co-authored-by: Olivier <oliverf1ca@yahoo.com>
 2022-12-14 10:39:41 -05:00
Dax Kelson
9bf896e37c Update README.md (#1147) 
Use awx namespace whent getting AWX instance URL
 2022-12-07 14:31:34 -05:00
Christian Adams
cb50f4f3ac Add docs for Openshift install configuration (#1140) 2022-12-07 14:18:06 -05:00
Christian Adams
066e55e179 Bump Ansible Operator SDK version to v1.25.3 (#1146) 2022-12-05 16:04:04 -05:00
dru90i
f35bd7cf83 add default cluster name (#1129) 
* add default cluster name

* Update awx.ansible.com_awxrestores.yaml

Co-authored-by: Kirill Smirnov <kirilsmirnov@x5.ru>
 2022-11-30 14:29:52 -05:00
Karsten Heymann
95a1fc082b README.md: Add newline after decoded passwords (#1137) 
`base64 --decode` prints no new line after its output, resulting in the next shell prompt starting immediately after the password. This makes copying the password difficult. Adding an `echo` at the end of the command fixes this.
 2022-11-30 15:59:38 +00:00
dale-mittleman
dbd1e59a55 Added flag to disable ipv6 listener (#1135) 2022-11-30 10:38:44 -05:00
Christian Adams
61f45147f6 Set Minimum K8s cluster version we expect to work (#1126) 2022-11-18 10:27:47 -05:00
Michael Cristina
c20f9b4128 fix default container name (#1048) 2022-11-16 20:33:50 -05:00
Seth Foster
15568fe564 docs show extra setting double quotes (#1123) 2022-11-16 20:25:28 -05:00
Florian LAUNAY
1baf417504 remove helm chart version from labels (#1114) 2022-11-15 16:32:33 -05:00
janorn
7fbf1c42aa Get tags from remote. Local copy not complete. (#1075) 2022-11-10 00:25:51 -05:00
Christian Adams
a5e21b56ae Backup and restore receptor tls secret with expected generated name (#1107) 2022-11-07 11:04:22 -05:00
John Westcott IV
1399504142 Adding community labels on PRs and Issues (#1108) 2022-11-04 11:55:47 -04:00
Shane McDonald
e5896d15ed Merge pull request #1078 from FlorianLaunay/devel 
use dedicated image for projects persistence PVC init tasks
 2022-11-03 19:37:58 -04:00
Christian Adams
6b01ff09ce Amend permissions for backup dir (#1109) 2022-11-03 12:52:48 -04:00
Florian LAUNAY
c708cef4dc use dedicated image for projects persistence PVC init tasks 2022-11-03 17:26:00 +01:00
Christian Adams
1cf466def2 Add expected postgres version and usage docs (#1103) 2022-10-28 15:54:14 -04:00
sivateja04
0fc145b6aa Enable configuration of route and ingress api versions (#1098) 
* Introduce ingress_api_version and route_api_version
 2022-10-26 08:51:15 -04:00
Shane McDonald
e30d26cf7b Merge pull request #1100 from AlanCoding/still_not_fixed 
Version 4.0.3 still not fixed, pin to before
 2022-10-25 16:50:34 -04:00
Alan Rominger
7c4a731995 Version 4.0.3 still not fixed, pin to before 2022-10-25 16:10:33 -04:00
Dimitri Savineau
d2efea08e6 ci: Add check for no_log statement (#1096) 
Since e966e92 we're using the `no_log` variable to control the no_log
statement value.
This job will check if the no_log statements are correctly set.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2022-10-24 14:37:27 -04:00
Julen Landa Alustiza
23e94f82c0 Merge pull request #1091 from Zokormazo/pin-molecule 
Avoid molecule 4.0.2
 2022-10-18 12:43:40 +02:00
Julen Landa Alustiza
de2e58f222 Avoid molecule 4.0.2 
Signed-off-by: Julen Landa Alustiza <jlanda@redhat.com>
 2022-10-18 12:29:19 +02:00
Christian Adams
1c7c89efb3 Use Task container resource requirements for init container (#1084) 2022-10-13 12:27:51 -04:00
Ompragash Viswanathan
096fe100f7 Update config/manifests/bases/awx-operator.clusterserviceversion.yaml (#1083) 2022-10-12 14:12:06 -04:00
Christian Adams
58ee2f0c74 Be consistent when naming form entries and with capitalization (#1082) 2022-10-12 11:52:45 -04:00
Shane McDonald
93f7484f38 Merge pull request #1077 from chris93111/patch-1 
fix templating config 0.30
 2022-10-06 19:37:42 -04:00
chris93111
225c47dbbc fix templating config 
indent the comment and remove last -
 2022-10-06 13:21:52 +02:00
Christian Adams
2daf8a1320 Add CSV description for OperatorHub (#1072) 2022-10-05 09:17:18 -04:00
Julen Landa Alustiza
5772c706d3 Merge pull request #1073 from Zokormazo/truncate-labels 
Fix version label truncating
 2022-10-05 11:02:26 +02:00
Julen Landa Alustiza
ae0a74bea3 Fix version label truncating 
Signed-off-by: Julen Landa Alustiza <jlanda@redhat.com>
 2022-10-05 10:49:47 +02:00
Christian Adams
97cd7a9b7a Clarify Restore options in Openshift UI interface (#924) 2022-10-05 00:40:40 -04:00
Dimitri Savineau
0975663a52 csv: Use booleanSwitch for no_log parameter (#1071) 
Set the no_log default value in the CRDs and switch from hidden to
boolean in the CSV file so this can be display properly in the UI.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2022-10-04 23:59:43 -04:00
Dimitri Savineau
efdbd61860 csv: Add missing no_log to backup/restore (#1070) 
e966e92 adds the configurable no_log parameter to all CRDs (install, backup
and restore) but only once in the CSV file (for installer).

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2022-10-04 14:10:07 -04:00
Dimitri Savineau
13b45cbb12 Merge pull request #1069 from rooftopcellist/no_log_more 
More no_log default updates
 2022-10-04 11:49:54 -04:00
Christian M. Adams
d3ca9c57c9 One more no_log default update 2022-10-04 11:36:56 -04:00
Christian Adams
9b1b5e676d Change no_log type to boolean (#1068) 2022-10-04 10:48:51 -04:00
Hao Liu
17eb9cf8e8 Merge pull request #1061 from fosterseth/add_custom_ca_docs 
Add docs for adding execution nodes and custom CA
 2022-10-03 16:23:42 -04:00
Seth Foster
ed7e2b2a28 Add docs for adding execution nodes and custom CA 2022-09-29 15:54:29 -04:00
Hao Liu
5b7589accd Merge pull request #1063 from TheRealHaoLiu/receptor-ca-secret-alternative 2022-09-29 02:04:50 -04:00
janorn
a1e289e189 Add workaround to populate index.yaml (#1065) 
This will download all releases before cr index is being run.
fixes #1053
 2022-09-28 23:51:05 -04:00
Hao Liu
0611f3efaa add migration code for receptor ca secret 
Signed-off-by: Hao Liu <haoli@redhat.com>
 2022-09-28 16:22:20 -04:00
Hao Liu
a94a6f045d change receptor ca secret to tls secret 
change the type of secret use for receptor ca to tls secret, to be more "proper"

Signed-off-by: Hao Liu <haoli@redhat.com>
 2022-09-27 21:38:07 -04:00
Christian Adams
1892b8f0ea Explicitly set kind value to AWX (#1056) 2022-09-20 23:09:13 -04:00
Christian Adams
57b5795aab Determine if k8s or ocp and set var accordingly (#1051) 
* conditionally set fsGroup for projects_persistence based on cluster
    type
 2022-09-20 23:03:05 -04:00
Christian Adams
e8096a5f33 Pre-create dummy rh secret to avoid errors (#952) 2022-09-14 19:04:32 -04:00
Israel Blancas
271bce48bd Upgrade operator-sdk version from 1.22.2 to 1.23.0 (#1038) 
Signed-off-by: Israel Blancas <iblancasa@gmail.com>
 2022-09-12 10:04:07 -04:00
Hao Liu
d64c34f8a4 Add receptor firewall rules to control nodes (#1012) 
Support external execution nodes

- Allow receptor.conf to be editable at runtime
- Create CA cert and key as a k8s secret
- Create work signing RSA keypair as a k8s secret
- Setup volume mounts for containers to have access to the needed
  Receptor keys / certs to facilitate generating the install bundle
  for a new execution node
- added firewall rule, work signing and tls cert configuration to default receptor.conf

The volume mount changes in this PR fulfill the following:
- `receptor.conf` need to be shared between task container and ee container
  - **task** container writes the `receptor.conf`
  - **ee** consume the `receptor.conf`
- receptor ca cert/key need to be mounted by both ee container and web container
  - **ee** container need the ca cert
  - **web** container will need the ca key to sign client cert for remote execution node
  - **web** container will need the ca cert to generate install bundle for remote execution node
- receptor work private/public key need to be mounted by both ee container and web container
  - **ee** container need to private key to sign the work
  - **web** container need the public key to generate install bundle  for remote execution node
  - **task** container need the private key to sign the work

Signed-off-by: Hao Liu <haoli@redhat.com>
Co-Authored-By: Seth Foster <fosterbseth@gmail.com>
Co-Authored-By: Shane McDonald <me@shanemcd.com>

Signed-off-by: Hao Liu <haoli@redhat.com>
Co-authored-by: Shane McDonald <me@shanemcd.com>
Co-authored-by: Seth Foster <fosterbseth@gmail.com>
 2022-09-09 15:13:05 -04:00
Christian Adams
1bddb98476 Update requirements.yml and vendor new collections (#1045) 2022-08-31 18:46:33 -04:00
Christian Adams
5f183999d0 Fix restore resource requirements field name for management pod resources (#1044) 2022-08-31 17:06:01 -04:00
Shane McDonald
3769897131 Merge pull request #1041 from shanemcd/ignore-pycache 
Add __pycache__ to gitignore
 2022-08-30 11:26:02 -04:00
Shane McDonald
7f86231009 Add __pycache__ to gitignore 2022-08-30 11:14:49 -04:00
Shane McDonald
f59dac829a Merge pull request #1040 from shanemcd/reusable-labels 
Move labels into reusable templates
 2022-08-30 11:13:47 -04:00
Shane McDonald
edecf4d2fe Move labels into reusable templates 2022-08-30 11:00:43 -04:00
Shane McDonald
4120b5e2b0 Merge pull request #977 from somebadcode/add-ingress-class-name-to-ingress-template 
Adding ingress class name to ingress template (#716)
 2022-08-29 09:12:52 -04:00
Tobias Dahlberg
8dabca5418 Adding ingress class name to ingress template (#716) 2022-08-29 11:11:19 +02:00
Fedor V
1d341a21d0 feat(readme): remove use of NAMESPACE var (#1028) 
- it was used previously, but not anymore
 2022-08-25 16:21:58 -04:00
Shane McDonald
f8719db954 Merge pull request #1013 from miles-w-3/debug-helm 
Streamlined chart build
 2022-08-25 11:59:04 -04:00
SweetGeneral
89425826e8 AWX.enable corrected to AWX.enabled (#1035) 
Co-authored-by: sandesh.gupta <sandesh.gupta@olacabs.com>
 2022-08-25 09:26:26 -04:00
Shane McDonald
5c572a9ba6 Merge pull request #1033 from mateuszdrab/patch-1 
Remove reference to cluster.local
 2022-08-25 08:44:32 -04:00
Shane McDonald
b7bbfd432d Merge pull request #1034 from whitej6/jlw-jinj3-filter-update 
Fixes #1032 - Update filter to jinja 3.x format
 2022-08-25 08:42:42 -04:00
Shane McDonald
b17cd16fb7 Merge pull request #1008 from rooftopcellist/fix-helm-pkg-build 
Fix helm package build redundancy and release automation
 2022-08-25 08:38:09 -04:00
Mac Chaffee
dc6cbab501 Import all ldap config classes in settings.py (#961) 
* Import all ldap config classes in settings.py
* Add AUTH_LDAP_GROUP_TYPE example to readme

Signed-off-by: Mac Chaffee <machaffe@renci.org>
 2022-08-24 18:00:08 -04:00
Jeremy White
a81be586db update filter to jinja 3.x format 2022-08-24 14:56:08 -05:00
Mateusz Drab
f2a9e967cc Remove reference to cluster.local 2022-08-24 20:07:11 +01:00
Christian Adams
9f017d03e6 Make Backup & restore requests and limits configurable (#1030) 
* Add resource specification options to the backup objects
* Add resource specification options to the restore object

Co-authored-by: Ivan Aragonés <26822043+ivarmu@users.noreply.github.com>
Co-authored-by: silvinux <silvinux7@gmail.com>
Co-authored-by: Ivan Aragonés Muniesa <iaragone@redhat.com>
 2022-08-23 23:23:01 -04:00
Miles Wilson
8de6179ac7 Streamlined chart build 2022-08-03 22:48:27 -04:00
Christian M. Adams
bea05c97ee Fix helm package build redundancy and release automation 2022-08-01 16:00:51 -04:00
63 changed files with 1620 additions and 289 deletions
Expand all files Collapse all files

15
.github/workflows/ci.yaml vendored
View File

@@ -82,3 +82,18 @@ jobs:
- name: Install helm chart
run: |
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
no-log:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v2
- name: Check no_log statements
run: |
set +e
no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
if [ -n "${no_log}" ]; then
echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
echo "${no_log}"
exit 1
fi

54
.github/workflows/label_issue.yml vendored Normal file
View File

@@ -0,0 +1,54 @@
---
name: Label Issues
on:
issues:
types:
- opened
- reopened
jobs:
triage:
runs-on: ubuntu-latest
name: Label
steps:
- name: Label Issue - Needs Triage
uses: github/issue-labeler@v2.4.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
configuration-path: .github/issue_labeler.yml
enable-versioned-regex: 0
if: github.event_name == 'issues'
community:
runs-on: ubuntu-latest
name: Label Issue - Community
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v4
- name: Install python requests
run: pip install requests
- name: Check if user is a member of Ansible org
uses: jannekem/run-python-script-action@v1
id: check_user
with:
script: |
import requests
headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
is_member = False
for org in response.json():
if org['login'] == 'ansible':
is_member = True
if is_member:
print("User is member")
else:
print("User is community")
- name: Add community label if not a member
if: contains(steps.check_user.outputs.stdout, 'community')
uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
with:
add-labels: "community"
repo-token: ${{ secrets.GITHUB_TOKEN }}

40
.github/workflows/label_pr.yml vendored Normal file
View File

@@ -0,0 +1,40 @@
name: Label PR
on:
pull_request_target:
types:
- opened
- reopened
- synchronize
jobs:
community:
runs-on: ubuntu-latest
name: Label PR - Community
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v4
- name: Install python requests
run: pip install requests
- name: Check if user is a member of Ansible org
uses: jannekem/run-python-script-action@v1
id: check_user
with:
script: |
import requests
headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
is_member = False
for org in response.json():
if org['login'] == 'ansible':
is_member = True
if is_member:
print("User is member")
else:
print("User is community")
- name: Add community label if not a member
if: contains(steps.check_user.outputs.stdout, 'community')
uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
with:
add-labels: "community"
repo-token: ${{ secrets.GITHUB_TOKEN }}

18
.github/workflows/pr_body_check.yml vendored
View File

@@ -13,21 +13,13 @@ jobs:
packages: write
contents: read
steps:
- name: Write PR body to a file
run: |
cat >> pr.body << __SOME_RANDOM_PR_EOF__
${{ github.event.pull_request.body }}
__SOME_RANDOM_PR_EOF__
- name: Display the received body for troubleshooting
run: cat pr.body
# We want to write these out individually just incase the options were joined on a single line
- name: Check for each of the lines
env:
PR_BODY: ${{ github.event.pull_request.body }}
run: |
grep "Bug, Docs Fix or other nominal change" pr.body > Z
grep "New or Enhanced Feature" pr.body > Y
grep "Breaking Change" pr.body > X
echo $PR_BODY | grep "Bug, Docs Fix or other nominal change" > Z
echo $PR_BODY | grep "New or Enhanced Feature" > Y
echo $PR_BODY | grep "Breaking Change" > X
exit 0
# We exit 0 and set the shell to prevent the returns from the greps from failing this step
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference

9
.github/workflows/promote.yaml vendored
View File

@@ -8,7 +8,14 @@ jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
depth: 0
- uses: actions/checkout@v3
with:
ref: gh-pages
path: gh-pages
- name: Log in to GHCR
run: |

22
.github/workflows/triage_new.yml vendored
View File

@@ -1,22 +0,0 @@
---
name: Triage
on:
issues:
types:
- opened
jobs:
triage:
runs-on: ubuntu-latest
name: Label
steps:
- name: Label issues
uses: github/issue-labeler@v2.4.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
configuration-path: .github/issue_labeler.yml
enable-versioned-regex: 0
if: github.event_name == 'issues'

2
.gitignore vendored
View File

@@ -1,4 +1,5 @@
*~
gh-pages/
.cache/
/bin
/bundle
@@ -7,3 +8,4 @@
/charts
/.cr-release-packages
.vscode/
__pycache__

25
.helm/starter/README.md
View File

@@ -1,14 +1,14 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
In your values config, enable `AWX.enable` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
Example:
```
@@ -27,10 +27,10 @@ To update an existing installation, use `helm upgrade` instead of `install`. The
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
## Values Summary
@@ -44,13 +44,24 @@ The `AWX.postgres` section simplifies the creation of the external postgres secr
| `AWX.postgres` | configurations for the external postgres secret | - |
# Contributing
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
# Chart Publishing
The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.

8
Dockerfile
View File

@@ -1,4 +1,10 @@
FROM quay.io/operator-framework/ansible-operator:v1.22.2
FROM quay.io/operator-framework/ansible-operator:v1.25.3
USER 0
RUN dnf install -y openssl
USER 1001
ARG DEFAULT_AWX_VERSION
ARG OPERATOR_VERSION

132
Makefile
View File

@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
}
else
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.25.3/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -187,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCHA)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.25.3/$(OS)-$(ARCHA)-opm ;\
chmod +x $(OPM) ;\
}
else
@@ -290,66 +290,112 @@ charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: helm-chart-generate helm-chart-slice
helm-chart: helm-chart-generate
.PHONY: helm-chart-generate
helm-chart-generate: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE (image and namespace) =="
@echo "== KUSTOMIZE: Set image and chart label =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
@echo "== HELM =="
@echo "== Gather Helm Chart Metadata =="
# remove the existing chart if it exists
rm -rf charts/$(CHART_NAME)
# create new chart metadata in Chart.yaml
cd charts && \
$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@echo "Generated chart metadata:"
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE (annotation) =="
cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
@echo "== SLICE =="
@echo "== KUSTOMIZE: Generate resources and slice into templates =="
# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/templates \
--output-dir=charts/$(CHART_NAME)/raw-files \
--sort-by-kind
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
# clean old crds dir before copying in newly generated CRDs
rm -rf charts/$(CHART_NAME)/crds
mkdir charts/$(CHART_NAME)/crds
mv charts/$(CHART_NAME)/templates/customresourcedefinition* charts/$(CHART_NAME)/crds
.PHONY: helm-chart-edit
helm-chart-slice:
@echo "== EDIT =="
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*),$(YQ) -i 'del(.. | select(has("namespace")).namespace)' $(file);)
$(foreach file, $(wildcard charts/$(CHART_NAME)/templates/*rolebinding*),$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $(file);)
rm -f charts/$(CHART_NAME)/templates/namespace*.yaml
@echo "== GIT: Reset kustomize configs =="
# reset kustomize configs following kustomize build
git checkout -f config/.
@echo "== Build Templates and CRDS =="
# Delete metadata.namespace, release namespace will be automatically inserted by helm
for file in charts/$(CHART_NAME)/raw-files/*; do\
$(YQ) -i 'del(.metadata.namespace)' $${file};\
done
# Correct namespace for rolebinding to be release namespace, this must be explicit
for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
done
# move all custom resource definitions to crds folder
mkdir charts/$(CHART_NAME)/crds
mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
# remove any namespace definitions
rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
# move remaining resources to helm templates
mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
# remove the raw-files folder
rm -rf charts/$(CHART_NAME)/raw-files
# create and populate NOTES.txt
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
.PHONY: helm-package
helm-package: cr helm-chart
@echo "== CHART RELEASER (package) =="
$(CR) package ./charts/awx-operator
helm-package: helm-chart
@echo "== Package Current Chart Version =="
mkdir -p .cr-release-packages
# package the chart and put it in .cr-release-packages dir
$(HELM) package ./charts/awx-operator -d .cr-release-packages
# The actual release happens in ansible/helm-release.yml
# until https://github.com/helm/chart-releaser/issues/122 happens
# List all tags oldest to newest.
TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
# The actual release happens in ansible/helm-release.yml, which calls this targer
# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
# that is contained within a larger repo, where a tag may not require a new chart version
.PHONY: helm-index
helm-index: cr helm-chart
@echo "== CHART RELEASER (httpsorigin) =="
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
git fetch httpsorigin
helm-index:
# when running in CI this gh-pages are already checked out with github action to 'gh-pages' directory
# TODO: test if gh-pages directory exists and if not exist
@echo "== CHART RELEASER (index) =="
$(CR) index \
--owner "$(CHART_OWNER)" \
--git-repo "$(CHART_REPO)" \
--token "$(CR_TOKEN)" \
--pages-branch "$(CHART_BRANCH)" \
--index-path "./charts/$(CHART_INDEX)" \
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
--remote httpsorigin \
--release-name-template="{{ .Version }}" \
--push
@echo "== GENERATE INDEX FILE =="
# This step to workaround issues with old releases being dropped.
# Until https://github.com/helm/chart-releaser/issues/133 happens
@echo "== CHART FETCH previous releases =="
# Download all old releases
mkdir -p .cr-release-packages
for tag in $(TAGS); do\
dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
echo "Downloading $${tag} from $${dl_url}";\
curl -RLOs -z ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
result=$$?;\
if [ $${result} -eq 0 ]; then\
echo "Downloaded $${dl_url}";\
else\
echo "Skipping release $${tag}; No helm chart present";\
rm -rf ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz";\
fi;\
done;\
# generate the index file in the root of the gh-pages branch
# --merge will leave any values in index.yaml that don't get generated by this command, but
# it is likely that all values are overridden
$(HELM) repo index .cr-release-packages --url https://$(CHART_OWNER).github.io/awx-operator/ --merge gh-pages/index.yaml
mv .cr-release-packages/index.yaml gh-pages/index.yaml
@echo "== PUSH INDEX FILE =="
cd gh-pages;\
git add index.yaml;\
git commit -m "Updated index.yaml latest release";\
git push;\

152
README.md
View File

@@ -55,6 +55,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
* [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
* [Steps to upgrade](#steps-to-upgrade)
* [Add Execution Nodes](#adding-execution-nodes)
* [Custom Receptor CA](#custom-receptor-ca)
* [Contributing](#contributing)
* [Release Process](#release-process)
* [Author](#author)
@@ -201,6 +203,20 @@ spec:
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-demo
spec:
service_type: clusterip
ingress_type: Route
```
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
```yaml
@@ -241,13 +257,13 @@ awx-demo-service NodePort 10.109.40.38 <none> 80:31006/TCP 3m56
Once deployed, the AWX instance will be accessible by running:
```
$ minikube service awx-demo-service --url -n $NAMESPACE
$ minikube service -n awx awx-demo-service --url
```
By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
```
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
```
@@ -301,7 +317,7 @@ There are three variables that are customizable for the admin user account creat
If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
The secret that is expected to be passed should be formatted as follow:
@@ -442,6 +458,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
| ------------------- | ---------------------------------------- | --------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| ingress_class_name | Define the ingress class name | Cluster default |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
@@ -478,6 +495,12 @@ spec:
### Database Configuration
#### Postgres Version
The default Postgres version for the version of AWX bundled with the latest version of the awx-operator is Postgres 13. You can find this default for a given version by at the default value for [_postgres_image_version](./roles/installer/defaults/main.yml#L138).
We only have coverage for the default version of Postgres. Newer versions of Postgres (14+) will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
#### External PostgreSQL Service
To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
@@ -695,18 +718,20 @@ You can constrain the AWX pods created by the operator to run on a certain subse
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
pods to be scheduled onto nodes with matching taints.
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
If you want to use affinity rules for your AWX pod you can use the `affinity` option.
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| affinity | AWX pods' affinity rules | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:
@@ -739,6 +764,28 @@ spec:
operator: "Equal"
value: "AWX"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: another-node-label-key
operator: In
values:
- another-node-label-value
- another-node-label-value
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S2
topologyKey: topology.kubernetes.io/zone
```
#### Trusting a Custom Certificate Authority
@@ -766,7 +813,22 @@ spec:
bundle_cacert_secret: <resourcename>-custom-certs
```
To create the secrets, you can use the commands below:
Create the secret with `kustomization.yaml` file:
```yaml
....
secretGenerator:
- name: <resourcename>-custom-certs
files:
- bundle-ca.crt=<path+filename>
options:
disableNameSuffixHash: true
...
```
Create the secret with CLI:
* Certificate Authority secret
@@ -785,7 +847,9 @@ To create the secrets, you can use the commands below:
#### Enabling LDAP Integration at AWX bootstrap
A sample of extra settings can be found as below:
A sample of extra settings can be found as below. All possible options can be found here: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings
> **NOTE:** These values are inserted into a Python file, so pay close attention to which values need quotes and which do not.
```yaml
- setting: AUTH_LDAP_SERVER_URI
@@ -802,6 +866,9 @@ A sample of extra settings can be found as below:
- setting: AUTH_LDAP_GROUP_SEARCH
value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
- setting: AUTH_LDAP_GROUP_TYPE
value: 'GroupOfNamesType(name_attr="cn")'
- setting: AUTH_LDAP_USER_ATTR_MAP
value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
@@ -943,6 +1010,17 @@ Example spec file for volumes and volume mounts
> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
##### Custom Nginx Configuration
Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it is possible to extend the nginx.conf.
1. Create a ConfigMap with the extra settings you want to include in the nginx.conf
2. Create an extra_volumes entry in the AWX spec for this ConfigMap
3. Create an web_extra_volume_mounts entry in the AWX spec to mount this volume
The AWX nginx config automatically includes /etc/nginx/conf.d/*.conf if present.
#### Default execution environments from private registries
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
@@ -1062,8 +1140,14 @@ Example configuration of `extra_settings` parameter
- setting: AUTH_LDAP_BIND_DN
value: "cn=admin,dc=example,dc=com"
- setting: LOG_AGGREGATOR_LEVEL
value: "'DEBUG'"
```
Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
#### No Log
Configure no_log for tasks with no_log
@@ -1075,7 +1159,7 @@ Example configuration of `no_log` parameter
```yaml
spec:
no_log: 'true'
no_log: true
```
#### Auto upgrade
@@ -1153,7 +1237,14 @@ Apply the awx-operator.yml for that release to upgrade the operator, and in turn
#### Backup
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets. In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets.
In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore). *Before Restoring from a backup*, be sure to:
* delete the old existing AWX CR
* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
#### PostgreSQL Upgrade Considerations
@@ -1194,6 +1285,33 @@ Then install the new AWX Operator by following the instructions in [Basic Instal
Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
### Adding Execution Nodes
Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature.
#### Custom Receptor CA
The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
Given custom `ca.crt` and `ca.key` stored locally, run the following,
```bash
kubectl create secret tls awx-demo-receptor-ca \
--cert=/path/to/ca.crt --key=/path/to/ca.key
```
The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
If this secret is created after AWX is deployed, run the following to restart the deployment,
```bash
kubectl rollout restart deployment awx-demo
```
**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.
## Contributing
Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).

24
config/crd/bases/awx.ansible.com_awxbackups.yaml
View File

@@ -54,12 +54,33 @@ spec:
backup_storage_requirements:
description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
type: string
backup_resource_requirements:
description: Resource requirements for the management pod used to create a backup
properties:
requests:
properties:
cpu:
type: string
memory:
type: string
type: object
limits:
properties:
cpu:
type: string
memory:
type: string
type: object
type: object
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
clean_backup_on_delete:
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
type: boolean
pg_dump_suffix:
description: Additional parameters for the pg_dump command
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
@@ -71,7 +92,8 @@ spec:
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
type: boolean
default: true
set_self_labels:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean

24
config/crd/bases/awx.ansible.com_awxrestores.yaml
View File

@@ -50,6 +50,9 @@ spec:
description: Name of the restored deployment. This should be different from the original deployment name
if the original deployment still exists.
type: string
cluster_name:
description: Cluster name
type: string
backup_name:
description: AWXBackup object name
type: string
@@ -62,6 +65,24 @@ spec:
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
restore_resource_requirements:
description: Resource requirements for the management pod that restores AWX from a backup
properties:
requests:
properties:
cpu:
type: string
memory:
type: string
type: object
limits:
properties:
cpu:
type: string
memory:
type: string
type: object
type: object
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
@@ -73,7 +94,8 @@ spec:
type: string
no_log:
description: Configure no_log for no_log tasks
type: string
type: boolean
default: true
set_self_labels:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean

382
config/crd/bases/awx.ansible.com_awxs.yaml
View File

@@ -103,6 +103,9 @@ spec:
- ingress
- Route
- route
ingress_api_version:
description: The Ingress API version to use
type: string
ingress_path:
description: The ingress path used to reach the deployed service
type: string
@@ -115,6 +118,9 @@ spec:
ingress_tls_secret:
description: Secret where the Ingress TLS secret can be found
type: string
ingress_class_name:
description: The name of ingress class to use instead of the cluster default.
type: string
loadbalancer_protocol:
description: Protocol to use for the loadbalancer
type: string
@@ -138,6 +144,9 @@ spec:
- edge
- Passthrough
- passthrough
route_api_version:
description: The route API version to use
type: string
route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
@@ -151,6 +160,372 @@ spec:
topology_spread_constraints:
description: topology rule(s) for the pods
type: string
affinity:
description: If specified, the pod's scheduling constraints
properties:
nodeAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
preference:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
weight:
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
properties:
nodeSelectorTerms:
items:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
type: array
required:
- nodeSelectorTerms
type: object
x-kubernetes-map-type: atomic
type: object
podAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
service_labels:
description: Additional labels to apply to the service
type: string
@@ -501,7 +876,8 @@ spec:
type: array
no_log:
description: Configure no_log for no_log tasks
type: string
type: boolean
default: true
security_context_settings:
description: Key/values that will be set under the pod-level securityContext field
type: object
@@ -514,6 +890,10 @@ spec:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean
default: true
ipv6_disabled:
description: Disable web container's nginx ipv6 listener
type: boolean
default: false
type: object
status:
properties:

8
config/default/kustomization.yaml
View File

@@ -9,10 +9,12 @@ namespace: awx
namePrefix: awx-operator-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
#labels:
#- includeSelectors: true
# pairs:
# someName: someValue
bases:
resources:
- ../crd
- ../rbac
- ../manager

2
config/default/manager_auth_proxy_patch.yaml
View File

@@ -16,7 +16,7 @@ spec:
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"

2
config/manager/manager.yaml
View File

@@ -21,7 +21,7 @@ spec:
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
kubectl.kubernetes.io/default-container: awx-manager
labels:
control-plane: controller-manager
spec:

232
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

File diff suppressed because one or more lines are too long

7
config/samples/awx_v1beta1_awxbackup.yaml
View File

@@ -4,3 +4,10 @@ metadata:
name: example-awx-backup
spec:
deployment_name: example-awx
backup_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"

7
config/samples/awx_v1beta1_awxrestore.yaml
View File

@@ -5,3 +5,10 @@ metadata:
spec:
deployment_name: example-awx-2
backup_name: example-awx-backup
restore_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"

2
config/scorecard/patches/basic.config.yaml
View File

@@ -4,7 +4,7 @@
entrypoint:
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: basic
test: basic-check-spec-test

10
config/scorecard/patches/olm.config.yaml
View File

@@ -4,7 +4,7 @@
entrypoint:
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
entrypoint:
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
entrypoint:
- scorecard-test
- olm-crds-have-resources
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
entrypoint:
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
entrypoint:
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.22.2
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-status-descriptors-test

1
molecule/default/templates/awx_cr_molecule.yml.j2
View File

@@ -26,6 +26,7 @@ spec:
requests:
cpu: 50m
memory: 16M
no_log: false
postgres_resource_requirements: {}
postgres_init_container_resource_requirements: {}
redis_resource_requirements: {}

2
molecule/requirements.txt
View File

@@ -1,4 +1,4 @@
molecule
molecule<4.0.2
molecule-docker
yamllint
ansible-lint

31
playbooks/awx.yml Normal file
View File

@@ -0,0 +1,31 @@
---
- hosts: localhost
gather_facts: no
collections:
- kubernetes.core
- operator_sdk.util
vars:
no_log: true
pre_tasks:
- name: Verify imagePullSecrets
k8s_info:
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: redhat-operators-pull-secret
register: _rh_ops_secret
no_log: "{{ no_log }}"
- name: Create imagePullSecret
k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: redhat-operators-pull-secret
namespace: '{{ ansible_operator_meta.namespace }}'
stringData:
operator: awx
when:
- (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
roles:
- installer

2
requirements.yml
View File

@@ -3,4 +3,4 @@ collections:
- name: kubernetes.core
version: '>=2.3.2'
- name: operator_sdk.util
version: "0.2.0"
version: "0.4.0"

31
roles/backup/README.md
View File

@@ -45,7 +45,7 @@ The resulting pvc will contain a backup tar that can be used to restore to a new
Role Variables
--------------
A custom, pre-created pvc can be used by setting the following variables.
A custom, pre-created pvc can be used by setting the following variables.
```
backup_pvc: 'awx-backup-volume-claim'
@@ -60,10 +60,17 @@ backup_storage_class: 'standard'
backup_storage_requirements: '20Gi'
```
By default, the backup pvc will be created in the same namespace the awxbackup object is created in. If you want your backup to be stored
in a specific namespace, you can do so by specifying `backup_pvc_namespace`. Keep in mind that you will
need to provide the same namespace when restoring.
```
backup_pvc_namespace: 'custom-namespace'
```
The backup pvc will be created in the same namespace the awxbackup object is created in.
If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
The postgresql pod for the old deployment is used when backing up data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
@@ -74,6 +81,24 @@ It is also possible to tie the lifetime of the backup files to that of the AWXBa
```
clean_backup_on_delete: true
```
Variable to define resources limits and request for backup CR.
```
backup_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"
```
To customize the pg_dump command that will be executed on a backup use the `pg_dump_suffix` variable. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
```
pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
```
Testing
----------------

11
roles/backup/defaults/main.yml
View File

@@ -12,7 +12,7 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
backup_storage_requirements: ''
# Set no_log settings on certain tasks
no_log: 'true'
no_log: true
# Variable to set when you want backups to be cleaned up when the CRD object is deleted
clean_backup_on_delete: false
@@ -20,8 +20,17 @@ clean_backup_on_delete: false
# Variable to signal that this role is being run as a finalizer
finalizer_run: false
# Default resource requirements
backup_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"
# Allow additional parameters to be added to the pg_dump backup command
pg_dump_suffix: ''
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true
...

1
roles/backup/tasks/awx-cro.yml
View File

@@ -25,6 +25,7 @@
set_fact:
awx_spec:
spec: "{{ _awx }}"
previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
- name: Write awx object to pvc
k8s_exec:

24
roles/backup/tasks/dump_receptor_secrets.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Get secret
k8s_info:
version: v1
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ item }}"
register: _secret
no_log: "{{ no_log }}"
- name: Backup secret if exists
block:
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
no_log: "{{ no_log }}"
when: _secret | length

2
roles/backup/tasks/postgres.yml
View File

@@ -75,7 +75,7 @@
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
- name: Set full resolvable host name for postgres pod
set_fact:

12
roles/backup/tasks/secrets.yml
View File

@@ -1,11 +1,5 @@
---
- name: Create Temporary secrets file
tempfile:
state: file
suffix: .json
register: tmp_secrets
- name: Dump (generated) secret names from statuses and data into file
include_tasks: dump_generated_secret.yml
with_items:
@@ -23,6 +17,12 @@
- bundle_cacert_secret
- ee_pull_credentials_secret
- name: Dump receptor secret names and data into file
include_tasks: dump_receptor_secrets.yml
loop:
- '{{ deployment_name }}-receptor-ca'
- '{{ deployment_name }}-receptor-work-signing'
# image_pull_secret is deprecated in favor of image_pull_secrets
- name: Dump image_pull_secret into file
include_tasks: dump_secret.yml

4
roles/backup/templates/management-pod.yml.j2
View File

@@ -20,6 +20,10 @@ spec:
- name: {{ ansible_operator_meta.name }}-backup
mountPath: /backups
readOnly: false
{% if backup_resource_requirements is defined %}
resources:
{{ backup_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
{%- endif %}
volumes:
- name: {{ ansible_operator_meta.name }}-backup
persistentVolumeClaim:

8
roles/common/defaults/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
deployment_type: awx
kind: 'AWX'
api_version: '{{ deployment_type }}.ansible.com/v1beta1'
# Used to determine some cluster specific logic regarding projects_persistence pvc permissions
is_k8s: false
is_openshift: false

32
roles/common/meta/main.yml Normal file
View File

@@ -0,0 +1,32 @@
---
galaxy_info:
author: Ansible
description: AWX role for AWX Operator for Kubernetes.
company: Red Hat, Inc.
license: MIT
min_ansible_version: 2.8
platforms:
- name: EL
versions:
- all
- name: Debian
versions:
- all
galaxy_tags:
- tower
- awx
- ansible
- automation
- ci
- cd
- deployment
dependencies: []
collections:
- kubernetes.core
- operator_sdk.util

20
roles/common/tasks/main.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Get information about the cluster
set_fact:
api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
when:
- not is_openshift | bool
- not is_k8s | bool
- name: Determine the cluster type
set_fact:
is_openshift: "{{ True if 'route.openshift.io' in api_groups else False }}"
is_k8s: "{{ False if 'route.openshift.io' in api_groups else True }}"
when:
- not is_openshift | bool
- not is_k8s | bool
# Indicate what kind of cluster we are in (OpenShift or Kubernetes).
- debug:
msg: "CLUSTER TYPE: is_openshift={{ is_openshift }}; is_k8s={{ is_k8s }}"

22
roles/installer/defaults/main.yml
View File

@@ -1,6 +1,6 @@
---
deployment_type: awx
kind: '{{ deployment_type | upper }}'
kind: 'AWX'
api_version: '{{ deployment_type }}.ansible.com/v1beta1'
database_name: "{{ deployment_type }}"
@@ -9,8 +9,10 @@ database_username: "{{ deployment_type }}"
task_privileged: false
service_type: ClusterIP
ingress_type: none
ingress_class_name: ''
ingress_path: '/'
ingress_path_type: 'Prefix'
ingress_api_version: 'networking.k8s.io/v1'
# Add annotations to the service account. Specify as literal block. E.g.:
# service_account_annotations: |
# eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -49,6 +51,10 @@ route_tls_termination_mechanism: edge
#
route_tls_secret: ''
# Route API Version to support older version
# of the kubernetes services
route_api_version: 'route.openshift.io/v1'
# Host to create the root with.
# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
#
@@ -75,6 +81,8 @@ node_selector: ''
# app.kubernetes.io/name: "<resourcename>"
topology_spread_constraints: ''
affinity: {}
# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
# tolerations: |
# - key: "dedicated"
@@ -130,8 +138,6 @@ _redis_image: docker.io/redis
_redis_image_version: 7
_postgres_image: postgres
_postgres_image_version: 13
_init_container_image: quay.io/centos/centos
_init_container_image_version: stream8
image_pull_policy: IfNotPresent
image_pull_secrets: []
@@ -157,6 +163,11 @@ ee_images:
_control_plane_ee_image: quay.io/ansible/awx-ee:latest
_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
_init_projects_container_image: quay.io/centos/centos:stream9
create_preload_data: true
replicas: "1"
@@ -286,7 +297,7 @@ development_mode: false
security_context_settings: {}
# Set no_log settings on certain tasks
no_log: 'true'
no_log: true
# Should AWX instances be automatically upgraded when operator gets upgraded
#
@@ -294,3 +305,6 @@ auto_upgrade: true
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true
# Disable web container's nginx ipv6 listener
ipv6_disabled: false

3
roles/installer/meta/main.yml
View File

@@ -25,7 +25,8 @@ galaxy_info:
- cd
- deployment
dependencies: []
dependencies:
- role: common
collections:
- kubernetes.core

2
roles/installer/tasks/cleanup.yml
View File

@@ -23,6 +23,8 @@
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
- '{{ ansible_operator_meta.name }}-receptor-ca'
- '{{ ansible_operator_meta.name }}-receptor-work-signing'
no_log: "{{ no_log }}"
when: not garbage_collect_secrets | bool

19
roles/installer/tasks/initialize_django.yml
View File

@@ -18,10 +18,21 @@
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
command: awx-manage createsuperuser --username={{ admin_user | quote }} --email={{ admin_email | quote }} --noinput
register: result
changed_when: "'That username is already taken' not in result.stderr"
failed_when: "'That username is already taken' not in result.stderr and 'Superuser created successfully' not in result.stdout"
no_log: "{{ no_log }}"
when: users_result.return_code > 0
- name: Update Django super user password
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: awx-manage update_password --username='{{ admin_user }}' --password='{{ admin_password }}'
register: result
changed_when: "'Password updated' in result.stdout"
no_log: "{{ no_log }}"
when: users_result.return_code > 0

7
roles/installer/tasks/install.yml
View File

@@ -10,12 +10,7 @@
metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
labels: '{{ lookup("template", "labels/common.yaml.j2") | from_yaml }}'
when: set_self_labels | bool
- name: Include secret key configuration tasks

133
roles/installer/tasks/resources_configuration.yml
View File

@@ -27,6 +27,139 @@
set_fact:
_control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
- name: Check for Receptor CA Secret
k8s_info:
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-receptor-ca'
register: _receptor_ca
no_log: "{{ no_log }}"
- name: Migrate Receptor CA Secret
when:
- _receptor_ca['resources'] | default([]) | length
- _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
block:
- name: Delete old Receptor CA Secret
k8s:
state: absent
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-receptor-ca'
- name: Create tempfile for receptor-ca.key
tempfile:
state: file
suffix: .key
register: _receptor_ca_key_file
- name: Copy Receptor CA key from old secret to tempfile
copy:
content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}"
dest: "{{ _receptor_ca_key_file.path }}"
no_log: "{{ no_log }}"
- name: Create tempfile for receptor-ca.crt
tempfile:
state: file
suffix: .crt
register: _receptor_ca_crt_file
- name: Copy Receptor CA cert from old secret to tempfile
copy:
content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}"
dest: "{{ _receptor_ca_crt_file.path }}"
no_log: "{{ no_log }}"
- name: Create New Receptor CA secret
k8s:
apply: true
definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Remove tempfiles
file:
path: "{{ item }}"
state: absent
loop:
- "{{ _receptor_ca_key_file.path }}"
- "{{ _receptor_ca_crt_file.path }}"
- name: Create Receptor Mesh CA
block:
- name: Create tempfile for receptor-ca.key
tempfile:
state: file
suffix: .key
register: _receptor_ca_key_file
- name: Generate Receptor CA key
command: |
openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
no_log: "{{ no_log }}"
- name: Create tempfile for receptor-ca.crt
tempfile:
state: file
suffix: .crt
register: _receptor_ca_crt_file
- name: Generate Receptor CA cert
command: |
openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
-subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
-sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
no_log: "{{ no_log }}"
- name: Create Receptor CA secret
k8s:
apply: true
definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Remove tempfiles
file:
path: "{{ item }}"
state: absent
loop:
- "{{ _receptor_ca_key_file.path }}"
- "{{ _receptor_ca_crt_file.path }}"
when: not _receptor_ca['resources'] | default([]) | length
- name: Check for Receptor work signing Secret
k8s_info:
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
register: _receptor_work_signing
no_log: "{{ no_log }}"
- name: Generate Receptor work signing RSA key pair
block:
- name: Create tempfile for receptor work signing private key
tempfile:
state: file
suffix: .pem
register: _receptor_work_signing_private_key_file
- name: Generate Receptor work signing private key
command: |
openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
no_log: "{{ no_log }}"
- name: Create tempfile for receptor work signing public key
tempfile:
state: file
suffix: .pem
register: _receptor_work_signing_public_key_file
- name: Generate Receptor work signing public key
command: |
openssl rsa \
-in {{ _receptor_work_signing_private_key_file.path }} \
-out {{ _receptor_work_signing_public_key_file.path }} \
-outform PEM -pubout
no_log: "{{ no_log }}"
- name: Create Receptor work signing Secret
k8s:
apply: true
definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
no_log: "{{ no_log }}"
- name: Remove tempfiles
file:
path: "{{ item }}"
state: absent
loop:
- "{{ _receptor_work_signing_private_key_file.path }}"
- "{{ _receptor_work_signing_public_key_file.path }}"
when: not _receptor_work_signing['resources'] | default([]) | length
- name: Apply Resources
k8s:
apply: yes

4
roles/installer/tasks/upgrade_postgres.yml
View File

@@ -64,7 +64,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ ansible_operator_meta.name }}-postgres.{{ ansible_operator_meta.namespace }}.svc.cluster.local" # yamllint disable-line rule:line-length
resolvable_db_host: "{{ ansible_operator_meta.name }}-postgres.{{ ansible_operator_meta.namespace }}.svc" # yamllint disable-line rule:line-length
no_log: "{{ no_log }}"
- name: Set pg_dump command
@@ -93,7 +93,7 @@
command: |
bash -c """
set -e -o pipefail
PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
echo 'Successful'
"""
no_log: "{{ no_log }}"

39
roles/installer/templates/configmaps/config.yaml.j2
View File

@@ -18,7 +18,8 @@ data:
settings: |
import os
import socket
from django_auth_ldap.config import LDAPSearch
# Import all so that extra_settings works properly
from django_auth_ldap.config import *
def get_secret():
if os.path.exists("/etc/tower/SECRET_KEY"):
@@ -45,8 +46,8 @@ data:
{%- set cpu_limit = task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] -%}
{%- if cpu_limit is defined -%}
{%- set callback_receiver_cpu = cpu_limit | cpu_string_to_decimal -%}
{%- if callback_receiver_cpu |int > 4 -%}
# Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
{%- if callback_receiver_cpu |int > 4 %}
# Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
JOB_EVENT_WORKERS = {{ callback_receiver_cpu }}
{%- endif -%}
{%- endif %}
@@ -131,7 +132,9 @@ data:
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server;
{% if not ipv6_disabled %}
listen [::]:8052 default_server;
{% endif %}
server_name _;
# Redirect all HTTP links to the matching HTTPS page
@@ -142,7 +145,9 @@ data:
server {
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl;
{% if not ipv6_disabled %}
listen [::]:8053 ssl;
{% endif %}
ssl_certificate /etc/nginx/pki/web.crt;
ssl_certificate_key /etc/nginx/pki/web.key;
@@ -153,7 +158,9 @@ data:
ssl_prefer_server_ciphers on;
{% else %}
listen 8052 default_server;
{% if not ipv6_disabled %}
listen [::]:8052 default_server;
{% endif %}
{% endif %}
# If you have a domain name, this is where to add it
@@ -211,9 +218,7 @@ data:
uwsgi_read_timeout 120s;
uwsgi_pass uwsgi;
include /etc/nginx/uwsgi_params;
{%- if extra_nginx_include is defined %}
include {{ extra_nginx_include }};
{%- endif %}
include /etc/nginx/conf.d/*.conf;
proxy_set_header X-Forwarded-Port 443;
uwsgi_param HTTP_X_FORWARDED_PORT 443;
@@ -235,30 +240,38 @@ data:
receptor_conf: |
---
- log-level: debug
- local-only: null
- node:
firewallrules:
- action: reject
tonode: HOSTNAME
toservice: control
- control-service:
service: control
filename: /var/run/receptor/receptor.sock
permissions: 0660
- local-only:
permissions: '0660'
- work-command:
worktype: local
command: ansible-runner
params: worker
allowruntimeparams: true
- work-kubernetes:
worktype: kubernetes-runtime-auth
authmethod: runtime
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
- work-kubernetes:
worktype: kubernetes-incluster-auth
authmethod: incluster
allowruntimeauth: true
allowruntimepod: true
allowruntimeparams: true
- tls-client:
cert: /etc/receptor/tls/receptor.crt
key: /etc/receptor/tls/receptor.key
name: tlsclient
rootcas: /etc/receptor/tls/ca/receptor-ca.crt
- work-signing:
privatekey: /etc/receptor/signing/work-private-key.pem
tokenexpiration: 1m

138
roles/installer/templates/deployments/deployment.yaml.j2
View File

@@ -6,12 +6,8 @@ metadata:
name: '{{ ansible_operator_meta.name }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
{{ lookup("template", "labels/common.yaml.j2") | indent(width=4) | trim }}
{{ lookup("template", "labels/version.yaml.j2") | indent(width=4) | trim }}
spec:
replicas: {{ replicas }}
selector:
@@ -22,11 +18,8 @@ spec:
template:
metadata:
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{{ lookup("template", "labels/common.yaml.j2") | indent(width=8) | trim }}
{{ lookup("template", "labels/version.yaml.j2") | indent(width=8) | trim }}
{% if annotations %}
annotations:
{{ annotations | indent(width=8) }}
@@ -46,26 +39,40 @@ spec:
priorityClassName: '{{ control_plane_priority_class }}'
{% endif %}
initContainers:
{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
- name: init
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ task_resource_requirements }}
command:
- /bin/sh
- -c
- |
hostname=$MY_POD_NAME
receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
{% if bundle_ca_crt %}
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
update-ca-trust
{% endif %}
{% if projects_persistence|bool %}
chmod 775 /var/lib/awx/projects
chgrp 1000 /var/lib/awx/projects
{% endif %}
{% if init_container_extra_commands %}
{{ init_container_extra_commands | indent(width=14) }}
{% endif %}
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
subPath: "tls.crt"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
subPath: "tls.key"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
mountPath: "/etc/receptor/tls/"
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
mountPath: "/etc/pki/ca-trust/extracted"
@@ -74,13 +81,27 @@ spec:
subPath: bundle-ca.crt
readOnly: true
{% endif %}
{% if projects_persistence|bool %}
{% if init_container_extra_volume_mounts -%}
{{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
{% if projects_persistence|bool and is_k8s|bool %}
- name: init-projects
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
command:
- /bin/sh
- -c
- |
chmod 775 /var/lib/awx/projects
chgrp 1000 /var/lib/awx/projects
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
{% endif %}
{% if init_container_extra_volume_mounts -%}
{{ init_container_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% endif %}
{% endif %}
containers:
- image: '{{ _redis_image }}'
@@ -170,12 +191,24 @@ spec:
mountPath: "/var/lib/awx/rsyslog"
- name: "{{ ansible_operator_meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
mountPath: "/etc/receptor/signing/work-public-key.pem"
subPath: "work-public-key.pem"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
subPath: "tls.crt"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
subPath: "tls.key"
readOnly: true
{% if development_mode | bool %}
- name: awx-devel
mountPath: "/awx_devel"
{% endif %}
{% if web_extra_volume_mounts -%}
{{ web_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{{ web_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
env:
- name: MY_POD_NAMESPACE
@@ -189,7 +222,7 @@ spec:
value: "1"
{% endif %}
{% if web_extra_env -%}
{{ web_extra_env | indent(width=12, indentfirst=True) }}
{{ web_extra_env | indent(width=12, first=True) }}
{% endif %}
resources: {{ web_resource_requirements }}
- image: '{{ _image }}'
@@ -243,8 +276,10 @@ spec:
- name: rsyslog-dir
mountPath: "/var/lib/awx/rsyslog"
- name: "{{ ansible_operator_meta.name }}-receptor-config"
mountPath: "/etc/receptor/receptor.conf"
subPath: receptor.conf
mountPath: "/etc/receptor/"
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
mountPath: "/etc/receptor/signing/work-private-key.pem"
subPath: "work-private-key.pem"
readOnly: true
- name: receptor-socket
mountPath: "/var/run/receptor"
@@ -255,7 +290,7 @@ spec:
mountPath: "/awx_devel"
{% endif %}
{% if task_extra_volume_mounts -%}
{{ task_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{{ task_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
env:
- name: SUPERVISOR_WEB_CONFIG_PATH
@@ -279,14 +314,22 @@ spec:
value: "1"
{% endif %}
{% if task_extra_env -%}
{{ task_extra_env | indent(width=12, indentfirst=True) }}
{{ task_extra_env | indent(width=12, first=True) }}
{% endif %}
resources: {{ task_resource_requirements }}
- image: '{{ _control_plane_ee_image }}'
name: '{{ ansible_operator_meta.name }}-ee'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ ee_resource_requirements }}
args: ['receptor', '--config', '/etc/receptor/receptor.conf']
args:
- /bin/sh
- -c
- |
if [ ! -f /etc/receptor/receptor.conf ]; then
cp /etc/receptor/receptor-default.conf /etc/receptor/receptor.conf
sed -i "s/HOSTNAME/$HOSTNAME/g" /etc/receptor/receptor.conf
fi
exec receptor --config /etc/receptor/receptor.conf
volumeMounts:
{% if bundle_ca_crt %}
- name: "ca-trust-extracted"
@@ -296,16 +339,27 @@ spec:
subPath: bundle-ca.crt
readOnly: true
{% endif %}
- name: "{{ ansible_operator_meta.name }}-receptor-config"
mountPath: "/etc/receptor/receptor.conf"
- name: "{{ ansible_operator_meta.name }}-default-receptor-config"
mountPath: "/etc/receptor/receptor-default.conf"
subPath: receptor.conf
- name: "{{ ansible_operator_meta.name }}-receptor-config"
mountPath: "/etc/receptor/"
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
subPath: "tls.crt"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
mountPath: "/etc/receptor/signing/work-private-key.pem"
subPath: "work-private-key.pem"
readOnly: true
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
mountPath: "/etc/receptor/tls/"
- name: receptor-socket
mountPath: "/var/run/receptor"
- name: "{{ ansible_operator_meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
{% if ee_extra_volume_mounts -%}
{{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{{ ee_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
env:
{% if development_mode | bool %}
@@ -315,7 +369,7 @@ spec:
fieldPath: status.podIP
{% endif %}
{% if ee_extra_env -%}
{{ ee_extra_env | indent(width=12, indentfirst=True) }}
{{ ee_extra_env | indent(width=12, first=True) }}
{% endif %}
{% if node_selector %}
nodeSelector:
@@ -325,13 +379,17 @@ spec:
topologySpreadConstraints:
{{ topology_spread_constraints | indent(width=8) }}
{% endif %}
{% if affinity | length %}
affinity:
{{ affinity | to_nice_yaml | indent(width=8) }}
{% endif %}
{% if tolerations %}
tolerations:
{{ tolerations | indent(width=8) }}
{% endif %}
{% if projects_persistence|bool or (security_context_settings|length) %}
{% if (projects_persistence|bool and is_k8s|bool) or (security_context_settings|length) %}
securityContext:
{% if projects_persistence|bool %}
{% if projects_persistence|bool and is_k8s|bool %}
fsGroup: 1000
{% endif %}
{% if security_context_settings|length %}
@@ -377,6 +435,14 @@ spec:
path: 'ldap.py'
- key: execution_environments.py
path: 'execution_environments.py'
- name: "{{ ansible_operator_meta.name }}-receptor-tls"
emptyDir: {}
- name: "{{ ansible_operator_meta.name }}-receptor-ca"
secret:
secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
- name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
secret:
secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
- name: "{{ secret_key_secret_name }}"
secret:
secretName: '{{ secret_key_secret_name }}'
@@ -414,6 +480,8 @@ spec:
- name: rsyslog-dir
emptyDir: {}
- name: {{ ansible_operator_meta.name }}-receptor-config
emptyDir: {}
- name: {{ ansible_operator_meta.name }}-default-receptor-config
configMap:
name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
items:
@@ -436,5 +504,5 @@ spec:
path: /awx_devel
{% endif %}
{% if extra_volumes -%}
{{ extra_volumes | indent(width=8, indentfirst=True) }}
{{ extra_volumes | indent(width=8, first=True) }}
{% endif %}

6
roles/installer/templates/labels/common.yaml.j2 Normal file
View File

@@ -0,0 +1,6 @@
# https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'

1
roles/installer/templates/labels/version.yaml.j2 Normal file
View File

@@ -0,0 +1 @@
app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '', 0) }}'

17
roles/installer/templates/networking/ingress.yaml.j2
View File

@@ -1,6 +1,8 @@
{% if ingress_type|lower == "ingress" %}
---
apiVersion: networking.k8s.io/v1
{% if ingress_api_version is defined %}
apiVersion: '{{ ingress_api_version }}'
{% endif %}
kind: Ingress
metadata:
name: '{{ ansible_operator_meta.name }}-ingress'
@@ -16,6 +18,9 @@ metadata:
{{ ingress_annotations | indent(width=4) }}
{% endif %}
spec:
{% if ingress_class_name %}
ingressClassName: '{{ ingress_class_name }}'
{% endif %}
rules:
- http:
paths:
@@ -39,7 +44,9 @@ spec:
{% if ingress_type|lower == "route" %}
---
apiVersion: route.openshift.io/v1
{% if route_api_version is defined %}
apiVersion: '{{ route_api_version }}'
{% endif %}
kind: Route
metadata:
name: '{{ ansible_operator_meta.name }}'
@@ -61,12 +68,12 @@ spec:
termination: {{ route_tls_termination_mechanism | lower }}
{% if route_tls_termination_mechanism | lower == 'edge' and route_tls_secret != '' %}
key: |-
{{ route_tls_key | indent(width=6, indentfirst=True) }}
{{ route_tls_key | indent(width=6, first=True) }}
certificate: |-
{{ route_tls_crt | indent(width=6, indentfirst=True) }}
{{ route_tls_crt | indent(width=6, first=True) }}
{% if route_ca_crt is defined %}
caCertificate: |-
{{ route_ca_crt | indent(width=6, indentfirst=True) }}
{{ route_ca_crt | indent(width=6, first=True) }}
{% endif %}
{% endif %}
to:

16
roles/installer/templates/secrets/receptor_ca_secret.yaml.j2 Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ ansible_operator_meta.name }}-receptor-ca'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
type: kubernetes.io/tls
data:
tls.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
tls.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'

15
roles/installer/templates/secrets/receptor_work_signing_secret.yaml.j2 Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
data:
work-private-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_private_key_file.path }}') | b64encode }}'
work-public-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_public_key_file.path }}') | b64encode }}'

25
roles/restore/README.md
View File

@@ -17,6 +17,12 @@ This role assumes you are authenticated with an Openshift or Kubernetes cluster:
- AWX is deployed to via the operator
- An AWX backup is available on a PVC in your cluster (see the backup [README.md](../backup/README.md))
*Before Restoring from a backup*, be sure to:
- delete the old existing AWX CR
- delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
Usage
----------------
@@ -35,9 +41,9 @@ spec:
backup_name: awxbackup-2021-04-22
```
Note that the `deployment_name` above is the name of the AWX deployment you intend to create and restore to.
Note that the `deployment_name` above is the name of the AWX deployment you intend to create and restore to.
The namespace specified is the namespace the resulting AWX deployment will be in. The namespace you specified must be pre-created.
The namespace specified is the namespace the resulting AWX deployment will be in. The namespace you specified must be pre-created.
```
kubectl create ns my-namespace
@@ -57,7 +63,7 @@ This will create a new deployment and restore your backup to it.
Role Variables
--------------
The name of the backup directory can be found as a status on your AWXBackup object. This can be found in your cluster's console, or with the client as shown below.
The name of the backup directory can be found as a status on your AWXBackup object. This can be found in your cluster's console, or with the client as shown below.
```bash
$ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupDirectory}"
@@ -69,7 +75,7 @@ backup_dir: '/backups/tower-openshift-backup-2021-04-02-03:25:08'
```
The name of the PVC can also be found by looking at the backup object.
The name of the PVC can also be found by looking at the backup object.
```bash
$ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupClaim}"
@@ -95,6 +101,17 @@ backup_pvc: myoldtower-backup-claim
backup_dir: /backups/tower-openshift-backup-2021-04-02-03:25:08
```
Variable to define resources limits and request for restore CR.
```
restore_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"
```
Testing
----------------

15
roles/restore/defaults/main.yml
View File

@@ -11,8 +11,21 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
# Required: backup name, found on the awxbackup object
backup_dir: ''
# Default cluster name
cluster_name: 'cluster.local'
# Set no_log settings on certain tasks
no_log: 'true'
no_log: true
# Default resource requirements
restore_resource_requirements:
limits:
cpu: "1000m"
memory: "4096Mi"
requests:
cpu: "25m"
memory: "32Mi"
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true
...

22
roles/restore/tasks/deploy_awx.yml
View File

@@ -1,27 +1,5 @@
---
- name: Get AWX object definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/awx_object'"
register: awx_object
- name: Create temp file for spec dict
tempfile:
state: file
register: tmp_spec
- name: Write spec vars to temp file
copy:
content: "{{ awx_object.stdout }}"
dest: "{{ tmp_spec.path }}"
mode: '0644'
- name: Include spec vars to save them as a dict
include_vars: "{{ tmp_spec.path }}"
- name: Deploy AWX
k8s:
state: "{{ state | default('present') }}"

25
roles/restore/tasks/import_vars.yml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: Import awx_object variables
block:
- name: Get AWX object definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/awx_object'"
register: awx_object
- name: Create temp file for spec dict
tempfile:
state: file
register: tmp_spec
- name: Write spec vars to temp file
copy:
content: "{{ awx_object.stdout }}"
dest: "{{ tmp_spec.path }}"
mode: '0644'
- name: Include spec vars to save them as a dict
include_vars: "{{ tmp_spec.path }}"

2
roles/restore/tasks/main.yml
View File

@@ -29,6 +29,8 @@
- block:
- include_tasks: init.yml
- include_tasks: import_vars.yml
- include_tasks: secrets.yml
- include_tasks: deploy_awx.yml

3
roles/restore/tasks/postgres.yml
View File

@@ -66,7 +66,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.{{ cluster_name }}"
no_log: "{{ no_log }}"
when: awx_postgres_type == 'managed'
@@ -76,7 +76,6 @@
pg_restore --clean --if-exists
-U {{ awx_postgres_user }}
-h {{ resolvable_db_host }}
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
no_log: "{{ no_log }}"

31
roles/restore/tasks/secrets.yml
View File

@@ -54,6 +54,37 @@
no_log: "{{ no_log }}"
when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
- name: Set new receptor secret names
set_fact:
previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca"
previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing"
no_log: "{{ no_log }}"
- name: Set new name for receptor secrets using deployment_name
block:
- name: Set new receptor secret names
set_fact:
receptor_ca_name: "{{ deployment_name }}-receptor-ca"
receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing"
no_log: "{{ no_log }}"
- name: Set tmp dict for receptor secrets
set_fact:
_ca_secret: "{{ secrets[previous_receptor_ca_name] }}"
_work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}"
no_log: "{{ no_log }}"
- name: Change receptor secret names in tmp dict
set_fact:
_ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}"
_work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}"
no_log: "{{ no_log }}"
- name: Create a new dict of receptor secrets with updated names
set_fact:
secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}"
no_log: "{{ no_log }}"
- name: Apply secret
k8s:
state: present

4
roles/restore/templates/management-pod.yml.j2
View File

@@ -20,6 +20,10 @@ spec:
- name: {{ ansible_operator_meta.name }}-backup
mountPath: /backups
readOnly: false
{% if restore_resource_requirements is defined %}
resources:
{{ restore_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
{%- endif %}
volumes:
- name: {{ ansible_operator_meta.name }}-backup
persistentVolumeClaim:

BIN
vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-1.1.1.tar.gz generated vendored
View File

Binary file not shown.

BIN
vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-2.3.2.tar.gz generated vendored Normal file
View File

Binary file not shown.

BIN
vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.1.0.tar.gz generated vendored
View File

Binary file not shown.

BIN
vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.4.0.tar.gz generated vendored Normal file
View File

Binary file not shown.

2
watches.yaml
View File

@@ -3,7 +3,7 @@
- version: v1beta1
group: awx.ansible.com
kind: AWX
role: installer
playbook: playbooks/awx.yml
snakeCaseParameters: False
- version: v1beta1