Pre-create dummy rh secret to avoid errors (#952 )

Upgrade operator-sdk version from 1.22.2 to 1.23.0 (#1038 )
Signed-off-by: Israel Blancas <iblancasa@gmail.com>
2026-03-27 22:03:11 +00:00 · 2022-09-14 19:04:32 -04:00 · 2022-09-12 10:04:07 -04:00 · 2022-09-09 15:13:05 -04:00 · 2022-08-31 18:46:33 -04:00 · 2022-08-31 17:06:01 -04:00
31 changed files with 278 additions and 261 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /charts
 /.cr-release-packages
 .vscode/
+__pycache__
--- a/8
+++ b/8
@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.22.2
+FROM quay.io/operator-framework/ansible-operator:v1.23.0
+
+USER 0
+
+RUN dnf install -y openssl
+
+USER 1001

 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION
--- a/4
+++ b/4
@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.5/kustomize_v4.5.5_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.23.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
--- a/README.md
+++ b/README.md
@@ -241,7 +241,7 @@ awx-demo-service    NodePort    10.109.40.38   <none>        80:31006/TCP   3m56
 Once deployed, the AWX instance will be accessible by running:

 ```
-$ minikube service awx-demo-service --url -n $NAMESPACE
+$ minikube service awx-demo-service --url
 ```

 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
@@ -442,6 +442,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ------------------- | ---------------------------------------- | --------------------------- |
 | ingress_annotations | Ingress annotations                      | Empty string                |
 | ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
+| ingress_class_name  | Define the ingress class name            | Cluster default             |
 | hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
 | ingress_path        | Define the ingress path to the service   | /                           |
 | ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
--- a/config/crd/bases/awx.ansible.com_awxbackups.yaml
+++ b/config/crd/bases/awx.ansible.com_awxbackups.yaml
@@ -55,7 +55,7 @@ spec:
                description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
                type: string
              backup_resource_requirements:
-                description: Resource requirements for the task container
+                description: Resource requirements for the management pod used to create a backup
                properties:
                  requests:
                    properties:
--- a/config/crd/bases/awx.ansible.com_awxrestores.yaml
+++ b/config/crd/bases/awx.ansible.com_awxrestores.yaml
@@ -62,8 +62,8 @@ spec:
              backup_dir:
                description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
                type: string
-              backup_resource_requirements:
-                description: Resource requirements for the management pod that backs up AWX
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
                properties:
                  requests:
                    properties:
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -115,6 +115,9 @@ spec:
              ingress_tls_secret:
                description: Secret where the Ingress TLS secret can be found
                type: string
+              ingress_class_name:
+                description: The name of ingress class to use instead of the cluster default.
+                type: string
              loadbalancer_protocol:
                description: Protocol to use for the loadbalancer
                type: string
--- a/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml
+++ b/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml
@@ -1,105 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxbackups.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXBackup
-    listKind: AWXBackupList
-    plural: awxbackups
-    singular: awxbackup
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXBackup CRD
-          properties:
-            spec:
-              type: object
-              required:
-                - deployment_name
-              properties:
-                backup_resource_requirements:
-                  description: Resource requirements for the task container
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                  type: object
-                deployment_name:
-                  description: Name of the deployment to be backed up
-                  type: string
-                backup_pvc:
-                  description: Name of the backup PVC
-                  type: string
-                backup_pvc_namespace:
-                  description: (Deprecated) Namespace the PVC is in
-                  type: string
-                backup_storage_requirements:
-                  description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
-                  type: string
-                backup_storage_class:
-                  description: Storage class to use when creating PVC for backup
-                  type: string
-                clean_backup_on_delete:
-                  description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
-                  type: boolean
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-                no_log:
-                  description: Configure no_log for no_log tasks
-                  type: string
-                set_self_labels:
-                  description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
-                  type: boolean
-                  default: true
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                backupDirectory:
-                  description: Backup directory name on the specified pvc
-                  type: string
-                backupClaim:
-                  description: Backup persistent volume claim
-                  type: string
--- a/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml
+++ b/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml
@@ -1,104 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxrestores.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXRestore
-    listKind: AWXRestoreList
-    plural: awxrestores
-    singular: awxrestore
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXRestore CRD
-          properties:
-            spec:
-              type: object
-              properties:
-                backup_source:
-                  description: Backup source
-                  type: string
-                  enum:
-                    - CR
-                    - PVC
-                restore_resource_requirements:
-                  description: Resource requirements for the management pod the restores the database to the new AWX instance
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                  type: object
-                deployment_name:
-                  description: Name of the restored deployment. This should be different from the original deployment name
-                    if the original deployment still exists.
-                  type: string
-                backup_name:
-                  description: AWXBackup object name
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
-                  type: string
-                backup_pvc_namespace:
-                  description: (Deprecated) Namespace the PVC is in
-                  type: string
-                backup_dir:
-                  description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-                no_log:
-                  description: Configure no_log for no_log tasks
-                  type: string
-                set_self_labels:
-                  description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
-                  type: boolean
-                  default: true
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                restoreComplete:
-                  description: Restore process complete
-                  type: boolean
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -9,10 +9,12 @@ namespace: awx
 namePrefix: awx-operator-

 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue

-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -16,7 +16,7 @@ spec:
        # capabilities:
        #   drop:
        #     - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
        args:
        - "--secure-listen-address=0.0.0.0:8443"
        - "--upstream=http://127.0.0.1:8080/"
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -193,6 +193,12 @@ spec:
        - urn:alm:descriptor:com.tectonic.ui:select:none
        - urn:alm:descriptor:com.tectonic.ui:select:Ingress
        - urn:alm:descriptor:com.tectonic.ui:select:Route
+      - displayName: Ingress Class Name
+        path: ingress_class_name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
      - displayName: Ingress Path
        path: ingress_path
        x-descriptors:
--- a/config/scorecard/patches/basic.config.yaml
+++ b/config/scorecard/patches/basic.config.yaml
@@ -4,7 +4,7 @@
    entrypoint:
    - scorecard-test
    - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: basic
      test: basic-check-spec-test
--- a/config/scorecard/patches/olm.config.yaml
+++ b/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@
    entrypoint:
    - scorecard-test
    - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: olm
      test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
    entrypoint:
    - scorecard-test
    - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: olm
      test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
    entrypoint:
    - scorecard-test
    - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: olm
      test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
    entrypoint:
    - scorecard-test
    - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: olm
      test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
    entrypoint:
    - scorecard-test
    - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
    labels:
      suite: olm
      test: olm-status-descriptors-test
--- a/playbooks/awx.yml
+++ b/playbooks/awx.yml
@@ -0,0 +1,31 @@
+---
+- hosts: localhost
+  gather_facts: no
+  collections:
+    - kubernetes.core
+    - operator_sdk.util
+  vars:
+    no_log: true
+  pre_tasks:
+    - name: Verify imagePullSecrets
+      k8s_info:
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: redhat-operators-pull-secret
+      register: _rh_ops_secret
+      no_log: "{{ no_log }}"
+    - name: Create imagePullSecret
+      k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: redhat-operators-pull-secret
+            namespace: '{{ ansible_operator_meta.namespace }}'
+          stringData:
+            operator: awx
+      when:
+        - (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
+  roles:
+    - installer
--- a/requirements.yml
+++ b/requirements.yml
@@ -3,4 +3,4 @@ collections:
  - name: kubernetes.core
    version: '>=2.3.2'
  - name: operator_sdk.util
-    version: "0.2.0"
+    version: "0.4.0"
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -9,6 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
+ingress_class_name: ''
 ingress_path: '/'
 ingress_path_type: 'Prefix'
 # Add annotations to the service account. Specify as literal block. E.g.:
@@ -130,8 +131,6 @@ _redis_image: docker.io/redis
 _redis_image_version: 7
 _postgres_image: postgres
 _postgres_image_version: 13
-_init_container_image: quay.io/centos/centos
-_init_container_image_version: stream8
 image_pull_policy: IfNotPresent
 image_pull_secrets: []

@@ -157,6 +156,9 @@ ee_images:

 _control_plane_ee_image: quay.io/ansible/awx-ee:latest

+_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
+_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
+
 create_preload_data: true

 replicas: "1"
--- a/roles/installer/tasks/install.yml
+++ b/roles/installer/tasks/install.yml
@@ -10,12 +10,7 @@
      metadata:
        name: '{{ ansible_operator_meta.name }}'
        namespace: '{{ ansible_operator_meta.namespace }}'
-        labels:
-          app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-          app.kubernetes.io/component: '{{ deployment_type }}'
-          app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+        labels: '{{ lookup("template", "labels/common.yaml.j2") | from_yaml }}'
  when: set_self_labels | bool

 - name: Include secret key configuration tasks
--- a/roles/installer/tasks/resources_configuration.yml
+++ b/roles/installer/tasks/resources_configuration.yml
@@ -27,6 +27,95 @@
  set_fact:
    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"

+- name: Check for Receptor CA Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  register: _receptor_ca
+  no_log: "{{ no_log }}"
+
+- name: Create Receptor Mesh CA
+  block:
+    - name: Create tempfile for receptor-ca.key
+      tempfile:
+        state: file
+        suffix: .key
+      register: _receptor_ca_key_file
+    - name: Generate Receptor CA key
+      command: |
+        openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor-ca.crt
+      tempfile:
+        state: file
+        suffix: .crt
+      register: _receptor_ca_crt_file
+    - name: Generate Receptor CA cert
+      command: |
+        openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
+          -subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
+          -sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
+      no_log: "{{ no_log }}"
+    - name: Create Receptor CA secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_ca_key_file.path }}"
+        - "{{ _receptor_ca_crt_file.path }}"
+  when: not _receptor_ca['resources'] | default([]) | length
+
+- name: Check for Receptor work signing Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  register: _receptor_work_signing
+  no_log: "{{ no_log }}"
+
+- name: Generate Receptor work signing RSA key pair
+  block:
+    - name: Create tempfile for receptor work signing private key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_private_key_file
+    - name: Generate Receptor work signing private key
+      command: |
+        openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor work signing public key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_public_key_file
+    - name: Generate Receptor work signing public key
+      command: |
+        openssl rsa \
+          -in {{ _receptor_work_signing_private_key_file.path }} \
+          -out {{ _receptor_work_signing_public_key_file.path }} \
+          -outform PEM -pubout
+      no_log: "{{ no_log }}"
+    - name: Create Receptor work signing Secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_work_signing_private_key_file.path }}"
+        - "{{ _receptor_work_signing_public_key_file.path }}"
+  when: not _receptor_work_signing['resources'] | default([]) | length
+
 - name: Apply Resources
  k8s:
    apply: yes
--- a/roles/installer/templates/configmaps/config.yaml.j2
+++ b/roles/installer/templates/configmaps/config.yaml.j2
@@ -236,30 +236,38 @@ data:
  receptor_conf: |
    ---
    - log-level: debug
-
+    - local-only: null
+    - node:
+       firewallrules:
+        - action: reject
+          tonode: HOSTNAME
+          toservice: control
    - control-service:
        service: control
        filename: /var/run/receptor/receptor.sock
-        permissions: 0660
-
-    - local-only:
-
+        permissions: '0660'
    - work-command:
        worktype: local
        command: ansible-runner
        params: worker
        allowruntimeparams: true
-
    - work-kubernetes:
        worktype: kubernetes-runtime-auth
        authmethod: runtime
        allowruntimeauth: true
        allowruntimepod: true
        allowruntimeparams: true
-
    - work-kubernetes:
        worktype: kubernetes-incluster-auth
        authmethod: incluster
        allowruntimeauth: true
        allowruntimepod: true
        allowruntimeparams: true
+    - tls-client:
+        cert: /etc/receptor/tls/receptor.crt
+        key: /etc/receptor/tls/receptor.key
+        name: tlsclient
+        rootcas: /etc/receptor/tls/ca/receptor-ca.crt
+    - work-signing:
+        privatekey: /etc/receptor/signing/work-private-key.pem
+        tokenexpiration: 1m
--- a/roles/installer/templates/deployments/deployment.yaml.j2
+++ b/roles/installer/templates/deployments/deployment.yaml.j2
@@ -6,12 +6,8 @@ metadata:
  name: '{{ ansible_operator_meta.name }}'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
-    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+    {{ lookup("template", "labels/common.yaml.j2")  | indent(width=4) | trim }}
+    {{ lookup("template", "labels/version.yaml.j2") | indent(width=4) | trim }}
 spec:
  replicas: {{ replicas }}
  selector:
@@ -22,11 +18,8 @@ spec:
  template:
    metadata:
      labels:
-        app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-        app.kubernetes.io/component: '{{ deployment_type }}'
+        {{ lookup("template", "labels/common.yaml.j2")  | indent(width=8) | trim }}
+        {{ lookup("template", "labels/version.yaml.j2") | indent(width=8) | trim }}
 {% if annotations %}
      annotations:
        {{ annotations | indent(width=8) }}
@@ -46,7 +39,6 @@ spec:
      priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
      initContainers:
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
        - name: init
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
@@ -54,6 +46,9 @@ spec:
            - /bin/sh
            - -c
            - |
+              hostname=$MY_POD_NAME
+              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
+              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
 {% if bundle_ca_crt  %}
              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
              update-ca-trust
@@ -65,7 +60,17 @@ spec:
 {% if init_container_extra_commands %}
              {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
          volumeMounts:
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
 {% if bundle_ca_crt  %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
@@ -80,7 +85,6 @@ spec:
 {% endif %}
 {% if init_container_extra_volume_mounts -%}
            {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
-{% endif %}
 {% endif %}
      containers:
        - image: '{{ _redis_image }}'
@@ -170,6 +174,13 @@ spec:
              mountPath: "/var/lib/awx/rsyslog"
            - name: "{{ ansible_operator_meta.name }}-projects"
              mountPath: "/var/lib/awx/projects"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-public-key.pem"
+              subPath: "work-public-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca"
+              readOnly: true
 {% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
@@ -243,8 +254,10 @@ spec:
            - name: rsyslog-dir
              mountPath: "/var/lib/awx/rsyslog"
            - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
-              subPath: receptor.conf
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
              readOnly: true
            - name: receptor-socket
              mountPath: "/var/run/receptor"
@@ -286,7 +299,15 @@ spec:
          name: '{{ ansible_operator_meta.name }}-ee'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ ee_resource_requirements }}
-          args: ['receptor', '--config', '/etc/receptor/receptor.conf']
+          args:
+            - /bin/sh
+            - -c
+            - |
+              if [ ! -f /etc/receptor/receptor.conf ]; then
+                cp /etc/receptor/receptor-default.conf /etc/receptor/receptor.conf
+                sed -i "s/HOSTNAME/$HOSTNAME/g" /etc/receptor/receptor.conf
+              fi
+              exec receptor --config /etc/receptor/receptor.conf
          volumeMounts:
 {% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
@@ -296,10 +317,21 @@ spec:
              subPath: bundle-ca.crt
              readOnly: true
 {% endif %}
-            - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
+            - name: "{{ ansible_operator_meta.name }}-default-receptor-config"
+              mountPath: "/etc/receptor/receptor-default.conf"
              subPath: receptor.conf
+            - name: "{{ ansible_operator_meta.name }}-receptor-config"
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "receptor-ca.crt"
              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
            - name: receptor-socket
              mountPath: "/var/run/receptor"
            - name: "{{ ansible_operator_meta.name }}-projects"
@@ -377,6 +409,14 @@ spec:
                path: 'ldap.py'
              - key: execution_environments.py
                path: 'execution_environments.py'
+        - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+          emptyDir: {}
+        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
+        - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
        - name: "{{ secret_key_secret_name }}"
          secret:
            secretName: '{{ secret_key_secret_name }}'
@@ -414,6 +454,8 @@ spec:
        - name: rsyslog-dir
          emptyDir: {}
        - name: {{ ansible_operator_meta.name }}-receptor-config
+          emptyDir: {}
+        - name: {{ ansible_operator_meta.name }}-default-receptor-config
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
--- a/roles/installer/templates/labels/common.yaml.j2
+++ b/roles/installer/templates/labels/common.yaml.j2
@@ -0,0 +1,6 @@
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
+app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+app.kubernetes.io/component: '{{ deployment_type }}'
+app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
--- a/roles/installer/templates/labels/version.yaml.j2
+++ b/roles/installer/templates/labels/version.yaml.j2
@@ -0,0 +1 @@
+app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
--- a/roles/installer/templates/networking/ingress.yaml.j2
+++ b/roles/installer/templates/networking/ingress.yaml.j2
@@ -16,6 +16,9 @@ metadata:
    {{ ingress_annotations | indent(width=4) }}
 {% endif %}
 spec:
+{% if ingress_class_name %}
+  ingressClassName: '{{ ingress_class_name }}'
+{% endif %}
  rules:
    - http:
        paths:
--- a/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2
+++ b/roles/installer/templates/secrets/receptor_ca_secret.yaml.j2
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+data:
+  receptor-ca.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
+  receptor-ca.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'
--- a/roles/installer/templates/secrets/receptor_work_signing_secret.yaml.j2
+++ b/roles/installer/templates/secrets/receptor_work_signing_secret.yaml.j2
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+data:
+  work-private-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_private_key_file.path }}') | b64encode }}'
+  work-public-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_public_key_file.path }}') | b64encode }}'
--- a/vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-1.1.1.tar.gz
+++ b/vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-1.1.1.tar.gz
--- a/vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-2.3.2.tar.gz
+++ b/vendor/galaxy.ansible.com/kubernetes/core/kubernetes-core-2.3.2.tar.gz
--- a/vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.1.0.tar.gz
+++ b/vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.1.0.tar.gz
--- a/vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.4.0.tar.gz
+++ b/vendor/galaxy.ansible.com/operator_sdk/util/operator_sdk-util-0.4.0.tar.gz
--- a/watches.yaml
+++ b/watches.yaml
@@ -3,7 +3,7 @@
 - version: v1beta1
  group: awx.ansible.com
  kind: AWX
-  role: installer
+  playbook: playbooks/awx.yml
  snakeCaseParameters: False

 - version: v1beta1
Author	SHA1	Message	Date
Christian Adams	e8096a5f33	Pre-create dummy rh secret to avoid errors (#952 )	2022-09-14 19:04:32 -04:00
Israel Blancas	271bce48bd	Upgrade operator-sdk version from 1.22.2 to 1.23.0 (#1038 ) Signed-off-by: Israel Blancas <iblancasa@gmail.com>	2022-09-12 10:04:07 -04:00
Hao Liu	d64c34f8a4	Add receptor firewall rules to control nodes (#1012 ) Support external execution nodes - Allow receptor.conf to be editable at runtime - Create CA cert and key as a k8s secret - Create work signing RSA keypair as a k8s secret - Setup volume mounts for containers to have access to the needed Receptor keys / certs to facilitate generating the install bundle for a new execution node - added firewall rule, work signing and tls cert configuration to default receptor.conf The volume mount changes in this PR fulfill the following: - `receptor.conf` need to be shared between task container and ee container - task container writes the `receptor.conf` - ee consume the `receptor.conf` - receptor ca cert/key need to be mounted by both ee container and web container - ee container need the ca cert - web container will need the ca key to sign client cert for remote execution node - web container will need the ca cert to generate install bundle for remote execution node - receptor work private/public key need to be mounted by both ee container and web container - ee container need to private key to sign the work - web container need the public key to generate install bundle for remote execution node - task container need the private key to sign the work Signed-off-by: Hao Liu <haoli@redhat.com> Co-Authored-By: Seth Foster <fosterbseth@gmail.com> Co-Authored-By: Shane McDonald <me@shanemcd.com> Signed-off-by: Hao Liu <haoli@redhat.com> Co-authored-by: Shane McDonald <me@shanemcd.com> Co-authored-by: Seth Foster <fosterbseth@gmail.com>	2022-09-09 15:13:05 -04:00
Christian Adams	1bddb98476	Update requirements.yml and vendor new collections (#1045 )	2022-08-31 18:46:33 -04:00
Christian Adams	5f183999d0	Fix restore resource requirements field name for management pod resources (#1044 )	2022-08-31 17:06:01 -04:00
Shane McDonald	3769897131	Merge pull request #1041 from shanemcd/ignore-pycache Add __pycache__ to gitignore	2022-08-30 11:26:02 -04:00
Shane McDonald	7f86231009	Add __pycache__ to gitignore	2022-08-30 11:14:49 -04:00
Shane McDonald	f59dac829a	Merge pull request #1040 from shanemcd/reusable-labels Move labels into reusable templates	2022-08-30 11:13:47 -04:00
Shane McDonald	edecf4d2fe	Move labels into reusable templates	2022-08-30 11:00:43 -04:00
Shane McDonald	4120b5e2b0	Merge pull request #977 from somebadcode/add-ingress-class-name-to-ingress-template Adding ingress class name to ingress template (#716)	2022-08-29 09:12:52 -04:00
Tobias Dahlberg	8dabca5418	Adding ingress class name to ingress template (#716 )	2022-08-29 11:11:19 +02:00
Fedor V	1d341a21d0	feat(readme): remove use of NAMESPACE var (#1028 ) - it was used previously, but not anymore	2022-08-25 16:21:58 -04:00
				`@@ -0,0 +1 @@`
				`app.kubernetes.io/version: '{{ _image.split(':')[-1] \| truncate(63, True, '') }}'`