Merge pull request #1061 from fosterseth/add_custom_ca_docs

Add docs for adding execution nodes and custom CA

.gitignore

@@ -7,3 +7,4 @@
 /charts
 /.cr-release-packages
 .vscode/
+__pycache__

Dockerfile

@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.22.2
+FROM quay.io/operator-framework/ansible-operator:v1.23.0
+
+USER 0
+
+RUN dnf install -y openssl
+
+USER 1001
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION

Makefile

@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.5/kustomize_v4.5.5_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.23.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -354,6 +354,9 @@ helm-package: cr helm-chart
 	@echo "== CHART RELEASER (package) =="
 	$(CR) package ./charts/awx-operator
 
+# List all tags oldest to newest.
+TAGS := $(shell git tag -l  --sort=creatordate)
+
 # The actual release happens in ansible/helm-release.yml
 # until https://github.com/helm/chart-releaser/issues/122 happens
 .PHONY: helm-index
@@ -362,6 +365,20 @@ helm-index: cr helm-chart
 	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
 	git fetch httpsorigin
 
+	# This step to workaround issues with old releases being dropped.
+	# Until https://github.com/helm/chart-releaser/issues/133 happens
+	@echo "== CHART FETCH previous releases =="
+	# Download all old releases
+	cd .cr-release-packages;\
+	for tag in $(TAGS); do\
+		dl_url="https://github.com/$${CHART_OWNER}/$${CHART_REPO}/releases/download/$${tag}/$${CHART_REPO}-$${tag}.tgz";\
+		curl -RLOs -z "$${CHART_REPO}-$${tag}.tgz" --fail $${dl_url};\
+		result=$$?;\
+		if [ $${result} -eq 0 ]; then\
+			echo "Downloaded $$dl_url";\
+		fi;\
+	done
+
 	@echo "== CHART RELEASER (index) =="
 	$(CR) index \
 		--owner "$(CHART_OWNER)" \

README.md

@@ -55,6 +55,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
             * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
             * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
             * [Steps to upgrade](#steps-to-upgrade)
+      * [Add Execution Nodes](#adding-execution-nodes)
+          * [Custom Receptor CA](#custom-receptor-ca)
    * [Contributing](#contributing)
    * [Release Process](#release-process)
    * [Author](#author)
@@ -241,7 +243,7 @@ awx-demo-service    NodePort    10.109.40.38   <none>        80:31006/TCP   3m56
 Once deployed, the AWX instance will be accessible by running:
 
 ```
-$ minikube service awx-demo-service --url -n $NAMESPACE
+$ minikube service awx-demo-service --url
 ```
 
 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
@@ -442,6 +444,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ------------------- | ---------------------------------------- | --------------------------- |
 | ingress_annotations | Ingress annotations                      | Empty string                |
 | ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
+| ingress_class_name  | Define the ingress class name            | Cluster default             |
 | hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
 | ingress_path        | Define the ingress path to the service   | /                           |
 | ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
@@ -1199,6 +1202,33 @@ Then install the new AWX Operator by following the instructions in [Basic Instal
 
 Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
 
+### Adding Execution Nodes
+Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
+See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature.
+
+#### Custom Receptor CA
+The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
+Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
+
+A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
+
+Given custom `ca.crt` and `ca.key` stored locally, run the following,
+
+```bash
+kubectl create secret tls awx-demo-receptor-ca \
+   --cert=/path/to/ca.crt --key=/path/to/ca.key
+```
+
+The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
+
+If this secret is created after AWX is deployed, run the following to restart the deployment,
+
+```bash
+kubectl rollout restart deployment awx-demo
+```
+
+**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.
+
 ## Contributing
 
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -55,7 +55,7 @@ spec:
                 description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
                 type: string
               backup_resource_requirements:
-                description: Resource requirements for the task container
+                description: Resource requirements for the management pod used to create a backup
                 properties:
                   requests:
                     properties:

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -62,8 +62,8 @@ spec:
               backup_dir:
                 description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
                 type: string
-              backup_resource_requirements:
-                description: Resource requirements for the management pod that backs up AWX
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
                 properties:
                   requests:
                     properties:

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -115,6 +115,9 @@ spec:
               ingress_tls_secret:
                 description: Secret where the Ingress TLS secret can be found
                 type: string
+              ingress_class_name:
+                description: The name of ingress class to use instead of the cluster default.
+                type: string
               loadbalancer_protocol:
                 description: Protocol to use for the loadbalancer
                 type: string

config/crd/bases/awxbackup.ansible.com_awxbackups.yaml

@@ -1,105 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxbackups.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXBackup
-    listKind: AWXBackupList
-    plural: awxbackups
-    singular: awxbackup
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXBackup CRD
-          properties:
-            spec:
-              type: object
-              required:
-                - deployment_name
-              properties:
-                backup_resource_requirements:
-                  description: Resource requirements for the task container
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                  type: object
-                deployment_name:
-                  description: Name of the deployment to be backed up
-                  type: string
-                backup_pvc:
-                  description: Name of the backup PVC
-                  type: string
-                backup_pvc_namespace:
-                  description: (Deprecated) Namespace the PVC is in
-                  type: string
-                backup_storage_requirements:
-                  description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
-                  type: string
-                backup_storage_class:
-                  description: Storage class to use when creating PVC for backup
-                  type: string
-                clean_backup_on_delete:
-                  description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
-                  type: boolean
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-                no_log:
-                  description: Configure no_log for no_log tasks
-                  type: string
-                set_self_labels:
-                  description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
-                  type: boolean
-                  default: true
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                backupDirectory:
-                  description: Backup directory name on the specified pvc
-                  type: string
-                backupClaim:
-                  description: Backup persistent volume claim
-                  type: string

config/crd/bases/awxrestore.ansible.com_awxrestores.yaml

@@ -1,104 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxrestores.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXRestore
-    listKind: AWXRestoreList
-    plural: awxrestores
-    singular: awxrestore
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXRestore CRD
-          properties:
-            spec:
-              type: object
-              properties:
-                backup_source:
-                  description: Backup source
-                  type: string
-                  enum:
-                    - CR
-                    - PVC
-                restore_resource_requirements:
-                  description: Resource requirements for the management pod the restores the database to the new AWX instance
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                      type: object
-                  type: object
-                deployment_name:
-                  description: Name of the restored deployment. This should be different from the original deployment name
-                    if the original deployment still exists.
-                  type: string
-                backup_name:
-                  description: AWXBackup object name
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
-                  type: string
-                backup_pvc_namespace:
-                  description: (Deprecated) Namespace the PVC is in
-                  type: string
-                backup_dir:
-                  description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-                no_log:
-                  description: Configure no_log for no_log tasks
-                  type: string
-                set_self_labels:
-                  description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
-                  type: boolean
-                  default: true
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                restoreComplete:
-                  description: Restore process complete
-                  type: boolean

config/default/kustomization.yaml

@@ -9,10 +9,12 @@ namespace: awx
 namePrefix: awx-operator-
 
 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager

config/default/manager_auth_proxy_patch.yaml

@@ -16,7 +16,7 @@ spec:
         # capabilities:
         #   drop:
         #     - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -193,6 +193,12 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:none
         - urn:alm:descriptor:com.tectonic.ui:select:Ingress
         - urn:alm:descriptor:com.tectonic.ui:select:Route
+      - displayName: Ingress Class Name
+        path: ingress_class_name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
       - displayName: Ingress Path
         path: ingress_path
         x-descriptors:

config/scorecard/patches/basic.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
     entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
     entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.22.2
+    image: quay.io/operator-framework/scorecard-test:v1.23.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

playbooks/awx.yml

@@ -0,0 +1,31 @@
+---
+- hosts: localhost
+  gather_facts: no
+  collections:
+    - kubernetes.core
+    - operator_sdk.util
+  vars:
+    no_log: true
+  pre_tasks:
+    - name: Verify imagePullSecrets
+      k8s_info:
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: redhat-operators-pull-secret
+      register: _rh_ops_secret
+      no_log: "{{ no_log }}"
+    - name: Create imagePullSecret
+      k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: redhat-operators-pull-secret
+            namespace: '{{ ansible_operator_meta.namespace }}'
+          stringData:
+            operator: awx
+      when:
+        - (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
+  roles:
+    - installer

requirements.yml

@@ -3,4 +3,4 @@ collections:
   - name: kubernetes.core
     version: '>=2.3.2'
   - name: operator_sdk.util
-    version: "0.2.0"
+    version: "0.4.0"

roles/common/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+deployment_type: awx
+kind: 'AWX'
+api_version: '{{ deployment_type }}.ansible.com/v1beta1'
+
+# Used to determine some cluster specific logic regarding projects_persistence pvc permissions
+is_k8s: false
+is_openshift: false

roles/common/meta/main.yml

@@ -0,0 +1,32 @@
+---
+galaxy_info:
+  author: Ansible
+  description: AWX role for AWX Operator for Kubernetes.
+  company: Red Hat, Inc.
+
+  license: MIT
+
+  min_ansible_version: 2.8
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - tower
+    - awx
+    - ansible
+    - automation
+    - ci
+    - cd
+    - deployment
+
+dependencies: []
+
+collections:
+  - kubernetes.core
+  - operator_sdk.util

roles/common/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Get information about the cluster
+  set_fact:
+    api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
+  when:
+  - not is_openshift | bool
+  - not is_k8s | bool
+
+- name: Determine the cluster type
+  set_fact:
+    is_openshift: "{{ True if 'route.openshift.io' in api_groups else False }}"
+    is_k8s: "{{ False if 'route.openshift.io' in api_groups else True }}"
+  when:
+  - not is_openshift | bool
+  - not is_k8s | bool
+
+# Indicate what kind of cluster we are in (OpenShift or Kubernetes).
+- debug:
+    msg: "CLUSTER TYPE: is_openshift={{ is_openshift }}; is_k8s={{ is_k8s }}"

roles/installer/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 deployment_type: awx
-kind: '{{ deployment_type | upper }}'
+kind: 'AWX'
 api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 database_name: "{{ deployment_type }}"
@@ -9,6 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
+ingress_class_name: ''
 ingress_path: '/'
 ingress_path_type: 'Prefix'
 # Add annotations to the service account. Specify as literal block. E.g.:
@@ -130,8 +131,6 @@ _redis_image: docker.io/redis
 _redis_image_version: 7
 _postgres_image: postgres
 _postgres_image_version: 13
-_init_container_image: quay.io/centos/centos
-_init_container_image_version: stream8
 image_pull_policy: IfNotPresent
 image_pull_secrets: []
 
@@ -157,6 +156,9 @@ ee_images:
 
 _control_plane_ee_image: quay.io/ansible/awx-ee:latest
 
+_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
+_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
+
 create_preload_data: true
 
 replicas: "1"

roles/installer/meta/main.yml

@@ -25,7 +25,8 @@ galaxy_info:
     - cd
     - deployment
 
-dependencies: []
+dependencies:
+  - role: common
 
 collections:
   - kubernetes.core

roles/installer/tasks/install.yml

@@ -10,12 +10,7 @@
       metadata:
         name: '{{ ansible_operator_meta.name }}'
         namespace: '{{ ansible_operator_meta.namespace }}'
-        labels:
-          app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-          app.kubernetes.io/component: '{{ deployment_type }}'
-          app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+        labels: '{{ lookup("template", "labels/common.yaml.j2") | from_yaml }}'
   when: set_self_labels | bool
 
 - name: Include secret key configuration tasks

roles/installer/tasks/resources_configuration.yml

@@ -27,6 +27,139 @@
   set_fact:
     _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
 
+- name: Check for Receptor CA Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  register: _receptor_ca
+  no_log: "{{ no_log }}"
+
+- name: Migrate Receptor CA Secret
+  when:
+    - _receptor_ca['resources'] | default([]) | length
+    - _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
+  block:
+    - name: Delete old Receptor CA Secret
+      k8s:
+        state: absent
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: '{{ ansible_operator_meta.name }}-receptor-ca'
+    - name: Create tempfile for receptor-ca.key
+      tempfile:
+        state: file
+        suffix: .key
+      register: _receptor_ca_key_file
+    - name: Copy Receptor CA key from old secret to tempfile
+      copy:
+        content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}"
+        dest: "{{ _receptor_ca_key_file.path }}"
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor-ca.crt
+      tempfile:
+        state: file
+        suffix: .crt
+      register: _receptor_ca_crt_file
+    - name: Copy Receptor CA cert from old secret to tempfile
+      copy:
+        content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}"
+        dest: "{{ _receptor_ca_crt_file.path }}"
+      no_log: "{{ no_log }}"
+    - name: Create New Receptor CA secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_ca_key_file.path }}"
+        - "{{ _receptor_ca_crt_file.path }}"
+
+- name: Create Receptor Mesh CA
+  block:
+    - name: Create tempfile for receptor-ca.key
+      tempfile:
+        state: file
+        suffix: .key
+      register: _receptor_ca_key_file
+    - name: Generate Receptor CA key
+      command: |
+        openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor-ca.crt
+      tempfile:
+        state: file
+        suffix: .crt
+      register: _receptor_ca_crt_file
+    - name: Generate Receptor CA cert
+      command: |
+        openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
+          -subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
+          -sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
+      no_log: "{{ no_log }}"
+    - name: Create Receptor CA secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_ca_key_file.path }}"
+        - "{{ _receptor_ca_crt_file.path }}"
+  when: not _receptor_ca['resources'] | default([]) | length
+
+- name: Check for Receptor work signing Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  register: _receptor_work_signing
+  no_log: "{{ no_log }}"
+
+- name: Generate Receptor work signing RSA key pair
+  block:
+    - name: Create tempfile for receptor work signing private key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_private_key_file
+    - name: Generate Receptor work signing private key
+      command: |
+        openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor work signing public key
+      tempfile:
+        state: file
+        suffix: .pem
+      register: _receptor_work_signing_public_key_file
+    - name: Generate Receptor work signing public key
+      command: |
+        openssl rsa \
+          -in {{ _receptor_work_signing_private_key_file.path }} \
+          -out {{ _receptor_work_signing_public_key_file.path }} \
+          -outform PEM -pubout
+      no_log: "{{ no_log }}"
+    - name: Create Receptor work signing Secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_work_signing_private_key_file.path }}"
+        - "{{ _receptor_work_signing_public_key_file.path }}"
+  when: not _receptor_work_signing['resources'] | default([]) | length
+
 - name: Apply Resources
   k8s:
     apply: yes

roles/installer/templates/configmaps/config.yaml.j2

@@ -236,30 +236,38 @@ data:
   receptor_conf: |
     ---
     - log-level: debug
-
+    - local-only: null
+    - node:
+       firewallrules:
+        - action: reject
+          tonode: HOSTNAME
+          toservice: control
     - control-service:
         service: control
         filename: /var/run/receptor/receptor.sock
-        permissions: 0660
-
-    - local-only:
-
+        permissions: '0660'
     - work-command:
         worktype: local
         command: ansible-runner
         params: worker
         allowruntimeparams: true
-
     - work-kubernetes:
         worktype: kubernetes-runtime-auth
         authmethod: runtime
         allowruntimeauth: true
         allowruntimepod: true
         allowruntimeparams: true
-
     - work-kubernetes:
         worktype: kubernetes-incluster-auth
         authmethod: incluster
         allowruntimeauth: true
         allowruntimepod: true
         allowruntimeparams: true
+    - tls-client:
+        cert: /etc/receptor/tls/receptor.crt
+        key: /etc/receptor/tls/receptor.key
+        name: tlsclient
+        rootcas: /etc/receptor/tls/ca/receptor-ca.crt
+    - work-signing:
+        privatekey: /etc/receptor/signing/work-private-key.pem
+        tokenexpiration: 1m

roles/installer/templates/deployments/deployment.yaml.j2

@@ -6,12 +6,8 @@ metadata:
   name: '{{ ansible_operator_meta.name }}'
   namespace: '{{ ansible_operator_meta.namespace }}'
   labels:
-    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+    {{ lookup("template", "labels/common.yaml.j2")  | indent(width=4) | trim }}
+    {{ lookup("template", "labels/version.yaml.j2") | indent(width=4) | trim }}
 spec:
   replicas: {{ replicas }}
   selector:
@@ -22,11 +18,8 @@ spec:
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
-        app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-        app.kubernetes.io/component: '{{ deployment_type }}'
+        {{ lookup("template", "labels/common.yaml.j2")  | indent(width=8) | trim }}
+        {{ lookup("template", "labels/version.yaml.j2") | indent(width=8) | trim }}
 {% if annotations %}
       annotations:
         {{ annotations | indent(width=8) }}
@@ -46,7 +39,6 @@ spec:
       priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
       initContainers:
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
@@ -54,18 +46,36 @@ spec:
             - /bin/sh
             - -c
             - |
+              hostname=$MY_POD_NAME
+              receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
+              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
 {% if bundle_ca_crt  %}
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
 {% endif %}
-{% if projects_persistence|bool %}
+{% if projects_persistence|bool and is_k8s|bool %}
               chmod 775 /var/lib/awx/projects
               chgrp 1000 /var/lib/awx/projects
 {% endif %}
 {% if init_container_extra_commands %}
               {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
           volumeMounts:
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "tls.crt"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              subPath: "tls.key"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
 {% if bundle_ca_crt  %}
             - name: "ca-trust-extracted"
               mountPath: "/etc/pki/ca-trust/extracted"
@@ -74,13 +84,12 @@ spec:
               subPath: bundle-ca.crt
               readOnly: true
 {% endif %}
-{% if projects_persistence|bool %}
+{% if projects_persistence|bool and is_k8s|bool %}
             - name: "{{ ansible_operator_meta.name }}-projects"
               mountPath: "/var/lib/awx/projects"
 {% endif %}
 {% if init_container_extra_volume_mounts -%}
             {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
-{% endif %}
 {% endif %}
       containers:
         - image: '{{ _redis_image }}'
@@ -170,6 +179,18 @@ spec:
               mountPath: "/var/lib/awx/rsyslog"
             - name: "{{ ansible_operator_meta.name }}-projects"
               mountPath: "/var/lib/awx/projects"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-public-key.pem"
+              subPath: "work-public-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "tls.crt"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              subPath: "tls.key"
+              readOnly: true
 {% if development_mode | bool %}
             - name: awx-devel
               mountPath: "/awx_devel"
@@ -243,8 +264,10 @@ spec:
             - name: rsyslog-dir
               mountPath: "/var/lib/awx/rsyslog"
             - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
-              subPath: receptor.conf
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
               readOnly: true
             - name: receptor-socket
               mountPath: "/var/run/receptor"
@@ -286,7 +309,15 @@ spec:
           name: '{{ ansible_operator_meta.name }}-ee'
           imagePullPolicy: '{{ image_pull_policy }}'
           resources: {{ ee_resource_requirements }}
-          args: ['receptor', '--config', '/etc/receptor/receptor.conf']
+          args:
+            - /bin/sh
+            - -c
+            - |
+              if [ ! -f /etc/receptor/receptor.conf ]; then
+                cp /etc/receptor/receptor-default.conf /etc/receptor/receptor.conf
+                sed -i "s/HOSTNAME/$HOSTNAME/g" /etc/receptor/receptor.conf
+              fi
+              exec receptor --config /etc/receptor/receptor.conf
           volumeMounts:
 {% if bundle_ca_crt %}
             - name: "ca-trust-extracted"
@@ -296,10 +327,21 @@ spec:
               subPath: bundle-ca.crt
               readOnly: true
 {% endif %}
-            - name: "{{ ansible_operator_meta.name }}-receptor-config"
-              mountPath: "/etc/receptor/receptor.conf"
+            - name: "{{ ansible_operator_meta.name }}-default-receptor-config"
+              mountPath: "/etc/receptor/receptor-default.conf"
               subPath: receptor.conf
+            - name: "{{ ansible_operator_meta.name }}-receptor-config"
+              mountPath: "/etc/receptor/"
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "tls.crt"
               readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              subPath: "work-private-key.pem"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+              mountPath: "/etc/receptor/tls/"
             - name: receptor-socket
               mountPath: "/var/run/receptor"
             - name: "{{ ansible_operator_meta.name }}-projects"
@@ -329,9 +371,9 @@ spec:
       tolerations:
         {{ tolerations | indent(width=8) }}
 {% endif %}
-{% if projects_persistence|bool or (security_context_settings|length) %}
+{% if (projects_persistence|bool and is_k8s|bool) or (security_context_settings|length) %}
       securityContext:
-{% if projects_persistence|bool %}
+{% if projects_persistence|bool and is_k8s|bool %}
         fsGroup: 1000
 {% endif %}
 {% if security_context_settings|length %}
@@ -377,6 +419,14 @@ spec:
                 path: 'ldap.py'
               - key: execution_environments.py
                 path: 'execution_environments.py'
+        - name: "{{ ansible_operator_meta.name }}-receptor-tls"
+          emptyDir: {}
+        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
+        - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
+          secret:
+            secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
         - name: "{{ secret_key_secret_name }}"
           secret:
             secretName: '{{ secret_key_secret_name }}'
@@ -414,6 +464,8 @@ spec:
         - name: rsyslog-dir
           emptyDir: {}
         - name: {{ ansible_operator_meta.name }}-receptor-config
+          emptyDir: {}
+        - name: {{ ansible_operator_meta.name }}-default-receptor-config
           configMap:
             name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
             items:

roles/installer/templates/labels/common.yaml.j2

@@ -0,0 +1,6 @@
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
+app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+app.kubernetes.io/component: '{{ deployment_type }}'
+app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'

roles/installer/templates/labels/version.yaml.j2

@@ -0,0 +1 @@
+app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'

roles/installer/templates/networking/ingress.yaml.j2

@@ -16,6 +16,9 @@ metadata:
     {{ ingress_annotations | indent(width=4) }}
 {% endif %}
 spec:
+{% if ingress_class_name %}
+  ingressClassName: '{{ ingress_class_name }}'
+{% endif %}
   rules:
     - http:
         paths:

roles/installer/templates/secrets/receptor_ca_secret.yaml.j2

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-ca'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+type: kubernetes.io/tls
+data:
+  tls.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
+  tls.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'

roles/installer/templates/secrets/receptor_work_signing_secret.yaml.j2

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+data:
+  work-private-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_private_key_file.path }}') | b64encode }}'
+  work-public-key.pem: '{{ lookup('file', '{{ _receptor_work_signing_public_key_file.path }}') | b64encode }}'

watches.yaml

@@ -3,7 +3,7 @@
 - version: v1beta1
   group: awx.ansible.com
   kind: AWX
-  role: installer
+  playbook: playbooks/awx.yml
   snakeCaseParameters: False
 
 - version: v1beta1