add default cluster name (#1129)

* add default cluster name

* Update awx.ansible.com_awxrestores.yaml

Co-authored-by: Kirill Smirnov <kirilsmirnov@x5.ru>

.github/workflows/ci.yaml

@@ -82,3 +82,18 @@ jobs:
       - name: Install helm chart
         run: |
           helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
+  no-log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v2
+
+      - name: Check no_log statements
+        run: |
+          set +e
+          no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
+          if [ -n "${no_log}" ]; then
+            echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
+            echo "${no_log}"
+            exit 1
+          fi

.github/workflows/label_issue.yml

@@ -0,0 +1,54 @@
+---
+name: Label Issues
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label Issue - Needs Triage
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'
+
+  community:
+    runs-on: ubuntu-latest
+    name: Label Issue - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/label_pr.yml

@@ -0,0 +1,40 @@
+name: Label PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  community:
+    runs-on: ubuntu-latest
+    name: Label PR - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/triage_new.yml

@@ -1,22 +0,0 @@
----
-name: Triage
-
-on:
-  issues:
-    types:
-      - opened
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    name: Label
-
-    steps:
-      - name: Label issues
-        uses: github/issue-labeler@v2.4.1
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          not-before: 2021-12-07T07:00:00Z
-          configuration-path: .github/issue_labeler.yml
-          enable-versioned-regex: 0
-        if: github.event_name == 'issues'

Makefile

@@ -296,8 +296,8 @@ helm-chart: helm-chart-generate
 helm-chart-generate: kustomize helm kubectl-slice yq charts
 	@echo "== KUSTOMIZE: Set image and chart label =="
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
-	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
 
 	@echo "== Gather Helm Chart Metadata =="
 	# remove the existing chart if it exists
@@ -354,6 +354,9 @@ helm-package: cr helm-chart
 	@echo "== CHART RELEASER (package) =="
 	$(CR) package ./charts/awx-operator
 
+# List all tags oldest to newest.
+TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
+
 # The actual release happens in ansible/helm-release.yml
 # until https://github.com/helm/chart-releaser/issues/122 happens
 .PHONY: helm-index
@@ -362,6 +365,20 @@ helm-index: cr helm-chart
 	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
 	git fetch httpsorigin
 
+	# This step to workaround issues with old releases being dropped.
+	# Until https://github.com/helm/chart-releaser/issues/133 happens
+	@echo "== CHART FETCH previous releases =="
+	# Download all old releases
+	cd .cr-release-packages;\
+	for tag in $(TAGS); do\
+		dl_url="https://github.com/$${CHART_OWNER}/$${CHART_REPO}/releases/download/$${tag}/$${CHART_REPO}-$${tag}.tgz";\
+		curl -RLOs -z "$${CHART_REPO}-$${tag}.tgz" --fail $${dl_url};\
+		result=$$?;\
+		if [ $${result} -eq 0 ]; then\
+			echo "Downloaded $$dl_url";\
+		fi;\
+	done
+
 	@echo "== CHART RELEASER (index) =="
 	$(CR) index \
 		--owner "$(CHART_OWNER)" \

README.md

@@ -55,6 +55,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
             * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
             * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
             * [Steps to upgrade](#steps-to-upgrade)
+      * [Add Execution Nodes](#adding-execution-nodes)
+          * [Custom Receptor CA](#custom-receptor-ca)
    * [Contributing](#contributing)
    * [Release Process](#release-process)
    * [Author](#author)
@@ -247,7 +249,7 @@ $ minikube service awx-demo-service --url
 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
 
 ```
-$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
+$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
 yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
 ```
 
@@ -301,7 +303,7 @@ There are three variables that are customizable for the admin user account creat
 
 If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
 
-To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
+To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
 
 The secret that is expected to be passed should be formatted as follow:
 
@@ -479,6 +481,12 @@ spec:
 
 ### Database Configuration
 
+#### Postgres Version
+
+The default Postgres version for the version of AWX bundled with the latest version of the awx-operator is Postgres 13. You can find this default for a given version by at the default value for [_postgres_image_version](./roles/installer/defaults/main.yml#L138).
+
+We only have coverage for the default version of Postgres. Newer versions of Postgres (14+) will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
+
 #### External PostgreSQL Service
 
 To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
@@ -1068,8 +1076,14 @@ Example configuration of `extra_settings` parameter
 
       - setting: AUTH_LDAP_BIND_DN
         value: "cn=admin,dc=example,dc=com"
+
+      - setting: LOG_AGGREGATOR_LEVEL
+        value: "'DEBUG'"
 ```
 
+Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
+
+```yaml
 #### No Log
 Configure no_log for tasks with no_log
 
@@ -1081,7 +1095,7 @@ Example configuration of `no_log` parameter
 
 ```yaml
   spec:
-    no_log: 'true'
+    no_log: true
 ```
 
 #### Auto upgrade
@@ -1200,6 +1214,33 @@ Then install the new AWX Operator by following the instructions in [Basic Instal
 
 Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
 
+### Adding Execution Nodes
+Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
+See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature.
+
+#### Custom Receptor CA
+The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
+Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
+
+A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
+
+Given custom `ca.crt` and `ca.key` stored locally, run the following,
+
+```bash
+kubectl create secret tls awx-demo-receptor-ca \
+   --cert=/path/to/ca.crt --key=/path/to/ca.key
+```
+
+The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
+
+If this secret is created after AWX is deployed, run the following to restart the deployment,
+
+```bash
+kubectl rollout restart deployment awx-demo
+```
+
+**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.
+
 ## Contributing
 
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -89,7 +89,8 @@ spec:
                 type: string
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               set_self_labels:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -50,6 +50,9 @@ spec:
                 description: Name of the restored deployment. This should be different from the original deployment name
                   if the original deployment still exists.
                 type: string
+              cluster_name:
+                description: Cluster name
+                type: string
               backup_name:
                 description: AWXBackup object name
                 type: string
@@ -91,7 +94,8 @@ spec:
                 type: string
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               set_self_labels:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -103,6 +103,9 @@ spec:
                 - ingress
                 - Route
                 - route
+              ingress_api_version:
+                description: The Ingress API version to use
+                type: string
               ingress_path:
                 description: The ingress path used to reach the deployed service
                 type: string
@@ -141,6 +144,9 @@ spec:
                 - edge
                 - Passthrough
                 - passthrough
+              route_api_version:
+                description: The route API version to use
+                type: string
               route_tls_secret:
                 description: Secret where the TLS related credentials are stored
                 type: string
@@ -504,7 +510,8 @@ spec:
                 type: array
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               security_context_settings:
                 description: Key/values that will be set under the pod-level securityContext field
                 type: object
@@ -517,6 +524,10 @@ spec:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean
                 default: true
+              ipv6_disabled:
+                description: Disable web container's nginx ipv6 listener
+                type: boolean
+                default: false
             type: object
           status:
             properties:

config/manager/manager.yaml

@@ -21,7 +21,7 @@ spec:
   template:
     metadata:
       annotations:
-        kubectl.kubernetes.io/default-container: manager
+        kubectl.kubernetes.io/default-container: awx-manager
       labels:
         control-plane: controller-manager
     spec:

molecule/requirements.txt

@@ -1,4 +1,4 @@
-molecule
+molecule<4.0.2
 molecule-docker
 yamllint
 ansible-lint

roles/backup/defaults/main.yml

@@ -12,7 +12,7 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 backup_storage_requirements: ''
 
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Variable to set when you want backups to be cleaned up when the CRD object is deleted
 clean_backup_on_delete: false

roles/backup/tasks/awx-cro.yml

@@ -25,6 +25,7 @@
   set_fact:
     awx_spec:
       spec: "{{ _awx }}"
+      previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
 
 - name: Write awx object to pvc
   k8s_exec:

roles/backup/tasks/dump_receptor_secrets.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length

roles/backup/tasks/postgres.yml

@@ -75,7 +75,7 @@
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
     command: >-
-      bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
+      bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
 
 - name: Set full resolvable host name for postgres pod
   set_fact:

roles/backup/tasks/secrets.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Create Temporary secrets file
-  tempfile:
-    state: file
-    suffix: .json
-  register: tmp_secrets
-
 - name: Dump (generated) secret names from statuses and data into file
   include_tasks: dump_generated_secret.yml
   with_items:
@@ -23,6 +17,12 @@
     - bundle_cacert_secret
     - ee_pull_credentials_secret
 
+- name: Dump receptor secret names and data into file
+  include_tasks: dump_receptor_secrets.yml
+  loop:
+    - '{{ deployment_name }}-receptor-ca'
+    - '{{ deployment_name }}-receptor-work-signing'
+
 # image_pull_secret is deprecated in favor of image_pull_secrets
 - name: Dump image_pull_secret into file
   include_tasks: dump_secret.yml

roles/common/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+deployment_type: awx
+kind: 'AWX'
+api_version: '{{ deployment_type }}.ansible.com/v1beta1'
+
+# Used to determine some cluster specific logic regarding projects_persistence pvc permissions
+is_k8s: false
+is_openshift: false

roles/common/meta/main.yml

@@ -0,0 +1,32 @@
+---
+galaxy_info:
+  author: Ansible
+  description: AWX role for AWX Operator for Kubernetes.
+  company: Red Hat, Inc.
+
+  license: MIT
+
+  min_ansible_version: 2.8
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - tower
+    - awx
+    - ansible
+    - automation
+    - ci
+    - cd
+    - deployment
+
+dependencies: []
+
+collections:
+  - kubernetes.core
+  - operator_sdk.util

roles/common/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Get information about the cluster
+  set_fact:
+    api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
+  when:
+  - not is_openshift | bool
+  - not is_k8s | bool
+
+- name: Determine the cluster type
+  set_fact:
+    is_openshift: "{{ True if 'route.openshift.io' in api_groups else False }}"
+    is_k8s: "{{ False if 'route.openshift.io' in api_groups else True }}"
+  when:
+  - not is_openshift | bool
+  - not is_k8s | bool
+
+# Indicate what kind of cluster we are in (OpenShift or Kubernetes).
+- debug:
+    msg: "CLUSTER TYPE: is_openshift={{ is_openshift }}; is_k8s={{ is_k8s }}"

roles/installer/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 deployment_type: awx
-kind: '{{ deployment_type | upper }}'
+kind: 'AWX'
 api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 database_name: "{{ deployment_type }}"
@@ -12,6 +12,7 @@ ingress_type: none
 ingress_class_name: ''
 ingress_path: '/'
 ingress_path_type: 'Prefix'
+ingress_api_version: 'networking.k8s.io/v1'
 # Add annotations to the service account. Specify as literal block. E.g.:
 # service_account_annotations: |
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -50,6 +51,10 @@ route_tls_termination_mechanism: edge
 #
 route_tls_secret: ''
 
+# Route API Version to support older version
+# of the kubernetes services
+route_api_version: 'route.openshift.io/v1'
+
 # Host to create the root with.
 # If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
 #
@@ -159,6 +164,8 @@ _control_plane_ee_image: quay.io/ansible/awx-ee:latest
 _init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
 _init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
 
+_init_projects_container_image: quay.io/centos/centos:stream9
+
 create_preload_data: true
 
 replicas: "1"
@@ -288,7 +295,7 @@ development_mode: false
 security_context_settings: {}
 
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Should AWX instances be automatically upgraded when operator gets upgraded
 #
@@ -296,3 +303,6 @@ auto_upgrade: true
 
 # Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
 set_self_labels: true
+
+# Disable web container's nginx ipv6 listener
+ipv6_disabled: false

roles/installer/meta/main.yml

@@ -25,7 +25,8 @@ galaxy_info:
     - cd
     - deployment
 
-dependencies: []
+dependencies:
+  - role: common
 
 collections:
   - kubernetes.core

roles/installer/tasks/cleanup.yml

@@ -23,6 +23,8 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
+        - '{{ ansible_operator_meta.name }}-receptor-ca'
+        - '{{ ansible_operator_meta.name }}-receptor-work-signing'
       no_log: "{{ no_log }}"
 
   when: not garbage_collect_secrets | bool

roles/installer/tasks/resources_configuration.yml

@@ -35,6 +35,50 @@
   register: _receptor_ca
   no_log: "{{ no_log }}"
 
+- name: Migrate Receptor CA Secret
+  when:
+    - _receptor_ca['resources'] | default([]) | length
+    - _receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
+  block:
+    - name: Delete old Receptor CA Secret
+      k8s:
+        state: absent
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: '{{ ansible_operator_meta.name }}-receptor-ca'
+    - name: Create tempfile for receptor-ca.key
+      tempfile:
+        state: file
+        suffix: .key
+      register: _receptor_ca_key_file
+    - name: Copy Receptor CA key from old secret to tempfile
+      copy:
+        content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}"
+        dest: "{{ _receptor_ca_key_file.path }}"
+      no_log: "{{ no_log }}"
+    - name: Create tempfile for receptor-ca.crt
+      tempfile:
+        state: file
+        suffix: .crt
+      register: _receptor_ca_crt_file
+    - name: Copy Receptor CA cert from old secret to tempfile
+      copy:
+        content: "{{ _receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}"
+        dest: "{{ _receptor_ca_crt_file.path }}"
+      no_log: "{{ no_log }}"
+    - name: Create New Receptor CA secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
+      no_log: "{{ no_log }}"
+    - name: Remove tempfiles
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ _receptor_ca_key_file.path }}"
+        - "{{ _receptor_ca_crt_file.path }}"
+
 - name: Create Receptor Mesh CA
   block:
     - name: Create tempfile for receptor-ca.key

roles/installer/templates/configmaps/config.yaml.j2

@@ -46,8 +46,8 @@ data:
 {%- set cpu_limit = task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] -%}
 {%- if cpu_limit is defined -%}
 {%- set callback_receiver_cpu = cpu_limit | cpu_string_to_decimal -%}
-{%- if callback_receiver_cpu |int > 4 -%}
-# Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
+{%- if callback_receiver_cpu |int > 4 %}
+    # Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
     JOB_EVENT_WORKERS = {{ callback_receiver_cpu }}
 {%- endif -%}
 {%- endif %}
@@ -132,7 +132,9 @@ data:
         {% if route_tls_termination_mechanism | lower == 'passthrough' %}
         server {
             listen 8052 default_server;
+            {% if not ipv6_disabled %}
             listen [::]:8052 default_server;
+            {% endif %}
             server_name _;
 
             # Redirect all HTTP links to the matching HTTPS page
@@ -143,7 +145,9 @@ data:
         server {
         {% if route_tls_termination_mechanism | lower == 'passthrough' %}
             listen 8053 ssl;
+            {% if not ipv6_disabled %}
             listen [::]:8053 ssl;
+            {% endif %}
 
             ssl_certificate /etc/nginx/pki/web.crt;
             ssl_certificate_key /etc/nginx/pki/web.key;
@@ -154,7 +158,9 @@ data:
             ssl_prefer_server_ciphers on;
         {% else %}
             listen 8052 default_server;
+            {% if not ipv6_disabled %}
             listen [::]:8052 default_server;
+            {% endif %}
         {% endif %}
 
             # If you have a domain name, this is where to add it

roles/installer/templates/deployments/deployment.yaml.j2

@@ -42,6 +42,7 @@ spec:
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ task_resource_requirements }}
           command:
             - /bin/sh
             - -c
@@ -53,10 +54,6 @@ spec:
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
 {% endif %}
-{% if projects_persistence|bool %}
-              chmod 775 /var/lib/awx/projects
-              chgrp 1000 /var/lib/awx/projects
-{% endif %}
 {% if init_container_extra_commands %}
               {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
@@ -67,7 +64,12 @@ spec:
                   fieldPath: metadata.name
           volumeMounts:
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "tls.crt"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              subPath: "tls.key"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-tls"
               mountPath: "/etc/receptor/tls/"
@@ -79,12 +81,27 @@ spec:
               subPath: bundle-ca.crt
               readOnly: true
 {% endif %}
-{% if projects_persistence|bool %}
-            - name: "{{ ansible_operator_meta.name }}-projects"
-              mountPath: "/var/lib/awx/projects"
-{% endif %}
 {% if init_container_extra_volume_mounts -%}
             {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
+{% endif %}
+{% if projects_persistence|bool and is_k8s|bool %}
+        - name: init-projects
+          image: '{{ _init_projects_container_image }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              chmod 775 /var/lib/awx/projects
+              chgrp 1000 /var/lib/awx/projects
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: "{{ ansible_operator_meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
 {% endif %}
       containers:
         - image: '{{ _redis_image }}'
@@ -179,7 +196,12 @@ spec:
               subPath: "work-public-key.pem"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              subPath: "tls.crt"
+              readOnly: true
+            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
+              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              subPath: "tls.key"
               readOnly: true
 {% if development_mode | bool %}
             - name: awx-devel
@@ -324,7 +346,7 @@ spec:
               mountPath: "/etc/receptor/"
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
               mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
-              subPath: "receptor-ca.crt"
+              subPath: "tls.crt"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
               mountPath: "/etc/receptor/signing/work-private-key.pem"
@@ -361,9 +383,9 @@ spec:
       tolerations:
         {{ tolerations | indent(width=8) }}
 {% endif %}
-{% if projects_persistence|bool or (security_context_settings|length) %}
+{% if (projects_persistence|bool and is_k8s|bool) or (security_context_settings|length) %}
       securityContext:
-{% if projects_persistence|bool %}
+{% if projects_persistence|bool and is_k8s|bool %}
         fsGroup: 1000
 {% endif %}
 {% if security_context_settings|length %}

roles/installer/templates/labels/version.yaml.j2

@@ -1 +1 @@
-app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
+app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '', 0) }}'

roles/installer/templates/networking/ingress.yaml.j2

@@ -1,6 +1,8 @@
 {% if ingress_type|lower == "ingress" %}
 ---
-apiVersion: networking.k8s.io/v1
+{% if ingress_api_version is defined %}
+apiVersion: '{{ ingress_api_version }}'
+{% endif %}
 kind: Ingress
 metadata:
   name: '{{ ansible_operator_meta.name }}-ingress'
@@ -42,7 +44,9 @@ spec:
 
 {% if ingress_type|lower == "route" %}
 ---
-apiVersion: route.openshift.io/v1
+{% if route_api_version is defined %}
+apiVersion: '{{ route_api_version }}'
+{% endif %}
 kind: Route
 metadata:
   name: '{{ ansible_operator_meta.name }}'

roles/installer/templates/secrets/receptor_ca_secret.yaml.j2

@@ -10,6 +10,7 @@ metadata:
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+type: kubernetes.io/tls
 data:
-  receptor-ca.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
-  receptor-ca.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'
+  tls.crt: '{{ lookup('file', '{{ _receptor_ca_crt_file.path }}') | b64encode }}'
+  tls.key: '{{ lookup('file', '{{ _receptor_ca_key_file.path }}') | b64encode }}'

roles/restore/defaults/main.yml

@@ -11,8 +11,11 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
 # Required: backup name, found on the awxbackup object
 backup_dir: ''
 
+# Default cluster name
+cluster_name: 'cluster.local'
+
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Default resource requirements
 restore_resource_requirements:

roles/restore/tasks/deploy_awx.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Get AWX object definition from pvc
-  k8s_exec:
-    namespace: "{{ backup_pvc_namespace }}"
-    pod: "{{ ansible_operator_meta.name }}-db-management"
-    command: >-
-      bash -c "cat '{{ backup_dir }}/awx_object'"
-  register: awx_object
-
-- name: Create temp file for spec dict
-  tempfile:
-    state: file
-  register: tmp_spec
-
-- name: Write spec vars to temp file
-  copy:
-    content: "{{ awx_object.stdout }}"
-    dest: "{{ tmp_spec.path }}"
-    mode: '0644'
-
-- name: Include spec vars to save them as a dict
-  include_vars: "{{ tmp_spec.path }}"
-
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"

roles/restore/tasks/import_vars.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Import awx_object variables
+  block:
+  - name: Get AWX object definition from pvc
+    k8s_exec:
+      namespace: "{{ backup_pvc_namespace }}"
+      pod: "{{ ansible_operator_meta.name }}-db-management"
+      command: >-
+        bash -c "cat '{{ backup_dir }}/awx_object'"
+    register: awx_object
+
+  - name: Create temp file for spec dict
+    tempfile:
+      state: file
+    register: tmp_spec
+
+  - name: Write spec vars to temp file
+    copy:
+      content: "{{ awx_object.stdout }}"
+      dest: "{{ tmp_spec.path }}"
+      mode: '0644'
+
+  - name: Include spec vars to save them as a dict
+    include_vars: "{{ tmp_spec.path }}"

roles/restore/tasks/main.yml

@@ -29,6 +29,8 @@
 - block:
     - include_tasks: init.yml
 
+    - include_tasks: import_vars.yml
+
     - include_tasks: secrets.yml
 
     - include_tasks: deploy_awx.yml

roles/restore/tasks/postgres.yml

@@ -66,7 +66,7 @@
 
 - name: Set full resolvable host name for postgres pod
   set_fact:
-    resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
+    resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.{{ cluster_name }}"
   no_log: "{{ no_log }}"
   when: awx_postgres_type == 'managed'
 
@@ -76,7 +76,6 @@
       pg_restore --clean --if-exists
       -U {{ awx_postgres_user }}
       -h {{ resolvable_db_host }}
-      -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
   no_log: "{{ no_log }}"

roles/restore/tasks/secrets.yml

@@ -54,6 +54,37 @@
       no_log: "{{ no_log }}"
   when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
+- name: Set new receptor secret names
+  set_fact:
+    previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca"
+    previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing"
+  no_log: "{{ no_log }}"
+
+- name: Set new name for receptor secrets using deployment_name
+  block:
+    - name: Set new receptor secret names
+      set_fact:
+        receptor_ca_name: "{{ deployment_name }}-receptor-ca"
+        receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing"
+      no_log: "{{ no_log }}"
+
+    - name: Set tmp dict for receptor secrets
+      set_fact:
+        _ca_secret: "{{ secrets[previous_receptor_ca_name] }}"
+        _work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Change receptor secret names in tmp dict
+      set_fact:
+        _ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}"
+        _work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create a new dict of receptor secrets with updated names
+      set_fact:
+        secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}"
+      no_log: "{{ no_log }}"
+
 - name: Apply secret
   k8s:
     state: present