add default cluster name (#1129)

* add default cluster name

* Update awx.ansible.com_awxrestores.yaml

Co-authored-by: Kirill Smirnov <kirilsmirnov@x5.ru>

.github/workflows/ci.yaml

@@ -82,3 +82,18 @@ jobs:
       - name: Install helm chart
         run: |
           helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
+  no-log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v2
+
+      - name: Check no_log statements
+        run: |
+          set +e
+          no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
+          if [ -n "${no_log}" ]; then
+            echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
+            echo "${no_log}"
+            exit 1
+          fi

.github/workflows/label_issue.yml

@@ -0,0 +1,54 @@
+---
+name: Label Issues
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label Issue - Needs Triage
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'
+
+  community:
+    runs-on: ubuntu-latest
+    name: Label Issue - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/label_pr.yml

@@ -0,0 +1,40 @@
+name: Label PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  community:
+    runs-on: ubuntu-latest
+    name: Label PR - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/triage_new.yml

@@ -1,22 +0,0 @@
----
-name: Triage
-
-on:
-  issues:
-    types:
-      - opened
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    name: Label
-
-    steps:
-      - name: Label issues
-        uses: github/issue-labeler@v2.4.1
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          not-before: 2021-12-07T07:00:00Z
-          configuration-path: .github/issue_labeler.yml
-          enable-versioned-regex: 0
-        if: github.event_name == 'issues'

Makefile

@@ -296,8 +296,8 @@ helm-chart: helm-chart-generate
 helm-chart-generate: kustomize helm kubectl-slice yq charts
 	@echo "== KUSTOMIZE: Set image and chart label =="
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
-	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
 
 	@echo "== Gather Helm Chart Metadata =="
 	# remove the existing chart if it exists
@@ -355,7 +355,7 @@ helm-package: cr helm-chart
 	$(CR) package ./charts/awx-operator
 
 # List all tags oldest to newest.
-TAGS := $(shell git tag -l  --sort=creatordate)
+TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
 
 # The actual release happens in ansible/helm-release.yml
 # until https://github.com/helm/chart-releaser/issues/122 happens

README.md

@@ -249,7 +249,7 @@ $ minikube service awx-demo-service --url
 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
 
 ```
-$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
+$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
 yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
 ```
 
@@ -303,7 +303,7 @@ There are three variables that are customizable for the admin user account creat
 
 If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
 
-To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
+To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
 
 The secret that is expected to be passed should be formatted as follow:
 
@@ -481,6 +481,12 @@ spec:
 
 ### Database Configuration
 
+#### Postgres Version
+
+The default Postgres version for the version of AWX bundled with the latest version of the awx-operator is Postgres 13. You can find this default for a given version by at the default value for [_postgres_image_version](./roles/installer/defaults/main.yml#L138).
+
+We only have coverage for the default version of Postgres. Newer versions of Postgres (14+) will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
+
 #### External PostgreSQL Service
 
 To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
@@ -1070,8 +1076,14 @@ Example configuration of `extra_settings` parameter
 
       - setting: AUTH_LDAP_BIND_DN
         value: "cn=admin,dc=example,dc=com"
+
+      - setting: LOG_AGGREGATOR_LEVEL
+        value: "'DEBUG'"
 ```
 
+Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
+
+```yaml
 #### No Log
 Configure no_log for tasks with no_log
 
@@ -1083,7 +1095,7 @@ Example configuration of `no_log` parameter
 
 ```yaml
   spec:
-    no_log: 'true'
+    no_log: true
 ```
 
 #### Auto upgrade

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -89,7 +89,8 @@ spec:
                 type: string
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               set_self_labels:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -50,6 +50,9 @@ spec:
                 description: Name of the restored deployment. This should be different from the original deployment name
                   if the original deployment still exists.
                 type: string
+              cluster_name:
+                description: Cluster name
+                type: string
               backup_name:
                 description: AWXBackup object name
                 type: string
@@ -91,7 +94,8 @@ spec:
                 type: string
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               set_self_labels:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -103,6 +103,9 @@ spec:
                 - ingress
                 - Route
                 - route
+              ingress_api_version:
+                description: The Ingress API version to use
+                type: string
               ingress_path:
                 description: The ingress path used to reach the deployed service
                 type: string
@@ -141,6 +144,9 @@ spec:
                 - edge
                 - Passthrough
                 - passthrough
+              route_api_version:
+                description: The route API version to use
+                type: string
               route_tls_secret:
                 description: Secret where the TLS related credentials are stored
                 type: string
@@ -504,7 +510,8 @@ spec:
                 type: array
               no_log:
                 description: Configure no_log for no_log tasks
-                type: string
+                type: boolean
+                default: true
               security_context_settings:
                 description: Key/values that will be set under the pod-level securityContext field
                 type: object
@@ -517,6 +524,10 @@ spec:
                 description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
                 type: boolean
                 default: true
+              ipv6_disabled:
+                description: Disable web container's nginx ipv6 listener
+                type: boolean
+                default: false
             type: object
           status:
             properties:

config/manager/manager.yaml

@@ -21,7 +21,7 @@ spec:
   template:
     metadata:
       annotations:
-        kubectl.kubernetes.io/default-container: manager
+        kubectl.kubernetes.io/default-container: awx-manager
       labels:
         control-plane: controller-manager
     spec:

molecule/requirements.txt

@@ -1,4 +1,4 @@
-molecule
+molecule<4.0.2
 molecule-docker
 yamllint
 ansible-lint

roles/backup/defaults/main.yml

@@ -12,7 +12,7 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 backup_storage_requirements: ''
 
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Variable to set when you want backups to be cleaned up when the CRD object is deleted
 clean_backup_on_delete: false

roles/backup/tasks/awx-cro.yml

@@ -25,6 +25,7 @@
   set_fact:
     awx_spec:
       spec: "{{ _awx }}"
+      previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
 
 - name: Write awx object to pvc
   k8s_exec:

roles/backup/tasks/dump_receptor_secrets.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length

roles/backup/tasks/postgres.yml

@@ -75,7 +75,7 @@
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
     command: >-
-      bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
+      bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
 
 - name: Set full resolvable host name for postgres pod
   set_fact:

roles/backup/tasks/secrets.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Create Temporary secrets file
-  tempfile:
-    state: file
-    suffix: .json
-  register: tmp_secrets
-
 - name: Dump (generated) secret names from statuses and data into file
   include_tasks: dump_generated_secret.yml
   with_items:
@@ -23,6 +17,12 @@
     - bundle_cacert_secret
     - ee_pull_credentials_secret
 
+- name: Dump receptor secret names and data into file
+  include_tasks: dump_receptor_secrets.yml
+  loop:
+    - '{{ deployment_name }}-receptor-ca'
+    - '{{ deployment_name }}-receptor-work-signing'
+
 # image_pull_secret is deprecated in favor of image_pull_secrets
 - name: Dump image_pull_secret into file
   include_tasks: dump_secret.yml

roles/installer/defaults/main.yml

@@ -12,6 +12,7 @@ ingress_type: none
 ingress_class_name: ''
 ingress_path: '/'
 ingress_path_type: 'Prefix'
+ingress_api_version: 'networking.k8s.io/v1'
 # Add annotations to the service account. Specify as literal block. E.g.:
 # service_account_annotations: |
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -50,6 +51,10 @@ route_tls_termination_mechanism: edge
 #
 route_tls_secret: ''
 
+# Route API Version to support older version
+# of the kubernetes services
+route_api_version: 'route.openshift.io/v1'
+
 # Host to create the root with.
 # If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
 #
@@ -159,6 +164,8 @@ _control_plane_ee_image: quay.io/ansible/awx-ee:latest
 _init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
 _init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
 
+_init_projects_container_image: quay.io/centos/centos:stream9
+
 create_preload_data: true
 
 replicas: "1"
@@ -288,7 +295,7 @@ development_mode: false
 security_context_settings: {}
 
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Should AWX instances be automatically upgraded when operator gets upgraded
 #
@@ -296,3 +303,6 @@ auto_upgrade: true
 
 # Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
 set_self_labels: true
+
+# Disable web container's nginx ipv6 listener
+ipv6_disabled: false

roles/installer/tasks/cleanup.yml

@@ -23,6 +23,8 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
+        - '{{ ansible_operator_meta.name }}-receptor-ca'
+        - '{{ ansible_operator_meta.name }}-receptor-work-signing'
       no_log: "{{ no_log }}"
 
   when: not garbage_collect_secrets | bool

roles/installer/templates/configmaps/config.yaml.j2

@@ -46,8 +46,8 @@ data:
 {%- set cpu_limit = task_resource_requirements["limits"]["cpu"] if "limits" in task_resource_requirements and "cpu" in task_resource_requirements["limits"] -%}
 {%- if cpu_limit is defined -%}
 {%- set callback_receiver_cpu = cpu_limit | cpu_string_to_decimal -%}
-{%- if callback_receiver_cpu |int > 4 -%}
-# Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
+{%- if callback_receiver_cpu |int > 4 %}
+    # Set callback receiver workers based off cpu limit, default workers are 4, but if we have more than 4 cpu we can set higher value for workers
     JOB_EVENT_WORKERS = {{ callback_receiver_cpu }}
 {%- endif -%}
 {%- endif %}
@@ -132,7 +132,9 @@ data:
         {% if route_tls_termination_mechanism | lower == 'passthrough' %}
         server {
             listen 8052 default_server;
+            {% if not ipv6_disabled %}
             listen [::]:8052 default_server;
+            {% endif %}
             server_name _;
 
             # Redirect all HTTP links to the matching HTTPS page
@@ -143,7 +145,9 @@ data:
         server {
         {% if route_tls_termination_mechanism | lower == 'passthrough' %}
             listen 8053 ssl;
+            {% if not ipv6_disabled %}
             listen [::]:8053 ssl;
+            {% endif %}
 
             ssl_certificate /etc/nginx/pki/web.crt;
             ssl_certificate_key /etc/nginx/pki/web.key;
@@ -154,7 +158,9 @@ data:
             ssl_prefer_server_ciphers on;
         {% else %}
             listen 8052 default_server;
+            {% if not ipv6_disabled %}
             listen [::]:8052 default_server;
+            {% endif %}
         {% endif %}
 
             # If you have a domain name, this is where to add it

roles/installer/templates/deployments/deployment.yaml.j2

@@ -42,6 +42,7 @@ spec:
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ task_resource_requirements }}
           command:
             - /bin/sh
             - -c
@@ -53,10 +54,6 @@ spec:
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
 {% endif %}
-{% if projects_persistence|bool and is_k8s|bool %}
-              chmod 775 /var/lib/awx/projects
-              chgrp 1000 /var/lib/awx/projects
-{% endif %}
 {% if init_container_extra_commands %}
               {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
@@ -84,12 +81,27 @@ spec:
               subPath: bundle-ca.crt
               readOnly: true
 {% endif %}
-{% if projects_persistence|bool and is_k8s|bool %}
-            - name: "{{ ansible_operator_meta.name }}-projects"
-              mountPath: "/var/lib/awx/projects"
-{% endif %}
 {% if init_container_extra_volume_mounts -%}
             {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
+{% endif %}
+{% if projects_persistence|bool and is_k8s|bool %}
+        - name: init-projects
+          image: '{{ _init_projects_container_image }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              chmod 775 /var/lib/awx/projects
+              chgrp 1000 /var/lib/awx/projects
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: "{{ ansible_operator_meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
 {% endif %}
       containers:
         - image: '{{ _redis_image }}'

roles/installer/templates/labels/version.yaml.j2

@@ -1 +1 @@
-app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '') }}'
+app.kubernetes.io/version: '{{ _image.split(':')[-1] | truncate(63, True, '', 0) }}'

roles/installer/templates/networking/ingress.yaml.j2

@@ -1,6 +1,8 @@
 {% if ingress_type|lower == "ingress" %}
 ---
-apiVersion: networking.k8s.io/v1
+{% if ingress_api_version is defined %}
+apiVersion: '{{ ingress_api_version }}'
+{% endif %}
 kind: Ingress
 metadata:
   name: '{{ ansible_operator_meta.name }}-ingress'
@@ -42,7 +44,9 @@ spec:
 
 {% if ingress_type|lower == "route" %}
 ---
-apiVersion: route.openshift.io/v1
+{% if route_api_version is defined %}
+apiVersion: '{{ route_api_version }}'
+{% endif %}
 kind: Route
 metadata:
   name: '{{ ansible_operator_meta.name }}'

roles/restore/defaults/main.yml

@@ -11,8 +11,11 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
 # Required: backup name, found on the awxbackup object
 backup_dir: ''
 
+# Default cluster name
+cluster_name: 'cluster.local'
+
 # Set no_log settings on certain tasks
-no_log: 'true'
+no_log: true
 
 # Default resource requirements
 restore_resource_requirements:

roles/restore/tasks/deploy_awx.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Get AWX object definition from pvc
-  k8s_exec:
-    namespace: "{{ backup_pvc_namespace }}"
-    pod: "{{ ansible_operator_meta.name }}-db-management"
-    command: >-
-      bash -c "cat '{{ backup_dir }}/awx_object'"
-  register: awx_object
-
-- name: Create temp file for spec dict
-  tempfile:
-    state: file
-  register: tmp_spec
-
-- name: Write spec vars to temp file
-  copy:
-    content: "{{ awx_object.stdout }}"
-    dest: "{{ tmp_spec.path }}"
-    mode: '0644'
-
-- name: Include spec vars to save them as a dict
-  include_vars: "{{ tmp_spec.path }}"
-
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"

roles/restore/tasks/import_vars.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Import awx_object variables
+  block:
+  - name: Get AWX object definition from pvc
+    k8s_exec:
+      namespace: "{{ backup_pvc_namespace }}"
+      pod: "{{ ansible_operator_meta.name }}-db-management"
+      command: >-
+        bash -c "cat '{{ backup_dir }}/awx_object'"
+    register: awx_object
+
+  - name: Create temp file for spec dict
+    tempfile:
+      state: file
+    register: tmp_spec
+
+  - name: Write spec vars to temp file
+    copy:
+      content: "{{ awx_object.stdout }}"
+      dest: "{{ tmp_spec.path }}"
+      mode: '0644'
+
+  - name: Include spec vars to save them as a dict
+    include_vars: "{{ tmp_spec.path }}"

roles/restore/tasks/main.yml

@@ -29,6 +29,8 @@
 - block:
     - include_tasks: init.yml
 
+    - include_tasks: import_vars.yml
+
     - include_tasks: secrets.yml
 
     - include_tasks: deploy_awx.yml

roles/restore/tasks/postgres.yml

@@ -66,7 +66,7 @@
 
 - name: Set full resolvable host name for postgres pod
   set_fact:
-    resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
+    resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.{{ cluster_name }}"
   no_log: "{{ no_log }}"
   when: awx_postgres_type == 'managed'
 
@@ -76,7 +76,6 @@
       pg_restore --clean --if-exists
       -U {{ awx_postgres_user }}
       -h {{ resolvable_db_host }}
-      -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
   no_log: "{{ no_log }}"

roles/restore/tasks/secrets.yml

@@ -54,6 +54,37 @@
       no_log: "{{ no_log }}"
   when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
+- name: Set new receptor secret names
+  set_fact:
+    previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca"
+    previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing"
+  no_log: "{{ no_log }}"
+
+- name: Set new name for receptor secrets using deployment_name
+  block:
+    - name: Set new receptor secret names
+      set_fact:
+        receptor_ca_name: "{{ deployment_name }}-receptor-ca"
+        receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing"
+      no_log: "{{ no_log }}"
+
+    - name: Set tmp dict for receptor secrets
+      set_fact:
+        _ca_secret: "{{ secrets[previous_receptor_ca_name] }}"
+        _work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Change receptor secret names in tmp dict
+      set_fact:
+        _ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}"
+        _work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create a new dict of receptor secrets with updated names
+      set_fact:
+        secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}"
+      no_log: "{{ no_log }}"
+
 - name: Apply secret
   k8s:
     state: present