Merge pull request #189 from shanemcd/bump-19

Version bump for AWX 19

.github/workflows/ci.yaml

@@ -0,0 +1,44 @@
+---
+
+name: CI
+
+on:
+  pull_request:
+    branches: [devel]
+
+  push:
+    branches: [devel]
+
+jobs:
+  pull_request:
+    runs-on: ubuntu-18.04
+    name: pull_request
+    env:
+      DOCKER_API_VERSION: "1.38"
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.8"
+
+      - name: Install Dependencies
+        run: |
+          pip install \
+            molecule \
+            molecule-docker \
+            yamllint \
+            ansible-lint \
+            openshift \
+            jmespath \
+            ansible
+
+      - name: Install Collections
+        run: |
+         ansible-galaxy collection install community.kubernetes operator_sdk.util
+
+      - name: Run Molecule
+        env:
+          MOLECULE_VERBOSITY: 3
+        run: |
+          molecule test -s test-local

.github/workflows/release.yaml

@@ -0,0 +1,34 @@
+---
+
+name: Release
+
+on:
+  push:
+    branches: [devel]
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    name: release
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install Operator-SDK
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          wget -O $GITHUB_WORKSPACE/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/v0.19.4/operator-sdk-v0.19.4-x86_64-linux-gnu
+          chmod +x $GITHUB_WORKSPACE/bin/operator-sdk
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+
+      - name: Build Image
+        run: |
+          operator-sdk build awx-operator:devel
+
+      - name: Push To Quay
+        uses: redhat-actions/push-to-registry@v2.1.1
+        with:
+          image: awx-operator
+          tags: devel
+          registry: quay.io/ansible/
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}

.travis.yml

@@ -1,19 +0,0 @@
----
-services: docker
-language: python
-
-before_install:
-  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
-  - sudo apt-get update
-  - sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
-
-env:
-  - DOCKER_API_VERSION=1.38
-
-install:
-  - pip3 install docker molecule molecule-docker yamllint ansible-lint openshift jmespath ansible
-  - ansible-galaxy collection install community.kubernetes operator_sdk.util
-
-script:
-  - MOLECULE_VERBOSITY=3 molecule test -s test-local

.yamllint

@@ -8,5 +8,5 @@ ignore: |
 rules:
   truthy: disable
   line-length:
-    max: 160
+    max: 170
     level: warning

README.md

@@ -1,6 +1,6 @@
 # AWX Operator
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://travis-ci.org/ansible/awx-operator.svg?branch=devel)](https://travis-ci.org/ansible/awx-operator)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
 
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
 
@@ -24,10 +24,13 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
+         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Persisting Projects Directory](#persisting-projects-directory)
    * [Development](#development)
       * [Testing](#testing)
          * [Testing in Docker](#testing-in-docker)
          * [Testing in Minikube](#testing-in-minikube)
+      * [Generating a bundle](#generating-a-bundle)
    * [Release Process](#release-process)
       * [Build a new release](#build-a-new-release)
       * [Build a new version of the operator yaml file](#build-a-new-version-of-the-operator-yaml-file)
@@ -62,6 +65,8 @@ metadata:
   name: awx
 ```
 
+> The metadata.name you provide, will be the name of the resulting AWX deployment.  If you deploy more than one to the same namespace, be sure to use unique names.
+
 Finally, use `kubectl` to create the awx instance in your cluster:
 
 ```bash
@@ -87,6 +92,9 @@ There are three variables that are customizable for the admin user account creat
 | tower_admin_email           | Email of the admin user                      | test@example.com |
 | tower_admin_password_secret | Secret that contains the admin user password | Empty string     |
 
+
+> :warning: **tower_admin_password_secret must be a Kubernetes secret and not your text clear password**.
+
 If `tower_admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
 
 To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
@@ -173,6 +181,9 @@ The following variables are customizable to specify the TLS termination procedur
 | tower_loadbalancer_protocol    | Protocol to use for Loadbalancer ingress | http          |
 | tower_loadbalancer_port        | Port used for Loadbalancer ingress       | 80            |
 
+When setting up a Load Balancer for HTTPS you will be required to set the `tower_loadbalancer_port` to move the port away from `80`.
+
+The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and will offload traffic to AWX over HTTP.
 
 ### Database Configuration
 
@@ -240,11 +251,12 @@ spec:
 
 There are a few variables that are customizable for awx the image management.
 
-| Name                    | Description                | Default            |
-| ----------------------- | -------------------------- | ------------------ |
-| tower_image             | Path of the image to pull  | ansible/awx:15.0.0 |
-| tower_image_pull_policy | The pull policy to adopt   | IfNotPresent       |
-| tower_image_pull_secret | The pull secret to use     | ''                 |
+| Name                    | Description                |
+| ----------------------- | -------------------------- |
+| tower_image             | Path of the image to pull  |
+| tower_image_pull_policy | The pull policy to adopt   |
+| tower_image_pull_secret | The pull secret to use     |
+| tower_ee_images         | A list of EEs to register  |
 
 Example of customization could be:
 
@@ -255,6 +267,9 @@ spec:
   tower_image: myorg/my-custom-awx
   tower_image_pull_policy: Always
   tower_image_pull_secret: pull_secret_name
+  tower_ee_images: 
+    - name: my-custom-awx-ee
+      image: myorg/my-custom-awx-ee
 ```
 
 #### Privileged Tasks
@@ -276,6 +291,7 @@ If you are attempting to do this on an OpenShift cluster, you will need to grant
 
 Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action.
 
+
 #### Containers Resource Requirements
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
@@ -307,6 +323,82 @@ spec:
       memory: 2Gi
 ```
 
+#### Assigning AWX pods to specific nodes
+
+You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `tower_node_selector` constrains
+the AWX pods to run only on the nodes that match all the specified key/value pairs. `tower_tolerations` allow the AWX
+pods to be scheduled onto nodes with matching taints.
+
+
+| Name                | Description            | Default |
+| ------------------- | ---------------------- | ------- |
+| tower_node_selector | AWX pods' nodeSelector | ''      |
+| tower_tolerations   | AWX pods' tolerations  | ''      |
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  tower_node_selector: |
+    disktype: ssd
+    kubernetes.io/arch: amd64
+    kubernetes.io/os: linux
+  tower_tolerations: |
+    - key: "dedicated"
+      operator: "Equal"
+      value: "AWX"
+      effect: "NoSchedule"
+```
+
+#### LDAP Certificate Authority
+
+If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+
+| Name                             | Description                             | Default |
+| -------------------------------- | --------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+```
+
+To create the secret, you can use the command below:
+
+```sh
+# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+```
+
+#### Persisting Projects Directory
+
+In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
+
+| Name                               | Description                                                                                          | Default        |
+| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
+| tower_projects_persistence         | Whether or not the /var/lib/projects directory will be persistent                                    |  false         |
+| tower_projects_storage_class       | Define the PersistentVolume storage class                                                            |  ''            |
+| tower_projects_storage_size        | Define the PersistentVolume size                                                                     |  8Gi           |
+| tower_projects_storage_access_mode | Define the PersistentVolume access mode                                                              |  ReadWriteMany |
+| tower_projects_existing_claim      | Define an existing PersistentVolumeClaim to use (cannot be combined with `tower_projects_storage_*`) |  ''            |
+
+Example of customization when the `awx-operator` automatically handles the persistent volume could be:
+
+```yaml
+---
+spec:
+  ...
+  tower_projects_persistence: true
+  tower_projects_storage_class: rook-ceph
+  tower_projects_storage_size: 20Gi
+```
+
 ## Development
 
 ### Testing
@@ -352,6 +444,55 @@ Alternatively, you can also update the service `awx-service` in your namespace t
 #> minikube service <serviceName> -n <namespaceName> --url
 ```
 
+### Generating a bundle
+
+> :warning: operator-sdk version 0.19.4 is needed to run the following commands
+
+If one has the Operator Lifecycle Manager (OLM) installed, the following steps is the process to generate the bundle that would nicely display in the OLM interface.
+
+At the root of this directory:
+
+1. Build and publish the operator
+
+```
+#> operator-sdk build registry.example.com/ansible/awx-operator:mytag
+#> podman push registry.example.com/ansible/awx-operator:mytag
+```
+
+2. Build and publish the bundle
+
+```
+#> podman build . -f bundle.Dockerfile -t registry.example.com/ansible/awx-operator-bundle:mytag
+#> podman push registry.example.com/ansible/awx-operator-bundle:mytag
+```
+
+3. Build and publish an index with your bundle in it
+
+```
+#> opm index add --bundles registry.example.com/ansible/awx-operator-bundle:mytag --tag registry.example.com/ansible/awx-operator-catalog:mytag
+#> podman push registry.example.com/ansible/awx-operator-catalog:mytag
+```
+
+4. In your Kubernetes create a new CatalogSource pointing to `registry.example.com/ansible/awx-operator-catalog:mytag`
+
+```
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: <catalogsource-name>
+  namespace: <namespace>
+spec:
+  displayName: 'myoperatorhub'
+  image: registry.example.com/ansible/awx-operator-catalog:mytag
+  publisher: 'myoperatorhub'
+  sourceType: grpc
+```
+
+Applying this template will do it. Once the CatalogSource is in a READY state, the bundle should be available on the OperatorHub tab (as part of the custom CatalogSource that just got added)
+
+5. Enjoy
+
 ## Release Process
 
 There are a few moving parts to this project:
@@ -393,9 +534,9 @@ After it is built, test it on a local cluster:
 ```sh
 #> minikube start --memory 6g --cpus 4
 #> minikube addons enable ingress
-#> kubectl apply -f deploy/awx-operator.yaml
+#> ansible-playbook ansible/deploy-operator.yml
 #> kubectl create namespace example-awx
-#> kubectl apply -f deploy/crds/awx_v1beta1_cr.yaml
+#> ansible-playbook ansible/instantiate-awx-deployment.yml -e tower_namespace=example-awx
 #> <test everything>
 #> minikube delete
 ```

ansible/group_vars/all

@@ -1,3 +1,3 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.7.0
+operator_version: 0.8.0
 pull_policy: Always

ansible/instantiate-awx-deployment.yml

@@ -9,7 +9,7 @@
     - name: Deploy AWX
       k8s:
         state: "{{ state | default('present') }}"
-        namespace: "{{ namespace | default('default') }}"
+        namespace: "{{ tower_namespace | default('default') }}"
         apply: yes
         wait: yes
         definition:
@@ -22,5 +22,8 @@
             tower_admin_email: test@example.com
             tower_ingress_type: "{{ tower_ingress_type | default(omit) }}"  # Either Route, Ingress or LoadBalancer
             tower_image: "{{ tower_image | default(omit) }}"
-            development_mode: "{{ development_mode | default(omit) }}"
+            development_mode: "{{ development_mode | default(omit) | bool }}"
             tower_image_pull_policy: "{{ tower_image_pull_policy | default(omit) }}"
+            # tower_ee_images:
+            #   - name: test-ee
+            #     image: quay.io/<user>/awx-ee

ansible/templates/awx-operator.yaml.j2

@@ -1,6 +1,8 @@
 #jinja2: trim_blocks:False
 # This file is generated by Ansible. Changes will be lost.
 # Update templates under ansible/templates/
+{% include 'crd.yml.j2' %}
+
 {% include 'role.yml.j2' %}
 
 {% include 'role_binding.yml.j2' %}
@@ -8,5 +10,3 @@
 {% include 'service_account.yml.j2' %}
 
 {% include 'operator.yml.j2' %}
-
-{% include 'crd.yml.j2' %}

ansible/templates/crd.yml.j2

@@ -29,9 +29,11 @@ spec:
                 tower_task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
+                  default: false
                 tower_admin_user:
                   description: Username to use for the admin account
                   type: string
+                  default: admin
                 tower_hostname:
                   description: The hostname of the instance
                   type: string
@@ -102,9 +104,25 @@ spec:
                 tower_route_tls_secret:
                   description: Secret where the TLS related credentials are stored
                   type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
                 tower_image:
                   description: Registry path to the application container to use
                   type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
                 tower_image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -116,6 +134,9 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
                 tower_task_resource_requirements:
                   description: Resource requirements for the task container
                   properties:
@@ -237,6 +258,33 @@ spec:
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
               type: object
             status:
               properties:

ansible/templates/operator.yml.j2

@@ -37,8 +37,8 @@ spec:
             httpGet:
               path: /healthz
               port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 3
+            initialDelaySeconds: 15
+            periodSeconds: 20
       volumes:
         - name: runner
           emptyDir: {}

bundle.Dockerfile

@@ -0,0 +1,14 @@
+FROM scratch
+
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=awx-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.project_layout=ansible
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4
+
+COPY deploy/olm-catalog/awx-operator/manifests /manifests/
+COPY deploy/olm-catalog/awx-operator/metadata /metadata/

deploy/awx-operator.yaml

@@ -1,5 +1,330 @@
 # This file is generated by Ansible. Changes will be lost.
 # Update templates under ansible/templates/
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxs.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWX
+    listKind: AWXList
+    plural: awxs
+    singular: awx
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          description: Schema validation for the AWX CRD
+          properties:
+            spec:
+              properties:
+                deployment_type:
+                  description: Name of the deployment type
+                  type: string
+                tower_task_privileged:
+                  description: If a privileged security context should be enabled
+                  type: boolean
+                  default: false
+                tower_admin_user:
+                  description: Username to use for the admin account
+                  type: string
+                  default: admin
+                tower_hostname:
+                  description: The hostname of the instance
+                  type: string
+                tower_admin_email:
+                  description: The admin user email
+                  type: string
+                tower_admin_password_secret:
+                  description: Secret where the admin password can be found
+                  type: string
+                tower_postgres_configuration_secret:
+                  description: Secret where the database configuration can be found
+                  type: string
+                tower_old_postgres_configuration_secret:
+                  description: Secret where the old database configuration can be found for data migration
+                  type: string
+                tower_secret_key_secret:
+                  description: Secret where the secret key can be found
+                  type: string
+                tower_broadcast_websocket_secret:
+                  description: Secret where the broadcast websocket secret can be found
+                  type: string
+                tower_extra_volumes:
+                  description: Specify extra volumes to add to the application pod
+                  type: string
+                tower_ingress_type:
+                  description: The ingress type to use to reach the deployed instance
+                  type: string
+                  enum:
+                    - none
+                    - Ingress
+                    - ingress
+                    - Route
+                    - route
+                    - LoadBalancer
+                    - loadbalancer
+                tower_ingress_annotations:
+                  description: Annotations to add to the ingress
+                  type: string
+                tower_ingress_tls_secret:
+                  description: Secret where the ingress TLS secret can be found
+                  type: string
+                tower_loadbalancer_annotations:
+                  description: Annotations to add to the loadbalancer
+                  type: string
+                tower_loadbalancer_protocol:
+                  description: Protocol to use for the loadbalancer
+                  type: string
+                  default: http
+                  enum:
+                    - http
+                    - https
+                tower_loadbalancer_port:
+                  description: Port to use for the loadbalancer
+                  type: integer
+                  default: 80
+                tower_route_host:
+                  description: The DNS to use to points to the instance
+                  type: string
+                tower_route_tls_termination_mechanism:
+                  description: The secure TLS termination mechanism to use
+                  type: string
+                  default: Edge
+                  enum:
+                    - Edge
+                    - edge
+                    - Passthrough
+                    - passthrough
+                tower_route_tls_secret:
+                  description: Secret where the TLS related credentials are stored
+                  type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
+                tower_image:
+                  description: Registry path to the application container to use
+                  type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
+                tower_image_pull_policy:
+                  description: The image pull policy
+                  type: string
+                  default: IfNotPresent
+                  enum:
+                    - Always
+                    - always
+                    - Never
+                    - never
+                    - IfNotPresent
+                    - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
+                tower_task_resource_requirements:
+                  description: Resource requirements for the task container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
+                tower_web_resource_requirements:
+                  description: Resource requirements for the web container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
+                tower_replicas:
+                  description: Number of instance replicas
+                  type: integer
+                  default: 1
+                  format: int32
+                tower_garbage_collect_secrets:
+                  description: Whether or not to remove secrets upon instance removal
+                  default: false
+                  type: boolean
+                tower_create_preload_data:
+                  description: Whether or not to preload data upon Tower instance creation
+                  default: true
+                  type: boolean
+                tower_task_args:
+                  type: array
+                  items:
+                    type: string
+                tower_task_command:
+                  type: array
+                  items:
+                    type: string
+                tower_web_args:
+                  type: array
+                  items:
+                    type: string
+                tower_web_command:
+                  type: array
+                  items:
+                    type: string
+                tower_task_extra_env:
+                  type: string
+                tower_web_extra_env:
+                  type: string
+                tower_task_extra_volume_mounts:
+                  type: string
+                tower_web_extra_volume_mounts:
+                  type: string
+                tower_redis_image:
+                  description: Registry path to the redis container to use
+                  type: string
+                tower_postgres_image:
+                  description: Registry path to the PostgreSQL container to use
+                  type: string
+                tower_postgres_resource_requirements:
+                  description: Resource requirements for the PostgreSQL container
+                  properties:
+                    requests:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        cpu:
+                          type: string
+                        memory:
+                          type: string
+                        storage:
+                          type: string
+                      type: object
+                  type: object
+                tower_postgres_storage_class:
+                  description: Storage class to use for the PostgreSQL PVC
+                  type: string
+                tower_postgres_data_path:
+                  description: Path where the PostgreSQL data are located
+                  type: string
+                ca_trust_bundle:
+                  description: Path where the trusted CA bundle is available
+                  type: string
+                development_mode:
+                  description: If the deployment should be done in development mode
+                  type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
+              type: object
+            status:
+              properties:
+                towerURL:
+                  description: URL to access the deployed instance
+                  type: string
+                towerAdminUser:
+                  description: Admin user of the deployed instance
+                  type: string
+                towerAdminPasswordSecret:
+                  description: Admin password of the deployed instance
+                  type: string
+                towerMigratedFromSecret:
+                  description: The secret used for migrating an old Tower.
+                  type: string
+                towerVersion:
+                  description: Version of the deployed instance
+                  type: string
+                towerImage:
+                  description: URL of the image used for the deployed instance
+                  type: string
+                conditions:
+                  description: The resulting conditions when a Service Telemetry is instantiated
+                  items:
+                    properties:
+                      status:
+                        type: string
+                      type:
+                        type: string
+                      reason:
+                        type: string
+                      lastTransitionTime:
+                        type: string
+                    type: object
+                  type: array
+              type: object
+          type: object
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -122,7 +447,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.7.0"
+          image: "quay.io/ansible/awx-operator:0.8.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -143,285 +468,8 @@ spec:
             httpGet:
               path: /healthz
               port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 3
+            initialDelaySeconds: 15
+            periodSeconds: 20
       volumes:
         - name: runner
           emptyDir: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxs.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWX
-    listKind: AWXList
-    plural: awxs
-    singular: awx
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          description: Schema validation for the AWX CRD
-          properties:
-            spec:
-              properties:
-                deployment_type:
-                  description: Name of the deployment type
-                  type: string
-                tower_task_privileged:
-                  description: If a privileged security context should be enabled
-                  type: boolean
-                tower_admin_user:
-                  description: Username to use for the admin account
-                  type: string
-                tower_hostname:
-                  description: The hostname of the instance
-                  type: string
-                tower_admin_email:
-                  description: The admin user email
-                  type: string
-                tower_admin_password_secret:
-                  description: Secret where the admin password can be found
-                  type: string
-                tower_postgres_configuration_secret:
-                  description: Secret where the database configuration can be found
-                  type: string
-                tower_old_postgres_configuration_secret:
-                  description: Secret where the old database configuration can be found for data migration
-                  type: string
-                tower_secret_key_secret:
-                  description: Secret where the secret key can be found
-                  type: string
-                tower_broadcast_websocket_secret:
-                  description: Secret where the broadcast websocket secret can be found
-                  type: string
-                tower_extra_volumes:
-                  description: Specify extra volumes to add to the application pod
-                  type: string
-                tower_ingress_type:
-                  description: The ingress type to use to reach the deployed instance
-                  type: string
-                  enum:
-                    - none
-                    - Ingress
-                    - ingress
-                    - Route
-                    - route
-                    - LoadBalancer
-                    - loadbalancer
-                tower_ingress_annotations:
-                  description: Annotations to add to the ingress
-                  type: string
-                tower_ingress_tls_secret:
-                  description: Secret where the ingress TLS secret can be found
-                  type: string
-                tower_loadbalancer_annotations:
-                  description: Annotations to add to the loadbalancer
-                  type: string
-                tower_loadbalancer_protocol:
-                  description: Protocol to use for the loadbalancer
-                  type: string
-                  default: http
-                  enum:
-                    - http
-                    - https
-                tower_loadbalancer_port:
-                  description: Port to use for the loadbalancer
-                  type: integer
-                  default: 80
-                tower_route_host:
-                  description: The DNS to use to points to the instance
-                  type: string
-                tower_route_tls_termination_mechanism:
-                  description: The secure TLS termination mechanism to use
-                  type: string
-                  default: Edge
-                  enum:
-                    - Edge
-                    - edge
-                    - Passthrough
-                    - passthrough
-                tower_route_tls_secret:
-                  description: Secret where the TLS related credentials are stored
-                  type: string
-                tower_image:
-                  description: Registry path to the application container to use
-                  type: string
-                tower_image_pull_policy:
-                  description: The image pull policy
-                  type: string
-                  default: IfNotPresent
-                  enum:
-                    - Always
-                    - always
-                    - Never
-                    - never
-                    - IfNotPresent
-                    - ifnotpresent
-                tower_task_resource_requirements:
-                  description: Resource requirements for the task container
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                  type: object
-                tower_web_resource_requirements:
-                  description: Resource requirements for the web container
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                  type: object
-                tower_replicas:
-                  description: Number of instance replicas
-                  type: integer
-                  default: 1
-                  format: int32
-                tower_garbage_collect_secrets:
-                  description: Whether or not to remove secrets upon instance removal
-                  default: false
-                  type: boolean
-                tower_create_preload_data:
-                  description: Whether or not to preload data upon Tower instance creation
-                  default: true
-                  type: boolean
-                tower_task_args:
-                  type: array
-                  items:
-                    type: string
-                tower_task_command:
-                  type: array
-                  items:
-                    type: string
-                tower_web_args:
-                  type: array
-                  items:
-                    type: string
-                tower_web_command:
-                  type: array
-                  items:
-                    type: string
-                tower_task_extra_env:
-                  type: string
-                tower_web_extra_env:
-                  type: string
-                tower_task_extra_volume_mounts:
-                  type: string
-                tower_web_extra_volume_mounts:
-                  type: string
-                tower_redis_image:
-                  description: Registry path to the redis container to use
-                  type: string
-                tower_postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                tower_postgres_resource_requirements:
-                  description: Resource requirements for the PostgreSQL container
-                  properties:
-                    requests:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                    limits:
-                      properties:
-                        cpu:
-                          type: string
-                        memory:
-                          type: string
-                        storage:
-                          type: string
-                      type: object
-                  type: object
-                tower_postgres_storage_class:
-                  description: Storage class to use for the PostgreSQL PVC
-                  type: string
-                tower_postgres_data_path:
-                  description: Path where the PostgreSQL data are located
-                  type: string
-                ca_trust_bundle:
-                  description: Path where the trusted CA bundle is available
-                  type: string
-                development_mode:
-                  description: If the deployment should be done in development mode
-                  type: boolean
-              type: object
-            status:
-              properties:
-                towerURL:
-                  description: URL to access the deployed instance
-                  type: string
-                towerAdminUser:
-                  description: Admin user of the deployed instance
-                  type: string
-                towerAdminPasswordSecret:
-                  description: Admin password of the deployed instance
-                  type: string
-                towerMigratedFromSecret:
-                  description: The secret used for migrating an old Tower.
-                  type: string
-                towerVersion:
-                  description: Version of the deployed instance
-                  type: string
-                towerImage:
-                  description: URL of the image used for the deployed instance
-                  type: string
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      status:
-                        type: string
-                      type:
-                        type: string
-                      reason:
-                        type: string
-                      lastTransitionTime:
-                        type: string
-                    type: object
-                  type: array
-              type: object
-          type: object

deploy/crds/awx_v1beta1_cr.yaml

@@ -1,24 +0,0 @@
----
-apiVersion: awx.ansible.com/v1beta1
-kind: AWX
-metadata:
-  name: example-awx
-  namespace: example-awx
-spec:
-  tower_ingress_type: none
-  tower_task_privileged: false
-
-  tower_hostname: example-awx.test
-
-  tower_admin_user: test
-  tower_admin_email: test@example.com
-
-  tower_image: quay.io/ansible/awx:18.0.0
-
-  tower_create_preload_data: true
-
-  tower_memcached_image: memcached:alpine
-
-  tower_redis_image: redis:latest
-
-  tower_postgres_storage_class: ''

deploy/crds/awx_v1beta1_crd.yaml

@@ -29,9 +29,11 @@ spec:
                 tower_task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
+                  default: false
                 tower_admin_user:
                   description: Username to use for the admin account
                   type: string
+                  default: admin
                 tower_hostname:
                   description: The hostname of the instance
                   type: string
@@ -102,9 +104,25 @@ spec:
                 tower_route_tls_secret:
                   description: Secret where the TLS related credentials are stored
                   type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
                 tower_image:
                   description: Registry path to the application container to use
                   type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
                 tower_image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -116,6 +134,9 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
                 tower_task_resource_requirements:
                   description: Resource requirements for the task container
                   properties:
@@ -237,6 +258,33 @@ spec:
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
               type: object
             status:
               properties:

deploy/crds/awx_v1beta1_molecule.yaml

@@ -7,28 +7,11 @@ metadata:
 spec:
   deployment_type: awx
   tower_ingress_type: ingress
-  tower_task_privileged: false
-
-  tower_admin_email: test@example.com
-
-  tower_image: quay.io/ansible/awx:18.0.0
-
   tower_web_resource_requirements:
     requests:
       cpu: 500m
       memory: 128M
-
   tower_task_resource_requirements:
     requests:
       cpu: 500m
       memory: 128M
-
-  tower_create_preload_data: true
-
-  tower_memcached_image: memcached:alpine
-
-  tower_redis_image: redis:latest
-
-  tower_postgres_pass: awxpass
-  tower_postgres_image: postgres:12
-  tower_postgres_storage_class: ''

deploy/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./awx-operator.yaml

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -4,27 +4,6 @@ metadata:
   annotations:
     alm-examples: |-
       [
-        {
-          "apiVersion": "awx.ansible.com/v1beta1",
-          "kind": "AWX",
-          "metadata": {
-            "name": "example-awx",
-            "namespace": "example-awx"
-          },
-          "spec": {
-            "tower_admin_email": "test@example.com",
-            "tower_admin_user": "test",
-            "tower_broadcast_websocket_secret": "changeme",
-            "tower_create_preload_data": true,
-            "tower_hostname": "example-awx.test",
-            "tower_image": "quay.io/ansible/awx:18.0.0",
-            "tower_ingress_type": "none",
-            "tower_memcached_image": "memcached:alpine",
-            "tower_postgres_storage_class": "",
-            "tower_redis_image": "redis:latest",
-            "tower_task_privileged": false
-          }
-        },
         {
           "apiVersion": "awx.ansible.com/v1beta1",
           "kind": "AWX",
@@ -34,17 +13,7 @@ metadata:
           },
           "spec": {
             "deployment_type": "awx",
-            "tower_admin_email": "test@example.com",
-            "tower_broadcast_websocket_secret": "changeme",
-            "tower_create_preload_data": true,
-            "tower_image": "quay.io/ansible/awx:18.0.0",
             "tower_ingress_type": "ingress",
-            "tower_memcached_image": "memcached:alpine",
-            "tower_postgres_image": "postgres:12",
-            "tower_postgres_pass": "awxpass",
-            "tower_postgres_storage_class": "",
-            "tower_redis_image": "redis:latest",
-            "tower_task_privileged": false,
             "tower_task_resource_requirements": {
               "requests": {
                 "cpu": "500m",
@@ -70,8 +39,8 @@ spec:
   customresourcedefinitions:
     owned:
     - description: A AWX Instance
-      kind: AWX
       displayName: AWX
+      kind: AWX
       name: awxs.awx.ansible.com
       specDescriptors:
       - displayName: Hostname
@@ -99,6 +68,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
+      - displayName: Old Database configuration secret
         path: tower_old_postgres_configuration_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -176,6 +146,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
+      - displayName: Image Pull Secret
+        path: tower_image_pull_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:imagePullSecret
       - displayName: Web container resource requirements
         path: tower_web_resource_requirements
         x-descriptors:
@@ -207,6 +182,18 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Deploy the instance in development mode ?
+        path: development_mode
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Should Tower Task container deployed with privileged level ?
+        path: tower_task_privileged
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Deployment Type
         path: deployment_type
         x-descriptors:
@@ -217,16 +204,131 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Redis Image
+        path: tower_redis_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: tower_postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Tower Postgres Storage Class
         path: tower_postgres_storage_class
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Postgres Datapath
+        path: tower_postgres_data_path
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Certificate Authorirty Trust Bundle
         path: ca_trust_bundle
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: LDAP Certificate Authority Trust Bundle
+        path: ldap_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - displayName: Tower Task Args
+        path: tower_task_args
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Enable persistence for /var/lib/projects directory?
+        path: tower_projects_persistence
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Use existing Persistent Claim?
+        path: tower_projects_use_existing_claim
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:select:_Yes_
+        - urn:alm:descriptor:com.tectonic.ui:select:_No_
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_persistence:true
+      - displayName: Tower Projects Existing Persistent Claim
+        path: tower_projects_existing_claim
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_Yes_
+        - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
+      - description: Tower Projects Storage Class Name. If not present, the default
+          storage class will be used.
+        displayName: Tower Projects Storage Class Name
+        path: tower_projects_storage_class
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Tower Projects Storage Size
+        displayName: Tower Projects Storage Size
+        path: tower_projects_storage_size
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Tower Projects Storage Access Mode
+        displayName: Tower Projects Storage Access Mode
+        path: tower_projects_storage_access_mode
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: Tower Task Command
+        path: tower_task_command
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Task Extra Env
+        path: tower_task_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Task Extra Volume Mounts
+        path: tower_task_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Args
+        path: tower_web_args
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Command
+        path: tower_web_command
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Extra Env
+        path: tower_web_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Extra Volume Mounts
+        path: tower_web_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Extra Volumes
+        path: tower_extra_volumes
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Node Selector
+        path: tower_node_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Tolerations
+        path: tower_tolerations
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -313,6 +415,12 @@ spec:
           - deployments/finalizers
           verbs:
           - update
+        - apiGroups:
+          - apps
+          resources:
+          - deployments/scale
+          verbs:
+          - patch
         - apiGroups:
           - ""
           resources:
@@ -360,14 +468,14 @@ spec:
                   value: awx-operator
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/ansible/awx-operator:0.6.0
+                image: quay.io/ansible/awx-operator:0.8.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
                     path: /healthz
                     port: 6789
-                  initialDelaySeconds: 5
-                  periodSeconds: 3
+                  initialDelaySeconds: 15
+                  periodSeconds: 20
                 name: awx-operator
                 resources: {}
                 volumeMounts:

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -28,6 +28,10 @@ spec:
               development_mode:
                 description: If the deployment should be done in development mode
                 type: boolean
+              ldap_cacert_secret:
+                description: Secret where can be found the LDAP trusted Certificate
+                  Authority Bundle
+                type: string
               tower_admin_email:
                 description: The admin user email
                 type: string
@@ -35,6 +39,7 @@ spec:
                 description: Secret where the admin password can be found
                 type: string
               tower_admin_user:
+                default: admin
                 description: Username to use for the admin account
                 type: string
               tower_broadcast_websocket_secret:
@@ -44,6 +49,17 @@ spec:
                 default: true
                 description: Whether or not to preload data upon Tower instance creation
                 type: boolean
+              tower_ee_images:
+                description: Registry path to the Execution Environment container
+                  to use
+                items:
+                  properties:
+                    image:
+                      type: string
+                    name:
+                      type: string
+                  type: object
+                type: array
               tower_extra_volumes:
                 description: Specify extra volumes to add to the application pod
                 type: string
@@ -68,6 +84,9 @@ spec:
                 - IfNotPresent
                 - ifnotpresent
                 type: string
+              tower_image_pull_secret:
+                description: The image pull secret
+                type: string
               tower_ingress_annotations:
                 description: Annotations to add to the ingress
                 type: string
@@ -88,22 +107,26 @@ spec:
               tower_loadbalancer_annotations:
                 description: Annotations to add to the loadbalancer
                 type: string
-              tower_loadbalancer_protocol:
-                description: Protocol to use for the loadbalancer
-                type: string
-                default: http
-                enum:
-                  - http
-                  - https
               tower_loadbalancer_port:
-                description: Port to use for the loadbalancer
-                type: number
                 default: 80
-              tower_postgres_configuration_secret:
-                description: Secret where the database configuration can be found
+                description: Port to use for the loadbalancer
+                type: integer
+              tower_loadbalancer_protocol:
+                default: http
+                description: Protocol to use for the loadbalancer
+                enum:
+                - http
+                - https
+                type: string
+              tower_node_selector:
+                description: nodeSelector for the AWX pods
                 type: string
               tower_old_postgres_configuration_secret:
-                description: Secret where the old database configuration can be found for data migration
+                description: Secret where the old database configuration can be found
+                  for data migration
+                type: string
+              tower_postgres_configuration_secret:
+                description: Secret where the database configuration can be found
                 type: string
               tower_postgres_data_path:
                 description: Path where the PostgreSQL data are located
@@ -136,6 +159,31 @@ spec:
               tower_postgres_storage_class:
                 description: Storage class to use for the PostgreSQL PVC
                 type: string
+              tower_projects_existing_claim:
+                description: PersistentVolumeClaim to mount /var/lib/projects directory
+                type: string
+              tower_projects_persistence:
+                default: false
+                description: Whether or not the /var/lib/projects directory will be
+                  persistent
+                type: boolean
+              tower_projects_storage_access_mode:
+                default: ReadWriteMany
+                description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_storage_class:
+                description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_storage_size:
+                default: 8Gi
+                description: Size for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_use_existing_claim:
+                description: Using existing PersistentVolumeClaim
+                enum:
+                - _Yes_
+                - _No_
+                type: string
               tower_redis_image:
                 description: Registry path to the redis container to use
                 type: string
@@ -175,6 +223,7 @@ spec:
               tower_task_extra_volume_mounts:
                 type: string
               tower_task_privileged:
+                default: false
                 description: If a privileged security context should be enabled
                 type: boolean
               tower_task_resource_requirements:
@@ -199,6 +248,9 @@ spec:
                         type: string
                     type: object
                 type: object
+              tower_tolerations:
+                description: node tolerations for the AWX pods
+                type: string
               tower_web_args:
                 items:
                   type: string
@@ -260,6 +312,9 @@ spec:
               towerImage:
                 description: URL of the image used for the deployed instance
                 type: string
+              towerMigratedFromSecret:
+                description: The secret used for migrating an old Tower.
+                type: string
               towerURL:
                 description: URL to access the deployed instance
                 type: string

docs/migration.md

@@ -21,7 +21,7 @@ type: Opaque
 
 **Note**: `<resourcename>` must match the `name` of the AWX object you are creating. In our example below, it is `awx`.
 
-### Old Databse Credentials
+### Old Database Credentials
 
 The secret should be formatted as follows:
 

molecule/default/asserts.yml

@@ -7,12 +7,31 @@
     ansible_python_interpreter: '{{ ansible_playbook_python }}'
 
   tasks:
+    - name: Get AWX Kind data
+      k8s_info:
+        api_version: awx.ansible.com/v1beta1
+        kind: AWX
+        namespace: example-awx
+        label_selectors:
+          - "app.kubernetes.io/name=example-awx"
+          - "app.kubernetes.io/part-of=example-awx"
+          - "app.kubernetes.io/managed-by=awx-operator"
+          - "app.kubernetes.io/component=awx"
+      register: awx_kind
+
+    - name: Verify there is one AWX kind
+      assert:
+        that: '{{ (awx_kind.resources | length) == 1 }}'
+
     - name: Get AWX Pod data
       k8s_info:
         kind: Pod
         namespace: example-awx
         label_selectors:
-          - app=awx
+          - "app.kubernetes.io/name=example-awx"
+          - "app.kubernetes.io/part-of=example-awx"
+          - "app.kubernetes.io/managed-by=awx-operator"
+          - "app.kubernetes.io/component=awx"
       register: tower_pods
 
     - name: Verify there is one AWX pod

molecule/test-local/converge.yml

@@ -110,7 +110,7 @@
               kind="Deployment",
               api_version="apps/v1",
               namespace=custom_resource.metadata.namespace,
-              label_selector="app=awx")
+              label_selector="app.kubernetes.io/name=example-awx")
             }}'
 
         - name: get operator logs

molecule/test-minikube/converge.yml

@@ -118,7 +118,7 @@
               kind="Deployment",
               api_version="apps/v1",
               namespace=custom_resource.metadata.namespace,
-              label_selector="app=awx")
+              label_selector="app.kubernetes.io/name=example-awx")
             }}'
 
         - name: get operator logs

roles/installer/defaults/main.yml

@@ -38,6 +38,22 @@ tower_route_host: ''
 
 tower_hostname: '{{ deployment_type }}.example.com'
 
+# Add a nodeSelector for the AWX pods. It must match a node's labels for the pod
+# to be scheduled on that node. Specify as literal block. E.g.:
+# tower_node_selector: |
+#   disktype: ssd
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+tower_node_selector: ''
+
+# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
+# tower_tolerations: |
+#   - key: "dedicated"
+#     operator: "Equal"
+#     value: "AWX"
+#     effect: "NoSchedule"
+tower_tolerations: ''
+
 tower_admin_user: admin
 tower_admin_email: test@example.com
 
@@ -65,10 +81,13 @@ tower_extra_volumes: ''
 
 # Use these image versions for Ansible AWX.
 
-tower_image: quay.io/ansible/awx:18.0.0
+tower_image: quay.io/ansible/awx:19.0.0
 tower_image_pull_policy: IfNotPresent
 tower_image_pull_secret: ''
-default_ee: quay.io/ansible/awx-ee
+
+tower_ee_images:
+  - name: AWX EE 0.1.1
+    image: quay.io/ansible/awx-ee:0.1.1
 
 tower_create_preload_data: true
 
@@ -117,10 +136,27 @@ tower_postgres_resource_requirements:
 tower_postgres_storage_class: ''
 tower_postgres_data_path: '/var/lib/postgresql/data/pgdata'
 
+# Persistence to the AWX project data folder
+# Whether or not the /var/lib/projects directory will be persistent
+tower_projects_persistence: false
+#
+# Define an existing PersistentVolumeClaim to use
+tower_projects_existing_claim: ''
+#
+# Define the storage_class, size and access_mode
+# when not using an existing claim
+tower_projects_storage_class: ''
+tower_projects_storage_size: 8Gi
+tower_projects_storage_access_mode: ReadWriteMany
+
 # Secret to lookup that provide the PostgreSQL configuration
 #
 tower_postgres_configuration_secret: ''
 
 ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 
+# Secret to lookup that provides the LDAP CACert trusted bundle
+#
+ldap_cacert_secret: ''
+
 development_mode: false

roles/installer/tasks/database_configuration.yml

@@ -14,14 +14,26 @@
     name: '{{ meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
 
-- name: Check for old PostgreSQL configuration secret
+- name: Check for specified old PostgreSQL configuration secret
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
     name: '{{ tower_old_postgres_configuration_secret }}'
-  register: old_pg_config
+  register: _custom_old_pg_config_resources
   when: tower_old_postgres_configuration_secret | length
 
+- name: Check for default old PostgreSQL configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-old-postgres-configuration'
+  register: _default_old_pg_config_resources
+
+- name: Set old PostgreSQL configuration
+  set_fact:
+    # yamllint disable-line rule:line-length
+    old_pg_config: '{{ _custom_old_pg_config_resources["resources"] | default([]) | length | ternary(_custom_old_pg_config_resources, _default_old_pg_config_resources) }}'  # noqa 204
+
 - name: Set proper database name when migrating from old deployment
   set_fact:
     database_name: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -0,0 +1,12 @@
+---
+- name: Retrieve LDAP CA Certificate Secret
+  community.kubernetes.k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ldap_cacert_secret }}'
+  register: ldap_cacert
+
+- name: Load LDAP CA Certificate Secret content
+  set_fact:
+    ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -1,7 +1,33 @@
 ---
+- name: Patching labels to AWX kind
+  k8s:
+    state: present
+    definition:
+      apiVersion: awx.ansible.com/v1beta1
+      kind: AWX
+      name: '{{ meta.name }}'
+      namespace: '{{ meta.namespace }}'
+      metadata:
+        name: '{{ meta.name }}'
+        namespace: '{{ meta.namespace }}'
+        labels:
+          app.kubernetes.io/name: '{{ meta.name }}'
+          app.kubernetes.io/part-of: '{{ meta.name }}'
+          app.kubernetes.io/managed-by: awx-operator
+          app.kubernetes.io/component: awx
+
+- name: Get current version
+  set_fact:
+    tower_image_version: "{{ tower_image.split(':')[1] }}"
+
 - name: Include secret key configuration tasks
   include_tasks: secret_key_configuration.yml
 
+- name: Load LDAP CAcert certificate
+  include_tasks: load_ldap_cacert_secret.yml
+  when:
+    - ldap_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 
@@ -32,6 +58,7 @@
   loop:
     - 'tower_app_credentials'
     - 'tower_service_account'
+    - 'tower_persistent'
     - 'tower_deployment'
     - 'tower_service'
     - 'tower_ingress'
@@ -41,7 +68,9 @@
     kind: Pod
     namespace: '{{ meta.namespace }}'
     label_selectors:
-      - "app={{ deployment_type }}"
+      - "app.kubernetes.io/name={{ meta.name }}"
+      - "app.kubernetes.io/managed-by=awx-operator"
+      - "app.kubernetes.io/component=awx"
   register: tower_pods
   until: "tower_pods['resources'][0]['status']['phase'] == 'Running'"
   delay: 5

roles/installer/tasks/migrate_data.yml

@@ -13,7 +13,7 @@
     kind: Pod
     namespace: '{{ meta.namespace }}'
     label_selectors:
-      - "app={{ deployment_type }}-postgres"
+      - "app.kubernetes.io/name={{ meta.name }}-postgres"
   register: postgres_pod
   until: "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
   delay: 5
@@ -52,7 +52,7 @@
 - name: Set pg_restore command
   set_fact:
     psql_restore: >-
-      psql -U {{ awx_postgres_user }}
+      psql -U {{ database_username }}
       -d template1
       -p {{ awx_postgres_port }}
 

roles/installer/templates/environment.sh.j2

@@ -1,5 +0,0 @@
-DATABASE_USER={{ awx_postgres_user }}
-DATABASE_NAME={{ awx_postgres_database }}
-DATABASE_HOST={{ awx_postgres_host }}
-DATABASE_PORT={{ awx_postgres_port }}
-DATABASE_PASSWORD={{ awx_postgres_pass | quote }}

roles/installer/templates/execution_environments.py.j2

@@ -0,0 +1,5 @@
+DEFAULT_EXECUTION_ENVIRONMENTS = [
+{% for item in tower_ee_images %}
+    {'name': '{{ item.name }}' , 'image': '{{ item.image }}'}
+{% endfor %}
+]

roles/installer/templates/ldap.py.j2

@@ -0,0 +1,6 @@
+AUTH_LDAP_GLOBAL_OPTIONS = {
+{% if ldap_cacert_ca_crt %}
+    ldap.OPT_X_TLS_REQUIRE_CERT: True,
+    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
+{% endif %}
+}

roles/installer/templates/tower_admin_password_secret.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-admin-password'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 stringData:
   password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_app_credentials.yaml.j2

@@ -5,6 +5,12 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-app-credentials'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 data:
-  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
-  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+  credentials.py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  ldap.py: "{{ lookup('template', 'ldap.py.j2') | b64encode }}"
+  execution_environments.py: "{{ lookup('template', 'execution_environments.py.j2') | b64encode }}"

roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-broadcast-websocket'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 stringData:
   secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_config.yaml.j2

@@ -6,7 +6,10 @@ metadata:
   name: '{{ meta.name }}-{{ deployment_type }}-configmap'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 data:
   environment: |
     AWX_SKIP_MIGRATIONS=true
@@ -218,6 +221,7 @@ data:
     - control-service:
         service: control
         filename: /var/run/receptor/receptor.sock
+        permissions: 0660
 
     - local-only:
 

roles/installer/templates/tower_deployment.yaml.j2

@@ -6,16 +6,26 @@ metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/version: '{{ tower_image_version }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 spec:
   replicas: {{ tower_replicas }}
   selector:
     matchLabels:
-      app: '{{ deployment_type }}'
+      app.kubernetes.io/name: '{{ meta.name }}'
+      app.kubernetes.io/managed-by: awx-operator
+      app.kubernetes.io/component: awx
   template:
     metadata:
       labels:
-        app: '{{ deployment_type }}'
+        app.kubernetes.io/name: '{{ meta.name }}'
+        app.kubernetes.io/version: '{{ tower_image_version }}'
+        app.kubernetes.io/part-of: '{{ meta.name }}'
+        app.kubernetes.io/managed-by: awx-operator
+        app.kubernetes.io/component: awx
     spec:
       serviceAccountName: '{{ meta.name }}'
 {% if tower_image_pull_secret %}
@@ -57,6 +67,12 @@ spec:
             - name: "{{ meta.name }}-nginx-certs"
               mountPath: "/etc/nginx/pki"
               readOnly: true
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+            - name: "{{ meta.name }}-ldap-cacert"
+              mountPath: /etc/openldap/certs/ldap-ca.crt
+              subPath: ldap-ca.crt
+              readOnly: true
 {% endif %}
             - name: "{{ secret_key_secret_name }}"
               mountPath: /etc/tower/SECRET_KEY
@@ -144,7 +160,7 @@ spec:
 {% endif %}
           env:
             - name: SUPERVISOR_WEB_CONFIG_PATH
-              value: "/supervisor.conf"
+              value: "/etc/supervisord.conf"
             - name: AWX_SKIP_MIGRATIONS
               value: "1"
             - name: MY_POD_UID
@@ -167,7 +183,7 @@ spec:
             {{ tower_task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ tower_task_resource_requirements }}
-        - image: '{{ default_ee }}'
+        - image: '{{ tower_ee_images[0].image }}'
           name: '{{ meta.name }}-ee'
           imagePullPolicy: '{{ tower_image_pull_policy }}'
           args: ['receptor', '--config', '/etc/receptor.conf']
@@ -186,6 +202,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+{% endif %}
+{% if tower_node_selector %}
+      nodeSelector:
+        {{ tower_node_selector | indent(width=8) }}
+{% endif %}
+{% if tower_tolerations %}
+      tolerations:
+        {{ tower_tolerations | indent(width=8) }}
 {% endif %}
       volumes:
 {% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
@@ -197,15 +221,25 @@ spec:
                 path: 'web.key'
               - key: tls.crt
                 path: 'web.crt'
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+        - name: "{{ meta.name }}-ldap-cacert"
+          secret:
+            secretName: "{{ ldap_cacert_secret }}"
+            items:
+              - key: ldap-ca.crt
+                path: 'ldap-ca.crt'
 {% endif %}
         - name: "{{ meta.name }}-application-credentials"
           secret:
             secretName: "{{ meta.name }}-app-credentials"
             items:
-              - key: credentials_py
+              - key: credentials.py
                 path: 'credentials.py'
-              - key: environment_sh
-                path: 'environment.sh'
+              - key: ldap.py
+                path: 'ldap.py'
+              - key: execution_environments.py
+                path: 'execution_environments.py'
         - name: "{{ secret_key_secret_name }}"
           secret:
             secretName: '{{ secret_key_secret_name }}'
@@ -249,7 +283,16 @@ spec:
               - key: receptor_conf
                 path: receptor.conf
         - name: "{{ meta.name }}-projects"
+{% if tower_projects_persistence|bool %}
+          persistentVolumeClaim:
+{% if tower_projects_existing_claim %}
+            claimName: {{ tower_projects_existing_claim }}
+{% else %}
+            claimName: '{{ meta.name }}-projects-claim'
+{% endif %}
+{% else %}
           emptyDir: {}
+{% endif %}
 {% if development_mode | bool %}
         - name: awx-devel
           hostPath:

roles/installer/templates/tower_ingress.yaml.j2

@@ -5,6 +5,11 @@ kind: Ingress
 metadata:
   name: '{{ meta.name }}-ingress'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 {% if tower_ingress_annotations %}
   annotations:
     {{ tower_ingress_annotations | indent(width=4) }}
@@ -33,6 +38,11 @@ kind: Route
 metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 spec:
 {% if tower_route_host != '' %}
   host: {{ tower_route_host }}

roles/installer/templates/tower_persistent.yaml.j2

@@ -0,0 +1,21 @@
+{% if tower_projects_persistence|bool and tower_projects_existing_claim == '' %}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ meta.name }}-projects-claim'
+  namespace: '{{ meta.namespace }}'
+  labels:
+   app.kubernetes.io/name: '{{ meta.name }}'
+   app.kubernetes.io/part-of: '{{ meta.name }}'
+   app.kubernetes.io/managed-by: awx-operator
+   app.kubernetes.io/component: awx
+spec:
+  accessModes:
+    - {{ tower_projects_storage_access_mode }}
+  resources:
+    requests:
+      storage: {{ tower_projects_storage_size }}
+{% if tower_projects_storage_class != '' %}
+  storageClassName: {{ tower_projects_storage_class }}
+{% endif %}
+{% endif %}

roles/installer/templates/tower_postgres.yaml.j2

@@ -6,11 +6,16 @@ metadata:
   name: '{{ meta.name }}-postgres'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: database
 spec:
   selector:
     matchLabels:
-      app: '{{ deployment_type }}-postgres'
+      app.kubernetes.io/name: '{{ meta.name }}-postgres'
+      app.kubernetes.io/managed-by: awx-operator
+      app.kubernetes.io/component: database
   serviceName: '{{ meta.name }}'
   replicas: 1
   updateStrategy:
@@ -18,7 +23,10 @@ spec:
   template:
     metadata:
       labels:
-        app: '{{ deployment_type }}-postgres'
+        app.kubernetes.io/name: '{{ meta.name }}-postgres'
+        app.kubernetes.io/part-of: '{{ meta.name }}'
+        app.kubernetes.io/managed-by: awx-operator
+        app.kubernetes.io/component: database
     spec:
       containers:
         - image: '{{ tower_postgres_image }}'
@@ -71,10 +79,15 @@ metadata:
   name: '{{ meta.name }}-postgres'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: database
 spec:
   ports:
     - port: 5432
   clusterIP: None
   selector:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: database

roles/installer/templates/tower_postgres_secret.yaml.j2

@@ -5,6 +5,11 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-postgres-configuration'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 stringData:
   password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'
   username: '{{ database_username }}'

roles/installer/templates/tower_secret_key.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-secret-key'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 stringData:
   secret_key: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_service.yaml.j2

@@ -5,7 +5,10 @@ metadata:
   name: '{{ meta.name }}-service'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 {% if tower_ingress_type | lower == 'loadbalancer' %}
   annotations:
     {{ tower_loadbalancer_annotations | indent(width=4) }}
@@ -25,13 +28,20 @@ spec:
       name: https
 {% endif %}
 {% if tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower == 'https' %}
-    - port: 443
+    - port: {{ tower_loadbalancer_port }}
       protocol: TCP
       targetPort: 8052
       name: https
+{% elif tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower != 'https' %}
+    - port: {{ tower_loadbalancer_port }}
+      protocol: TCP
+      targetPort: 8052
+      name: http
 {% endif %}
   selector:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 {% if tower_ingress_type | lower == "loadbalancer" %}
   type: LoadBalancer
 {% elif tower_ingress_type != "none" %}

roles/installer/templates/tower_service_account.yaml.j2

@@ -4,7 +4,11 @@ kind: ServiceAccount
 metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
-
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: awx-operator
+    app.kubernetes.io/component: awx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

roles/installer/vars/main.yml

@@ -1,3 +1,5 @@
 ---
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
+ldap_cacert_ca_crt: ''
+tower_projects_existing_claim: ''

scripts/build.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+## This script will be build 3 images awx-{operator,bundle,catalog}
+## and push to the $REGISTRY specified.
+##
+## The goal is provide an quick way to build a test image.
+##
+## Example:
+##
+## git clone https://github.com/ansible/awx-operator.git
+## cd awx-operator
+## REGISTRY=registry.example.com/ansible TAG=mytag scripts/build.sh
+##
+## As a result, the $REGISTRY will be populated with 2 images
+## registry.example.com/ansible/awx-operator:mytag
+## registry.example.com/ansible/awx-operator-bundle:mytag
+## registry.example.com/ansible/awx-operator-catalog:mytag
+
+OPERATOR_IMAGE=${OPERATOR_IMAGE:-awx-operator}
+BUNDLE_IMAGE=${BUNDLE_IMAGE:-awx-operator-bundle}
+CATALOG_IMAGE=${CATALOG_IMAGE:-awx-operator-catalog}
+
+verify_podman_binary() {
+  if hash podman 2>/dev/null; then
+      POD_MANAGER="podman"
+  else
+      POD_MANAGER="docker"
+  fi
+}
+
+verify_operator_sdk_binary() {
+  if hash operator-sdk 2>/dev/null; then
+      OPERATOR_SDK="$(which operator-sdk)"
+  else
+      echo "operator-sdk binary not found."
+      echo "Please visit https://sdk.operatorframework.io/docs/building-operators/ansible/installation"
+      exit 1
+  fi
+}
+
+verify_opm_binary() {
+  if hash opm 2>/dev/null; then
+      OPM_BINARY="$(which opm)"
+  else
+      echo "opm binary not found."
+      echo "Please visit https://github.com/operator-framework/operator-registry/releases"
+      exit 1
+  fi
+}
+
+prepare_local_deploy() {
+    echo "operator_image: $REGISTRY/$OPERATOR_IMAGE" > ansible/group_vars/all
+    echo "operator_version: $TAG" >> ansible/group_vars/all
+    echo "pull_policy: Always" >> ansible/group_vars/all
+    ansible-playbook ansible/chain-operator-files.yml
+}
+
+
+REGISTRY=${REGISTRY:-''}
+if [[ -z "$REGISTRY" ]]; then
+    echo "Set your \$REGISTRY variable to your registry server."
+    echo "export REGISTRY=quay.io/ansible"
+    exit 1
+fi
+
+TAG=${TAG:-''}
+if [[ -z "$TAG" ]]; then
+    echo "Set your \$TAG variable to your registry server."
+    echo "export TAG=mytag"
+    exit 1
+fi
+
+build_operator_image() {
+  echo "Building and pushing $OPERATOR_IMAGE image"
+  $POD_MANAGER build . -f build/Dockerfile -t $REGISTRY/$OPERATOR_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$OPERATOR_IMAGE:$TAG
+}
+
+build_bundle_image() {
+  echo "Building and pushing $BUNDLE_IMAGE image"
+  $POD_MANAGER build . -f bundle.Dockerfile -t $REGISTRY/$BUNDLE_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$BUNDLE_IMAGE:$TAG
+}
+
+build_catalog_image() {
+  echo "Building and pushing $CATALOG_IMAGE image"
+  $OPM_BINARY index add --bundles $REGISTRY/$BUNDLE_IMAGE:$TAG --tag $REGISTRY/$CATALOG_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$CATALOG_IMAGE:$TAG
+}
+
+generate_catalogsource_yaml() {
+  echo "Creating CatalogSource YAML"
+  cat > catalogsource.yaml << EOF
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: awx-operator
+  namespace: operators
+spec:
+  displayName: 'Ansible AWX Operator'
+  image: "$REGISTRY/$CATALOG_IMAGE:$TAG"
+  publisher: 'Ansible AWX Operator'
+  sourceType: grpc
+EOF
+
+  echo "Now run: 'kubectl apply -f catalogsource.yaml' to update the operator"
+  echo "Happy testing!"
+}
+
+verify_podman_binary
+verify_operator_sdk_binary
+verify_opm_binary
+prepare_local_deploy
+build_operator_image
+build_bundle_image
+build_catalog_image
+generate_catalogsource_yaml