Merge pull request #266 from shanemcd/bump-19.1.0

Bump 19.1.0

.github/workflows/ci.yaml

@@ -0,0 +1,44 @@
+---
+
+name: CI
+
+on:
+  pull_request:
+    branches: [devel]
+
+  push:
+    branches: [devel]
+
+jobs:
+  pull_request:
+    runs-on: ubuntu-18.04
+    name: pull_request
+    env:
+      DOCKER_API_VERSION: "1.38"
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.8"
+
+      - name: Install Dependencies
+        run: |
+          pip install \
+            molecule \
+            molecule-docker \
+            yamllint \
+            ansible-lint \
+            openshift \
+            jmespath \
+            ansible
+
+      - name: Install Collections
+        run: |
+         ansible-galaxy collection install community.kubernetes operator_sdk.util
+
+      - name: Run Molecule
+        env:
+          MOLECULE_VERBOSITY: 3
+        run: |
+          molecule test -s test-local

.github/workflows/devel.yaml

@@ -0,0 +1,34 @@
+---
+
+name: Devel
+
+on:
+  push:
+    branches: [devel]
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    name: Push devel image
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install Operator-SDK
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          wget -O $GITHUB_WORKSPACE/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/v0.19.4/operator-sdk-v0.19.4-x86_64-linux-gnu
+          chmod +x $GITHUB_WORKSPACE/bin/operator-sdk
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+
+      - name: Build Image
+        run: |
+          operator-sdk build awx-operator:devel
+
+      - name: Push To Quay
+        uses: redhat-actions/push-to-registry@v2.1.1
+        with:
+          image: awx-operator
+          tags: devel
+          registry: quay.io/ansible/
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}

.github/workflows/release.yaml

@@ -0,0 +1,35 @@
+---
+
+name: Release
+
+on:
+  release:
+    types:
+      - created
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    name: Push tagged image to Quay
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install Operator-SDK
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          wget -O $GITHUB_WORKSPACE/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/v0.19.4/operator-sdk-v0.19.4-x86_64-linux-gnu
+          chmod +x $GITHUB_WORKSPACE/bin/operator-sdk
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+
+      - name: Build Image
+        run: |
+          operator-sdk build awx-operator:${{ github.event.release.tag_name }}
+
+      - name: Push To Quay
+        uses: redhat-actions/push-to-registry@v2.1.1
+        with:
+          image: awx-operator
+          tags: ${{ github.event.release.tag_name }}
+          registry: quay.io/ansible/
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}

.travis.yml

@@ -1,19 +0,0 @@
----
-services: docker
-language: python
-
-before_install:
-  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
-  - sudo apt-get update
-  - sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
-
-env:
-  - DOCKER_API_VERSION=1.38
-
-install:
-  - pip3 install docker molecule molecule-docker yamllint ansible-lint openshift jmespath ansible
-  - ansible-galaxy collection install community.kubernetes operator_sdk.util
-
-script:
-  - MOLECULE_VERBOSITY=3 molecule test -s test-local

.yamllint

@@ -8,5 +8,5 @@ ignore: |
 rules:
   truthy: disable
   line-length:
-    max: 160
+    max: 170
     level: warning

README.md

@@ -1,6 +1,6 @@
 # AWX Operator
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://travis-ci.org/ansible/awx-operator.svg?branch=devel)](https://travis-ci.org/ansible/awx-operator)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
 
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
 
@@ -24,10 +24,15 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
          * [Privileged Tasks](#privileged-tasks)
          * [Containers Resource Requirements](#containers-resource-requirements)
+         * [LDAP Certificate Authority](#ldap-certificate-authority)
+         * [Persisting Projects Directory](#persisting-projects-directory)
+         * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
+         * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
    * [Development](#development)
       * [Testing](#testing)
          * [Testing in Docker](#testing-in-docker)
          * [Testing in Minikube](#testing-in-minikube)
+      * [Generating a bundle](#generating-a-bundle)
    * [Release Process](#release-process)
       * [Build a new release](#build-a-new-release)
       * [Build a new version of the operator yaml file](#build-a-new-version-of-the-operator-yaml-file)
@@ -46,10 +51,12 @@ Note that the operator is not supported by Red Hat, and is in **alpha** status.
 
 This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
 
-First you need to deploy AWX Operator into your cluster:
+First, you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release.
+
+Replace `<tag>` in the URL below with the version you are deploying:
 
 ```bash
-#> kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/devel/deploy/awx-operator.yaml
+#> kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/<tag>/deploy/awx-operator.yaml
 ```
 
 Then create a file named `my-awx.yml` with the following contents:
@@ -62,6 +69,8 @@ metadata:
   name: awx
 ```
 
+> The metadata.name you provide, will be the name of the resulting AWX deployment.  If you deploy more than one to the same namespace, be sure to use unique names.
+
 Finally, use `kubectl` to create the awx instance in your cluster:
 
 ```bash
@@ -87,6 +96,9 @@ There are three variables that are customizable for the admin user account creat
 | tower_admin_email           | Email of the admin user                      | test@example.com |
 | tower_admin_password_secret | Secret that contains the admin user password | Empty string     |
 
+
+> :warning: **tower_admin_password_secret must be a Kubernetes secret and not your text clear password**.
+
 If `tower_admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
 
 To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
@@ -111,7 +123,7 @@ stringData:
 
 By default, the AWX operator is not opinionated and won't force a specific ingress type on you. So, if `tower_ingress_type` is not specified as part of the Custom Resource specification, it will default to `none` and nothing ingress-wise will be created.
 
-The AWX operator provides support for three kinds of `Ingress` to access AWX: `Ingress`, `Route` and `LoadBalancer`, To toggle between these options, you can add the following to your AWX CR:
+The AWX operator provides support for four kinds of `Ingress` to access AWX: `Ingress`, `Route`,  `LoadBalancer` and `NodePort`, To toggle between these options, you can add the following to your AWX CR:
 
   * Route
 
@@ -139,9 +151,26 @@ spec:
 spec:
   ...
   tower_ingress_type: LoadBalancer
-  tower_ingress_protocol: http
+  tower_loadbalancer_protocol: http
 ```
 
+  * NodePort
+
+```yaml
+---
+spec:
+  ...
+  tower_ingress_type: NodePort
+```
+
+The AWX `Service` that gets created will have a `type` set based on the `tower_ingress_type` being used:
+
+| Ingress Type `tower_ingress_type`     | Service Type   |
+| ------------------------------------- | -------------- |
+| `LoadBalancer`                        | `LoadBalancer` |
+| `NodePort`                            | `NodePort`     |
+| `Ingress` or `Route` or not specified | `ClusterIP`    |
+
 #### TLS Termination
 
   * Route
@@ -173,6 +202,9 @@ The following variables are customizable to specify the TLS termination procedur
 | tower_loadbalancer_protocol    | Protocol to use for Loadbalancer ingress | http          |
 | tower_loadbalancer_port        | Port used for Loadbalancer ingress       | 80            |
 
+When setting up a Load Balancer for HTTPS you will be required to set the `tower_loadbalancer_port` to move the port away from `80`.
+
+The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and will offload traffic to AWX over HTTP.
 
 ### Database Configuration
 
@@ -196,9 +228,12 @@ stringData:
   database: <desired database name>
   username: <username to connect as>
   password: <password to connect with>
+  sslmode: prefer
 type: Opaque
 ```
 
+**Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
+
 #### Migrating data from an old AWX instance
 
 For instructions on how to migrate from an older version of AWX, see [migration.md](./docs/migration.md).
@@ -212,7 +247,8 @@ The following variables are customizable for the managed PostgreSQL service
 | Name                                 | Description                                | Default                           |
 | ------------------------------------ | ------------------------------------------ | --------------------------------- |
 | tower_postgres_image                 | Path of the image to pull                  | postgres:12                       |
-| tower_postgres_resource_requirements | PostgreSQL container resource requirements | requests: {storage: 8Gi}          |
+| tower_postgres_resource_requirements | PostgreSQL container resource requirements | Empty object                      |
+| tower_postgres_storage_requirements  | PostgreSQL container storage requirements  | requests: {storage: 8Gi}          |
 | tower_postgres_storage_class         | PostgreSQL PV storage class                | Empty string                      |
 | tower_postgres_data_path             | PostgreSQL data path                       | `/var/lib/postgresql/data/pgdata` |
 
@@ -224,10 +260,15 @@ spec:
   ...
   tower_postgres_resource_requirements:
     requests:
+      cpu: 500m
       memory: 2Gi
+    limits:
+      cpu: 1
+      memory: 4Gi
+  tower_postgres_storage_requirements:
+    requests:
       storage: 8Gi
     limits:
-      memory: 4Gi
       storage: 50Gi
   tower_postgres_storage_class: fast-ssd
 ```
@@ -240,11 +281,15 @@ spec:
 
 There are a few variables that are customizable for awx the image management.
 
-| Name                    | Description                | Default            |
-| ----------------------- | -------------------------- | ------------------ |
-| tower_image             | Path of the image to pull  | ansible/awx:15.0.0 |
-| tower_image_pull_policy | The pull policy to adopt   | IfNotPresent       |
-| tower_image_pull_secret | The pull secret to use     | ''                 |
+| Name                      | Description                |
+| --------------------------| -------------------------- |
+| tower_image               | Path of the image to pull  |
+| tower_image_version       | Image version to pull      |
+| tower_image_pull_policy   | The pull policy to adopt   |
+| tower_image_pull_secret   | The pull secret to use     |
+| tower_ee_images           | A list of EEs to register  |
+| tower_redis_image         | Path of the image to pull  |
+| tower_redis_image_version | Image version to pull      |
 
 Example of customization could be:
 
@@ -253,10 +298,16 @@ Example of customization could be:
 spec:
   ...
   tower_image: myorg/my-custom-awx
+  tower_image_version: latest
   tower_image_pull_policy: Always
   tower_image_pull_secret: pull_secret_name
+  tower_ee_images:
+    - name: my-custom-awx-ee
+      image: myorg/my-custom-awx-ee
 ```
 
+**Note**: The `tower_image` and `tower_image_version` are intended for local mirroring scenarios. Please note that using a version of AWX other than the one bundled with the `awx-operator` is **not** supported. For the default values, check the [main.yml](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml) file.
+
 #### Privileged Tasks
 
 Depending on the type of tasks that you'll be running, you may find that you need the task pod to run as `privileged`. This can open yourself up to a variety of security concerns, so you should be aware (and verify that you have the privileges) to do this if necessary. In order to toggle this feature, you can add the following to your custom resource:
@@ -276,6 +327,7 @@ If you are attempting to do this on an OpenShift cluster, you will need to grant
 
 Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action.
 
+
 #### Containers Resource Requirements
 
 The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
@@ -307,6 +359,183 @@ spec:
       memory: 2Gi
 ```
 
+#### Assigning AWX pods to specific nodes
+
+You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `tower_node_selector` and `tower_postgres_selector` constrains
+the AWX pods to run only on the nodes that match all the specified key/value pairs. `tower_tolerations` and `tower_postgres_tolerations` allow the AWX
+pods to be scheduled onto nodes with matching taints.
+
+
+| Name                           | Description                 | Default |
+| -------------------------------| --------------------------- | ------- |
+| tower_postgres_image           | Path of the image to pull   | 12      |
+| tower_postgres_image_version   | Image version to pull       | 12      |
+| tower_node_selector            | AWX pods' nodeSelector      | ''      |
+| tower_tolerations              | AWX pods' tolerations       | ''      |
+| tower_postgres_selector        | Postgres pods' nodeSelector | ''      |
+| tower_postgres_tolerations     | Postgres pods' tolerations  | ''      |
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  tower_node_selector: |
+    disktype: ssd
+    kubernetes.io/arch: amd64
+    kubernetes.io/os: linux
+  tower_tolerations: |
+    - key: "dedicated"
+      operator: "Equal"
+      value: "AWX"
+      effect: "NoSchedule"
+  tower_postgres_selector: |
+    disktype: ssd
+    kubernetes.io/arch: amd64
+    kubernetes.io/os: linux
+  tower_postgres_tolerations: |
+    - key: "dedicated"
+      operator: "Equal"
+      value: "AWX"
+      effect: "NoSchedule"
+```
+
+#### LDAP Certificate Authority
+
+If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+
+| Name                             | Description                             | Default |
+| -------------------------------- | --------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+```
+
+To create the secret, you can use the command below:
+
+```sh
+# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+```
+
+#### Persisting Projects Directory
+
+In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`.
+
+| Name                               | Description                                                                                          | Default        |
+| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
+| tower_projects_persistence         | Whether or not the /var/lib/projects directory will be persistent                                    |  false         |
+| tower_projects_storage_class       | Define the PersistentVolume storage class                                                            |  ''            |
+| tower_projects_storage_size        | Define the PersistentVolume size                                                                     |  8Gi           |
+| tower_projects_storage_access_mode | Define the PersistentVolume access mode                                                              |  ReadWriteMany |
+| tower_projects_existing_claim      | Define an existing PersistentVolumeClaim to use (cannot be combined with `tower_projects_storage_*`) |  ''            |
+
+Example of customization when the `awx-operator` automatically handles the persistent volume could be:
+
+```yaml
+---
+spec:
+  ...
+  tower_projects_persistence: true
+  tower_projects_storage_class: rook-ceph
+  tower_projects_storage_size: 20Gi
+```
+
+#### Custom Volume and Volume Mount Options
+
+In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
+
+| Name                           | Description                                              | Default |
+| ------------------------------ | -------------------------------------------------------- | ------- |
+| tower_extra_volumes            | Specify extra volumes to add to the application pod      | ''      |
+| tower_web_extra_volume_mounts  | Specify volume mounts to be added to Web container       | ''      |
+| tower_task_extra_volume_mounts | Specify volume mounts to be added to Task container      | ''      |
+| tower_ee_extra_volume_mounts   | Specify volume mounts to be added to Execution container | ''      |
+
+Example configuration for ConfigMap
+
+```yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: <resourcename>-extra-config
+  namespace: <target namespace>
+data:
+  ansible.cfg: |
+     [defaults]
+     remote_tmp = /tmp
+     [ssh_connection]
+     ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
+  custom.py:  |
+      INSIGHTS_URL_BASE = "example.org"
+      AWX_CLEANUP_PATHS = True
+```
+Example spec file for volumes and volume mounts
+
+```yaml
+---
+    spec:
+    ...
+      tower_ee_extra_volume_mounts: |
+        - name: ansible-cfg
+          mountPath: /etc/ansible/ansible.cfg
+          subPath: ansible.cfg
+
+      tower_task_extra_volume_mounts: |
+        - name: custom-py
+          mountPath: /etc/tower/conf.d/custom.py
+          subPath: custom.py
+
+      tower_extra_volumes: |
+        - name: ansible-cfg
+          configMap:
+            defaultMode: 420
+            items:
+              - key: ansible.cfg
+                path: ansible.cfg
+            name: <resourcename>-extra-config
+        - name: custom-py
+          configMap:
+            defaultMode: 420
+            items:
+              - key: custom.py
+                path: custom.py
+            name: <resourcename>-extra-config
+
+```
+
+> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
+
+#### Exporting Environment Variables to Containers
+
+If you need to export custom environment variables to your containers.
+
+| Name                          | Description                                              | Default |
+| ----------------------------- | -------------------------------------------------------- | ------- |
+| tower_task_extra_env          | Environment variables to be added to Task container      | ''      |
+| tower_web_extra_env           | Environment variables to be added to Web container       | ''      |
+
+Example configuration of environment variables
+
+```yaml
+  spec:
+    tower_task_extra_env: |
+      - name: MYCUSTOMVAR
+        value: foo
+    tower_web_extra_env: |
+      - name: MYCUSTOMVAR
+        value: foo
+```
+
+
 ## Development
 
 ### Testing
@@ -352,6 +581,55 @@ Alternatively, you can also update the service `awx-service` in your namespace t
 #> minikube service <serviceName> -n <namespaceName> --url
 ```
 
+### Generating a bundle
+
+> :warning: operator-sdk version 0.19.4 is needed to run the following commands
+
+If one has the Operator Lifecycle Manager (OLM) installed, the following steps is the process to generate the bundle that would nicely display in the OLM interface.
+
+At the root of this directory:
+
+1. Build and publish the operator
+
+```
+#> operator-sdk build registry.example.com/ansible/awx-operator:mytag
+#> podman push registry.example.com/ansible/awx-operator:mytag
+```
+
+2. Build and publish the bundle
+
+```
+#> podman build . -f bundle.Dockerfile -t registry.example.com/ansible/awx-operator-bundle:mytag
+#> podman push registry.example.com/ansible/awx-operator-bundle:mytag
+```
+
+3. Build and publish an index with your bundle in it
+
+```
+#> opm index add --bundles registry.example.com/ansible/awx-operator-bundle:mytag --tag registry.example.com/ansible/awx-operator-catalog:mytag
+#> podman push registry.example.com/ansible/awx-operator-catalog:mytag
+```
+
+4. In your Kubernetes create a new CatalogSource pointing to `registry.example.com/ansible/awx-operator-catalog:mytag`
+
+```
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: <catalogsource-name>
+  namespace: <namespace>
+spec:
+  displayName: 'myoperatorhub'
+  image: registry.example.com/ansible/awx-operator-catalog:mytag
+  publisher: 'myoperatorhub'
+  sourceType: grpc
+```
+
+Applying this template will do it. Once the CatalogSource is in a READY state, the bundle should be available on the OperatorHub tab (as part of the custom CatalogSource that just got added)
+
+5. Enjoy
+
 ## Release Process
 
 There are a few moving parts to this project:
@@ -361,21 +639,34 @@ There are a few moving parts to this project:
 
 Each of these must be appropriately built in preparation for a new tag:
 
-### Build a new release
+### Verify Functionality
 
 Run the following command inside this directory:
 
 ```sh
-#> operator-sdk build quay.io/ansible/awx-operator:$VERSION
+#> operator-sdk build quay.io/<user>/awx-operator:test
 ```
 
 Then push the generated image to Docker Hub:
 
 ```sh
-#> docker push quay.io/ansible/awx-operator:$VERSION
+#> docker push quay.io/<user>/awx-operator:test
 ```
 
-### Build a new version of the operator yaml file
+After it is built, test it on a local cluster:
+
+
+```sh
+#> minikube start --memory 6g --cpus 4
+#> minikube addons enable ingress
+#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=test
+#> kubectl create namespace example-awx
+#> ansible-playbook ansible/instantiate-awx-deployment.yml -e tower_namespace=example-awx
+#> <test everything>
+#> minikube delete
+```
+
+### Update version
 
 Update the awx-operator version:
 
@@ -387,20 +678,11 @@ Once the version has been updated, run from the root of the repo:
 #> ansible-playbook ansible/chain-operator-files.yml
 ```
 
-After it is built, test it on a local cluster:
+### Commit / Create Release
 
+If everything works, commit the updated version, then [publish a new release](https://github.com/ansible/awx-operator/releases/new) using the same version you used in `ansible/group_vars/all`.
 
-```sh
-#> minikube start --memory 6g --cpus 4
-#> minikube addons enable ingress
-#> kubectl apply -f deploy/awx-operator.yaml
-#> kubectl create namespace example-awx
-#> kubectl apply -f deploy/crds/awx_v1beta1_cr.yaml
-#> <test everything>
-#> minikube delete
-```
-
-If everything works, commit the updated version, then tag a new repository release with the same tag as the Docker image pushed earlier.
+After creating the release, [this GitHub Workflow](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/release.yaml) will run and publish the new image to quay.io.
 
 ## Author
 

ansible/group_vars/all

@@ -1,3 +1,3 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.7.0
+operator_version: 0.9.0
 pull_policy: Always

ansible/instantiate-awx-deployment.yml

@@ -9,7 +9,7 @@
     - name: Deploy AWX
       k8s:
         state: "{{ state | default('present') }}"
-        namespace: "{{ namespace | default('default') }}"
+        namespace: "{{ tower_namespace | default('default') }}"
         apply: yes
         wait: yes
         definition:
@@ -18,9 +18,13 @@
           metadata:
             name: awx
           spec:
-            tower_admin_user: test
-            tower_admin_email: test@example.com
+            tower_admin_user: admin
+            tower_admin_email: admin@localhost
             tower_ingress_type: "{{ tower_ingress_type | default(omit) }}"  # Either Route, Ingress or LoadBalancer
             tower_image: "{{ tower_image | default(omit) }}"
-            development_mode: "{{ development_mode | default(omit) }}"
+            tower_image_version: "{{ tower_image_version | default(omit) }}"
+            development_mode: "{{ development_mode | default(omit) | bool }}"
             tower_image_pull_policy: "{{ tower_image_pull_policy | default(omit) }}"
+            # tower_ee_images:
+            #   - name: test-ee
+            #     image: quay.io/<user>/awx-ee

ansible/templates/awx-operator.yaml.j2

@@ -1,6 +1,8 @@
 #jinja2: trim_blocks:False
 # This file is generated by Ansible. Changes will be lost.
 # Update templates under ansible/templates/
+{% include 'crd.yml.j2' %}
+
 {% include 'role.yml.j2' %}
 
 {% include 'role_binding.yml.j2' %}
@@ -8,5 +10,3 @@
 {% include 'service_account.yml.j2' %}
 
 {% include 'operator.yml.j2' %}
-
-{% include 'crd.yml.j2' %}

ansible/templates/crd.yml.j2

@@ -26,12 +26,23 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
+                  default: awx
+                kind:
+                  description: Kind of the deployment type
+                  type: string
+                  default: AWX
+                api_version:
+                  description: apiVersion of the deployment type
+                  type: string
+                  default: awx.ansible.com/v1beta1
                 tower_task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
+                  default: false
                 tower_admin_user:
                   description: Username to use for the admin account
                   type: string
+                  default: admin
                 tower_hostname:
                   description: The hostname of the instance
                   type: string
@@ -67,6 +78,8 @@ spec:
                     - route
                     - LoadBalancer
                     - loadbalancer
+                    - NodePort
+                    - nodeport
                 tower_ingress_annotations:
                   description: Annotations to add to the ingress
                   type: string
@@ -102,9 +115,28 @@ spec:
                 tower_route_tls_secret:
                   description: Secret where the TLS related credentials are stored
                   type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
                 tower_image:
                   description: Registry path to the application container to use
                   type: string
+                tower_image_version:
+                  description: Application container image version to use
+                  type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
                 tower_image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -116,6 +148,9 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
                 tower_task_resource_requirements:
                   description: Resource requirements for the task container
                   properties:
@@ -193,16 +228,47 @@ spec:
                   type: string
                 tower_web_extra_env:
                   type: string
+                tower_ee_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Execution container
+                  type: string
                 tower_task_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Task container
                   type: string
                 tower_web_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the Web container
                   type: string
                 tower_redis_image:
                   description: Registry path to the redis container to use
                   type: string
+                tower_redis_image_version:
+                  description: Redis container image version to use
+                  type: string
                 tower_postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
+                tower_postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+                tower_postgres_selector:
+                  description: nodeSelector for the Postgres pods
+                  type: string
+                tower_postgres_tolerations:
+                  description: node tolerations for the Postgres pods
+                  type: string
+                tower_postgres_storage_requirements:
+                  description: Storage requirements for the PostgreSQL container
+                  properties:
+                    requests:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 tower_postgres_resource_requirements:
                   description: Resource requirements for the PostgreSQL container
                   properties:
@@ -212,8 +278,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                     limits:
                       properties:
@@ -221,8 +285,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                   type: object
                 tower_postgres_storage_class:
@@ -237,6 +299,43 @@ spec:
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
+                extra_settings:
+                  description: Extra settings to specify for the API
+                  items:
+                    properties:
+                      setting:
+                        type: string
+                      value:
+                        type: string
+                    type: object
+                  type: array
               type: object
             status:
               properties:

ansible/templates/operator.yml.j2

@@ -37,8 +37,8 @@ spec:
             httpGet:
               path: /healthz
               port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 3
+            initialDelaySeconds: 15
+            periodSeconds: 20
       volumes:
         - name: runner
           emptyDir: {}

ansible/templates/role.yml.j2

@@ -59,6 +59,7 @@ rules:
       - apps
     resources:
       - deployments/scale
+      - statefulsets/scale
     verbs:
       - patch
   - apiGroups:

bundle.Dockerfile

@@ -0,0 +1,14 @@
+FROM scratch
+
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=awx-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.project_layout=ansible
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4
+
+COPY deploy/olm-catalog/awx-operator/manifests /manifests/
+COPY deploy/olm-catalog/awx-operator/metadata /metadata/

deploy/awx-operator.yaml

@@ -1,154 +1,5 @@
 # This file is generated by Ansible. Changes will be lost.
 # Update templates under ansible/templates/
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  creationTimestamp: null
-  name: awx-operator
-rules:
-  - apiGroups:
-      - route.openshift.io
-    resources:
-      - routes
-      - routes/custom-host
-    verbs:
-      - '*'
-  - apiGroups:
-      - ""
-      - "rbac.authorization.k8s.io"
-    resources:
-      - pods
-      - services
-      - services/finalizers
-      - serviceaccounts
-      - endpoints
-      - persistentvolumeclaims
-      - events
-      - configmaps
-      - secrets
-      - roles
-      - rolebindings
-    verbs:
-      - '*'
-  - apiGroups:
-      - apps
-      - extensions
-    resources:
-      - deployments
-      - daemonsets
-      - replicasets
-      - statefulsets
-      - ingresses
-    verbs:
-      - '*'
-  - apiGroups:
-      - monitoring.coreos.com
-    resources:
-      - servicemonitors
-    verbs:
-      - get
-      - create
-  - apiGroups:
-      - apps
-    resourceNames:
-      - awx-operator
-    resources:
-      - deployments/finalizers
-    verbs:
-      - update
-  - apiGroups:
-      - apps
-    resources:
-      - deployments/scale
-    verbs:
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - pods/exec
-    verbs:
-      - create
-      - get
-  - apiGroups:
-      - apps
-    resources:
-      - replicasets
-    verbs:
-      - get
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - '*'
-    verbs:
-      - '*'
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: awx-operator
-subjects:
-  - kind: ServiceAccount
-    name: awx-operator
-    namespace: default
-roleRef:
-  kind: ClusterRole
-  name: awx-operator
-  apiGroup: rbac.authorization.k8s.io
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: awx-operator
-  namespace: default
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: awx-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: awx-operator
-  template:
-    metadata:
-      labels:
-        name: awx-operator
-    spec:
-      serviceAccountName: awx-operator
-      containers:
-        - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.7.0"
-          imagePullPolicy: "Always"
-          volumeMounts:
-            - mountPath: /tmp/ansible-operator/runner
-              name: runner
-          env:
-            # Watch all namespaces (cluster-scoped).
-            - name: WATCH_NAMESPACE
-              value: ""
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: OPERATOR_NAME
-              value: awx-operator
-            - name: ANSIBLE_GATHERING
-              value: explicit
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 3
-      volumes:
-        - name: runner
-          emptyDir: {}
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -177,12 +28,23 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
+                  default: awx
+                kind:
+                  description: Kind of the deployment type
+                  type: string
+                  default: AWX
+                api_version:
+                  description: apiVersion of the deployment type
+                  type: string
+                  default: awx.ansible.com/v1beta1
                 tower_task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
+                  default: false
                 tower_admin_user:
                   description: Username to use for the admin account
                   type: string
+                  default: admin
                 tower_hostname:
                   description: The hostname of the instance
                   type: string
@@ -218,6 +80,8 @@ spec:
                     - route
                     - LoadBalancer
                     - loadbalancer
+                    - NodePort
+                    - nodeport
                 tower_ingress_annotations:
                   description: Annotations to add to the ingress
                   type: string
@@ -253,9 +117,28 @@ spec:
                 tower_route_tls_secret:
                   description: Secret where the TLS related credentials are stored
                   type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
                 tower_image:
                   description: Registry path to the application container to use
                   type: string
+                tower_image_version:
+                  description: Application container image version to use
+                  type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
                 tower_image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -267,6 +150,9 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
                 tower_task_resource_requirements:
                   description: Resource requirements for the task container
                   properties:
@@ -344,16 +230,47 @@ spec:
                   type: string
                 tower_web_extra_env:
                   type: string
+                tower_ee_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Execution container
+                  type: string
                 tower_task_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Task container
                   type: string
                 tower_web_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the Web container
                   type: string
                 tower_redis_image:
                   description: Registry path to the redis container to use
                   type: string
+                tower_redis_image_version:
+                  description: Redis container image version to use
+                  type: string
                 tower_postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
+                tower_postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+                tower_postgres_selector:
+                  description: nodeSelector for the Postgres pods
+                  type: string
+                tower_postgres_tolerations:
+                  description: node tolerations for the Postgres pods
+                  type: string
+                tower_postgres_storage_requirements:
+                  description: Storage requirements for the PostgreSQL container
+                  properties:
+                    requests:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 tower_postgres_resource_requirements:
                   description: Resource requirements for the PostgreSQL container
                   properties:
@@ -363,8 +280,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                     limits:
                       properties:
@@ -372,8 +287,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                   type: object
                 tower_postgres_storage_class:
@@ -388,6 +301,43 @@ spec:
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
+                extra_settings:
+                  description: Extra settings to specify for the API
+                  items:
+                    properties:
+                      setting:
+                        type: string
+                      value:
+                        type: string
+                    type: object
+                  type: array
               type: object
             status:
               properties:
@@ -425,3 +375,153 @@ spec:
                   type: array
               type: object
           type: object
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: awx-operator
+rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+      - routes/custom-host
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+      - "rbac.authorization.k8s.io"
+    resources:
+      - pods
+      - services
+      - services/finalizers
+      - serviceaccounts
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+      - roles
+      - rolebindings
+    verbs:
+      - '*'
+  - apiGroups:
+      - apps
+      - extensions
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+      - ingresses
+    verbs:
+      - '*'
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - apps
+    resourceNames:
+      - awx-operator
+    resources:
+      - deployments/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/scale
+      - statefulsets/scale
+    verbs:
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/exec
+    verbs:
+      - create
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - awx.ansible.com
+    resources:
+      - '*'
+    verbs:
+      - '*'
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: awx-operator
+subjects:
+  - kind: ServiceAccount
+    name: awx-operator
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: awx-operator
+  apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: awx-operator
+  namespace: default
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: awx-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: awx-operator
+  template:
+    metadata:
+      labels:
+        name: awx-operator
+    spec:
+      serviceAccountName: awx-operator
+      containers:
+        - name: awx-operator
+          image: "quay.io/ansible/awx-operator:0.9.0"
+          imagePullPolicy: "Always"
+          volumeMounts:
+            - mountPath: /tmp/ansible-operator/runner
+              name: runner
+          env:
+            # Watch all namespaces (cluster-scoped).
+            - name: WATCH_NAMESPACE
+              value: ""
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: awx-operator
+            - name: ANSIBLE_GATHERING
+              value: explicit
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 6789
+            initialDelaySeconds: 15
+            periodSeconds: 20
+      volumes:
+        - name: runner
+          emptyDir: {}

deploy/crds/awx_v1beta1_cr.yaml

@@ -1,24 +0,0 @@
----
-apiVersion: awx.ansible.com/v1beta1
-kind: AWX
-metadata:
-  name: example-awx
-  namespace: example-awx
-spec:
-  tower_ingress_type: none
-  tower_task_privileged: false
-
-  tower_hostname: example-awx.test
-
-  tower_admin_user: test
-  tower_admin_email: test@example.com
-
-  tower_image: quay.io/ansible/awx:18.0.0
-
-  tower_create_preload_data: true
-
-  tower_memcached_image: memcached:alpine
-
-  tower_redis_image: redis:latest
-
-  tower_postgres_storage_class: ''

deploy/crds/awx_v1beta1_crd.yaml

@@ -26,12 +26,23 @@ spec:
                 deployment_type:
                   description: Name of the deployment type
                   type: string
+                  default: awx
+                kind:
+                  description: Kind of the deployment type
+                  type: string
+                  default: AWX
+                api_version:
+                  description: apiVersion of the deployment type
+                  type: string
+                  default: awx.ansible.com/v1beta1
                 tower_task_privileged:
                   description: If a privileged security context should be enabled
                   type: boolean
+                  default: false
                 tower_admin_user:
                   description: Username to use for the admin account
                   type: string
+                  default: admin
                 tower_hostname:
                   description: The hostname of the instance
                   type: string
@@ -67,6 +78,8 @@ spec:
                     - route
                     - LoadBalancer
                     - loadbalancer
+                    - NodePort
+                    - nodeport
                 tower_ingress_annotations:
                   description: Annotations to add to the ingress
                   type: string
@@ -102,9 +115,28 @@ spec:
                 tower_route_tls_secret:
                   description: Secret where the TLS related credentials are stored
                   type: string
+                tower_node_selector:
+                  description: nodeSelector for the AWX pods
+                  type: string
+                tower_tolerations:
+                  description: node tolerations for the AWX pods
+                  type: string
                 tower_image:
                   description: Registry path to the application container to use
                   type: string
+                tower_image_version:
+                  description: Application container image version to use
+                  type: string
+                tower_ee_images:
+                  description: Registry path to the Execution Environment container to use
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      image:
+                        type: string
                 tower_image_pull_policy:
                   description: The image pull policy
                   type: string
@@ -116,6 +148,9 @@ spec:
                     - never
                     - IfNotPresent
                     - ifnotpresent
+                tower_image_pull_secret:
+                  description: The image pull secret
+                  type: string
                 tower_task_resource_requirements:
                   description: Resource requirements for the task container
                   properties:
@@ -193,16 +228,47 @@ spec:
                   type: string
                 tower_web_extra_env:
                   type: string
+                tower_ee_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Execution container
+                  type: string
                 tower_task_extra_volume_mounts:
+                  description: Specify volume mounts to be added to Task container
                   type: string
                 tower_web_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the Web container
                   type: string
                 tower_redis_image:
                   description: Registry path to the redis container to use
                   type: string
+                tower_redis_image_version:
+                  description: Redis container image version to use
+                  type: string
                 tower_postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
+                tower_postgres_image_version:
+                  description: PostgreSQL container image version to use
+                  type: string
+                tower_postgres_selector:
+                  description: nodeSelector for the Postgres pods
+                  type: string
+                tower_postgres_tolerations:
+                  description: node tolerations for the Postgres pods
+                  type: string
+                tower_postgres_storage_requirements:
+                  description: Storage requirements for the PostgreSQL container
+                  properties:
+                    requests:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                    limits:
+                      properties:
+                        storage:
+                          type: string
+                      type: object
+                  type: object
                 tower_postgres_resource_requirements:
                   description: Resource requirements for the PostgreSQL container
                   properties:
@@ -212,8 +278,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                     limits:
                       properties:
@@ -221,8 +285,6 @@ spec:
                           type: string
                         memory:
                           type: string
-                        storage:
-                          type: string
                       type: object
                   type: object
                 tower_postgres_storage_class:
@@ -237,6 +299,43 @@ spec:
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
+                tower_projects_persistence:
+                  description: Whether or not the /var/lib/projects directory will be persistent
+                  default: false
+                  type: boolean
+                tower_projects_use_existing_claim:
+                  description: Using existing PersistentVolumeClaim
+                  type: string
+                  enum:
+                    - _Yes_
+                    - _No_
+                tower_projects_existing_claim:
+                  description: PersistentVolumeClaim to mount /var/lib/projects directory
+                  type: string
+                tower_projects_storage_class:
+                  description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                  type: string
+                tower_projects_storage_size:
+                  description: Size for the /var/lib/projects PersistentVolumeClaim
+                  default: 8Gi
+                  type: string
+                tower_projects_storage_access_mode:
+                  description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                  default: ReadWriteMany
+                  type: string
+                extra_settings:
+                  description: Extra settings to specify for the API
+                  items:
+                    properties:
+                      setting:
+                        type: string
+                      value:
+                        type: string
+                    type: object
+                  type: array
               type: object
             status:
               properties:

deploy/crds/awx_v1beta1_molecule.yaml

@@ -7,28 +7,11 @@ metadata:
 spec:
   deployment_type: awx
   tower_ingress_type: ingress
-  tower_task_privileged: false
-
-  tower_admin_email: test@example.com
-
-  tower_image: quay.io/ansible/awx:18.0.0
-
   tower_web_resource_requirements:
     requests:
       cpu: 500m
       memory: 128M
-
   tower_task_resource_requirements:
     requests:
       cpu: 500m
       memory: 128M
-
-  tower_create_preload_data: true
-
-  tower_memcached_image: memcached:alpine
-
-  tower_redis_image: redis:latest
-
-  tower_postgres_pass: awxpass
-  tower_postgres_image: postgres:12
-  tower_postgres_storage_class: ''

deploy/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./awx-operator.yaml

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -4,27 +4,6 @@ metadata:
   annotations:
     alm-examples: |-
       [
-        {
-          "apiVersion": "awx.ansible.com/v1beta1",
-          "kind": "AWX",
-          "metadata": {
-            "name": "example-awx",
-            "namespace": "example-awx"
-          },
-          "spec": {
-            "tower_admin_email": "test@example.com",
-            "tower_admin_user": "test",
-            "tower_broadcast_websocket_secret": "changeme",
-            "tower_create_preload_data": true,
-            "tower_hostname": "example-awx.test",
-            "tower_image": "quay.io/ansible/awx:18.0.0",
-            "tower_ingress_type": "none",
-            "tower_memcached_image": "memcached:alpine",
-            "tower_postgres_storage_class": "",
-            "tower_redis_image": "redis:latest",
-            "tower_task_privileged": false
-          }
-        },
         {
           "apiVersion": "awx.ansible.com/v1beta1",
           "kind": "AWX",
@@ -34,17 +13,7 @@ metadata:
           },
           "spec": {
             "deployment_type": "awx",
-            "tower_admin_email": "test@example.com",
-            "tower_broadcast_websocket_secret": "changeme",
-            "tower_create_preload_data": true,
-            "tower_image": "quay.io/ansible/awx:18.0.0",
             "tower_ingress_type": "ingress",
-            "tower_memcached_image": "memcached:alpine",
-            "tower_postgres_image": "postgres:12",
-            "tower_postgres_pass": "awxpass",
-            "tower_postgres_storage_class": "",
-            "tower_redis_image": "redis:latest",
-            "tower_task_privileged": false,
             "tower_task_resource_requirements": {
               "requests": {
                 "cpu": "500m",
@@ -70,8 +39,8 @@ spec:
   customresourcedefinitions:
     owned:
     - description: A AWX Instance
-      kind: AWX
       displayName: AWX
+      kind: AWX
       name: awxs.awx.ansible.com
       specDescriptors:
       - displayName: Hostname
@@ -99,6 +68,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
+      - displayName: Old Database configuration secret
         path: tower_old_postgres_configuration_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -121,6 +91,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:Ingress
         - urn:alm:descriptor:com.tectonic.ui:select:Route
         - urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
+        - urn:alm:descriptor:com.tectonic.ui:select:NodePort
       - displayName: Tower Ingress Annotations
         path: tower_ingress_annotations
         x-descriptors:
@@ -176,6 +147,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
+      - displayName: Image Pull Secret
+        path: tower_image_pull_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:imagePullSecret
       - displayName: Web container resource requirements
         path: tower_web_resource_requirements
         x-descriptors:
@@ -186,12 +162,16 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
-      - displayName: PostgreSQL container resource requirements (when using a managed
-          instance)
+      - displayName: PostgreSQL container resource requirements (when using a managed instance)
         path: tower_postgres_resource_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: PostgreSQL container storage requirements (when using a managed instance)
+        path: tower_postgres_storage_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - displayName: Replicas
         path: tower_replicas
         x-descriptors:
@@ -207,26 +187,210 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Deploy the instance in development mode ?
+        path: development_mode
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Should Tower Task container deployed with privileged level ?
+        path: tower_task_privileged
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Deployment Type
         path: deployment_type
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Deployment Kind
+        path: kind
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Deployment apiVersion
+        path: api_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Tower Image
         path: tower_image
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Image Version
+        path: tower_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Redis Image
+        path: tower_redis_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Redis Image Version
+        path: tower_redis_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: tower_postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: tower_postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Postgres Selector
+        path: tower_postgres_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Postgres Tolerations
+        path: tower_postgres_tolerations
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Tower Postgres Storage Class
         path: tower_postgres_storage_class
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Postgres Datapath
+        path: tower_postgres_data_path
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Certificate Authorirty Trust Bundle
         path: ca_trust_bundle
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: LDAP Certificate Authority Trust Bundle
+        path: ldap_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - displayName: Tower Task Args
+        path: tower_task_args
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Enable persistence for /var/lib/projects directory?
+        path: tower_projects_persistence
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Use existing Persistent Claim?
+        path: tower_projects_use_existing_claim
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:select:_Yes_
+        - urn:alm:descriptor:com.tectonic.ui:select:_No_
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_persistence:true
+      - displayName: Tower Projects Existing Persistent Claim
+        path: tower_projects_existing_claim
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_Yes_
+        - urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
+      - description: Tower Projects Storage Class Name. If not present, the default
+          storage class will be used.
+        displayName: Tower Projects Storage Class Name
+        path: tower_projects_storage_class
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Tower Projects Storage Size
+        displayName: Tower Projects Storage Size
+        path: tower_projects_storage_size
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Tower Projects Storage Access Mode
+        displayName: Tower Projects Storage Access Mode
+        path: tower_projects_storage_access_mode
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: Tower Task Command
+        path: tower_task_command
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Task Extra Env
+        description: Environment variables to be added to Task container
+        path: tower_task_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: 
+        path: tower_ee_extra_volume_mounts
+        description: Specify volume mounts to be added to Execution container
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower EE Images
+        description: Registry path to the Execution Environment container to use
+        path: tower_ee_images
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Task Extra Volume Mounts
+        description: Specify volume mounts to be added to Task container
+        path: tower_task_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Args
+        path: tower_web_args
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Command
+        path: tower_web_command
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Extra Env
+        description: Environment variables to be added to Web container
+        path: tower_web_extra_env
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Web Extra Volume Mounts
+        description: Specify volume mounts to be added to Web container
+        path: tower_web_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Extra Volumes
+        description: Specify extra volumes to add to the application pod
+        path: tower_extra_volumes
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Node Selector
+        path: tower_node_selector
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Tower Tolerations
+        path: tower_tolerations
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: API Extra Settings
+        path: extra_settings
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -313,6 +477,13 @@ spec:
           - deployments/finalizers
           verbs:
           - update
+        - apiGroups:
+          - apps
+          resources:
+          - deployments/scale
+          - statefulsets/scale
+          verbs:
+          - patch
         - apiGroups:
           - ""
           resources:
@@ -360,14 +531,14 @@ spec:
                   value: awx-operator
                 - name: ANSIBLE_GATHERING
                   value: explicit
-                image: quay.io/ansible/awx-operator:0.6.0
+                image: quay.io/ansible/awx-operator:0.8.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
                     path: /healthz
                     port: 6789
-                  initialDelaySeconds: 5
-                  periodSeconds: 3
+                  initialDelaySeconds: 15
+                  periodSeconds: 20
                 name: awx-operator
                 resources: {}
                 volumeMounts:

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -25,9 +25,22 @@ spec:
               deployment_type:
                 description: Name of the deployment type
                 type: string
+                default: awx
+              kind:
+                description: Kind of the deployment type
+                type: string
+                default: AWX
+              api_version:
+                description: apiVersion of the deployment type
+                type: string
+                default: awx.ansible.com/v1beta1
               development_mode:
                 description: If the deployment should be done in development mode
                 type: boolean
+              ldap_cacert_secret:
+                description: Secret where can be found the LDAP trusted Certificate
+                  Authority Bundle
+                type: string
               tower_admin_email:
                 description: The admin user email
                 type: string
@@ -35,6 +48,7 @@ spec:
                 description: Secret where the admin password can be found
                 type: string
               tower_admin_user:
+                default: admin
                 description: Username to use for the admin account
                 type: string
               tower_broadcast_websocket_secret:
@@ -44,6 +58,17 @@ spec:
                 default: true
                 description: Whether or not to preload data upon Tower instance creation
                 type: boolean
+              tower_ee_images:
+                description: Registry path to the Execution Environment container
+                  to use
+                items:
+                  properties:
+                    image:
+                      type: string
+                    name:
+                      type: string
+                  type: object
+                type: array
               tower_extra_volumes:
                 description: Specify extra volumes to add to the application pod
                 type: string
@@ -57,6 +82,9 @@ spec:
               tower_image:
                 description: Registry path to the application container to use
                 type: string
+              tower_image_version:
+                description: Application container image version to use
+                type: string
               tower_image_pull_policy:
                 default: IfNotPresent
                 description: The image pull policy
@@ -68,6 +96,9 @@ spec:
                 - IfNotPresent
                 - ifnotpresent
                 type: string
+              tower_image_pull_secret:
+                description: The image pull secret
+                type: string
               tower_ingress_annotations:
                 description: Annotations to add to the ingress
                 type: string
@@ -84,26 +115,32 @@ spec:
                 - route
                 - LoadBalancer
                 - loadbalancer
+                - NodePort
+                - nodeport
                 type: string
               tower_loadbalancer_annotations:
                 description: Annotations to add to the loadbalancer
                 type: string
-              tower_loadbalancer_protocol:
-                description: Protocol to use for the loadbalancer
-                type: string
-                default: http
-                enum:
-                  - http
-                  - https
               tower_loadbalancer_port:
-                description: Port to use for the loadbalancer
-                type: number
                 default: 80
-              tower_postgres_configuration_secret:
-                description: Secret where the database configuration can be found
+                description: Port to use for the loadbalancer
+                type: integer
+              tower_loadbalancer_protocol:
+                default: http
+                description: Protocol to use for the loadbalancer
+                enum:
+                - http
+                - https
+                type: string
+              tower_node_selector:
+                description: nodeSelector for the AWX pods
                 type: string
               tower_old_postgres_configuration_secret:
-                description: Secret where the old database configuration can be found for data migration
+                description: Secret where the old database configuration can be found
+                  for data migration
+                type: string
+              tower_postgres_configuration_secret:
+                description: Secret where the database configuration can be found
                 type: string
               tower_postgres_data_path:
                 description: Path where the PostgreSQL data are located
@@ -111,34 +148,81 @@ spec:
               tower_postgres_image:
                 description: Registry path to the PostgreSQL container to use
                 type: string
-              tower_postgres_resource_requirements:
-                description: Resource requirements for the PostgreSQL container
+              tower_postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              tower_postgres_selector:
+                description: nodeSelector for the Postgres pods
+                type: string
+              tower_postgres_tolerations:
+                description: node tolerations for the Postgres pods
+                type: string
+              tower_postgres_storage_requirements:
+                description: Storage requirements for the PostgreSQL container
                 properties:
-                  limits:
+                  requests:
                     properties:
-                      cpu:
-                        type: string
-                      memory:
-                        type: string
                       storage:
                         type: string
                     type: object
+                  limits:
+                    properties:
+                      storage:
+                        type: string
+                    type: object
+                type: object
+              tower_postgres_resource_requirements:
+                description: Resource requirements for the PostgreSQL container
+                properties:
                   requests:
                     properties:
                       cpu:
                         type: string
                       memory:
                         type: string
-                      storage:
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
                         type: string
                     type: object
                 type: object
               tower_postgres_storage_class:
                 description: Storage class to use for the PostgreSQL PVC
                 type: string
+              tower_projects_existing_claim:
+                description: PersistentVolumeClaim to mount /var/lib/projects directory
+                type: string
+              tower_projects_persistence:
+                default: false
+                description: Whether or not the /var/lib/projects directory will be
+                  persistent
+                type: boolean
+              tower_projects_storage_access_mode:
+                default: ReadWriteMany
+                description: AccessMode for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_storage_class:
+                description: Storage class for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_storage_size:
+                default: 8Gi
+                description: Size for the /var/lib/projects PersistentVolumeClaim
+                type: string
+              tower_projects_use_existing_claim:
+                description: Using existing PersistentVolumeClaim
+                enum:
+                - _Yes_
+                - _No_
+                type: string
               tower_redis_image:
                 description: Registry path to the redis container to use
                 type: string
+              tower_redis_image_version:
+                description: Redis container image version to use
+                type: string
               tower_replicas:
                 default: 1
                 description: Number of instance replicas
@@ -171,10 +255,16 @@ spec:
                   type: string
                 type: array
               tower_task_extra_env:
+                description: Environment variables to be added to Task container
+                type: string
+              tower_ee_extra_volume_mounts:
+                description: Specify volume mounts to be added to Execution container
                 type: string
               tower_task_extra_volume_mounts:
+                description: Specify volume mounts to be added to Task container
                 type: string
               tower_task_privileged:
+                default: false
                 description: If a privileged security context should be enabled
                 type: boolean
               tower_task_resource_requirements:
@@ -199,6 +289,9 @@ spec:
                         type: string
                     type: object
                 type: object
+              tower_tolerations:
+                description: node tolerations for the AWX pods
+                type: string
               tower_web_args:
                 items:
                   type: string
@@ -208,8 +301,10 @@ spec:
                   type: string
                 type: array
               tower_web_extra_env:
+                description: Environment variables to be added to Web container
                 type: string
               tower_web_extra_volume_mounts:
+                description: Specify volume mounts to be added to web container
                 type: string
               tower_web_resource_requirements:
                 description: Resource requirements for the web container
@@ -233,6 +328,16 @@ spec:
                         type: string
                     type: object
                 type: object
+              extra_settings:
+                description: Extra settings to specify for the API
+                items:
+                  properties:
+                    setting:
+                      type: string
+                    value:
+                      type: string
+                  type: object
+                type: array
             type: object
           status:
             properties:
@@ -260,6 +365,9 @@ spec:
               towerImage:
                 description: URL of the image used for the deployed instance
                 type: string
+              towerMigratedFromSecret:
+                description: The secret used for migrating an old Tower.
+                type: string
               towerURL:
                 description: URL to access the deployed instance
                 type: string

docs/migration.md

@@ -21,7 +21,7 @@ type: Opaque
 
 **Note**: `<resourcename>` must match the `name` of the AWX object you are creating. In our example below, it is `awx`.
 
-### Old Databse Credentials
+### Old Database Credentials
 
 The secret should be formatted as follows:
 
@@ -43,6 +43,12 @@ type: Opaque
 
 > For `host`, a URL resolvable by the cluster could look something like `postgresql.<namespace>.svc.cluster.local`, where `<namespace>` is filled in with the namespace of the AWX deployment you are migrating data from.
 
+If your AWX deployment is already using an external database server or its database is otherwise not managed
+by the AWX deployment, you can instead create the same secret as above but omit the `-old-` from the `name`.
+In the next section pass it in through `tower_postgres_configuration_secret` instead, omitting the `_old_`
+from the key and ensuring the value matches the name of the secret. This will make AWX pick up on the existing
+database and apply any pending migrations. It is strongly recommended to backup your database beforehand.
+
 ## Deploy AWX
 
 When you apply your AWX object, you must specify the name to the database secret you created above:

molecule/default/asserts.yml

@@ -7,12 +7,31 @@
     ansible_python_interpreter: '{{ ansible_playbook_python }}'
 
   tasks:
+    - name: Get AWX Kind data
+      k8s_info:
+        api_version: awx.ansible.com/v1beta1
+        kind: AWX
+        namespace: example-awx
+        label_selectors:
+          - "app.kubernetes.io/name=example-awx"
+          - "app.kubernetes.io/part-of=example-awx"
+          - "app.kubernetes.io/managed-by=awx-operator"
+          - "app.kubernetes.io/component=awx"
+      register: awx_kind
+
+    - name: Verify there is one AWX kind
+      assert:
+        that: '{{ (awx_kind.resources | length) == 1 }}'
+
     - name: Get AWX Pod data
       k8s_info:
         kind: Pod
         namespace: example-awx
         label_selectors:
-          - app=awx
+          - "app.kubernetes.io/name=example-awx"
+          - "app.kubernetes.io/part-of=example-awx"
+          - "app.kubernetes.io/managed-by=awx-operator"
+          - "app.kubernetes.io/component=awx"
       register: tower_pods
 
     - name: Verify there is one AWX pod

molecule/test-local/converge.yml

@@ -110,7 +110,7 @@
               kind="Deployment",
               api_version="apps/v1",
               namespace=custom_resource.metadata.namespace,
-              label_selector="app=awx")
+              label_selector="app.kubernetes.io/name=example-awx")
             }}'
 
         - name: get operator logs

molecule/test-minikube/converge.yml

@@ -118,7 +118,7 @@
               kind="Deployment",
               api_version="apps/v1",
               namespace=custom_resource.metadata.namespace,
-              label_selector="app=awx")
+              label_selector="app.kubernetes.io/name=example-awx")
             }}'
 
         - name: get operator logs

roles/installer/defaults/main.yml

@@ -1,5 +1,7 @@
 ---
 deployment_type: awx
+kind: '{{ deployment_type | upper }}'
+api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 database_name: "{{ deployment_type }}"
 database_username: "{{ deployment_type }}"
@@ -38,6 +40,22 @@ tower_route_host: ''
 
 tower_hostname: '{{ deployment_type }}.example.com'
 
+# Add a nodeSelector for the AWX pods. It must match a node's labels for the pod
+# to be scheduled on that node. Specify as literal block. E.g.:
+# tower_node_selector: |
+#   disktype: ssd
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+tower_node_selector: ''
+
+# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
+# tower_tolerations: |
+#   - key: "dedicated"
+#     operator: "Equal"
+#     value: "AWX"
+#     effect: "NoSchedule"
+tower_tolerations: ''
+
 tower_admin_user: admin
 tower_admin_email: test@example.com
 
@@ -65,10 +83,18 @@ tower_extra_volumes: ''
 
 # Use these image versions for Ansible AWX.
 
-tower_image: quay.io/ansible/awx:18.0.0
+tower_image: quay.io/ansible/awx
+tower_image_version: 19.1.0
+tower_redis_image: docker.io/redis
+tower_redis_image_version: latest
+tower_postgres_image: postgres
+tower_postgres_image_version: 12
 tower_image_pull_policy: IfNotPresent
 tower_image_pull_secret: ''
-default_ee: quay.io/ansible/awx-ee
+
+tower_ee_images:
+  - name: AWX EE 0.2.0
+    image: quay.io/ansible/awx-ee:0.2.0
 
 tower_create_preload_data: true
 
@@ -107,20 +133,53 @@ tower_web_extra_env: ''
 #     mountPath: /some/path
 tower_task_extra_volume_mounts: ''
 tower_web_extra_volume_mounts: ''
+tower_ee_extra_volume_mounts: ''
 
-tower_redis_image: redis:latest
+# Add a nodeSelector for the Postgres pods.
+# It must match a node's labels for the pod to be scheduled on that node.
+# Specify as literal block. E.g.:
+# tower_postgres_selector: |
+#   disktype: ssd
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+tower_postgres_selector: ''
 
-tower_postgres_image: postgres:12
-tower_postgres_resource_requirements:
+# Add node tolerations for the Postgres pods.
+# Specify as literal block. E.g.:
+# tower_postgres_tolerations: |
+#   - key: "dedicated"
+#     operator: "Equal"
+#     value: "AWX"
+#     effect: "NoSchedule"
+tower_postgres_tolerations: ''
+tower_postgres_storage_requirements:
   requests:
     storage: 8Gi
+tower_postgres_resource_requirements: {}
 tower_postgres_storage_class: ''
 tower_postgres_data_path: '/var/lib/postgresql/data/pgdata'
 
+# Persistence to the AWX project data folder
+# Whether or not the /var/lib/projects directory will be persistent
+tower_projects_persistence: false
+#
+# Define an existing PersistentVolumeClaim to use
+tower_projects_existing_claim: ''
+#
+# Define the storage_class, size and access_mode
+# when not using an existing claim
+tower_projects_storage_class: ''
+tower_projects_storage_size: 8Gi
+tower_projects_storage_access_mode: ReadWriteMany
+
 # Secret to lookup that provide the PostgreSQL configuration
 #
 tower_postgres_configuration_secret: ''
 
 ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 
+# Secret to lookup that provides the LDAP CACert trusted bundle
+#
+ldap_cacert_secret: ''
+
 development_mode: false

roles/installer/tasks/database_configuration.yml

@@ -14,14 +14,26 @@
     name: '{{ meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
 
-- name: Check for old PostgreSQL configuration secret
+- name: Check for specified old PostgreSQL configuration secret
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
     name: '{{ tower_old_postgres_configuration_secret }}'
-  register: old_pg_config
+  register: _custom_old_pg_config_resources
   when: tower_old_postgres_configuration_secret | length
 
+- name: Check for default old PostgreSQL configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-old-postgres-configuration'
+  register: _default_old_pg_config_resources
+
+- name: Set old PostgreSQL configuration
+  set_fact:
+    # yamllint disable-line rule:line-length
+    old_pg_config: '{{ _custom_old_pg_config_resources["resources"] | default([]) | length | ternary(_custom_old_pg_config_resources, _default_old_pg_config_resources) }}'  # noqa 204
+
 - name: Set proper database name when migrating from old deployment
   set_fact:
     database_name: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
@@ -52,12 +64,42 @@
   set_fact:
     pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
 
-- name: Create Database if no database is specified
-  k8s:
-    apply: true
-    definition: "{{ lookup('template', 'tower_postgres.yaml.j2') }}"
-  when:
-    - pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
+- block:
+    - name: Create Database if no database is specified
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_postgres.yaml.j2') }}"
+      register: create_statefulset_result
+
+  rescue:
+    - name: Scale down Deployment for migration
+      include_tasks: scale_down_deployment.yml
+
+    - name: Scale down PostgreSQL statefulset for migration
+      community.kubernetes.k8s_scale:
+        api_version: apps/v1
+        kind: StatefulSet
+        name: "{{ meta.name }}-postgres"
+        namespace: "{{ meta.namespace }}"
+        replicas: 0
+        wait: yes
+
+    - name: Remove PostgreSQL statefulset for upgrade
+      k8s:
+        state: absent
+        api_version: apps/v1
+        kind: StatefulSet
+        name: "{{ meta.name }}-postgres"
+        namespace: "{{ meta.namespace }}"
+        wait: yes
+      when: create_statefulset_result.error == 422
+
+    - name: Recreate PostgreSQL statefulset with updated values
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_postgres.yaml.j2') }}"
+  when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
+
 
 - name: Store Database Configuration
   set_fact:
@@ -66,6 +108,7 @@
     awx_postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
+    awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
 
 - name: Look up details for this deployment
   k8s_info:

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -0,0 +1,12 @@
+---
+- name: Retrieve LDAP CA Certificate Secret
+  community.kubernetes.k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ldap_cacert_secret }}'
+  register: ldap_cacert
+
+- name: Load LDAP CA Certificate Secret content
+  set_fact:
+    ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/main.yml

@@ -1,7 +1,29 @@
 ---
+- name: Patching labels to AWX kind
+  k8s:
+    state: present
+    definition:
+      apiVersion: '{{ api_version }}'
+      kind: '{{ kind }}'
+      name: '{{ meta.name }}'
+      namespace: '{{ meta.namespace }}'
+      metadata:
+        name: '{{ meta.name }}'
+        namespace: '{{ meta.namespace }}'
+        labels:
+          app.kubernetes.io/name: '{{ meta.name }}'
+          app.kubernetes.io/part-of: '{{ meta.name }}'
+          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+          app.kubernetes.io/component: '{{ deployment_type }}'
+
 - name: Include secret key configuration tasks
   include_tasks: secret_key_configuration.yml
 
+- name: Load LDAP CAcert certificate
+  include_tasks: load_ldap_cacert_secret.yml
+  when:
+    - ldap_cacert_secret != ''
+
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 
@@ -17,44 +39,8 @@
     - tower_ingress_type | lower == 'route'
     - tower_route_tls_secret != ''
 
-- name: Ensure configured instance resources exist in the cluster.
-  k8s:
-    apply: yes
-    definition: "{{ lookup('template', item) | from_yaml_all | list }}"
-  with_items:
-    - tower_config.yaml.j2
-
-- name: Apply Resources
-  k8s:
-    apply: yes
-    definition: "{{ lookup('template', item + '.yaml.j2') }}"
-  register: tower_deployment_result
-  loop:
-    - 'tower_app_credentials'
-    - 'tower_service_account'
-    - 'tower_deployment'
-    - 'tower_service'
-    - 'tower_ingress'
-
-- name: Get the resource pod information.
-  k8s_info:
-    kind: Pod
-    namespace: '{{ meta.namespace }}'
-    label_selectors:
-      - "app={{ deployment_type }}"
-  register: tower_pods
-  until: "tower_pods['resources'][0]['status']['phase'] == 'Running'"
-  delay: 5
-  retries: 60
-
-- name: Set the resource pod name as a variable.
-  set_fact:
-    tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] }}"
-
-- name: Verify the resource pod name is populated.
-  assert:
-    that: tower_pod_name != ''
-    fail_msg: "Could not find the tower pod's name."
+- name: Include resources configuration tasks
+  include_tasks: resources_configuration.yml
 
 - name: Check for pending migrations
   k8s_exec:
@@ -78,7 +64,8 @@
     - database_check is defined
     - (database_check.stdout|trim) != '0'
 
-- include_tasks: initialize.yml
+- name: Initialize Django
+  include_tasks: initialize_django.yml
 
 - name: Update status variables
   include_tasks: update_status.yml

roles/installer/tasks/migrate_data.yml

@@ -12,10 +12,11 @@
   k8s_info:
     kind: Pod
     namespace: '{{ meta.namespace }}'
-    label_selectors:
-      - "app={{ deployment_type }}-postgres"
+    name: '{{ meta.name }}-postgres-0'  # using name to keep compatibility
+    field_selectors:
+      - status.phase=Running
   register: postgres_pod
-  until: "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
+  until: postgres_pod['resources'] | length
   delay: 5
   retries: 60
 
@@ -23,22 +24,8 @@
   set_fact:
     postgres_pod_name: "{{ postgres_pod['resources'][0]['metadata']['name'] }}"
 
-- name: Check for presence of Deployment
-  k8s_info:
-    api_version: v1
-    kind: Deployment
-    name: "{{ meta.name }}"
-    namespace: "{{ meta.namespace }}"
-  register: tower_deployment
-
 - name: Scale down Deployment for migration
-  k8s_scale:
-    api_version: v1
-    kind: Deployment
-    name: "{{ meta.name }}"
-    namespace: "{{ meta.namespace }}"
-    replicas: 0
-  when: tower_deployment['resources'] | length
+  include_tasks: scale_down_deployment.yml
 
 - name: Set pg_dump command
   set_fact:
@@ -52,7 +39,7 @@
 - name: Set pg_restore command
   set_fact:
     psql_restore: >-
-      psql -U {{ awx_postgres_user }}
+      psql -U {{ database_username }}
       -d template1
       -p {{ awx_postgres_port }}
 

roles/installer/tasks/resources_configuration.yml

@@ -0,0 +1,80 @@
+---
+
+- name: Get the current resource pod information.
+  k8s_info:
+    api_version: v1
+    kind: Pod
+    namespace: '{{ meta.namespace }}'
+    label_selectors:
+      - "app.kubernetes.io/name={{ meta.name }}"
+      - "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
+      - "app.kubernetes.io/component={{ deployment_type }}"
+    field_selectors:
+      - status.phase=Running
+  register: tower_pods
+
+- name: Set the resource pod name as a variable.
+  set_fact:
+    tower_pod_name: "{{ tower_pods['resources'][0]['metadata']['name'] | default('') }}"
+
+- name: Apply Resources
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', item + '.yaml.j2') }}"
+    wait: yes
+  register: tower_resources_result
+  loop:
+    - 'tower_config'
+    - 'tower_app_credentials'
+    - 'tower_service_account'
+    - 'tower_persistent'
+    - 'tower_service'
+    - 'tower_ingress'
+
+- name: Apply deployment resources
+  k8s:
+    apply: yes
+    definition: "{{ lookup('template', 'tower_deployment.yaml.j2') }}"
+    wait: yes
+  register: tower_deployment_result
+
+- block:
+    - name: Delete pod to reload a resource configuration
+      k8s:
+        api_version: v1
+        state: absent
+        kind: Pod
+        namespace: '{{ meta.namespace }}'
+        name: '{{ tower_pod_name }}'
+        wait: yes
+      when:
+        - tower_resources_result.changed
+        - tower_pod_name | length
+
+    - name: Get the new resource pod information after updating resource.
+      k8s_info:
+        kind: Pod
+        namespace: '{{ meta.namespace }}'
+        label_selectors:
+          - "app.kubernetes.io/name={{ meta.name }}"
+          - "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
+          - "app.kubernetes.io/component={{ deployment_type }}"
+        field_selectors:
+          - status.phase=Running
+      register: _new_pod
+      until:
+        - _new_pod['resources'] | length
+        - _new_pod['resources'][0]['metadata']['name'] != tower_pod_name
+      delay: 5
+      retries: 60
+
+    - name: Update new resource pod name as a variable.
+      set_fact:
+        tower_pod_name: '{{ _new_pod["resources"][0]["metadata"]["name"] }}'
+  when:
+    - tower_resources_result.changed or tower_deployment_result.changed
+
+- name: Verify the resource pod name is populated.
+  assert:
+    that: tower_pod_name != ''
+    fail_msg: "Could not find the tower pod's name."

roles/installer/tasks/scale_down_deployment.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Check for presence of Deployment
+  k8s_info:
+    api_version: v1
+    kind: Deployment
+    name: "{{ meta.name }}"
+    namespace: "{{ meta.namespace }}"
+  register: tower_deployment
+
+- name: Scale down Deployment for migration
+  community.kubernetes.k8s_scale:
+    api_version: v1
+    kind: Deployment
+    name: "{{ meta.name }}"
+    namespace: "{{ meta.namespace }}"
+    replicas: 0
+    wait: yes
+  when: tower_deployment['resources'] | length

roles/installer/tasks/update_status.yml

@@ -1,9 +1,4 @@
 ---
-- name: Set apiVersion and kind variables
-  set_fact:
-    api_version: '{{ hostvars["localhost"]["inventory_file"].split("/")[4:6] | join("/")  }}'
-    kind: '{{ hostvars["localhost"]["inventory_file"].split("/")[6]  }}'
-
 - name: Update admin password status
   operator_sdk.util.k8s_status:
     api_version: '{{ api_version }}'

roles/installer/templates/credentials.py.j2

@@ -4,10 +4,10 @@ DATABASES = {
         'ENGINE': 'awx.main.db.profiled_pg',
         'NAME': "{{ awx_postgres_database }}",
         'USER': "{{ awx_postgres_user }}",
-        'PASSWORD': "{{ awx_postgres_pass | quote }}",
+        'PASSWORD': "{{ awx_postgres_pass }}",
         'HOST': '{{ awx_postgres_host }}',
         'PORT': "{{ awx_postgres_port }}",
-        'OPTIONS': { 'sslmode': '{{ pg_sslmode|default("prefer") }}',
+        'OPTIONS': { 'sslmode': '{{ awx_postgres_sslmode }}',
                      'sslrootcert': '{{ ca_trust_bundle }}',
         },
     }

roles/installer/templates/environment.sh.j2

@@ -1,5 +0,0 @@
-DATABASE_USER={{ awx_postgres_user }}
-DATABASE_NAME={{ awx_postgres_database }}
-DATABASE_HOST={{ awx_postgres_host }}
-DATABASE_PORT={{ awx_postgres_port }}
-DATABASE_PASSWORD={{ awx_postgres_pass | quote }}

roles/installer/templates/execution_environments.py.j2

@@ -0,0 +1,5 @@
+DEFAULT_EXECUTION_ENVIRONMENTS = [
+{% for item in tower_ee_images %}
+    {'name': '{{ item.name }}' , 'image': '{{ item.image }}'},
+{% endfor %}
+]

roles/installer/templates/ldap.py.j2

@@ -0,0 +1,6 @@
+AUTH_LDAP_GLOBAL_OPTIONS = {
+{% if ldap_cacert_ca_crt %}
+    ldap.OPT_X_TLS_REQUIRE_CERT: True,
+    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
+{% endif %}
+}

roles/installer/templates/tower_admin_password_secret.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-admin-password'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 stringData:
   password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_app_credentials.yaml.j2

@@ -5,6 +5,12 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-app-credentials'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 data:
-  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
-  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+  credentials.py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
+  ldap.py: "{{ lookup('template', 'ldap.py.j2') | b64encode }}"
+  execution_environments.py: "{{ lookup('template', 'execution_environments.py.j2') | b64encode }}"

roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-broadcast-websocket'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 stringData:
   secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_config.yaml.j2

@@ -6,7 +6,10 @@ metadata:
   name: '{{ meta.name }}-{{ deployment_type }}-configmap'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 data:
   environment: |
     AWX_SKIP_MIGRATIONS=true
@@ -74,7 +77,6 @@ data:
     LOGGING['loggers']['social']['handlers'] = ['console']
     LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
     LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
-    LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
     LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
     LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
     LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
@@ -86,6 +88,10 @@ data:
     BROADCAST_WEBSOCKET_PORT = 8052
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
+{% for item in extra_settings | default([]) %}
+    {{ item.setting }} = {{ item.value }}
+{% endfor %}
+
   nginx_conf: |
     worker_processes  1;
     pid        /tmp/nginx.pid;
@@ -218,6 +224,7 @@ data:
     - control-service:
         service: control
         filename: /var/run/receptor/receptor.sock
+        permissions: 0660
 
     - local-only:
 

roles/installer/templates/tower_deployment.yaml.j2

@@ -6,16 +6,26 @@ metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/version: '{{ tower_image_version }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 spec:
   replicas: {{ tower_replicas }}
   selector:
     matchLabels:
-      app: '{{ deployment_type }}'
+      app.kubernetes.io/name: '{{ meta.name }}'
+      app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+      app.kubernetes.io/component: '{{ deployment_type }}'
   template:
     metadata:
       labels:
-        app: '{{ deployment_type }}'
+        app.kubernetes.io/name: '{{ meta.name }}'
+        app.kubernetes.io/version: '{{ tower_image_version }}'
+        app.kubernetes.io/part-of: '{{ meta.name }}'
+        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+        app.kubernetes.io/component: '{{ deployment_type }}'
     spec:
       serviceAccountName: '{{ meta.name }}'
 {% if tower_image_pull_secret %}
@@ -23,7 +33,8 @@ spec:
         - name: {{ tower_image_pull_secret }}
 {% endif %}
       containers:
-        - image: '{{ tower_redis_image }}'
+        - image: '{{ tower_redis_image }}:{{ tower_redis_image_version }}'
+          imagePullPolicy: '{{ tower_image_pull_policy }}'
           name: redis
           args: ["redis-server", "/etc/redis.conf"]
           volumeMounts:
@@ -35,7 +46,7 @@ spec:
               mountPath: "/var/run/redis"
             - name: "{{ meta.name }}-redis-data"
               mountPath: "/data"
-        - image: '{{ tower_image }}'
+        - image: '{{ tower_image }}:{{ tower_image_version }}'
           name: '{{ meta.name }}-web'
 {% if tower_web_command %}
           command: {{ tower_web_command }}
@@ -51,12 +62,27 @@ spec:
 {% endif %}
           volumeMounts:
             - name: "{{ meta.name }}-application-credentials"
-              mountPath: "/etc/tower/conf.d/"
+              mountPath: "/etc/tower/conf.d/execution_environments.py"
+              subPath: execution_environments.py
+              readOnly: true
+            - name: "{{ meta.name }}-application-credentials"
+              mountPath: "/etc/tower/conf.d/credentials.py"
+              subPath: credentials.py
+              readOnly: true
+            - name: "{{ meta.name }}-application-credentials"
+              mountPath: "/etc/tower/conf.d/ldap.py"
+              subPath: ldap.py
               readOnly: true
 {% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
             - name: "{{ meta.name }}-nginx-certs"
               mountPath: "/etc/nginx/pki"
               readOnly: true
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+            - name: "{{ meta.name }}-ldap-cacert"
+              mountPath: /etc/openldap/certs/ldap-ca.crt
+              subPath: ldap-ca.crt
+              readOnly: true
 {% endif %}
             - name: "{{ secret_key_secret_name }}"
               mountPath: /etc/tower/SECRET_KEY
@@ -78,6 +104,8 @@ spec:
               mountPath: "/var/run/awx-rsyslog"
             - name: rsyslog-dir
               mountPath: "/var/lib/awx/rsyslog"
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
 {% if development_mode | bool %}
             - name: awx-devel
               mountPath: "/awx_devel"
@@ -98,7 +126,7 @@ spec:
             {{ tower_web_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ tower_web_resource_requirements }}
-        - image: '{{ tower_image }}'
+        - image: '{{ tower_image }}:{{ tower_image_version }}'
           name: '{{ meta.name }}-task'
           imagePullPolicy: '{{ tower_image_pull_policy }}'
 {% if tower_task_privileged == true %}
@@ -113,7 +141,16 @@ spec:
 {% endif %}
           volumeMounts:
             - name: "{{ meta.name }}-application-credentials"
-              mountPath: "/etc/tower/conf.d/"
+              mountPath: "/etc/tower/conf.d/execution_environments.py"
+              subPath: execution_environments.py
+              readOnly: true
+            - name: "{{ meta.name }}-application-credentials"
+              mountPath: "/etc/tower/conf.d/credentials.py"
+              subPath: credentials.py
+              readOnly: true
+            - name: "{{ meta.name }}-application-credentials"
+              mountPath: "/etc/tower/conf.d/ldap.py"
+              subPath: ldap.py
               readOnly: true
             - name: "{{ secret_key_secret_name }}"
               mountPath: /etc/tower/SECRET_KEY
@@ -144,7 +181,7 @@ spec:
 {% endif %}
           env:
             - name: SUPERVISOR_WEB_CONFIG_PATH
-              value: "/supervisor.conf"
+              value: "/etc/supervisord.conf"
             - name: AWX_SKIP_MIGRATIONS
               value: "1"
             - name: MY_POD_UID
@@ -167,7 +204,7 @@ spec:
             {{ tower_task_extra_env | indent(width=12, indentfirst=True) }}
 {% endif %}
           resources: {{ tower_task_resource_requirements }}
-        - image: '{{ default_ee }}'
+        - image: '{{ tower_ee_images[0].image }}'
           name: '{{ meta.name }}-ee'
           imagePullPolicy: '{{ tower_image_pull_policy }}'
           args: ['receptor', '--config', '/etc/receptor.conf']
@@ -180,12 +217,23 @@ spec:
               mountPath: "/var/run/receptor"
             - name: "{{ meta.name }}-projects"
               mountPath: "/var/lib/awx/projects"
+{% if tower_ee_extra_volume_mounts -%}
+            {{ tower_ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% if development_mode | bool %}
           env:
             - name: SDB_NOTIFY_HOST
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+{% endif %}
+{% if tower_node_selector %}
+      nodeSelector:
+        {{ tower_node_selector | indent(width=8) }}
+{% endif %}
+{% if tower_tolerations %}
+      tolerations:
+        {{ tower_tolerations | indent(width=8) }}
 {% endif %}
       volumes:
 {% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
@@ -197,15 +245,25 @@ spec:
                 path: 'web.key'
               - key: tls.crt
                 path: 'web.crt'
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+        - name: "{{ meta.name }}-ldap-cacert"
+          secret:
+            secretName: "{{ ldap_cacert_secret }}"
+            items:
+              - key: ldap-ca.crt
+                path: 'ldap-ca.crt'
 {% endif %}
         - name: "{{ meta.name }}-application-credentials"
           secret:
             secretName: "{{ meta.name }}-app-credentials"
             items:
-              - key: credentials_py
+              - key: credentials.py
                 path: 'credentials.py'
-              - key: environment_sh
-                path: 'environment.sh'
+              - key: ldap.py
+                path: 'ldap.py'
+              - key: execution_environments.py
+                path: 'execution_environments.py'
         - name: "{{ secret_key_secret_name }}"
           secret:
             secretName: '{{ secret_key_secret_name }}'
@@ -249,7 +307,16 @@ spec:
               - key: receptor_conf
                 path: receptor.conf
         - name: "{{ meta.name }}-projects"
+{% if tower_projects_persistence|bool %}
+          persistentVolumeClaim:
+{% if tower_projects_existing_claim %}
+            claimName: {{ tower_projects_existing_claim }}
+{% else %}
+            claimName: '{{ meta.name }}-projects-claim'
+{% endif %}
+{% else %}
           emptyDir: {}
+{% endif %}
 {% if development_mode | bool %}
         - name: awx-devel
           hostPath:

roles/installer/templates/tower_ingress.yaml.j2

@@ -5,6 +5,11 @@ kind: Ingress
 metadata:
   name: '{{ meta.name }}-ingress'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 {% if tower_ingress_annotations %}
   annotations:
     {{ tower_ingress_annotations | indent(width=4) }}
@@ -33,6 +38,11 @@ kind: Route
 metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 spec:
 {% if tower_route_host != '' %}
   host: {{ tower_route_host }}

roles/installer/templates/tower_persistent.yaml.j2

@@ -0,0 +1,21 @@
+{% if tower_projects_persistence|bool and tower_projects_existing_claim == '' %}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ meta.name }}-projects-claim'
+  namespace: '{{ meta.namespace }}'
+  labels:
+   app.kubernetes.io/name: '{{ meta.name }}'
+   app.kubernetes.io/part-of: '{{ meta.name }}'
+   app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+   app.kubernetes.io/component: '{{ deployment_type }}'
+spec:
+  accessModes:
+    - {{ tower_projects_storage_access_mode }}
+  resources:
+    requests:
+      storage: {{ tower_projects_storage_size }}
+{% if tower_projects_storage_class != '' %}
+  storageClassName: {{ tower_projects_storage_class }}
+{% endif %}
+{% endif %}

roles/installer/templates/tower_postgres.yaml.j2

@@ -1,16 +1,21 @@
 # Postgres StatefulSet.
 ---
-apiVersion: v1
+apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: '{{ meta.name }}-postgres'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: database
 spec:
   selector:
     matchLabels:
-      app: '{{ deployment_type }}-postgres'
+      app.kubernetes.io/name: '{{ meta.name }}-postgres'
+      app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+      app.kubernetes.io/component: database
   serviceName: '{{ meta.name }}'
   replicas: 1
   updateStrategy:
@@ -18,12 +23,33 @@ spec:
   template:
     metadata:
       labels:
-        app: '{{ deployment_type }}-postgres'
+        app.kubernetes.io/name: '{{ meta.name }}-postgres'
+        app.kubernetes.io/part-of: '{{ meta.name }}'
+        app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+        app.kubernetes.io/component: database
     spec:
       containers:
-        - image: '{{ tower_postgres_image }}'
+        - image: '{{ tower_postgres_image }}:{{ tower_postgres_image_version }}'
           name: postgres
           env:
+            # For tower_postgres_image based on rhel8/postgresql-12
+            - name: POSTGRESQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ meta.name }}-postgres-configuration'
+                  key: database
+            - name: POSTGRESQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ meta.name }}-postgres-configuration'
+                  key: username
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ meta.name }}-postgres-configuration'
+                  key: password
+
+            # For tower_postgres_image based on postgres
             - name: POSTGRES_DB
               valueFrom:
                 secretKeyRef:
@@ -52,6 +78,15 @@ spec:
             - name: postgres
               mountPath: '{{ tower_postgres_data_path | dirname }}'
               subPath: '{{ tower_postgres_data_path | dirname | basename }}'
+          resources: {{ tower_postgres_resource_requirements }}
+{% if tower_postgres_selector %}
+      nodeSelector:
+        {{ tower_postgres_selector | indent(width=8) }}
+{% endif %}
+{% if tower_postgres_tolerations %}
+      tolerations:
+        {{ tower_postgres_tolerations | indent(width=8) }}
+{% endif %}
   volumeClaimTemplates:
     - metadata:
         name: postgres
@@ -61,7 +96,7 @@ spec:
 {% if tower_postgres_storage_class != '' %}
         storageClassName: '{{ tower_postgres_storage_class }}'
 {% endif %}
-        resources: {{ tower_postgres_resource_requirements }}
+        resources: {{ tower_postgres_storage_requirements }}
 
 # Postgres Service.
 ---
@@ -71,10 +106,15 @@ metadata:
   name: '{{ meta.name }}-postgres'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: database
 spec:
   ports:
     - port: 5432
   clusterIP: None
   selector:
-    app: '{{ deployment_type }}-postgres'
+    app.kubernetes.io/name: '{{ meta.name }}-postgres'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: database

roles/installer/templates/tower_postgres_secret.yaml.j2

@@ -5,6 +5,11 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-postgres-configuration'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 stringData:
   password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'
   username: '{{ database_username }}'

roles/installer/templates/tower_secret_key.yaml.j2

@@ -4,5 +4,10 @@ kind: Secret
 metadata:
   name: '{{ meta.name }}-secret-key'
   namespace: '{{ meta.namespace }}'
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 stringData:
   secret_key: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/installer/templates/tower_service.yaml.j2

@@ -5,8 +5,11 @@ metadata:
   name: '{{ meta.name }}-service'
   namespace: '{{ meta.namespace }}'
   labels:
-    app: '{{ deployment_type }}'
-{% if tower_ingress_type | lower == 'loadbalancer' %}
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
+{% if tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_annotations %}
   annotations:
     {{ tower_loadbalancer_annotations | indent(width=4) }}
 {% endif %}
@@ -25,15 +28,24 @@ spec:
       name: https
 {% endif %}
 {% if tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower == 'https' %}
-    - port: 443
+    - port: {{ tower_loadbalancer_port }}
       protocol: TCP
       targetPort: 8052
       name: https
+{% elif tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower != 'https' %}
+    - port: {{ tower_loadbalancer_port }}
+      protocol: TCP
+      targetPort: 8052
+      name: http
 {% endif %}
   selector:
-    app: '{{ deployment_type }}'
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 {% if tower_ingress_type | lower == "loadbalancer" %}
   type: LoadBalancer
 {% elif tower_ingress_type != "none" %}
   type: NodePort
+{% else %}
+  type: ClusterIP
 {% endif %}

roles/installer/templates/tower_service_account.yaml.j2

@@ -4,7 +4,11 @@ kind: ServiceAccount
 metadata:
   name: '{{ meta.name }}'
   namespace: '{{ meta.namespace }}'
-
+  labels:
+    app.kubernetes.io/name: '{{ meta.name }}'
+    app.kubernetes.io/part-of: '{{ meta.name }}'
+    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
+    app.kubernetes.io/component: '{{ deployment_type }}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

roles/installer/vars/main.yml

@@ -1,3 +1,5 @@
 ---
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
+ldap_cacert_ca_crt: ''
+tower_projects_existing_claim: ''

scripts/build.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+## This script will be build 3 images awx-{operator,bundle,catalog}
+## and push to the $REGISTRY specified.
+##
+## The goal is provide an quick way to build a test image.
+##
+## Example:
+##
+## git clone https://github.com/ansible/awx-operator.git
+## cd awx-operator
+## REGISTRY=registry.example.com/ansible TAG=mytag scripts/build.sh
+##
+## As a result, the $REGISTRY will be populated with 2 images
+## registry.example.com/ansible/awx-operator:mytag
+## registry.example.com/ansible/awx-operator-bundle:mytag
+## registry.example.com/ansible/awx-operator-catalog:mytag
+
+OPERATOR_IMAGE=${OPERATOR_IMAGE:-awx-operator}
+BUNDLE_IMAGE=${BUNDLE_IMAGE:-awx-operator-bundle}
+CATALOG_IMAGE=${CATALOG_IMAGE:-awx-operator-catalog}
+
+verify_podman_binary() {
+  if hash podman 2>/dev/null; then
+      POD_MANAGER="podman"
+  else
+      POD_MANAGER="docker"
+  fi
+}
+
+verify_operator_sdk_binary() {
+  if hash operator-sdk 2>/dev/null; then
+      OPERATOR_SDK="$(which operator-sdk)"
+  else
+      echo "operator-sdk binary not found."
+      echo "Please visit https://sdk.operatorframework.io/docs/building-operators/ansible/installation"
+      exit 1
+  fi
+}
+
+verify_opm_binary() {
+  if hash opm 2>/dev/null; then
+      OPM_BINARY="$(which opm)"
+  else
+      echo "opm binary not found."
+      echo "Please visit https://github.com/operator-framework/operator-registry/releases"
+      exit 1
+  fi
+}
+
+prepare_local_deploy() {
+    echo "operator_image: $REGISTRY/$OPERATOR_IMAGE" > ansible/group_vars/all
+    echo "operator_version: $TAG" >> ansible/group_vars/all
+    echo "pull_policy: Always" >> ansible/group_vars/all
+    ansible-playbook ansible/chain-operator-files.yml
+}
+
+
+REGISTRY=${REGISTRY:-''}
+if [[ -z "$REGISTRY" ]]; then
+    echo "Set your \$REGISTRY variable to your registry server."
+    echo "export REGISTRY=quay.io/ansible"
+    exit 1
+fi
+
+TAG=${TAG:-''}
+if [[ -z "$TAG" ]]; then
+    echo "Set your \$TAG variable to your registry server."
+    echo "export TAG=mytag"
+    exit 1
+fi
+
+build_operator_image() {
+  echo "Building and pushing $OPERATOR_IMAGE image"
+  $POD_MANAGER build . -f build/Dockerfile -t $REGISTRY/$OPERATOR_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$OPERATOR_IMAGE:$TAG
+}
+
+build_bundle_image() {
+  echo "Building and pushing $BUNDLE_IMAGE image"
+  $POD_MANAGER build . -f bundle.Dockerfile -t $REGISTRY/$BUNDLE_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$BUNDLE_IMAGE:$TAG
+}
+
+build_catalog_image() {
+  echo "Building and pushing $CATALOG_IMAGE image"
+  $OPM_BINARY index add --bundles $REGISTRY/$BUNDLE_IMAGE:$TAG --tag $REGISTRY/$CATALOG_IMAGE:$TAG
+  $POD_MANAGER push $REGISTRY/$CATALOG_IMAGE:$TAG
+}
+
+generate_catalogsource_yaml() {
+  echo "Creating CatalogSource YAML"
+  cat > catalogsource.yaml << EOF
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: awx-operator
+  namespace: operators
+spec:
+  displayName: 'Ansible AWX Operator'
+  image: "$REGISTRY/$CATALOG_IMAGE:$TAG"
+  publisher: 'Ansible AWX Operator'
+  sourceType: grpc
+EOF
+
+  echo "Now run: 'kubectl apply -f catalogsource.yaml' to update the operator"
+  echo "Happy testing!"
+}
+
+verify_podman_binary
+verify_operator_sdk_binary
+verify_opm_binary
+prepare_local_deploy
+build_operator_image
+build_bundle_image
+build_catalog_image
+generate_catalogsource_yaml