internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 22:03:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:0.9.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
...
compare: internet:0.10.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

111 Commits
0.9.0 ... 0.10.0

Author SHA1 Message Date
Shane McDonald
25bdc23d45 Merge pull request #355 from shanemcd/bump-0.10.0 
Bump versions for 0.10.0
 2021-06-01 19:31:13 -04:00
Shane McDonald
b74d6a582e Bump versions for 0.10.0 2021-06-01 17:07:52 -04:00
Shane McDonald
679af90d71 Merge pull request #352 from tchellomello/ingress_readme_fixup 
Updated README.md to point to released version
 2021-06-01 16:46:29 -04:00
Marcelo Moreira de Mello
5e58da7c7e Updated README.md to point to released version 2021-06-01 16:35:59 -04:00
Shane McDonald
9555a04870 Merge pull request #330 from tchellomello/ingress_minikube 
Introducing service type definition and reworking Ingress rules
 2021-06-01 16:10:32 -04:00
Marcelo Moreira de Mello
e37c091d17 Make tower_ingress_type to respect ClusterIP definition 2021-06-01 15:42:39 -04:00
Shane McDonald
d6c9ebf35c Merge pull request #324 from Zokormazo/extra_settings_quote 
Add quotes to string type extra_settings
 2021-05-26 12:06:02 -04:00
Julen Landa Alustiza
899a8e7bf5 Add quotes to string type extra_settings 
Signed-off-by: Julen Landa Alustiza <jlanda@redhat.com>
 2021-05-26 09:19:00 +02:00
Shane McDonald
a8399c5ec0 Merge pull request #333 from tchellomello/sa_annotations 
Added ability to specify annotations to ServiceAccount
 2021-05-25 20:50:25 -04:00
Shane McDonald
cb3451e8dc Merge pull request #334 from rooftopcellist/extend-service-account-perm 
Add ability to get/create/delete secrets for the awx service account
 2021-05-25 16:02:46 -04:00
Christian M. Adams
61b3cb4c7f Add ability to get/create/delete secrets for the awx service account 2021-05-25 15:38:05 -04:00
Marcelo Moreira de Mello
446ac0b190 Added ability to specify annotations to ServiceAccount 2021-05-25 12:16:16 -04:00
Yanis Guenane
8c6ccfbca2 Merge pull request #331 from Spredzy/remove_variable_prefix 
Do not prepend variables name with tower_
 2021-05-25 15:58:46 +02:00
Yanis Guenane
223fe988aa Do not shadow other variables 2021-05-25 15:38:35 +02:00
Yanis Guenane
75458d0678 Do not prepend variables name with tower_ 2021-05-25 09:52:13 +02:00
Christian Adams
d0a74edd34 Merge pull request #323 from rooftopcellist/remove_finalizer 
Fully remove finalizer
 2021-05-19 11:39:27 -04:00
Shane McDonald
f6b0fb62b8 Merge pull request #200 from tchellomello/okd_console 
Added OKD console deployment
 2021-05-18 14:15:08 -04:00
Christian M. Adams
fd9205070e Fully remove finalizer 2021-05-18 11:34:29 -04:00
Christian Adams
e18ce59ea9 Merge pull request #297 from rooftopcellist/pg-labels 
Make postgres sts labels consistent with k8s recommendations & pulp-operator
 2021-05-18 10:37:46 -04:00
Christian Adams
5fd86e07ce Merge pull request #319 from rooftopcellist/custom_format_backup 
Use custom pg_dump format for faster restores
 2021-05-18 10:33:23 -04:00
Christian M. Adams
406bbf90fa Make postgres sts labels consistent with k8s recommendations & pulp-operator 
- k8s recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
 2021-05-18 10:02:15 -04:00
Marcelo Moreira de Mello
b887315c8d Merge pull request #317 from tchellomello/operator_labels_complementary 
Extended labels to AWX Backup/Restore
 2021-05-17 21:58:14 -04:00
Marcelo Moreira de Mello
08776ca2b6 Extended labels to AWX Backup/Restore 2021-05-17 21:40:37 -04:00
Christian Adams
8a34188854 Merge pull request #273 from tchellomello/contributing 
Adding contributing guidelines
 2021-05-17 18:12:37 -04:00
Marcelo Moreira de Mello
68e0de4d9e Adding contributing guidelines 2021-05-17 17:54:35 -04:00
Christian M. Adams
f16d9ac55f Use custom pg_dump format for faster restores 2021-05-17 16:54:49 -04:00
Christian Adams
0239062fa4 Merge pull request #318 from rooftopcellist/storage_class_empty 
Default to storage class being undefined
 2021-05-17 16:52:09 -04:00
Christian M. Adams
82ed9d6d56 Default to storage class being undefined 
* This is so that users can intentially set it to an empty string if they want to use the default storage class
  * conversely, now users can manually create a pvc that does not utilize the default storage class
 2021-05-17 16:41:53 -04:00
Christian Adams
1ce36572c4 Merge pull request #302 from rooftopcellist/upgrade_note 
Add note about how to upgrade AWX and the operator
 2021-05-17 16:25:34 -04:00
Christian Adams
708f5d49e8 Merge pull request #315 from rooftopcellist/allow_manual_pvc 
Allow user to specify empty string for storage class on PVC
 2021-05-17 12:27:26 -04:00
Christian M. Adams
818b837fb2 Allow user to specify empty string for storage class on PVC 2021-05-17 12:15:03 -04:00
Marcelo Moreira de Mello
7b7965d506 Merge pull request #308 from tchellomello/operator_version 
Adds operator-version to k8s resources
 2021-05-13 10:00:26 -04:00
Marcelo Moreira de Mello
5266cc23a9 Adds operator-version to k8s resources 2021-05-12 22:17:36 -04:00
Marcelo Moreira de Mello
fd9532ee3f Merge pull request #303 from tchellomello/tower_loadbalancer_annotations 
Set initial value for tower_loadbalancer_annotations
 2021-05-11 11:15:29 -04:00
Marcelo Moreira de Mello
b2b1e07e45 Set initial value for tower_loadbalancer_annotations 2021-05-10 23:31:01 -04:00
Christian Adams
8519ff93b2 Merge pull request #272 from kimbernator/devel 
Add support for custom service labels
 2021-05-10 15:18:31 -04:00
Christian Adams
123d6e4c29 Merge pull request #299 from rooftopcellist/stuck-finalizer 
Unset ownerRefs in the installer instead of the finalizer
 2021-05-10 13:21:46 -04:00
Christian M. Adams
c16e53da46 Add note about how to upgrade AWX and the operator 2021-05-10 11:54:18 -04:00
Christian M. Adams
c12a1f02ab Unset ownerRefs in the installer instead of the finalizer 2021-05-07 17:55:01 -04:00
Christian Adams
13e114afc1 Merge pull request #296 from rooftopcellist/pg_custom_archive 
Use custom archive format when migrating data
 2021-05-07 15:20:00 -04:00
Christian M. Adams
9145b32d11 Use custom archive format when migrating data 
- this approach is compatible with the RH postgresql container
 2021-05-07 15:04:20 -04:00
Christian Adams
aed4d07cf1 Merge pull request #295 from rooftopcellist/scale_down_restore 
Scale down the new deployment before restoring
 2021-05-07 15:03:48 -04:00
Christian M. Adams
ca8127448e Scale down the new deployment before restoring 2021-05-07 11:18:40 -04:00
Christian Adams
e082180cf9 Merge pull request #293 from Zokormazo/restore-kind 
Restore: set proper kind var after deploying AWX CR
 2021-05-07 09:23:02 -04:00
Christian Adams
df2522fa8d Merge pull request #283 from rooftopcellist/fix-lint-errors 
Fix file permissions for tmp spec vars file
 2021-05-07 09:10:25 -04:00
Julen Landa Alustiza
fc4687ff77 Restore: set proper kind var after deploying AWX CR 
Signed-off-by: Julen Landa Alustiza <jlanda@redhat.com>
 2021-05-07 13:31:29 +02:00
Shane McDonald
9cca0d0520 Merge pull request #287 from AlanCoding/include_playbook 
Make awx-operator compatible with Ansible 2.12
 2021-05-06 11:05:19 -04:00
Alan Rominger
521648925c Make awx-operator compatible with Ansible 2.12 2021-05-06 10:49:01 -04:00
Yanis Guenane
bc1814ce95 Merge pull request #282 from Spredzy/olm_backup_and_restore 
olm-catalog: Update with latest content from AWXBackup and AWXRestore
 2021-05-05 17:26:20 +02:00
Christian M. Adams
c551d05182 Fix file permissions for tmp spec vars file 2021-05-05 09:35:03 -04:00
Yanis Guenane
ce0a251c1c olm-catalog: Update with latest content from AWXBackup and AWXRestore 2021-05-05 10:37:23 +02:00
Christian Adams
51dd524579 Merge pull request #279 from rooftopcellist/persist-secrets 
Persist secret names from old deployment & add them to the spec
 2021-05-04 14:59:28 -04:00
Christian M. Adams
9532cc754e Use copy module, not shell 2021-05-04 14:28:59 -04:00
Christian M. Adams
15bc12b7f6 Remove ownerReferences based on secret name from backup 2021-05-04 11:46:09 -04:00
Christian M. Adams
a46938e1be Retrieve pg secret values consistently, do not hardcode secret names 2021-05-04 10:06:39 -04:00
Christian M. Adams
8af0681373 Persist secret names from old deployment & add them to the spec 
- renamed some more variables to be consistent with the pulp-operator
  - removed unneeded vars from backup & restore crds
  - added a way to parse spec at restore time by including vars to
    get around the issue of triply nested quotes when using to_json
 2021-05-04 10:06:29 -04:00
Christian Adams
bd6a5c3156 Merge pull request #133 from rooftopcellist/backup-role 
Backup role for awx-operator
 2021-05-03 15:36:04 -04:00
Jeremy Kimber
51435e3c2b fix example to use correct label 2021-05-03 13:14:49 -05:00
Jeremy Kimber
b204c91baa set tower_service_labels field to hidden 2021-05-03 13:12:37 -05:00
Marcelo Moreira de Mello
e7fd1e265f Merge pull request #271 from tchellomello/changelog 
Added initial CHANGELOG.md
 2021-05-03 13:18:42 -04:00
Marcelo Moreira de Mello
42b39eda40 Merge pull request #264 from ansible/tchellomello-bugreport-template 
Updated bug report template
 2021-05-03 13:18:25 -04:00
Marcelo Moreira de Mello
b50cf82639 Added initial CHANGELOG.md 2021-05-03 11:44:47 -04:00
Jeremy Kimber
fd42802512 Add support for custom service labels 2021-05-03 10:20:56 -05:00
Marcelo Moreira de Mello
b7e043eca8 Update bug_report.md 2021-04-30 13:53:59 -04:00
Marcelo Moreira de Mello
78d03e03bb Updated bug report template 2021-04-30 13:52:09 -04:00
Christian M. Adams
5e2d11835e Fix rebase issue & remove dynamic kind/version var setting 2021-04-30 13:51:48 -04:00
Christian M. Adams
cdbaf9460e Remove unnecessary intermediate awx_spec var 2021-04-30 10:49:32 -04:00
Christian M. Adams
5439681a39 Fix rebase issue due to order or pg config tasks 2021-04-30 10:49:32 -04:00
Christian M. Adams
9cfb7921bc update templated files with new var names 2021-04-30 10:49:32 -04:00
Christian M. Adams
36852cd5f5 remove unused variables in restore role 2021-04-30 10:49:32 -04:00
Christian M. Adams
b5c5a1722d revert unneccesary admin password update 2021-04-30 10:49:31 -04:00
Christian M. Adams
5ae36367a4 Rename product specific variable names 2021-04-30 10:49:31 -04:00
Christian M. Adams
d743936ee4 Update admin user password with value in provided/generated secret 2021-04-30 10:49:31 -04:00
Christian M. Adams
c817a2234d Simplify vars needed for restore CR & do not garbage collect secrets 2021-04-30 10:49:31 -04:00
Christian M. Adams
57f9530198 Simplify pvc naming scheme, one pvc per deployment 2021-04-30 10:49:31 -04:00
Christian M. Adams
3e444da7bc Set ownerRef to null for restore created AWX object to avoid garbage collection 
- Set defaults for pg type to satisfy conditional
 2021-04-30 10:49:30 -04:00
Christian M. Adams
867bc258b9 Allow custom postgres pod label to support user managed pg pods 
- Only set resolvable pg host path for pg container when managed
 2021-04-30 10:49:30 -04:00
Christian M. Adams
ff9248e971 create pvc in namespace of old awx by default, update docs, fix bug with secret statuses 2021-04-30 10:49:30 -04:00
Christian M. Adams
38a6a02f85 Add secret names as statuses on the AWX object 
- set migrate data status even if custom name for old postgres config is not used
 - Allow users to change pg name, pw & db name for a managed postgres
 - set default value for postgres-configuration type as unmanaged if secret is created
 - Make pg port configurable for managed deployments
 2021-04-30 10:49:27 -04:00
Christian M. Adams
90f4d71606 Make pg port configurable for managed deployments 2021-04-30 10:32:07 -04:00
Christian M. Adams
8f760e2842 Allow users to change pg name, pw & db name for a managed postgres 
- set default value for postgres-configuration type as unmanaged if secret is created
 2021-04-30 10:32:05 -04:00
Christian M. Adams
5b32c41277 Fix retry for checking postgres pod & fix secrets template 
- fixed a lot of typos & updated the README.md files
 2021-04-30 10:24:37 -04:00
Christian M. Adams
fb612c24df Only write values for spec section of awx object in backup 2021-04-30 10:24:37 -04:00
Christian M. Adams
8ed0b1fe61 Template only what is needed from secrets and awx cro 2021-04-30 10:24:37 -04:00
Christian M. Adams
82efe05343 store secrets & definitions in a tempfile dir, fix postgres label 2021-04-30 10:24:36 -04:00
Christian M. Adams
2cbf60fa17 Remove unneeded fqcn for modules & fix CI 2021-04-30 10:24:36 -04:00
Christian M. Adams
ce8c58f542 added secrets logic, fixed permissions issues 2021-04-30 10:24:36 -04:00
Christian M. Adams
b9d0852c83 Fix small namespace issue 2021-04-30 10:24:36 -04:00
Christian M. Adams
5669747bbf Scope pvc and management pod to default namespace 
- make this configurable via tower_backup_pvc_namespace var
  - remove redundant k8s task info
 2021-04-30 10:24:36 -04:00
Christian M. Adams
0580398c90 Finish db restore logic 
- rename _backup_dir to backup_dir
  - add towerBackupClaim status to make the pvc name easier to find for users
 2021-04-30 10:24:36 -04:00
Christian M. Adams
8422f6fbd9 rename db task vars with awx instead of tower for consistency 2021-04-30 10:24:35 -04:00
Christian M. Adams
8467209d35 init restore 2021-04-30 10:24:35 -04:00
Christian M. Adams
80c8d87f71 Create an event when pvc is not set to alert the user 2021-04-30 10:24:35 -04:00
Christian M. Adams
6bc149bae2 template awxbackup crd into awx-operator.yml for easy deployment 2021-04-30 10:24:35 -04:00
Christian M. Adams
250ff960bd Add awxbackup CRD creation to molecule to get tests passing 2021-04-30 10:24:35 -04:00
Christian M. Adams
e1dca00f46 Fix backup reconciliation loop, add error status 2021-04-30 10:24:35 -04:00
Christian M. Adams
f17dcdc3e9 Swap vars and defaults, rename to awxbackups 2021-04-30 10:24:35 -04:00
Christian M. Adams
4839bdcaad Rename Backup CR to AWXBackup to be more unique 
- we could alternatively direct users to use the full GVK.  Issue is potential conflict with AH operator CRs
 2021-04-30 10:24:34 -04:00
Christian M. Adams
91dda5cb16 backup secrets to YAML files 2021-04-30 10:24:34 -04:00
Christian M. Adams
0a82fec359 Refactor backup role & store secrets as well 2021-04-30 10:24:34 -04:00
Christian M. Adams
13397f41ad use meta.data to keep pods and pvcs unique in the same namespace 2021-04-30 10:24:34 -04:00
Christian M. Adams
9e44e21a66 Rename pvc name var to be consistent with other backup variables 2021-04-30 10:24:34 -04:00
Christian M. Adams
54efda1a25 Use default cluster storage class if none is provided 2021-04-30 10:24:34 -04:00
Christian M. Adams
bcd1410438 init backup CR files 2021-04-30 10:24:33 -04:00
Christian M. Adams
fdcc745f11 Add watcher for backup CR 2021-04-30 10:24:33 -04:00
Christian M. Adams
4a5ca184c0 Use storage class to dynamically create volume for backups 2021-04-30 10:24:33 -04:00
Christian M. Adams
e037feafbf Create management pod and pvc for backup 2021-04-30 10:24:33 -04:00
Christian M. Adams
0220c75884 wip deployment podspec or sts 2021-04-30 10:24:33 -04:00
Marcelo Moreira de Mello
13f7b2ae30 Fixed indentation lint 2021-04-14 12:00:26 -04:00
Marcelo Moreira de Mello
bdcd95ab55 Fixing lint 2021-04-14 11:45:46 -04:00
Marcelo Moreira de Mello
032d6b790a Added OKD console deployment 2021-04-14 11:41:54 -04:00
93 changed files with 3304 additions and 973 deletions
Expand all files Collapse all files

39
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,39 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
##### ISSUE TYPE
- Bug Report
##### SUMMARY
<!-- Briefly describe the problem. -->
##### ENVIRONMENT
* AWX version: X.Y.Z
* Operator version: X.Y.Z
* Kubernetes version:
* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
##### STEPS TO REPRODUCE
<!-- Please describe exactly how to reproduce the problem. -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? -->
##### ADDITIONAL INFORMATION
<!-- Include any links to sosreport, database dumps, screenshots or other
information. -->
##### AWX-OPERATOR LOGS

20
CHANGELOG.md Normal file
View File

@@ -0,0 +1,20 @@
# Changelog
This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/<version>`.
# 0.9.0 (May 1, 2021)
- Update playbook to allow for deploying custom image version/tag (Shane McDonald) - 77e7039
- Mounts /var/lib/awx/projects on awx-web container (Marcelo Moreira de Mello) - f21ec4d
- Extra Settings: Allow one to pass extra API configuration settings. (Yanis Guenane) - 1d14ebc
- PostgreSQL: Properly handle variable name difference when using Red Hat containers (Yanis Guenane) - 2965a90
- Deployment type: Make more fields dynamic based on that field (Yanis Guenane) - 4706aa9
- Add templated EE volume mount var to operator config (Christian M. Adams) - e55d83f
- Add NodePort to tower_ingress_type enum (TheStally) - 96b878f
- Split container image and version in 2 variables (Marcelo Moreira de Mello) - bc34758 (breaking_change)
- Handles deleting and recreating statefulset and deployment when needed (Marcelo Moreira de Mello) - 597356f
- Add tower_ingress_type NodePort (stal) - 1b87616
- expose settings to use custom volumes and volume mounts (Gabe Muniz) - 8d65b84
- Inherit imagePullPolicy to redis container (Marcelo Moreira de Mello) - 83a85d1
- Add nodeSelector and tolerations for Postgres pod (Ernesto Pérez) - 151ff11
- Added support to override pg_sslmode (Marcelo Moreira de Mello) - 298d39c

140
CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,140 @@
# AWX-Operator Contributing Guidelines
Hi there! We're excited to have you as a contributor.
Have questions about this document or anything not covered here? Please file a new at [https://github.com/ansible/awx-operator/issues](https://github.com/ansible/awx-operator/issues).
## Table of contents
* [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
* [Submmiting your Work](#submitting-your-work)
* [Testing](#testing)
* [Testing in Docker](#testing-in-docker)
* [Testing in Minikube](#testing-in-minikube)
* [Generating a bundle](#generating-a-bundle)
* [Reporting Issues](#reporting-issues)
## Things to know prior to submitting code
- All code submissions are done through pull requests against the `devel` branch.
- All PRs must have a single commit. Make sure to `squash` any changes into a single commit.
- Take care to make sure no merge commits are in the submission, and use `git rebase` vs `git merge` for this reason.
- If collaborating with someone else on the same branch, consider using `--force-with-lease` instead of `--force`. This will prevent you from accidentally overwriting commits pushed by someone else. For more information, see https://git-scm.com/docs/git-push#git-push---force-with-leaseltrefnamegt
- We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions, or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
## Submmiting your work
1. From your fork `devel` branch, create a new brach to stage your changes.
```sh
#> git checkout -b <branch-name>
```
2. Make your changes.
3. Test your changes according described on the Testing section.
4. If everylooks looks correct, commit your changes.
```sh
#> git add <FILES>
#> git commit -m "My message here"
```
5. Create your [pull request](https://github.com/ansible/awx-operator/pulls)
**Note**: If you have multiple commits, make sure to `squash` your commits into a single commit which will facilitate our release process.
## Testing
This Operator includes a [Molecule](https://molecule.readthedocs.io/en/stable/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
You need to make sure you have Molecule installed before running the following commands. You can install Molecule with:
```sh
#> pip install 'molecule[docker]'
```
Running `molecule test` sets up a clean environment, builds the operator, runs all configured tests on an example operator instance, then tears down the environment (at least in the case of Docker).
If you want to actively develop the operator, use `molecule converge`, which does everything but tear down the environment at the end.
#### Testing in Docker
```sh
#> molecule test -s test-local
```
This environment is meant for headless testing (e.g. in a CI environment, or when making smaller changes which don't need to be verified through a web interface). It is difficult to test things like AWX's web UI or to connect other applications on your local machine to the services running inside the cluster, since it is inside a Docker container with no static IP address.
#### Testing in Minikube
```sh
#> minikube start --memory 8g --cpus 4
#> minikube addons enable ingress
#> molecule test -s test-minikube
```
[Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) is a more full-featured test environment running inside a full VM on your computer, with an assigned IP address. This makes it easier to test things like NodePort services and Ingress from outside the Kubernetes cluster (e.g. in a browser on your computer).
Once the operator is deployed, you can visit the AWX UI in your browser by following these steps:
1. Make sure you have an entry like `IP_ADDRESS example-awx.test` in your `/etc/hosts` file. (Get the IP address with `minikube ip`.)
2. Visit `http://example-awx.test/` in your browser. (Default admin login is `test`/`changeme`.)
Alternatively, you can also update the service `awx-service` in your namespace to use the type `NodePort` and use following command to get the URL to access your AWX instance:
```sh
#> minikube service <serviceName> -n <namespaceName> --url
```
## Generating a bundle
> :warning: operator-sdk version 0.19.4 is needed to run the following commands
If one has the Operator Lifecycle Manager (OLM) installed, the following steps is the process to generate the bundle that would nicely display in the OLM interface.
At the root of this directory:
1. Build and publish the operator
```
#> operator-sdk build registry.example.com/ansible/awx-operator:mytag
#> podman push registry.example.com/ansible/awx-operator:mytag
```
2. Build and publish the bundle
```
#> podman build . -f bundle.Dockerfile -t registry.example.com/ansible/awx-operator-bundle:mytag
#> podman push registry.example.com/ansible/awx-operator-bundle:mytag
```
3. Build and publish an index with your bundle in it
```
#> opm index add --bundles registry.example.com/ansible/awx-operator-bundle:mytag --tag registry.example.com/ansible/awx-operator-catalog:mytag
#> podman push registry.example.com/ansible/awx-operator-catalog:mytag
```
4. In your Kubernetes create a new CatalogSource pointing to `registry.example.com/ansible/awx-operator-catalog:mytag`
```
---
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: <catalogsource-name>
namespace: <namespace>
spec:
displayName: 'myoperatorhub'
image: registry.example.com/ansible/awx-operator-catalog:mytag
publisher: 'myoperatorhub'
sourceType: grpc
```
Applying this template will do it. Once the CatalogSource is in a READY state, the bundle should be available on the OperatorHub tab (as part of the custom CatalogSource that just got added)
5. Enjoy
## Reporting Issues
We welcome your feedback, and encourage you to file an issue when you run into a problem.

506
README.md
View File

@@ -14,8 +14,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Basic Install](#basic-install)
* [Admin user account configuration](#admin-user-account-configuration)
* [Network and TLS Configuration](#network-and-tls-configuration)
* [Service Type](#service-type)
* [Ingress Type](#ingress-type)
* [TLS Termination](#tls-termination)
* [Database Configuration](#database-configuration)
* [External PostgreSQL Service](#external-postgresql-service)
* [Migrating data from an old AWX instance](#migrating-data-from-an-old-awx-instance)
@@ -28,14 +28,13 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
* [Persisting Projects Directory](#persisting-projects-directory)
* [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options)
* [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers)
* [Development](#development)
* [Testing](#testing)
* [Testing in Docker](#testing-in-docker)
* [Testing in Minikube](#testing-in-minikube)
* [Generating a bundle](#generating-a-bundle)
* [Service Account](#service-account)
* [Upgrading](#upgrading)
* [Contributing](#contributing)
* [Release Process](#release-process)
* [Build a new release](#build-a-new-release)
* [Build a new version of the operator yaml file](#build-a-new-version-of-the-operator-yaml-file)
* [Verifiy Functionality](#verify-functionality)
* [Update Version](#update-version)
* [Commit / Create Release](#commit--create-release)
* [Author](#author)
<!--te-->
@@ -43,7 +42,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
This operator is meant to provide a more Kubernetes-native installation method for AWX via an AWX Custom Resource Definition (CRD).
Note that the operator is not supported by Red Hat, and is in **alpha** status. For now, use it at your own risk!
> :warning: The operator is not supported by Red Hat, and is in **alpha** status. For now, use it at your own risk!
## Usage
@@ -51,40 +50,117 @@ Note that the operator is not supported by Red Hat, and is in **alpha** status.
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
First, you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release.
Replace `<tag>` in the URL below with the version you are deploying:
For testing purposes, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
```bash
#> kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/<tag>/deploy/awx-operator.yaml
$ minikube start --addons=ingress --cpus=4 --cni=flannel --install-addons=true \
--kubernetes-version=stable --memory=6g
😄 minikube v1.20.0 on Fedora 34
✨ Using the kvm2 driver based on user configuration
👍 Starting control plane node minikube in cluster minikube
🔥 Creating kvm2 VM (CPUs=4, Memory=6144MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.20.2 on Docker 20.10.6 ...
▪ Generating certificates and keys ...
▪ Booting up control plane ...
▪ Configuring RBAC rules ...
🔗 Configuring Flannel (Container Networking Interface) ...
🔎 Verifying Kubernetes components...
▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
▪ Using image k8s.gcr.io/ingress-nginx/controller:v0.44.0
▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
▪ Using image docker.io/jettech/kube-webhook-certgen:v1.5.1
🔎 Verifying ingress addon...
🌟 Enabled addons: storage-provisioner, default-storageclass, ingress
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
```
Then create a file named `my-awx.yml` with the following contents:
Once Minikube is deployed, check if the node(s) and `kube-apiserver` communication is working as expected.
```bash
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
minikube Ready control-plane,master 6m28s v1.20.2
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
ingress-nginx ingress-nginx-admission-create-tjk94 0/1 Completed 0 6m4s
ingress-nginx ingress-nginx-admission-patch-r4pl6 0/1 Completed 0 6m4s
ingress-nginx ingress-nginx-controller-5d88495688-sbtp9 1/1 Running 0 6m4s
kube-system coredns-74ff55c5b-2wz6n 1/1 Running 0 6m4s
kube-system etcd-minikube 1/1 Running 0 6m13s
kube-system kube-apiserver-minikube 1/1 Running 0 6m13s
kube-system kube-controller-manager-minikube 1/1 Running 0 6m13s
kube-system kube-flannel-ds-amd64-lw7lv 1/1 Running 0 6m3s
kube-system kube-proxy-lcxx7 1/1 Running 0 6m3s
kube-system kube-scheduler-minikube 1/1 Running 0 6m13s
kube-system storage-provisioner 1/1 Running 1 6m17s
```
Now you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release. Replace `<TAG>` in the URL `https://raw.githubusercontent.com/ansible/awx-operator/<TAG>/deploy/awx-operator.yaml` with the version you are deploying.
```bash
$ kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/<TAG>/deploy/awx-operator.yaml
customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com created
clusterrole.rbac.authorization.k8s.io/awx-operator created
clusterrolebinding.rbac.authorization.k8s.io/awx-operator created
serviceaccount/awx-operator created
deployment.apps/awx-operator created
```
Wait a few minutes and you should have the `awx-operator` running.
```bash
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
awx-operator-7dbf9db9d7-z9hqx 1/1 Running 0 50s
```
Then create a file named `awx-demo.yml` with the suggested content. The `metadata.name` you provide, will be the name of the resulting AWX deployment. If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
name: awx-demo
spec:
service_type: nodeport
ingress_type: none
hostname: awx-demo.example.com
```
> The metadata.name you provide, will be the name of the resulting AWX deployment. If you deploy more than one to the same namespace, be sure to use unique names.
Finally, use `kubectl` to create the awx instance in your cluster:
```bash
#> kubectl apply -f my-awx.yml
$ kubectl apply -f awx-demo.yml
awx.awx.ansible.com/awx-demo created
```
After a few minutes, the new AWX instance will be deployed. One can look at the operator pod logs in order to know where the installation process is at. This can be done by running the following command: `kubectl logs -f deployments/awx-operator`.
Once deployed, the AWX instance will be accessible at `http://awx.mycompany.com/` (assuming your cluster has an Ingress controller configured).
```bash
$ kubectl get pods -l "app.kubernetes.io/managed-by=awx-operator"
NAME READY STATUS RESTARTS AGE
awx-demo-77d96f88d5-pnhr8 4/4 Running 0 3m24s
awx-demo-postgres-0 1/1 Running 0 3m34s
$ kubectl get svc -l "app.kubernetes.io/managed-by=awx-operator"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
awx-demo-postgres ClusterIP None <none> 5432/TCP 4m4s
awx-demo-service NodePort 10.109.40.38 <none> 80:31006/TCP 3m56s
```
Once deployed, the AWX instance will be accessible by the command `minikube service awx-demo-service --url`.
By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
You just completed the most basic install of an AWX instance via this operator. Congratulations!!!!
You just completed the most basic install of an AWX instance via this operator. Congratulations !
For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
[![asciicast](https://raw.githubusercontent.com/ansible/awx-operator/devel/docs/awx-demo.svg)](https://asciinema.org/a/416946)
### Admin user account configuration
@@ -92,14 +168,14 @@ There are three variables that are customizable for the admin user account creat
| Name | Description | Default |
| --------------------------- | -------------------------------------------- | ---------------- |
| tower_admin_user | Name of the admin user | admin |
| tower_admin_email | Email of the admin user | test@example.com |
| tower_admin_password_secret | Secret that contains the admin user password | Empty string |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
> :warning: **tower_admin_password_secret must be a Kubernetes secret and not your text clear password**.
> :warning: **admin_password_secret must be a Kubernetes secret and not your text clear password**.
If `tower_admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
@@ -119,98 +195,114 @@ stringData:
### Network and TLS Configuration
#### Ingress Type
#### Service Type
By default, the AWX operator is not opinionated and won't force a specific ingress type on you. So, if `tower_ingress_type` is not specified as part of the Custom Resource specification, it will default to `none` and nothing ingress-wise will be created.
If the `service_type` is not specified, the `ClusterIP` service will be used for your AWX Tower service.
The AWX operator provides support for four kinds of `Ingress` to access AWX: `Ingress`, `Route`, `LoadBalancer` and `NodePort`, To toggle between these options, you can add the following to your AWX CR:
The `service_type` supported options are: `ClusterIP`, `LoadBalancer` and `NodePort`.
* Route
```yaml
---
spec:
...
tower_ingress_type: Route
```
* Ingress
```yaml
---
spec:
...
tower_ingress_type: Ingress
tower_hostname: awx.mycompany.com
```
* LoadBalancer
```yaml
---
spec:
...
tower_ingress_type: LoadBalancer
tower_loadbalancer_protocol: http
```
* NodePort
```yaml
---
spec:
...
tower_ingress_type: NodePort
```
The AWX `Service` that gets created will have a `type` set based on the `tower_ingress_type` being used:
| Ingress Type `tower_ingress_type` | Service Type |
| ------------------------------------- | -------------- |
| `LoadBalancer` | `LoadBalancer` |
| `NodePort` | `NodePort` |
| `Ingress` or `Route` or not specified | `ClusterIP` |
#### TLS Termination
* Route
The following variables are customizable to specify the TLS termination procedure when `Route` is picked as an Ingress
The following variables are customizable for any `service_type`
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------- |
| tower_route_host | Common name the route answers for | Empty string |
| tower_route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge |
| tower_route_tls_secret | Secret that contains the TLS information | Empty string |
| service_labels | Add custom labels | Empty string |
* Ingress
The following variables are customizable to specify the TLS termination procedure when `Ingress` is picked as an Ingress
| Name | Description | Default |
| -------------------------- | ---------------------------------------- | ------------- |
| tower_ingress_annotations | Ingress annotations | Empty string |
| tower_ingress_tls_secret | Secret that contains the TLS information | Empty string |
```yaml
---
spec:
...
service_type: ClusterIP
service_labels: |
environment: testing
```
* LoadBalancer
The following variables are customizable to specify the TLS termination procedure when `LoadBalancer` is picked as an Ingress
The following variables are customizable only when `service_type=LoadBalancer`
| Name | Description | Default |
| ------------------------------ | ---------------------------------------- | ------------- |
| tower_loadbalancer_annotations | LoadBalancer annotations | Empty string |
| tower_loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| tower_loadbalancer_port | Port used for Loadbalancer ingress | 80 |
| loadbalancer_annotations | LoadBalancer annotations | Empty string |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
When setting up a Load Balancer for HTTPS you will be required to set the `tower_loadbalancer_port` to move the port away from `80`.
```yaml
---
spec:
...
service_type: LoadBalancer
loadbalancer_protocol: https
loadbalancer_port: 443
loadbalancer_annotations: |
environment: testing
service_labels: |
environment: testing
```
When setting up a Load Balancer for HTTPS you will be required to set the `loadbalancer_port` to move the port away from `80`.
The HTTPS Load Balancer also uses SSL termination at the Load Balancer level and will offload traffic to AWX over HTTP.
#### Ingress Type
By default, the AWX operator is not opinionated and won't force a specific ingress type on you. So, when the `ingress_type` is not specified, it will default to `none` and nothing ingress-wise will be created.
The `ingress_type` supported options are: `none`, `ingress` and `route`. To toggle between these options, you can add the following to your AWX CRD:
* None
```yaml
---
spec:
...
ingress_type: none
```
* Generic Ingress Controller
The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
| Name | Description | Default |
| -------------------------- | ---------------------------------------- | ---------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
```yaml
---
spec:
...
ingress_type: ingress
hostname: awx-demo.example.com
ingress_annotations: |
environment: testing
```
* Route
The following variables are customizable when `ingress_type=route`
| Name | Description | Default |
| ------------------------------------- | --------------------------------------------- | --------------------------------------------------------|
| route_host | Common name the route answers for | `<instance-name>-<namespace>-<routerCanonicalHostname>` |
| route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge |
| route_tls_secret | Secret that contains the TLS information | Empty string |
```yaml
---
spec:
...
ingress_type: route
route_host: awx-demo.example.com
route_tls_termination_mechanism: Passthrough
route_tls_secret: custom-route-tls-secret-name
```
### Database Configuration
#### External PostgreSQL Service
In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `tower_postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
In order for the AWX instance to rely on an external database, the Custom Resource needs to know about the connection details. Those connection details should be stored as a secret and either specified as `postgres_configuration_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-postgres-configuration`.
The secret should be formatted as follows:
@@ -229,9 +321,12 @@ stringData:
username: <username to connect as>
password: <password to connect with>
sslmode: prefer
type: unmanaged
type: Opaque
```
> It is possible to set a specific username, password, port, or database, but still have the database managed by the operator. In this case, when creating the postgres-configuration secret, the `type: managed` field should be added.
**Note**: The variable `sslmode` is valid for `external` databases only. The allowed values are: `prefer`, `disable`, `allow`, `require`, `verify-ca`, `verify-full`.
#### Migrating data from an old AWX instance
@@ -246,11 +341,11 @@ The following variables are customizable for the managed PostgreSQL service
| Name | Description | Default |
| ------------------------------------ | ------------------------------------------ | --------------------------------- |
| tower_postgres_image | Path of the image to pull | postgres:12 |
| tower_postgres_resource_requirements | PostgreSQL container resource requirements | Empty object |
| tower_postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| tower_postgres_storage_class | PostgreSQL PV storage class | Empty string |
| tower_postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_resource_requirements | PostgreSQL container resource requirements | Empty object |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
Example of customization could be:
@@ -258,22 +353,22 @@ Example of customization could be:
---
spec:
...
tower_postgres_resource_requirements:
postgres_resource_requirements:
requests:
cpu: 500m
memory: 2Gi
limits:
cpu: 1
memory: 4Gi
tower_postgres_storage_requirements:
postgres_storage_requirements:
requests:
storage: 8Gi
limits:
storage: 50Gi
tower_postgres_storage_class: fast-ssd
postgres_storage_class: fast-ssd
```
**Note**: If `tower_postgres_storage_class` is not defined, Postgres will store it's data on a volume using the default storage class for your cluster.
**Note**: If `postgres_storage_class` is not defined, Postgres will store it's data on a volume using the default storage class for your cluster.
### Advanced Configuration
@@ -283,13 +378,13 @@ There are a few variables that are customizable for awx the image management.
| Name | Description |
| --------------------------| -------------------------- |
| tower_image | Path of the image to pull |
| tower_image_version | Image version to pull |
| tower_image_pull_policy | The pull policy to adopt |
| tower_image_pull_secret | The pull secret to use |
| tower_ee_images | A list of EEs to register |
| tower_redis_image | Path of the image to pull |
| tower_redis_image_version | Image version to pull |
| image | Path of the image to pull |
| image_version | Image version to pull |
| image_pull_policy | The pull policy to adopt |
| image_pull_secret | The pull secret to use |
| ee_images | A list of EEs to register |
| redis_image | Path of the image to pull |
| redis_image_version | Image version to pull |
Example of customization could be:
@@ -297,16 +392,16 @@ Example of customization could be:
---
spec:
...
tower_image: myorg/my-custom-awx
tower_image_version: latest
tower_image_pull_policy: Always
tower_image_pull_secret: pull_secret_name
tower_ee_images:
image: myorg/my-custom-awx
image_version: latest
image_pull_policy: Always
image_pull_secret: pull_secret_name
ee_images:
- name: my-custom-awx-ee
image: myorg/my-custom-awx-ee
```
**Note**: The `tower_image` and `tower_image_version` are intended for local mirroring scenarios. Please note that using a version of AWX other than the one bundled with the `awx-operator` is **not** supported. For the default values, check the [main.yml](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml) file.
**Note**: The `image` and `image_version` are intended for local mirroring scenarios. Please note that using a version of AWX other than the one bundled with the `awx-operator` is **not** supported. For the default values, check the [main.yml](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml) file.
#### Privileged Tasks
@@ -316,7 +411,7 @@ Depending on the type of tasks that you'll be running, you may find that you nee
---
spec:
...
tower_task_privileged: true
task_privileged: true
```
If you are attempting to do this on an OpenShift cluster, you will need to grant the `awx` ServiceAccount the `privileged` SCC, which can be done with:
@@ -334,8 +429,8 @@ The resource requirements for both, the task and the web containers are configur
| Name | Description | Default |
| -------------------------------- | ------------------------------------ | ----------------------------------- |
| tower_web_resource_requirements | Web container resource requirements | requests: {cpu: 1000m, memory: 2Gi} |
| tower_task_resource_requirements | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 1000m, memory: 2Gi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 500m, memory: 1Gi} |
Example of customization could be:
@@ -343,14 +438,14 @@ Example of customization could be:
---
spec:
...
tower_web_resource_requirements:
web_resource_requirements:
requests:
cpu: 1000m
memory: 2Gi
limits:
cpu: 2000m
memory: 4Gi
tower_task_resource_requirements:
task_resource_requirements:
requests:
cpu: 500m
memory: 1Gi
@@ -361,19 +456,19 @@ spec:
#### Assigning AWX pods to specific nodes
You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `tower_node_selector` and `tower_postgres_selector` constrains
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tower_tolerations` and `tower_postgres_tolerations` allow the AWX
You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
pods to be scheduled onto nodes with matching taints.
| Name | Description | Default |
| -------------------------------| --------------------------- | ------- |
| tower_postgres_image | Path of the image to pull | 12 |
| tower_postgres_image_version | Image version to pull | 12 |
| tower_node_selector | AWX pods' nodeSelector | '' |
| tower_tolerations | AWX pods' tolerations | '' |
| tower_postgres_selector | Postgres pods' nodeSelector | '' |
| tower_postgres_tolerations | Postgres pods' tolerations | '' |
| postgres_image | Path of the image to pull | 12 |
| postgres_image_version | Image version to pull | 12 |
| node_selector | AWX pods' nodeSelector | '' |
| tolerations | AWX pods' tolerations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:
@@ -381,20 +476,20 @@ Example of customization could be:
---
spec:
...
tower_node_selector: |
node_selector: |
disktype: ssd
kubernetes.io/arch: amd64
kubernetes.io/os: linux
tower_tolerations: |
tolerations: |
- key: "dedicated"
operator: "Equal"
value: "AWX"
effect: "NoSchedule"
tower_postgres_selector: |
postgres_selector: |
disktype: ssd
kubernetes.io/arch: amd64
kubernetes.io/os: linux
tower_postgres_tolerations: |
postgres_tolerations: |
- key: "dedicated"
operator: "Equal"
value: "AWX"
@@ -431,11 +526,11 @@ In cases which you want to persist the `/var/lib/projects` directory, there are
| Name | Description | Default |
| -----------------------------------| ---------------------------------------------------------------------------------------------------- | ---------------|
| tower_projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| tower_projects_storage_class | Define the PersistentVolume storage class | '' |
| tower_projects_storage_size | Define the PersistentVolume size | 8Gi |
| tower_projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| tower_projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `tower_projects_storage_*`) | '' |
| projects_persistence | Whether or not the /var/lib/projects directory will be persistent | false |
| projects_storage_class | Define the PersistentVolume storage class | '' |
| projects_storage_size | Define the PersistentVolume size | 8Gi |
| projects_storage_access_mode | Define the PersistentVolume access mode | ReadWriteMany |
| projects_existing_claim | Define an existing PersistentVolumeClaim to use (cannot be combined with `projects_storage_*`) | '' |
Example of customization when the `awx-operator` automatically handles the persistent volume could be:
@@ -443,9 +538,9 @@ Example of customization when the `awx-operator` automatically handles the persi
---
spec:
...
tower_projects_persistence: true
tower_projects_storage_class: rook-ceph
tower_projects_storage_size: 20Gi
projects_persistence: true
projects_storage_class: rook-ceph
projects_storage_size: 20Gi
```
#### Custom Volume and Volume Mount Options
@@ -454,10 +549,10 @@ In a scenario where custom volumes and volume mounts are required to either over
| Name | Description | Default |
| ------------------------------ | -------------------------------------------------------- | ------- |
| tower_extra_volumes | Specify extra volumes to add to the application pod | '' |
| tower_web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| tower_task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| tower_ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
| extra_volumes | Specify extra volumes to add to the application pod | '' |
| web_extra_volume_mounts | Specify volume mounts to be added to Web container | '' |
| task_extra_volume_mounts | Specify volume mounts to be added to Task container | '' |
| ee_extra_volume_mounts | Specify volume mounts to be added to Execution container | '' |
Example configuration for ConfigMap
@@ -484,17 +579,17 @@ Example spec file for volumes and volume mounts
---
spec:
...
tower_ee_extra_volume_mounts: |
ee_extra_volume_mounts: |
- name: ansible-cfg
mountPath: /etc/ansible/ansible.cfg
subPath: ansible.cfg
tower_task_extra_volume_mounts: |
task_extra_volume_mounts: |
- name: custom-py
mountPath: /etc/tower/conf.d/custom.py
subPath: custom.py
tower_extra_volumes: |
extra_volumes: |
- name: ansible-cfg
configMap:
defaultMode: 420
@@ -520,115 +615,48 @@ If you need to export custom environment variables to your containers.
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| tower_task_extra_env | Environment variables to be added to Task container | '' |
| tower_web_extra_env | Environment variables to be added to Web container | '' |
| task_extra_env | Environment variables to be added to Task container | '' |
| web_extra_env | Environment variables to be added to Web container | '' |
Example configuration of environment variables
```yaml
spec:
tower_task_extra_env: |
task_extra_env: |
- name: MYCUSTOMVAR
value: foo
tower_web_extra_env: |
web_extra_env: |
- name: MYCUSTOMVAR
value: foo
```
#### Service Account
## Development
If you need to modify some `ServiceAccount` proprieties
### Testing
| Name | Description | Default |
| ----------------------------- | -------------------------------------------------------- | ------- |
| service_account_annotations | Annotations to the ServiceAccount | '' |
This Operator includes a [Molecule](https://molecule.readthedocs.io/en/stable/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
Example configuration of environment variables
You need to make sure you have Molecule installed before running the following commands. You can install Molecule with:
```sh
#> pip install 'molecule[docker]'
```yaml
spec:
service_account_annotations: |
eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
```
Running `molecule test` sets up a clean environment, builds the operator, runs all configured tests on an example operator instance, then tears down the environment (at least in the case of Docker).
### Upgrading
If you want to actively develop the operator, use `molecule converge`, which does everything but tear down the environment at the end.
To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX. To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `image_version` variable in `roles/installer/defaults/main.yml` for that particular release.
#### Testing in Docker
Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
```sh
#> molecule test -s test-local
```
This environment is meant for headless testing (e.g. in a CI environment, or when making smaller changes which don't need to be verified through a web interface). It is difficult to test things like AWX's web UI or to connect other applications on your local machine to the services running inside the cluster, since it is inside a Docker container with no static IP address.
## Contributing
#### Testing in Minikube
Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
```sh
#> minikube start --memory 8g --cpus 4
#> minikube addons enable ingress
#> molecule test -s test-minikube
```
[Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) is a more full-featured test environment running inside a full VM on your computer, with an assigned IP address. This makes it easier to test things like NodePort services and Ingress from outside the Kubernetes cluster (e.g. in a browser on your computer).
Once the operator is deployed, you can visit the AWX UI in your browser by following these steps:
1. Make sure you have an entry like `IP_ADDRESS example-awx.test` in your `/etc/hosts` file. (Get the IP address with `minikube ip`.)
2. Visit `http://example-awx.test/` in your browser. (Default admin login is `test`/`changeme`.)
Alternatively, you can also update the service `awx-service` in your namespace to use the type `NodePort` and use following command to get the URL to access your AWX instance:
```sh
#> minikube service <serviceName> -n <namespaceName> --url
```
### Generating a bundle
> :warning: operator-sdk version 0.19.4 is needed to run the following commands
If one has the Operator Lifecycle Manager (OLM) installed, the following steps is the process to generate the bundle that would nicely display in the OLM interface.
At the root of this directory:
1. Build and publish the operator
```
#> operator-sdk build registry.example.com/ansible/awx-operator:mytag
#> podman push registry.example.com/ansible/awx-operator:mytag
```
2. Build and publish the bundle
```
#> podman build . -f bundle.Dockerfile -t registry.example.com/ansible/awx-operator-bundle:mytag
#> podman push registry.example.com/ansible/awx-operator-bundle:mytag
```
3. Build and publish an index with your bundle in it
```
#> opm index add --bundles registry.example.com/ansible/awx-operator-bundle:mytag --tag registry.example.com/ansible/awx-operator-catalog:mytag
#> podman push registry.example.com/ansible/awx-operator-catalog:mytag
```
4. In your Kubernetes create a new CatalogSource pointing to `registry.example.com/ansible/awx-operator-catalog:mytag`
```
---
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: <catalogsource-name>
namespace: <namespace>
spec:
displayName: 'myoperatorhub'
image: registry.example.com/ansible/awx-operator-catalog:mytag
publisher: 'myoperatorhub'
sourceType: grpc
```
Applying this template will do it. Once the CatalogSource is in a READY state, the bundle should be available on the OperatorHub tab (as part of the custom CatalogSource that just got added)
5. Enjoy
## Release Process
@@ -636,6 +664,10 @@ There are a few moving parts to this project:
1. The Docker image which powers AWX Operator.
2. The `awx-operator.yaml` Kubernetes manifest file which initially deploys the Operator into a cluster.
3. Then use the command below to generate a list of commits between the versions.
```sh
#> git log --no-merges --pretty="- %s (%an) - %h " <old_tag>..<new_tag>
```
Each of these must be appropriately built in preparation for a new tag:
@@ -661,7 +693,7 @@ After it is built, test it on a local cluster:
#> minikube addons enable ingress
#> ansible-playbook ansible/deploy-operator.yml -e operator_image=quay.io/<user>/awx-operator -e operator_version=test
#> kubectl create namespace example-awx
#> ansible-playbook ansible/instantiate-awx-deployment.yml -e tower_namespace=example-awx
#> ansible-playbook ansible/instantiate-awx-deployment.yml -e namespace=example-awx
#> <test everything>
#> minikube delete
```

14
ansible/chain-operator-files.yml
View File

@@ -6,12 +6,24 @@
gather_facts: false
tasks:
- name: Template CRD
- name: Template AWX CRD
template:
src: crd.yml.j2
dest: "{{ playbook_dir }}/../deploy/crds/awx_v1beta1_crd.yaml"
mode: '0644'
- name: Template AWXBackup CRD
template:
src: awxbackup_crd.yml.j2
dest: "{{ playbook_dir }}/../deploy/crds/awxbackup_v1beta1_crd.yaml"
mode: '0644'
- name: Template AWXRestore CRD
template:
src: awxrestore_crd.yml.j2
dest: "{{ playbook_dir }}/../deploy/crds/awxrestore_v1beta1_crd.yaml"
mode: '0644'
- name: Template awx-operator.yaml
template:
src: awx-operator.yaml.j2

2
ansible/deploy-operator.yml
View File

@@ -1,6 +1,6 @@
---
- name: Reconstruct awx-operator.yaml
include: chain-operator-files.yml
import_playbook: chain-operator-files.yml
- name: Deploy Operator
hosts: localhost

3
ansible/group_vars/all
View File

@@ -1,3 +1,4 @@
operator_image: quay.io/ansible/awx-operator
operator_version: 0.9.0
operator_version: 0.10.0
pull_policy: Always
ansible_debug_logs: "false"

17
ansible/instantiate-awx-deployment.yml
View File

@@ -9,7 +9,7 @@
- name: Deploy AWX
k8s:
state: "{{ state | default('present') }}"
namespace: "{{ tower_namespace | default('default') }}"
namespace: "{{ namespace | default('default') }}"
apply: yes
wait: yes
definition:
@@ -18,13 +18,14 @@
metadata:
name: awx
spec:
tower_admin_user: admin
tower_admin_email: admin@localhost
tower_ingress_type: "{{ tower_ingress_type | default(omit) }}" # Either Route, Ingress or LoadBalancer
tower_image: "{{ tower_image | default(omit) }}"
tower_image_version: "{{ tower_image_version | default(omit) }}"
admin_user: admin
admin_email: admin@localhost
service_type: "{{ service_type | default(omit) }}" # Either clusterIP, Loadbalancer or NodePort
ingress_type: "{{ ingress_type | default(omit) }}" # Either none, Ingress, Route
image: "{{ image | default(omit) }}"
image_version: "{{ image_version | default(omit) }}"
development_mode: "{{ development_mode | default(omit) | bool }}"
tower_image_pull_policy: "{{ tower_image_pull_policy | default(omit) }}"
# tower_ee_images:
image_pull_policy: "{{ image_pull_policy | default(omit) }}"
# ee_images:
# - name: test-ee
# image: quay.io/<user>/awx-ee

4
ansible/templates/awx-operator.yaml.j2
View File

@@ -3,6 +3,10 @@
# Update templates under ansible/templates/
{% include 'crd.yml.j2' %}
{% include 'awxbackup_crd.yml.j2' %}
{% include 'awxrestore_crd.yml.j2' %}
{% include 'role.yml.j2' %}
{% include 'role_binding.yml.j2' %}

48
ansible/templates/awxbackup_crd.yml.j2 Normal file
View File

@@ -0,0 +1,48 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXBackup CRD
properties:
spec:
type: object
required:
- deployment_name
properties:
deployment_name:
description: Name of the deployment to be backed up
type: string
backup_pvc:
description: Name of the PVC to be used for storing the backup
type: string
backup_pvc_namespace:
description: Namespace PVC is in
type: string
backup_storage_requirements:
description: Storage requirements for the PostgreSQL container
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string

52
ansible/templates/awxrestore_crd.yml.j2 Normal file
View File

@@ -0,0 +1,52 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXRestore CRD
properties:
spec:
type: object
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
deployment_name:
description: Name of the deployment to be restored to
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string

170
ansible/templates/crd.yml.j2
View File

@@ -35,39 +35,52 @@ spec:
description: apiVersion of the deployment type
type: string
default: awx.ansible.com/v1beta1
tower_task_privileged:
task_privileged:
description: If a privileged security context should be enabled
type: boolean
default: false
tower_admin_user:
admin_user:
description: Username to use for the admin account
type: string
default: admin
tower_hostname:
hostname:
description: The hostname of the instance
type: string
tower_admin_email:
admin_email:
description: The admin user email
type: string
tower_admin_password_secret:
admin_password_secret:
description: Secret where the admin password can be found
type: string
tower_postgres_configuration_secret:
postgres_configuration_secret:
description: Secret where the database configuration can be found
type: string
tower_old_postgres_configuration_secret:
old_postgres_configuration_secret:
description: Secret where the old database configuration can be found for data migration
type: string
tower_secret_key_secret:
postgres_label_selector:
description: Label selector used to identify postgres pod for data migration
type: string
secret_key_secret:
description: Secret where the secret key can be found
type: string
tower_broadcast_websocket_secret:
broadcast_websocket_secret:
description: Secret where the broadcast websocket secret can be found
type: string
tower_extra_volumes:
extra_volumes:
description: Specify extra volumes to add to the application pod
type: string
tower_ingress_type:
service_type:
description: The service type to be used on the deployed instance
type: string
enum:
- LoadBalancer
- loadbalancer
- ClusterIP
- clusterip
- NodePort
- nodeport
ingress_type:
description: The ingress type to use to reach the deployed instance
type: string
enum:
@@ -76,34 +89,30 @@ spec:
- ingress
- Route
- route
- LoadBalancer
- loadbalancer
- NodePort
- nodeport
tower_ingress_annotations:
description: Annotations to add to the ingress
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
tower_ingress_tls_secret:
description: Secret where the ingress TLS secret can be found
ingress_tls_secret:
description: Secret where the Ingress TLS secret can be found
type: string
tower_loadbalancer_annotations:
loadbalancer_annotations:
description: Annotations to add to the loadbalancer
type: string
tower_loadbalancer_protocol:
loadbalancer_protocol:
description: Protocol to use for the loadbalancer
type: string
default: http
enum:
- http
- https
tower_loadbalancer_port:
loadbalancer_port:
description: Port to use for the loadbalancer
type: integer
default: 80
tower_route_host:
route_host:
description: The DNS to use to points to the instance
type: string
tower_route_tls_termination_mechanism:
route_tls_termination_mechanism:
description: The secure TLS termination mechanism to use
type: string
default: Edge
@@ -112,22 +121,25 @@ spec:
- edge
- Passthrough
- passthrough
tower_route_tls_secret:
route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
tower_node_selector:
description: nodeSelector for the AWX pods
node_selector:
description: nodeSelector for the pods
type: string
tower_tolerations:
description: node tolerations for the AWX pods
service_labels:
description: Additional labels to apply to the service
type: string
tower_image:
tolerations:
description: node tolerations for the pods
type: string
image:
description: Registry path to the application container to use
type: string
tower_image_version:
image_version:
description: Application container image version to use
type: string
tower_ee_images:
ee_images:
description: Registry path to the Execution Environment container to use
type: array
items:
@@ -137,7 +149,7 @@ spec:
type: string
image:
type: string
tower_image_pull_policy:
image_pull_policy:
description: The image pull policy
type: string
default: IfNotPresent
@@ -148,10 +160,10 @@ spec:
- never
- IfNotPresent
- ifnotpresent
tower_image_pull_secret:
image_pull_secret:
description: The image pull secret
type: string
tower_task_resource_requirements:
task_resource_requirements:
description: Resource requirements for the task container
properties:
requests:
@@ -173,7 +185,7 @@ spec:
type: string
type: object
type: object
tower_web_resource_requirements:
web_resource_requirements:
description: Resource requirements for the web container
properties:
requests:
@@ -195,67 +207,70 @@ spec:
type: string
type: object
type: object
tower_replicas:
service_account_annotations:
description: ServiceAccount annotations
type: string
replicas:
description: Number of instance replicas
type: integer
default: 1
format: int32
tower_garbage_collect_secrets:
garbage_collect_secrets:
description: Whether or not to remove secrets upon instance removal
default: false
type: boolean
tower_create_preload_data:
description: Whether or not to preload data upon Tower instance creation
create_preload_data:
description: Whether or not to preload data upon instance creation
default: true
type: boolean
tower_task_args:
task_args:
type: array
items:
type: string
tower_task_command:
task_command:
type: array
items:
type: string
tower_web_args:
web_args:
type: array
items:
type: string
tower_web_command:
web_command:
type: array
items:
type: string
tower_task_extra_env:
task_extra_env:
type: string
tower_web_extra_env:
web_extra_env:
type: string
tower_ee_extra_volume_mounts:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
tower_task_extra_volume_mounts:
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
tower_web_extra_volume_mounts:
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
tower_redis_image:
redis_image:
description: Registry path to the redis container to use
type: string
tower_redis_image_version:
redis_image_version:
description: Redis container image version to use
type: string
tower_postgres_image:
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
tower_postgres_image_version:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
tower_postgres_selector:
postgres_selector:
description: nodeSelector for the Postgres pods
type: string
tower_postgres_tolerations:
postgres_tolerations:
description: node tolerations for the Postgres pods
type: string
tower_postgres_storage_requirements:
postgres_storage_requirements:
description: Storage requirements for the PostgreSQL container
properties:
requests:
@@ -269,7 +284,7 @@ spec:
type: string
type: object
type: object
tower_postgres_resource_requirements:
postgres_resource_requirements:
description: Resource requirements for the PostgreSQL container
properties:
requests:
@@ -287,10 +302,10 @@ spec:
type: string
type: object
type: object
tower_postgres_storage_class:
postgres_storage_class:
description: Storage class to use for the PostgreSQL PVC
type: string
tower_postgres_data_path:
postgres_data_path:
description: Path where the PostgreSQL data are located
type: string
ca_trust_bundle:
@@ -302,27 +317,27 @@ spec:
ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string
tower_projects_persistence:
projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent
default: false
type: boolean
tower_projects_use_existing_claim:
projects_use_existing_claim:
description: Using existing PersistentVolumeClaim
type: string
enum:
- _Yes_
- _No_
tower_projects_existing_claim:
projects_existing_claim:
description: PersistentVolumeClaim to mount /var/lib/projects directory
type: string
tower_projects_storage_class:
projects_storage_class:
description: Storage class for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_storage_size:
projects_storage_size:
description: Size for the /var/lib/projects PersistentVolumeClaim
default: 8Gi
type: string
tower_projects_storage_access_mode:
projects_storage_access_mode:
description: AccessMode for the /var/lib/projects PersistentVolumeClaim
default: ReadWriteMany
type: string
@@ -339,22 +354,31 @@ spec:
type: object
status:
properties:
towerURL:
URL:
description: URL to access the deployed instance
type: string
towerAdminUser:
adminUser:
description: Admin user of the deployed instance
type: string
towerAdminPasswordSecret:
description: Admin password of the deployed instance
adminPasswordSecret:
description: Admin password secret name of the deployed instance
type: string
towerMigratedFromSecret:
description: The secret used for migrating an old Tower.
postgresConfigurationSecret:
description: Postgres Configuration secret name of the deployed instance
type: string
towerVersion:
broadcastWebsocketSecret:
description: Broadcast websocket secret name of the deployed instance
type: string
secretKeySecret:
description: Secret key secret name of the deployed instance
type: string
migratedFromSecret:
description: The secret used for migrating an old instance.
type: string
version:
description: Version of the deployed instance
type: string
towerImage:
image:
description: URL of the image used for the deployed instance
type: string
conditions:

4
ansible/templates/operator.yml.j2
View File

@@ -33,6 +33,10 @@ spec:
value: awx-operator
- name: ANSIBLE_GATHERING
value: explicit
- name: OPERATOR_VERSION
value: "{{ operator_version }}"
- name: ANSIBLE_DEBUG_LOGS
value: "{{ ansible_debug_logs|lower | default('false'|lower) }}"
livenessProbe:
httpGet:
path: /healthz

2
ansible/templates/role.yml.j2
View File

@@ -79,5 +79,7 @@ rules:
- awx.ansible.com
resources:
- '*'
- awxbackups
- awxrestores
verbs:
- '*'

280
deploy/awx-operator.yaml
View File

@@ -37,39 +37,52 @@ spec:
description: apiVersion of the deployment type
type: string
default: awx.ansible.com/v1beta1
tower_task_privileged:
task_privileged:
description: If a privileged security context should be enabled
type: boolean
default: false
tower_admin_user:
admin_user:
description: Username to use for the admin account
type: string
default: admin
tower_hostname:
hostname:
description: The hostname of the instance
type: string
tower_admin_email:
admin_email:
description: The admin user email
type: string
tower_admin_password_secret:
admin_password_secret:
description: Secret where the admin password can be found
type: string
tower_postgres_configuration_secret:
postgres_configuration_secret:
description: Secret where the database configuration can be found
type: string
tower_old_postgres_configuration_secret:
old_postgres_configuration_secret:
description: Secret where the old database configuration can be found for data migration
type: string
tower_secret_key_secret:
postgres_label_selector:
description: Label selector used to identify postgres pod for data migration
type: string
secret_key_secret:
description: Secret where the secret key can be found
type: string
tower_broadcast_websocket_secret:
broadcast_websocket_secret:
description: Secret where the broadcast websocket secret can be found
type: string
tower_extra_volumes:
extra_volumes:
description: Specify extra volumes to add to the application pod
type: string
tower_ingress_type:
service_type:
description: The service type to be used on the deployed instance
type: string
enum:
- LoadBalancer
- loadbalancer
- ClusterIP
- clusterip
- NodePort
- nodeport
ingress_type:
description: The ingress type to use to reach the deployed instance
type: string
enum:
@@ -78,34 +91,30 @@ spec:
- ingress
- Route
- route
- LoadBalancer
- loadbalancer
- NodePort
- nodeport
tower_ingress_annotations:
description: Annotations to add to the ingress
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
tower_ingress_tls_secret:
description: Secret where the ingress TLS secret can be found
ingress_tls_secret:
description: Secret where the Ingress TLS secret can be found
type: string
tower_loadbalancer_annotations:
loadbalancer_annotations:
description: Annotations to add to the loadbalancer
type: string
tower_loadbalancer_protocol:
loadbalancer_protocol:
description: Protocol to use for the loadbalancer
type: string
default: http
enum:
- http
- https
tower_loadbalancer_port:
loadbalancer_port:
description: Port to use for the loadbalancer
type: integer
default: 80
tower_route_host:
route_host:
description: The DNS to use to points to the instance
type: string
tower_route_tls_termination_mechanism:
route_tls_termination_mechanism:
description: The secure TLS termination mechanism to use
type: string
default: Edge
@@ -114,22 +123,25 @@ spec:
- edge
- Passthrough
- passthrough
tower_route_tls_secret:
route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
tower_node_selector:
description: nodeSelector for the AWX pods
node_selector:
description: nodeSelector for the pods
type: string
tower_tolerations:
description: node tolerations for the AWX pods
service_labels:
description: Additional labels to apply to the service
type: string
tower_image:
tolerations:
description: node tolerations for the pods
type: string
image:
description: Registry path to the application container to use
type: string
tower_image_version:
image_version:
description: Application container image version to use
type: string
tower_ee_images:
ee_images:
description: Registry path to the Execution Environment container to use
type: array
items:
@@ -139,7 +151,7 @@ spec:
type: string
image:
type: string
tower_image_pull_policy:
image_pull_policy:
description: The image pull policy
type: string
default: IfNotPresent
@@ -150,10 +162,10 @@ spec:
- never
- IfNotPresent
- ifnotpresent
tower_image_pull_secret:
image_pull_secret:
description: The image pull secret
type: string
tower_task_resource_requirements:
task_resource_requirements:
description: Resource requirements for the task container
properties:
requests:
@@ -175,7 +187,7 @@ spec:
type: string
type: object
type: object
tower_web_resource_requirements:
web_resource_requirements:
description: Resource requirements for the web container
properties:
requests:
@@ -197,67 +209,70 @@ spec:
type: string
type: object
type: object
tower_replicas:
service_account_annotations:
description: ServiceAccount annotations
type: string
replicas:
description: Number of instance replicas
type: integer
default: 1
format: int32
tower_garbage_collect_secrets:
garbage_collect_secrets:
description: Whether or not to remove secrets upon instance removal
default: false
type: boolean
tower_create_preload_data:
description: Whether or not to preload data upon Tower instance creation
create_preload_data:
description: Whether or not to preload data upon instance creation
default: true
type: boolean
tower_task_args:
task_args:
type: array
items:
type: string
tower_task_command:
task_command:
type: array
items:
type: string
tower_web_args:
web_args:
type: array
items:
type: string
tower_web_command:
web_command:
type: array
items:
type: string
tower_task_extra_env:
task_extra_env:
type: string
tower_web_extra_env:
web_extra_env:
type: string
tower_ee_extra_volume_mounts:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
tower_task_extra_volume_mounts:
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
tower_web_extra_volume_mounts:
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
tower_redis_image:
redis_image:
description: Registry path to the redis container to use
type: string
tower_redis_image_version:
redis_image_version:
description: Redis container image version to use
type: string
tower_postgres_image:
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
tower_postgres_image_version:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
tower_postgres_selector:
postgres_selector:
description: nodeSelector for the Postgres pods
type: string
tower_postgres_tolerations:
postgres_tolerations:
description: node tolerations for the Postgres pods
type: string
tower_postgres_storage_requirements:
postgres_storage_requirements:
description: Storage requirements for the PostgreSQL container
properties:
requests:
@@ -271,7 +286,7 @@ spec:
type: string
type: object
type: object
tower_postgres_resource_requirements:
postgres_resource_requirements:
description: Resource requirements for the PostgreSQL container
properties:
requests:
@@ -289,10 +304,10 @@ spec:
type: string
type: object
type: object
tower_postgres_storage_class:
postgres_storage_class:
description: Storage class to use for the PostgreSQL PVC
type: string
tower_postgres_data_path:
postgres_data_path:
description: Path where the PostgreSQL data are located
type: string
ca_trust_bundle:
@@ -304,27 +319,27 @@ spec:
ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string
tower_projects_persistence:
projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent
default: false
type: boolean
tower_projects_use_existing_claim:
projects_use_existing_claim:
description: Using existing PersistentVolumeClaim
type: string
enum:
- _Yes_
- _No_
tower_projects_existing_claim:
projects_existing_claim:
description: PersistentVolumeClaim to mount /var/lib/projects directory
type: string
tower_projects_storage_class:
projects_storage_class:
description: Storage class for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_storage_size:
projects_storage_size:
description: Size for the /var/lib/projects PersistentVolumeClaim
default: 8Gi
type: string
tower_projects_storage_access_mode:
projects_storage_access_mode:
description: AccessMode for the /var/lib/projects PersistentVolumeClaim
default: ReadWriteMany
type: string
@@ -341,22 +356,31 @@ spec:
type: object
status:
properties:
towerURL:
URL:
description: URL to access the deployed instance
type: string
towerAdminUser:
adminUser:
description: Admin user of the deployed instance
type: string
towerAdminPasswordSecret:
description: Admin password of the deployed instance
adminPasswordSecret:
description: Admin password secret name of the deployed instance
type: string
towerMigratedFromSecret:
description: The secret used for migrating an old Tower.
postgresConfigurationSecret:
description: Postgres Configuration secret name of the deployed instance
type: string
towerVersion:
broadcastWebsocketSecret:
description: Broadcast websocket secret name of the deployed instance
type: string
secretKeySecret:
description: Secret key secret name of the deployed instance
type: string
migratedFromSecret:
description: The secret used for migrating an old instance.
type: string
version:
description: Version of the deployed instance
type: string
towerImage:
image:
description: URL of the image used for the deployed instance
type: string
conditions:
@@ -376,6 +400,108 @@ spec:
type: object
type: object
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXBackup CRD
properties:
spec:
type: object
required:
- deployment_name
properties:
deployment_name:
description: Name of the deployment to be backed up
type: string
backup_pvc:
description: Name of the PVC to be used for storing the backup
type: string
backup_pvc_namespace:
description: Namespace PVC is in
type: string
backup_storage_requirements:
description: Storage requirements for the PostgreSQL container
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXRestore CRD
properties:
spec:
type: object
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
deployment_name:
description: Name of the deployment to be restored to
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -457,6 +583,8 @@ rules:
- awx.ansible.com
resources:
- '*'
- awxbackups
- awxrestores
verbs:
- '*'
@@ -499,7 +627,7 @@ spec:
serviceAccountName: awx-operator
containers:
- name: awx-operator
image: "quay.io/ansible/awx-operator:0.9.0"
image: "quay.io/ansible/awx-operator:0.10.0"
imagePullPolicy: "Always"
volumeMounts:
- mountPath: /tmp/ansible-operator/runner
@@ -516,6 +644,10 @@ spec:
value: awx-operator
- name: ANSIBLE_GATHERING
value: explicit
- name: OPERATOR_VERSION
value: "0.10.0"
- name: ANSIBLE_DEBUG_LOGS
value: "false"
livenessProbe:
httpGet:
path: /healthz

170
deploy/crds/awx_v1beta1_crd.yaml
View File

@@ -35,39 +35,52 @@ spec:
description: apiVersion of the deployment type
type: string
default: awx.ansible.com/v1beta1
tower_task_privileged:
task_privileged:
description: If a privileged security context should be enabled
type: boolean
default: false
tower_admin_user:
admin_user:
description: Username to use for the admin account
type: string
default: admin
tower_hostname:
hostname:
description: The hostname of the instance
type: string
tower_admin_email:
admin_email:
description: The admin user email
type: string
tower_admin_password_secret:
admin_password_secret:
description: Secret where the admin password can be found
type: string
tower_postgres_configuration_secret:
postgres_configuration_secret:
description: Secret where the database configuration can be found
type: string
tower_old_postgres_configuration_secret:
old_postgres_configuration_secret:
description: Secret where the old database configuration can be found for data migration
type: string
tower_secret_key_secret:
postgres_label_selector:
description: Label selector used to identify postgres pod for data migration
type: string
secret_key_secret:
description: Secret where the secret key can be found
type: string
tower_broadcast_websocket_secret:
broadcast_websocket_secret:
description: Secret where the broadcast websocket secret can be found
type: string
tower_extra_volumes:
extra_volumes:
description: Specify extra volumes to add to the application pod
type: string
tower_ingress_type:
service_type:
description: The service type to be used on the deployed instance
type: string
enum:
- LoadBalancer
- loadbalancer
- ClusterIP
- clusterip
- NodePort
- nodeport
ingress_type:
description: The ingress type to use to reach the deployed instance
type: string
enum:
@@ -76,34 +89,30 @@ spec:
- ingress
- Route
- route
- LoadBalancer
- loadbalancer
- NodePort
- nodeport
tower_ingress_annotations:
description: Annotations to add to the ingress
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
tower_ingress_tls_secret:
description: Secret where the ingress TLS secret can be found
ingress_tls_secret:
description: Secret where the Ingress TLS secret can be found
type: string
tower_loadbalancer_annotations:
loadbalancer_annotations:
description: Annotations to add to the loadbalancer
type: string
tower_loadbalancer_protocol:
loadbalancer_protocol:
description: Protocol to use for the loadbalancer
type: string
default: http
enum:
- http
- https
tower_loadbalancer_port:
loadbalancer_port:
description: Port to use for the loadbalancer
type: integer
default: 80
tower_route_host:
route_host:
description: The DNS to use to points to the instance
type: string
tower_route_tls_termination_mechanism:
route_tls_termination_mechanism:
description: The secure TLS termination mechanism to use
type: string
default: Edge
@@ -112,22 +121,25 @@ spec:
- edge
- Passthrough
- passthrough
tower_route_tls_secret:
route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
tower_node_selector:
description: nodeSelector for the AWX pods
node_selector:
description: nodeSelector for the pods
type: string
tower_tolerations:
description: node tolerations for the AWX pods
service_labels:
description: Additional labels to apply to the service
type: string
tower_image:
tolerations:
description: node tolerations for the pods
type: string
image:
description: Registry path to the application container to use
type: string
tower_image_version:
image_version:
description: Application container image version to use
type: string
tower_ee_images:
ee_images:
description: Registry path to the Execution Environment container to use
type: array
items:
@@ -137,7 +149,7 @@ spec:
type: string
image:
type: string
tower_image_pull_policy:
image_pull_policy:
description: The image pull policy
type: string
default: IfNotPresent
@@ -148,10 +160,10 @@ spec:
- never
- IfNotPresent
- ifnotpresent
tower_image_pull_secret:
image_pull_secret:
description: The image pull secret
type: string
tower_task_resource_requirements:
task_resource_requirements:
description: Resource requirements for the task container
properties:
requests:
@@ -173,7 +185,7 @@ spec:
type: string
type: object
type: object
tower_web_resource_requirements:
web_resource_requirements:
description: Resource requirements for the web container
properties:
requests:
@@ -195,67 +207,70 @@ spec:
type: string
type: object
type: object
tower_replicas:
service_account_annotations:
description: ServiceAccount annotations
type: string
replicas:
description: Number of instance replicas
type: integer
default: 1
format: int32
tower_garbage_collect_secrets:
garbage_collect_secrets:
description: Whether or not to remove secrets upon instance removal
default: false
type: boolean
tower_create_preload_data:
description: Whether or not to preload data upon Tower instance creation
create_preload_data:
description: Whether or not to preload data upon instance creation
default: true
type: boolean
tower_task_args:
task_args:
type: array
items:
type: string
tower_task_command:
task_command:
type: array
items:
type: string
tower_web_args:
web_args:
type: array
items:
type: string
tower_web_command:
web_command:
type: array
items:
type: string
tower_task_extra_env:
task_extra_env:
type: string
tower_web_extra_env:
web_extra_env:
type: string
tower_ee_extra_volume_mounts:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
tower_task_extra_volume_mounts:
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
tower_web_extra_volume_mounts:
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
tower_redis_image:
redis_image:
description: Registry path to the redis container to use
type: string
tower_redis_image_version:
redis_image_version:
description: Redis container image version to use
type: string
tower_postgres_image:
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
tower_postgres_image_version:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
tower_postgres_selector:
postgres_selector:
description: nodeSelector for the Postgres pods
type: string
tower_postgres_tolerations:
postgres_tolerations:
description: node tolerations for the Postgres pods
type: string
tower_postgres_storage_requirements:
postgres_storage_requirements:
description: Storage requirements for the PostgreSQL container
properties:
requests:
@@ -269,7 +284,7 @@ spec:
type: string
type: object
type: object
tower_postgres_resource_requirements:
postgres_resource_requirements:
description: Resource requirements for the PostgreSQL container
properties:
requests:
@@ -287,10 +302,10 @@ spec:
type: string
type: object
type: object
tower_postgres_storage_class:
postgres_storage_class:
description: Storage class to use for the PostgreSQL PVC
type: string
tower_postgres_data_path:
postgres_data_path:
description: Path where the PostgreSQL data are located
type: string
ca_trust_bundle:
@@ -302,27 +317,27 @@ spec:
ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string
tower_projects_persistence:
projects_persistence:
description: Whether or not the /var/lib/projects directory will be persistent
default: false
type: boolean
tower_projects_use_existing_claim:
projects_use_existing_claim:
description: Using existing PersistentVolumeClaim
type: string
enum:
- _Yes_
- _No_
tower_projects_existing_claim:
projects_existing_claim:
description: PersistentVolumeClaim to mount /var/lib/projects directory
type: string
tower_projects_storage_class:
projects_storage_class:
description: Storage class for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_storage_size:
projects_storage_size:
description: Size for the /var/lib/projects PersistentVolumeClaim
default: 8Gi
type: string
tower_projects_storage_access_mode:
projects_storage_access_mode:
description: AccessMode for the /var/lib/projects PersistentVolumeClaim
default: ReadWriteMany
type: string
@@ -339,22 +354,31 @@ spec:
type: object
status:
properties:
towerURL:
URL:
description: URL to access the deployed instance
type: string
towerAdminUser:
adminUser:
description: Admin user of the deployed instance
type: string
towerAdminPasswordSecret:
description: Admin password of the deployed instance
adminPasswordSecret:
description: Admin password secret name of the deployed instance
type: string
towerMigratedFromSecret:
description: The secret used for migrating an old Tower.
postgresConfigurationSecret:
description: Postgres Configuration secret name of the deployed instance
type: string
towerVersion:
broadcastWebsocketSecret:
description: Broadcast websocket secret name of the deployed instance
type: string
secretKeySecret:
description: Secret key secret name of the deployed instance
type: string
migratedFromSecret:
description: The secret used for migrating an old instance.
type: string
version:
description: Version of the deployed instance
type: string
towerImage:
image:
description: URL of the image used for the deployed instance
type: string
conditions:

8
deploy/crds/awx_v1beta1_molecule.yaml
View File

@@ -5,13 +5,15 @@ metadata:
name: example-awx
namespace: example-awx
spec:
service_account_annotations: |
foo: bar
deployment_type: awx
tower_ingress_type: ingress
tower_web_resource_requirements:
ingress_type: ingress
web_resource_requirements:
requests:
cpu: 500m
memory: 128M
tower_task_resource_requirements:
task_resource_requirements:
requests:
cpu: 500m
memory: 128M

48
deploy/crds/awxbackup_v1beta1_crd.yaml Normal file
View File

@@ -0,0 +1,48 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXBackup CRD
properties:
spec:
type: object
required:
- deployment_name
properties:
deployment_name:
description: Name of the deployment to be backed up
type: string
backup_pvc:
description: Name of the PVC to be used for storing the backup
type: string
backup_pvc_namespace:
description: Namespace PVC is in
type: string
backup_storage_requirements:
description: Storage requirements for the PostgreSQL container
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string

52
deploy/crds/awxrestore_v1beta1_crd.yaml Normal file
View File

@@ -0,0 +1,52 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
description: Schema validation for the AWXRestore CRD
properties:
spec:
type: object
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
deployment_name:
description: Name of the deployment to be restored to
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
backup_dir:
description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string

320
deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
View File

@@ -13,14 +13,14 @@ metadata:
},
"spec": {
"deployment_type": "awx",
"tower_ingress_type": "ingress",
"tower_task_resource_requirements": {
"ingress_type": "ingress",
"task_resource_requirements": {
"requests": {
"cpu": "500m",
"memory": "128M"
}
},
"tower_web_resource_requirements": {
"web_resource_requirements": {
"requests": {
"cpu": "500m",
"memory": "128M"
@@ -38,152 +38,252 @@ spec:
apiservicedefinitions: {}
customresourcedefinitions:
owned:
- kind: AWXBackup
name: awxbackups.awx.ansible.com
version: v1beta1
displayName: AWX Backup
specDescriptors:
- displayName: Deployment name
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup persistent volume claim namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage requirements
path: backup_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Backup PVC storage class
path: backup_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Database backup label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- displayName: Backup claim
description: The persistent volume claim name used during backup
path: backupClaim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Backup directory
description: The directory data is backed up to on the PVC
path: backupDirectory
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- kind: AWXRestore
name: awxrestores.awx.ansible.com
version: v1beta1
displayName: AWX Restore
specDescriptors:
- displayName: Backup source to restore ?
path: backup_source
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:CR
- urn:alm:descriptor:com.tectonic.ui:select:PVC
- displayName: Backup name
path: backup_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
- displayName: Deployment name
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Backup persistent volume claim
path: backup_pvc
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Backup persistent volume claim namespace
path: backup_pvc_namespace
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Backup directory in the persistent volume claim
path: backup_dir
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
- displayName: Database restore label selector
path: postgres_label_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- displayName: Restore status
description: The state of the restore
path: restoreComplete
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: A AWX Instance
displayName: AWX
kind: AWX
name: awxs.awx.ansible.com
specDescriptors:
- displayName: Hostname
path: tower_hostname
path: hostname
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin account username
path: tower_admin_user
path: admin_user
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin email address
path: tower_admin_email
path: admin_email
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Admin password secret
path: tower_admin_password_secret
path: admin_password_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Database configuration secret
path: tower_postgres_configuration_secret
path: postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Old Database configuration secret
path: tower_old_postgres_configuration_secret
path: old_postgres_configuration_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Secret key secret
path: tower_secret_key_secret
path: secret_key_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Broadcast Websocket Secret
path: tower_broadcast_websocket_secret
path: broadcast_websocket_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Ingress Type
path: tower_ingress_type
- displayName: Service Account Annotations
path: service_account_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Tower Service Type
path: service_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:ClusterIP
- urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:select:NodePort
- displayName: Tower Ingress Type
path: ingress_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:none
- urn:alm:descriptor:com.tectonic.ui:select:Ingress
- urn:alm:descriptor:com.tectonic.ui:select:Route
- urn:alm:descriptor:com.tectonic.ui:select:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:select:NodePort
- displayName: Tower Ingress Annotations
path: tower_ingress_annotations
path: ingress_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Ingress
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower Ingress TLS Secret
path: tower_ingress_tls_secret
path: ingress_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Ingress
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Tower LoadBalancer Annotations
path: tower_loadbalancer_annotations
path: loadbalancer_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Protocol
path: tower_loadbalancer_protocol
path: loadbalancer_protocol
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:http
- urn:alm:descriptor:com.tectonic.ui:select:https
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Tower LoadBalancer Port
path: tower_loadbalancer_port
path: loadbalancer_port
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:LoadBalancer
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Route DNS host
path: tower_route_host
path: route_host
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS termination mechanism
path: tower_route_tls_termination_mechanism
path: route_tls_termination_mechanism
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:Edge
- urn:alm:descriptor:com.tectonic.ui:select:Passthrough
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Route TLS credential secret
path: tower_route_tls_secret
path: route_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route
- displayName: Image Pull Policy
path: tower_image_pull_policy
path: image_pull_policy
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:imagePullPolicy
- displayName: Image Pull Secret
path: tower_image_pull_secret
path: image_pull_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:imagePullSecret
- displayName: Web container resource requirements
path: tower_web_resource_requirements
path: web_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Task container resource requirements
path: tower_task_resource_requirements
path: task_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container resource requirements (when using a managed instance)
path: tower_postgres_resource_requirements
path: postgres_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: PostgreSQL container storage requirements (when using a managed instance)
path: tower_postgres_storage_requirements
path: postgres_storage_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Replicas
path: tower_replicas
path: replicas
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- displayName: Remove used secrets on instance removal ?
path: tower_garbage_collect_secrets
path: garbage_collect_secrets
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Preload instance with data upon creation ?
path: tower_create_preload_data
path: create_preload_data
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
@@ -193,8 +293,8 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Should Tower Task container deployed with privileged level ?
path: tower_task_privileged
- displayName: Should the task container deployed with privileged level ?
path: task_privileged
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
@@ -214,53 +314,53 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Image
path: tower_image
- displayName: Image
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Image Version
path: tower_image_version
- displayName: Image Version
path: image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image
path: tower_redis_image
path: redis_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Image Version
path: tower_redis_image_version
path: redis_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: tower_postgres_image
path: postgres_image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image Version
path: tower_postgres_image_version
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Postgres Selector
path: tower_postgres_selector
- displayName: Postgres Selector
path: postgres_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Postgres Tolerations
path: tower_postgres_tolerations
- displayName: Postgres Tolerations
path: postgres_tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Postgres Storage Class
path: tower_postgres_storage_class
- displayName: Postgres Storage Class
path: postgres_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Postgres Datapath
path: tower_postgres_data_path
- displayName: Postgres Datapath
path: postgres_data_path
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
@@ -274,115 +374,121 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: Tower Task Args
path: tower_task_args
- displayName: Task Args
path: task_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Enable persistence for /var/lib/projects directory?
path: tower_projects_persistence
path: projects_persistence
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Use existing Persistent Claim?
path: tower_projects_use_existing_claim
path: projects_use_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:_Yes_
- urn:alm:descriptor:com.tectonic.ui:select:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_persistence:true
- displayName: Tower Projects Existing Persistent Claim
path: tower_projects_existing_claim
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_persistence:true
- displayName: Projects Existing Persistent Claim
path: projects_existing_claim
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_Yes_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_Yes_
- urn:alm:descriptor:io.kubernetes:PersistentVolumeClaim
- description: Tower Projects Storage Class Name. If not present, the default
- description: Projects Storage Class Name. If not present, the default
storage class will be used.
displayName: Tower Projects Storage Class Name
path: tower_projects_storage_class
displayName: Projects Storage Class Name
path: projects_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Tower Projects Storage Size
displayName: Tower Projects Storage Size
path: tower_projects_storage_size
- description: Projects Storage Size
displayName: Projects Storage Size
path: projects_storage_size
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- description: Tower Projects Storage Access Mode
displayName: Tower Projects Storage Access Mode
path: tower_projects_storage_access_mode
- description: Projects Storage Access Mode
displayName: Projects Storage Access Mode
path: projects_storage_access_mode
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Tower Task Command
path: tower_task_command
- displayName: Task Command
path: task_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Task Extra Env
- displayName: Task Extra Env
description: Environment variables to be added to Task container
path: tower_task_extra_env
path: task_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName:
path: tower_ee_extra_volume_mounts
- displayName: EE Extra Volume Mounts
path: ee_extra_volume_mounts
description: Specify volume mounts to be added to Execution container
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower EE Images
- displayName: EE Images
description: Registry path to the Execution Environment container to use
path: tower_ee_images
path: ee_images
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Task Extra Volume Mounts
- displayName: Task Extra Volume Mounts
description: Specify volume mounts to be added to Task container
path: tower_task_extra_volume_mounts
path: task_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Web Args
path: tower_web_args
- displayName: Web Args
path: web_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Web Command
path: tower_web_command
- displayName: Web Command
path: web_command
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Web Extra Env
- displayName: Web Extra Env
description: Environment variables to be added to Web container
path: tower_web_extra_env
path: web_extra_env
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Web Extra Volume Mounts
- displayName: Web Extra Volume Mounts
description: Specify volume mounts to be added to Web container
path: tower_web_extra_volume_mounts
path: web_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Extra Volumes
- displayName: Extra Volumes
description: Specify extra volumes to add to the application pod
path: tower_extra_volumes
path: extra_volumes
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Node Selector
path: tower_node_selector
- displayName: Node Selector
path: node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tower Tolerations
path: tower_tolerations
- displayName: Service Labels
path: service_labels
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tolerations
path: tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
@@ -394,27 +500,27 @@ spec:
statusDescriptors:
- description: Route to access the instance deployed
displayName: URL
path: towerURL
path: URL
x-descriptors:
- urn:alm:descriptor:org.w3:link
- description: Admin user for the instance deployed
displayName: Admin User
path: towerAdminUser
path: adminUser
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Admin password for the instance deployed
displayName: Admin Password
path: towerAdminPasswordSecret
path: adminPasswordSecret
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: Version of the instance deployed
displayName: Version
path: towerVersion
path: version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- description: Image of the instance deployed
displayName: Image
path: towerImage
path: image
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
version: v1beta1

55
deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxbackups_crd.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: awxbackups.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXBackup
listKind: AWXBackupList
plural: awxbackups
singular: awxbackup
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: Schema validation for the AWXBackup CRD
properties:
spec:
required:
- deployment_name
properties:
backup_pvc:
description: Name of the PVC to be used for storing the backup
type: string
backup_pvc_namespace:
description: Namespace PVC is in
type: string
backup_storage_class:
description: Storage class to use when creating PVC for backup
type: string
backup_storage_requirements:
description: Storage requirements for the PostgreSQL container
type: string
deployment_name:
description: Name of the deployment to be backed up
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing
up data
type: string
type: object
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

61
deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxrestores_crd.yaml Normal file
View File

@@ -0,0 +1,61 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: awxrestores.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXRestore
listKind: AWXRestoreList
plural: awxrestores
singular: awxrestore
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: Schema validation for the AWXRestore CRD
properties:
spec:
properties:
backup_source:
description: Backup source
type: string
enum:
- CR
- PVC
backup_dir:
description: Backup directory name, set as a status found on the awxbackup
object (backupDirectory)
type: string
backup_name:
description: AWXBackup object name
type: string
backup_pvc:
description: Name of the PVC to be restored from, set as a status
found on the awxbackup object (backupClaim)
type: string
backup_pvc_namespace:
description: Namespace the PVC is in
type: string
deployment_name:
description: Name of the deployment to be restored to
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing
up data
type: string
type: object
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

138
deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
View File

@@ -41,24 +41,24 @@ spec:
description: Secret where can be found the LDAP trusted Certificate
Authority Bundle
type: string
tower_admin_email:
admin_email:
description: The admin user email
type: string
tower_admin_password_secret:
admin_password_secret:
description: Secret where the admin password can be found
type: string
tower_admin_user:
admin_user:
default: admin
description: Username to use for the admin account
type: string
tower_broadcast_websocket_secret:
broadcast_websocket_secret:
description: Secret where the broadcast websocket secret can be found
type: string
tower_create_preload_data:
create_preload_data:
default: true
description: Whether or not to preload data upon Tower instance creation
description: Whether or not to preload data upon instance creation
type: boolean
tower_ee_images:
ee_images:
description: Registry path to the Execution Environment container
to use
items:
@@ -69,23 +69,23 @@ spec:
type: string
type: object
type: array
tower_extra_volumes:
extra_volumes:
description: Specify extra volumes to add to the application pod
type: string
tower_garbage_collect_secrets:
garbage_collect_secrets:
default: false
description: Whether or not to remove secrets upon instance removal
type: boolean
tower_hostname:
hostname:
description: The hostname of the instance
type: string
tower_image:
image:
description: Registry path to the application container to use
type: string
tower_image_version:
image_version:
description: Application container image version to use
type: string
tower_image_pull_policy:
image_pull_policy:
default: IfNotPresent
description: The image pull policy
enum:
@@ -96,16 +96,16 @@ spec:
- IfNotPresent
- ifnotpresent
type: string
tower_image_pull_secret:
image_pull_secret:
description: The image pull secret
type: string
tower_ingress_annotations:
ingress_annotations:
description: Annotations to add to the ingress
type: string
tower_ingress_tls_secret:
ingress_tls_secret:
description: Secret where the ingress TLS secret can be found
type: string
tower_ingress_type:
ingress_type:
description: The ingress type to use to reach the deployed instance
enum:
- none
@@ -118,46 +118,49 @@ spec:
- NodePort
- nodeport
type: string
tower_loadbalancer_annotations:
loadbalancer_annotations:
description: Annotations to add to the loadbalancer
type: string
tower_loadbalancer_port:
loadbalancer_port:
default: 80
description: Port to use for the loadbalancer
type: integer
tower_loadbalancer_protocol:
loadbalancer_protocol:
default: http
description: Protocol to use for the loadbalancer
enum:
- http
- https
type: string
tower_node_selector:
description: nodeSelector for the AWX pods
node_selector:
description: nodeSelector for the pods
type: string
tower_old_postgres_configuration_secret:
service_labels:
description: Additional labels to apply to the service
type: string
old_postgres_configuration_secret:
description: Secret where the old database configuration can be found
for data migration
type: string
tower_postgres_configuration_secret:
postgres_configuration_secret:
description: Secret where the database configuration can be found
type: string
tower_postgres_data_path:
postgres_data_path:
description: Path where the PostgreSQL data are located
type: string
tower_postgres_image:
postgres_image:
description: Registry path to the PostgreSQL container to use
type: string
tower_postgres_image_version:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
tower_postgres_selector:
postgres_selector:
description: nodeSelector for the Postgres pods
type: string
tower_postgres_tolerations:
postgres_tolerations:
description: node tolerations for the Postgres pods
type: string
tower_postgres_storage_requirements:
postgres_storage_requirements:
description: Storage requirements for the PostgreSQL container
properties:
requests:
@@ -171,7 +174,7 @@ spec:
type: string
type: object
type: object
tower_postgres_resource_requirements:
postgres_resource_requirements:
description: Resource requirements for the PostgreSQL container
properties:
requests:
@@ -189,52 +192,55 @@ spec:
type: string
type: object
type: object
tower_postgres_storage_class:
postgres_storage_class:
description: Storage class to use for the PostgreSQL PVC
type: string
tower_projects_existing_claim:
projects_existing_claim:
description: PersistentVolumeClaim to mount /var/lib/projects directory
type: string
tower_projects_persistence:
projects_persistence:
default: false
description: Whether or not the /var/lib/projects directory will be
persistent
type: boolean
tower_projects_storage_access_mode:
projects_storage_access_mode:
default: ReadWriteMany
description: AccessMode for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_storage_class:
projects_storage_class:
description: Storage class for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_storage_size:
projects_storage_size:
default: 8Gi
description: Size for the /var/lib/projects PersistentVolumeClaim
type: string
tower_projects_use_existing_claim:
projects_use_existing_claim:
description: Using existing PersistentVolumeClaim
enum:
- _Yes_
- _No_
type: string
tower_redis_image:
redis_image:
description: Registry path to the redis container to use
type: string
tower_redis_image_version:
redis_image_version:
description: Redis container image version to use
type: string
tower_replicas:
service_account_annotations:
description: ServiceAccount annotations
type: string
replicas:
default: 1
description: Number of instance replicas
format: int32
type: integer
tower_route_host:
route_host:
description: The DNS to use to points to the instance
type: string
tower_route_tls_secret:
route_tls_secret:
description: Secret where the TLS related credentials are stored
type: string
tower_route_tls_termination_mechanism:
route_tls_termination_mechanism:
default: Edge
description: The secure TLS termination mechanism to use
enum:
@@ -243,31 +249,31 @@ spec:
- Passthrough
- passthrough
type: string
tower_secret_key_secret:
secret_key_secret:
description: Secret where the secret key can be found
type: string
tower_task_args:
task_args:
items:
type: string
type: array
tower_task_command:
task_command:
items:
type: string
type: array
tower_task_extra_env:
task_extra_env:
description: Environment variables to be added to Task container
type: string
tower_ee_extra_volume_mounts:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
tower_task_extra_volume_mounts:
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
tower_task_privileged:
task_privileged:
default: false
description: If a privileged security context should be enabled
type: boolean
tower_task_resource_requirements:
task_resource_requirements:
description: Resource requirements for the task container
properties:
limits:
@@ -289,24 +295,24 @@ spec:
type: string
type: object
type: object
tower_tolerations:
description: node tolerations for the AWX pods
tolerations:
description: node tolerations for the pods
type: string
tower_web_args:
web_args:
items:
type: string
type: array
tower_web_command:
web_command:
items:
type: string
type: array
tower_web_extra_env:
web_extra_env:
description: Environment variables to be added to Web container
type: string
tower_web_extra_volume_mounts:
web_extra_volume_mounts:
description: Specify volume mounts to be added to web container
type: string
tower_web_resource_requirements:
web_resource_requirements:
description: Resource requirements for the web container
properties:
limits:
@@ -356,22 +362,22 @@ spec:
type: string
type: object
type: array
towerAdminPasswordSecret:
adminPasswordSecret:
description: Admin password of the deployed instance
type: string
towerAdminUser:
adminUser:
description: Admin user of the deployed instance
type: string
towerImage:
image:
description: URL of the image used for the deployed instance
type: string
towerMigratedFromSecret:
description: The secret used for migrating an old Tower.
migratedFromSecret:
description: The secret used for migrating an old instance.
type: string
towerURL:
URL:
description: URL to access the deployed instance
type: string
towerVersion:
version:
description: Version of the deployed instance
type: string
type: object

1
docs/awx-demo.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 825 KiB

11
docs/migration.md
View File

@@ -6,14 +6,14 @@ To migrate data from an older AWX installation, you must provide some informatio
### Secret Key
You can find your old secret key in the inventory file you used to deploy AWX in releases prior to version 18.
You can find your old secret key in the inventory file you used to deploy AWX in releases prior to version 18.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: <resourcename>-secret-key
namespace: <target namespace>
namespace: <target-namespace>
stringData:
secret_key: <old-secret-key>
type: Opaque
@@ -45,10 +45,13 @@ type: Opaque
If your AWX deployment is already using an external database server or its database is otherwise not managed
by the AWX deployment, you can instead create the same secret as above but omit the `-old-` from the `name`.
In the next section pass it in through `tower_postgres_configuration_secret` instead, omitting the `_old_`
In the next section pass it in through `postgres_configuration_secret` instead, omitting the `_old_`
from the key and ensuring the value matches the name of the secret. This will make AWX pick up on the existing
database and apply any pending migrations. It is strongly recommended to backup your database beforehand.
The postgresql pod for the old deployment is used when streaming data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
## Deploy AWX
When you apply your AWX object, you must specify the name to the database secret you created above:
@@ -59,6 +62,6 @@ kind: AWX
metadata:
name: awx
spec:
tower_old_postgres_configuration_secret: <resourcename>-old-postgres-configuration
old_postgres_configuration_secret: <resourcename>-old-postgres-configuration
...
```

10
molecule/default/prepare.yml
View File

@@ -11,10 +11,18 @@
- "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/ansible/group_vars/all"
tasks:
- name: Create Custom Resource Definition
- name: Create AWX Custom Resource Definition
k8s:
definition: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_crd.yaml'])) }}"
- name: Create AWXBackup Custom Resource Definition
k8s:
definition: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awxbackup_v1beta1_crd.yaml'])) }}"
- name: Create AWXRestore Custom Resource Definition
k8s:
definition: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awxrestore_v1beta1_crd.yaml'])) }}"
- name: Ensure specified namespace is present
k8s:
api_version: v1

4
molecule/test-local/converge.yml
View File

@@ -28,11 +28,11 @@
pull_policy: Never
operator_image: awx.ansible.com/awx-operator
operator_version: testing
ansible_debug_logs: "true"
custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"
tasks:
- block:
- name: Delete the Operator Deployment
k8s:
state: absent

1
molecule/test-minikube/converge.yml
View File

@@ -36,6 +36,7 @@
pull_policy: Never
operator_image: awx.ansible.com/awx-operator
operator_version: testing
ansible_debug_logs: "true"
# Change this to _awx to test AWX, _tower to test Tower.
custom_resource: "{{ lookup('file', '/'.join([deploy_dir, 'crds/awx_v1beta1_molecule.yaml'])) | from_yaml }}"

95
roles/backup/README.md Normal file
View File

@@ -0,0 +1,95 @@
Backup Role
=========
The purpose of this role is to create a backup of your AWX deployment which includes:
- custom deployment specific values in the spec section of the AWX custom resource object
- backup of the postgresql database
- secret_key, admin_password, and broadcast_websocket secrets
- database configuration
Requirements
------------
This role assumes you are authenticated with an Openshift or Kubernetes cluster:
- The awx-operator has been deployed to the cluster
- AWX is deployed to via the operator
Usage
----------------
Then create a file named `backup-awx.yml` with the following contents:
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWXBackup
metadata:
name: awxbackup-2021-04-22
namespace: my-namespace
spec:
deployment_name: mytower
```
Note that the `deployment_name` above is the name of the AWX deployment you intend to backup from. The namespace above is the one containing the AWX deployment that will be backed up.
Finally, use `kubectl` to create the backup object in your cluster:
```bash
$ kubectl apply -f backup-awx.yml
```
The resulting pvc will contain a backup tar that can be used to restore to a new deployment. Future backups will also be stored in separate tars on the same pvc.
Role Variables
--------------
A custom, pre-created pvc can be used by setting the following variables.
```
backup_pvc: 'awx-backup-volume-claim'
```
> If no pvc or storage class is provided, the cluster's default storage class will be used to create the pvc.
This role will automatically create a pvc using a Storage Class if provided:
```
backup_storage_class: 'standard'
backup_storage_requirements: '20Gi'
```
By default, the backup pvc will be created in the same namespace the awxbackup object is created in. If you want your backup to be stored
in a specific namespace, you can do so by specifying `backup_pvc_namespace`. Keep in mind that you will
need to provide the same namespace when restoring.
```
backup_pvc_namespace: 'custom-namespace'
```
If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
The postgresql pod for the old deployment is used when backing up data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
Testing
----------------
You can test this role directly by creating and running the following playbook with the appropriate variables:
```
---
- name: Backup AWX
hosts: localhost
gather_facts: false
roles:
- backup
```
License
-------
MIT

12
roles/backup/defaults/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# Required: specify name of tower deployment to backup from
deployment_name: ''
kind: 'AWXBackup'
api_version: '{{ deployment_type }}.ansible.com/v1beta1'
# Specify a pre-created PVC (name) to backup to
backup_pvc: ''
backup_pvc_namespace: "{{ meta.namespace }}"
# Size of backup PVC if created dynamically
backup_storage_requirements: ''

31
roles/backup/meta/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
galaxy_info:
author: Ansible
description: AWX role for AWX Operator for Kubernetes.
company: Red Hat, Inc.
license: MIT
min_ansible_version: 2.8
platforms:
- name: EL
versions:
- all
- name: Debian
versions:
- all
galaxy_tags:
- tower
- controller
- awx
- ansible
- backup
- automation
dependencies: []
collections:
- community.kubernetes
- operator_sdk.util

24
roles/backup/tasks/awx-cro.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Get AWX custom resource object
k8s_info:
version: v1beta1
kind: AWX
namespace: '{{ meta.namespace }}'
name: '{{ deployment_name }}'
register: _awx_cro
- name: Set AWX object
set_fact:
_awx: "{{ _awx_cro['resources'][0] }}"
- name: Set user specified spec
set_fact:
awx_spec: "{{ _awx['spec'] }}"
- name: Write awx object to pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "echo '{{ awx_spec }}' > {{ backup_dir }}/awx_object"

9
roles/backup/tasks/cleanup.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ meta.name }}-db-management"
kind: Pod
namespace: "{{ backup_pvc_namespace }}"
state: absent
force: true

11
roles/backup/tasks/error_handling.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Determine the timestamp
set_fact:
now: '{{ lookup("pipe", "date +%FT%TZ") }}'
- name: Emit ocp event with error
k8s:
kind: Event
namespace: "{{ meta.namespace }}"
template: "event.yml.j2"

69
roles/backup/tasks/init.yml Normal file
View File

@@ -0,0 +1,69 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ meta.name }}-db-management"
kind: Pod
namespace: "{{ backup_pvc_namespace }}"
state: absent
force: true
wait: true
# Check to make sure provided pvc exists, error loudly if not. Otherwise, the management pod will just stay in pending state forever.
- name: Check provided PVC exists
k8s_info:
name: "{{ backup_pvc }}"
kind: PersistentVolumeClaim
namespace: "{{ backup_pvc_namespace }}"
register: provided_pvc
when:
- backup_pvc != ''
- name: Surface error to user
block:
- name: Set error message
set_fact:
error_msg: "{{ backup_pvc }} does not exist, please create this pvc first."
- name: Handle error
import_tasks: error_handling.yml
- name: Fail early if pvc is defined but does not exist
fail:
msg: "{{ backup_pvc }} does not exist, please create this pvc first."
when:
- backup_pvc != ''
- provided_pvc.resources | length == 0
# If backup_pvc is defined, use in management-pod.yml.j2
- name: Set default pvc name
set_fact:
_default_backup_pvc: "{{ deployment_name }}-backup-claim"
# by default, it will re-use the old pvc if already created (unless a pvc is provided)
- name: Set PVC to use for backup
set_fact:
backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
- name: Create PVC for backup
k8s:
kind: PersistentVolumeClaim
template: "backup_pvc.yml.j2"
when:
- backup_pvc == '' or backup_pvc is not defined
- name: Create management pod from templated deployment config
k8s:
name: "{{ meta.name }}-db-management"
kind: Deployment
state: present
template: "management-pod.yml.j2"
wait: true
- name: Look up details for this deployment
k8s_info:
api_version: "{{ api_version }}"
kind: "AWX"
name: "{{ deployment_name }}"
namespace: "{{ meta.namespace }}"
register: this_awx

49
roles/backup/tasks/main.yml Normal file
View File

@@ -0,0 +1,49 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ meta.name }}'
namespace: '{{ meta.namespace }}'
metadata:
name: '{{ meta.name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Look up details for this backup object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
register: this_backup
- block:
- include_tasks: init.yml
- include_tasks: postgres.yml
- include_tasks: secrets.yml
- include_tasks: awx-cro.yml
- name: Set flag signifying this backup was successful
set_fact:
backup_complete: true
- include_tasks: cleanup.yml
when:
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Update status variables
include_tasks: update_status.yml
# TODO: backup tower settings or make sure that users only specify settings/config changes via AWX object. See ticket

97
roles/backup/tasks/postgres.yml Normal file
View File

@@ -0,0 +1,97 @@
---
- name: Get PostgreSQL configuration
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
register: pg_config
- name: Fail if postgres configuration secret status does not exist
fail:
msg: "The postgresConfigurationSecret status is not set on the AWX object yet or the secret has been deleted."
when: not pg_config | default([]) | length
- name: Store Database Configuration
set_fact:
awx_postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
awx_postgres_pass: "{{ pg_config['resources'][0]['data']['password'] | b64decode }}"
awx_postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
- block:
- name: Delete pod to reload a resource configuration
set_fact:
postgres_label_selector: "app.kubernetes.io/name={{ deployment_name }}-postgres"
when: postgres_label_selector is not defined
- name: Get the postgres pod information
k8s_info:
kind: Pod
namespace: '{{ meta.namespace }}'
label_selectors:
- "{{ postgres_label_selector }}"
register: postgres_pod
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
delay: 5
retries: 60
- name: Set the resource pod name as a variable.
set_fact:
postgres_pod_name: "{{ postgres_pod['resources'][0]['metadata']['name'] }}"
when: awx_postgres_type == 'managed'
- name: Determine the timestamp for the backup once for all nodes
set_fact:
now: '{{ lookup("pipe", "date +%F-%T") }}'
- name: Set backup directory name
set_fact:
backup_dir: "/backups/tower-openshift-backup-{{ now }}"
- name: Create directory for backup
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
mkdir -p {{ backup_dir }}
- name: Precreate file for database dump
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
touch {{ backup_dir }}/tower.db
- name: Set permissions on file for database dump
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # noqa 204
- name: Set pg_dump command
set_fact:
pgdump: >-
pg_dump --clean --create
-h {{ resolvable_db_host }}
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
-F custom
- name: Write pg_dump to backup on PVC
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} > {{ backup_dir }}/tower.db"
register: data_migration

65
roles/backup/tasks/secrets.yml Normal file
View File

@@ -0,0 +1,65 @@
---
- name: Get secret_key
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"
register: _secret_key
- name: Set secret key
set_fact:
secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
- name: Get admin_password
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"
register: _admin_password
- name: Set admin_password
set_fact:
admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
- name: Get broadcast_websocket
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"
register: _broadcast_websocket
- name: Set broadcast_websocket key
set_fact:
broadcast_websocket: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
- name: Get postgres configuration
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
register: _postgres_configuration
- name: Set postgres type
set_fact:
database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
when: _postgres_configuration['resources'][0]['data']['type'] is defined
- name: Set postgres configuration
set_fact:
database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
- name: Template secrets into yaml
set_fact:
secrets_file: "{{ lookup('template', 'secrets.yml.j2') }}"
- name: Write postgres configuration to pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "echo '{{ secrets_file }}' > {{ backup_dir }}/secrets.yml"

13
roles/backup/tasks/update_status.yml Normal file
View File

@@ -0,0 +1,13 @@
---
# The backup directory in this status can be referenced when restoring
- name: Update CR Backup status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
backupDirectory: "{{ backup_dir }}"
backupClaim: "{{ backup_claim }}"
when: backup_complete

21
roles/backup/templates/backup_pvc.yml.j2 Normal file
View File

@@ -0,0 +1,21 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ deployment_name }}-backup-claim
namespace: {{ backup_pvc_namespace }}
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
accessModes:
- ReadWriteOnce
{% if backup_storage_class is defined %}
storageClassName: {{ backup_storage_class }}
{% endif %}
resources:
requests:
storage: {{ backup_storage_requirements | default('5Gi', true) }}

17
roles/backup/templates/event.yml.j2 Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Event
metadata:
name: backup-error.{{ now }}
namespace: {{ meta.namespace }}
involvedObject:
apiVersion: awx.ansible.com/v1beta1
kind: {{ kind }}
name: {{ meta.name }}
namespace: {{ meta.namespace }}
message: {{ error_msg }}
reason: BackupFailed
type: Warning
firstTimestamp: {{ now }}
lastTimestamp: {{ now }}
count: 1

28
roles/backup/templates/management-pod.yml.j2 Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: v1
kind: Pod
metadata:
name: {{ meta.name }}-db-management
namespace: {{ backup_pvc_namespace }}
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
containers:
- name: {{ meta.name }}-db-management
image: "{{ postgres_image }}"
imagePullPolicy: Always
command: ["sleep", "infinity"]
volumeMounts:
- name: {{ meta.name }}-backup
mountPath: /backups
readOnly: false
volumes:
- name: {{ meta.name }}-backup
persistentVolumeClaim:
claimName: {{ backup_claim }}
readOnly: false
restartPolicy: Never

14
roles/backup/templates/secrets.yml.j2 Normal file
View File

@@ -0,0 +1,14 @@
---
secret_key_secret_name: "{{ _secret_key['resources'][0]['metadata']['name'] }}"
admin_password_secret_name: "{{ _admin_password['resources'][0]['metadata']['name'] }}"
broadcast_websocket_secret_name: "{{ _broadcast_websocket['resources'][0]['metadata']['name'] }}"
postgres_configuration_secret_name: "{{ _postgres_configuration['resources'][0]['metadata']['name'] }}"
secret_key: {{ secret_key }}
admin_password: {{ admin_password }}
broadcast_websocket: {{ broadcast_websocket }}
database_password: {{ database_password }}
database_username: {{ database_username }}
database_name: {{ database_name }}
database_port: {{ database_port }}
database_host: {{ database_host }}
database_type: {{ database_type }}

5
roles/backup/vars/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
deployment_type: "awx"
postgres_image: postgres:12
backup_complete: false
database_type: "unmanaged"

21
roles/finalizer/defaults/main.yml
View File

@@ -1,21 +0,0 @@
---
# Whether secrets should be garbage collected
# on teardown
#
tower_garbage_collect_secrets: false
# Secret to lookup that provide the admin password
#
tower_admin_password_secret: ''
# Secret to lookup that provide the secret key
#
tower_secret_key_secret: ''
# Secret to lookup that provide the PostgreSQL configuration
#
tower_postgres_configuration_secret: ''
# Secret to lookup that provide the broadcast websocket key
#
tower_broadcast_websocket_secret: ''

27
roles/finalizer/tasks/main.yml
View File

@@ -1,27 +0,0 @@
---
- block:
- name: Define secrets name
set_fact:
_admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
_secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
# yamllint disable-line rule:line-length
_broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}' # noqa 204
# yamllint disable-line rule:line-length
_postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}' # noqa 204
- name: Remove ownerReferences reference
k8s:
definition:
apiVersion: v1
kind: Secret
metadata:
name: '{{ item }}'
namespace: '{{ meta.namespace }}'
ownerReferences: null
loop:
- '{{ _admin_password }}'
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
when: not tower_garbage_collect_secrets | bool

149
roles/installer/defaults/main.yml
View File

@@ -6,175 +6,187 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
database_name: "{{ deployment_type }}"
database_username: "{{ deployment_type }}"
tower_task_privileged: false
tower_ingress_type: none
task_privileged: false
service_type: ClusterIP
ingress_type: none
# Add annotations to the service account. Specify as literal block. E.g.:
# service_account_annotations: |
# eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
service_account_annotations: ''
# Custom labels for the tower service. Specify as literal block. E.g.:
# service_labels: |
# environment: non-production
# zone: internal
service_labels: ''
# Add annotations to the ingress. Specify as literal block. E.g.:
# tower_ingress_annotations: |
# ingress_annotations: |
# kubernetes.io/ingress.class: nginx
# nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
tower_ingress_annotations: ''
ingress_annotations: ''
# TLS secret for the ingress. The secret either has to exist before hand with
# the corresponding cert and key or just be an indicator for where an automated
# process like cert-manager (enabled via annotations) will store the TLS
# certificate and key.
tower_ingress_tls_secret: ''
ingress_tls_secret: ''
tower_loadbalancer_protocol: 'http'
tower_loadbalancer_port: '80'
loadbalancer_protocol: 'http'
loadbalancer_port: '80'
loadbalancer_annotations: ''
# The TLS termination mechanism to use to access
# the services. Supported mechanism are: edge, passthrough
#
tower_route_tls_termination_mechanism: edge
route_tls_termination_mechanism: edge
# Secret to lookup that provide the TLS specific
# credentials to deploy
#
tower_route_tls_secret: ''
route_tls_secret: ''
# Host to create the root with.
# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
#
tower_route_host: ''
route_host: ''
tower_hostname: '{{ deployment_type }}.example.com'
hostname: '{{ meta.name }}.example.com'
# Add a nodeSelector for the AWX pods. It must match a node's labels for the pod
# to be scheduled on that node. Specify as literal block. E.g.:
# tower_node_selector: |
# node_selector: |
# disktype: ssd
# kubernetes.io/arch: amd64
# kubernetes.io/os: linux
tower_node_selector: ''
node_selector: ''
# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
# tower_tolerations: |
# tolerations: |
# - key: "dedicated"
# operator: "Equal"
# value: "AWX"
# effect: "NoSchedule"
tower_tolerations: ''
tolerations: ''
tower_admin_user: admin
tower_admin_email: test@example.com
admin_user: admin
admin_email: test@example.com
# Secret to lookup that provide the admin password
#
tower_admin_password_secret: ''
admin_password_secret: ''
# Secret to lookup that provide the broadcast websocket key
#
tower_broadcast_websocket_secret: ''
broadcast_websocket_secret: ''
# Secret to lookup that provide the secret key
#
tower_secret_key_secret: ''
secret_key_secret: ''
# Secret to lookup that provide the PostgreSQL configuration
#
postgres_configuration_secret: ''
# Secret to lookup that provides old database credentials (for migration)
tower_old_postgres_configuration_secret: ''
old_postgres_configuration_secret: ''
# Add extra volumes to the AWX pod. Specify as literal block. E.g.:
# tower_extra_volumes: |
# extra_volumes: |
# - name: my-volume
# emptyDir: {}
tower_extra_volumes: ''
extra_volumes: ''
# Use these image versions for Ansible AWX.
tower_image: quay.io/ansible/awx
tower_image_version: 19.1.0
tower_redis_image: docker.io/redis
tower_redis_image_version: latest
tower_postgres_image: postgres
tower_postgres_image_version: 12
tower_image_pull_policy: IfNotPresent
tower_image_pull_secret: ''
image: quay.io/ansible/awx
image_version: 19.2.0
redis_image: docker.io/redis
redis_image_version: latest
postgres_image: postgres
postgres_image_version: 12
image_pull_policy: IfNotPresent
image_pull_secret: ''
tower_ee_images:
- name: AWX EE 0.2.0
image: quay.io/ansible/awx-ee:0.2.0
ee_images:
- name: AWX EE 0.3.0
image: quay.io/ansible/awx-ee:0.3.0
tower_create_preload_data: true
create_preload_data: true
tower_replicas: "1"
replicas: "1"
tower_task_args:
task_args:
- /usr/bin/launch_awx_task.sh
tower_task_command: []
tower_web_args: []
tower_web_command: []
task_command: []
web_args: []
web_command: []
tower_task_resource_requirements:
task_resource_requirements:
requests:
cpu: 500m
memory: 1Gi
tower_web_resource_requirements:
web_resource_requirements:
requests:
cpu: 1000m
memory: 2Gi
# Add extra environment variables to the AWX task/web containers. Specify as
# literal block. E.g.:
# tower_task_extra_env: |
# task_extra_env: |
# - name: FOO
# value: bar
# - name: BAZ
# value: bing
tower_task_extra_env: ''
tower_web_extra_env: ''
task_extra_env: ''
web_extra_env: ''
# Mount extra volumes on the AWX task/web containers. Specify as literal block.
# E.g.:
# tower_task_extra_volume_mounts: ''
# task_extra_volume_mounts: ''
# - name: my-volume
# mountPath: /some/path
tower_task_extra_volume_mounts: ''
tower_web_extra_volume_mounts: ''
tower_ee_extra_volume_mounts: ''
task_extra_volume_mounts: ''
web_extra_volume_mounts: ''
ee_extra_volume_mounts: ''
# Add a nodeSelector for the Postgres pods.
# It must match a node's labels for the pod to be scheduled on that node.
# Specify as literal block. E.g.:
# tower_postgres_selector: |
# postgres_selector: |
# disktype: ssd
# kubernetes.io/arch: amd64
# kubernetes.io/os: linux
tower_postgres_selector: ''
postgres_selector: ''
# Add node tolerations for the Postgres pods.
# Specify as literal block. E.g.:
# tower_postgres_tolerations: |
# postgres_tolerations: |
# - key: "dedicated"
# operator: "Equal"
# value: "AWX"
# effect: "NoSchedule"
tower_postgres_tolerations: ''
tower_postgres_storage_requirements:
postgres_tolerations: ''
postgres_storage_requirements:
requests:
storage: 8Gi
tower_postgres_resource_requirements: {}
tower_postgres_storage_class: ''
tower_postgres_data_path: '/var/lib/postgresql/data/pgdata'
postgres_resource_requirements: {}
postgres_data_path: '/var/lib/postgresql/data/pgdata'
# Persistence to the AWX project data folder
# Whether or not the /var/lib/projects directory will be persistent
tower_projects_persistence: false
projects_persistence: false
#
# Define an existing PersistentVolumeClaim to use
tower_projects_existing_claim: ''
projects_existing_claim: ''
#
# Define the storage_class, size and access_mode
# when not using an existing claim
tower_projects_storage_class: ''
tower_projects_storage_size: 8Gi
tower_projects_storage_access_mode: ReadWriteMany
# Secret to lookup that provide the PostgreSQL configuration
#
tower_postgres_configuration_secret: ''
projects_storage_size: 8Gi
projects_storage_access_mode: ReadWriteMany
ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
@@ -182,4 +194,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
#
ldap_cacert_secret: ''
# Whether secrets should be garbage collected
# on teardown
#
garbage_collect_secrets: false
development_mode: false

10
roles/installer/tasks/admin_password_configuration.yml
View File

@@ -3,9 +3,9 @@
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_admin_password_secret }}'
name: '{{ admin_password_secret }}'
register: _custom_admin_password
when: tower_admin_password_secret | length
when: admin_password_secret | length
- name: Check for default admin password configuration
k8s_info:
@@ -22,7 +22,7 @@
- name: Create admin password secret
k8s:
apply: true
definition: "{{ lookup('template', 'tower_admin_password_secret.yaml.j2') }}"
definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
- name: Read admin password secret
k8s_info:
@@ -35,8 +35,8 @@
- name: Set admin password secret
set_fact:
admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
__admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
- name: Store admin password
set_fact:
tower_admin_password: "{{ admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"

10
roles/installer/tasks/broadcast_websocket_configuration.yml
View File

@@ -3,9 +3,9 @@
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_broadcast_websocket_secret }}'
name: '{{ broadcast_websocket_secret }}'
register: _custom_broadcast_websocket
when: tower_broadcast_websocket_secret | length
when: broadcast_websocket_secret | length
- name: Check for default broadcast websocket secret configuration
k8s_info:
@@ -23,7 +23,7 @@
- name: Create broadcast websocket secret
k8s:
apply: true
definition: "{{ lookup('template', 'tower_broadcast_websocket_secret.yaml.j2') }}"
definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
- name: Read broadcast websocket secret
k8s_info:
@@ -37,8 +37,8 @@
- name: Set broadcast websocket secret
set_fact:
# yamllint disable-line rule:line-length
broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
__broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
- name: Store broadcast websocket secret name
set_fact:
broadcast_websocket_secret_value: "{{ broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"

27
roles/installer/tasks/cleanup.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- block:
- name: Define secrets name
set_fact:
_admin_password: '{{ admin_password_secret | length | ternary(admin_password_secret, meta.name + "-admin-password") }}'
_secret_key: '{{ secret_key_secret | length | ternary(secret_key_secret, meta.name + "-secret-key") }}'
# yamllint disable-line rule:line-length
_broadcast_websocket_secret: '{{ broadcast_websocket_secret | length | ternary(broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}' # noqa 204
# yamllint disable-line rule:line-length
_postgres_configuration: '{{ postgres_configuration_secret | length | ternary(postgres_configuration_secret, meta.name + "-postgres-configuration") }}' # noqa 204
- name: Remove ownerReferences reference
k8s:
definition:
apiVersion: v1
kind: Secret
metadata:
name: '{{ item }}'
namespace: '{{ meta.namespace }}'
ownerReferences: null
loop:
- '{{ _admin_password }}'
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
when: not garbage_collect_secrets | bool

25
roles/installer/tasks/database_configuration.yml
View File

@@ -3,9 +3,9 @@
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_postgres_configuration_secret }}'
name: '{{ postgres_configuration_secret }}'
register: _custom_pg_config_resources
when: tower_postgres_configuration_secret | length
when: postgres_configuration_secret | length
- name: Check for default PostgreSQL configuration
k8s_info:
@@ -18,9 +18,9 @@
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_old_postgres_configuration_secret }}'
name: '{{ old_postgres_configuration_secret }}'
register: _custom_old_pg_config_resources
when: tower_old_postgres_configuration_secret | length
when: old_postgres_configuration_secret | length
- name: Check for default old PostgreSQL configuration
k8s_info:
@@ -50,7 +50,7 @@
- name: Create Database configuration
k8s:
apply: true
definition: "{{ lookup('template', 'tower_postgres_secret.yaml.j2') }}"
definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
- name: Read Database Configuration
k8s_info:
@@ -64,11 +64,15 @@
set_fact:
pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
- name: Set actual postgres configuration secret used
set_fact:
__postgres_configuration_secret: "{{ pg_config['resources'][0]['metadata']['name'] }}"
- block:
- name: Create Database if no database is specified
k8s:
apply: true
definition: "{{ lookup('template', 'tower_postgres.yaml.j2') }}"
definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
register: create_statefulset_result
rescue:
@@ -97,10 +101,9 @@
- name: Recreate PostgreSQL statefulset with updated values
k8s:
apply: true
definition: "{{ lookup('template', 'tower_postgres.yaml.j2') }}"
definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
when: pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
- name: Store Database Configuration
set_fact:
awx_postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
@@ -112,8 +115,8 @@
- name: Look up details for this deployment
k8s_info:
api_version: 'v1beta1' # TODO: How to parameterize this?
kind: "AWX" # TODO: How to parameterize this?
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
register: this_awx
@@ -123,4 +126,4 @@
when:
- old_pg_config['resources'] is defined
- old_pg_config['resources'] | length
- this_awx['resources'][0]['status']['towerMigratedFromSecret'] is not defined
- this_awx['resources'][0]['status']['migratedFromSecret'] is not defined

23
roles/installer/tasks/initialize_django.yml
View File

@@ -1,31 +1,42 @@
---
- name: Check if there are any super users defined.
community.kubernetes.k8s_exec:
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ meta.name }}-task"
command: >-
bash -c "echo 'from django.contrib.auth.models import User;
nsu = User.objects.filter(is_superuser=True).count();
nsu = User.objects.filter(is_superuser=True, username='{{ admin_user }}').count();
exit(0 if nsu > 0 else 1)'
| awx-manage shell"
ignore_errors: true
register: users_result
changed_when: users_result.return_code > 0
- name: Update super user password via Django if it does exist (same password is a noop)
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ meta.name }}-task"
command: >-
bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
register: update_pw_result
changed_when: users_result.stdout == 'Password not updated'
when: users_result.return_code == 0
- name: Create super user via Django if it doesn't exist.
community.kubernetes.k8s_exec:
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ meta.name }}-task"
command: >-
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ tower_admin_user }}', '{{ tower_admin_email }}', '{{ tower_admin_password }}')\"
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
when: users_result.return_code > 0
- name: Create preload data if necessary. # noqa 305
community.kubernetes.k8s_exec:
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ meta.name }}-task"
@@ -33,4 +44,4 @@
bash -c "awx-manage create_preload_data"
register: cdo
changed_when: "'added' in cdo.stdout"
when: tower_create_preload_data | bool
when: create_preload_data | bool

2
roles/installer/tasks/load_ldap_cacert_secret.yml
View File

@@ -1,6 +1,6 @@
---
- name: Retrieve LDAP CA Certificate Secret
community.kubernetes.k8s_info:
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ ldap_cacert_secret }}'

10
roles/installer/tasks/load_route_tls_secret.yml
View File

@@ -1,17 +1,17 @@
---
- name: Retrieve Route TLS Secret
community.kubernetes.k8s_info:
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_route_tls_secret }}'
name: '{{ route_tls_secret }}'
register: route_tls
- name: Load Route TLS Secret content
set_fact:
tower_route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
tower_route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
- name: Load Route TLS Secret content
set_fact:
tower_route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
when: '"ca.crt" in route_tls["resources"][0]["data"]'

8
roles/installer/tasks/main.yml
View File

@@ -15,6 +15,7 @@
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Include secret key configuration tasks
include_tasks: secret_key_configuration.yml
@@ -36,8 +37,8 @@
- name: Load Route TLS certificate
include_tasks: load_route_tls_secret.yml
when:
- tower_ingress_type | lower == 'route'
- tower_route_tls_secret != ''
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
@@ -69,3 +70,6 @@
- name: Update status variables
include_tasks: update_status.yml
- name: Cleanup & Set garbage collection refs
include_tasks: cleanup.yml

48
roles/installer/tasks/migrate_data.yml
View File

@@ -1,12 +1,21 @@
---
- name: Set actual old postgres configuration secret name
set_fact:
old_postgres_configuration_name: "{{ old_pg_config['resources'][0]['metadata']['name'] }}"
- name: Store Database Configuration
set_fact:
tower_old_postgres_user: "{{ old_pg_config['resources'][0]['data']['username'] | b64decode }}"
tower_old_postgres_pass: "{{ old_pg_config['resources'][0]['data']['password'] | b64decode }}"
tower_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
tower_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
tower_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_old_postgres_user: "{{ old_pg_config['resources'][0]['data']['username'] | b64decode }}"
awx_old_postgres_pass: "{{ old_pg_config['resources'][0]['data']['password'] | b64decode }}"
awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
- name: Default label selector to custom resource generated postgres
set_fact:
postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ meta.name }}"
when: postgres_label_selector is not defined
- name: Get the postgres pod information
k8s_info:
@@ -16,7 +25,9 @@
field_selectors:
- status.phase=Running
register: postgres_pod
until: postgres_pod['resources'] | length
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
delay: 5
retries: 60
@@ -30,27 +41,28 @@
- name: Set pg_dump command
set_fact:
pgdump: >-
pg_dump --clean --create
-h {{ tower_old_postgres_host }}
-U {{ tower_old_postgres_user }}
-d {{ tower_old_postgres_database }}
-p {{ tower_old_postgres_port }}
pg_dump
-h {{ awx_old_postgres_host }}
-U {{ awx_old_postgres_user }}
-d {{ awx_old_postgres_database }}
-p {{ awx_old_postgres_port }}
-F custom
- name: Set pg_restore command
set_fact:
psql_restore: >-
psql -U {{ database_username }}
-d template1
-p {{ awx_postgres_port }}
pg_restore: >-
pg_restore --clean --if-exists
-U {{ database_username }}
-d {{ database_name }}
- name: Stream backup from pg_dump to the new postgresql container
community.kubernetes.k8s_exec:
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ postgres_pod_name }}"
command: |
bash -c """
set -e -o pipefail
PGPASSWORD={{ tower_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ psql_restore }}
PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
echo 'Successful'
"""
register: data_migration
@@ -58,4 +70,4 @@
- name: Set flag signifying that this instance has been migrated
set_fact:
tower_migrated_from_secret: "{{ tower_old_postgres_configuration_secret }}"
tower_migrated_from_secret: "{{ old_postgres_configuration_name }}"

14
roles/installer/tasks/resources_configuration.yml
View File

@@ -24,17 +24,17 @@
wait: yes
register: tower_resources_result
loop:
- 'tower_config'
- 'tower_app_credentials'
- 'tower_service_account'
- 'tower_persistent'
- 'tower_service'
- 'tower_ingress'
- 'config'
- 'app_credentials'
- 'service_account'
- 'persistent'
- 'service'
- 'ingress'
- name: Apply deployment resources
k8s:
apply: yes
definition: "{{ lookup('template', 'tower_deployment.yaml.j2') }}"
definition: "{{ lookup('template', 'deployment.yaml.j2') }}"
wait: yes
register: tower_deployment_result

10
roles/installer/tasks/secret_key_configuration.yml
View File

@@ -3,9 +3,9 @@
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ tower_secret_key_secret }}'
name: '{{ secret_key_secret }}'
register: _custom_secret_key
when: tower_secret_key_secret | length
when: secret_key_secret | length
- name: Check for default secret key configuration
k8s_info:
@@ -22,7 +22,7 @@
- name: Create secret key secret
k8s:
apply: true
definition: "{{ lookup('template', 'tower_secret_key.yaml.j2') }}"
definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
- name: Read secret key secret
k8s_info:
@@ -35,8 +35,8 @@
- name: Set secret key secret
set_fact:
secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}'
__secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}'
- name: Store secret key secret name
set_fact:
secret_key_secret_name: "{{ secret_key_secret['resources'][0]['metadata']['name'] }}"
secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"

47
roles/installer/tasks/update_status.yml
View File

@@ -6,7 +6,7 @@
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerAdminPasswordSecret: "{{ admin_password_secret['resources'][0]['metadata']['name'] }}"
adminPasswordSecret: "{{ __admin_password_secret['resources'][0]['metadata']['name'] }}"
- name: Update admin user status
operator_sdk.util.k8s_status:
@@ -15,10 +15,37 @@
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerAdminUser: "{{ tower_admin_user }}"
adminUser: "{{ admin_user }}"
- name: Update postgres configuration status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
postgresConfigurationSecret: "{{ pg_config['resources'][0]['metadata']['name'] }}"
- name: Update broadcast websocket status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
broadcastWebsocketSecret: "{{ __broadcast_websocket_secret['resources'][0]['metadata']['name'] }}"
- name: Update secret key status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
secretKeySecret: "{{ secret_key_secret_name }}"
- name: Retrieve instance version
community.kubernetes.k8s_exec:
k8s_exec:
namespace: "{{ meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ meta.name }}-task"
@@ -34,7 +61,7 @@
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerVersion: "{{ instance_version.stdout | trim }}"
version: "{{ instance_version.stdout | trim }}"
- name: Update image status
operator_sdk.util.k8s_status:
@@ -43,11 +70,11 @@
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerImage: "{{ tower_image }}"
image: "{{ image }}"
- block:
- name: Retrieve route URL
community.kubernetes.k8s_info:
k8s_info:
kind: Route
namespace: '{{ meta.namespace }}'
name: '{{ meta.name }}'
@@ -60,16 +87,16 @@
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerURL: "https://{{ route_url['resources'][0]['status']['ingress'][0]['host'] }}"
URL: "https://{{ route_url['resources'][0]['status']['ingress'][0]['host'] }}"
when: tower_ingress_type | lower == 'route'
when: ingress_type | lower == 'route'
- name: Update towerMigratedFromSecret status
- name: Update migratedFromSecret status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
towerMigratedFromSecret: "{{ tower_migrated_from_secret }}"
migratedFromSecret: "{{ tower_migrated_from_secret }}"
when: tower_migrated_from_secret is defined

1
roles/installer/templates/tower_admin_password_secret.yaml.j2 → roles/installer/templates/admin_password_secret.yaml.j2
View File

@@ -9,5 +9,6 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

1
roles/installer/templates/tower_app_credentials.yaml.j2 → roles/installer/templates/app_credentials.yaml.j2
View File

@@ -10,6 +10,7 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
data:
credentials.py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
ldap.py: "{{ lookup('template', 'ldap.py.j2') | b64encode }}"

1
roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2 → roles/installer/templates/broadcast_websocket_secret.yaml.j2
View File

@@ -9,5 +9,6 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

9
roles/installer/templates/tower_config.yaml.j2 → roles/installer/templates/config.yaml.j2
View File

@@ -10,6 +10,7 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
data:
environment: |
AWX_SKIP_MIGRATIONS=true
@@ -89,7 +90,11 @@ data:
BROADCAST_WEBSOCKET_PROTOCOL = 'http'
{% for item in extra_settings | default([]) %}
{% if item.value is string %}
{{ item.setting }} = '{{ item.value }}'
{% else %}
{{ item.setting }} = {{ item.value }}
{% endif %}
{% endfor %}
nginx_conf: |
@@ -129,7 +134,7 @@ data:
}
{% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server;
server_name _;
@@ -140,7 +145,7 @@ data:
{% endif %}
server {
{% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl;
ssl_certificate /etc/nginx/pki/web.crt;

95
roles/installer/templates/tower_deployment.yaml.j2 → roles/installer/templates/deployment.yaml.j2
View File

@@ -7,12 +7,13 @@ metadata:
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/version: '{{ tower_image_version }}'
app.kubernetes.io/version: '{{ image_version }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
replicas: {{ tower_replicas }}
replicas: {{ replicas }}
selector:
matchLabels:
app.kubernetes.io/name: '{{ meta.name }}'
@@ -22,19 +23,19 @@ spec:
metadata:
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/version: '{{ tower_image_version }}'
app.kubernetes.io/version: '{{ image_version }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
spec:
serviceAccountName: '{{ meta.name }}'
{% if tower_image_pull_secret %}
{% if image_pull_secret %}
imagePullSecrets:
- name: {{ tower_image_pull_secret }}
- name: {{ image_pull_secret }}
{% endif %}
containers:
- image: '{{ tower_redis_image }}:{{ tower_redis_image_version }}'
imagePullPolicy: '{{ tower_image_pull_policy }}'
- image: '{{ redis_image }}:{{ redis_image_version }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: redis
args: ["redis-server", "/etc/redis.conf"]
volumeMounts:
@@ -46,18 +47,18 @@ spec:
mountPath: "/var/run/redis"
- name: "{{ meta.name }}-redis-data"
mountPath: "/data"
- image: '{{ tower_image }}:{{ tower_image_version }}'
- image: '{{ image }}:{{ image_version }}'
name: '{{ meta.name }}-web'
{% if tower_web_command %}
command: {{ tower_web_command }}
{% if web_command %}
command: {{ web_command }}
{% endif %}
{% if tower_web_args %}
args: {{ tower_web_args }}
{% if web_args %}
args: {{ web_args }}
{% endif %}
imagePullPolicy: '{{ tower_image_pull_policy }}'
imagePullPolicy: '{{ image_pull_policy }}'
ports:
- containerPort: 8052
{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- containerPort: 8053
{% endif %}
volumeMounts:
@@ -73,7 +74,7 @@ spec:
mountPath: "/etc/tower/conf.d/ldap.py"
subPath: ldap.py
readOnly: true
{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- name: "{{ meta.name }}-nginx-certs"
mountPath: "/etc/nginx/pki"
readOnly: true
@@ -110,8 +111,8 @@ spec:
- name: awx-devel
mountPath: "/awx_devel"
{% endif %}
{% if tower_web_extra_volume_mounts -%}
{{ tower_web_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% if web_extra_volume_mounts -%}
{{ web_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% endif %}
env:
- name: MY_POD_NAMESPACE
@@ -122,22 +123,22 @@ spec:
- name: AWX_KUBE_DEVEL
value: "1"
{% endif %}
{% if tower_web_extra_env -%}
{{ tower_web_extra_env | indent(width=12, indentfirst=True) }}
{% if web_extra_env -%}
{{ web_extra_env | indent(width=12, indentfirst=True) }}
{% endif %}
resources: {{ tower_web_resource_requirements }}
- image: '{{ tower_image }}:{{ tower_image_version }}'
resources: {{ web_resource_requirements }}
- image: '{{ image }}:{{ image_version }}'
name: '{{ meta.name }}-task'
imagePullPolicy: '{{ tower_image_pull_policy }}'
{% if tower_task_privileged == true %}
imagePullPolicy: '{{ image_pull_policy }}'
{% if task_privileged == true %}
securityContext:
privileged: true
{% endif %}
{% if tower_task_command %}
command: {{ tower_task_command }}
{% if task_command %}
command: {{ task_command }}
{% endif %}
{% if tower_task_args %}
args: {{ tower_task_args }}
{% if task_args %}
args: {{ task_args }}
{% endif %}
volumeMounts:
- name: "{{ meta.name }}-application-credentials"
@@ -176,8 +177,8 @@ spec:
- name: awx-devel
mountPath: "/awx_devel"
{% endif %}
{% if tower_task_extra_volume_mounts -%}
{{ tower_task_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% if task_extra_volume_mounts -%}
{{ task_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% endif %}
env:
- name: SUPERVISOR_WEB_CONFIG_PATH
@@ -200,13 +201,13 @@ spec:
- name: AWX_KUBE_DEVEL
value: "1"
{% endif %}
{% if tower_task_extra_env -%}
{{ tower_task_extra_env | indent(width=12, indentfirst=True) }}
{% if task_extra_env -%}
{{ task_extra_env | indent(width=12, indentfirst=True) }}
{% endif %}
resources: {{ tower_task_resource_requirements }}
- image: '{{ tower_ee_images[0].image }}'
resources: {{ task_resource_requirements }}
- image: '{{ ee_images[0].image }}'
name: '{{ meta.name }}-ee'
imagePullPolicy: '{{ tower_image_pull_policy }}'
imagePullPolicy: '{{ image_pull_policy }}'
args: ['receptor', '--config', '/etc/receptor.conf']
volumeMounts:
- name: "{{ meta.name }}-receptor-config"
@@ -217,8 +218,8 @@ spec:
mountPath: "/var/run/receptor"
- name: "{{ meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
{% if tower_ee_extra_volume_mounts -%}
{{ tower_ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% if ee_extra_volume_mounts -%}
{{ ee_extra_volume_mounts | indent(width=12, indentfirst=True) }}
{% endif %}
{% if development_mode | bool %}
env:
@@ -227,19 +228,19 @@ spec:
fieldRef:
fieldPath: status.podIP
{% endif %}
{% if tower_node_selector %}
{% if node_selector %}
nodeSelector:
{{ tower_node_selector | indent(width=8) }}
{{ node_selector | indent(width=8) }}
{% endif %}
{% if tower_tolerations %}
{% if tolerations %}
tolerations:
{{ tower_tolerations | indent(width=8) }}
{{ tolerations | indent(width=8) }}
{% endif %}
volumes:
{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- name: "{{ meta.name }}-nginx-certs"
secret:
secretName: "{{ tower_route_tls_secret }}"
secretName: "{{ route_tls_secret }}"
items:
- key: tls.key
path: 'web.key'
@@ -307,10 +308,10 @@ spec:
- key: receptor_conf
path: receptor.conf
- name: "{{ meta.name }}-projects"
{% if tower_projects_persistence|bool %}
{% if projects_persistence|bool %}
persistentVolumeClaim:
{% if tower_projects_existing_claim %}
claimName: {{ tower_projects_existing_claim }}
{% if projects_existing_claim %}
claimName: {{ projects_existing_claim }}
{% else %}
claimName: '{{ meta.name }}-projects-claim'
{% endif %}
@@ -322,6 +323,6 @@ spec:
hostPath:
path: /awx_devel
{% endif %}
{% if tower_extra_volumes -%}
{{ tower_extra_volumes | indent(width=8, indentfirst=True) }}
{% if extra_volumes -%}
{{ extra_volumes | indent(width=8, indentfirst=True) }}
{% endif %}

2
roles/installer/templates/execution_environments.py.j2
View File

@@ -1,5 +1,5 @@
DEFAULT_EXECUTION_ENVIRONMENTS = [
{% for item in tower_ee_images %}
{% for item in ee_images %}
{'name': '{{ item.name }}' , 'image': '{{ item.image }}'},
{% endfor %}
]

36
roles/installer/templates/tower_ingress.yaml.j2 → roles/installer/templates/ingress.yaml.j2
View File

@@ -1,4 +1,4 @@
{% if 'ingress' == tower_ingress_type|lower %}
{% if ingress_type|lower == "ingress" %}
---
apiVersion: extensions/v1beta1
kind: Ingress
@@ -10,28 +10,29 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{% if tower_ingress_annotations %}
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
{% if ingress_annotations %}
annotations:
{{ tower_ingress_annotations | indent(width=4) }}
{{ ingress_annotations | indent(width=4) }}
{% endif %}
spec:
rules:
- host: '{{ tower_hostname }}'
- host: '{{ hostname }}'
http:
paths:
- path: /
backend:
serviceName: '{{ meta.name }}-service'
servicePort: 80
{% if tower_ingress_tls_secret %}
{% if ingress_tls_secret %}
tls:
- hosts:
- {{ tower_hostname }}
secretName: {{ tower_ingress_tls_secret }}
- {{ hostname }}
secretName: {{ ingress_tls_secret }}
{% endif %}
{% endif %}
{% if 'route' == tower_ingress_type|lower %}
{% if ingress_type|lower == "route" %}
---
apiVersion: route.openshift.io/v1
kind: Route
@@ -43,23 +44,24 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
{% if tower_route_host != '' %}
host: {{ tower_route_host }}
{% if route_host != '' %}
host: {{ route_host }}
{% endif %}
port:
targetPort: '{{ (tower_route_tls_termination_mechanism | lower == "passthrough") | ternary("https", "http") }}'
targetPort: '{{ (route_tls_termination_mechanism | lower == "passthrough") | ternary("https", "http") }}'
tls:
insecureEdgeTerminationPolicy: Redirect
termination: {{ tower_route_tls_termination_mechanism | lower }}
{% if tower_route_tls_termination_mechanism | lower == 'edge' and tower_route_tls_secret != '' %}
termination: {{ route_tls_termination_mechanism | lower }}
{% if route_tls_termination_mechanism | lower == 'edge' and route_tls_secret != '' %}
key: |-
{{ tower_route_tls_key | indent(width=6, indentfirst=True) }}
{{ route_tls_key | indent(width=6, indentfirst=True) }}
certificate: |-
{{ tower_route_tls_crt | indent(width=6, indentfirst=True) }}
{% if tower_route_ca_crt is defined %}
{{ route_tls_crt | indent(width=6, indentfirst=True) }}
{% if route_ca_crt is defined %}
caCertificate: |-
{{ tower_route_ca_crt | indent(width=6, indentfirst=True) }}
{{ route_ca_crt | indent(width=6, indentfirst=True) }}
{% endif %}
{% endif %}
to:

22
roles/installer/templates/persistent.yaml.j2 Normal file
View File

@@ -0,0 +1,22 @@
{% if projects_persistence|bool and projects_existing_claim == '' %}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: '{{ meta.name }}-projects-claim'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
accessModes:
- {{ projects_storage_access_mode }}
resources:
requests:
storage: {{ projects_storage_size }}
{% if projects_storage_class is defined %}
storageClassName: {{ projects_storage_class }}
{% endif %}
{% endif %}

71
roles/installer/templates/tower_postgres.yaml.j2 → roles/installer/templates/postgres.yaml.j2
View File

@@ -6,16 +6,20 @@ metadata:
name: '{{ meta.name }}-postgres'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}-postgres'
app.kubernetes.io/name: 'postgres'
app.kubernetes.io/instance: 'postgres-{{ meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
app.kubernetes.io/component: database
spec:
selector:
matchLabels:
app.kubernetes.io/name: '{{ meta.name }}-postgres'
app.kubernetes.io/name: 'postgres'
app.kubernetes.io/instance: 'postgres-{{ meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: database
serviceName: '{{ meta.name }}'
replicas: 1
updateStrategy:
@@ -23,69 +27,71 @@ spec:
template:
metadata:
labels:
app.kubernetes.io/name: '{{ meta.name }}-postgres'
app.kubernetes.io/name: 'postgres'
app.kubernetes.io/instance: 'postgres-{{ meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: database
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
spec:
containers:
- image: '{{ tower_postgres_image }}:{{ tower_postgres_image_version }}'
- image: '{{ postgres_image }}:{{ postgres_image_version }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: postgres
env:
# For tower_postgres_image based on rhel8/postgresql-12
# For postgres_image based on rhel8/postgresql-12
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: database
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: username
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: password
# For tower_postgres_image based on postgres
# For postgres_image based on postgres
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: database
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: '{{ meta.name }}-postgres-configuration'
name: '{{ __postgres_configuration_secret }}'
key: password
- name: PGDATA
value: '{{ tower_postgres_data_path }}'
value: '{{ postgres_data_path }}'
- name: POSTGRES_INITDB_ARGS
value: '{{ postgres_initdb_args }}'
- name: POSTGRES_HOST_AUTH_METHOD
value: '{{ postgres_host_auth_method }}'
ports:
- containerPort: 5432
- containerPort: {{ awx_postgres_port | default('5432')}}
name: postgres
volumeMounts:
- name: postgres
mountPath: '{{ tower_postgres_data_path | dirname }}'
subPath: '{{ tower_postgres_data_path | dirname | basename }}'
resources: {{ tower_postgres_resource_requirements }}
{% if tower_postgres_selector %}
mountPath: '{{ postgres_data_path | dirname }}'
subPath: '{{ postgres_data_path | dirname | basename }}'
resources: {{ postgres_resource_requirements }}
{% if postgres_selector %}
nodeSelector:
{{ tower_postgres_selector | indent(width=8) }}
{{ postgres_selector | indent(width=8) }}
{% endif %}
{% if tower_postgres_tolerations %}
{% if postgres_tolerations %}
tolerations:
{{ tower_postgres_tolerations | indent(width=8) }}
{{ postgres_tolerations | indent(width=8) }}
{% endif %}
volumeClaimTemplates:
- metadata:
@@ -93,10 +99,10 @@ spec:
spec:
accessModes:
- ReadWriteOnce
{% if tower_postgres_storage_class != '' %}
storageClassName: '{{ tower_postgres_storage_class }}'
{% if postgres_storage_class is defined %}
storageClassName: '{{ postgres_storage_class }}'
{% endif %}
resources: {{ tower_postgres_storage_requirements }}
resources: {{ postgres_storage_requirements }}
# Postgres Service.
---
@@ -106,15 +112,20 @@ metadata:
name: '{{ meta.name }}-postgres'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}-postgres'
app.kubernetes.io/name: 'postgres'
app.kubernetes.io/instance: 'postgres-{{ meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
app.kubernetes.io/component: database
spec:
ports:
- port: 5432
clusterIP: None
selector:
app.kubernetes.io/name: '{{ meta.name }}-postgres'
app.kubernetes.io/name: 'postgres'
app.kubernetes.io/instance: 'postgres-{{ meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: database

1
roles/installer/templates/tower_postgres_secret.yaml.j2 → roles/installer/templates/postgres_secret.yaml.j2
View File

@@ -10,6 +10,7 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
password: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'
username: '{{ database_username }}'

1
roles/installer/templates/tower_secret_key.yaml.j2 → roles/installer/templates/secret_key.yaml.j2
View File

@@ -9,5 +9,6 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
secret_key: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

22
roles/installer/templates/tower_service.yaml.j2 → roles/installer/templates/service.yaml.j2
View File

@@ -9,31 +9,33 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{% if tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_annotations %}
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
{{ service_labels | indent(width=4) }}
{% if ingress_type | lower == 'loadbalancer' and loadbalancer_annotations %}
annotations:
{{ tower_loadbalancer_annotations | indent(width=4) }}
{{ loadbalancer_annotations | indent(width=4) }}
{% endif %}
spec:
ports:
{% if tower_ingress_type | lower != 'loadbalancer' and tower_loadbalancer_protocol | lower != 'https' %}
{% if service_type | lower != 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
- port: 80
protocol: TCP
targetPort: 8052
name: http
{% endif %}
{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- port: 443
protocol: TCP
targetPort: 8053
name: https
{% endif %}
{% if tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower == 'https' %}
- port: {{ tower_loadbalancer_port }}
{% if service_type | lower == 'loadbalancer' and loadbalancer_protocol | lower == 'https' %}
- port: {{ loadbalancer_port }}
protocol: TCP
targetPort: 8052
name: https
{% elif tower_ingress_type | lower == 'loadbalancer' and tower_loadbalancer_protocol | lower != 'https' %}
- port: {{ tower_loadbalancer_port }}
{% elif service_type | lower == 'loadbalancer' and loadbalancer_protocol | lower != 'https' %}
- port: {{ loadbalancer_port }}
protocol: TCP
targetPort: 8052
name: http
@@ -42,9 +44,9 @@ spec:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
{% if tower_ingress_type | lower == "loadbalancer" %}
{% if service_type | lower == "loadbalancer" %}
type: LoadBalancer
{% elif tower_ingress_type != "none" %}
{% elif service_type | lower == "nodeport" %}
type: NodePort
{% else %}
type: ClusterIP

8
roles/installer/templates/tower_service_account.yaml.j2 → roles/installer/templates/service_account.yaml.j2
View File

@@ -9,6 +9,11 @@ metadata:
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
{% if service_account_annotations %}
annotations:
{{ service_account_annotations | indent(width=4) }}
{% endif %}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@@ -25,6 +30,9 @@ rules:
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["create"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "delete"]
---
kind: RoleBinding

21
roles/installer/templates/tower_persistent.yaml.j2
View File

@@ -1,21 +0,0 @@
{% if tower_projects_persistence|bool and tower_projects_existing_claim == '' %}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: '{{ meta.name }}-projects-claim'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
spec:
accessModes:
- {{ tower_projects_storage_access_mode }}
resources:
requests:
storage: {{ tower_projects_storage_size }}
{% if tower_projects_storage_class != '' %}
storageClassName: {{ tower_projects_storage_class }}
{% endif %}
{% endif %}

2
roles/installer/vars/main.yml
View File

@@ -2,4 +2,4 @@
postgres_initdb_args: '--auth-host=scram-sha-256'
postgres_host_auth_method: 'scram-sha-256'
ldap_cacert_ca_crt: ''
tower_projects_existing_claim: ''
projects_existing_claim: ''

121
roles/restore/README.md Normal file
View File

@@ -0,0 +1,121 @@
Restore Role
=========
The purpose of this role is to restore your AWX deployment from an existing PVC backup. The backup includes:
- custom deployment specific values in the spec section of the AWX custom resource object
- backup of the postgresql database
- secret_key, admin_password, and broadcast_websocket secrets
- database configuration
Requirements
------------
This role assumes you are authenticated with an Openshift or Kubernetes cluster:
- The awx-operator has been deployed to the cluster
- AWX is deployed to via the operator
- An AWX backup is available on a PVC in your cluster (see the backup [README.md](../backup/README.md))
Usage
----------------
Then create a file named `restore-awx.yml` with the following contents:
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWXRestore
metadata:
name: restore1
namespace: my-namespace
spec:
deployment_name: mytower
backup_name: awxbackup-2021-04-22
backup_pvc_namespace: 'old-awx-namespace'
```
Note that the `deployment_name` above is the name of the AWX deployment you intend to create and restore to.
The namespace specified is the namespace the resulting AWX deployment will be in. The namespace you specified must be pre-created.
```
kubectl create ns my-namespace
```
Finally, use `kubectl` to create the restore object in your cluster:
```bash
$ kubectl apply -f restore-awx.yml
```
This will create a new deployment and restore your backup to it.
> :warning: admin_password_secret value will replace the password for the `admin_user` user (by default, this is the `admin` user).
Role Variables
--------------
The name of the backup directory can be found as a status on your AWXBackup object. This can be found in your cluster's console, or with the client as shown below.
```bash
$ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupDirectory}"
/backups/tower-openshift-backup-2021-04-02-03:25:08
```
```
backup_dir: '/backups/tower-openshift-backup-2021-04-02-03:25:08'
```
The name of the PVC can also be found by looking at the backup object.
```bash
$ kubectl get awxbackup awxbackup1 -o jsonpath="{.items[0].status.backupClaim}"
awx-backup-volume-claim
```
```
backup_pvc: 'awx-backup-volume-claim'
```
By default, the backup pvc will be created in the same namespace the awxbackup object is created in. This namespace must be specified using the `backup_pvc_namespace` variable.
```
backup_pvc_namespace: 'custom-namespace'
```
If a custom postgres configuration secret was used when deploying AWX, it must be set:
```
postgres_configuration_secret: 'awx-postgres-configuration'
```
If the awxbackup object no longer exists, it is still possible to restore from the backup it created by specifying the pvc name and the back directory.
```
backup_pvc: myoldtower-backup-claim
backup_dir: /backups/tower-openshift-backup-2021-04-02-03:25:08
```
Testing
----------------
You can test this role directly by creating and running the following playbook with the appropriate variables:
```
---
- name: Restore AWX
hosts: localhost
gather_facts: false
roles:
- restore
```
License
-------
MIT

12
roles/restore/defaults/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# Required: specify name of tower deployment to restore to
deployment_name: ''
kind: 'AWXRestore'
api_version: '{{ deployment_type }}.ansible.com/v1beta1'
# Required: specify a pre-created PVC (name) to restore from
backup_pvc: ''
backup_pvc_namespace: ''
# Required: backup name, found on the awxbackup object
backup_dir: ''

31
roles/restore/meta/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
galaxy_info:
author: Ansible
description: AWX role for AWX Operator for Kubernetes.
company: Red Hat, Inc.
license: MIT
min_ansible_version: 2.8
platforms:
- name: EL
versions:
- all
- name: Debian
versions:
- all
galaxy_tags:
- tower
- controller
- awx
- ansible
- restore
- automation
dependencies: []
collections:
- community.kubernetes
- operator_sdk.util

24
roles/restore/tasks/cleanup.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Delete any existing management pod
k8s:
name: "{{ meta.name }}-db-management"
kind: Pod
namespace: "{{ backup_pvc_namespace }}"
state: absent
force: true
- name: Remove ownerReferences from secrets to avoid garbage collection
k8s:
definition:
apiVersion: v1
kind: Secret
metadata:
name: '{{ item }}'
namespace: '{{ meta.namespace }}'
ownerReferences: null
loop:
- '{{ secret_key_secret_name }}'
- '{{ admin_password_secret_name }}'
- '{{ broadcast_websocket_secret_name }}'
- '{{ postgres_configuration_secret_name }}'

66
roles/restore/tasks/deploy_awx.yml Normal file
View File

@@ -0,0 +1,66 @@
---
- name: Save kind
set_fact:
_kind: "{{ kind }}"
- name: Get AWX object definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/awx_object'"
register: awx_object
- name: Create temp file for spec dict
tempfile:
state: file
register: tmp_spec
- name: Write spec vars to temp file
copy:
content: "{{ awx_object.stdout }}"
dest: "{{ tmp_spec.path }}"
mode: '0644'
- name: Include spec vars to save them as a dict
include_vars: "{{ tmp_spec.path }}"
register: spec
- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
set_fact:
awx_spec: "{{ spec.ansible_facts }}"
- name: Set names of backed up secrets in the CR spec
set_fact:
awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
with_items:
- {'key': 'secret_key_secret', 'value': '{{ secret_key_secret_name }}'}
- {'key': 'admin_password_secret', 'value': '{{ admin_password_secret_name }}'}
- {'key': 'broadcast_websocket_secret', 'value': '{{ broadcast_websocket_secret_name }}'}
- {'key': 'postgres_configuration_secret', 'value': '{{ postgres_configuration_secret_name }}'}
- name: Restore kind
set_fact:
kind: "{{ _kind }}"
- name: Deploy AWX
k8s:
state: "{{ state | default('present') }}"
namespace: "{{ meta.namespace }}"
apply: yes
template: awx_object.yml.j2
wait: true
wait_condition:
type: "Running"
status: "True"
- name: Remove ownerReferences to prevent garbage collection of new AWX CRO
k8s:
definition:
apiVersion: '{{ api_version }}'
kind: AWX
metadata:
name: '{{ deployment_name }}'
namespace: '{{ meta.namespace }}'
ownerReferences: null

11
roles/restore/tasks/error_handling.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Determine the timestamp
set_fact:
now: '{{ lookup("pipe", "date +%FT%TZ") }}'
- name: Emit ocp event with error
k8s:
kind: Event
namespace: "{{ meta.namespace }}"
template: "event.yml.j2"

104
roles/restore/tasks/init.yml Normal file
View File

@@ -0,0 +1,104 @@
---
- name: Set variables from awxbackup object statuses if provided
block:
- name: Look up details for the backup
k8s_info:
api_version: "{{ backup_api_version }}"
kind: "{{ backup_kind }}"
name: "{{ backup_name }}"
namespace: "{{ backup_pvc_namespace }}"
register: this_backup
- name: Surface error to user
block:
- name: Set error message
set_fact:
error_msg: "Cannot read the backup status variables for {{ backup_kind }} {{ backup_name }}."
- name: Handle error
import_tasks: error_handling.yml
- name: Fail early if pvc is defined but does not exist
fail:
msg: "{{ error_msg }}"
when:
- this_backup['resources'] | length == 0
- this_backup['resources'][0] is not defined
- this_backup['resources'][0]['status'] is not defined
- this_backup['resources'][0]['status']['backupClaim'] is not defined
- this_backup['resources'][0]['status']['backupDirectory'] is not defined
- name: Set backup facts
set_fact:
backup_pvc: "{{ this_backup['resources'][0]['status']['backupClaim'] }}"
backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] }}"
when:
- backup_name != '' or backup_name is defined
# Check to make sure provided pvc exists, error loudly if not. Otherwise, the management pod will just stay in pending state forever.
- name: Check provided PVC exists
k8s_info:
name: "{{ backup_pvc }}"
kind: PersistentVolumeClaim
namespace: "{{ backup_pvc_namespace }}"
register: provided_pvc
when:
- backup_pvc != ''
- name: Surface error to user
block:
- name: Set error message
set_fact:
error_msg: "{{ backup_pvc }} does not exist, please create this pvc first."
- name: Handle error
import_tasks: error_handling.yml
- name: Fail early if pvc is defined but does not exist
fail:
msg: "{{ error_msg }}"
when:
- backup_pvc != ''
- provided_pvc.resources | length == 0
- name: Delete any existing management pod
k8s:
name: "{{ meta.name }}-db-management"
kind: Pod
namespace: "{{ backup_pvc_namespace }}"
state: absent
force: true
wait: true
- name: Create management pod from templated deployment config
k8s:
name: "{{ meta.name }}-db-management"
kind: Deployment
state: present
template: "management-pod.yml.j2"
wait: true
- name: Check to make sure backup directory exists on PVC
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "stat {{ backup_dir }}"
register: stat_backup_dir
- name: Error if backup dir is missing
block:
- name: Set error message
set_fact:
error_msg: "{{ backup_dir }} does not exist, see the backupDirectory status on your AWXBackup for the correct backup_dir."
- name: Handle error
import_tasks: error_handling.yml
- name: Fail early if backup dir provided does not exist
fail:
msg: "{{ error_msg }}"
when:
- backup_dir != ''
- stat_backup_dir.return_code != 0

47
roles/restore/tasks/main.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- name: Patching labels to {{ kind }} kind
k8s:
state: present
definition:
apiVersion: '{{ api_version }}'
kind: '{{ kind }}'
name: '{{ meta.name }}'
namespace: '{{ meta.namespace }}'
metadata:
name: '{{ meta.name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
- name: Look up details for this restore object
k8s_info:
api_version: "{{ api_version }}"
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
register: this_restore
- block:
- include_tasks: init.yml
- include_tasks: secrets.yml
- include_tasks: deploy_awx.yml
- include_tasks: postgres.yml
- name: Set flag signifying this restore was successful
set_fact:
tower_restore_complete: True
- include_tasks: cleanup.yml
when:
- this_restore['resources'][0]['status']['restoreComplete'] is not defined
- name: Update status variables
include_tasks: update_status.yml

85
roles/restore/tasks/postgres.yml Normal file
View File

@@ -0,0 +1,85 @@
---
- name: Check for specified PostgreSQL configuration
k8s_info:
kind: Secret
namespace: '{{ meta.namespace }}'
name: '{{ postgres_configuration_secret_name }}'
register: pg_config
- name: Store Database Configuration
set_fact:
awx_postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
awx_postgres_pass: "{{ pg_config['resources'][0]['data']['password'] | b64decode }}"
awx_postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
- name: Default label selector to custom resource generated postgres
set_fact:
postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
when: postgres_label_selector is not defined
- name: Get the postgres pod information
k8s_info:
kind: Pod
namespace: '{{ meta.namespace }}'
label_selectors:
- "{{ postgres_label_selector }}"
register: postgres_pod
until:
- "postgres_pod['resources'] | length"
- "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
delay: 5
retries: 60
- name: Set the resource pod name as a variable.
set_fact:
postgres_pod_name: "{{ postgres_pod['resources'][0]['metadata']['name'] }}"
- name: Check for presence of AWX Deployment
k8s_info:
api_version: v1
kind: Deployment
name: "{{ deployment_name }}"
namespace: "{{ meta.namespace }}"
register: this_deployment
- name: Scale down Deployment for migration
k8s_scale:
api_version: v1
kind: Deployment
name: "{{ deployment_name }}"
namespace: "{{ meta.namespace }}"
replicas: 0
wait: yes
when: this_deployment['resources'] | length
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local"
when: awx_postgres_type == 'managed'
- name: Set pg_restore command
set_fact:
pg_restore: >-
pg_restore --clean --if-exists
-U {{ awx_postgres_user }}
-h {{ resolvable_db_host }}
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
- name: Restore database dump to the new postgresql container
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: |
bash -c """
set -e -o pipefail
cat {{ backup_dir }}/tower.db | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
echo 'Successful'
"""
register: data_migration
failed_when: "'Successful' not in data_migration.stdout"

37
roles/restore/tasks/secrets.yml Normal file
View File

@@ -0,0 +1,37 @@
---
- name: Get secret definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/secrets.yml'"
register: secrets
- name: Create temp vars file
tempfile:
prefix: secret_vars-
register: secret_vars
- name: Write vars to file locally
copy:
dest: "{{ secret_vars.path }}"
content: "{{ secrets.stdout }}"
mode: 0640
- name: Include secret vars from backup
include_vars: "{{ secret_vars.path }}"
- name: Set new database host based on supplied deployment_name
set_fact:
database_host: "{{ deployment_name }}-postgres"
when:
- database_type == 'managed'
- name: Apply secret
k8s:
state: present
namespace: "{{ meta.namespace }}"
apply: yes
wait: yes
template: "secrets.yml.j2"

11
roles/restore/tasks/update_status.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Update CR Restore status
operator_sdk.util.k8s_status:
api_version: '{{ api_version }}'
kind: "{{ kind }}"
name: "{{ meta.name }}"
namespace: "{{ meta.namespace }}"
status:
restoreComplete: true
when: tower_restore_complete is defined

7
roles/restore/templates/awx_object.yml.j2 Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: '{{ api_version }}'
kind: AWX
metadata:
name: '{{ deployment_name }}'
namespace: '{{ meta.namespace }}'
spec: {{ awx_spec }}

17
roles/restore/templates/event.yml.j2 Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Event
metadata:
name: restore-error.{{ now }}
namespace: {{ meta.namespace }}
involvedObject:
apiVersion: awx.ansible.com/v1beta1
kind: {{ kind }}
name: {{ meta.name }}
namespace: {{ meta.namespace }}
message: {{ error_msg }}
reason: RestoreFailed
type: Warning
firstTimestamp: {{ now }}
lastTimestamp: {{ now }}
count: 1

28
roles/restore/templates/management-pod.yml.j2 Normal file
View File

@@ -0,0 +1,28 @@
---
apiVersion: v1
kind: Pod
metadata:
name: {{ meta.name }}-db-management
namespace: {{ backup_pvc_namespace }}
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
spec:
containers:
- name: {{ meta.name }}-db-management
image: "{{ postgres_image }}"
imagePullPolicy: Always
command: ["sleep", "infinity"]
volumeMounts:
- name: {{ meta.name }}-backup
mountPath: /backups
readOnly: false
volumes:
- name: {{ meta.name }}-backup
persistentVolumeClaim:
claimName: {{ backup_pvc }}
readOnly: false
restartPolicy: Never

68
roles/restore/templates/secrets.yml.j2 Normal file
View File

@@ -0,0 +1,68 @@
# Postgres Secret
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ postgres_configuration_secret_name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
password: '{{ database_password }}'
username: '{{ database_username }}'
database: '{{ database_name }}'
port: '{{ database_port }}'
host: '{{ database_host }}'
type: '{{ database_type }}'
# Secret Key Secret
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ secret_key_secret_name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
secret_key: '{{ secret_key }}'
# Admin Password Secret
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ admin_password_secret_name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
password: '{{ admin_password }}'
# Broadcast Websocket Secret
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ broadcast_websocket_secret_name }}'
namespace: '{{ meta.namespace }}'
labels:
app.kubernetes.io/name: '{{ meta.name }}'
app.kubernetes.io/part-of: '{{ meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/component: '{{ deployment_type }}'
app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
stringData:
secret: '{{ broadcast_websocket }}'

13
roles/restore/vars/main.yml Normal file
View File

@@ -0,0 +1,13 @@
---
deployment_type: "awx"
postgres_image: postgres:12
backup_api_version: '{{ deployment_type }}.ansible.com/v1beta1'
backup_kind: 'AWXBackup'
# set default secret names to be used if a backup dir and claim are provided (not a backup_name)
secret_key_secret_name: '{{ deployment_name }}-secret-key'
admin_password_secret_name: '{{ deployment_name }}-admin-password'
broadcast_websocket_secret_name: '{{ deployment_name }}-broadcast-websocket'
postgres_configuration_secret_name: '{{ deployment_name }}-postgres-configuration'

3
scripts/build.sh
View File

@@ -8,7 +8,7 @@
##
## git clone https://github.com/ansible/awx-operator.git
## cd awx-operator
## REGISTRY=registry.example.com/ansible TAG=mytag scripts/build.sh
## REGISTRY=registry.example.com/ansible TAG=mytag ANSIBLE_DEBUG_LOGS=true scripts/build.sh
##
## As a result, the $REGISTRY will be populated with 2 images
## registry.example.com/ansible/awx-operator:mytag
@@ -51,6 +51,7 @@ prepare_local_deploy() {
echo "operator_image: $REGISTRY/$OPERATOR_IMAGE" > ansible/group_vars/all
echo "operator_version: $TAG" >> ansible/group_vars/all
echo "pull_policy: Always" >> ansible/group_vars/all
echo "ansible_debug_logs: ${ANSIBLE_DEBUG_LOGS:-false}" >> ansible/group_vars/all
ansible-playbook ansible/chain-operator-files.yml
}

115
scripts/okd-console.yaml Normal file
View File

@@ -0,0 +1,115 @@
### Don't run this deployment in production
### The current configuration will run the
### OKD console without any autentication!!!!
###
### A prerequisite is to install the OLM
### as instructed at https://olm.operatorframework.io/docs/getting-started/#install-released-olm
###
### i.e:
### $ export olm_release=0.15.1
### $ kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/${olm_release}/crds.yaml
### $ kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/${olm_release}/olm.yaml
###
### This deployment is intented to run locally
### and to troubleshoot OLM UI changes.
###
### To access the console, then execute:
### kubectl port-forward svc/okd-console -n okd-console 9000:9000
###
### Then point your browser:
### http://localhost:9000
---
apiVersion: v1
kind: Namespace
metadata:
name: okd-console
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: okd-console
name: okd-console
namespace: okd-console
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: okd-console
labels:
k8s-app: okd-console
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: okd-console
namespace: okd-console
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: okd-console
namespace: okd-console
labels:
k8s-app: okd-console
spec:
replicas: 1
selector:
matchLabels:
k8s-app: okd-console
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
k8s-app: okd-console
spec:
serviceAccountName: okd-console
containers:
- name: okd-console
image: quay.io/openshift/origin-console:4.9.0
imagePullPolicy: IfNotPresent
livenessProbe:
tcpSocket:
port: web
initialDelaySeconds: 2
periodSeconds: 10
failureThreshold: 60
readinessProbe:
tcpSocket:
port: web
initialDelaySeconds: 2
periodSeconds: 10
failureThreshold: 60
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "550m"
ports:
- name: web
containerPort: 9000
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: okd-console
namespace: okd-console
labels:
k8s-app: okd-console
spec:
ports:
- name: web
targetPort: 9000
port: 9000
protocol: TCP
selector:
k8s-app: okd-console

13
watches.yaml
View File

@@ -3,6 +3,13 @@
group: awx.ansible.com
kind: AWX
playbook: /opt/ansible/main.yml
finalizer:
name: finalizer.awx.ansible.com
role: finalizer
- version: v1beta1
group: awx.ansible.com
kind: AWXBackup
role: backup
- version: v1beta1
group: awx.ansible.com
kind: AWXRestore
role: restore