internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 22:03:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:1.0.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
...
compare: internet:1.1.4
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

27 Commits
1.0.0 ... 1.1.4

Author SHA1 Message Date
Miles
f6f58d5c6d Setup make index for testing (#1183) 
- Reconfigure index file generation
- checkout gh-pages branch in promote.yaml
- fix helm-index make target
- add gh-pages folder in .gitignore

Signed-off-by: Miles Wilson <wilson.mil@icloud.com>
Co-authored-by: Hao Liu <haoli@redhat.com>
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
 2023-01-18 17:53:57 -05:00
kurokobo
b1a547d2a6 fix: add quotes for PGPASSWORD in upgrade_postgres.yml (fixes #1166) (#1167) 2023-01-18 11:59:03 -05:00
Christian Adams
43f98eda77 Fix pr_body_check (#1187) 2023-01-11 22:16:58 -05:00
Christian Adams
007e47e35c Add pre-reqs to the backup and restore docs (#1186) 2023-01-11 17:18:49 -05:00
David Hageman
21eb83b052 Correct admin password updating (#1179) 
Corrects an issue with admin passwords failing to be updated due to shell escaping. This aligns the operator with the logic in the normal installer.
 2023-01-11 11:41:35 -05:00
Dimitri Savineau
1f8414b8cb molecule: set no_log to false (#1185) 
In order to get information during CI debugging then turning off the
no_log statement will help with non hidden output.

FAILED! => {"censored": "the output has been hidden due to the fact that
            'no_log: true' was specified for this result"}

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
 2023-01-11 11:21:53 -05:00
Shane McDonald
a199a8c104 Merge pull request #1172 from orcema/orcema-patch-readme-CA 
update Trusting a Custom Certificate Authority
 2023-01-04 13:18:37 +08:00
Orce MARINKOVSKI
fb1639a5d4 update Trusting a Custom Certificate Authority 
I had hard times to identify how to declare to include statement for a custom certifcate bundle within the Kustomize file.
The tricky part for me was to spot the option "disableNameSuffixHash: true" in order to avoid renaming the secret name with an has suffix
 2022-12-27 10:43:56 +01:00
Christian Adams
19c6c77c41 Add ability to configmap and include config files for nginx.conf (#1145) 2022-12-16 10:36:29 -05:00
Mathijsvw
4ee523ed69 Added pg_dump_suffix doc and crd property (#1006) 
* Added pg_dump_suffix crd property

Signed-off-by: Mathijs van Willigen <mathijs.vanwilligen@student.hu.nl>
 2022-12-14 14:56:40 -05:00
Stanislav Zaprudskiy
4c5bae69ef Add possibility specifying affinity of AWX Pods. (#1139) 
* Add an option to specify affinity rules for the awx pod

In some cases, you may want to use affinity rules instead of a
 node selector so you can have more flexbility. For example if you want
to have "soft" rules i.e. run my pod on this node if possible otherwise
run it anywhere

* Rename `node_affinity` to `affinity`
* Maintain defaults and CSV
* Add fields validation

Co-authored-by: Olivier <oliverf1ca@yahoo.com>
 2022-12-14 10:39:41 -05:00
Dax Kelson
9bf896e37c Update README.md (#1147) 
Use awx namespace whent getting AWX instance URL
 2022-12-07 14:31:34 -05:00
Christian Adams
cb50f4f3ac Add docs for Openshift install configuration (#1140) 2022-12-07 14:18:06 -05:00
Christian Adams
066e55e179 Bump Ansible Operator SDK version to v1.25.3 (#1146) 2022-12-05 16:04:04 -05:00
dru90i
f35bd7cf83 add default cluster name (#1129) 
* add default cluster name

* Update awx.ansible.com_awxrestores.yaml

Co-authored-by: Kirill Smirnov <kirilsmirnov@x5.ru>
 2022-11-30 14:29:52 -05:00
Karsten Heymann
95a1fc082b README.md: Add newline after decoded passwords (#1137) 
`base64 --decode` prints no new line after its output, resulting in the next shell prompt starting immediately after the password. This makes copying the password difficult. Adding an `echo` at the end of the command fixes this.
 2022-11-30 15:59:38 +00:00
dale-mittleman
dbd1e59a55 Added flag to disable ipv6 listener (#1135) 2022-11-30 10:38:44 -05:00
Christian Adams
61f45147f6 Set Minimum K8s cluster version we expect to work (#1126) 2022-11-18 10:27:47 -05:00
Michael Cristina
c20f9b4128 fix default container name (#1048) 2022-11-16 20:33:50 -05:00
Seth Foster
15568fe564 docs show extra setting double quotes (#1123) 2022-11-16 20:25:28 -05:00
Florian LAUNAY
1baf417504 remove helm chart version from labels (#1114) 2022-11-15 16:32:33 -05:00
janorn
7fbf1c42aa Get tags from remote. Local copy not complete. (#1075) 2022-11-10 00:25:51 -05:00
Christian Adams
a5e21b56ae Backup and restore receptor tls secret with expected generated name (#1107) 2022-11-07 11:04:22 -05:00
John Westcott IV
1399504142 Adding community labels on PRs and Issues (#1108) 2022-11-04 11:55:47 -04:00
Shane McDonald
e5896d15ed Merge pull request #1078 from FlorianLaunay/devel 
use dedicated image for projects persistence PVC init tasks
 2022-11-03 19:37:58 -04:00
Christian Adams
6b01ff09ce Amend permissions for backup dir (#1109) 2022-11-03 12:52:48 -04:00
Florian LAUNAY
c708cef4dc use dedicated image for projects persistence PVC init tasks 2022-11-03 17:26:00 +01:00
36 changed files with 814 additions and 143 deletions
Expand all files Collapse all files

54
.github/workflows/label_issue.yml vendored Normal file
View File

@@ -0,0 +1,54 @@
---
name: Label Issues
on:
issues:
types:
- opened
- reopened
jobs:
triage:
runs-on: ubuntu-latest
name: Label
steps:
- name: Label Issue - Needs Triage
uses: github/issue-labeler@v2.4.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
configuration-path: .github/issue_labeler.yml
enable-versioned-regex: 0
if: github.event_name == 'issues'
community:
runs-on: ubuntu-latest
name: Label Issue - Community
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v4
- name: Install python requests
run: pip install requests
- name: Check if user is a member of Ansible org
uses: jannekem/run-python-script-action@v1
id: check_user
with:
script: |
import requests
headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
is_member = False
for org in response.json():
if org['login'] == 'ansible':
is_member = True
if is_member:
print("User is member")
else:
print("User is community")
- name: Add community label if not a member
if: contains(steps.check_user.outputs.stdout, 'community')
uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
with:
add-labels: "community"
repo-token: ${{ secrets.GITHUB_TOKEN }}

40
.github/workflows/label_pr.yml vendored Normal file
View File

@@ -0,0 +1,40 @@
name: Label PR
on:
pull_request_target:
types:
- opened
- reopened
- synchronize
jobs:
community:
runs-on: ubuntu-latest
name: Label PR - Community
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v4
- name: Install python requests
run: pip install requests
- name: Check if user is a member of Ansible org
uses: jannekem/run-python-script-action@v1
id: check_user
with:
script: |
import requests
headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
is_member = False
for org in response.json():
if org['login'] == 'ansible':
is_member = True
if is_member:
print("User is member")
else:
print("User is community")
- name: Add community label if not a member
if: contains(steps.check_user.outputs.stdout, 'community')
uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
with:
add-labels: "community"
repo-token: ${{ secrets.GITHUB_TOKEN }}

18
.github/workflows/pr_body_check.yml vendored
View File

@@ -13,21 +13,13 @@ jobs:
packages: write
contents: read
steps:
- name: Write PR body to a file
run: |
cat >> pr.body << __SOME_RANDOM_PR_EOF__
${{ github.event.pull_request.body }}
__SOME_RANDOM_PR_EOF__
- name: Display the received body for troubleshooting
run: cat pr.body
# We want to write these out individually just incase the options were joined on a single line
- name: Check for each of the lines
env:
PR_BODY: ${{ github.event.pull_request.body }}
run: |
grep "Bug, Docs Fix or other nominal change" pr.body > Z
grep "New or Enhanced Feature" pr.body > Y
grep "Breaking Change" pr.body > X
echo $PR_BODY | grep "Bug, Docs Fix or other nominal change" > Z
echo $PR_BODY | grep "New or Enhanced Feature" > Y
echo $PR_BODY | grep "Breaking Change" > X
exit 0
# We exit 0 and set the shell to prevent the returns from the greps from failing this step
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference

9
.github/workflows/promote.yaml vendored
View File

@@ -8,7 +8,14 @@ jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
depth: 0
- uses: actions/checkout@v3
with:
ref: gh-pages
path: gh-pages
- name: Log in to GHCR
run: |

22
.github/workflows/triage_new.yml vendored
View File

@@ -1,22 +0,0 @@
---
name: Triage
on:
issues:
types:
- opened
jobs:
triage:
runs-on: ubuntu-latest
name: Label
steps:
- name: Label issues
uses: github/issue-labeler@v2.4.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
configuration-path: .github/issue_labeler.yml
enable-versioned-regex: 0
if: github.event_name == 'issues'

1
.gitignore vendored
View File

@@ -1,4 +1,5 @@
*~
gh-pages/
.cache/
/bin
/bundle

23
.helm/starter/README.md
View File

@@ -1,6 +1,6 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
@@ -8,7 +8,7 @@ To configure your AWX resource using this chart, create your own `yaml` values f
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
Example:
```
@@ -27,10 +27,10 @@ To update an existing installation, use `helm upgrade` instead of `install`. The
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
## Values Summary
@@ -44,13 +44,24 @@ The `AWX.postgres` section simplifies the creation of the external postgres secr
| `AWX.postgres` | configurations for the external postgres secret | - |
# Contributing
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
# Chart Publishing
The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM quay.io/operator-framework/ansible-operator:v1.23.0
FROM quay.io/operator-framework/ansible-operator:v1.25.3
USER 0

71
Makefile
View File

@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUSTOMIZE)) ;\
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.5/kustomize_v4.5.5_$(OS)_$(ARCHA).tar.gz | \
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
}
else
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.23.0/ansible-operator_$(OS)_$(ARCHA) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.25.3/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -187,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCHA)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.25.3/$(OS)-$(ARCHA)-opm ;\
chmod +x $(OPM) ;\
}
else
@@ -296,8 +296,8 @@ helm-chart: helm-chart-generate
helm-chart-generate: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE: Set image and chart label =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)-$(VERSION)
cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
@echo "== Gather Helm Chart Metadata =="
# remove the existing chart if it exists
@@ -350,43 +350,52 @@ helm-chart-generate: kustomize helm kubectl-slice yq charts
.PHONY: helm-package
helm-package: cr helm-chart
@echo "== CHART RELEASER (package) =="
$(CR) package ./charts/awx-operator
helm-package: helm-chart
@echo "== Package Current Chart Version =="
mkdir -p .cr-release-packages
# package the chart and put it in .cr-release-packages dir
$(HELM) package ./charts/awx-operator -d .cr-release-packages
# List all tags oldest to newest.
TAGS := $(shell git tag -l --sort=creatordate)
TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
# The actual release happens in ansible/helm-release.yml
# until https://github.com/helm/chart-releaser/issues/122 happens
# The actual release happens in ansible/helm-release.yml, which calls this targer
# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
# that is contained within a larger repo, where a tag may not require a new chart version
.PHONY: helm-index
helm-index: cr helm-chart
@echo "== CHART RELEASER (httpsorigin) =="
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
git fetch httpsorigin
helm-index:
# when running in CI this gh-pages are already checked out with github action to 'gh-pages' directory
# TODO: test if gh-pages directory exists and if not exist
@echo "== GENERATE INDEX FILE =="
# This step to workaround issues with old releases being dropped.
# Until https://github.com/helm/chart-releaser/issues/133 happens
@echo "== CHART FETCH previous releases =="
# Download all old releases
cd .cr-release-packages;\
mkdir -p .cr-release-packages
for tag in $(TAGS); do\
dl_url="https://github.com/$${CHART_OWNER}/$${CHART_REPO}/releases/download/$${tag}/$${CHART_REPO}-$${tag}.tgz";\
curl -RLOs -z "$${CHART_REPO}-$${tag}.tgz" --fail $${dl_url};\
dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
echo "Downloading $${tag} from $${dl_url}";\
curl -RLOs -z ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
result=$$?;\
if [ $${result} -eq 0 ]; then\
echo "Downloaded $$dl_url";\
echo "Downloaded $${dl_url}";\
else\
echo "Skipping release $${tag}; No helm chart present";\
rm -rf ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz";\
fi;\
done
done;\
@echo "== CHART RELEASER (index) =="
$(CR) index \
--owner "$(CHART_OWNER)" \
--git-repo "$(CHART_REPO)" \
--token "$(CR_TOKEN)" \
--pages-branch "$(CHART_BRANCH)" \
--index-path "./charts/$(CHART_INDEX)" \
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
--remote httpsorigin \
--release-name-template="{{ .Version }}" \
--push
# generate the index file in the root of the gh-pages branch
# --merge will leave any values in index.yaml that don't get generated by this command, but
# it is likely that all values are overridden
$(HELM) repo index .cr-release-packages --url https://$(CHART_OWNER).github.io/awx-operator/ --merge gh-pages/index.yaml
mv .cr-release-packages/index.yaml gh-pages/index.yaml
@echo "== PUSH INDEX FILE =="
cd gh-pages;\
git add index.yaml;\
git commit -m "Updated index.yaml latest release";\
git push;\

107
README.md
View File

@@ -203,6 +203,20 @@ spec:
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-demo
spec:
service_type: clusterip
ingress_type: Route
```
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
```yaml
@@ -243,13 +257,13 @@ awx-demo-service NodePort 10.109.40.38 <none> 80:31006/TCP 3m56
Once deployed, the AWX instance will be accessible by running:
```
$ minikube service awx-demo-service --url
$ minikube service -n awx awx-demo-service --url
```
By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
```
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
```
@@ -303,7 +317,7 @@ There are three variables that are customizable for the admin user account creat
If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
The secret that is expected to be passed should be formatted as follow:
@@ -704,18 +718,20 @@ You can constrain the AWX pods created by the operator to run on a certain subse
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
pods to be scheduled onto nodes with matching taints.
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
If you want to use affinity rules for your AWX pod you can use the `affinity` option.
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
| Name | Description | Default |
| --------------------------- | ----------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| affinity | AWX pods' affinity rules | '' |
| tolerations | AWX pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:
@@ -748,6 +764,28 @@ spec:
operator: "Equal"
value: "AWX"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: another-node-label-key
operator: In
values:
- another-node-label-value
- another-node-label-value
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S2
topologyKey: topology.kubernetes.io/zone
```
#### Trusting a Custom Certificate Authority
@@ -775,7 +813,22 @@ spec:
bundle_cacert_secret: <resourcename>-custom-certs
```
To create the secrets, you can use the commands below:
Create the secret with `kustomization.yaml` file:
```yaml
....
secretGenerator:
- name: <resourcename>-custom-certs
files:
- bundle-ca.crt=<path+filename>
options:
disableNameSuffixHash: true
...
```
Create the secret with CLI:
* Certificate Authority secret
@@ -957,6 +1010,17 @@ Example spec file for volumes and volume mounts
> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
##### Custom Nginx Configuration
Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it is possible to extend the nginx.conf.
1. Create a ConfigMap with the extra settings you want to include in the nginx.conf
2. Create an extra_volumes entry in the AWX spec for this ConfigMap
3. Create an web_extra_volume_mounts entry in the AWX spec to mount this volume
The AWX nginx config automatically includes /etc/nginx/conf.d/*.conf if present.
#### Default execution environments from private registries
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
@@ -1076,8 +1140,14 @@ Example configuration of `extra_settings` parameter
- setting: AUTH_LDAP_BIND_DN
value: "cn=admin,dc=example,dc=com"
- setting: LOG_AGGREGATOR_LEVEL
value: "'DEBUG'"
```
Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
#### No Log
Configure no_log for tasks with no_log
@@ -1167,7 +1237,14 @@ Apply the awx-operator.yml for that release to upgrade the operator, and in turn
#### Backup
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets. In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets.
In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore). *Before Restoring from a backup*, be sure to:
* delete the old existing AWX CR
* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
#### PostgreSQL Upgrade Considerations

3
config/crd/bases/awx.ansible.com_awxbackups.yaml
View File

@@ -78,6 +78,9 @@ spec:
clean_backup_on_delete:
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
type: boolean
pg_dump_suffix:
description: Additional parameters for the pg_dump command
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string

3
config/crd/bases/awx.ansible.com_awxrestores.yaml
View File

@@ -50,6 +50,9 @@ spec:
description: Name of the restored deployment. This should be different from the original deployment name
if the original deployment still exists.
type: string
cluster_name:
description: Cluster name
type: string
backup_name:
description: AWXBackup object name
type: string

370
config/crd/bases/awx.ansible.com_awxs.yaml
View File

@@ -160,6 +160,372 @@ spec:
topology_spread_constraints:
description: topology rule(s) for the pods
type: string
affinity:
description: If specified, the pod's scheduling constraints
properties:
nodeAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
preference:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
weight:
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
properties:
nodeSelectorTerms:
items:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
type: array
required:
- nodeSelectorTerms
type: object
x-kubernetes-map-type: atomic
type: object
podAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
service_labels:
description: Additional labels to apply to the service
type: string
@@ -524,6 +890,10 @@ spec:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean
default: true
ipv6_disabled:
description: Disable web container's nginx ipv6 listener
type: boolean
default: false
type: object
status:
properties:

2
config/manager/manager.yaml
View File

@@ -21,7 +21,7 @@ spec:
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
kubectl.kubernetes.io/default-container: awx-manager
labels:
control-plane: controller-manager
spec:

11
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

@@ -607,6 +607,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Affinity
path: affinity
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Control Plane Priority Class
path: control_plane_priority_class
x-descriptors:
@@ -702,6 +707,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Disable IPv6 listener?
path: ipv6_disabled
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
statusDescriptors:
- description: Route to access the instance deployed
displayName: URL
@@ -777,6 +787,7 @@ spec:
- email: awx-project@googlegroups.com
name: AWX Team
maturity: alpha
MinKubeVersion: 1.22.15
provider:
name: Ansible
url: github.com/ansible/awx-operator

2
config/scorecard/patches/basic.config.yaml
View File

@@ -4,7 +4,7 @@
entrypoint:
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: basic
test: basic-check-spec-test

10
config/scorecard/patches/olm.config.yaml
View File

@@ -4,7 +4,7 @@
entrypoint:
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
entrypoint:
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
entrypoint:
- scorecard-test
- olm-crds-have-resources
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
entrypoint:
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
entrypoint:
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.23.0
image: quay.io/operator-framework/scorecard-test:v1.25.3
labels:
suite: olm
test: olm-status-descriptors-test

1
molecule/default/templates/awx_cr_molecule.yml.j2
View File

@@ -26,6 +26,7 @@ spec:
requests:
cpu: 50m
memory: 16M
no_log: false
postgres_resource_requirements: {}
postgres_init_container_resource_requirements: {}
redis_resource_requirements: {}

6
roles/backup/README.md
View File

@@ -93,6 +93,12 @@ backup_resource_requirements:
memory: "32Mi"
```
To customize the pg_dump command that will be executed on a backup use the `pg_dump_suffix` variable. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
```
pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
```
Testing
----------------

1
roles/backup/tasks/awx-cro.yml
View File

@@ -25,6 +25,7 @@
set_fact:
awx_spec:
spec: "{{ _awx }}"
previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
- name: Write awx object to pvc
k8s_exec:

24
roles/backup/tasks/dump_receptor_secrets.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Get secret
k8s_info:
version: v1
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ item }}"
register: _secret
no_log: "{{ no_log }}"
- name: Backup secret if exists
block:
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
no_log: "{{ no_log }}"
when: _secret | length

2
roles/backup/tasks/postgres.yml
View File

@@ -75,7 +75,7 @@
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
- name: Set full resolvable host name for postgres pod
set_fact:

12
roles/backup/tasks/secrets.yml
View File

@@ -1,11 +1,5 @@
---
- name: Create Temporary secrets file
tempfile:
state: file
suffix: .json
register: tmp_secrets
- name: Dump (generated) secret names from statuses and data into file
include_tasks: dump_generated_secret.yml
with_items:
@@ -23,6 +17,12 @@
- bundle_cacert_secret
- ee_pull_credentials_secret
- name: Dump receptor secret names and data into file
include_tasks: dump_receptor_secrets.yml
loop:
- '{{ deployment_name }}-receptor-ca'
- '{{ deployment_name }}-receptor-work-signing'
# image_pull_secret is deprecated in favor of image_pull_secrets
- name: Dump image_pull_secret into file
include_tasks: dump_secret.yml

7
roles/installer/defaults/main.yml
View File

@@ -81,6 +81,8 @@ node_selector: ''
# app.kubernetes.io/name: "<resourcename>"
topology_spread_constraints: ''
affinity: {}
# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
# tolerations: |
# - key: "dedicated"
@@ -164,6 +166,8 @@ _control_plane_ee_image: quay.io/ansible/awx-ee:latest
_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
_init_projects_container_image: quay.io/centos/centos:stream9
create_preload_data: true
replicas: "1"
@@ -301,3 +305,6 @@ auto_upgrade: true
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
set_self_labels: true
# Disable web container's nginx ipv6 listener
ipv6_disabled: false

2
roles/installer/tasks/cleanup.yml
View File

@@ -23,6 +23,8 @@
- '{{ _secret_key }}'
- '{{ _postgres_configuration }}'
- '{{ _broadcast_websocket_secret }}'
- '{{ ansible_operator_meta.name }}-receptor-ca'
- '{{ ansible_operator_meta.name }}-receptor-work-signing'
no_log: "{{ no_log }}"
when: not garbage_collect_secrets | bool

19
roles/installer/tasks/initialize_django.yml
View File

@@ -18,10 +18,21 @@
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "echo \"from django.contrib.auth.models import User;
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
| awx-manage shell"
command: awx-manage createsuperuser --username={{ admin_user | quote }} --email={{ admin_email | quote }} --noinput
register: result
changed_when: "'That username is already taken' not in result.stderr"
failed_when: "'That username is already taken' not in result.stderr and 'Superuser created successfully' not in result.stdout"
no_log: "{{ no_log }}"
when: users_result.return_code > 0
- name: Update Django super user password
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ tower_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: awx-manage update_password --username='{{ admin_user }}' --password='{{ admin_password }}'
register: result
changed_when: "'Password updated' in result.stdout"
no_log: "{{ no_log }}"
when: users_result.return_code > 0

2
roles/installer/tasks/upgrade_postgres.yml
View File

@@ -93,7 +93,7 @@
command: |
bash -c """
set -e -o pipefail
PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
echo 'Successful'
"""
no_log: "{{ no_log }}"

10
roles/installer/templates/configmaps/config.yaml.j2
View File

@@ -132,7 +132,9 @@ data:
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
server {
listen 8052 default_server;
{% if not ipv6_disabled %}
listen [::]:8052 default_server;
{% endif %}
server_name _;
# Redirect all HTTP links to the matching HTTPS page
@@ -143,7 +145,9 @@ data:
server {
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
listen 8053 ssl;
{% if not ipv6_disabled %}
listen [::]:8053 ssl;
{% endif %}
ssl_certificate /etc/nginx/pki/web.crt;
ssl_certificate_key /etc/nginx/pki/web.key;
@@ -154,7 +158,9 @@ data:
ssl_prefer_server_ciphers on;
{% else %}
listen 8052 default_server;
{% if not ipv6_disabled %}
listen [::]:8052 default_server;
{% endif %}
{% endif %}
# If you have a domain name, this is where to add it
@@ -212,9 +218,7 @@ data:
uwsgi_read_timeout 120s;
uwsgi_pass uwsgi;
include /etc/nginx/uwsgi_params;
{%- if extra_nginx_include is defined %}
include {{ extra_nginx_include }};
{%- endif %}
include /etc/nginx/conf.d/*.conf;
proxy_set_header X-Forwarded-Port 443;
uwsgi_param HTTP_X_FORWARDED_PORT 443;

31
roles/installer/templates/deployments/deployment.yaml.j2
View File

@@ -54,10 +54,6 @@ spec:
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
update-ca-trust
{% endif %}
{% if projects_persistence|bool and is_k8s|bool %}
chmod 775 /var/lib/awx/projects
chgrp 1000 /var/lib/awx/projects
{% endif %}
{% if init_container_extra_commands %}
{{ init_container_extra_commands | indent(width=14) }}
{% endif %}
@@ -85,12 +81,27 @@ spec:
subPath: bundle-ca.crt
readOnly: true
{% endif %}
{% if projects_persistence|bool and is_k8s|bool %}
- name: "{{ ansible_operator_meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
{% endif %}
{% if init_container_extra_volume_mounts -%}
{{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
{% if projects_persistence|bool and is_k8s|bool %}
- name: init-projects
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
command:
- /bin/sh
- -c
- |
chmod 775 /var/lib/awx/projects
chgrp 1000 /var/lib/awx/projects
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-projects"
mountPath: "/var/lib/awx/projects"
{% endif %}
containers:
- image: '{{ _redis_image }}'
@@ -368,6 +379,10 @@ spec:
topologySpreadConstraints:
{{ topology_spread_constraints | indent(width=8) }}
{% endif %}
{% if affinity | length %}
affinity:
{{ affinity | to_nice_yaml | indent(width=8) }}
{% endif %}
{% if tolerations %}
tolerations:
{{ tolerations | indent(width=8) }}

6
roles/restore/README.md
View File

@@ -17,6 +17,12 @@ This role assumes you are authenticated with an Openshift or Kubernetes cluster:
- AWX is deployed to via the operator
- An AWX backup is available on a PVC in your cluster (see the backup [README.md](../backup/README.md))
*Before Restoring from a backup*, be sure to:
- delete the old existing AWX CR
- delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
Usage
----------------

3
roles/restore/defaults/main.yml
View File

@@ -11,6 +11,9 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
# Required: backup name, found on the awxbackup object
backup_dir: ''
# Default cluster name
cluster_name: 'cluster.local'
# Set no_log settings on certain tasks
no_log: true

22
roles/restore/tasks/deploy_awx.yml
View File

@@ -1,27 +1,5 @@
---
- name: Get AWX object definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/awx_object'"
register: awx_object
- name: Create temp file for spec dict
tempfile:
state: file
register: tmp_spec
- name: Write spec vars to temp file
copy:
content: "{{ awx_object.stdout }}"
dest: "{{ tmp_spec.path }}"
mode: '0644'
- name: Include spec vars to save them as a dict
include_vars: "{{ tmp_spec.path }}"
- name: Deploy AWX
k8s:
state: "{{ state | default('present') }}"

25
roles/restore/tasks/import_vars.yml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: Import awx_object variables
block:
- name: Get AWX object definition from pvc
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "cat '{{ backup_dir }}/awx_object'"
register: awx_object
- name: Create temp file for spec dict
tempfile:
state: file
register: tmp_spec
- name: Write spec vars to temp file
copy:
content: "{{ awx_object.stdout }}"
dest: "{{ tmp_spec.path }}"
mode: '0644'
- name: Include spec vars to save them as a dict
include_vars: "{{ tmp_spec.path }}"

2
roles/restore/tasks/main.yml
View File

@@ -29,6 +29,8 @@
- block:
- include_tasks: init.yml
- include_tasks: import_vars.yml
- include_tasks: secrets.yml
- include_tasks: deploy_awx.yml

3
roles/restore/tasks/postgres.yml
View File

@@ -66,7 +66,7 @@
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.{{ cluster_name }}"
no_log: "{{ no_log }}"
when: awx_postgres_type == 'managed'
@@ -76,7 +76,6 @@
pg_restore --clean --if-exists
-U {{ awx_postgres_user }}
-h {{ resolvable_db_host }}
-U {{ awx_postgres_user }}
-d {{ awx_postgres_database }}
-p {{ awx_postgres_port }}
no_log: "{{ no_log }}"

31
roles/restore/tasks/secrets.yml
View File

@@ -54,6 +54,37 @@
no_log: "{{ no_log }}"
when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
- name: Set new receptor secret names
set_fact:
previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca"
previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing"
no_log: "{{ no_log }}"
- name: Set new name for receptor secrets using deployment_name
block:
- name: Set new receptor secret names
set_fact:
receptor_ca_name: "{{ deployment_name }}-receptor-ca"
receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing"
no_log: "{{ no_log }}"
- name: Set tmp dict for receptor secrets
set_fact:
_ca_secret: "{{ secrets[previous_receptor_ca_name] }}"
_work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}"
no_log: "{{ no_log }}"
- name: Change receptor secret names in tmp dict
set_fact:
_ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}"
_work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}"
no_log: "{{ no_log }}"
- name: Create a new dict of receptor secrets with updated names
set_fact:
secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}"
no_log: "{{ no_log }}"
- name: Apply secret
k8s:
state: present