mirror of
https://github.com/ansible/awx-operator.git
synced 2026-03-27 05:43:11 +00:00
Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f6f58d5c6d | ||
|
b1a547d2a6 | ||
|
43f98eda77 | ||
|
|
007e47e35c | ||
|
21eb83b052 | ||
|
1f8414b8cb | ||
|
a199a8c104 | ||
|
fb1639a5d4 | ||
|
|
19c6c77c41 | ||
|
4ee523ed69 | ||
|
4c5bae69ef | ||
|
9bf896e37c | ||
|
|
cb50f4f3ac | ||
|
|
066e55e179 | ||
|
f35bd7cf83 | ||
|
95a1fc082b | ||
|
dbd1e59a55 |
18
.github/workflows/pr_body_check.yml
vendored
18
.github/workflows/pr_body_check.yml
vendored
@@ -13,21 +13,13 @@ jobs:
|
||||
packages: write
|
||||
contents: read
|
||||
steps:
|
||||
- name: Write PR body to a file
|
||||
run: |
|
||||
cat >> pr.body << __SOME_RANDOM_PR_EOF__
|
||||
${{ github.event.pull_request.body }}
|
||||
__SOME_RANDOM_PR_EOF__
|
||||
|
||||
- name: Display the received body for troubleshooting
|
||||
run: cat pr.body
|
||||
|
||||
# We want to write these out individually just incase the options were joined on a single line
|
||||
- name: Check for each of the lines
|
||||
env:
|
||||
PR_BODY: ${{ github.event.pull_request.body }}
|
||||
run: |
|
||||
grep "Bug, Docs Fix or other nominal change" pr.body > Z
|
||||
grep "New or Enhanced Feature" pr.body > Y
|
||||
grep "Breaking Change" pr.body > X
|
||||
echo $PR_BODY | grep "Bug, Docs Fix or other nominal change" > Z
|
||||
echo $PR_BODY | grep "New or Enhanced Feature" > Y
|
||||
echo $PR_BODY | grep "Breaking Change" > X
|
||||
exit 0
|
||||
# We exit 0 and set the shell to prevent the returns from the greps from failing this step
|
||||
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
||||
|
||||
9
.github/workflows/promote.yaml
vendored
9
.github/workflows/promote.yaml
vendored
@@ -8,7 +8,14 @@ jobs:
|
||||
promote:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
depth: 0
|
||||
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
ref: gh-pages
|
||||
path: gh-pages
|
||||
|
||||
- name: Log in to GHCR
|
||||
run: |
|
||||
|
||||
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,4 +1,5 @@
|
||||
*~
|
||||
gh-pages/
|
||||
.cache/
|
||||
/bin
|
||||
/bundle
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# AWX Operator Helm Chart
|
||||
|
||||
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
|
||||
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
|
||||
|
||||
## Getting Started
|
||||
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
|
||||
@@ -8,7 +8,7 @@ To configure your AWX resource using this chart, create your own `yaml` values f
|
||||
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
|
||||
|
||||
### Installing
|
||||
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
|
||||
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
|
||||
|
||||
Example:
|
||||
```
|
||||
@@ -27,10 +27,10 @@ To update an existing installation, use `helm upgrade` instead of `install`. The
|
||||
## Configuration
|
||||
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
|
||||
|
||||
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
|
||||
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
|
||||
|
||||
### External Postgres
|
||||
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
|
||||
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
|
||||
|
||||
|
||||
## Values Summary
|
||||
@@ -44,13 +44,24 @@ The `AWX.postgres` section simplifies the creation of the external postgres secr
|
||||
| `AWX.postgres` | configurations for the external postgres secret | - |
|
||||
|
||||
|
||||
# Contributing
|
||||
# Contributing
|
||||
|
||||
## Adding abstracted sections
|
||||
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
|
||||
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
|
||||
|
||||
## Building and Testing
|
||||
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
|
||||
|
||||
## Future Goals
|
||||
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
|
||||
|
||||
|
||||
# Chart Publishing
|
||||
|
||||
The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
|
||||
|
||||
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
|
||||
|
||||
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.
|
||||
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
FROM quay.io/operator-framework/ansible-operator:v1.23.0
|
||||
FROM quay.io/operator-framework/ansible-operator:v1.25.3
|
||||
|
||||
USER 0
|
||||
|
||||
|
||||
65
Makefile
65
Makefile
@@ -140,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
|
||||
@{ \
|
||||
set -e ;\
|
||||
mkdir -p $(dir $(KUSTOMIZE)) ;\
|
||||
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.5/kustomize_v4.5.5_$(OS)_$(ARCHA).tar.gz | \
|
||||
curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCHA).tar.gz | \
|
||||
tar xzf - -C bin/ ;\
|
||||
}
|
||||
else
|
||||
@@ -156,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
|
||||
@{ \
|
||||
set -e ;\
|
||||
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
|
||||
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.23.0/ansible-operator_$(OS)_$(ARCHA) ;\
|
||||
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.25.3/ansible-operator_$(OS)_$(ARCHA) ;\
|
||||
chmod +x $(ANSIBLE_OPERATOR) ;\
|
||||
}
|
||||
else
|
||||
@@ -187,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
|
||||
@{ \
|
||||
set -e ;\
|
||||
mkdir -p $(dir $(OPM)) ;\
|
||||
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCHA)-opm ;\
|
||||
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.25.3/$(OS)-$(ARCHA)-opm ;\
|
||||
chmod +x $(OPM) ;\
|
||||
}
|
||||
else
|
||||
@@ -350,43 +350,52 @@ helm-chart-generate: kustomize helm kubectl-slice yq charts
|
||||
|
||||
|
||||
.PHONY: helm-package
|
||||
helm-package: cr helm-chart
|
||||
@echo "== CHART RELEASER (package) =="
|
||||
$(CR) package ./charts/awx-operator
|
||||
helm-package: helm-chart
|
||||
@echo "== Package Current Chart Version =="
|
||||
mkdir -p .cr-release-packages
|
||||
# package the chart and put it in .cr-release-packages dir
|
||||
$(HELM) package ./charts/awx-operator -d .cr-release-packages
|
||||
|
||||
# List all tags oldest to newest.
|
||||
TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
|
||||
|
||||
# The actual release happens in ansible/helm-release.yml
|
||||
# until https://github.com/helm/chart-releaser/issues/122 happens
|
||||
# The actual release happens in ansible/helm-release.yml, which calls this targer
|
||||
# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
|
||||
# that is contained within a larger repo, where a tag may not require a new chart version
|
||||
.PHONY: helm-index
|
||||
helm-index: cr helm-chart
|
||||
@echo "== CHART RELEASER (httpsorigin) =="
|
||||
git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
|
||||
git fetch httpsorigin
|
||||
helm-index:
|
||||
# when running in CI this gh-pages are already checked out with github action to 'gh-pages' directory
|
||||
# TODO: test if gh-pages directory exists and if not exist
|
||||
|
||||
@echo "== GENERATE INDEX FILE =="
|
||||
# This step to workaround issues with old releases being dropped.
|
||||
# Until https://github.com/helm/chart-releaser/issues/133 happens
|
||||
@echo "== CHART FETCH previous releases =="
|
||||
# Download all old releases
|
||||
cd .cr-release-packages;\
|
||||
mkdir -p .cr-release-packages
|
||||
|
||||
for tag in $(TAGS); do\
|
||||
dl_url="https://github.com/$${CHART_OWNER}/$${CHART_REPO}/releases/download/$${tag}/$${CHART_REPO}-$${tag}.tgz";\
|
||||
curl -RLOs -z "$${CHART_REPO}-$${tag}.tgz" --fail $${dl_url};\
|
||||
dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
|
||||
echo "Downloading $${tag} from $${dl_url}";\
|
||||
curl -RLOs -z ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
|
||||
result=$$?;\
|
||||
if [ $${result} -eq 0 ]; then\
|
||||
echo "Downloaded $$dl_url";\
|
||||
echo "Downloaded $${dl_url}";\
|
||||
else\
|
||||
echo "Skipping release $${tag}; No helm chart present";\
|
||||
rm -rf ".cr-release-packages/$(CHART_REPO)-$${tag}.tgz";\
|
||||
fi;\
|
||||
done
|
||||
done;\
|
||||
|
||||
@echo "== CHART RELEASER (index) =="
|
||||
$(CR) index \
|
||||
--owner "$(CHART_OWNER)" \
|
||||
--git-repo "$(CHART_REPO)" \
|
||||
--token "$(CR_TOKEN)" \
|
||||
--pages-branch "$(CHART_BRANCH)" \
|
||||
--index-path "./charts/$(CHART_INDEX)" \
|
||||
--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
|
||||
--remote httpsorigin \
|
||||
--release-name-template="{{ .Version }}" \
|
||||
--push
|
||||
# generate the index file in the root of the gh-pages branch
|
||||
# --merge will leave any values in index.yaml that don't get generated by this command, but
|
||||
# it is likely that all values are overridden
|
||||
$(HELM) repo index .cr-release-packages --url https://$(CHART_OWNER).github.io/awx-operator/ --merge gh-pages/index.yaml
|
||||
|
||||
mv .cr-release-packages/index.yaml gh-pages/index.yaml
|
||||
|
||||
@echo "== PUSH INDEX FILE =="
|
||||
cd gh-pages;\
|
||||
git add index.yaml;\
|
||||
git commit -m "Updated index.yaml latest release";\
|
||||
git push;\
|
||||
|
||||
103
README.md
103
README.md
@@ -203,6 +203,20 @@ spec:
|
||||
|
||||
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
|
||||
|
||||
If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
|
||||
|
||||
```yaml
|
||||
---
|
||||
apiVersion: awx.ansible.com/v1beta1
|
||||
kind: AWX
|
||||
metadata:
|
||||
name: awx-demo
|
||||
spec:
|
||||
service_type: clusterip
|
||||
ingress_type: Route
|
||||
```
|
||||
|
||||
|
||||
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
|
||||
|
||||
```yaml
|
||||
@@ -243,13 +257,13 @@ awx-demo-service NodePort 10.109.40.38 <none> 80:31006/TCP 3m56
|
||||
Once deployed, the AWX instance will be accessible by running:
|
||||
|
||||
```
|
||||
$ minikube service awx-demo-service --url
|
||||
$ minikube service -n awx awx-demo-service --url
|
||||
```
|
||||
|
||||
By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
|
||||
|
||||
```
|
||||
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
|
||||
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
|
||||
yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
|
||||
```
|
||||
|
||||
@@ -303,7 +317,7 @@ There are three variables that are customizable for the admin user account creat
|
||||
|
||||
If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
|
||||
|
||||
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
|
||||
To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
|
||||
|
||||
The secret that is expected to be passed should be formatted as follow:
|
||||
|
||||
@@ -704,18 +718,20 @@ You can constrain the AWX pods created by the operator to run on a certain subse
|
||||
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
|
||||
pods to be scheduled onto nodes with matching taints.
|
||||
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
|
||||
If you want to use affinity rules for your AWX pod you can use the `affinity` option.
|
||||
|
||||
|
||||
| Name | Description | Default |
|
||||
| --------------------------- | ----------------------------------- | ------- |
|
||||
| postgres_image | Path of the image to pull | postgres |
|
||||
| postgres_image_version | Image version to pull | 13 |
|
||||
| node_selector | AWX pods' nodeSelector | '' |
|
||||
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
|
||||
| tolerations | AWX pods' tolerations | '' |
|
||||
| annotations | AWX pods' annotations | '' |
|
||||
| postgres_selector | Postgres pods' nodeSelector | '' |
|
||||
| postgres_tolerations | Postgres pods' tolerations | '' |
|
||||
| Name | Description | Default |
|
||||
| --------------------------- | ----------------------------------- | ------- |
|
||||
| postgres_image | Path of the image to pull | postgres |
|
||||
| postgres_image_version | Image version to pull | 13 |
|
||||
| node_selector | AWX pods' nodeSelector | '' |
|
||||
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
|
||||
| affinity | AWX pods' affinity rules | '' |
|
||||
| tolerations | AWX pods' tolerations | '' |
|
||||
| annotations | AWX pods' annotations | '' |
|
||||
| postgres_selector | Postgres pods' nodeSelector | '' |
|
||||
| postgres_tolerations | Postgres pods' tolerations | '' |
|
||||
|
||||
Example of customization could be:
|
||||
|
||||
@@ -748,6 +764,28 @@ spec:
|
||||
operator: "Equal"
|
||||
value: "AWX"
|
||||
effect: "NoSchedule"
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: another-node-label-key
|
||||
operator: In
|
||||
values:
|
||||
- another-node-label-value
|
||||
- another-node-label-value
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: security
|
||||
operator: In
|
||||
values:
|
||||
- S2
|
||||
topologyKey: topology.kubernetes.io/zone
|
||||
```
|
||||
|
||||
#### Trusting a Custom Certificate Authority
|
||||
@@ -775,7 +813,22 @@ spec:
|
||||
bundle_cacert_secret: <resourcename>-custom-certs
|
||||
```
|
||||
|
||||
To create the secrets, you can use the commands below:
|
||||
Create the secret with `kustomization.yaml` file:
|
||||
|
||||
```yaml
|
||||
....
|
||||
|
||||
secretGenerator:
|
||||
- name: <resourcename>-custom-certs
|
||||
files:
|
||||
- bundle-ca.crt=<path+filename>
|
||||
options:
|
||||
disableNameSuffixHash: true
|
||||
|
||||
...
|
||||
```
|
||||
|
||||
Create the secret with CLI:
|
||||
|
||||
* Certificate Authority secret
|
||||
|
||||
@@ -957,6 +1010,17 @@ Example spec file for volumes and volume mounts
|
||||
|
||||
> :warning: **Volume and VolumeMount names cannot contain underscores(_)**
|
||||
|
||||
##### Custom Nginx Configuration
|
||||
|
||||
Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it is possible to extend the nginx.conf.
|
||||
|
||||
1. Create a ConfigMap with the extra settings you want to include in the nginx.conf
|
||||
2. Create an extra_volumes entry in the AWX spec for this ConfigMap
|
||||
3. Create an web_extra_volume_mounts entry in the AWX spec to mount this volume
|
||||
|
||||
The AWX nginx config automatically includes /etc/nginx/conf.d/*.conf if present.
|
||||
|
||||
|
||||
#### Default execution environments from private registries
|
||||
|
||||
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
|
||||
@@ -1083,7 +1147,7 @@ Example configuration of `extra_settings` parameter
|
||||
|
||||
Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
|
||||
|
||||
```yaml
|
||||
|
||||
#### No Log
|
||||
Configure no_log for tasks with no_log
|
||||
|
||||
@@ -1173,7 +1237,14 @@ Apply the awx-operator.yml for that release to upgrade the operator, and in turn
|
||||
|
||||
#### Backup
|
||||
|
||||
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets. In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
|
||||
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets.
|
||||
|
||||
In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore). *Before Restoring from a backup*, be sure to:
|
||||
* delete the old existing AWX CR
|
||||
* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
|
||||
|
||||
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
|
||||
|
||||
|
||||
#### PostgreSQL Upgrade Considerations
|
||||
|
||||
|
||||
@@ -78,6 +78,9 @@ spec:
|
||||
clean_backup_on_delete:
|
||||
description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
|
||||
type: boolean
|
||||
pg_dump_suffix:
|
||||
description: Additional parameters for the pg_dump command
|
||||
type: string
|
||||
postgres_label_selector:
|
||||
description: Label selector used to identify postgres pod for backing up data
|
||||
type: string
|
||||
|
||||
@@ -50,6 +50,9 @@ spec:
|
||||
description: Name of the restored deployment. This should be different from the original deployment name
|
||||
if the original deployment still exists.
|
||||
type: string
|
||||
cluster_name:
|
||||
description: Cluster name
|
||||
type: string
|
||||
backup_name:
|
||||
description: AWXBackup object name
|
||||
type: string
|
||||
|
||||
@@ -160,6 +160,372 @@ spec:
|
||||
topology_spread_constraints:
|
||||
description: topology rule(s) for the pods
|
||||
type: string
|
||||
affinity:
|
||||
description: If specified, the pod's scheduling constraints
|
||||
properties:
|
||||
nodeAffinity:
|
||||
properties:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
items:
|
||||
properties:
|
||||
preference:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchFields:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
weight:
|
||||
format: int32
|
||||
type: integer
|
||||
required:
|
||||
- preference
|
||||
- weight
|
||||
type: object
|
||||
type: array
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
properties:
|
||||
nodeSelectorTerms:
|
||||
items:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchFields:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
required:
|
||||
- nodeSelectorTerms
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
podAffinity:
|
||||
properties:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
items:
|
||||
properties:
|
||||
podAffinityTerm:
|
||||
properties:
|
||||
labelSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaceSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
topologyKey:
|
||||
type: string
|
||||
required:
|
||||
- topologyKey
|
||||
type: object
|
||||
weight:
|
||||
format: int32
|
||||
type: integer
|
||||
required:
|
||||
- podAffinityTerm
|
||||
- weight
|
||||
type: object
|
||||
type: array
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
items:
|
||||
properties:
|
||||
labelSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaceSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
topologyKey:
|
||||
type: string
|
||||
required:
|
||||
- topologyKey
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
podAntiAffinity:
|
||||
properties:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
items:
|
||||
properties:
|
||||
podAffinityTerm:
|
||||
properties:
|
||||
labelSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaceSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
topologyKey:
|
||||
type: string
|
||||
required:
|
||||
- topologyKey
|
||||
type: object
|
||||
weight:
|
||||
format: int32
|
||||
type: integer
|
||||
required:
|
||||
- podAffinityTerm
|
||||
- weight
|
||||
type: object
|
||||
type: array
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
items:
|
||||
properties:
|
||||
labelSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaceSelector:
|
||||
properties:
|
||||
matchExpressions:
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
type: string
|
||||
operator:
|
||||
type: string
|
||||
values:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
topologyKey:
|
||||
type: string
|
||||
required:
|
||||
- topologyKey
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
type: object
|
||||
service_labels:
|
||||
description: Additional labels to apply to the service
|
||||
type: string
|
||||
@@ -524,6 +890,10 @@ spec:
|
||||
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
|
||||
type: boolean
|
||||
default: true
|
||||
ipv6_disabled:
|
||||
description: Disable web container's nginx ipv6 listener
|
||||
type: boolean
|
||||
default: false
|
||||
type: object
|
||||
status:
|
||||
properties:
|
||||
|
||||
@@ -607,6 +607,11 @@ spec:
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- urn:alm:descriptor:com.tectonic.ui:hidden
|
||||
- displayName: Affinity
|
||||
path: affinity
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- urn:alm:descriptor:com.tectonic.ui:hidden
|
||||
- displayName: Control Plane Priority Class
|
||||
path: control_plane_priority_class
|
||||
x-descriptors:
|
||||
@@ -702,6 +707,11 @@ spec:
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
|
||||
- displayName: Disable IPv6 listener?
|
||||
path: ipv6_disabled
|
||||
x-descriptors:
|
||||
- urn:alm:descriptor:com.tectonic.ui:advanced
|
||||
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
|
||||
statusDescriptors:
|
||||
- description: Route to access the instance deployed
|
||||
displayName: URL
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- basic-check-spec
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: basic
|
||||
test: basic-check-spec-test
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- olm-bundle-validation
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: olm
|
||||
test: olm-bundle-validation-test
|
||||
@@ -14,7 +14,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- olm-crds-have-validation
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: olm
|
||||
test: olm-crds-have-validation-test
|
||||
@@ -24,7 +24,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- olm-crds-have-resources
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: olm
|
||||
test: olm-crds-have-resources-test
|
||||
@@ -34,7 +34,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- olm-spec-descriptors
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: olm
|
||||
test: olm-spec-descriptors-test
|
||||
@@ -44,7 +44,7 @@
|
||||
entrypoint:
|
||||
- scorecard-test
|
||||
- olm-status-descriptors
|
||||
image: quay.io/operator-framework/scorecard-test:v1.23.0
|
||||
image: quay.io/operator-framework/scorecard-test:v1.25.3
|
||||
labels:
|
||||
suite: olm
|
||||
test: olm-status-descriptors-test
|
||||
|
||||
@@ -26,6 +26,7 @@ spec:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 16M
|
||||
no_log: false
|
||||
postgres_resource_requirements: {}
|
||||
postgres_init_container_resource_requirements: {}
|
||||
redis_resource_requirements: {}
|
||||
|
||||
@@ -93,6 +93,12 @@ backup_resource_requirements:
|
||||
memory: "32Mi"
|
||||
```
|
||||
|
||||
To customize the pg_dump command that will be executed on a backup use the `pg_dump_suffix` variable. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
|
||||
|
||||
```
|
||||
pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
|
||||
```
|
||||
|
||||
Testing
|
||||
----------------
|
||||
|
||||
|
||||
@@ -81,6 +81,8 @@ node_selector: ''
|
||||
# app.kubernetes.io/name: "<resourcename>"
|
||||
topology_spread_constraints: ''
|
||||
|
||||
affinity: {}
|
||||
|
||||
# Add node tolerations for the AWX pods. Specify as literal block. E.g.:
|
||||
# tolerations: |
|
||||
# - key: "dedicated"
|
||||
@@ -303,3 +305,6 @@ auto_upgrade: true
|
||||
|
||||
# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
|
||||
set_self_labels: true
|
||||
|
||||
# Disable web container's nginx ipv6 listener
|
||||
ipv6_disabled: false
|
||||
|
||||
@@ -18,10 +18,21 @@
|
||||
namespace: "{{ ansible_operator_meta.namespace }}"
|
||||
pod: "{{ tower_pod_name }}"
|
||||
container: "{{ ansible_operator_meta.name }}-task"
|
||||
command: >-
|
||||
bash -c "echo \"from django.contrib.auth.models import User;
|
||||
User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
|
||||
| awx-manage shell"
|
||||
command: awx-manage createsuperuser --username={{ admin_user | quote }} --email={{ admin_email | quote }} --noinput
|
||||
register: result
|
||||
changed_when: "'That username is already taken' not in result.stderr"
|
||||
failed_when: "'That username is already taken' not in result.stderr and 'Superuser created successfully' not in result.stdout"
|
||||
no_log: "{{ no_log }}"
|
||||
when: users_result.return_code > 0
|
||||
|
||||
- name: Update Django super user password
|
||||
k8s_exec:
|
||||
namespace: "{{ ansible_operator_meta.namespace }}"
|
||||
pod: "{{ tower_pod_name }}"
|
||||
container: "{{ ansible_operator_meta.name }}-task"
|
||||
command: awx-manage update_password --username='{{ admin_user }}' --password='{{ admin_password }}'
|
||||
register: result
|
||||
changed_when: "'Password updated' in result.stdout"
|
||||
no_log: "{{ no_log }}"
|
||||
when: users_result.return_code > 0
|
||||
|
||||
|
||||
@@ -93,7 +93,7 @@
|
||||
command: |
|
||||
bash -c """
|
||||
set -e -o pipefail
|
||||
PGPASSWORD={{ awx_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
|
||||
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }}
|
||||
echo 'Successful'
|
||||
"""
|
||||
no_log: "{{ no_log }}"
|
||||
|
||||
@@ -132,7 +132,9 @@ data:
|
||||
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
|
||||
server {
|
||||
listen 8052 default_server;
|
||||
{% if not ipv6_disabled %}
|
||||
listen [::]:8052 default_server;
|
||||
{% endif %}
|
||||
server_name _;
|
||||
|
||||
# Redirect all HTTP links to the matching HTTPS page
|
||||
@@ -143,7 +145,9 @@ data:
|
||||
server {
|
||||
{% if route_tls_termination_mechanism | lower == 'passthrough' %}
|
||||
listen 8053 ssl;
|
||||
{% if not ipv6_disabled %}
|
||||
listen [::]:8053 ssl;
|
||||
{% endif %}
|
||||
|
||||
ssl_certificate /etc/nginx/pki/web.crt;
|
||||
ssl_certificate_key /etc/nginx/pki/web.key;
|
||||
@@ -154,7 +158,9 @@ data:
|
||||
ssl_prefer_server_ciphers on;
|
||||
{% else %}
|
||||
listen 8052 default_server;
|
||||
{% if not ipv6_disabled %}
|
||||
listen [::]:8052 default_server;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# If you have a domain name, this is where to add it
|
||||
@@ -212,9 +218,7 @@ data:
|
||||
uwsgi_read_timeout 120s;
|
||||
uwsgi_pass uwsgi;
|
||||
include /etc/nginx/uwsgi_params;
|
||||
{%- if extra_nginx_include is defined %}
|
||||
include {{ extra_nginx_include }};
|
||||
{%- endif %}
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
uwsgi_param HTTP_X_FORWARDED_PORT 443;
|
||||
|
||||
|
||||
@@ -379,6 +379,10 @@ spec:
|
||||
topologySpreadConstraints:
|
||||
{{ topology_spread_constraints | indent(width=8) }}
|
||||
{% endif %}
|
||||
{% if affinity | length %}
|
||||
affinity:
|
||||
{{ affinity | to_nice_yaml | indent(width=8) }}
|
||||
{% endif %}
|
||||
{% if tolerations %}
|
||||
tolerations:
|
||||
{{ tolerations | indent(width=8) }}
|
||||
|
||||
@@ -17,6 +17,12 @@ This role assumes you are authenticated with an Openshift or Kubernetes cluster:
|
||||
- AWX is deployed to via the operator
|
||||
- An AWX backup is available on a PVC in your cluster (see the backup [README.md](../backup/README.md))
|
||||
|
||||
*Before Restoring from a backup*, be sure to:
|
||||
- delete the old existing AWX CR
|
||||
- delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
|
||||
|
||||
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
|
||||
|
||||
|
||||
Usage
|
||||
----------------
|
||||
|
||||
@@ -11,6 +11,9 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}'
|
||||
# Required: backup name, found on the awxbackup object
|
||||
backup_dir: ''
|
||||
|
||||
# Default cluster name
|
||||
cluster_name: 'cluster.local'
|
||||
|
||||
# Set no_log settings on certain tasks
|
||||
no_log: true
|
||||
|
||||
|
||||
@@ -66,7 +66,7 @@
|
||||
|
||||
- name: Set full resolvable host name for postgres pod
|
||||
set_fact:
|
||||
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
|
||||
resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.{{ cluster_name }}"
|
||||
no_log: "{{ no_log }}"
|
||||
when: awx_postgres_type == 'managed'
|
||||
|
||||
@@ -76,7 +76,6 @@
|
||||
pg_restore --clean --if-exists
|
||||
-U {{ awx_postgres_user }}
|
||||
-h {{ resolvable_db_host }}
|
||||
-U {{ awx_postgres_user }}
|
||||
-d {{ awx_postgres_database }}
|
||||
-p {{ awx_postgres_port }}
|
||||
no_log: "{{ no_log }}"
|
||||
|
||||
Reference in New Issue
Block a user