Add doc note about extra_settings being read-only in AWX UI

Co-authored-by: Christian Adams <rooftopcellist@gmail.com>

.github/workflows/ci.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     name: molecule
     env:
-      DOCKER_API_VERSION: "1.38"
+      DOCKER_API_VERSION: "1.41"
     steps:
       - uses: actions/checkout@v2
 

.github/workflows/publish-helm.yml

@@ -0,0 +1,26 @@
+---
+name: Re-publish helm chart
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+        type: string
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
+      - name: Release Helm chart
+        run: |
+          ansible-playbook ansible/helm-release.yml -v \
+            -e operator_image=quay.io/${{ github.repository }} \
+            -e chart_owner=${{ github.repository_owner }} \
+            -e tag=${{ inputs.tag }} \
+            -e gh_token=${{ secrets.GITHUB_TOKEN }} \
+            -e gh_user=${{ github.actor }} \
+            -e repo_type=https

Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/operator-framework/ansible-operator:v1.26.0
+FROM quay.io/operator-framework/ansible-operator:v1.28.1
 
 USER 0
 

README.md

@@ -676,6 +676,25 @@ $ oc adm policy add-scc-to-user privileged -z awx
 
 Again, this is the most relaxed SCC that is provided by OpenShift, so be sure to familiarize yourself with the security concerns that accompany this action.
 
+#### Containers HostAliases Requirements
+
+Sometimes you might need to use [HostAliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) in web/task containers.
+
+| Name         | Description           | Default |
+| ------------ | --------------------- | ------- |
+| host_aliases | A list of HostAliases | None    |
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  host_aliases:
+    - ip: <name-of-your-ip>
+      hostnames:
+        - <name-of-your-domain>
+```
 
 #### Containers Resource Requirements
 
@@ -1064,6 +1083,33 @@ Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it i
 
 The AWX nginx config automatically includes /etc/nginx/conf.d/*.conf if present.
 
+##### Custom Favicon
+
+You can use custom volume mounts to mount in your own favicon to be displayed in your AWX browser tab.
+
+First, Create the configmap from a local favicon.ico file.
+
+```bash
+$ oc create configmap favicon-configmap --from-file favicon.ico
+```
+
+Then specify the extra_volume and web_extra_volume_mounts on your AWX CR spec
+
+```yaml
+spec:
+  extra_volumes: |
+    - name: favicon
+      configMap:
+        defaultMode: 420
+        items:
+          - key: favicon.ico
+            path: favicon.ico
+        name: favicon-configmap
+  web_extra_volume_mounts: |
+    - name: favicon
+      mountPath: /var/lib/awx/public/static/media/favicon.ico
+      subPath: favicon.ico
+```
 
 #### Default execution environments from private registries
 
@@ -1174,6 +1220,8 @@ With`extra_settings`, you can pass multiple custom settings via the `awx-operato
 | -------------- | -------------- | ------- |
 | extra_settings | Extra settings | ''      |
 
+**Note:** Parameters configured in `extra_settings` are set as read-only settings in AWX.  As a result, they cannot be changed in the UI after deployment. If you need to change the setting after the initial deployment, you need to change it on the AWX CR spec.  
+
 Example configuration of `extra_settings` parameter
 
 ```yaml

ansible/helm-release.yml

@@ -93,13 +93,20 @@
           args:
             chdir: "{{ playbook_dir }}/.."
 
+        - name: Set url base swap in gitconfig
+          command:
+            cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
+          args:
+            chdir: "{{ temp_dir.path }}/"
+          no_log: true
+
         - name: Stage and Push commit to gh-pages branch
           command:
             cmd: "{{ item }}"
           loop:
             - git add index.yaml
             - git commit -m "{{ commit_message }}"
-            #- git push
+            - git push
           args:
             chdir: "{{ temp_dir.path }}/"
           environment:

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -90,6 +90,9 @@ spec:
               postgres_image_version:
                 description: PostgreSQL container image version to use
                 type: string
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
               no_log:
                 description: Configure no_log for no_log tasks
                 type: boolean

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -94,6 +94,9 @@ spec:
               postgres_image_version:
                 description: PostgreSQL container image version to use
                 type: string
+              db_management_pod_node_selector:
+                description: nodeSelector for the Postgres pods to backup
+                type: string
               no_log:
                 description: Configure no_log for no_log tasks
                 type: boolean

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -1345,6 +1345,18 @@ spec:
               image_pull_secret:  # deprecated
                 description: (Deprecated) Image pull secret for app and database containers
                 type: string
+              host_aliases:
+                description: HostAliases for app containers
+                type: array
+                items:
+                  type: object
+                  properties:
+                    ip:
+                      type: string
+                    hostnames:
+                      type: array
+                      items:
+                        type: string
               task_resource_requirements:
                 description: Resource requirements for the task container
                 properties:
@@ -1455,6 +1467,50 @@ spec:
                         type: string
                     type: object
                 type: object
+              rsyslog_resource_requirements:
+                description: Resource requirements for the rsyslog container
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                type: object
+              init_container_resource_requirements:
+                description: Resource requirements for the init container
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                type: object
               service_account_annotations:
                 description: ServiceAccount annotations
                 type: string
@@ -1596,6 +1652,25 @@ spec:
                 type: array
                 items:
                   type: string
+              postgres_keepalives:
+                description: Controls whether client-side TCP keepalives are used for Postgres connections.
+                default: true
+                type: boolean
+              postgres_keepalives_count:
+                description: Controls the number of TCP keepalives that can be lost before the client's connection to the server is considered dead.
+                type: integer
+                default: 5
+                format: int32
+              postgres_keepalives_idle:
+                description: Controls the number of seconds of inactivity after which TCP should send a keepalive message to the server.
+                type: integer
+                default: 5
+                format: int32
+              postgres_keepalives_interval:
+                description: Controls the number of seconds after which a TCP keepalive message that is not acknowledged by the server should be retransmitted.
+                type: integer
+                default: 5
+                format: int32
               ca_trust_bundle:
                 description: Path where the trusted CA bundle is available
                 type: string

config/default/manager_auth_proxy_patch.yaml

@@ -15,7 +15,7 @@ spec:
           capabilities:
             drop:
             - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -323,6 +323,11 @@ spec:
         path: image_pull_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: HostAliases for app containers
+        path: host_aliases
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
       - displayName: Web Container Resource Requirements
         path: web_resource_requirements
         x-descriptors:
@@ -350,6 +355,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
+      - displayName: Rsyslog Container Resource Requirements
+        path: rsyslog_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - description: The PostgreSQL container is not used when an external DB is configured
         displayName: PostgreSQL Container Resource Requirements
         path: postgres_resource_requirements
@@ -361,6 +371,11 @@ spec:
         path: postgres_storage_requirements
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Init Container resource requirements
+        path: init_container_resource_requirements
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - displayName: Replicas
         path: replicas
         x-descriptors:
@@ -483,6 +498,26 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Enable Postgres Keepalives
+        path: postgres_keepalives
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Keepalives Count
+        path: postgres_keepalives_count
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Keepalives Idle
+        path: postgres_keepalives_idle
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Postgres Keepalives Interval
+        path: postgres_keepalives_interval
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - displayName: Certificate Authorirty Trust Bundle
         path: ca_trust_bundle
         x-descriptors:

roles/backup/defaults/main.yml

@@ -17,6 +17,14 @@ no_log: true
 # Variable to set when you want backups to be cleaned up when the CRD object is deleted
 clean_backup_on_delete: false
 
+
+# Add a nodeSelector for the Postgres pods to backup.
+# Specify as literal block. E.g.:
+# db_management_pod_node_selector: |
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+db_management_pod_node_selector: ''
+
 # Variable to signal that this role is being run as a finalizer
 finalizer_run: false
 

roles/backup/templates/management-pod.yml.j2

@@ -20,6 +20,10 @@ spec:
     resources:
       {{ backup_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
 {%- endif %}
+{% if db_management_pod_node_selector %}
+  nodeSelector:
+        {{ db_management_pod_node_selector | indent(width=8) }}
+{% endif %}
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim:

roles/installer/defaults/main.yml

@@ -303,10 +303,6 @@ ee_resource_requirements:
     memory: 64Mi
 
 # TODO: validate default resource requirements
-rsyslog_resource_requirements:
-  requests:
-    cpu: 100m
-    memory: 128Mi
 
 # Customize CSRF options
 csrf_cookie_secure: False
@@ -319,6 +315,17 @@ redis_resource_requirements:
   requests:
     cpu: 50m
     memory: 64Mi
+
+rsyslog_resource_requirements:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+init_container_resource_requirements:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
 # Add extra environment variables to the AWX task/web containers. Specify as
 # literal block. E.g.:
 # task_extra_env: |
@@ -384,6 +391,12 @@ projects_existing_claim: ''
 # Define postgres configuration arguments to use
 postgres_extra_args: ''
 
+# Configure postgres connection keepalive
+postgres_keepalives: true
+postgres_keepalives_idle: 5
+postgres_keepalives_interval: 5
+postgres_keepalives_count: 5
+
 # Define the storage_class, size and access_mode
 # when not using an existing claim
 projects_storage_size: 8Gi
@@ -425,3 +438,10 @@ set_self_labels: true
 
 # Disable web container's nginx ipv6 listener
 ipv6_disabled: false
+
+# Set hostAliases on deployments
+#       hostAliases:
+#       - ip: 10.10.0.10
+#         hostnames:
+#         - hostname
+host_aliases: ''

roles/installer/templates/configmaps/config.yaml.j2

@@ -16,11 +16,11 @@ data:
     import socket
     # Import all so that extra_settings works properly
     from django_auth_ldap.config import *
-    
+
     def get_secret():
         if os.path.exists("/etc/tower/SECRET_KEY"):
             return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
-    
+
     ADMINS = ()
     STATIC_ROOT = '/var/lib/awx/public/static'
     STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
@@ -59,20 +59,20 @@ data:
 
     # Container environments don't like chroots
     AWX_PROOT_ENABLED = False
-    
+
     # Automatically deprovision pods that go offline
     AWX_AUTO_DEPROVISION_INSTANCES = True
-    
+
     CLUSTER_HOST_ID = socket.gethostname()
     SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
-    
+
     CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}
     SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}
-    
+
     SERVER_EMAIL = 'root@localhost'
     DEFAULT_FROM_EMAIL = 'webmaster@localhost'
     EMAIL_SUBJECT_PREFIX = '[AWX] '
-    
+
     EMAIL_HOST = 'localhost'
     EMAIL_PORT = 25
     EMAIL_HOST_USER = ''
@@ -101,30 +101,30 @@ data:
         default_type  application/octet-stream;
         server_tokens off;
         client_max_body_size 5M;
-    
+
         log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';
-    
+
         access_log /dev/stdout main;
-    
+
         map $http_upgrade $connection_upgrade {
             default upgrade;
             ''      close;
         }
-    
+
         sendfile        on;
         #tcp_nopush     on;
         #gzip  on;
-    
+
         upstream uwsgi {
             server 127.0.0.1:8050;
         }
-    
+
         upstream daphne {
             server 127.0.0.1:8051;
         }
-    
+
 
         {% if route_tls_termination_mechanism | lower == 'passthrough' %}
         server {
@@ -163,30 +163,30 @@ data:
             # If you have a domain name, this is where to add it
             server_name _;
             keepalive_timeout 65;
-    
+
             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;
-    
+
             # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
             add_header X-Frame-Options "DENY";
             # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
             add_header X-Content-Type-Options nosniff;
-    
+
             location /nginx_status {
                 stub_status on;
                 access_log off;
                 allow 127.0.0.1;
                 deny all;
             }
-    
+
             location {{ (ingress_path + '/static').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/;
             }
-    
+
             location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
                 alias /var/lib/awx/public/static/media/favicon.ico;
             }
-    
+
             location {{ (ingress_path + '/websocket').replace('//', '/') }} {
                 # Pass request to the upstream alias
                 proxy_pass http://daphne;
@@ -208,7 +208,7 @@ data:
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection $connection_upgrade;
             }
-    
+
             location {{ ingress_path }} {
                 # Add trailing / if missing
                 rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
@@ -268,8 +268,8 @@ data:
         cert: /etc/receptor/tls/receptor.crt
         key: /etc/receptor/tls/receptor.key
         name: tlsclient
-        rootcas: /etc/receptor/tls/ca/receptor-ca.crt
+        rootcas: /etc/receptor/tls/ca/mesh-CA.crt
         mintls13: false
     - work-signing:
-        privatekey: /etc/receptor/signing/work-private-key.pem
+        privatekey: /etc/receptor/work_private_key.pem
         tokenexpiration: 1m

roles/installer/templates/deployments/task.yaml.j2

@@ -59,6 +59,16 @@ spec:
         - name: {{ secret }}
 {% endfor %}
 {% endif %}
+{% if host_aliases is defined and host_aliases | length > 0 %}
+      hostAliases:
+{% for item in host_aliases %}
+      - ip: {{ item.ip }}
+        hostnames:
+{% for hostname in item.hostnames %}
+        - {{ hostname }}
+{% endfor %}
+{% endfor %}
+{% endif %}
 {% if control_plane_priority_class is defined %}
       priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
@@ -66,14 +76,14 @@ spec:
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
-          resources: {{ task_resource_requirements }}
+          resources: {{ init_container_resource_requirements }}
           command:
             - /bin/sh
             - -c
             - |
               hostname=$MY_POD_NAME
               receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
-              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/receptor-ca.crt cakey=/etc/receptor/tls/ca/receptor-ca.key outcert=/etc/receptor/tls/receptor.crt verify=yes
+              receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
 {% if bundle_ca_crt  %}
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
@@ -88,11 +98,11 @@ spec:
                   fieldPath: metadata.name
           volumeMounts:
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
               subPath: "tls.crt"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
               subPath: "tls.key"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-tls"
@@ -112,7 +122,7 @@ spec:
         - name: init-projects
           image: '{{ _init_projects_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
-          resources: {{ task_resource_requirements }}
+          resources: {{ init_container_resource_requirements }}
           command:
             - /bin/sh
             - -c
@@ -214,7 +224,7 @@ spec:
             - name: "{{ ansible_operator_meta.name }}-receptor-config"
               mountPath: "/etc/receptor/"
             - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
-              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              mountPath: "/etc/receptor/work_private_key.pem"
               subPath: "work-private-key.pem"
               readOnly: true
             - name: receptor-socket
@@ -295,11 +305,11 @@ spec:
             - name: "{{ ansible_operator_meta.name }}-receptor-config"
               mountPath: "/etc/receptor/"
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
               subPath: "tls.crt"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
-              mountPath: "/etc/receptor/signing/work-private-key.pem"
+              mountPath: "/etc/receptor/work_private_key.pem"
               subPath: "work-private-key.pem"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-tls"
@@ -342,6 +352,7 @@ spec:
           args: {{ rsyslog_args }}
 {% endif %}
           imagePullPolicy: '{{ image_pull_policy }}'
+          resources: {{ rsyslog_resource_requirements }}
           volumeMounts:
             - name: "{{ ansible_operator_meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/credentials.py"
@@ -370,6 +381,18 @@ spec:
 {% if development_mode | bool %}
             - name: awx-devel
               mountPath: "/awx_devel"
+{% endif %}
+{% if termination_grace_period_seconds is defined %}
+            - name: pre-stop-data
+              mountPath: /var/lib/pre-stop
+            - name: pre-stop-scripts
+              mountPath: /var/lib/pre-stop/scripts
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - bash
+                - /var/lib/pre-stop/scripts/termination-waiter
 {% endif %}
           env:
             - name: SUPERVISOR_CONFIG_PATH

roles/installer/templates/deployments/web.yaml.j2

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
     {{ lookup("template", "../common/templates/labels/common.yaml.j2")  | indent(width=4) | trim }}
-    {{ lookup("template", "../common/templates/labels//version.yaml.j2") | indent(width=4) | trim }}
+    {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=4) | trim }}
 spec:
 {% if web_replicas %}
   replicas: {{ web_replicas }}
@@ -24,11 +24,10 @@ spec:
       labels:
         app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
         {{ lookup("template", "../common/templates/labels/common.yaml.j2")  | indent(width=8) | trim }}
-        {{ lookup("template", "../common/templates/labels//version.yaml.j2") | indent(width=8) | trim }}
+        {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=8) | trim }}
       annotations:
 {% for template in [
     "configmaps/config",
-    "configmaps/pre_stop_scripts",
     "secrets/app_credentials",
     "storage/persistent",
   ] %}
@@ -60,6 +59,16 @@ spec:
         - name: {{ secret }}
 {% endfor %}
 {% endif %}
+{% if host_aliases is defined and host_aliases | length > 0 %}
+      hostAliases:
+{% for item in host_aliases %}
+      - ip: {{ item.ip }}
+        hostnames:
+{% for hostname in item.hostnames %}
+        - {{ hostname }}
+{% endfor %}
+{% endfor %}
+{% endif %}
 {% if control_plane_priority_class is defined %}
       priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
@@ -68,7 +77,7 @@ spec:
         - name: init
           image: '{{ _init_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
-          resources: {{ web_resource_requirements }}
+          resources: {{ init_container_resource_requirements }}
           command:
             - /bin/sh
             - -c
@@ -97,7 +106,7 @@ spec:
         - name: init-projects
           image: '{{ _init_projects_container_image }}'
           imagePullPolicy: '{{ image_pull_policy }}'
-          resources: {{ web_resource_requirements }}
+          resources: {{ init_container_resource_requirements }}
           command:
             - /bin/sh
             - -c
@@ -200,15 +209,15 @@ spec:
               mountPath: "/var/lib/awx/projects"
 {% endif %}
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca/receptor-ca.crt"
+              mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
               subPath: "tls.crt"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-ca"
-              mountPath: "/etc/receptor/tls/ca/receptor-ca.key"
+              mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
               subPath: "tls.key"
               readOnly: true
             - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
-              mountPath: "/etc/receptor/signing/work-public-key.pem"
+              mountPath: "/etc/receptor/work_public_key.pem"
               subPath: "work-public-key.pem"
               readOnly: true
 {% if development_mode | bool %}
@@ -286,6 +295,7 @@ spec:
             - name: AWX_KUBE_DEVEL
               value: "1"
 {% endif %}
+          resources: {{ rsyslog_resource_requirements }}
 {% if web_node_selector %}
       nodeSelector:
         {{ web_node_selector | indent(width=8) }}

roles/installer/templates/settings/credentials.py.j2

@@ -10,6 +10,14 @@ DATABASES = {
         'OPTIONS': { 'sslmode': '{{ awx_postgres_sslmode }}',
 {% if awx_postgres_sslmode in ['verify-ca', 'verify-full'] %}
                      'sslrootcert': '{{ ca_trust_bundle }}',
+{% endif %}
+{% if postgres_keepalives %}
+                     'keepalives': 1,
+                     'keepalives_idle': {{ postgres_keepalives_idle }},
+                     'keepalives_interval': {{ postgres_keepalives_interval }},
+                     'keepalives_count': {{ postgres_keepalives_count }},
+{% else %}
+                     'keepalives': 0,
 {% endif %}
         },
     }

roles/restore/defaults/main.yml

@@ -17,6 +17,14 @@ cluster_name: 'cluster.local'
 # Set no_log settings on certain tasks
 no_log: true
 
+# Add a nodeSelector for the Postgres pods to backup.
+# Specify as literal block. E.g.:
+# db_management_pod_node_selector: |
+#   kubernetes.io/arch: amd64
+#   kubernetes.io/os: linux
+db_management_pod_node_selector: ''
+
+
 # Default resource requirements
 restore_resource_requirements:
   limits:

roles/restore/templates/management-pod.yml.j2

@@ -20,6 +20,10 @@ spec:
     resources:
       {{ restore_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
 {%- endif %}
+{% if db_management_pod_node_selector %}
+      nodeSelector:
+        {{ db_management_pod_node_selector | indent(width=8) }}
+{% endif %}
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim: