Compare commits

107 Commits

Author SHA1 Message Date
Christian Adams
60fc7d856c Add use_db_compression option for backup database dumps (#2106)
* Add use_db_compression option for backup database dumps

Enable optional pg_dump compression (-Z 9) via use_db_compression
boolean flag. Restore auto-detects compressed (.db.gz) or
uncompressed (.db) backups for backward compatibility.

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude

* Add CRD field, CSV descriptor, and restore auto-detection for use_db_compression

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
2026-03-24 20:03:44 +00:00
Lucas Benedito
5697feea57 Fix unquoted timestamps in backup/restore event templates (#2110)
Quote {{ now }} in firstTimestamp and lastTimestamp to prevent
YAML parser from converting the value to a datetime object.

Assisted-by: Claude

Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
2026-03-23 14:11:54 -04:00
aknochow
56f10cf966 Fix custom backup PVC name not used with create_backup_pvc (#2105)
Use backup_pvc for custom backup PVC name in templates

When backup_pvc is specified with create_backup_pvc: true, the PVC
template and ownerReference removal used the hardcoded default name
(deployment_name-backup-claim) instead of the user-specified name.
This caused the management pod to reference a PVC that didn't exist.

Replace backup_claim variable with backup_pvc throughout the backup
role so the resolved PVC name is used consistently in all templates.

Authored By: Adam Knochowski <aknochow@redhat.com>
Assisted By: Claude
2026-03-05 07:22:22 -05:00
Christian M. Adams
c996c88178 Fix config/testing overlay to use new metrics patch
The testing kustomization overlay still referenced the deleted
manager_auth_proxy_patch.yaml. Update to use manager_metrics_patch.yaml
and add metrics_service.yaml resource.

Ref: AAP-65254

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
2026-03-04 13:45:50 -05:00
Christian M. Adams
5fb6bb7519 Upgrade operator-sdk to v1.40.0 and remove kube-rbac-proxy
Bump operator-sdk, ansible-operator, and OPM binaries to align with
the OCP 4.20 / AAP 2.7 target. Replace the deprecated kube-rbac-proxy
sidecar (removed in operator-sdk v1.38.0) with controller-runtime's
built-in WithAuthenticationAndAuthorization for metrics endpoint
protection.

Changes:
- Makefile: operator-sdk v1.36.1 → v1.40.0, OPM v1.26.0 → v1.55.0
- Dockerfile: ansible-operator base image v1.36.1 → v1.40.0
- Remove kube-rbac-proxy sidecar and auth_proxy_* RBAC manifests
- Add metrics_auth_role, metrics_reader, and metrics_service resources
- Add --metrics-secure, --metrics-require-rbac, --metrics-bind-address
  flags via JSON patch to serve metrics directly from the manager on
  port 8443 with TLS and RBAC authentication

Ref: AAP-65254

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
2026-03-04 13:45:50 -05:00
Lucas Benedito
0b4b5dd7fd Fix AWXRestore multiple bugs
- Move force_drop_db from vars/main.yml to defaults/main.yml so CR spec
values are not overridden by Ansible variable precedence
- Grant CREATEDB priv to database user before DROP/CREATE and revoke
it after restore, following the containerized-installer pattern
- Omit --clean --if-exists from pg_restore when force_drop_db is true
since the database is freshly created and empty, avoiding partition
index dependency errors

Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
2026-02-27 14:05:13 -05:00
aknochow
d4b295e8b4 Add automatic backup PVC creation with create_backup_pvc option (#2097)
When users specify a custom backup_pvc name, the operator now
automatically creates the PVC instead of failing with
"does not exist, please create this pvc first."

Changes:
- Add create_backup_pvc variable (default: true) to backup defaults
- Update error condition to check create_backup_pvc before failing
- Update PVC creation condition to include create_backup_pvc
- Add create_backup_pvc field to AWXBackup CRD

Users who want the previous behavior can set create_backup_pvc: false.
2026-02-24 16:06:24 -05:00
Hao Liu
e0ce3ef71d [AAP-64061] Add nginx log markers for direct API access detection (#2100)
Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to
log the presence of these headers as trusted_proxy_present and
dab_jwt_present fields in the nginx access log.

These markers enable the detection tool (aap-detect-direct-component-access)
to identify direct API access that bypasses AAP Gateway.

Also add explicit error_log /dev/stderr warn; instead of relying on
container base image symlinks.

Part of ANSTRAT-1840: Remove direct API access to platform components.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-17 17:25:36 -05:00
Christian Adams
fcf9a0840b Remove OperatorHub automation and documentation (#2101)
AWX Operator is no longer published to OperatorHub. Remove the
publish-operator-hub GHA workflow, the hack/publish-to-operator-hub.sh
script, the OperatorHub section from the release process docs, and the
OperatorHub-specific resource list from the debugging guide.

Author: Christian M. Adams
Assisted By: Claude
2026-02-16 22:52:04 +00:00
Christian Adams
f9c05a5698 ci: Update DOCKER_API_VERSION to 1.44 (#2102)
The Docker daemon on ubuntu-latest runners now requires minimum API
version 1.44, causing molecule kind tests to fail during cluster
teardown.

Author: Christian M. Adams
Assisted By: Claude
2026-02-16 17:27:07 -05:00
jamesmarshall24
bfc4d8e37f Add CRD validation for images and image version (#2096) 2026-02-12 13:46:24 -05:00
Dimitri Savineau
f04ab1878c web: Update python path for redirect page
The application container image is now using python3.12 so we need
to update the associated volume mount for the redirect page.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
2026-01-27 19:25:51 -05:00
Dimitri Savineau
eeed2b8ae5 django: Add --no-imports option
With django updated to 5.2 then the django shell commands load imports
at startup which flood stdout with logs and break workflows

https://docs.djangoproject.com/en/dev/releases/5.2/#automatic-models-import-in-the-shell

Adding --no-imports to the cli call solves the issue.

https://docs.djangoproject.com/en/5.2/ref/django-admin/#cmdoption-shell-no-imports

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
2026-01-19 13:36:08 -05:00
Lucas Benedito
a47b06f937 devel: Update development guide
- Update the development.md file
- Allow builds from macos automatically
- implement podman-buildx

Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
2026-01-15 15:17:24 -05:00
Alan Rominger
605b46d83c Collect logs with greater determination (#2087) 2025-11-04 13:08:35 -05:00
Rebeccah Hunter
7ead166ca0 set client_request_timeout from annotation in the CR (#2077)
add the functionality to accept an annotation in the awx-cr to be able to override the default client_request_timeout value.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
2025-10-15 18:13:12 -04:00
Christian M. Adams
c5533f47c1 Use --no-acl flag when restoring to exclude GRANT and REVOKE commands
This avoids running into the following error when pg_restore is run as
  the application db user from the db-management pod:

  pg_restore: error: could not execute query: ERROR: must be member of role postgres
  Command was: ALTER SCHEMA public OWNER TO postgres;
2025-10-15 13:54:21 -04:00
lucas-benedito
78864b3653 fix: Correct the image_version conditional (#2082)
* fix: Correct the image_version conditional

When image is set and image_version is unset, the conditional fails
because the unset variable causes an error.
Implemented the correct conditional and added an assert to validate that
both variables are set properly when image is set.

Signed-off-by: Lucas Benedito <lbenedit@redhat.com>
2025-10-09 18:34:50 +01:00
Sharvesh
bed4aff4cc Fix: Redis ERR max number of clients reached (#2041)
Add timeout to Redis Config

Co-authored-by: Christian Adams <chadams@redhat.com>
2025-09-10 09:44:30 -04:00
jamesmarshall24
e0a8a88243 Add postgres_extra_settings (#2071)
* Add hacking/ directory to .gitignore as it is commonly used for dev scripts
* Add postgres_extra_settings
* Add postgres_configuration_secret checksum to DB statefulset
* Docs for postgres_extra_settings, CI coverage, and examples
---------
Co-authored-by: Christian M. Adams <chadams@redhat.com>
2025-09-03 12:36:34 -04:00
Christian Adams
1c3c5d430d Guard against missing version status on existing CR (#2076) 2025-08-27 16:53:01 -04:00
Joel
6e47dc62c2 Fix installer update-ca-trust command (#1985)
The latest release of the update-ca-trust requires the --output param
if you run as non-root user.

See: 81a090f89a
And: https://github.com/ansible/awx-ee/issues/258#issuecomment-2439742296

Fixes: https://github.com/ansible/awx-ee/issues/258
2025-08-25 14:38:18 +02:00
Christian Adams
2e9615aa1e Add configurable pull secret file support to up.sh (#2073)
- Applies a pull-secret yaml file if it exists at hacking/awx-cr.yml
- The operator will look for a pull secret called
  redhat-operators-pull-secret
- This makes it possible to use a private operator image on your quay.io
  registry out of the box with the up.sh
- Add PULL_SECRET_FILE environment variable with default hacking/pull-secret.yml
2025-08-19 11:50:19 -04:00
lucas-benedito
e2aef8330e Update the default crd example for the up.sh (#2061) 2025-08-13 17:09:31 -04:00
Ricardo Carrillo Cruz
883baeb16b Revert "Run import_auth_config_to_gateway when public_url is defined … (#2068)
Revert "Run import_auth_config_to_gateway when public_url is defined (#2066)"

This reverts commit ba1bb878f1.
2025-07-31 12:59:43 -04:00
Dimitri Savineau
ba1bb878f1 Run import_auth_config_to_gateway when public_url is defined (#2066)
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
Co-authored-by: Ricardo Carrillo Cruz <ricarril@redhat.com>
2025-07-30 23:23:49 -04:00
aknochow
45ce8185df Reverting #2064 and Updating descriptions in backup and restore roles (#2060)
* updating task descriptions in backup and restore roles

* Revert "Run import_auth_config_to_gateway when public_url is defined (#2064)"

This reverts commit 54293a0efb.
2025-07-29 23:21:38 +00:00
lucas-benedito
a55829e5d5 Fixes for passwords for FIPS compliance (#2062)
Set password_encryption to scram-sha-256 and re-encrypt db user passwords for FIPS compliance

(cherry picked from commit 0e76404357a77a5f773aee6e2b3a5b85d1f514b7)

Co-authored-by: Christian M. Adams <chadams@redhat.com>
2025-07-28 18:52:59 +01:00
Ricardo Carrillo Cruz
54293a0efb Run import_auth_config_to_gateway when public_url is defined (#2064) 2025-07-24 10:25:07 +02:00
Rebeccah Hunter
e506466d08 set api timeout to match proxy timeout (#2056)
feat: set api timeout to match proxy timeout

Timeout before the openshift route times out
not timing out before undercuts usefulness of our log-traceback-middleware in
django-ansible-base that logs a traceback from requests that get timed
out -- because uwsgi or gunicorn has to send the timeout signal to the
worker handling the request. Also leads to issues where requests that
envoy has already timed out are filling up queues of the workers of the
components.

Also, configure nginx to return a 503 if WSGI server doesn't respond.

Co-authored-by: Elijah DeLee <kdelee@redhat.com>
2025-07-03 20:19:50 +00:00
Albert Daunis
e9750b489e Update migrate_schema to use check_migrations (#2025)
Update migrate schema showmigrations conditional
2025-06-25 15:59:23 -04:00
Christian Adams
0a89fc87a6 Update kubernetes.core to 3.2.0 and sdk to v1.36.1 (#2052)
* Update collections to match the other ansible operators

* Update the ansible-operator base image to v1.36.1
2025-06-18 18:12:58 -04:00
Dimitri Savineau
65a82f706c Fix jquery version in redirect page
Other installer uses 3.7.1 and the file on disk is also using 3.7.1
from the rest framework directory.

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
2025-06-04 12:17:08 -04:00
Sharvari Khedkar
e8f0306ec2 Add route_annotations feature to mesh ingress CRD (#2045)
* Add route_annotations feature to mesh ingress CRD
* update route_annotations type to string
* display Route Annotations only when ingress_type=route
2025-05-12 18:07:21 -04:00
Bruno Rocha
f1660c8bd1 Address review comments 2025-05-09 15:08:17 -04:00
Bruno Rocha
f967c7d341 fix: explicitly import ldap on config file
File "/etc/tower/conf.d/ldap.py", line 2, in <module>
ldap.OPT_X_TLS_REQUIRE_CERT: True,
^^^^
NameError: name 'ldap' is not defined
2025-05-09 15:08:17 -04:00
aknochow
54072d6a46 fixing backup pvc namespace quotes (#2042) 2025-04-28 08:14:50 -04:00
Christian Adams
fb13011aad Check if pg_isready before trying to restore to new postgresql pod (#2039) 2025-04-24 17:08:50 -04:00
Ricardo Carrillo Cruz
24cb6006f6 Grant postgres to awx user on migrate_data (#2038)
This is needed in case customers move to
operator platform.

Fixes https://issues.redhat.com/browse/AAP-41592
2025-04-24 09:58:48 +02:00
Christian Adams
4c05137fb8 Update kubernetes.core to 2.4.2 to fix k8s_cp module usage against OCP with virt (#2031) 2025-03-17 12:12:32 -04:00
aknochow
07540c29da fixing quotes on namespace to support namespace names with only numbers (#2030) 2025-03-17 09:19:02 -04:00
jamesmarshall24
5bb2b2ac87 Add deployment type shortname for legacy API url (#2026)
* Add deployment type shortname for legacy API url

* Add trailing slash to legacy API url

Co-authored-by: Christian Adams <rooftopcellist@gmail.com>

---------

Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
2025-03-05 15:04:01 -05:00
shellclear
039157d070 Parameterization of the client_max_body_size directive in Nginx (#2014)
Enables users to customize client_max_body_size in Nginx conf to allow
for larger file uploads. This is useful in cases when users need to upload
large subscription manifest files.

---------

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
2025-02-24 12:50:08 -05:00
Christian Adams
bb4f4c2eb4 Fail early if postgres_configuration_secret is specified but does not exist (#2015) 2025-02-17 12:38:06 -05:00
Christian Adams
97efcab2a2 Accepts new status conditions from the operator on the CR object (#2016) 2025-02-17 12:36:43 -05:00
aknochow
c08c1027a1 idle_deployment - Scale down deployments to put AWX into an idle state (#2012)
- separating database_configuration and deployment tasks into separate files to add ability to call configuration independently
2025-02-11 11:01:18 -05:00
Yuval Lahav
3d1ecc19f4 AAP-38745 Increase limits in manager.py (#2006)
* AAP-38745 Increase limits in manager.py

Closes https://issues.redhat.com/browse/AAP-38745

* Update manager.yaml
2025-01-20 11:32:49 -05:00
aknochow
5d0f91ec13 adding conditional to checksum template and removing default for public_base_url to fix undefined variable 2024-12-02 11:54:13 -05:00
Christian Adams
6ab32a42cf Add up.sh and down.sh development scripts for consistency with other ansible operators (#1991) 2024-11-26 11:25:24 -05:00
Chris Meyers
9718424483 Point at awx devel collection
* awx.awx collection on galaxy is ooooold at this point. Releases are
  paused, so point at awx collection in devel to get that new bleeding
  edge hotness.
2024-11-07 12:53:53 -05:00
aknochow
d5683adaf8 adding redirect page (#1982) 2024-10-29 17:47:41 -04:00
Christian Adams
1bc342258a Only set upgradedFrom status if previous_version is explicitly set (#1980) 2024-10-23 13:51:18 -04:00
Hao Liu
79ab6f0b5e Fix disable reverse sync on mgmt command (#1977) 2024-10-18 15:02:28 +00:00
Christian Adams
3822e32755 Add upgradedFrom status for check-version changes (#1975) 2024-10-17 19:28:43 +00:00
Christian Adams
c30d4c174d Compare gating version against existing deployment versions (#1972)
* Compare gating version against existing deployment versions and set upgradeFrom status
* Add quotes to default version

Co-authored-by: Dimitri Savineau <savineau.dimitri@gmail.com>
2024-10-16 17:43:26 -04:00
Christian Adams
8a5ec6e19c Fix Label PR check by using python venv for requests library (#1973) 2024-10-16 13:00:50 -04:00
Alan Rominger
d4de2d3c44 Disable reverse sync for management commands (#1970) 2024-10-09 16:26:24 -04:00
Djebran Lezzoum
848cf17d0b Deprecate LDAP auth (#1969)
deprecate external auth related configuration

issue: https://issues.redhat.com/browse/AAP-29476
2024-10-08 12:25:23 -04:00
Djebran Lezzoum
ae86cb3d13 Skip django_auth_ldap import if missing (#1955) 2024-10-02 09:36:00 -04:00
mihirlele
70ec7a5304 Add ability to exclude postgres data during migration to Openshift AAP operator (#1954) 2024-09-20 03:23:39 +00:00
aknochow
532be386fc fix postgres user permissions for upgrades (#1959) 2024-09-18 13:24:18 -04:00
Andrew Klychkov
0367516203 Docs: remove IRC/ML/google.groups remnants (#1956) 2024-09-16 09:32:16 +01:00
Andrew Klychkov
8bad25cbc7 Docs: update communication section (#1945) 2024-09-05 09:11:13 +01:00
Elijah DeLee
f50c029408 add graceful harakiri
now there is a way for uwsgi to send a signal for graceful harakiri to try and handle it in a nice way before sending signal 9

pairs with https://github.com/ansible/awx/pull/15447/files
2024-09-04 15:40:59 -04:00
Don Naro
4f87143719 mention helm docs in readme (#1951)
* mention helm docs in readme

* point to gh pages instead of rtd
2024-09-03 13:13:27 +01:00
Don Naro
f0a518baf6 Remove Helm chart code (#1938)
* rm Helm chart starter directory

* rm Helm release playbook

* rm Helm install from docs

* rm Helm chart workflows

* rm Helm starter from yamllint

* rm Helm targets from Makefile

* Revert "rm Helm targets from Makefile"

This reverts commit da38360168.

* remove helm from Makefile

* rm kubectl-slice and yp from Makefile
2024-08-08 13:39:33 -04:00
Imed
8224b0b354 Adding postgres annotations support (#1829)
* Adding postgres annotations support

Authored-by: Imed Aouidene <imaouide@imaouide-thinkpadt14sgen2i.cdg.csb>
2024-07-24 18:45:06 +00:00
Guillaume Lefevre
d42737993f Change ansible k8s_info tasks api_version for Job kind to batch/v1 (#1833)
Co-authored-by: Guillaume Lefevre <guillaume.lefevre@agoda.com>
2024-07-24 18:38:04 +00:00
dependabot[bot]
a95815561a Bump docker/login-action from 3.2.0 to 3.3.0 in the dependencies group (#1924)
Bumps the dependencies group with 1 update: [docker/login-action](https://github.com/docker/login-action).


Updates `docker/login-action` from 3.2.0 to 3.3.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](0d4c9c5ea7...9780b0c442)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-24 14:09:04 -04:00
kurokobo
2b0221bbc6 docs: overall minor renovations (#1874)
* docs: simplify README.md and make index.md to refer to it
* docs: change order for pages in navigation and add missing pages
* docs: fix headings to improve navigation, transform notes to admonition, fix indentation, linting issues and minor issues
* docs: merge docs for using images from private registries
* docs: add example to integrate LDAP configuration via extra_settings_files
* Apply suggestions from code review
docs: apply suggested changes

Co-authored-by: Don Naro <dnaro@redhat.com>

* docs: update the doc site url as same as the url in https://www.ansible.com/ecosystem/
* docs: minor fixes for hpa page
* docs: expand note block
* docs: apply #1904 to README.md

---------

Co-authored-by: Don Naro <dnaro@redhat.com>
2024-07-20 18:34:21 -04:00
Dimitri Savineau
36cf9c23ea web: Add volume to handle debug logs (#1921)
When enabling debug web requests, the /var/log/tower directory needs
to exist.
Rather than just creating that directory in the container image then
create an emptyDir volume.

Closes: #1485

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
2024-07-16 11:58:27 -04:00
Christian Adams
041270ffbe Use task_resource_requirements for migration k8s job (#1912) 2024-07-10 15:51:47 -04:00
dependabot[bot]
9f917231a0 Bump the dependencies group with 6 updates (#1909)
Bumps the dependencies group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `4` |
| [actions/setup-python](https://github.com/actions/setup-python) | `4` | `5` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `2` | `4` |
| [helm/kind-action](https://github.com/helm/kind-action) | `1.8.0` | `1.10.0` |
| [docker/login-action](https://github.com/docker/login-action) | `3.0.0` | `3.2.0` |
| [github/issue-labeler](https://github.com/github/issue-labeler) | `2.4.1` | `3.4` |


Updates `actions/checkout` from 3 to 4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Updates `actions/setup-python` from 4 to 5
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4...v5)

Updates `actions/upload-artifact` from 2 to 4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v4)

Updates `helm/kind-action` from 1.8.0 to 1.10.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](https://github.com/helm/kind-action/compare/v1.8.0...v1.10.0)

Updates `docker/login-action` from 3.0.0 to 3.2.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](343f7c4344...0d4c9c5ea7)

Updates `github/issue-labeler` from 2.4.1 to 3.4
- [Release notes](https://github.com/github/issue-labeler/releases)
- [Commits](https://github.com/github/issue-labeler/compare/v2.4.1...v3.4)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-10 14:30:29 -04:00
Chi Cuong HA
cdab3dd538 fix: Make basic install without operator work (#1875)
- Update role name for README.md
  - Avoid the this_awx['resources'][0] is undefined in database_configuration.yml
  - Add update_status variable to include or not the update_status.yml
  - metrics_utility_enabled exists in CRD but not as variable

Co-authored-by: Christian Adams <chadams@redhat.com>
2024-07-03 19:12:47 +00:00
Stéphane Bilqué
0444ae31db Allow to scale up the operator pods by using the Helm Chart (#1881)
* Allow to scale up the operator pods by using the Helm Chart
* Add support for horizontal pod autoscaling (#1676)
* fix: spec.replicas
2024-07-03 18:46:47 +00:00
MeganerdDev
e5a24b8918 Update Dockerfile ansible-operator to v1.34.2, operator-sdk to v1.34.2 (#1883)
* Updates operator-framework/ansible-operator tag from v1.34.0 to v1.34.2

* Update operator-sdk release to v1.34.2

---------

Co-authored-by: meganerd <meganerd@meganerd.org>
Co-authored-by: jessicamack <jmack@redhat.com>
2024-07-03 14:42:52 -04:00
Stéphane Bilqué
f9792d486e Fix: Enable the creation of a helm chart with a name other than awx-operator (#1884)
Enable the proper creation of a helm chart with a name other than awx-operator

Co-authored-by: Christian Adams <chadams@redhat.com>
2024-07-03 18:37:34 +00:00
llussy
dd37ebd440 Update index.md (#1904)
* Update docs/installation/index.md

---------

Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
2024-06-26 20:17:22 +00:00
JagannathS
4a1e3c1075 Update kind-install.md (#1903)
The kind install command had a reference to oc (openshift cli). Removed that and changed it to kubectl.
2024-06-26 20:15:37 +00:00
Don Naro
4b6eb8df05 Add github-actions package manager (#1900)
add github-actions package manager

This change adds github-actions package manager to the dependabot config
file to bump action versions.
2024-06-26 15:52:28 -04:00
aknochow
9fc3738b53 Split metrics utility cronjobs for crc and local report (#1906)
* fixing metrics-utility variables and conditionals

* separating metrics-utility for console into separate tasks and conditionals
2024-06-26 10:52:58 -04:00
Seth Foster
e3c2720681 Wait for instance ready in molecule test (#1901)
Sometimes a job is launched through the web api
before the instance is in a ready state. This throws
a 500 internal server error, causing CI to fail.

Adds a task to query the instances endpoint
and check that at least one control node is
in a ready state.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2024-06-18 23:11:04 -04:00
Christian Adams
23a3266b4a Fix nox test failure (#1899)
Fix nox test failure by bumping nox action to wntrblm/nox@2024.04.15
2024-06-13 20:23:03 -04:00
Stéphane Bilqué
e271515385 Ability to add custom labels to the DB migration pods (#1878)
add the labels from the 'additional_labels' parameter in the awx-migration pods

Co-authored-by: Stéphane BILQUÉ <Stephane.Bilque@caissedesdepots.fr>
2024-06-12 14:42:28 -04:00
David Hageman
13abaab1b3 Add scheduling controls to Mesh Ingress (#1892) 2024-06-12 11:33:03 -04:00
Ricardo Carrillo Cruz
01bde2cebb Cast manage_replicas to bool (#1893) 2024-06-06 14:43:20 +02:00
Joel
c696eda50a Fix custom CA certificates for task/web/migration (#1846)
* Fix bundle_ca_crt for task/web/migration

- added a new init container init-bundle-ca-trust
- added volume ca-trust-extracted to the migration job
- added volume ca-trust-extracted to the init container init-database
- removed volume bundle-ca from all follow-up containers
2024-06-05 22:56:52 -04:00
Hao Liu
a260ab6873 Fix migrating from devel version to devel version (#1890)
Upgrading from devel version to devel version currently doesn't run migration because we chopped off the git sha
2024-06-05 14:10:51 -04:00
Hao Liu
9fa46bea43 Enable readiness probe for task pod in CI (#1891)
Avoid race condition where a job launches before the task container is ready
2024-06-05 14:07:08 -04:00
David Hageman
8ead140541 Add support for horizontal pod autoscaling (#1676) 2024-06-03 15:59:48 -04:00
Hao Liu
6820981dd5 Use check_instance_ready for task pod readiness (#1885) 2024-05-31 09:33:29 -04:00
kurokobo
56df3279a6 feat: implement extra_settings_files (#1836)
* feat: implement extra_settings_files
* fix: reduce duplicated code blocks by templates
* docs: update docs for extra settings
* docs: simplify the commands
* docs: add notes for duplicated keys in setting files
2024-05-23 13:40:51 -04:00
aknochow
64fb262830 fixing metrics-utility variables and conditionals (#1872) 2024-05-22 15:29:26 -04:00
Hao Liu
5d99553fa6 Improve logging in CI (#1868)
- Set AWX log level to DEBUG
- Fix failure to collect awx API output
2024-05-22 13:56:49 +00:00
aknochow
cecf812382 moving metrics_utility defaults to vars/main.yaml and setting default… (#1869)
moving metrics_utility defaults to vars/main.yaml and setting default secret undefined to fix conditional
2024-05-21 18:16:14 -04:00
Hao Liu
3f0fd7f965 Fix CI failure (#1863)
Unpin collection in molecule

Fix CI failure
2024-05-20 18:36:27 -04:00
dependabot[bot]
f27d7b28b8 Bump mkdocs-ansible from 24.3.0 to 24.3.1 in /docs in the dependencies group (#1856)
Bump mkdocs-ansible in /docs in the dependencies group

Bumps the dependencies group in /docs with 1 update: [mkdocs-ansible](https://github.com/ansible/mkdocs-ansible).


Updates `mkdocs-ansible` from 24.3.0 to 24.3.1
- [Release notes](https://github.com/ansible/mkdocs-ansible/releases)
- [Commits](https://github.com/ansible/mkdocs-ansible/compare/v24.3.0...v24.3.1)

---
updated-dependencies:
- dependency-name: mkdocs-ansible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 15:05:09 -04:00
Christian Adams
a8da7f9398 Add support for spec overrides when restoring AWX (#1862) 2024-05-17 15:47:26 -04:00
fluzzykitten
4720d29fda Update k8s_exec and k8s_cp to include container name (#1858)
Update secrets.yml

We need to specify a container in environments that use sidecar injection, like in the case of istio service mesh. If the container is not specified, and a side car is injected so there are multiple containers running in the pod, this task will fail because a container was not specified in a pod with multiple containers.
2024-05-16 16:32:38 -04:00
Christian Adams
64e4279d96 Fix innocuous but confusing typo in db management pod task (#1859) 2024-05-16 15:17:39 -04:00
David Hageman
cf61205f49 Create _metrics_utility_secret for metrics utility (#1857) 2024-05-16 13:29:04 -04:00
larsux
e98c913f86 Add postgresql option target_session_attrs (#1847)
Signed-off-by: Lars Wildemann <lars.wildemann@plusserver.com>
2024-05-15 18:47:33 +00:00
jamesmarshall24
b49d68ca92 Expose websockets on api prefix v2 (#1842)
Expose websockets on controller v2
2024-05-01 15:47:23 -04:00
YaronL16
9638a2b284 Added custom logos by volume mounts documentation (#1840) 2024-05-01 19:34:50 +00:00
Ranvit Bommineni
4fc20de72e add tolerations/nodeselector to migration job template (fixes #1774) (#1804)
Enable fallback to global settings for db-migration job scheduling (#1804)

Modified the db-migration job template to use `task_*` settings with a fallback to global AWX configurations if not specified.
2024-05-01 15:10:29 -04:00
Tom Siewert
6fff7cb485 installer: nginx: add missing locales location required by ui_next (#1822)
The new UI depends on the locales available via ingress/locales which
is being served as static file and not via Django.

A change in the nginx.conf was already done for the dev environment
in commit ec4f10d86881389af12371f90cb75af03417d109 (AWX), but not
here.

Signed-off-by: Tom Siewert <tom.siewert@hetzner.com>
2024-05-01 15:05:43 -04:00
David Hageman
6baf3a174d Add database secret to metric jobs (#1843) 2024-04-30 16:12:31 -04:00
180 changed files with 2840 additions and 2443 deletions

View File

@@ -11,3 +11,13 @@ updates:
labels:
- "component:docs"
- "dependencies"
- package-ecosystem: "github-actions"
directory: "/"
groups:
dependencies:
patterns:
- "*"
schedule:
interval: "weekly"
labels:
- "dependencies"
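
Review bot: The `patterns: - "*"` group under the new `github-actions` entry folds every action update, major bumps included, into one weekly pull request, which makes a breaking major bump hard to review or revert on its own. Consider restricting the group with `update-types` (minor and patch) so that major versions arrive as separate PRs.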

View File

@@ -16,12 +16,12 @@ jobs:
- --skip-tags=replicas
- -t replicas
env:
DOCKER_API_VERSION: "1.41"
DOCKER_API_VERSION: "1.44"
DEBUG_OUTPUT_DIR: /tmp/awx_operator_molecule_test
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-python@v4
- uses: actions/setup-python@v5
with:
python-version: "3.8"
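
Review bot: `actions/checkout@v4` and `actions/setup-python@v5` are still referenced by mutable major tags, while the devel-image workflow in this same compare pins `docker/login-action` to a full commit SHA with a `# v3.3.0` comment. Pin these the same way so the code that runs in CI cannot change under an unchanged workflow file. Separately, `DOCKER_API_VERSION: "1.44"` is a bare hard-coded value; a one-line comment naming the daemon requirement it tracks would make the next bump easier to reason about.
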
@@ -46,58 +46,15 @@ jobs:
- name: Upload artifacts for failed tests if Run Molecule fails
if: failure()
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: awx_operator_molecule_test
path: ${{ env.DEBUG_OUTPUT_DIR }}
helm:
runs-on: ubuntu-latest
name: helm
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.8.0
- name: Build operator image and load into kind
run: |
IMG=awx-operator-ci make docker-build
kind load docker-image --name chart-testing awx-operator-ci
- name: Patch pull policy for tests
run: |
kustomize edit add patch --path ../testing/pull_policy/Never.yaml
working-directory: config/default
- name: Build and lint helm chart
run: |
IMG=awx-operator-ci make helm-chart
helm lint ./charts/awx-operator
- name: Install kubeval
run: |
mkdir tmp && cd tmp
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin
working-directory: ./charts
- name: Run kubeval
run: |
helm template -n awx awx-operator > tmp/test.yaml
kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
working-directory: ./charts
- name: Install helm chart
run: |
helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
no-log:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Check no_log statements
run: |
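
Review bot: `actions/upload-artifact@v4` rejects a second upload to an artifact name that already exists in the same run, and this step keeps the fixed `name: awx_operator_molecule_test`. If the molecule job runs as a matrix (the `--skip-tags=replicas` and `-t replicas` entries in the previous hunk look like matrix values), a run in which both legs fail will lose the second leg's debug output, which is exactly what this step exists to collect. Suggest making the name unique per leg, for example by appending `${{ strategy.job-index }}`.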

View File

@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
name: Push devel image
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Fail if QUAY_REGISTRY not set
run: |
@@ -21,7 +21,7 @@ jobs:
fi
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -29,7 +29,7 @@ jobs:
- name: Log into registry quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ vars.QUAY_REGISTRY }}
username: ${{ secrets.QUAY_USER }}

View File

@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
name: Push devel image
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0 # needed so that git describe --tag works

View File

@@ -14,7 +14,7 @@ jobs:
steps:
- name: Label Issue - Needs Triage
uses: github/issue-labeler@v2.4.1
uses: github/issue-labeler@v3.4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
not-before: 2021-12-07T07:00:00Z
@@ -26,8 +26,8 @@ jobs:
runs-on: ubuntu-latest
name: Label Issue - Community
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- name: Install python requests
run: pip install requests
- name: Check if user is a member of Ansible org

View File

@@ -12,10 +12,18 @@ jobs:
runs-on: ubuntu-latest
name: Label PR - Community
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- name: Install python requests
run: pip install requests
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- name: Create a virtual environment
run: python3 -m venv venv
- name: Activate virtual environment and install dependencies
run: |
source venv/bin/activate
pip3 install requests
- name: Check if user is a member of Ansible org
uses: jannekem/run-python-script-action@v1
id: check_user
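
Review bot: The venv activated in the new `Activate virtual environment and install dependencies` step does not carry over to the next step. Each `run:` gets a fresh shell and `jannekem/run-python-script-action@v1` is a separate step, so `requests` ends up installed only under `venv/` and the membership check may not be able to import it. Either append the venv's `bin` directory to `$GITHUB_PATH` in the install step, or keep installing into the interpreter that `actions/setup-python@v5` provides. The issue-labelling workflow in this change set still uses plain `pip install requests`, so the two jobs now differ without a stated reason.
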
@@ -32,6 +40,7 @@ jobs:
print("User is member")
else:
print("User is community")
- name: Add community label if not a member
if: contains(steps.check_user.outputs.stdout, 'community')
uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90

View File

@@ -37,13 +37,13 @@ jobs:
exit 1
fi
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
depth: 0
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
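
Review bot: `depth: 0` under the bumped `actions/checkout@v4` step is not an input that action defines. The input is `fetch-depth`, as used in the devel image workflow (`fetch-depth: 0 # needed so that git describe --tag works`), so this checkout stays at the default shallow depth. Suggest renaming it to `fetch-depth: 0` while the step is being touched, or dropping the `with:` block if full history is not needed for promotion.
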
@@ -51,7 +51,7 @@ jobs:
- name: Log into registry quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.QUAY_REGISTRY }}
username: ${{ secrets.QUAY_USER }}
@@ -70,14 +70,3 @@ jobs:
docker buildx imagetools create \
ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
--tag ${{ env.QUAY_REGISTRY }}/awx-operator:latest
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=${{ env.QUAY_REGISTRY }}/awx-operator \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ env.TAG_NAME }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }} \
-e gh_user=${{ github.actor }} \
-e repo_type=https

View File

@@ -1,26 +0,0 @@
---
name: Re-publish helm chart
on:
workflow_dispatch:
inputs:
tag:
description: 'Release tag'
required: true
type: string
jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
depth: 0
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ inputs.tag }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }} \
-e gh_user=${{ github.actor }} \
-e repo_type=https

View File

@@ -1,86 +0,0 @@
name: Publish AWX Operator on operator-hub
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag_name:
description: 'Name for the tag of the release.'
required: true
operator_hub_fork:
description: 'Fork of operator-hub where the PR will be created from. default: awx-auto'
required: true
default: 'awx-auto'
image_registry:
description: 'Image registry where the image is published to. default: quay.io'
required: true
default: 'quay.io'
image_registry_organization:
description: 'Image registry organization where the image is published to. default: ansible'
required: true
default: 'ansible'
community_operator_github_org:
description: 'Github organization for community-opeartor project. default: k8s-operatorhub'
required: true
default: 'k8s-operatorhub'
community_operator_prod_github_org:
description: 'GitHub organization for community-operator-prod project. default: redhat-openshift-ecosystem'
required: true
default: 'redhat-openshift-ecosystem'
jobs:
promote:
runs-on: ubuntu-latest
steps:
- name: Set GITHUB_ENV from workflow_dispatch event
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo "VERSION=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY=${{ github.event.inputs.image_registry }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY_ORGANIZATION=${{ github.event.inputs.image_registry_organization }}" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_GITHUB_ORG=${{ github.event.inputs.community_operator_github_org }}" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${{ github.event.inputs.community_operator_prod_github_org }}" >> $GITHUB_ENV
- name: Set GITHUB_ENV for release event
if: ${{ github.event_name == 'release' }}
run: |
echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY=quay.io" >> $GITHUB_ENV
echo "IMAGE_REGISTRY_ORGANIZATION=ansible" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_GITHUB_ORG=k8s-operatorhub" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=redhat-openshift-ecosystem" >> $GITHUB_ENV
- name: Log in to image registry
run: |
echo ${{ secrets.QUAY_TOKEN }} | docker login ${{ env.IMAGE_REGISTRY }} -u ${{ secrets.QUAY_USER }} --password-stdin
- name: Checkout awx-operator at workflow branch
uses: actions/checkout@v4
with:
path: awx-operator
- name: Checkout awx-opearator at ${{ env.VERSION }}
uses: actions/checkout@v4
with:
fetch-tags: true
ref: ${{ env.VERSION }}
path: awx-operator-${{ env.VERSION }}
fetch-depth: 0 # fetch all history so that git describe works
- name: Copy scripts to awx-operator-${{ env.VERSION }}
run: |
cp -f \
awx-operator/hack/publish-to-operator-hub.sh \
awx-operator-${{ env.VERSION }}/hack/publish-to-operator-hub.sh
cp -f \
awx-operator/Makefile \
awx-operator-${{ env.VERSION }}/Makefile
- name: Build and publish bundle to operator-hub
working-directory: awx-operator-${{ env.VERSION }}
env:
IMG_REPOSITORY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REGISTRY_ORGANIZATION }}
GITHUB_TOKEN: ${{ secrets.AWX_AUTO_GITHUB_TOKEN }}
run: |
git config --global user.email "awx-automation@redhat.com"
git config --global user.name "AWX Automation"
./hack/publish-to-operator-hub.sh
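
Review bot: Deleting this workflow removes the only consumer of `secrets.AWX_AUTO_GITHUB_TOKEN` among the lines shown, and the caller of `hack/publish-to-operator-hub.sh`. If nothing else in the repository uses them, the token should be revoked and removed from the repository secrets and the script deleted in the same change, so that an unused long-lived credential is not left configured.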

View File

@@ -18,7 +18,7 @@ jobs:
- name: Check out repo
uses: actions/checkout@v4
- name: Setup nox
uses: wntrblm/nox@2024.03.02
uses: wntrblm/nox@2024.04.15
with:
python-versions: "${{ matrix.python-versions }}"
- name: "Run nox -s ${{ matrix.session }}"
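
Review bot: `wntrblm/nox@2024.04.15` is a third-party action referenced by a mutable tag, while `docker/login-action` in this change set is pinned to a full commit SHA with the version in a trailing comment. Suggest pinning nox the same way so that a retagged release cannot change what runs in CI. The new `github-actions` Dependabot entry will still propose updates for SHA pins.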

View File

@@ -38,7 +38,7 @@ jobs:
exit 0
- name: Checkout awx-operator
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: ${{ github.repository_owner }}/awx-operator
path: awx-operator
@@ -48,7 +48,7 @@ jobs:
python3 -m pip install docker
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}

1
.gitignore vendored
View File

@@ -11,3 +11,4 @@ gh-pages/
__pycache__
/site
venv/*
hacking/

View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@@ -1,7 +0,0 @@
---
apiVersion: v2
appVersion: 0.1.0
description: A Helm chart for Kubernetes
name: starter
type: application
version: 0.1.0

View File

@@ -1,366 +0,0 @@
# AWX Operator Helm Chart
This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
## Getting Started
To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://ansible.readthedocs.io/projects/awx-operator/en/latest/installation/helm-install-on-existing-cluster.html) guide provides key installation instructions.
Example:
```bash
helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
```
Argument breakdown:
* `-f` passes in the file with your custom values
* `-n` sets the namespace to be installed in
* This value is accessed by `{{ $.Release.Namespace }}` in the templates
* Acts as the default namespace for all unspecified resources
* `--create-namespace` specifies that helm should create the namespace before installing
To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
### Caveats on upgrading existing installation
There is no support at this time for upgrading or deleting CRDs using Helm. See [helm documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) for additional detail.
When upgrading to releases with CRD changes use the following command to update the CRDs
```bash
kubectl apply --server-side -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
If running above command results in an error like below:
```text
Apply failed with 1 conflict: conflict with "helm" using apiextensions.k8s.io/v1: .spec.versions
Please review the fields above--they currently have other managers. Here
are the ways you can resolve this warning:
* If you intend to manage all of these fields, please re-run the apply
command with the `--force-conflicts` flag.
* If you do not intend to manage all of the fields, please edit your
manifest to remove references to the fields that should keep their
current managers.
* You may co-own fields by updating your manifest to match the existing
value; in this case, you'll become the manager if the other manager(s)
stop managing the field (remove it from their configuration).
See https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts
```
Use `--force-conflicts` flag to resolve the conflict.
```bash
kubectl apply --server-side --force-conflicts -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
### Additional Kubernetes Resources
The `AWX.extraDeploy` section allows the creation of additional Kubernetes resources. This simplifies setups requiring additional objects that are used by AWX, e.g. using `ExternalSecrets` to create Kubernetes secrets.
Resources are passed as an array, either as YAML or strings (literal "|"). The resources are passed through `tpl`, so templating is possible. Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
extraDeploy:
- |
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Release.Name }}-postgres-secret-string-example
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-string-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
- apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "{{ .Release.Name }}-postgres-secret-yaml-example"
namespace: "{{ .Release.Namespace }}"
labels:
app: "{{ .Release.Name }}"
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-yaml-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
```
### Custom secrets
The `customSecrets` section simplifies the creation of our custom secrets used during AWX deployment. Supplying the passwords this way is not recommended for production use, but may be helpful for initial PoC.
If enabled, the configs provided will automatically used to create the respective secrets and linked at the CR spec level. For proper secret management, the sensitive values can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customSecrets:
enabled: true
admin:
enabled: true
password: mysuperlongpassword
secretName: my-admin-password
secretKey:
enabled: true
key: supersecuresecretkey
secretName: my-awx-secret-key
ingressTls:
enabled: true
selfSignedCert: true
key: unset
certificate: unset
routeTls:
enabled: false
key: <contentoftheprivatekey>
certificate: <contentofthepublickey>
ldapCacert:
enabled: false
crt: <contentofmybundlecacrt>
ldap:
enabled: true
password: yourldapdnpassword
bundleCacert:
enabled: false
crt: <contentofmybundlecacrt>
eePullCredentials:
enabled: false
url: unset
username: unset
password: unset
sslVerify: true
secretName: my-ee-pull-credentials
cpPullCredentials:
enabled: false
dockerconfig:
- registry: https://index.docker.io/v1/
username: unset
password: unset
secretName: my-cp-pull-credentials
```
### Custom volumes
The `customVolumes` section simplifies the creation of Persistent Volumes used when you want to store your databases and projects files on the cluster's Node. Since their backends are `hostPath`, the size specified are just like a label and there is no actual capacity limitation.
You have to prepare directories for these volumes. For example:
```bash
sudo mkdir -p /data/postgres-13
sudo mkdir -p /data/projects
sudo chmod 755 /data/postgres-13
sudo chown 1000:0 /data/projects
```
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customVolumes:
postgres:
enabled: true
hostPath: /data/postgres-13
projects:
enabled: true
hostPath: /data/projects
size: 1Gi
```
## Values Summary
### AWX
| Value | Description | Default |
|---|---|---|
| `AWX.enabled` | Enable this AWX resource configuration | `false` |
| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
| `AWX.postgres` | configurations for the external postgres secret | - |
### extraDeploy
| Value | Description | Default |
|---|---|---|
| `extraDeploy` | array of additional resources to be deployed (supports YAML or literal "\|") | - |
### customSecrets
| Value | Description | Default |
|---|---|---|
| `customSecrets.enabled` | Enable the secret resources configuration | `false` |
| `customSecrets.admin` | Configurations for the secret that contains the admin user password | - |
| `customSecrets.secretKey` | Configurations for the secret that contains the symmetric key for encryption | - |
| `customSecrets.ingressTls` | Configurations for the secret that contains the TLS information when `ingress_type=ingress` | - |
| `customSecrets.routeTls` | Configurations for the secret that contains the TLS information when `ingress_type=route` (`route_tls_secret`) | - |
| `customSecrets.ldapCacert` | Configurations for the secret that contains the LDAP Certificate Authority | - |
| `customSecrets.ldap` | Configurations for the secret that contains the LDAP BIND DN password | - |
| `customSecrets.bundleCacert` | Configurations for the secret that contains the Certificate Authority | - |
| `customSecrets.eePullCredentials` | Configurations for the secret that contains the pull credentials for registered ees can be found | - |
| `customSecrets.cpPullCredentials` | Configurations for the secret that contains the image pull credentials for app and database containers | - |
Below the addition variables to customize the secret configuration.
#### Admin user password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.admin.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.admin.password` | Admin user password | - |
| `customSecrets.admin.secretName` | Name of secret for `admin_password_secret` | `<resourcename>-admin-password>` |
#### Secret Key secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.secretKey.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.secretKey.key` | Key is used to encrypt sensitive data in the database | - |
| `customSecrets.secretKey.secretName` | Name of secret for `secret_key_secret` | `<resourcename>-secret-key` |
#### Ingress TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ingressTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ingressTls.selfSignedCert` | If `true`, an self-signed TLS certificate for `AWX.spec.hostname` will be create by helm | `false` |
| `customSecrets.ingressTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.ingressTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.ingressTls.secretName` | Name of secret for `ingress_tls_secret` | `<resourcename>-ingress-tls` |
| `customSecrets.ingressTls.labels` | Array of labels for the secret | - |
#### Route TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.routeTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.routeTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.routeTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.routeTls.secretName` | Name of secret for `route_tls_secret` | `<resourcename>-route-tls` |
#### LDAP Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldapCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldapCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.ldapCacert.secretName` | Name of secret for `ldap_cacert_secret` | `<resourcename>-custom-certs` |
#### LDAP BIND DN Password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldap.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldap.password` | LDAP BIND DN password | - |
| `customSecrets.ldap.secretName` | Name of secret for `ldap_password_secret` | `<resourcename>-ldap-password` |
#### Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.bundleCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.bundleCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.bundleCacert.secretName` | Name of secret for `bundle_cacert_secret` | `<resourcename>-custom-certs` |
#### Default EE pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.eePullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.eePullCredentials.url` | Registry url | - |
| `customSecrets.eePullCredentials.username` | Username to connect as | - |
| `customSecrets.eePullCredentials.password` | Password to connect with | - |
| `customSecrets.eePullCredentials.sslVerify` | Whether verify ssl connection or not. | `true` |
| `customSecrets.eePullCredentials.secretName` | Name of secret for `ee_pull_credentials_secret` | `<resourcename>-ee-pull-credentials` |
#### Control Plane pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.cpPullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.cpPullCredentials.dockerconfig` | Array of configurations for the Docker credentials that are used for accessing a registry | - |
| `customSecrets.cpPullCredentials.dockerconfig[].registry` | Server location for Docker registry | `https://index.docker.io/v1/` |
| `customSecrets.cpPullCredentials.dockerconfig[].username` | Username to connect as | - |
| `customSecrets.cpPullCredentials.dockerconfig[].password` | Password to connect with | - |
| `customSecrets.cpPullCredentials.secretName` | Name of secret for `image_pull_secrets`| `<resoucename>-cp-pull-credentials` |
### customVolumes
#### Persistent Volume for databases postgres
| Value | Description | Default |
|---|---|---|
| `customVolumes.postgres.enabled` | Enable the PV resource configuration for the postgres databases | `false` |
| `customVolumes.postgres.hostPath` | Directory location on host | - |
| `customVolumes.postgres.size` | Size of the volume | `8Gi` |
| `customVolumes.postgres.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name for `postgres_storage_class` | `<resourcename>-postgres-volume` |
#### Persistent Volume for projects files
| Value | Description | Default |
|---|---|---|
| `customVolumes.projects.enabled` | Enable the PVC and PVC resources configuration for the projects files | `false` |
| `customVolumes.projects.hostPath` | Directory location on host | - |
| `customVolumes.projects.size` | Size of the volume | `8Gi` |
| `customVolumes.projects.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name | `<resourcename>-projects-volume` |
# Contributing
## Adding abstracted sections
Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
## Building and Testing
This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
## Future Goals
All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
# Chart Publishing
The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.
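
Review bot: Removing this README drops the CRD upgrade procedure (`kubectl apply --server-side -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>` and the `--force-conflicts` fallback) together with the chart usage docs. Anyone who installed through the chart still needs that procedure, so suggest keeping that section in the operator documentation, or adding a short pointer to wherever chart users should go after this change.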

View File

@@ -1,6 +0,0 @@
{{/*
Generate the name of the postgres secret, expects AWX context passed in
*/}}
{{- define "postgres.secretName" -}}
{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
{{- end }}

View File

@@ -1,28 +0,0 @@
{{- if $.Values.AWX.enabled }}
{{- with .Values.AWX }}
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
spec:
{{- /* Provide custom persistent volumes configs if enabled */}}
{{- include "spec.storageClassNames" $ }}
{{- /* Provide custom secrets configs if enabled */}}
{{- include "spec.secrets" $ }}
{{- /* Include raw map from the values file spec */}}
{{ .spec | toYaml | indent 2 }}
{{- /* Provide security context defaults */}}
{{- if not (hasKey .spec "security_context_settings") }}
security_context_settings:
runAsGroup: 0
runAsUser: 0
fsGroup: 0
fsGroupChangePolicy: OnRootMismatch
{{- end }}
{{- /* Postgres configs if enabled and not already present */}}
{{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
postgres_configuration_secret: {{ include "postgres.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,8 +0,0 @@
{{- range .Values.extraDeploy }}
---
{{- if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (. | toYaml | nindent 0) $ }}
{{- end }}
{{- end }}

View File

@@ -1,18 +0,0 @@
{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postgres.secretName" . }}
namespace: {{ $.Release.Namespace }}
{{- with $.Values.AWX.postgres }}
stringData:
host: {{ .host }}
port: {{ .port | quote }}
database: {{ .dbName }}
username: {{ .username }}
password: {{ .password }}
sslmode: {{ .sslmode }}
type: {{ .type }}
type: Opaque
{{- end }}
{{- end }}

View File

@@ -1,170 +0,0 @@
{{/*
Generate certificates for ingress
*/}}
{{- define "ingress.gen-certs" -}}
{{- $ca := genCA "ingress-ca" 365 -}}
{{- $cert := genSignedCert ( $.Values.AWX.spec.hostname | required "AWX.spec.hostname is required!" ) nil nil 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Generate the name of the secret that contains the admin user password
*/}}
{{- define "admin.secretName" -}}
{{ default (printf "%s-admin-password" $.Values.AWX.name) (default $.Values.customSecrets.admin.secretName $.Values.AWX.spec.admin_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=route
*/}}
{{- define "routeTls.secretName" -}}
{{ default (printf "%s-route-tls" $.Values.AWX.name) (default $.Values.customSecrets.routeTls.secretName $.Values.AWX.spec.route_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=ingress
*/}}
{{- define "ingressTls.secretName" -}}
{{ default (printf "%s-ingress-tls" $.Values.AWX.name) (default $.Values.customSecrets.ingressTls.secretName $.Values.AWX.spec.ingress_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP Certificate Authority
*/}}
{{- define "ldapCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.ldapCacert).secretName $.Values.AWX.spec.ldap_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the custom Certificate Authority
*/}}
{{- define "bundleCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.bundleCacert).secretName $.Values.AWX.spec.bundle_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP BIND DN password
*/}}
{{- define "ldap.secretName" -}}
{{ default (printf "%s-ldap-password" $.Values.AWX.name) (default $.Values.customSecrets.ldap.secretName $.Values.AWX.spec.ldap_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the symmetric key for encryption
*/}}
{{- define "secretKey.secretName" -}}
{{ default (printf "%s-secret-key" $.Values.AWX.name) (default $.Values.customSecrets.secretKey.secretName $.Values.AWX.spec.secret_key_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default execution environment pull credentials
*/}}
{{- define "eePullCredentials.secretName" -}}
{{ default (printf "%s-ee-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.eePullCredentials.secretName $.Values.AWX.spec.ee_pull_credentials_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default control plane pull credentials
*/}}
{{- define "cpPullCredentials.secretName" -}}
{{ default (printf "%s-cp-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.cpPullCredentials.secretName $.Values.AWX.spec.image_pull_secrets) }}
{{- end }}
{{/*
Generate the .dockerconfigjson file unencoded.
*/}}
{{- define "dockerconfigjson.b64dec" }}
{{- print "{\"auths\":{" }}
{{- range $index, $item := . }}
{{- if $index }}
{{- print "," }}
{{- end }}
{{- printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" (default "https://index.docker.io/v1/" $item.registry) $item.username $item.password (default "" $item.email) (printf "%s:%s" $item.username $item.password | b64enc) }}
{{- end }}
{{- print "}}" }}
{{- end }}
{{/*
Generate the base64-encoded .dockerconfigjson.
*/}}
{{- define "dockerconfigjson.b64enc" }}
{{- $list := ternary (list .) . (kindIs "map" .) }}
{{- include "dockerconfigjson.required" $list }}
{{- include "dockerconfigjson.b64dec" $list | b64enc }}
{{- end }}
{{/*
Required values for .dockerconfigjson
*/}}
{{- define "dockerconfigjson.required" -}}
{{- range . -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].username is required!" .username -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].password is required!" .password -}}
{{- end -}}
{{/* Check for registry uniqueness */}}
{{- $registries := list -}}
{{- range . -}}
{{- $registries = append $registries (default "https://index.docker.io/v1/" .registry) -}}
{{- end -}}
{{- $_ := required "All cpPullCredentials.dockerconfigjson[].registry's must be unique!" (or (eq (len $registries) (len ($registries | uniq))) nil) -}}
{{- end -}}
{{/*
Generate the name of the secrets
*/}}
{{- define "spec.secrets" -}}
{{- /* secret configs if enabled */}}
{{- if hasKey $.Values "customSecrets" }}
{{- with $.Values.customSecrets }}
{{- if .enabled }}
{{- if hasKey . "admin" }}
{{- if and (not (hasKey $.Values.AWX.spec "admin_password_secret")) .admin.enabled }}
admin_password_secret: {{ include "admin.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "secretKey" }}
{{- if and (not (hasKey $.Values.AWX.spec "secret_key_secret")) .secretKey.enabled }}
secret_key_secret: {{ include "secretKey.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "routeTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "route_tls_secret")) .routeTls.enabled }}
route_tls_secret: {{ include "routeTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ingressTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "ingress_tls_secret")) .ingressTls.enabled }}
ingress_tls_secret: {{ include "ingressTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldapCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_cacert_secret")) .ldapCacert.enabled }}
ldap_cacert_secret: {{ include "ldapCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "bundleCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "bundle_cacert_secret")) .bundleCacert.enabled }}
bundle_cacert_secret: {{ include "bundleCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldap" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_password_secret")) .ldap.enabled }}
ldap_password_secret: {{ include "ldap.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "eePullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "ee_pull_credentials_secret")) .eePullCredentials.enabled }}
ee_pull_credentials_secret: {{ include "eePullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "cpPullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "image_pull_secrets")) .cpPullCredentials.enabled }}
image_pull_secrets:
- {{ include "cpPullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "admin" }}
{{- with $.Values.customSecrets.admin }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "admin.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
password: {{ .password | required "customSecrets.admin.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "cpPullCredentials" }}
{{- with $.Values.customSecrets.cpPullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "cpPullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "dockerconfigjson.b64enc" .dockerconfig | required "customSecrets.cpPullCredentials.dockerconfig is required!" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,49 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- with .Values.customSecrets }}
{{- $hasLdapCrt := (hasKey $.Values.customSecrets "ldapCacert") -}}
{{- $hasBundleCrt := (hasKey . "bundleCacert") -}}
{{- if or $hasLdapCrt $hasBundleCrt }}
{{- $ldapCrtEnabled := ternary (.ldapCacert).enabled false $hasLdapCrt -}}
{{- $bundleCrtEnabled := ternary (.bundleCacert).enabled false $hasBundleCrt -}}
{{- $ldapSecretName := (include "ldapCacert.secretName" $) -}}
{{- $bundleSecretName := (include "bundleCacert.secretName" $) -}}
{{- if and (or $bundleCrtEnabled $ldapCrtEnabled) (eq $ldapSecretName $bundleSecretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
{{- if $ldapCrtEnabled }}
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- else }}
{{- if $ldapCrtEnabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $bundleSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,19 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "eePullCredentials" }}
{{- with $.Values.customSecrets.eePullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "eePullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
url: {{ (required "customSecrets.eePullCredentials.url is required!" .url) | quote }}
username: {{ (required "customSecrets.eePullCredentials.username is required!" .username) | quote }}
password: {{ (required "customSecrets.eePullCredentials.password is required!" .password) | quote }}
ssl_verify: {{ or .sslVerify (eq (.sslVerify | toString) "<nil>") | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,25 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ingressTls" }}
{{- with $.Values.customSecrets.ingressTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ingressTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
{{- if .labels }}
labels:
{{ toYaml .labels | indent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
{{- if .selfSignedCert }}
{{ ( include "ingress.gen-certs" $ ) | indent 2 }}
{{ else }}
tls.key: {{ (.key | required "customSecrets.ingressTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.ingressTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ldap" }}
{{- with $.Values.customSecrets.ldap }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ldap.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-password: {{ .password | required "customSecrets.ldap.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,17 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "routeTls" }}
{{- with $.Values.customSecrets.routeTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "routeTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/tls
data:
tls.key: {{ (.key | required "customSecrets.routeTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.routeTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,16 +0,0 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "secretKey" }}
{{- with $.Values.customSecrets.secretKey }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "secretKey.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
secret_key: {{ .key | required "customSecrets.secretKey.key is required!" | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,57 +0,0 @@
{{/*
Generate the name of the persistent volume for postgres folders
*/}}
{{- define "postgres.persistentVolumeName" -}}
{{ printf "%s-postgres-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume for projects folder
*/}}
{{- define "projects.persistentVolumeName" -}}
{{ printf "%s-projects-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume claim for the projects volume
*/}}
{{- define "projects.persistentVolumeClaim" -}}
{{ printf "%s-projects-claim" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the storage class to use for the postgres volume
*/}}
{{- define "postgres.storageClassName" -}}
{{ default (printf "%s-postgres-volume" $.Values.AWX.name) (default $.Values.AWX.spec.postgres_storage_class (($.Values.customVolumes).postgres).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class to use for the projects volume
*/}}
{{- define "projects.storageClassName" -}}
{{ default (printf "%s-projects-volume" $.Values.AWX.name) (default $.Values.AWX.spec.projects_storage_class (($.Values.customVolumes).projects).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class names, expects AWX context passed in
*/}}
{{- define "spec.storageClassNames" -}}
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_class") }}
postgres_storage_class: {{ include "postgres.storageClassName" $ }}
{{- end }}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_requirements") }}
postgres_storage_requirements:
requests:
storage: {{ default "8Gi" $.Values.customVolumes.postgres.size | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled }}
projects_existing_claim: {{ include "projects.persistentVolumeClaim" $ }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,19 +0,0 @@
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "postgres.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.postgres }}
spec:
accessModes:
- {{ default "ReadWriteOnce" .accessModes }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" .size | quote }}
storageClassName: {{ include "postgres.storageClassName" $ }}
hostPath:
path: /var/lib/pgsql/data/userdata
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,32 +0,0 @@
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "projects.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.projects }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
hostPath:
path: {{ required "customVolumes.projects.hostPath is required!" .hostPath | quote }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "projects.persistentVolumeClaim" $ }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
volumeMode: Filesystem
resources:
requests:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,19 +0,0 @@
AWX:
# enable use of awx-deploy template
enabled: false
name: awx
spec:
admin_user: admin
# configurations for external postgres instance
postgres:
enabled: false
host: Unset
port: 5678
dbName: Unset
username: admin
# for secret management, pass in the password independently of this file
# at the command line, use --set AWX.postgres.password
password: Unset
sslmode: prefer
type: unmanaged

View File

@@ -6,7 +6,6 @@ ignore: |
kustomization.yaml
awx-operator.clusterserviceversion.yaml
bundle
.helm/starter
hacking/
rules:

View File

@@ -10,6 +10,7 @@ Have questions about this document or anything not covered here? Please file a n
- [Table of contents](#table-of-contents)
- [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
- [Submmiting your work](#submmiting-your-work)
- [Development](#development)
- [Testing](#testing)
- [Testing in Kind](#testing-in-kind)
- [Testing in Minikube](#testing-in-minikube)
@@ -42,7 +43,8 @@ Have questions about this document or anything not covered here? Please file a n
**Note**: If you have multiple commits, make sure to `squash` your commits into a single commit which will facilitate our release process.
## Development
The development environment consists of running an [`up.sh`](./up.sh) and a [`down.sh`](./down.sh) script, which applies or deletes yaml on the Openshift or K8s cluster you are connected to. See the [development.md](docs/development.md) for information on how to deploy and test changes from your branch.
## Testing

View File

@@ -1,8 +1,8 @@
FROM quay.io/operator-framework/ansible-operator:v1.34.0
FROM quay.io/operator-framework/ansible-operator:v1.40.0
USER root
RUN dnf update --security --bugfix -y && \
dnf install -y openssl
RUN dnf update --security --bugfix -y --disableplugin=subscription-manager && \
dnf install -y --disableplugin=subscription-manager openssl
USER 1001
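Review bot: the new `FROM quay.io/operator-framework/ansible-operator:v1.40.0` line still pins the base image by a mutable tag, and the `dnf update --security --bugfix` step pulls whatever packages are current at build time, so two builds of the same commit can produce different images. Pin the base by digest (`...:v1.40.0@sha256:<digest>`, with the digest taken from the registry) so the bump is auditable. Consider ending the `RUN` with `dnf clean all` so the package cache does not ship in the layer.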

211
Makefile
View File

@@ -8,13 +8,6 @@ PREV_VERSION ?= $(shell git describe --abbrev=0 --tags $(shell git rev-list --ta
CONTAINER_CMD ?= docker
# GNU vs BSD in-place sed
ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
SED_I := sed -i
else
SED_I := sed -i ''
endif
# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
# To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -60,15 +53,6 @@ endif
IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
NAMESPACE ?= awx
# Helm variables
CHART_NAME ?= awx-operator
CHART_DESCRIPTION ?= A Helm chart for the AWX Operator
CHART_OWNER ?= $(GH_REPO_OWNER)
CHART_REPO ?= awx-operator
CHART_BRANCH ?= gh-pages
CHART_DIR ?= gh-pages
CHART_INDEX ?= index.yaml
.PHONY: all
all: docker-build
@@ -121,6 +105,10 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
- docker buildx build --push $(BUILD_ARGS) --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
- docker buildx rm project-v3-builder
.PHONY: podman-buildx
podman-buildx: ## Build and push podman image for the manager for cross-platform support
podman build --platform=$(PLATFORMS) $(BUILD_ARGS) --manifest ${IMG} -f Dockerfile .
podman manifest push --all ${IMG} ${IMG}
##@ Deployment
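Review bot: in the new `podman-buildx` target, `podman build --manifest ${IMG}` adds the built images to a local manifest list of that name if one already exists, so a second run on the same host can carry stale entries into `podman manifest push --all`. Remove the list before building, for example with a leading `-podman manifest rm ${IMG}`, in the same spirit as the `-` prefixed cleanup lines in `docker-buildx` just above.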
@@ -177,7 +165,7 @@ ifeq (,$(shell which operator-sdk 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPERATOR_SDK)) ;\
curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.33.0/operator-sdk_$(OS)_$(ARCHA) ;\
curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.40.0/operator-sdk_$(OS)_$(ARCHA) ;\
chmod +x $(OPERATOR_SDK) ;\
}
else
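Review bot: the bumped `curl -sSLo $(OPERATOR_SDK) ...` line downloads a binary and marks it executable with neither `--fail` nor an integrity check. Even with `set -e`, a 404 or error page is therefore written to `$(OPERATOR_SDK)` and `chmod +x` still runs, and a replaced release asset would go unnoticed. Add `--fail` and compare the file's SHA-256 against a value pinned in the Makefile next to the version. The `ansible-operator` and `opm` download lines in the next two hunks have the same shape and would benefit from the same change.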
@@ -193,7 +181,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.34.0/ansible-operator_$(OS)_$(ARCHA) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.40.0/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -224,7 +212,7 @@ ifeq (,$(shell which opm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPM)) ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.26.0/$(OS)-$(ARCHA)-opm ;\
curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$(OS)-$(ARCHA)-opm ;\
chmod +x $(OPM) ;\
}
else
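Review bot: `opm` moves from v1.26.0 to v1.55.0 on the `curl` line here, a much larger jump than the operator-sdk and ansible-operator bumps in the hunks above, and nothing in the diff shows the `catalog-build` target being exercised against it. Please confirm `make catalog-build` still succeeds with this release and mention the jump in the commit message so it is easy to find when bisecting.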
@@ -255,188 +243,3 @@ catalog-build: opm ## Build a catalog image.
.PHONY: catalog-push
catalog-push: ## Push a catalog image.
$(MAKE) docker-push IMG=$(CATALOG_IMG)
.PHONY: kubectl-slice
KUBECTL_SLICE = $(shell pwd)/bin/kubectl-slice
kubectl-slice: ## Download kubectl-slice locally if necessary.
ifeq (,$(wildcard $(KUBECTL_SLICE)))
ifeq (,$(shell which kubectl-slice 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(KUBECTL_SLICE)) ;\
curl -sSLo - https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.6/kubectl-slice_$(OS)_$(ARCHX).tar.gz | \
tar xzf - -C bin/ kubectl-slice ;\
}
else
KUBECTL_SLICE = $(shell which kubectl-slice)
endif
endif
.PHONY: helm
HELM = $(shell pwd)/bin/helm
helm: ## Download helm locally if necessary.
ifeq (,$(wildcard $(HELM)))
ifeq (,$(shell which helm 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://get.helm.sh/helm-v3.8.0-$(OS)-$(ARCHA).tar.gz | \
tar xzf - -C bin/ $(OS)-$(ARCHA)/helm ;\
mv bin/$(OS)-$(ARCHA)/helm bin/helm ;\
rmdir bin/$(OS)-$(ARCHA) ;\
}
else
HELM = $(shell which helm)
endif
endif
.PHONY: yq
YQ = $(shell pwd)/bin/yq
yq: ## Download yq locally if necessary.
ifeq (,$(wildcard $(YQ)))
ifeq (,$(shell which yq 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(HELM)) ;\
curl -sSLo - https://github.com/mikefarah/yq/releases/download/v4.20.2/yq_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ ;\
mv bin/yq_$(OS)_$(ARCHA) bin/yq ;\
}
else
YQ = $(shell which yq)
endif
endif
PHONY: cr
CR = $(shell pwd)/bin/cr
cr: ## Download cr locally if necessary.
ifeq (,$(wildcard $(CR)))
ifeq (,$(shell which cr 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(CR)) ;\
curl -sSLo - https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_$(OS)_$(ARCHA).tar.gz | \
tar xzf - -C bin/ cr ;\
}
else
CR = $(shell which cr)
endif
endif
charts:
mkdir -p $@
.PHONY: helm-chart
helm-chart: helm-chart-generate
.PHONY: helm-chart-generate
helm-chart-generate: kustomize helm kubectl-slice yq charts
@echo "== KUSTOMIZE: Set image and chart label =="
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
@echo "== Gather Helm Chart Metadata =="
# remove the existing chart if it exists
rm -rf charts/$(CHART_NAME)
# create new chart metadata in Chart.yaml
cd charts && \
$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
@echo "Generated chart metadata:"
@cat charts/$(CHART_NAME)/Chart.yaml
@echo "== KUSTOMIZE: Generate resources and slice into templates =="
# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
$(KUBECTL_SLICE) --input-file=- \
--output-dir=charts/$(CHART_NAME)/raw-files \
--sort-by-kind
@echo "== GIT: Reset kustomize configs =="
# reset kustomize configs following kustomize build
git checkout -f config/.
@echo "== Build Templates and CRDS =="
# Delete metadata.namespace, release namespace will be automatically inserted by helm
for file in charts/$(CHART_NAME)/raw-files/*; do\
$(YQ) -i 'del(.metadata.namespace)' $${file};\
done
# Correct namespace for rolebinding to be release namespace, this must be explicit
for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
done
# Correct .metadata.name for cluster scoped resources
cluster_scoped_files="charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-metrics-reader.yaml charts/$(CHART_NAME)/raw-files/clusterrole-awx-operator-proxy-role.yaml";\
for file in $${cluster_scoped_files}; do\
$(YQ) -i '.metadata.name += "-{{ .Release.Name }}"' $${file};\
done
# Correct the reference for the clusterrolebinding
$(YQ) -i '.roleRef.name += "-{{ .Release.Name }}"' 'charts/$(CHART_NAME)/raw-files/clusterrolebinding-awx-operator-proxy-rolebinding.yaml'
# move all custom resource definitions to crds folder
mkdir charts/$(CHART_NAME)/crds
mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
# remove any namespace definitions
rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
# move remaining resources to helm templates
mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
# remove the raw-files folder
rm -rf charts/$(CHART_NAME)/raw-files
# create and populate NOTES.txt
@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
.PHONY: helm-package
helm-package: helm-chart
@echo "== Package Current Chart Version =="
mkdir -p .cr-release-packages
# package the chart and put it in .cr-release-packages dir
$(HELM) package ./charts/awx-operator -d .cr-release-packages/$(VERSION)
# List all tags oldest to newest.
TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
# The actual release happens in ansible/helm-release.yml, which calls this targer
# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
# that is contained within a larger repo, where a tag may not require a new chart version
.PHONY: helm-index
helm-index:
# when running in CI the gh-pages branch is checked out by the ansible playbook
# TODO: test if gh-pages directory exists and if not exist
@echo "== GENERATE INDEX FILE =="
# This step to workaround issues with old releases being dropped.
# Until https://github.com/helm/chart-releaser/issues/133 happens
@echo "== CHART FETCH previous releases =="
# Download all old releases
mkdir -p .cr-release-packages
for tag in $(TAGS); do\
dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
echo "Downloading $${tag} from $${dl_url}";\
curl -RLOs -z "$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
result=$$?;\
if [ $${result} -eq 0 ]; then\
echo "Downloaded $${dl_url}";\
mkdir -p .cr-release-packages/$${tag};\
mv ./$(CHART_REPO)-$${tag}.tgz .cr-release-packages/$${tag};\
else\
echo "Skipping release $${tag}; No helm chart present";\
rm -rf "$(CHART_REPO)-$${tag}.tgz";\
fi;\
done;\
# generate the index file in the root of the gh-pages branch
# --merge will leave any values in index.yaml that don't get generated by this command, but
# it is likely that all values are overridden
$(HELM) repo index .cr-release-packages --url https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/ --merge $(CHART_DIR)/index.yaml
mv .cr-release-packages/index.yaml $(CHART_DIR)/index.yaml

View File

@@ -3,35 +3,24 @@
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
<!-- Regenerate this table of contents using https://github.com/ekalinin/github-markdown-toc -->
<!-- gh-md-toc --insert README.md -->
<!--ts-->
The AWX Operator is meant to be deployed in your Kubernetes cluster(s) and can be used to install and manage the lifecycle of an AWX instance in the same namespace.
# AWX Operator Documentation
## Documentation
The AWX Operator documentation is now available at https://awx-operator.readthedocs.io/
The AWX Operator documentation is available at <https://ansible.readthedocs.io/projects/awx-operator/>
For docs changes, create PRs on the appropriate files in the /docs folder.
> Helm chart documentation is available at <https://ansible-community.github.io/awx-operator-helm/>
## Contributing
Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
## Release Process
For docs changes, create PRs on the appropriate files in the `/docs` folder.
The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you don't need to do it as a separate step.
If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
After the draft release is created, publish it and the [Promote AWX Operator image](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/promote.yaml) will run, which will:
- Publish image to Quay
- Release Helm chart
The development environment consists of running an [`up.sh`](https://github.com/ansible/awx-operator/blob/devel/up.sh) and a [`down.sh`](https://github.com/ansible/awx-operator/blob/devel/down.sh) script, which applies or deletes yaml on the Openshift or K8s cluster you are connected to. See the [development.md](https://github.com/ansible/awx-operator/blob/devel/docs/development.md) for information on how to deploy and test changes from your branch.
## Author
@@ -43,7 +32,25 @@ We ask all of our community members and contributors to adhere to the [Ansible c
## Get Involved
We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC channel as AWX itself. Here's how to reach us with feedback and questions:
We welcome your feedback, questions and ideas. Here's how to reach the community.
- Join the [Ansible AWX channel on Matrix](https://matrix.to/#/#awx:ansible.com)
- Join the [Ansible Community Forum](https://forum.ansible.com)
### Forum
Join the [Ansible Forum](https://forum.ansible.com) as a single starting point and our default communication platform for questions and help, development discussions, events, and much more. [Register](https://forum.ansible.com/signup?) to join the community. Search by categories and tags to find interesting topics or start a new one; subscribe only to topics you need!
* [Get Help](https://forum.ansible.com/c/help/6): get help or help others. Please add appropriate tags if you start new discussions, for example `awx-operator` and `documentation`.
* [Posts tagged with 'awx-operator'](https://forum.ansible.com/tag/awx-operator): subscribe to participate in project-related conversations.
* [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn) used to announce releases and important changes.
* [Social Spaces](https://forum.ansible.com/c/chat/4): gather and interact with fellow enthusiasts.
* [News & Announcements](https://forum.ansible.com/c/news/5): track project-wide announcements including social events.
For more information on the forum navigation, see [Navigating the Ansible forum](https://forum.ansible.com/t/navigating-the-ansible-forum-tags-categories-and-concepts/39) post.
### Matrix
For real-time interactions, conversations in the community happen over the Matrix protocol in the following channels:
* [#awx:ansible.com](https://matrix.to/#/#awx:ansible.com): AWX and AWX-Operator project-related discussions.
* [#docs:ansible.im](https://matrix.to/#/#docs:ansible.im): Ansible, AWX and AWX-Operator documentation-related discussions.
For more information, see the community-hosted [Matrix FAQ](https://hackmd.io/@ansible-community/community-matrix-faq).

View File

@@ -1,122 +0,0 @@
---
- hosts: localhost
vars:
chart_repo: awx-operator
environment:
CHART_OWNER: "{{ chart_owner }}"
tasks:
- name: Look up release
uri:
url: "https://api.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/tags/{{ tag }}"
register: release
ignore_errors: yes
- fail:
msg: |
Release must exist before running this playbook
when: release is not success
- name: Set helm filename and commit message
set_fact:
asset_already_attached: False
helm_file_name: "awx-operator-{{ tag }}.tgz"
commit_message: "Updated index.yaml for release {{ release.json.tag_name }}"
- name: See if file is already attached
set_fact:
asset_already_attached: True
loop: "{{ release.json.get('assets', []) }}"
loop_control:
label: "{{ item.name }}"
when: item.name == helm_file_name
- when: not asset_already_attached
block:
- name: Build and package helm chart
command: |
make helm-package
environment:
VERSION: "{{ tag }}"
IMAGE_TAG_BASE: "{{ operator_image }}"
args:
chdir: "{{ playbook_dir }}/../"
# Move to chart releaser after https://github.com/helm/chart-releaser/issues/122 exists
- name: Upload helm chart
uri:
url: "https://uploads.github.com/repos/{{ chart_owner }}/{{ chart_repo }}/releases/{{ release.json.id }}/assets?name={{ helm_file_name }}"
src: "{{ playbook_dir }}/../.cr-release-packages/{{ tag }}/awx-operator-{{ tag }}.tgz"
headers:
Authorization: "token {{ gh_token }}"
Content-Type: "application/octet-stream"
status_code:
- 200
- 201
register: asset_upload
changed_when: asset_upload.json.state == "uploaded"
- name: Ensure gh-pages exists
file:
state: directory
path: "{{ playbook_dir }}/../gh-pages"
- name: Check if we have published the release
command:
cmd: "git log --grep='{{ commit_message }}'"
chdir: "{{ playbook_dir }}/../gh-pages"
register: commits_for_release
- when: commits_for_release.stdout == ''
block:
- name: Make a temp dir
tempfile:
state: directory
register: temp_dir
- name: Clone the gh-pages branch from {{ chart_owner }}
git:
repo: "{{ ((repo_type | default('http')) == 'ssh') | ternary(ssh_repo, http_repo) }}"
dest: "{{ temp_dir.path }}"
single_branch: yes
version: gh-pages
vars:
http_repo: "https://github.com/{{ chart_owner }}/{{ chart_repo }}"
ssh_repo: "git@github.com:{{ chart_owner }}/{{ chart_repo }}.git"
- name: Publish helm index
ansible.builtin.command:
cmd: make helm-index
environment:
CHART_OWNER: "{{ chart_owner }}"
CR_TOKEN: "{{ gh_token }}"
CHART_DIR: "{{ temp_dir.path }}"
args:
chdir: "{{ playbook_dir }}/.."
- name: Set url base swap in gitconfig
command:
cmd: "git config --local url.https://{{ gh_user }}:{{ gh_token }}@github.com/.insteadOf https://github.com/"
args:
chdir: "{{ temp_dir.path }}/"
no_log: true
- name: Stage and Push commit to gh-pages branch
command:
cmd: "{{ item }}"
loop:
- git add index.yaml
- git commit -m "{{ commit_message }}"
- git push
args:
chdir: "{{ temp_dir.path }}/"
environment:
GIT_AUTHOR_NAME: "{{ gh_user }}"
GIT_AUTHOR_EMAIL: "{{ gh_user }}@users.noreply.github.com"
GIT_COMMITTER_NAME: "{{ gh_user }}"
GIT_COMMITTER_EMAIL: "{{ gh_user }}@users.noreply.github.com"
always:
- name: Remove temp dir
file:
path: "{{ temp_dir.path }}"
state: absent
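
Review bot: the "Upload helm chart" task sends `Authorization: "token {{ gh_token }}"` and the "Publish helm index" task exports `CR_TOKEN: "{{ gh_token }}"`, but only "Set url base swap in gitconfig" carries `no_log: true`. Add `no_log: true` to both tasks so the token cannot appear in verbose task output. The `always:` cleanup also reads `temp_dir.path`, which is registered inside the same `block:`; if "Make a temp dir" fails, the cleanup fails on an undefined value, so guard it with `when: temp_dir.path is defined`.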

View File

@@ -37,6 +37,9 @@ spec:
metadata:
type: object
spec:
x-kubernetes-validations:
- rule: "has(self.postgres_image) && has(self.postgres_image_version) || !has(self.postgres_image) && !has(self.postgres_image_version)"
message: "Both postgres_image and postgres_image_version must be set when required"
type: object
x-kubernetes-preserve-unknown-fields: true
required:
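
Review bot: the new `x-kubernetes-validations` rule under `spec:` calls `has(self.postgres_image)` and `has(self.postgres_image_version)` on an object that also sets `x-kubernetes-preserve-unknown-fields: true`. CEL rules can only see fields declared in the schema, not ones that survive through preserve-unknown-fields, and neither field's declaration is visible in this hunk. Please confirm both are listed under this spec's `properties`.
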
@@ -48,6 +51,10 @@ spec:
backup_pvc:
description: Name of the backup PVC
type: string
create_backup_pvc:
description: If true (default), automatically create the backup PVC if it does not exist
type: boolean
default: true
backup_pvc_namespace:
description: (Deprecated) Namespace the PVC is in
type: string
@@ -81,6 +88,10 @@ spec:
pg_dump_suffix:
description: Additional parameters for the pg_dump command
type: string
use_db_compression:
description: Enable compression for database dumps using pg_dump built-in compression.
type: boolean
default: true
postgres_label_selector:
description: Label selector used to identify postgres pod for backing up data
type: string
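
Review bot: `use_db_compression` is added with `default: true`, so compression is opt-out, yet the description only says "Enable compression for database dumps" and never states the default. Put the default in the description, and document how the flag interacts with `pg_dump_suffix` just above it, since a user who already passes compression or format options there now has two sources for the same pg_dump settings.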

View File

@@ -69,12 +69,390 @@ spec:
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
route_annotations:
description: Annotations to add to the OpenShift Route
type: string
ingress_class_name:
description: The name of ingress class to use instead of the cluster default.
type: string
ingress_controller:
description: Special configuration for specific Ingress Controllers
type: string
node_selector:
description: Assign the Mesh Ingress Pod to the specified node.
type: string
tolerations:
description: Scheduling tolerations for the Mesh Ingress instance.
type: string
topology_spread_constraints:
description: Topology spread constraints for the Mesh Ingress instance.
type: string
affinity:
description: Scheduling constraints to apply to the Pod definition
properties:
nodeAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
preference:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
weight:
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
properties:
nodeSelectorTerms:
items:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
type: array
required:
- nodeSelectorTerms
type: object
x-kubernetes-map-type: atomic
type: object
podAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
weight:
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
topologyKey:
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
status:
description: Status defines the observed state of AWXMeshIngress
type: object
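
Review bot: `node_selector`, `tolerations` and `topology_spread_constraints` are declared as `type: string` while `affinity`, added in the same hunk, gets a full structural schema. A string that carries YAML is not checked by the API server, so a malformed toleration surfaces only later, when the value is parsed. Either give the three fields the same structured treatment or say in each description that the value is a YAML string and show the expected shape.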

View File

@@ -37,6 +37,9 @@ spec:
metadata:
type: object
spec:
x-kubernetes-validations:
- rule: "has(self.postgres_image) && has(self.postgres_image_version) || !has(self.postgres_image) && !has(self.postgres_image_version)"
message: "Both postgres_image and postgres_image_version must be set when required"
type: object
x-kubernetes-preserve-unknown-fields: true
required:
@@ -94,6 +97,11 @@ spec:
postgres_image_version:
description: PostgreSQL container image version to use
type: string
spec_overrides:
description: Overrides for the AWX spec
# type: string
type: object
x-kubernetes-preserve-unknown-fields: true
image_pull_policy:
description: The image pull policy
type: string
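
Review bot: `spec_overrides` keeps a commented-out `# type: string` next to the live `type: object`; drop the leftover line. With `x-kubernetes-preserve-unknown-fields: true` the object is accepted without any schema check, so the description ("Overrides for the AWX spec") should say which keys it accepts and how an override is merged with the existing spec.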

View File

@@ -36,6 +36,17 @@ spec:
metadata:
type: object
spec:
x-kubernetes-validations:
- rule: "has(self.image) && has(self.image_version) || !has(self.image) && !has(self.image_version)"
message: "Both image and image_version must be set when required"
- rule: "has(self.redis_image) && has(self.redis_image_version) || !has(self.redis_image) && !has(self.redis_image_version)"
message: "Both redis_image and redis_image_version must be set when required"
- rule: "has(self.postgres_image) && has(self.postgres_image_version) || !has(self.postgres_image) && !has(self.postgres_image_version)"
message: "Both postgres_image and postgres_image_version must be set when required"
- rule: >-
has(self.metrics_utility_image) && has(self.metrics_utility_image_version) ||
!has(self.metrics_utility_image) && !has(self.metrics_utility_image_version)
message: "Both metrics_utility_image and metrics_utility_image_version must be set when required"
properties:
deployment_type:
description: Name of the deployment type
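
Review bot: all four rules under `x-kubernetes-validations` rely on `&&` binding tighter than `||` with no parentheses, and the fourth is written as a folded scalar while the first three are quoted one-liners. Each one can be written as an equality, for example `has(self.image) == has(self.image_version)`, which states the both-or-neither intent directly and keeps the entries in one style. The messages end in "must be set when required", which does not tell the user what the rule checks; "image and image_version must be set together" would.
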
@@ -73,6 +84,9 @@ spec:
type: string
maxLength: 255
pattern: '^[a-zA-Z0-9][-a-zA-Z0-9]{0,253}[a-zA-Z0-9]$'
pg_dump_suffix:
description: Additional parameters for the pg_dump command during a migration
type: string
postgres_label_selector:
description: Label selector used to identify postgres pod for data migration
type: string
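
Review bot: `pg_dump_suffix` is an unconstrained string described as "Additional parameters for the pg_dump command during a migration", unlike the field just above it, which carries `maxLength` and a `pattern`. Because the value ends up on a command line, the description should say how it is passed (appended verbatim or split into arguments), and the schema should carry at least a `maxLength`.
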
@@ -144,6 +158,9 @@ spec:
ingress_controller:
description: Special configuration for specific Ingress Controllers
type: string
api_urlpattern_prefix:
description: An optional configuration to add a prefix in the API URL path
type: string
loadbalancer_protocol:
description: Protocol to use for the loadbalancer
type: string
@@ -218,6 +235,9 @@ spec:
web_annotations:
description: Web deployment annotations. This will override the general annotations parameter for the Web deployment.
type: string
postgres_annotations:
description: Annotations to add to the Postgres deployment.
type: string
tolerations:
description: node tolerations for the pods
type: string
@@ -1571,10 +1591,18 @@ spec:
description: Number of web instance replicas
type: integer
format: int32
web_manage_replicas:
description: Enables operator control of replicas count for the web deployment when set to 'true'
type: boolean
default: true
task_replicas:
description: Number of task instance replicas
type: integer
format: int32
task_manage_replicas:
description: Enables operator control of replicas count for the task deployment when set to 'true'
type: boolean
default: true
web_liveness_initial_delay:
description: Initial delay before starting liveness checks on web pod
type: integer
@@ -1719,6 +1747,9 @@ spec:
nginx_worker_connections:
description: Set the number of connections per worker for nginx
type: integer
nginx_client_max_body_size:
description: Sets the maximum allowed size of the client request body in megabytes (defaults to 5M)
type: integer
nginx_worker_cpu_affinity:
description: Set the CPU affinity for nginx workers
type: string
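
Review bot: `nginx_client_max_body_size` is `type: integer`, but its default appears only in the description, written as "5M", and there is no lower bound. State the default as a plain number of megabytes to match the type, and add a `minimum` after deciding whether 0 is allowed, since nginx treats a body size of 0 as "no limit".
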
@@ -1808,9 +1839,25 @@ spec:
description: Assign a preexisting priority class to the postgres pod
type: string
postgres_extra_args:
description: "(Deprecated, use postgres_extra_settings parameter) Define postgres configuration arguments to use"
type: array
items:
type: string
postgres_extra_settings:
description: "PostgreSQL configuration settings to be added to postgresql.conf"
type: array
items:
type: object
properties:
setting:
description: "PostgreSQL configuration parameter name"
type: string
value:
description: "PostgreSQL configuration parameter value"
type: string
required:
- setting
- value
postgres_data_volume_init:
description: Sets permissions on the /var/lib/pgdata/data for postgres container using an init container (not Openshift)
type: boolean
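
Review bot: `postgres_extra_settings` takes `setting` and `value` as free-form strings that, per the description, are "added to postgresql.conf", with no `pattern` on either. A string containing a newline could add extra lines to that file, so constrain `setting` to a parameter-name pattern such as `^[a-zA-Z_][a-zA-Z0-9_.]*$`. The deprecated `postgres_extra_args` remains accepted next to it; the description should say which one wins when both are set.
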
@@ -1845,11 +1892,11 @@ spec:
development_mode:
description: If the deployment should be done in development mode
type: boolean
ldap_cacert_secret:
description: Secret where can be found the LDAP trusted Certificate Authority Bundle
ldap_cacert_secret: # deprecated
description: (Deprecated) Secret where can be found the LDAP trusted Certificate Authority Bundle
type: string
ldap_password_secret:
description: Secret where can be found the LDAP bind password
ldap_password_secret: # deprecated
description: (Deprecated) Secret where can be found the LDAP bind password
type: string
bundle_cacert_secret:
description: Secret where can be found the trusted Certificate Authority Bundle
@@ -1901,6 +1948,28 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
extra_settings_files:
description: Extra ConfigMaps or Secrets of settings files to specify for AWX
properties:
configmaps:
items:
properties:
name:
type: string
key:
type: string
type: object
type: array
secrets:
items:
properties:
name:
type: string
key:
type: string
type: object
type: array
type: object
no_log:
description: Configure no_log for no_log tasks
type: boolean
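
Review bot: the item schemas under `extra_settings_files.configmaps` and `extra_settings_files.secrets` declare `name` and `key` but have no `required` list, so an entry with only one of them, or an empty object, passes validation. Add `required` entries for `name` and `key` to both item schemas, the way `postgres_extra_settings` does for `setting` and `value`.
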
@@ -1926,6 +1995,9 @@ spec:
description: Disable web container's nginx ipv6 listener
type: boolean
default: false
idle_deployment:
description: Scale down deployments to put AWX into an idle state
type: boolean
metrics_utility_enabled:
description: Enable metrics utility
type: boolean
@@ -1970,8 +2042,12 @@ spec:
description: Enable metrics utility shipping to Red Hat Hybrid Cloud Console
type: boolean
default: false
public_base_url:
description: Public base URL
type: string
type: object
status:
x-kubernetes-preserve-unknown-fields: true
properties:
URL:
description: URL to access the deployed instance
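
Review bot: `status` gains `x-kubernetes-preserve-unknown-fields: true` while still listing `properties`, which turns off pruning for the whole status object. If this is needed for a specific field the operator writes, name that field in a comment. The description of `public_base_url` ("Public base URL") only repeats the field name; say what consumes it and whether a scheme is expected.
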
@@ -2003,6 +2079,9 @@ spec:
image:
description: URL of the image used for the deployed instance
type: string
upgradedFrom:
description: Last gated version
type: string
conditions:
description: The resulting conditions when a Service Telemetry is instantiated
items:
@@ -2017,5 +2096,6 @@ spec:
type: string
type: object
type: array
x-kubernetes-preserve-unknown-fields: true
type: object
type: object

View File

@@ -20,11 +20,11 @@ resources:
- ../manager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
- metrics_service.yaml
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patches:
- path: manager_auth_proxy_patch.yaml
- path: manager_metrics_patch.yaml
target:
kind: Deployment

View File

@@ -1,40 +0,0 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: awx-manager
args:
- "--health-probe-bind-address=:6789"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--leader-election-id=awx-operator"

View File

@@ -0,0 +1,12 @@
# This patch adds the args to allow exposing the metrics endpoint using HTTPS
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-bind-address=:8443
# This patch adds the args to allow securing the metrics endpoint
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-secure
# This patch adds the args to allow RBAC-based authn/authz for the metrics endpoint
- op: add
path: /spec/template/spec/containers/0/args/0
value: --metrics-require-rbac
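
Review bot: all three ops use `path: /spec/template/spec/containers/0/args/0`, so they assume the manager is the first container of the Deployment. If a container is ever placed ahead of it, these flags land on the wrong container without any error. Add a comment stating that `containers/0` must be the manager. The three comments also open with the same "This patch adds the args to allow"; one line per flag saying what that flag does would read better.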

View File

@@ -3,6 +3,8 @@ kind: Service
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: awx-operator
app.kubernetes.io/managed-by: kustomize
name: controller-manager-metrics-service
namespace: system
spec:
@@ -10,6 +12,7 @@ spec:
- name: https
port: 8443
protocol: TCP
targetPort: https
targetPort: 8443
selector:
control-plane: controller-manager
app.kubernetes.io/name: awx-operator
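
Review bot: the selector now requires `app.kubernetes.io/name: awx-operator` in addition to `control-plane: controller-manager`, so this Service has endpoints only if the manager pod template carries that label too. The pod labels are not part of this diff; please confirm they match. `targetPort` also moves from the named port `https` to the literal `8443`, which now has to be kept in step with `--metrics-bind-address=:8443` by hand.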

View File

@@ -38,6 +38,7 @@ spec:
- args:
- --leader-elect
- --leader-election-id=awx-operator
- --health-probe-bind-address=:6789
image: controller:latest
imagePullPolicy: IfNotPresent
name: awx-manager
@@ -73,8 +74,8 @@ spec:
memory: "32Mi"
cpu: "50m"
limits:
memory: "960Mi"
cpu: "1500m"
memory: "4000Mi"
cpu: "2000m"
serviceAccountName: controller-manager
imagePullSecrets:
- name: redhat-operators-pull-secret
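
Review bot: the limits are raised to `memory: "4000Mi"` and `cpu: "2000m"` while the requests in the same block stay at `memory: "32Mi"` and `cpu: "50m"`. The scheduler places the pod on the 32Mi request, so a node can be heavily overcommitted long before the manager reaches its limit. If the manager needs this headroom, raise the requests to a realistic steady-state figure in the same change.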

View File

@@ -50,6 +50,12 @@ spec:
path: ingress_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Route Annotations
path: route_annotations
x-descriptors:
- 'urn:alm:descriptor:com.tectonic.ui:advanced'
- 'urn:alm:descriptor:com.tectonic.ui:text'
- 'urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Route'
- displayName: Ingress Class Name
path: ingress_class_name
x-descriptors:
@@ -58,6 +64,31 @@ spec:
path: ingress_controller
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Node Selector
path: node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tolerations
path: tolerations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Topology Spread Constraints
path: topology_spread_constraints
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Affinity
path: affinity
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Optional API URLPATTERN Prefix
path: api_urlpattern_prefix
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Image Pull Secrets
path: image_pull_secrets
x-descriptors:
@@ -144,10 +175,22 @@ spec:
path: additional_labels
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- description: Enable compression for database dumps using pg_dump built-in compression
displayName: Use DB Compression
path: use_db_compression
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- displayName: Node Selector for backup management pod
path: db_management_pod_node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Public Base URL
path: public_base_url
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: Persistent volume claim name used during backup
displayName: Backup Claim
@@ -213,6 +256,10 @@ spec:
path: postgres_image_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: AWX Spec Overrides
path: spec_overrides
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Image Pull Policy
path: image_pull_policy
x-descriptors:
@@ -290,6 +337,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- description: PostgreSQL dump additional parameters to exclude tables during migration to openshift
displayname: PostgreSQL Extra Arguments for Migration to Openshift
path: pg_dump_suffix
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Name of the k8s secret the symmetric encryption key is stored
in.
displayName: Secret Key
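
Review bot: the new `pg_dump_suffix` descriptor spells its key `displayname:` in lower case, where every other descriptor in this file uses `displayName:`. YAML keys are case-sensitive, so the display name will not be picked up; rename the key. The description here ("to exclude tables during migration to openshift") is also narrower than the CRD text for the same field; align the two.
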
@@ -544,6 +596,11 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Set the maximum allowed size of the client request body in megabytes for nginx
path: nginx_client_max_body_size
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:number
- displayName: Task Replicas
path: task_replicas
x-descriptors:
@@ -646,11 +703,16 @@ spec:
x-descriptors:
- urn:alm:descriptor:io.kubernetes:StorageClass
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Postgres Extra Arguments
- displayName: Postgres Extra Arguments (Deprecated)
path: postgres_extra_args
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Extra Settings
path: postgres_extra_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify extra volumes to add to the postgres pod
displayName: Postgres Extra Volumes
path: postgres_extra_volumes
@@ -688,12 +750,12 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: LDAP Certificate Authority Trust Bundle
- displayName: LDAP Certificate Authority Trust Bundle (Deprecated)
path: ldap_cacert_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- displayName: LDAP Password Secret
- displayName: LDAP Password Secret (Deprecated)
path: ldap_password_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
@@ -922,6 +984,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Postgres Annotations
path: postgres_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Tolerations
path: tolerations
x-descriptors:
@@ -957,6 +1024,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Extra Settings Files
path: extra_settings_files
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: No Log Configuration
path: no_log
x-descriptors:
@@ -1105,6 +1177,13 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:metrics_utility_enabled:true
- description: Scale down deployments to put AWX into an idle state
displayName: Idle AWX
path: idle_deployment
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: Route to access the instance deployed
displayName: URL

View File

@@ -9,10 +9,6 @@ resources:
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
- metrics_auth_role.yaml
- metrics_auth_role_binding.yaml
- metrics_reader_role.yaml
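
Review bot: `metrics_reader_role.yaml` is listed with no binding file next to it, and the manager now runs with `--metrics-require-rbac`, so a scraper is rejected until its ServiceAccount is bound to that role. Add a comment here, or a note in the docs, saying who is expected to create that binding.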

View File

@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
name: metrics-auth-role
rules:
- apiGroups:
- authentication.k8s.io

View File

@@ -1,11 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
name: metrics-auth-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
name: metrics-auth-role
subjects:
- kind: ServiceAccount
name: controller-manager
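
Review bot: renaming `proxy-role` and `proxy-rolebinding` to `metrics-auth-role` and `metrics-auth-rolebinding` leaves the old cluster-scoped objects behind on clusters that upgrade with a plain apply. The upgrade notes should tell operators to delete the stale pair.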

View File

@@ -14,10 +14,13 @@ resources:
- ../crd
- ../rbac
- ../manager
- ../default/metrics_service.yaml
images:
- name: testing
newName: testing-operator
patches:
- path: manager_image.yaml
- path: debug_logs_patch.yaml
- path: ../default/manager_auth_proxy_patch.yaml
- path: ../default/manager_metrics_patch.yaml
target:
kind: Deployment

View File

@@ -0,0 +1,24 @@
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
service_type: clusterip
ingress_type: route
no_log: false
# Secrets
admin_password_secret: custom-admin-password
postgres_configuration_secret: custom-pg-configuration
secret_key_secret: custom-secret-key
# Resource Requirements
postgres_storage_requirements:
requests:
storage: 10Gi
# Extra Settings
extra_settings:
- setting: MAX_PAGE_SIZE
value: "500"
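
Review bot: this example sets `no_log: false` in the same spec that references `admin_password_secret`, `postgres_configuration_secret` and `secret_key_secret`, so tasks that are normally hidden are written to the operator log. That helps when debugging, but add a comment on the `no_log: false` line marking it as development-only so the file is not copied as the starting point for a real deployment.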

View File

@@ -0,0 +1,30 @@
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
service_type: clusterip
ingress_type: Route
postgres_extra_settings:
- setting: max_connections
value: "999"
- setting: ssl_ciphers
value: "HIGH:!aNULL:!MD5"
# requires custom-postgres-configuration secret to be pre-created
# postgres_configuration_secret: custom-postgres-configuration
postgres_resource_requirements:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 800m
memory: 1Gi
postgres_storage_requirements:
requests:
storage: 20Gi
limits:
storage: 100Gi

View File

@@ -0,0 +1,13 @@
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
service_type: nodeport
ingress_type: ingress
# Secrets
admin_password_secret: custom-admin-password
postgres_configuration_secret: custom-pg-configuration
secret_key_secret: custom-secret-key

View File

@@ -0,0 +1,13 @@
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
service_type: clusterip
ingress_type: Route
# # Secrets
# admin_password_secret: custom-admin-password
# postgres_configuration_secret: custom-pg-configuration
# secret_key_secret: custom-secret-key

View File

@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Secret
metadata:
name: custom-admin-password
stringData:
password: 'password'
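
Review bot: `custom-admin-password` is committed with `password: 'password'`, and nothing in the file marks it as a development fixture. Add a header comment saying so, or have the dev script generate the value at deploy time, so the manifest cannot be applied unchanged to a shared cluster.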

View File

@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Secret
metadata:
name: custom-secret-key
stringData:
secret_key: 'awxsecret'
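
Review bot: `secret_key: 'awxsecret'` sets the AWX symmetric encryption key to a value that is public in the repository, so data encrypted in any instance created from this manifest is protected by a known key. Generate a random key per deployment in the dev script instead of committing a literal, or state at the top of the file that it must never be used outside a throwaway cluster.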

View File

@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Secret
metadata:
name: external-pg-secret
stringData:
database: 'awx'
host: 'awx-postgres'
password: 'test'
port: '5432'
type: 'managed'
username: 'awx'


View File

@@ -1,3 +1,3 @@
## Author
# Author
This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team

View File

@@ -1,3 +1,3 @@
## Code of Conduct
# Code of Conduct
We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)

View File

@@ -1,3 +1,5 @@
## Contributing
# Contributing
Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
For docs changes, create PRs on the appropriate files in the `/docs` folder.

View File

@@ -1,6 +1,24 @@
## Get Involved
# Get Involved
We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC channel as AWX itself. Here's how to reach us with feedback and questions:
We welcome your feedback, questions and ideas. Here's how to reach the community.
- Join the `#ansible-awx` channel on irc.libera.chat
- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)
## Forum
Join the [Ansible Forum](https://forum.ansible.com) as a single starting point and our default communication platform for questions and help, development discussions, events, and much more. [Register](https://forum.ansible.com/signup?) to join the community. Search by categories and tags to find interesting topics or start a new one; subscribe only to topics you need!
* [Get Help](https://forum.ansible.com/c/help/6): get help or help others. Please add appropriate tags if you start new discussions, for example `awx-operator` and `documentation`.
* [Posts tagged with 'awx-operator'](https://forum.ansible.com/tag/awx-operator): subscribe to participate in project-related conversations.
* [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn) used to announce releases and important changes.
* [Social Spaces](https://forum.ansible.com/c/chat/4): gather and interact with fellow enthusiasts.
* [News & Announcements](https://forum.ansible.com/c/news/5): track project-wide announcements including social events.
For more information on the forum navigation, see [Navigating the Ansible forum](https://forum.ansible.com/t/navigating-the-ansible-forum-tags-categories-and-concepts/39) post.
## Matrix
For real-time interactions, conversations in the community happen over the Matrix protocol in the following channels:
* [#awx:ansible.com](https://matrix.to/#/#awx:ansible.com): AWX and AWX-Operator project-related discussions.
* [#docs:ansible.im](https://matrix.to/#/#docs:ansible.im): Ansible, AWX and AWX-Operator documentation-related discussions.
For more information, see the community-hosted [Matrix FAQ](https://hackmd.io/@ansible-community/community-matrix-faq).

View File

@@ -1,4 +1,4 @@
## Release Process
# Release Process
The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you don't need to do it as a separate step.
@@ -8,18 +8,3 @@ After the draft release is created, publish it and the [Promote AWX Operator ima
- Publish image to Quay
- Release Helm chart
After the GHA is complete, the final step is to run the [publish-to-operator-hub.sh](https://github.com/ansible/awx-operator/blob/devel/hack/publish-to-operator-hub.sh) script, which will create a PR in the following repos to add the new awx-operator bundle version to OperatorHub:
* https://github.com/k8s-operatorhub/community-operators (community operator index)
* https://github.com/redhat-openshift-ecosystem/community-operators-prod (operator index shipped with Openshift)
The usage is documented in the script itself, but here is an example of how you would use the script to publish the 2.5.3 awx-opeator bundle to OperatorHub.
Note that you need to specify the version being released, as well as the previous version. This is because the bundle has a pointer to the previous version that is it being upgrade from. This is used by OLM to create a dependency graph.
```bash
$ VERSION=2.5.3 PREV_VERSION=2.5.2 ./publish-operator.sh
```
> Note: There are some quirks with running this on OS X that still need to be fixed, but the script runs smoothly on linux.
As soon as CI completes successfully, the PR's will be auto-merged. Please remember to monitor those PR's to make sure that CI passes, sometimes it needs a retry.

104
docs/development.md Normal file
View File

@@ -0,0 +1,104 @@
# Development Guide
There are development scripts and yaml examples in the [`dev/`](../dev) directory that, along with the up.sh and down.sh scripts in the root of the repo, can be used to build, deploy and test changes made to the awx-operator.
## Prerequisites
You will need to have the following tools installed:
* [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
* [podman](https://podman.io/docs/installation) or [docker](https://docs.docker.com/get-docker/)
* [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
* [oc](https://docs.openshift.com/container-platform/4.11/cli_reference/openshift_cli/getting-started-cli.html) (if using Openshift)
You will also need to have a container registry account. This guide uses quay.io, but any container registry will work. You will need to create a robot account and login at the CLI with `podman login` or `docker login`.
## Quay.io Setup for Development
Before using the development scripts, you'll need to set up a Quay.io repository and pull secret:
### 1. Create a Private Quay.io Repository
- Go to [quay.io](https://quay.io) and create a private repository named `awx-operator` under your username
- The repository URL should be `quay.io/username/awx-operator`
### 2. Create a Bot Account
- In your Quay.io repository, go to Settings → Robot Accounts
- Create a new robot account with write permissions to your repository
- Click on the robot account name to view its credentials
### 3. Generate Kubernetes Pull Secret
- In the robot account details, click "Kubernetes Secret"
- Copy the generated YAML content from the pop-up
### 4. Create Local Pull Secret File
- Create a file at `hacking/pull-secret.yml` in your awx-operator checkout
- Paste the Kubernetes secret YAML content into this file
- **Important**: Change the `name` field in the secret from the default to `redhat-operators-pull-secret`
- The `hacking/` directory is in `.gitignore`, so this file won't be committed to git
Example `hacking/pull-secret.yml`:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: redhat-operators-pull-secret # Change this name
namespace: awx
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <base64-encoded-credentials>
```
## Build and Deploy
If you clone the repo, and make sure you are logged in at the CLI with oc and your cluster, you can run:
```
export QUAY_USER=username
export NAMESPACE=awx
export TAG=test
./up.sh
```
You can add those variables to your .bashrc file so that you can just run `./up.sh` in the future.
> Note: the first time you run this, it will create quay.io repos on your fork. If you followed the Quay.io setup steps above and created the `hacking/pull-secret.yml` file, the script will automatically handle the pull secret. Otherwise, you will need to either make those repos public, or create a global pull secret on your cluster.
To get the URL, if on **Openshift**, run:
```
$ oc get route
```
On **k8s with ingress**, run:
```
$ kubectl get ing
```
On **k8s with nodeport**, run:
```
$ kubectl get svc
```
The URL is then `http://<Node-IP>:<NodePort>`
> Note: NodePort will only work if you expose that port on your underlying k8s node, or are accessing it from localhost.
By default, the usename and password will be admin and password if using the `up.sh` script because it pre-creates a custom admin password k8s secret and specifies it on the AWX custom resource spec. Without that, a password would have been generated and stored in a k8s secret named <deployment-name>-admin-password.
## Clean up
Same thing for cleanup, just run ./down.sh and it will clean up your namespace on that cluster
```
./down.sh
```
## Running CI tests locally
More tests coming soon...
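Review bot: Steps 2 to 4 under "Quay.io Setup for Development" turn the robot account created "with write permissions" into the cluster pull secret `redhat-operators-pull-secret`, so anything that can read that secret in the `awx` namespace can also push to the repository. Suggest documenting two robot accounts (a write-capable one for the `podman login`/`docker login` used by `up.sh`, a read-only one for `hacking/pull-secret.yml`), or at least stating that the secret is meant for throwaway development clusters. In the paragraph starting "By default, the usename and password will be admin and password", fix the "usename" typo, put `<deployment-name>-admin-password` in backticks so the angle brackets are not parsed as HTML, and say that the fixed `admin`/`password` pair created by `up.sh` is for local development only.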


@@ -1,2 +0,0 @@
The AWX operator is meant to provide a more Kubernetes-native installation method for AWX via an AWX Custom Resource Definition (CRD).

1
docs/index.md Symbolic link

@@ -0,0 +1 @@
../README.md


@@ -1,6 +1,7 @@
### Basic Install
# Basic Install
After cloning this repository, you must choose the tag to run:
```sh
git clone git@github.com:ansible/awx-operator.git
cd awx-operator
@@ -20,17 +21,23 @@ export VERSION=<tag>
export VERSION=2.7.2
```
Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Since kubectl version 1.14 kustomize functionality is built-in (otherwise, follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/ )
Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Since kubectl version 1.14 kustomize functionality is built-in (otherwise, follow the instructions here to install the latest version of Kustomize: <https://kubectl.docs.kubernetes.io/installation/kustomize/>)
> Some things may need to be configured slightly differently for different Kubernetes flavors for the networking aspects. When installing on Kind, see the [kind install docs](./kind-install.md) for more details.
!!! tip
If you don't have a Kubernetes cluster, you can use [Minikube](https://minikube.sigs.k8s.io/docs/) for testing purposes. See the [Minikube install docs](./creating-a-minikube-cluster-for-testing.md) for more details.
!!! note
Some things may need to be configured slightly differently for different Kubernetes flavors for the networking aspects. When installing on Kind, see the [kind install docs](./kind-install.md) for more details.
There is a make target you can run:
```
```sh
make deploy
```
If you have a custom operator image you have built, you can specify it with:
```
```sh
IMG=quay.io/$YOURNAMESPACE/awx-operator:$YOURTAG make deploy
```
@@ -52,11 +59,12 @@ images:
namespace: awx
```
> **TIP:** If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
!!! tip
If you need to change any of the default settings for the operator (such as resources.limits), you can add [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) at the bottom of your kustomization.yaml file.
Install the manifests by running this:
```
```sh
$ kubectl apply -k .
namespace/awx created
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com created
@@ -77,7 +85,7 @@ deployment.apps/awx-operator-controller-manager created
Wait a bit and you should have the `awx-operator` running:
```
```sh
$ kubectl get pods -n awx
NAME READY STATUS RESTARTS AGE
awx-operator-controller-manager-66ccd8f997-rhd4z 2/2 Running 0 11s
@@ -85,13 +93,14 @@ awx-operator-controller-manager-66ccd8f997-rhd4z 2/2 Running 0
So we don't have to keep repeating `-n awx`, let's set the current namespace for `kubectl`:
```
$ kubectl config set-context --current --namespace=awx
```sh
kubectl config set-context --current --namespace=awx
```
Next, create a file named `awx-demo.yml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
**Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
!!! note
If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
```yaml
---
@@ -103,7 +112,8 @@ spec:
service_type: nodeport
```
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](../user-guide/admin-user-account-configuration.md#secret-key-configuration).
!!! tip
It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](../user-guide/admin-user-account-configuration.md#secret-key-configuration).
If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
@@ -118,8 +128,7 @@ spec:
ingress_type: Route
```
Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
Make sure to add this new file to the list of `resources` in your `kustomization.yaml` file:
```yaml
...
@@ -132,19 +141,13 @@ resources:
Finally, apply the changes to create the AWX instance in your cluster:
```
```sh
kubectl apply -k .
```
After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
```
$ kubectl logs -f deployments/awx-operator-controller-manager -c awx-manager
```
After a few seconds, you should see the operator begin to create new resources:
```
```sh
$ kubectl get pods -l "app.kubernetes.io/managed-by=awx-operator"
NAME READY STATUS RESTARTS AGE
awx-demo-77d96f88d5-pnhr8 4/4 Running 0 3m24s
@@ -156,19 +159,19 @@ awx-demo-postgres ClusterIP None <none> 5432/TCP 4m4s
awx-demo-service NodePort 10.109.40.38 <none> 80:31006/TCP 3m56s
```
Once deployed, the AWX instance will be accessible by running:
After a few minutes, the new AWX instance will be deployed. You can look at the operator pod logs in order to know where the installation process is at:
```sh
kubectl logs -f deployments/awx-operator-controller-manager -c awx-manager
```
$ minikube service -n awx awx-demo-service --url
```
Once deployed, your AWX instance should now be reachable at `http://localhost:<assigned-nodeport>/` (in this case, `http://localhost:31006/`).
By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
```
```sh
$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
```
You just completed the most basic install of an AWX instance via this operator. Congratulations!!!
For an example using the Nginx Ingress Controller in Minikube, don't miss our [demo video](https://asciinema.org/a/416946).
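Review bot: The sentence "Once deployed, your AWX instance should now be reachable at `http://localhost:<assigned-nodeport>/`" is stated unconditionally, but a NodePort service is only reachable on localhost when the node's port is exposed on the machine you are browsing from. Suggest qualifying it (for example "if the node port is exposed on your local machine") and pointing at the `kubectl get svc` output above for the assigned port. The sample output under the admin password command also shows a realistic-looking password; a placeholder such as `<generated-password>` would avoid readers mistaking it for a default.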


@@ -1,8 +1,8 @@
### Creating a minikube cluster for testing
# Creating a minikube cluster for testing
If you do not have an existing cluster, the `awx-operator` can be deployed on a [Minikube](https://minikube.sigs.k8s.io/docs/) cluster for testing purposes. Due to different OS and hardware environments, please refer to the official Minikube documentation for further information.
```
```sh
$ minikube start --cpus=4 --memory=6g --addons=ingress
😄 minikube v1.23.2 on Fedora 34
✨ Using the docker driver based on existing profile
@@ -22,7 +22,7 @@ $ minikube start --cpus=4 --memory=6g --addons=ingress
Once Minikube is deployed, check if the node(s) and `kube-apiserver` communication is working as expected.
```
```sh
$ minikube kubectl -- get nodes
NAME STATUS ROLES AGE VERSION
minikube Ready control-plane,master 113s v1.22.2
@@ -45,6 +45,17 @@ It is not required for `kubectl` to be separately installed since it comes alrea
Let's create an alias for easier usage:
```sh
alias kubectl="minikube kubectl --"
```
$ alias kubectl="minikube kubectl --"
```
Now, you can proceed with the installation of the AWX Operator and AWX. Please refer to the [Basic Install](basic-install.md) for further instructions.
!!! tip
Once your AWX has been deployed, the AWX instance will be accessible by running:
```sh
minikube service -n awx awx-demo-service --url
```
For an example using the Nginx Ingress Controller in Minikube, don't miss our [demo video](https://asciinema.org/a/416946).


@@ -1,29 +0,0 @@
### Helm Install on existing cluster
For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
The helm chart is generated from the `helm-chart` Makefile section using the starter files in `.helm/starter`. Consult [the documentation](https://github.com/ansible/awx-operator/blob/devel/.helm/starter/README.md) on how to customize the AWX resource with your own values.
```bash
$ helm repo add awx-operator https://ansible.github.io/awx-operator/
"awx-operator" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "awx-operator" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm search repo awx-operator
NAME CHART VERSION APP VERSION DESCRIPTION
awx-operator/awx-operator 0.17.1 0.17.1 A Helm chart for the AWX Operator
$ helm install -n awx --create-namespace my-awx-operator awx-operator/awx-operator
NAME: my-awx-operator
LAST DEPLOYED: Thu Feb 17 22:09:05 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Helm Chart 0.17.1
```


@@ -1,2 +0,0 @@
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can be used to install and manage the lifecycle of an AWX instance in the same namespace.


@@ -2,9 +2,9 @@
## Kind Install
Install Kind by running the following
Install Kind by running the following. Refer to the [official Kind documentation](https://kind.sigs.k8s.io/docs/user/quick-start/) for more information.
```
```sh
# For Intel Macs
[ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-darwin-amd64
# For M1 / ARM Macs
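Review bot: The install block downloads the `kind` binary with `curl -Lo ./kind ...`, and the lines that follow make it executable and move it into `PATH` with no integrity check. Since this hunk already touches the block and adds the link to the official quick start, suggest adding a step that verifies the download against the checksum published for the release before the `chmod +x`.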
@@ -13,9 +13,6 @@ chmod +x ./kind
mv ./kind /some-dir-in-your-PATH/kind
```
> https://kind.sigs.k8s.io/docs/user/quick-start/
### Create the Kind cluster
Create a file called `kind.config`
@@ -35,40 +32,39 @@ nodes:
Then create a cluster using that config
```
```sh
kind create cluster --config=kind.config
```
Set cluster context for kubectl
```
```sh
kubectl cluster-info --context kind-kind
```
Install NGINX Ingress Controller
```
```sh
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
```
## AWX
Set the namespace context
```
```sh
kubectl config set-context --current --namespace=awx
```
Checkout the tag you want to install from
```
```sh
git checkout 2.7.2
```
Create a file named `kustomization.yaml` in the root of your local awx-operator clone. Include the following:
```
```sh
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
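Review bot: The block under "Create a file named `kustomization.yaml`" is retagged from a bare fence to `sh`, but its content is YAML (`apiVersion: kustomize.config.k8s.io/v1beta1`); it should be tagged `yaml`, as the `awx-cr.yaml` block is in the next hunk. Separately, the ingress-nginx step applies a manifest from the `main` branch (`.../ingress-nginx/main/deploy/static/provider/kind/deploy.yaml`), so what gets installed changes over time; consider pinning that URL to a release tag in the same way the guide pins `git checkout 2.7.2`.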
@@ -86,14 +82,13 @@ namespace: awx
Run the following to apply the yaml
```
```sh
kubectl apply -k .
```
Create a file called `awx-cr.yaml` with the following contents and any configuration changes you may wish to add.
```
```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
@@ -106,20 +101,19 @@ spec:
Create your AWX CR
```
oc create -f awx-cr.yaml
```sh
kubectl create -f awx-cr.yaml
```
Your AWX instance should now be reacheable at http://localhost:32000/
> If you configured a custom nodeport_port, you can find it by running `kubectl -n awx get svc awx-demo-service`
Your AWX instance should now be reachable at <http://localhost:32000/>
!!! note
If you configured a custom `nodeport_port`, you can find it by running `kubectl -n awx get svc awx-demo-service`
## Cleanup
When you are done, you can delete all of this by running
```
```sh
kind delete cluster
```


@@ -19,7 +19,8 @@ stringData:
type: Opaque
```
**Note**: `<resourcename>` must match the `name` of the AWX object you are creating. In our example below, it is `awx`.
!!! note
`<resourcename>` must match the `name` of the AWX object you are creating. In our example below, it is `awx`.
### Old Database Credentials
@@ -41,16 +42,14 @@ stringData:
type: Opaque
```
> For `host`, a URL resolvable by the cluster could look something like `postgresql.<namespace>.svc.<cluster domain>`, where `<namespace>` is filled in with the namespace of the AWX deployment you are migrating data from, and `<cluster domain>` is filled in with the internal kubernretes cluster domain (In most cases it's `cluster.local`).
!!! note
For `host`, a URL resolvable by the cluster could look something like `postgresql.<namespace>.svc.<cluster domain>`, where `<namespace>` is filled in with the namespace of the AWX deployment you are migrating data from, and `<cluster domain>` is filled in with the internal kubernetes cluster domain (In most cases it's `cluster.local`).
If your AWX deployment is already using an external database server or its database is otherwise not managed
by the AWX deployment, you can instead create the same secret as above but omit the `-old-` from the `name`.
In the next section pass it in through `postgres_configuration_secret` instead, omitting the `_old_`
from the key and ensuring the value matches the name of the secret. This will make AWX pick up on the existing
database and apply any pending migrations. It is strongly recommended to backup your database beforehand.
If your AWX deployment is already using an external database server or its database is otherwise not managed by the AWX deployment, you can instead create the same secret as above but omit the `-old-` from the `name`.
In the next section pass it in through `postgres_configuration_secret` instead, omitting the `_old_` from the key and ensuring the value matches the name of the secret. This will make AWX pick up on the existing database and apply any pending migrations.
It is strongly recommended to backup your database beforehand.
The postgresql pod for the old deployment is used when streaming data to the new postgresql pod. If your postgresql pod has a custom label,
you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
The postgresql pod for the old deployment is used when streaming data to the new postgresql pod. If your postgresql pod has a custom label, you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
## Deploy AWX
@@ -66,7 +65,16 @@ spec:
secret_key_secret: <resourcename>-secret-key
...
```
### Exclude postgreSQL tables during migration (optional)
Use the `pg_dump_suffix` parameter under `AWX.spec` to customize the pg_dump command that will execute during migration. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example, to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
```
pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
```
## Important Note
If you intend to put all the above in one file, make sure to separate each block with three dashes like so:
```yaml
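Review bot: The new "Exclude postgreSQL tables during migration" section does not say what happens to the excluded data: with `--exclude-table-data` the rows of `main_jobevent*` and `main_job` are not carried over to the new deployment, which deserves an explicit sentence because this runs during a migration, not a backup (the text says "decrease the size of the backup"). Because `pg_dump_suffix` is appended as-is to the end of the pg_dump command, the section should also say that the value is trusted input and should only be set by whoever controls the AWX spec. Nits: tag the fence as `yaml` like the other blocks in this change, and capitalise "PostgreSQL" in the heading.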
@@ -79,4 +87,5 @@ If you intend to put all the above in one file, make sure to separate each block
---
# AWX Config
```
Failing to do so will lead to an inoperable setup.


@@ -94,7 +94,7 @@ mkdocs==1.5.3
# mkdocs-minify-plugin
# mkdocs-monorepo-plugin
# mkdocstrings
mkdocs-ansible==24.3.0
mkdocs-ansible==24.3.1
# via -r requirements.in
mkdocs-autorefs==0.5.0
# via mkdocstrings
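Review bot: Please confirm this lock file was regenerated from `requirements.in` and not edited by hand: the `# via -r requirements.in` comments show it is generated, yet only the `mkdocs-ansible` line moves (24.3.0 to 24.3.1), so the transitive pins may no longer match what the new version resolves to.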


@@ -4,13 +4,14 @@
When the operator is deploying AWX, it is running the `installer` role inside the operator container. If the AWX CR's status is `Failed`, it is often useful to look at the awx-operator container logs, which shows the output of the installer role. To see these logs, run:
```
```sh
kubectl logs deployments/awx-operator-controller-manager -c awx-manager -f
```
### Inspect k8s Resources
Past that, it is often useful to inspect various resources the AWX Operator manages like:
* awx
* awxbackup
* awxrestore
@@ -23,15 +24,9 @@ Past that, it is often useful to inspect various resources the AWX Operator mana
* secrets
* serviceaccount
And if installing via OperatorHub and OLM:
* subscription
* csv
* installPlan
* catalogSource
To inspect these resources you can use these commands
```
```sh
# Inspecting k8s resources
kubectl describe -n <namespace> <resource> <resource-name>
kubectl get -n <namespace> <resource> <resource-name> -o yaml
@@ -41,7 +36,6 @@ kubectl logs -n <namespace> <resource> <resource-name>
kubectl exec -it -n <namespace> <pod> <pod-name>
```
### Configure No Log
It is possible to show task output for debugging by setting no_log to false on the AWX CR spec.
@@ -49,7 +43,7 @@ This will show output in the awx-operator logs for any failed tasks where no_log
For example:
```
```sh
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
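Review bot: The AWX CR example after "For example:" is retagged `sh`, but the block is YAML (`---`, `apiVersion: awx.ansible.com/v1beta1`, `kind: AWX`); use `yaml`. While this section is being touched, "Configure No Log" should also warn that setting `no_log` to false puts task output, which can include secret values, into the awx-operator logs, and that the setting should be reverted once debugging is done.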
@@ -63,19 +57,19 @@ spec:
## Iterating on the installer without deploying the operator
Go through the [normal basic install](https://github.com/ansible/awx-operator/blob/devel/README.md#basic-install) steps.
Go through the [normal basic install](../installation/basic-install.md) steps.
Install some dependencies:
```
$ ansible-galaxy collection install -r molecule/requirements.yml
$ pip install -r molecule/requirements.txt
```sh
ansible-galaxy collection install -r molecule/requirements.yml
pip install -r molecule/requirements.txt
```
To prevent the changes we're about to make from being overwritten, scale down any running instance of the operator:
```
$ kubectl scale deployment awx-operator-controller-manager --replicas=0
```sh
kubectl scale deployment awx-operator-controller-manager --replicas=0
```
Create a playbook that invokes the installer role (the operator uses ansible-runner's role execution feature):
@@ -96,8 +90,11 @@ Create a vars file:
ansible_operator_meta:
name: awx
namespace: awx
set_self_labels: false
update_status: false
service_type: nodeport
```
The vars file will replace the awx resource so any value that you wish to over ride using the awx resource, put in the vars file. For example, if you wish to use your own image, version and pull policy, you can specify it like below:
```yaml
@@ -106,6 +103,8 @@ The vars file will replace the awx resource so any value that you wish to over r
ansible_operator_meta:
name: awx
namespace: awx
set_self_labels: false
update_status: false
service_type: nodeport
image: $DEV_DOCKER_TAG_BASE/awx_kube_devel
image_pull_policy: Always
@@ -114,14 +113,13 @@ image_version: $COMPOSE_TAG
Run the installer:
```
$ ansible-playbook run.yml -e @vars.yml -v
```sh
ansible-playbook run.yml -e @vars.yml -v
```
Grab the URL and admin password:
```
$ minikube service awx-service --url -n awx
$ minikube kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode
```sh
$ kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}" | base64 --decode ; echo
LU6lTfvnkjUvDwL240kXKy1sNhjakZmT
```
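Review bot: In "Grab the URL and admin password", the `kubectl get secret awx-admin-password -- -o jsonpath="{.data.password}"` line keeps the `--` that only made sense in the `minikube kubectl get secret ... -- -o ...` form. With plain `kubectl`, `--` ends option parsing, so `-o` and the jsonpath expression are read as positional arguments and the command does not return the password; drop the `--`. The heading still promises the URL, but the only command that prints it is the `minikube service awx-service --url -n awx` line, so either keep an equivalent or rename the step. The sample output also shows a realistic-looking password where a placeholder would do.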


@@ -1,12 +1,13 @@
### Uninstall ###
# Uninstall
To uninstall an AWX deployment instance, you basically need to remove the AWX kind related to that instance. For example, to delete an AWX instance named awx-demo, you would do:
```
```sh
$ kubectl delete awx awx-demo
awx.awx.ansible.com "awx-demo" deleted
```
Deleting an AWX instance will remove all related deployments and statefulsets, however, persistent volumes and secrets will remain. To enforce secrets also getting removed, you can use `garbage_collect_secrets: true`.
**Note**: If you ever intend to recover an AWX from an existing database you will need a copy of the secrets in order to perform a successful recovery.
!!! note
If you ever intend to recover an AWX from an existing database you will need a copy of the secrets in order to perform a successful recovery.


@@ -1,4 +1,4 @@
### Upgrading
# Upgrading
To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX. To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `DEFAULT_AWX_VERSION` variable for that particular release. You can do so by running the following command
@@ -7,9 +7,9 @@ AWX_OPERATOR_VERSION=2.8.0
docker run --entrypoint="" quay.io/ansible/awx-operator:$AWX_OPERATOR_VERSION bash -c "env | grep DEFAULT_AWX_VERSION"
```
Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
Make sure you have a backup before upgrading, then upgrade operator by invoking `make deploy` on the desired tag or by applying the `kustomization.yaml` that contains desired version of the operator, and in turn also upgrade your AWX deployment.
#### Backup
## Backup
The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets.
@@ -20,7 +20,7 @@ In the event you need to recover the backup see the [restore role documentation]
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
#### PostgreSQL Upgrade Considerations
## PostgreSQL Upgrade Considerations
If there is a PostgreSQL major version upgrade, after the data directory on the PVC is migrated to the new version, the old PVC is kept by default.
This provides the ability to roll back if needed, but can take up extra storage space in your cluster unnecessarily. You can configure it to be deleted automatically after a successful upgrade by setting the following variable on the AWX spec.
@@ -30,28 +30,27 @@ spec:
postgres_keep_pvc_after_upgrade: False
```
#### v0.14.0
## Caveats for upgrading to v0.14.0
##### Cluster-scope to Namespace-scope considerations
### Cluster-scope to Namespace-scope considerations
Starting with awx-operator 0.14.0, AWX can only be deployed in the namespace that the operator exists in. This is called a namespace-scoped operator. If you are upgrading from an earlier version, you will want to
delete your existing `awx-operator` service account, role and role binding.
Starting with awx-operator 0.14.0, AWX can only be deployed in the namespace that the operator exists in. This is called a namespace-scoped operator. If you are upgrading from an earlier version, you will want to delete your existing `awx-operator` service account, role and role binding.
##### Project is now based on v1.x of the operator-sdk project
### Project is now based on v1.x of the operator-sdk project
Starting with awx-operator 0.14.0, the project is now based on operator-sdk 1.x. You may need to manually delete your old operator Deployment to avoid issues.
##### Steps to upgrade
### Steps to upgrade to v0.14.0
Delete your old AWX Operator and existing `awx-operator` service account, role and role binding in `default` namespace first:
```
$ kubectl -n default delete deployment awx-operator
$ kubectl -n default delete serviceaccount awx-operator
$ kubectl -n default delete clusterrolebinding awx-operator
$ kubectl -n default delete clusterrole awx-operator
```sh
kubectl -n default delete deployment awx-operator
kubectl -n default delete serviceaccount awx-operator
kubectl -n default delete clusterrolebinding awx-operator
kubectl -n default delete clusterrole awx-operator
```
Then install the new AWX Operator by following the instructions in [Basic Install](#basic-install-on-existing-cluster). The `NAMESPACE` environment variable have to be the name of the namespace in which your old AWX instance resides.
Then install the new AWX Operator by following the instructions in [Basic Install](../installation/basic-install.md). The `NAMESPACE` environment variable have to be the name of the namespace in which your old AWX instance resides.
Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
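Review bot: In "Steps to upgrade to v0.14.0", the sentence says to delete the "service account, role and role binding in `default` namespace", but the commands delete `clusterrolebinding` and `clusterrole`, which are cluster-scoped, so `-n default` has no effect on those two lines and the prose does not match what is actually removed. Suggest dropping `-n default` from those lines and naming the ClusterRole and ClusterRoleBinding in the sentence, so readers know they are removing cluster-wide RBAC objects. Nit in the rewritten Basic Install link line: "The `NAMESPACE` environment variable have to be" should read "has to be".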


@@ -1,15 +1,15 @@
### Admin user account configuration
# Admin user account configuration
There are three variables that are customizable for the admin user account creation.
| Name | Description | Default |
| --------------------- | -------------------------------------------- | ---------------- |
| admin_user | Name of the admin user | admin |
| admin_email | Email of the admin user | test@example.com |
| admin_password_secret | Secret that contains the admin user password | Empty string |
| Name | Description | Default |
| --------------------- | -------------------------------------------- | ------------------ |
| admin_user | Name of the admin user | `admin` |
| admin_email | Email of the admin user | `test@example.com` |
| admin_password_secret | Secret that contains the admin user password | Empty string |
> :warning: **admin_password_secret must be a Kubernetes secret and not your text clear password**.
!!! warning
`admin_password_secret` must be a Kubernetes secret and not your text clear password.
If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
@@ -28,16 +28,16 @@ stringData:
password: mysuperlongpassword
```
### Secret Key Configuration
## Secret Key Configuration
This key is used to encrypt sensitive data in the database.
| Name | Description | Default |
| ----------------- | ----------------------------------------------------- | ---------------- |
| secret_key_secret | Secret that contains the symmetric key for encryption | Generated |
| secret_key_secret | Secret that contains the symmetric key for encryption | Generated |
> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
!!! warning
`secret_key_secret` must be a Kubernetes secret and not your text clear secret value.
If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.


@@ -1,4 +0,0 @@
### Adding Execution Nodes
Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
See [Managing Capacity With Instances](https://ansible.readthedocs.io/projects/awx/en/latest/administration/instances.html) chapter of the AWX Administration Guide for information about this feature.


@@ -1,4 +1,4 @@
#### Assigning AWX pods to specific nodes
# Assigning AWX pods to specific nodes
You can constrain the AWX pods created by the operator to run on a certain subset of nodes. `node_selector` and `postgres_selector` constrains
the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
@@ -6,8 +6,8 @@ pods to be scheduled onto nodes with matching taints.
The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
If you want to use affinity rules for your AWX pod you can use the `affinity` option.
If you want to constrain the web and task pods individually, you can do so by specificying the deployment type before the specific setting. For
example, specifying `task_tolerations` will allow the AWX task pod to be scheduled onto nodes with matching taints.
If you want to constrain the web and task pods individually, you can do so by specifying the deployment type before the specific setting. For
example, specifying `task_tolerations` will allow the AWX task pod to be scheduled onto nodes with matching taints.
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | -------------------------------- |
@@ -88,3 +88,8 @@ spec:
- S2
topologyKey: topology.kubernetes.io/zone
```
## Special Note on DB-Migration Job Scheduling
For the **db-migration job**, which applies database migrations at cluster startup, you can specify scheduling settings using the `task_*` configurations such as `task_node_selector`, `task_tolerations`, etc.
If these task-specific settings are not defined, the job will automatically use the global AWX configurations like `node_selector` and `tolerations`.


@@ -1,10 +1,10 @@
#### Auto upgrade
# Auto upgrade
With this parameter you can influence the behavior during an operator upgrade.
If set to `true`, the operator will upgrade the specific instance directly.
When the value is set to `false`, and we have a running deployment, the operator will not update the AWX instance.
This can be useful when you have multiple AWX instances which you want to upgrade step by step instead of all at once.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| auto_upgrade | Automatic upgrade of AWX instances | true |
@@ -12,11 +12,11 @@ This can be useful when you have multiple AWX instances which you want to upgrad
Example configuration of `auto_upgrade` parameter
```yaml
spec:
auto_upgrade: true
spec:
auto_upgrade: true
```
##### Upgrade of instances without auto upgrade
## Upgrade of instances without auto upgrade
There are two ways to upgrade instances which are marked with the 'auto_upgrade: false' flag.
@@ -28,8 +28,10 @@ Changing flags:
Delete the deployment:
- delete the deployment object of your AWX instance
```
$ kubectl -n awx delete deployment <yourInstanceName>
```
- wait until the instance gets redeployed
- delete the deployment object of your AWX instance
```sh
kubectl -n awx delete deployment <yourInstanceName>
```
- wait until the instance gets redeployed


@@ -1,19 +1,20 @@
#### Container Probes
# Container Probes
These parameters control the usage of liveness and readiness container probes for
the web and task containers.
> [!ALERT]
> All of probes are disabled by default for now, to enable it, set the *_period parameters. For example:
!!! tip
All of probes are disabled by default for now, to enable it, set the `*_period` parameters. For example:
```
```yaml
spec:
web_liveness_period: 15
web_readiness_period: 15
task_liveness_period: 15
task_readiness_period: 15
```
web_liveness_period: 15
web_readiness_period: 15
task_liveness_period: 15
task_readiness_period: 15
```
#### Web / Task Container Liveness Check
## Web / Task Container Liveness Check
The liveness probe queries the status of the supervisor daemon of the container. The probe will fail if it
detects one of the services in a state other than "RUNNING".
@@ -29,7 +30,7 @@ detects one of the services in a state other than "RUNNING".
| task_liveness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| task_liveness_timeout | Number of seconds to wait for a probe response from container | 1 |
#### Web Container Readiness Check
## Web Container Readiness Check
This is an HTTP check against the status endpoint to confirm the system is still able to respond to web requests.
@@ -40,7 +41,7 @@ This is an HTTP check against the status endpoint to confirm the system is still
| web_readiness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| web_readiness_timeout | Number of seconds to wait for a probe response from container | 1 |
#### Task Container Readiness Check
## Task Container Readiness Check
This is a command probe using the builtin check command of the awx-manage utility.


@@ -1,24 +1,4 @@
#### Containers HostAliases Requirements
Sometimes you might need to use [HostAliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) in web/task containers.
| Name | Description | Default |
| ------------ | --------------------- | ------- |
| host_aliases | A list of HostAliases | None |
Example of customization could be:
```yaml
---
spec:
...
host_aliases:
- ip: <name-of-your-ip>
hostnames:
- <name-of-your-domain>
```
#### Containers Resource Requirements
# Containers Resource Requirements
The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits).
@@ -26,13 +6,12 @@ The resource requirements for both, the task and the web containers are configur
| ------------------------------------ | ------------------------------------------------------------ | ------------------------------------ |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 50m, memory: 64Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 50m, memory: 64Mi} |
| redis_resource_requirements | Redis container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| postgres_resource_requirements | Postgres container (and initContainer) resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| rsyslog_resource_requirements | Rsyslog container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| init_container_resource_requirements | Init Container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
Example of customization could be:
```yaml
@@ -86,8 +65,7 @@ spec:
memory: 2Gi
```
#### Limits and ResourceQuotas
## Limits and ResourceQuotas
If the cluster you are deploying in has a ResoruceQuota, you will need to configure resource limits for all of the pods deployed in that cluster. This can be done for AWX pods on the AWX spec in the manner shown above.
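Review bot: The paragraph directly under the renamed "Limits and ResourceQuotas" heading still spells the object as "ResoruceQuota". Since the heading above it is being edited in this hunk, fix the spelling to "ResourceQuota" in the same pass so the term matches the heading and the Kubernetes object name.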


@@ -1,4 +1,4 @@
#### CSRF Cookie Secure Setting
# CSRF Cookie Secure Setting
With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py`
@@ -9,6 +9,6 @@ With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/
Example configuration of the `csrf_cookie_secure` setting:
```yaml
spec:
csrf_cookie_secure: 'False'
spec:
csrf_cookie_secure: 'False'
```
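Review bot: The only example for `csrf_cookie_secure` in this hunk sets it to `'False'`, which removes the Secure attribute from the CSRF cookie, and nothing nearby says when that is acceptable. While the example is being re-indented, add a sentence stating the case it is meant for (for example a plain-HTTP test deployment) so the value is not copied into a deployment served over HTTPS, or show the secure value in the example and mention `'False'` only in the prose.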


@@ -1,5 +1,4 @@
### Custom Receptor CA
# Custom Receptor CA
The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
@@ -21,4 +20,5 @@ If this secret is created after AWX is deployed, run the following to restart th
kubectl rollout restart deployment awx-demo
```
**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.
!!! warning
Changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.


@@ -1,4 +1,4 @@
#### Custom Volume and Volume Mount Options
# Custom Volume and Volume Mount Options
In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
@@ -12,7 +12,6 @@ In a scenario where custom volumes and volume mounts are required to either over
| init_container_extra_volume_mounts | Specify volume mounts to be added to Init container | '' |
| init_container_extra_commands | Specify additional commands for Init container | '' |
!!! warning
The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
@@ -31,10 +30,8 @@ data:
remote_tmp = /tmp
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
custom.py: |
INSIGHTS_URL_BASE = "example.org"
AWX_CLEANUP_PATHS = True
```
Example spec file for volumes and volume mounts
```yaml
@@ -49,13 +46,6 @@ spec:
- key: ansible.cfg
path: ansible.cfg
name: <resourcename>-extra-config
- name: custom-py
configMap:
defaultMode: 420
items:
- key: custom.py
path: custom.py
name: <resourcename>-extra-config
- name: shared-volume
persistentVolumeClaim:
claimName: my-external-volume-claim
@@ -73,24 +63,13 @@ spec:
- name: ansible-cfg
mountPath: /etc/ansible/ansible.cfg
subPath: ansible.cfg
web_extra_volume_mounts: |
- name: custom-py
mountPath: /etc/tower/conf.d/custom.py
subPath: custom.py
task_extra_volume_mounts: |
- name: custom-py
mountPath: /etc/tower/conf.d/custom.py
subPath: custom.py
- name: shared-volume
mountPath: /shared
```
!!! warning
**Volume and VolumeMount names cannot contain underscores(_)**
##### Custom UWSGI Configuration
## Custom UWSGI Configuration
We allow the customization of two UWSGI parameters:
* [processes](https://uwsgi-docs.readthedocs.io/en/latest/Options.html#processes) with `uwsgi_processes` (default 5)
@@ -110,7 +89,7 @@ requests (more than 128) tend to come in a short period of time, but can all be
handled before any other time outs may apply. Also see related nginx
configuration.
##### Custom Nginx Configuration
## Custom Nginx Configuration
Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it is possible to extend the nginx.conf.
@@ -131,20 +110,63 @@ may allow the web pods to handle more "bursty" request patterns if many
requests (more than 128) tend to come in a short period of time, but can all be
handled before any other time outs may apply. Also see related uwsgi
configuration.
* [worker_processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes) with `nginx_worker_processes` (default of 1)
* [worker_cpu_affinity](http://nginx.org/en/docs/ngx_core_module.html#worker_cpu_affinity) with `nginx_worker_cpu_affinity` (default "auto")
* [worker_connections](http://nginx.org/en/docs/ngx_core_module.html#worker_connections) with `nginx_worker_connections` (minimum of 1024)
* [listen](https://nginx.org/en/docs/http/ngx_http_core_module.html#listen) with `nginx_listen_queue_size` (default same as uwsgi listen queue size)
* [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) with `nginx_client_max_body_size` (default of 5M)
## Custom Logos
##### Custom Favicon
You can use custom volume mounts to mount in your own logos to be displayed instead of the AWX logo.
There are two different logos, one to be displayed on page headers, and one for the login screen.
You can use custom volume mounts to mount in your own favicon to be displayed in your AWX browser tab.
First, Create the configmap from a local favicon.ico file.
First, create configmaps for the logos from local `logo-login.svg` and `logo-header.svg` files.
```bash
$ oc create configmap favicon-configmap --from-file favicon.ico
kubectl create configmap logo-login-configmap --from-file logo-login.svg
kubectl create configmap logo-header-configmap --from-file logo-header.svg
```
Then specify the extra_volume and web_extra_volume_mounts on your AWX CR spec
```yaml
---
spec:
...
extra_volumes: |
- name: logo-login
configMap:
defaultMode: 420
items:
- key: logo-login.svg
path: logo-login.svg
name: logo-login-configmap
- name: logo-header
configMap:
defaultMode: 420
items:
- key: logo-header.svg
path: logo-header.svg
name: logo-header-configmap
web_extra_volume_mounts: |
- name: logo-login
mountPath: /var/lib/awx/public/static/media/logo-login.svg
subPath: logo-login.svg
- name: logo-header
mountPath: /var/lib/awx/public/static/media/logo-header.svg
subPath: logo-header.svg
```
## Custom Favicon
You can also use custom volume mounts to mount in your own favicon to be displayed in your AWX browser tab.
First, create the configmap from a local `favicon.ico` file.
```bash
kubectl create configmap favicon-configmap --from-file favicon.ico
```
Then specify the extra_volume and web_extra_volume_mounts on your AWX CR spec
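Review bot: The sentence "Then specify the extra_volume and web_extra_volume_mounts on your AWX CR spec" is used for both the new Custom Logos section and the Custom Favicon section, but the key in the YAML that follows is `extra_volumes`, not `extra_volume`. Write both names in backticks and spell them as they appear in the spec (`extra_volumes`, `web_extra_volume_mounts`); a reader who types the singular form gets no mount and no obvious error in the docs to explain why.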
@@ -166,3 +188,7 @@ spec:
mountPath: /var/lib/awx/public/static/media/favicon.ico
subPath: favicon.ico
```
## Custom AWX Configuration
Refer to the [Extra Settings](./extra-settings.md) documentation for customizing the AWX configuration.


@@ -1,43 +0,0 @@
#### Default execution environments from private registries
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
The secret should be formatted as follows:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: <resourcename>-ee-pull-credentials
namespace: <target namespace>
stringData:
url: <registry url. i.e. quay.io>
username: <username to connect as>
password: <password to connect with>
ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
type: Opaque
```
##### Control plane ee from private registry
The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
You can create `image_pull_secret`
```
kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
```
If you need more control (for example, to set a namespace or a label on the new secret) then you can customize the Secret before storing it
Example spec file extra-config
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: <resoucename>-cp-pull-credentials
namespace: <target namespace>
data:
.dockerconfigjson: <base64 docker config>
type: kubernetes.io/dockerconfigjson
```


@@ -1,20 +1,23 @@
#### Deploying a specific version of AWX
# Using images from private registries
There are a few variables that are customizable for awx the image management.
## Available variables to use images from private registries
| Name | Description | Default |
| ----------------------------- | ------------------------- | ------------------------------------------ |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
| control_plane_ee_image | Image version to pull | quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION |
| init_container_image | Path of the image to pull | quay.io/ansible/awx-ee |
| init_container_image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| init_projects_container_image | Image version to pull | quay.io/centos/centos:stream9 |
There are variables that are customizable for awx the image management.
| Name | Description | Default |
| ----------------------------- | ----------------------------- | ------------------------------------------ |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION |
| ee_pull_credentials_secret | The pull secret for ee_images | None |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
| control_plane_ee_image | Image version to pull | quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION |
| init_container_image | Path of the image to pull | quay.io/ansible/awx-ee |
| init_container_image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| init_projects_container_image | Image version to pull | quay.io/centos/centos:stream9 |
Example of customization could be:
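Review bot: In the reworked variables table, `control_plane_ee_image` and `init_projects_container_image` are still described as "Image version to pull" although their defaults (`quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION`, `quay.io/centos/centos:stream9`) are full image references, not version strings. Please correct those two descriptions while the table is being realigned. The intro line "There are variables that are customizable for awx the image management." also reads garbled; something like "The following variables control which images are pulled." would do. Finally, the page title changes to "Using images from private registries" but the first table mostly covers image paths and versions, so a short sentence tying the two together would help.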
@@ -36,4 +39,52 @@ spec:
init_projects_container_image: myorg/my-mirrored-centos:stream9
```
**Note**: The `image` and `image_version` are intended for local mirroring scenarios. Please note that using a version of AWX other than the one bundled with the `awx-operator` is **not** supported. For the default values, check the [main.yml](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml) file.
!!! warning
The `image` and `image_version` are intended for local mirroring scenarios. Please note that using a version of AWX other than the one bundled with the `awx-operator` is **not** supported. For the default values, check the [main.yml](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml) file.
## Default execution environments from private registries
In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
The secret should be formatted as follows:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: <resourcename>-ee-pull-credentials
namespace: <target namespace>
stringData:
url: <registry url. i.e. quay.io>
username: <username to connect as>
password: <password to connect with>
ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
type: Opaque
```
## Control plane ee from private registry
The images listed in `ee_images` will be added as globally available Execution Environments. The `control_plane_ee_image` will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secrets` to provide a list of k8s pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.
You can create `image_pull_secret`
```sh
kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
```
If you need more control (for example, to set a namespace or a label on the new secret) then you can customize the Secret before storing it
Example spec file extra-config
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: <resoucename>-cp-pull-credentials
namespace: <target namespace>
data:
.dockerconfigjson: <base64 docker config>
type: kubernetes.io/dockerconfigjson
```
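Review bot: The command carried over into "Control plane ee from private registry" is not a valid way to create a pull secret: `kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=...` omits the `docker-registry` secret type and has a stray `regcred` argument, so it will not create a registry secret as written. Since the block is being re-fenced as `sh` here, correct it to the `kubectl create secret docker-registry <name> --docker-server=... --docker-username=...` form and fix the `resoucename` spelling, which also appears in the Secret manifest's `metadata.name` below. It is also worth one sentence noting that `--docker-password` on the command line is recorded in shell history, which the manifest route shown afterwards avoids. The prose says `image_pull_secret` while the parameter in the table is `image_pull_secrets`.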


@@ -1,12 +1,13 @@
### Disable IPV6
Starting with AWX Operator release 0.24.0,[IPV6 was enabled in ngnix configuration](https://github.com/ansible/awx-operator/pull/950) which causes
# Disable IPv6
Starting with AWX Operator release 0.24.0, [IPv6 was enabled in ngnix configuration](https://github.com/ansible/awx-operator/pull/950) which causes
upgrades and installs to fail in environments where IPv6 is not allowed. Starting in 1.1.1 release, you can set the `ipv6_disabled` flag on the AWX
spec. If you need to use an AWX operator version between 0.24.0 and 1.1.1 in an IPv6 disabled environment, it is suggested to enabled ipv6 on worker
nodes.
In order to disable ipv6 on ngnix configuration (awx-web container), add following to the AWX spec.
The following variables are customizable
The following variables are customizable:
| Name | Description | Default |
| ------------- | ---------------------- | ------- |
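Review bot: The rewritten first sentence fixes the "IPv6" casing and the missing space after the comma, but nginx is still spelled "ngnix", both in the link text and in "disable ipv6 on ngnix configuration". Please fix both occurrences in this change. In the same paragraph, "it is suggested to enabled ipv6 on worker nodes" should read "to enable IPv6", and the remaining lowercase "ipv6" instances should match the new heading.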


@@ -1,10 +1,97 @@
#### Enabling LDAP Integration at AWX bootstrap
# Enabling LDAP Integration at AWX bootstrap (Deprecated)
A sample of extra settings can be found as below. All possible options can be found here: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings
A sample of extra settings can be found as below. All possible options can be found here: <https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings>
> **NOTE:** These values are inserted into a Python file, so pay close attention to which values need quotes and which do not.
Refer to the [Extra Settings](./extra-settings.md) page for more information on how to configure extra settings.
!!! tip
To trust a custom Certificate Authority for your LDAP server, or to specify password LDAP bind DN, refer to the [Trusting a Custom Certificate Authority](./trusting-a-custom-certificate-authority.md) page.
## Configure LDAP integration via `extra_settings_files`
Create a Python file with arbitrary name, e.g. `custom_ldap_settings.py`, and add the following content for example:
```python title="custom_ldap_settings.py"
AUTH_LDAP_SERVER_URI = "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
AUTH_LDAP_BIND_DN = "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"DC=abc,DC=com",
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)",
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"OU=Groups,DC=abc,DC=com",
ldap.SCOPE_SUBTREE,
"(objectClass=group)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
}
AUTH_LDAP_REQUIRE_GROUP = "CN=operators,OU=Groups,DC=abc,DC=com"
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_superuser": ["CN=admin,OU=Groups,DC=abc,DC=com"],
}
AUTH_LDAP_ORGANIZATION_MAP = {
"abc": {
"admins": "CN=admin,OU=Groups,DC=abc,DC=com",
"remove_admins": False,
"remove_users": False,
"users": True,
}
}
AUTH_LDAP_TEAM_MAP = {
"admin": {
"organization": "abc",
"remove": True,
"users": "CN=admin,OU=Groups,DC=abc,DC=com",
}
}
```
Create a ConfigMap with the content of the above Python file.
```bash
kubectl create configmap custom-ldap-settings \
--from-file /PATH/TO/YOUR/custom_ldap_settings.py
```
Then specify this ConfigMap to the `extra_settings_files` parameter.
```yaml
spec:
extra_settings_files:
configmaps:
- name: custom-ldap-settings
key: custom_ldap_settings.py
```
!!! note
If you have embedded some sensitive information like passwords in the Python file, you can create and pass a Secret instead of a ConfigMap.
```bash
kubectl create secret generic custom-ldap-settings \
--from-file /PATH/TO/YOUR/custom_ldap_settings.py
```
```yaml
spec:
extra_settings_files:
secrets:
- name: custom-ldap-settings
key: custom_ldap_settings.py
```
## Configure LDAP integration via `extra_settings`
!!! note
These values are inserted into a Python file, so pay close attention to which values need quotes and which do not.
```yaml
spec:
extra_settings:
- setting: AUTH_LDAP_SERVER_URI
value: >-
"ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636"
@@ -35,7 +122,6 @@ A sample of extra settings can be found as below. All possible options can be fo
]
}
- setting: AUTH_LDAP_ORGANIZATION_MAP
value: {
"abc": {

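Review bot: In the new "Configure LDAP integration via `extra_settings_files`" section, the `custom_ldap_settings.py` sample calls `LDAPSearch(...)`, `ldap.SCOPE_SUBTREE` and `GroupOfNamesType()` without any imports, and the text does not say whether those names are already in scope when a file from `extra_settings_files` is loaded. Either add the imports to the sample or state explicitly that they are provided, otherwise a reader cannot tell whether the file works as shown. Two smaller points in the same section: the tip reads "to specify password LDAP bind DN", which looks like it should be "to specify the LDAP bind DN password"; and since the sample sets `AUTH_LDAP_BIND_DN`, consider presenting the Secret variant as the primary path rather than as a note after the ConfigMap one.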

@@ -1,4 +1,4 @@
#### Exporting Environment Variables to Containers
# Exporting Environment Variables to Containers
If you need to export custom environment variables to your containers.
@@ -9,7 +9,8 @@ If you need to export custom environment variables to your containers.
| rsyslog_extra_env | Environment variables to be added to Rsyslog container | '' |
| ee_extra_env | Environment variables to be added to EE container | '' |
> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
!!! warning
The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
Example configuration of environment variables


@@ -1,30 +1,120 @@
#### Extra Settings
# Extra Settings
With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings` will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter.
With `extra_settings` and `extra_settings_files`, you can pass multiple custom settings to AWX via the AWX Operator.
| Name | Description | Default |
| -------------- | -------------- | ------- |
| extra_settings | Extra settings | '' |
!!! note
Parameters configured in `extra_settings` or `extra_settings_files` are set as read-only settings in AWX. As a result, they cannot be changed in the UI after deployment.
**Note:** Parameters configured in `extra_settings` are set as read-only settings in AWX. As a result, they cannot be changed in the UI after deployment. If you need to change the setting after the initial deployment, you need to change it on the AWX CR spec.
If you need to change the setting after the initial deployment, you need to change it on the AWX CR spec (for `extra_settings`) or corresponding ConfigMap or Secret (for `extra_settings_files`). After updating ConfigMap or Secret, you need to restart the AWX pods to apply the changes.
!!! note
If the same setting is set in both `extra_settings` and `extra_settings_files`, the setting in `extra_settings_files` will take precedence.
## Add extra settings with `extra_settings`
You can pass extra settings by specifying the pair of the setting name and value as the `extra_settings` parameter.
The settings passed via `extra_settings` will be appended to the `/etc/tower/settings.py`.
| Name | Description | Default |
| -------------- | -------------- | --------- |
| extra_settings | Extra settings | `[]` |
Example configuration of `extra_settings` parameter
```yaml
spec:
extra_settings:
- setting: MAX_PAGE_SIZE
value: "500"
spec:
extra_settings:
- setting: MAX_PAGE_SIZE
value: "500"
- setting: AUTH_LDAP_BIND_DN
value: "cn=admin,dc=example,dc=com"
# LDAP is deprecated
- setting: AUTH_LDAP_BIND_DN
value: "cn=admin,dc=example,dc=com"
- setting: LOG_AGGREGATOR_LEVEL
value: "'DEBUG'"
- setting: LOG_AGGREGATOR_LEVEL
value: "'DEBUG'"
```
Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
!!! tip
Alternatively, you can pass any additional settings by mounting ConfigMaps or Secrets of the python files (`*.py`) that contain custom settings to under `/etc/tower/conf.d/` in the web and task pods.
See the example of `custom.py` in the [Custom Volume and Volume Mount Options](custom-volume-and-volume-mount-options.md) section.
## Add extra settings with `extra_settings_files`
You can pass extra settings by specifying the additional settings files in the ConfigMaps or Secrets as the `extra_settings_files` parameter.
The settings files passed via `extra_settings_files` will be mounted as the files under the `/etc/tower/conf.d`.
| Name | Description | Default |
| -------------------- | -------------------- | --------- |
| extra_settings_files | Extra settings files | `{}` |
!!! note
If the same setting is set in multiple files in `extra_settings_files`, it would be difficult to predict which would be adopted since these files are loaded in arbitrary order that [`glob`](https://docs.python.org/3/library/glob.html) returns. For a reliable setting, do not include the same key in more than one file.
Create ConfigMaps or Secrets that contain custom settings files (`*.py`).
```python title="custom_job_settings.py"
AWX_TASK_ENV = {
"HTTPS_PROXY": "http://proxy.example.com:3128",
"HTTP_PROXY": "http://proxy.example.com:3128",
"NO_PROXY": "127.0.0.1,localhost,.example.com"
}
GALAXY_TASK_ENV = {
"ANSIBLE_FORCE_COLOR": "false",
"GIT_SSH_COMMAND": "ssh -o StrictHostKeyChecking=no",
}
```
```python title="custom_system_settings.py"
REMOTE_HOST_HEADERS = [
"HTTP_X_FORWARDED_FOR",
"REMOTE_ADDR",
"REMOTE_HOST",
]
```
```python title="custom_passwords.py"
SUBSCRIPTIONS_PASSWORD = "my-super-secure-subscription-password123!"
REDHAT_PASSWORD = "my-super-secure-redhat-password123!"
```
```bash title="Create ConfigMap and Secret"
# Create ConfigMap
kubectl create configmap my-custom-settings \
--from-file /PATH/TO/YOUR/custom_job_settings.py \
--from-file /PATH/TO/YOUR/custom_system_settings.py
# Create Secret
kubectl create secret generic my-custom-passwords \
--from-file /PATH/TO/YOUR/custom_passwords.py
```
Then specify them in the AWX CR spec. Here is an example configuration of `extra_settings_files` parameter.
```yaml
spec:
extra_settings_files:
configmaps:
- name: my-custom-settings # The name of the ConfigMap
key: custom_job_settings.py # The key in the ConfigMap, which means the file name
- name: my-custom-settings
key: custom_system_settings.py
secrets:
- name: my-custom-passwords # The name of the Secret
key: custom_passwords.py # The key in the Secret, which means the file name
```
!!! Warning "Restriction"
There are some restrictions on the ConfigMaps or Secrets used in `extra_settings_files`.
- The keys in ConfigMaps or Secrets MUST be the name of python files and MUST end with `.py`
- The keys in ConfigMaps or Secrets MUST consists of alphanumeric characters, `-`, `_` or `.`
- The keys in ConfigMaps or Secrets are converted to the following strings, which MUST not exceed 63 characters
- Keys in ConfigMaps: `<instance name>-<KEY>-configmap`
- Keys in Secrets: `<instance name>-<KEY>-secret`
- Following keys are reserved and MUST NOT be used in ConfigMaps or Secrets
- `credentials.py`
- `execution_environments.py`
- `ldap.py`
Refer to the Kubernetes documentations ([[1]](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1/), [[2]](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/), [[3]](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume/), [[4]](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/)) for more information about character types and length restrictions.
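Review bot: The `custom_job_settings.py` sample sets `"GIT_SSH_COMMAND": "ssh -o StrictHostKeyChecking=no"` under `GALAXY_TASK_ENV`, which turns off SSH host key verification for git operations, and documentation samples tend to be copied as they stand. Suggest illustrating the setting with a different variable, or adding a comment in the sample that this value is for illustration only. In the same vein, `custom_passwords.py` is correctly routed through a Secret in the example spec; a one-line remark next to that file saying so would make the intent explicit. Wording in the Restriction box: "MUST consists of" should be "MUST consist of", and "MUST not exceed" should use the same "MUST NOT" capitalisation as the reserved-keys item.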


@@ -0,0 +1,24 @@
# Horizontal Pod Autoscaler (HPA)
Horizontal Pod Autoscaler allows Kubernetes to scale the number of replicas of
deployments in response to configured metrics.
This feature conflicts with the operators ability to manage the number of static
replicas to create for each deployment.
The use of the settings below will tell the operator to not manage the replicas
field on the identified deployments even if a replicas count has been set for those
properties in the operator resource.
| Name | Description | Default |
| ---------------------- | ----------------------------------------------------------------------------- | ------- |
| web_manage_replicas | Indicates operator should control the replicas count for the web deployment. | true |
| task_manage_replicas | Indicates operator should control the replicas count for the task deployment. | true |
## Recommended Settings for HPA
Please see the Kubernetes documentation on how to configure the horizontal pod
autoscaler.
The values for optimal HPA are cluster and need specific so general guidelines
are not available at this time.
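Review bot: The new HPA page says the settings "will tell the operator to not manage the replicas field", but the table lists both `web_manage_replicas` and `task_manage_replicas` with default `true` and the page never shows the value that hands control to the autoscaler. Add a short spec example setting them to `false`, and state what happens to an existing replicas count in the AWX spec once they are off. Minor wording: "the operators ability" needs an apostrophe, and "cluster and need specific" would read better as "specific to the cluster and its workload".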


@@ -0,0 +1,19 @@
# HostAliases
Sometimes you might need to use [HostAliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) in web/task containers.
| Name | Description | Default |
| ------------ | --------------------- | ------- |
| host_aliases | A list of HostAliases | None |
Example of customization could be:
```yaml
---
spec:
...
host_aliases:
- ip: <name-of-your-ip>
hostnames:
- <name-of-your-domain>
```


@@ -1,15 +1,13 @@
#### Labeling operator managed objects
# Labeling operator managed objects
In certain situations labeling of Kubernetes objects managed by the operator
might be desired (e.g. for owner identification purposes). For that
`additional_labels` parameter could be used
In certain situations labeling of Kubernetes objects managed by the operator might be desired (e.g. for owner identification purposes).
For that `additional_labels` parameter could be used:
| Name | Description | Default |
| --------------------------- | ---------------------------------------------------------------------------------------- | ------- |
| additional_labels | Additional labels defined on the resource, which should be propagated to child resources | [] |
Example configuration where only `my/team` and `my/service` labels will be
propagated to child objects (`Deployment`, `Secret`s, `ServiceAccount`, etc):
Example configuration where only `my/team` and `my/service` labels will be propagated to child objects (`Deployment`, `Secret`s, `ServiceAccount`, etc):
```yaml
apiVersion: awx.ansible.com/v1beta1
@@ -22,7 +20,7 @@ metadata:
my/do-not-inherit: "yes"
spec:
additional_labels:
- my/team
- my/service
- my/team
- my/service
...
```

Some files were not shown because too many files have changed in this diff.