internet/awx-operator
3
0
Fork 0
mirror of https://github.com/ansible/awx-operator.git synced 2026-03-27 05:43:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:2.6.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0
...
compare: internet:2.13.0
Branches Tags
internet:devel internet:TheRealHaoLiu-CI-test-10302025 internet:uwsgi_configurable_timeout internet:dependabot/github_actions/dependencies-c216064e94 internet:dependabot/pip/docs/dependencies-9f52a38f71 internet:test-python-module-fix internet:feature_receptor-collection-python-311 internet:pg-dump-restore-in-job internet:checkpoint_v1 internet:fix-helm-release-again internet:docs-for-port-quotes internet:update-gh-pages-urls internet:pr-check-capacity-fix internet:awx-ee-latest internet:shanemcd-patch-1
internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.0 internet:2.16.1 internet:2.16.0 internet:2.15.0 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.2 internet:2.12.1 internet:2.12.0 internet:2.11.0 internet:2.10.0 internet:2.9.0 internet:2.8.0 internet:2.7.2 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.3 internet:2.5.2 internet:2.5.1 internet:2.5.0 internet:2.4.0 internet:2.3.0 internet:2.2.1 internet:2.2.0 internet:2.1.0 internet:2.0.1 internet:2.0.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.4 internet:1.1.3 internet:1.1.2 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.30.0 internet:0.29.0 internet:0.28.0 internet:0.27.0 internet:0.26.0 internet:0.25.0 internet:0.24.0 internet:0.23.0 internet:0.22.0 internet:0.21.0 internet:0.20.2 internet:0.20.1 internet:0.20.0 internet:0.19.0 internet:0.18.0 internet:0.17.0 internet:0.16.1 internet:0.16.0 internet:0.15.0 internet:0.14.0 internet:0.13.0 internet:0.12.0 internet:0.11.0 internet:0.10.0 internet:0.9.0 internet:0.8.0 internet:0.7.0 internet:0.6.0

113 Commits
2.6.0 ... 2.13.0

Author SHA1 Message Date
Christian Adams
d5a3cb7519 Revert change to cast settings values to strings as they could be nested (#1756) 
- We cast the settings value to a string so that it would display
  properly in the Openshift UI. Unfortunately, the k8s validator will no
  longer allow arrays for settings values.
 2024-03-12 11:58:00 -04:00
Christian Adams
ed6ac1a11a Create a new postgres configuration secret when restoring a new instance (#1733) 
- This will avoid the operator changing the host value of the original
  deployments postgres_configuration_secret. As it was, restores broke
  the original deployment if it was still around before this change.

Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2024-03-11 16:34:43 -04:00
Hao Liu
b5d81b8e5d Fix awx_kube_devel (#1759) 
* Fix awx_kube_devel
* Sanitize version name for kube_dev

When in development mode, awx version may look
like 23.9.1.dev18+gee9eac15dc.d20240311

k8s job to the migration can only have
a name with alphanumeric, and '.', '-'

so we can just drop off the +

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

---------

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Seth Foster <fosterbseth@gmail.com>
 2024-03-11 19:01:00 +00:00
bartowl
3abeec518a Bind EE images version with DEFAULT_AWX_VERSION (#1740) 
* bind ee_images, control_plane_ee_image and init_container_image with DEFAULT_AWX_VERSION instead of "latest"

* fix when condition on init_container_image_version check

* Use DEFAULT_AWX_VERSION for AWXMeshIngress

* Add back AWX EE latest for backward compatibility

---------

Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
 2024-03-11 14:12:10 -04:00
Christian Adams
d2c4b9c8a4 The pg service label_selector now uses the deployment_type variable (#1755) 2024-03-08 09:02:31 -05:00
Christian Adams
2ad1d25120 Update PostgreSQL docs about finding default version (#1747) 2024-03-07 21:47:18 -05:00
Hao Liu
26e72b4e1d Fix undefined external_hostname when using Route (#1753) 2024-03-07 22:53:48 +00:00
Hao Liu
3434cbef96 AWXMeshIngress route respect external_hostname (#1752) 
* AwxMeshIngress route respect external_hostname
* Set host in AWXMeshIngress route if external_hostname is defined
 2024-03-07 15:43:06 -05:00
David Hageman
256d84a42a Add imagePullSecrets option to Mesh Ingress (#1750) 2024-03-07 13:17:39 -05:00
kurokobo
03cfe14c07 fix: extend expiration date for the certs for receptor nodes to 10 years (#1744) 2024-03-06 19:52:04 +00:00
Tyler Muir
82c7dd2f44 add support for defining loadbalancer class (#1746) 2024-03-06 14:35:16 -05:00
Erez Samimi
818b3682fa Fix table format in container-probes.md (#1748) 2024-03-06 19:28:46 +00:00
David Hageman
ffba1b4712 Add -ness checks and refactor migrations (#1674) 2024-03-05 19:54:22 -05:00
kurokobo
dba934daa0 fix: revert type of status.upgradedPostgresVersion to string (#1745) 2024-03-04 15:55:16 -05:00
aknochow
d0827ba426 Fixing postgres upgrade conditional (#1741) 2024-03-01 17:09:15 -05:00
kurokobo
16b2f2a34f fix: correct unsafe conditional (#1737) 2024-03-01 20:54:40 +00:00
John Westcott IV
607a7ca58c Upgrading to PostgreSQL 15 and moving to sclorg images (#1486) 
* Upgrading to postgres:15
* Changing image from postgres to sclorg
* Handle scenario where upgrade status is not defined & correct pg tag
* Rework the upgrade logic to be more resiliant for multiple upgrades

---------

Co-authored-by: john-westcott-iv <john-westcott-iv@users.noreply.github.com>
Co-authored-by: Christian M. Adams <chadams@redhat.com>
 2024-02-29 17:02:11 -05:00
kurokobo
d11d66e81d docs: enable search feature (#1725) 2024-02-28 19:46:04 +00:00
Christian Adams
7a937b0932 Expose extra_settings in OLM UI form (#1732) 
Expose extra_settings in olm UI form

Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2024-02-28 14:35:05 -05:00
Don Naro
e1c0e33b4f Use pip tools to generate the full dependency tree (#1727) 
* add venv to gitignore

* use pip compiled docs requirements
 2024-02-28 14:33:29 -05:00
Neev Geffen
cf905ca5d0 CSV Change Descriptor of StorageClass From Text to StorageClass (#1729) 
Update awx-operator.clusterserviceversion.yaml:
Some Descriptors for StorageClasses were set as text and not Storage Class
 2024-02-28 19:19:24 +00:00
Hao Liu
630a5ee1f3 Fix bug where uppercase Route fails (#1731) 2024-02-26 17:17:37 +00:00
Matt Miller
3d78e90ab1 Update Dockerfile operator-framework/ansible-operator to v1.34.0 (#1714) 
Update Dockerfile base image

* Vulnerability scans against this image when deployed shows: CVE-2023-4911
* https://quay.io/repository/operator-framework/ansible-operator/manifest/sha256:f08f675976f42dc3a8ebbb8482acea153a8f57232e2ee48940e3d40ca40d24d9?tab=vulnerabilities
* It appears if 5f3d9ed96f/Dockerfile (L1C14-L1C49) is updated to `v1.34.0` this vulnerability is mitigated.
 2024-02-21 14:50:08 -05:00
kurokobo
3981e6ba5e fix: correct indentation for annotations for awxmeshingress (#1723) 
fix: correct indentation for annotations
 2024-02-21 19:46:34 +00:00
kurokobo
ac682a9c05 docs: improve documentation for awxmeshingress (#1724) 
* add descriptions and examples for awxmeshingress
* convert list to table
* add note for image
* correct minor wording issues
* apply suggested changes from code review for docs/user-guide/advanced-configuration/mesh-ingress.md

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
 2024-02-21 14:36:50 -05:00
kurokobo
7bdf48ffc0 docs: add description for --force-conflicts option to upgrade crds (#1717) 2024-02-21 14:31:32 -05:00
Seth Foster
fc11db4ece Fix syntax error in mesh ingress docs (#1720) 
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
 2024-02-16 17:16:28 +00:00
TVo
148309325e Separate out the custom receptor CA section to its own section. (#1707) 2024-02-16 10:06:05 -07:00
Hao Liu
82756ebfe7 Add new doc for AWXMeshIngress (#1706) 
* Add new doc for AWXMeshIngress

* Update docs/user-guide/advanced-configuration/mesh-ingress.md

Co-authored-by: TVo <thavo@redhat.com>

* Update docs/user-guide/advanced-configuration/mesh-ingress.md

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>

* Update docs/user-guide/advanced-configuration/mesh-ingress.md

Co-authored-by: TVo <thavo@redhat.com>

* Update docs/user-guide/advanced-configuration/mesh-ingress.md

Co-authored-by: TVo <thavo@redhat.com>

* Update mesh-ingress.md

* Update mesh-ingress.md

* Grammar on line 48

---------

Co-authored-by: TVo <thavo@redhat.com>
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
 2024-02-15 13:07:35 -07:00
kurokobo
a9cee5f4da fix: revert removal trim symbol before endif (#1715) 2024-02-15 17:02:48 +00:00
Chris Meyers
5f3d9ed96f More locked down websocket path 
* Previously, the nginx location would match on /foo/websocket... or
  /foo/api/websocket... Now, we require these two paths to start at the
  root i.e. <host>/websocket/... /api/websocket/...
* Note: We now also require an ending / and do NOT support
  <host>/websocket_foobar but DO support <host>/websocket/foobar. This
  was always the intended behavior. We want to keep
  <host>/api/websocket/... "open" and routing to daphne in case we want
  to add more websocket urls in the future.
 2024-02-13 15:53:34 -05:00
Chris Meyers
1eb8501430 Allow connecting to websockets via api/websocket/ 
* Before, we just allowed websockets on <host>/websocket/. With this
  change, they can now come from <host>/api/websocket/
 2024-02-13 10:20:50 -05:00
Christian Adams
ecbb16960f Remove empty statusDescriptor because it fails validation (#1708) 2024-02-09 23:22:56 -05:00
Stéphane Bilqué
368f786244 add 'customSecrets' and 'customVolumes' values to Helm Chart to simplifies the creation of ressources for PoC (#1690) 2024-02-07 15:10:21 -05:00
Hao Liu
e4fe1ee214 Update helm-chart README (#1704) 
- fix link to doc
- add Caveats on upgrading existing installation
 2024-02-07 14:32:19 -05:00
Hao Liu
0d1fa239a5 Fix api version in awxmeshingress-demo.yml (#1700) 
Update awxmeshingress-demo.yml
 2024-02-02 11:50:09 -05:00
Hao Liu
8a51fe9285 Add AWXMeshIngress description to CSV (#1703) 2024-02-02 10:58:57 -05:00
Hao Liu
33c64d5695 Add support annotation to CSV (#1702) 2024-02-01 15:01:15 -05:00
David O Neill
a534c856db Fix Ansible operator url target and update to 1.34 
The url has changed from
https://github.com/operator-framework/operator-sdk/releases
to
https://github.com/operator-framework/ansible-operator-plugins/releases
 2024-01-29 13:44:48 +00:00
kurokobo
acda72558f chore: update docsite link to not include version (#1693) 2024-01-24 19:16:49 +00:00
Hao Liu
9e2eb16b67 Update awxmeshingress sample 2024-01-18 15:38:18 -05:00
Hao Liu
6b02c2c53b Disable CI test for AWXMeshIngress 
TODO: fix this
 2024-01-18 15:38:18 -05:00
Hao Liu
0ca3f1a7c4 Update awx-manage commands for mesh ingress 
and fix linting

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

Set correct protocol for external mesh ingress address

and fix linting error
 2024-01-18 15:38:18 -05:00
Hao Liu
69474557eb Default ingress_type to route when on OpenShift 
also rename route.yml.j2 to ingress.yml.j2 since we cover more than just route now
 2024-01-18 15:38:18 -05:00
Hao Liu
48e3a96305 Add a simple awxmeshingress demo 2024-01-18 15:38:18 -05:00
kurokobo
da7e227f71 Add ingress and ingressroutetcp for awxmeshingress (#1646) 
* fix: correct port number for internal receptor address
* feat: add support for ingress for awxmeshingress cr
* feat: add support for ingressroutetcp (for traefik) for awxmeshingress cr
 2024-01-18 15:38:18 -05:00
Hao Liu
98d5ac126d Create placeholder sample for awxmeshingress to allow bundle build 2024-01-18 15:38:18 -05:00
Hao Liu
cb5db01406 Add finalizer to deprovision ingress instance 2024-01-18 15:38:18 -05:00
Hao Liu
494384c1d7 Fix receptor port when going through route 2024-01-18 15:38:18 -05:00
Hao Liu
34c2e48e0a Fix bug where external_ipaddress is required 
external_ipaddress is optional and we should be able to deal with missing external_ipaddress with no error
 2024-01-18 15:38:18 -05:00
Hao Liu
122995fda7 Add owner ref on AWXMeshIngress to AWX 
This way when AWX is deleted associated AWXMeshIngress will all be deleted as well
 2024-01-18 15:38:18 -05:00
Seth Foster
9761c78fe9 Update add_receptor_address command 
- add --is_internal and --peers_from_control_nodes
to indicate the address is internal

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
 2024-01-18 15:38:18 -05:00
Seth Foster
062c7153c6 Use deployment instead of statefulset 
When pod loses connection with k8s api server,
a statefulset can take a while (5 minutes) before
it is rescheduled. Deployments quicker turnaround
in this situation, which should help mesh
stability.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
 2024-01-18 15:38:18 -05:00
Seth Foster
6ef4aed024 Provision instance and add receptor address 
The mesh role now calls
1. awx-manage provision instance to register the hop
node to the database
2. awx-manage add_receptor_address to register the
internal address
3. awx-manage add_receptor_address to register the
external address (to be used by remote nodes)

CRD expanded to include external_ipaddress and
external_hostname

external_ipaddress is added as ipaddress in the
hop node certificate

external_hostname is added as dnsname in the
hop node certificate

the mesh role now checks for is_openshift and
only creates a Route if true. Otherwise it
will use external_hostname set in the spec
file in place of Route name.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
 2024-01-18 15:38:18 -05:00
Hao Liu
3fe42ed4b9 Removing sample awxmeshingress to fix CI 
sample are used in CI for validation test

in current implementation we only support openshift route this will not work on kind clusters correctly and having the sample is causing CI failure
 2024-01-18 15:38:18 -05:00
Hao Liu
2ff1d35b6d Update awxmeshingress sample 2024-01-18 15:38:18 -05:00
Hao Liu
d3934d9e08 Able to deploy mesh ingress node 
TODO: register instance after creation

dependent on API/CLI change
 2024-01-18 15:38:18 -05:00
Hao Liu
3c8ce3718a Scaffold AWXMeshIngress 2024-01-18 15:38:18 -05:00
Hao Liu
66f03c3c16 Adopt LISTENER_DATABASES setting (#1687) 
Related to https://github.com/ansible/awx/pull/14755

move TCP keepalive to pg_listener specific db setting
 2024-01-17 13:47:35 -05:00
Jon
7e2c2bf92c multi-architecture builds and publish (#1681) 
* Add multi-arch image builds to makefile
* A default set of platforms is specified and will build those if var `PLATFORMS` is not specified on the CLI
* Builds containers and stores @ghcr with tag that is git commit.
* Pushes the image to quay.io/ansible with tag devel.
* Update Promote to use single build point and the multi-arch manifest
   - Pulls the complete manifest containing all architectures that matches the version from ghcr
   - Tag manifest with the specified version and publish to quay.io
   - Tag manifest as 'latest' and publish to quay.io

Author: jon-nfc
Co-authored-by: Christian M. Adams <chadams@redhat.com>
Co-authored-by: TheRealHaoLiu
 2024-01-16 17:00:24 -05:00
TVo
7b95f03a30 Updated the "index" file to include "Adding execution nodes" section. (#1684) 2024-01-15 15:04:25 -07:00
TVo
b0cb1cc07d Corrected syntax on xref to fix build failures. (#1683) 
* Corrected syntax on xref to fix build failures.

* Update docs/user-guide/advanced-configuration/containers-resource-requirements.md

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
 2024-01-15 19:26:42 +00:00
TVo
5be4c13016 Moved Adding Execution Nodes to its own section. (#1678) 
* Moved Adding Execution Nodes to its own section.

* Moved Adding Execution Nodes to its own section.
 2024-01-09 08:30:29 -07:00
Guillaume Lefevre
07427be0b7 Allow multiple ingress hosts to be defined when using ingress (#1377) 
* Replace api version for deployment kind to apps/v1

* Add new multiple ingress spec and deprecate hostname and ingress_tls_secret

* Manage new ingress_hosts.tls_secret backup separately

* Fix ci molecule lint warnings and error

* Fix documentation

* Fix ingress_hosts tls_secret key being optional

* Remove fieldDependency:ingress_type:Ingress for Ingress Hosts

* Fix scenario when neither hostname or ingress_hosts is defined

---------

Co-authored-by: Guillaume Lefevre <guillaume.lefevre@agoda.com>
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
Co-authored-by: Christian Adams <chadams@redhat.com>
 2024-01-05 10:15:04 -05:00
Florian Sey
c23bc68900 Fix typo in contributing guidelines (#1677) 
Co-authored-by: Florian Sey <florian.sey@neofacto.com>
 2024-01-03 15:53:35 -05:00
Christian Adams
582701d949 Refactor to resolve the linter warnings on PRs (#1668) 2023-12-14 09:29:35 -05:00
David Gries
b6b3b6c0ab add 'extraDeploy' value to Helm Chart to allow deploying additional r… (#1640) 
* add 'extraDeploy' value to Helm Chart to allow deploying additional resources
 2023-12-13 14:43:30 -05:00
Hao Liu
25a6c3c48a Remove unnessary chmod and chown for db dump (#1667) 
Based on https://github.com/ansible/awx-operator/pull/1602

Fixes https://github.com/ansible/awx-operator/issues/1590
 2023-12-13 19:28:23 +00:00
Akira Yokochi
c67289d2cf Fix link for Assigning AWX pods to specific nodes (#1656) 
* Fix link for Assigning AWX pods to specific nodes

* fix word
 2023-12-13 19:22:19 +00:00
Christian Adams
d0c7f343b2 Fix PG Restore Force Drop DB flag (#1665) 
- Previously, if the flag was set to true, the bash conditional failed
  because the boolean was not correctly interpreted.
- Use pg_restore return code to determine if the task should be marked as failed

Signed-off-by: Christian M. Adams <chadams@redhat.com>
 2023-12-08 16:38:47 -05:00
David Gries
ef17865f12 Update deprecated collections path variable (#1648) 
remove deprecated 'ANSIBLE_COLLECTIONS_PATHS' variable
 2023-12-06 19:29:39 +00:00
Dayne Benn
d5fd5d3819 Update upgrading.md (#1660) 2023-12-05 19:59:39 +00:00
Christian Adams
a61ed18147 Always check and wait for a restore pg_restore to finish (#1652) 2023-12-01 16:18:23 -05:00
Christian Adams
e3e3da0e0e Adding in Kind specific install docs (#1643) 2023-12-01 11:42:23 -05:00
Christian Adams
1470779b8f Bump Ansible Operator SDK version to 1.32.0 for OS updates (#1651) 
- pick up security updates when building the operator container
 2023-12-01 10:00:58 -05:00
Laurent Indermühle
400df47678 Enhance documentation for basic install (#1621) 
- Describe checking out the tag to deploy in basic install instructions
- Also, the repo already contains a awx-demo.yml file but the doc reference awx-demo.yaml with en extra a. I remove this road block for newcomers by using same 'yml' extension everywhere.
 2023-11-29 19:32:38 +00:00
Hao Liu
0f0ff32bf6 Add option to force drop database before restore (#1639) 2023-11-27 18:52:07 +00:00
Imed
a9245454a4 Remove reference to cluster.local (#1566) 
Co-authored-by: Imed Aouidene <imaouide@imaouide-thinkpadt14sgen2i.cdg.csb>
 2023-11-27 16:26:24 +00:00
Gene Tomilko
bba8b8e2b5 Update service.yaml.j2 (#1641) 
fix loadbalancerip
 2023-11-27 10:33:00 -05:00
Klaus Mueller
93c5e4a0c3 awx-operator-controller-manager reduce limit to 30 times as much as request (#1575) 2023-11-22 22:23:41 +00:00
Sandra McCann
06c0dd96d0 Remove TOC and add link to published docs (#1526) 
AWX Operator docs are now published online so removing most of the README and adding a pointer to the new docsite.
 2023-11-20 23:22:29 +00:00
Hao Liu
e6b11084db Omit storage resource limit if empty (#1637) 
We discovered some weird behavior observed on later Kubernetes version (OCP 4.12+)

For some reason why we apply the templates postgres resource with

```
postgres_storage_requirements:
  limit: {}
  requests:
    storage: <x>Gi
```

the `Create Database if no database is specified` task that does the k8s apply will always think the resource is "changed" and proceed to cycle the task and web pod

This resulted in AWX pods being continuously restarted

Update postgres.yaml.j2
 2023-11-14 13:41:30 -06:00
romankuzmik
669fe1d253 1586: awx-operator restore from PVC is not working (#1603) 
Co-authored-by: Roman Kuzmik <rkuzmik@cisco.com>
 2023-11-09 09:39:27 -05:00
Hao Liu
e4cfa2f809 Fix operator-hub publishing automation (#1630) 
Rename TAG_NAME to VERSION so it's no longer ambiguous when running hack/publish-to-operator-hub.sh

Checkout awx-operator at VERSION with fetch-depth=0 so that `make print-PREV_VERSION` will be able to actually find previous tag
 2023-11-08 22:04:28 +00:00
Christian Adams
7251961bcc Add ability to mount custom volumes in the postgres pod (#1626) 
* Add ability to mount custom volumes in the postgres pod
* Fix indentation for postgres_extra_volumes

Signed-off-by: Christian M. Adams <chadams@redhat.com>
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
 2023-11-08 15:44:30 -05:00
Hao Liu
3a5fbb0b06 Fix PREV_VERSION variable in Makefile - again (#1628) 
Note to self: stop multi-tasking
 2023-11-08 15:06:17 -05:00
Hao Liu
a69ca7f8b5 Fix PRE_VERSION in Makefile (#1625) 
* Fix make print-PREV_VERSION

* Use latest Makefile while running operator-hub publish
 2023-11-08 16:40:24 +00:00
Hao Liu
0fb252b6e4 Fix operator-hub release CI when triggering from release (#1623) 
Fix operator-hub release CI

When triggering from release default values for input is not accessible
 2023-11-08 09:22:27 -05:00
Christian Adams
718e5cfcb9 Add sample AWX CR with resource limits for environments with Resource… (#1554) 
Add sample AWX CR with resource limits for environments with ResourceQuotas
 2023-11-02 12:54:15 -04:00
Hao Liu
a8153d5ffb Automate publishing to automation hub (#1616) 
* Automate awx-operator publishing on operatorhub

* Use scripts from workflow branch
Previously it will use scripts from the release tag to do the release
If we have to fix up the scripts for any reason we would have to retag
This will allow us to modify the publishing script without having to retag the release.

NOTE: the commit in this PR was accidentally pushed to `devel` directly... merging this PR just for the record.
 2023-10-26 11:27:49 -04:00
Hao Liu
7b0a68c2f4 Use scripts from workflow branch 
Previously it will use scripts from the release tag to do the release

If we have to fix up the scripts for any reason we would have to retag

This will allow us to modify the publishing script without having to retag the release.
 2023-10-25 15:46:35 -04:00
Hao Liu
1c89044be4 automate awx-operator publishing on operatorhub 2023-10-25 15:27:18 -04:00
Seth Foster
15ed13dd8d Fix supported_pg_version (#1614) 
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
 2023-10-25 12:47:24 -04:00
Christian Adams
f2ad70678c Bump kube-rbac-proxy image to v0.15.0 (#1615) 2023-10-25 12:22:10 -04:00
dependabot[bot]
2ec77f1e7e Bump pillow from 9.5.0 to 10.0.1 in /docs (#1608) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-24 15:28:54 -04:00
Hao Liu
aa7d0b9918 Fix promote workflow (#1613) 2023-10-24 15:14:00 -04:00
Hao Liu
38209f9720 Add workflow_dispatch to promote workflow (#1612) 2023-10-24 15:10:08 -04:00
Hao Liu
0ba4feaf7a Revert "Stage and promote operator catalog and bundle (#1598)" (#1611) 2023-10-24 14:55:42 -04:00
Hao Liu
d4c1fda066 Stage and promote operator catalog and bundle (#1598) 2023-10-24 13:06:45 -04:00
Christian Adams
0d97183bbf Hardcode the link for the operatorhub publish script (#1609) 2023-10-23 15:13:32 -04:00
Hao Liu
293f0158e0 Fix operator-hub publish script on mac (#1584) 2023-10-19 14:45:21 +00:00
Hao Liu
bb30b3b9fe Fix spacing for csv file (#1601) 2023-10-18 18:38:32 +00:00
Chris
39bebe64ba Fix task deployment indention (#1596) (#1597) 2023-10-17 17:13:44 -04:00
Hao Liu
5bd84b3d3e Install operator-sdk if needed (#1600) 2023-10-17 20:19:29 +00:00
Christian Adams
76e315d191 Change supported OCP range when publishing to OperatorHub (#1599) 2023-10-17 16:03:54 -04:00
Hao Liu
dd022258b5 Remove mailing list from getting involved (#1592) 2023-10-13 17:41:33 +00:00
Hao Liu
019fa3d356 Add background keepalive to awx-manage migrate (#1589) 2023-10-13 09:33:27 -04:00
Preston Alvarado
4a968aa605 docfix - Secret Key Configuration (#1585) 2023-10-11 18:32:37 +00:00
Hao Liu
92639c1e89 Adding keepalive while doing pg_dump (#1580) 2023-10-10 13:08:51 -04:00
kurokobo
a7cfbe23da fix: correct label selector to find task pod (#1573) 2023-10-03 14:08:54 -04:00
kurokobo
16a2b590d6 fix: change type for precreate_partition_hours from string to integer (#1571) 2023-10-03 12:10:40 -04:00
rakesh561
8518e0d1c7 Allow ability to set security context for postgres deployment (#1517) 
- Added docs for securityContext 
- enabled web securityContext configuration

Co-authored-by: Christian M. Adams <chadams@redhat.com>
 2023-09-27 18:05:46 -04:00
Jeff Smith
6bc101af3e Bump ansible-operator to v1.31.0 (#1550) 2023-09-27 15:31:10 -04:00
107 changed files with 3348 additions and 474 deletions
Expand all files Collapse all files

35
.github/workflows/devel.yaml vendored
View File

@@ -13,15 +13,36 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Build Image
- name: Fail if QUAY_REGISTRY not set
run: |
IMG=awx-operator:devel make docker-build
if [[ -z "${{ vars.QUAY_REGISTRY }}" ]]; then
echo "QUAY_REGISTRY not set. Please set QUAY_REGISTRY in variable GitHub Actions variables."
exit 1
fi
- name: Push To Quay
uses: redhat-actions/push-to-registry@v2.1.1
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
image: awx-operator
tags: devel
registry: quay.io/ansible/
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log into registry quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ vars.QUAY_REGISTRY }}
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Build and Store Image @ghcr
run: |
IMG=ghcr.io/${{ github.repository }}:${{ github.sha }} make docker-buildx
- name: Publish Image to quay.io
run: |
docker buildx imagetools create \
ghcr.io/${{ github.repository }}:${{ github.sha }} \
--tag ${{ vars.QUAY_REGISTRY }}/awx-operator:devel

19
.github/workflows/feature.yml vendored
View File

@@ -29,25 +29,6 @@ jobs:
run: |
echo "IMAGE_TAG_BASE=ghcr.io/${OWNER_LC}/awx-operator" >>${GITHUB_ENV}
- name: Set ARCH environment variable
run: |
echo "ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)" >>${GITHUB_ENV}
- name: Set OS environment variable
run: |
echo "OS=$(uname | awk '{print tolower($0)}')" >>${GITHUB_ENV}
- name: Install operator-sdk
run: |
echo "Installing operator-sdk ${OPERATOR_SDK_DL_URL}" && \
curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} && \
chmod +x operator-sdk_${OS}_${ARCH} && \
sudo mkdir -p /usr/local/bin/ && \
sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk && \
operator-sdk version
env:
OPERATOR_SDK_DL_URL: https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0
- name: Log in to registry
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

72
.github/workflows/promote.yaml vendored
View File

@@ -3,37 +3,81 @@ name: Promote AWX Operator image
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag_name:
description: 'Name for the tag of the release.'
required: true
quay_registry:
description: 'Quay registry to push to.'
default: 'quay.io/ansible'
env:
QUAY_REGISTRY: ${{ vars.QUAY_REGISTRY }}
jobs:
promote:
runs-on: ubuntu-latest
steps:
- name: Set GitHub Env vars for workflow_dispatch event
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
echo "QUAY_REGISTRY=${{ github.event.inputs.quay_registry }}" >> $GITHUB_ENV
- name: Set GitHub Env vars if release event
if: ${{ github.event_name == 'release' }}
run: |
echo "TAG_NAME=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
- name: Fail if QUAY_REGISTRY not set
run: |
if [[ -z "${{ env.QUAY_REGISTRY }}" ]]; then
echo "QUAY_REGISTRY not set. Please set QUAY_REGISTRY in variable GitHub Actions variables."
exit 1
fi
- uses: actions/checkout@v3
with:
depth: 0
- name: Log in to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Log in to Quay
run: |
echo ${{ secrets.QUAY_TOKEN }} | docker login quay.io -u ${{ secrets.QUAY_USER }} --password-stdin
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Re-tag and promote awx-operator image
- name: Log into registry quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.QUAY_REGISTRY }}
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Pull Tagged Staged Image and Publish to quay.io
run: |
docker pull ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker tag ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} quay.io/${{ github.repository }}:latest
docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
docker push quay.io/${{ github.repository }}:latest
docker buildx imagetools create \
ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
--tag ${{ env.QUAY_REGISTRY }}/awx-operator:${{ env.TAG_NAME }}
- name: Pull Staged Image and Publish to quay.io/${{ github.repository }}:latest
run: |
docker buildx imagetools create \
ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
--tag ${{ env.QUAY_REGISTRY }}/awx-operator:latest
- name: Release Helm chart
run: |
ansible-playbook ansible/helm-release.yml -v \
-e operator_image=quay.io/${{ github.repository }} \
-e operator_image=${{ env.QUAY_REGISTRY }}/awx-operator \
-e chart_owner=${{ github.repository_owner }} \
-e tag=${{ github.event.release.tag_name }} \
-e tag=${{ env.TAG_NAME }} \
-e gh_token=${{ secrets.GITHUB_TOKEN }} \
-e gh_user=${{ github.actor }} \
-e repo_type=https

86
.github/workflows/publish-operator-hub.yaml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: Publish AWX Operator on operator-hub
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag_name:
description: 'Name for the tag of the release.'
required: true
operator_hub_fork:
description: 'Fork of operator-hub where the PR will be created from. default: awx-auto'
required: true
default: 'awx-auto'
image_registry:
description: 'Image registry where the image is published to. default: quay.io'
required: true
default: 'quay.io'
image_registry_organization:
description: 'Image registry organization where the image is published to. default: ansible'
required: true
default: 'ansible'
community_operator_github_org:
description: 'Github organization for community-opeartor project. default: k8s-operatorhub'
required: true
default: 'k8s-operatorhub'
community_operator_prod_github_org:
description: 'GitHub organization for community-operator-prod project. default: redhat-openshift-ecosystem'
required: true
default: 'redhat-openshift-ecosystem'
jobs:
promote:
runs-on: ubuntu-latest
steps:
- name: Set GITHUB_ENV from workflow_dispatch event
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo "VERSION=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY=${{ github.event.inputs.image_registry }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY_ORGANIZATION=${{ github.event.inputs.image_registry_organization }}" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_GITHUB_ORG=${{ github.event.inputs.community_operator_github_org }}" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${{ github.event.inputs.community_operator_prod_github_org }}" >> $GITHUB_ENV
- name: Set GITHUB_ENV for release event
if: ${{ github.event_name == 'release' }}
run: |
echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
echo "IMAGE_REGISTRY=quay.io" >> $GITHUB_ENV
echo "IMAGE_REGISTRY_ORGANIZATION=ansible" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_GITHUB_ORG=k8s-operatorhub" >> $GITHUB_ENV
echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=redhat-openshift-ecosystem" >> $GITHUB_ENV
- name: Log in to image registry
run: |
echo ${{ secrets.QUAY_TOKEN }} | docker login ${{ env.IMAGE_REGISTRY }} -u ${{ secrets.QUAY_USER }} --password-stdin
- name: Checkout awx-operator at workflow branch
uses: actions/checkout@v4
with:
path: awx-operator
- name: Checkout awx-opearator at ${{ env.VERSION }}
uses: actions/checkout@v4
with:
fetch-tags: true
ref: ${{ env.VERSION }}
path: awx-operator-${{ env.VERSION }}
fetch-depth: 0 # fetch all history so that git describe works
- name: Copy scripts to awx-operator-${{ env.VERSION }}
run: |
cp -f \
awx-operator/hack/publish-to-operator-hub.sh \
awx-operator-${{ env.VERSION }}/hack/publish-to-operator-hub.sh
cp -f \
awx-operator/Makefile \
awx-operator-${{ env.VERSION }}/Makefile
- name: Build and publish bundle to operator-hub
working-directory: awx-operator-${{ env.VERSION }}
env:
IMG_REPOSITORY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REGISTRY_ORGANIZATION }}
GITHUB_TOKEN: ${{ secrets.AWX_AUTO_GITHUB_TOKEN }}
run: |
git config --global user.email "awx-automation@redhat.com"
git config --global user.name "AWX Automation"
./hack/publish-to-operator-hub.sh

39
.github/workflows/stage.yml vendored
View File

@@ -37,12 +37,6 @@ jobs:
exit 0
- name: Checkout awx
uses: actions/checkout@v3
with:
repository: ${{ github.repository_owner }}/awx
path: awx
- name: Checkout awx-operator
uses: actions/checkout@v3
with:
@@ -53,17 +47,20 @@ jobs:
run: |
python3 -m pip install docker
- name: Log in to GHCR
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Log into registry ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and stage awx-operator
- name: Stage awx-operator
working-directory: awx-operator
run: |
BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.default_awx_version }} \
--build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
IMAGE_TAG_BASE=ghcr.io/${{ github.repository_owner }}/awx-operator \
VERSION=${{ github.event.inputs.version }} make docker-build docker-push
--build-arg OPERATOR_VERSION=${{ github.event.inputs.version }}" \
IMG=ghcr.io/${{ github.repository }}:${{ github.event.inputs.version }} \
make docker-buildx
- name: Run test deployment
working-directory: awx-operator
@@ -76,10 +73,12 @@ jobs:
env:
AWX_TEST_VERSION: ${{ github.event.inputs.default_awx_version }}
- name: Create draft release
working-directory: awx
run: |
ansible-playbook tools/ansible/stage.yml \
-e version=${{ github.event.inputs.version }} \
-e repo=${{ github.repository_owner }}/awx-operator \
-e github_token=${{ secrets.GITHUB_TOKEN }}
- name: Create Draft Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.event.inputs.version }}
release_name: Release ${{ github.event.inputs.version }}
draft: true

1
.gitignore vendored
View File

@@ -10,3 +10,4 @@ gh-pages/
.vscode/
__pycache__
/site
venv/*

307
.helm/starter/README.md
View File

@@ -8,10 +8,12 @@ To configure your AWX resource using this chart, create your own `yaml` values f
In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
### Installing
The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
The operator's [helm install](https://ansible.readthedocs.io/projects/awx-operator/en/latest/installation/helm-install-on-existing-cluster.html) guide provides key installation instructions.
Example:
```
```bash
helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
```
@@ -24,6 +26,39 @@ Argument breakdown:
To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
### Caveats on upgrading existing installation
There is no support at this time for upgrading or deleting CRDs using Helm. See [helm documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) for additional detail.
When upgrading to releases with CRD changes use the following command to update the CRDs
```bash
kubectl apply --server-side -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
If running above command results in an error like below:
```text
Apply failed with 1 conflict: conflict with "helm" using apiextensions.k8s.io/v1: .spec.versions
Please review the fields above--they currently have other managers. Here
are the ways you can resolve this warning:
* If you intend to manage all of these fields, please re-run the apply
command with the `--force-conflicts` flag.
* If you do not intend to manage all of the fields, please edit your
manifest to remove references to the fields that should keep their
current managers.
* You may co-own fields by updating your manifest to match the existing
value; in this case, you'll become the manager if the other manager(s)
stop managing the field (remove it from their configuration).
See https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts
```
Use `--force-conflicts` flag to resolve the conflict.
```bash
kubectl apply --server-side --force-conflicts -k github.com/ansible/awx-operator/config/crd?ref=<VERSION>
```
## Configuration
The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
@@ -32,6 +67,158 @@ These sub-headers aim to be a more intuitive entrypoint into customizing your de
### External Postgres
The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
### Additional Kubernetes Resources
The `AWX.extraDeploy` section allows the creation of additional Kubernetes resources. This simplifies setups requiring additional objects that are used by AWX, e.g. using `ExternalSecrets` to create Kubernetes secrets.
Resources are passed as an array, either as YAML or strings (literal "|"). The resources are passed through `tpl`, so templating is possible. Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
extraDeploy:
- |
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Release.Name }}-postgres-secret-string-example
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-string-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
- apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "{{ .Release.Name }}-postgres-secret-yaml-example"
namespace: "{{ .Release.Namespace }}"
labels:
app: "{{ .Release.Name }}"
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: postgres-configuration-secret-yaml-example
creationPolicy: "Owner"
deletionPolicy: "Delete"
dataFrom:
- extract:
key: awx/postgres-configuration-secret
```
### Custom secrets
The `customSecrets` section simplifies the creation of our custom secrets used during AWX deployment. Supplying the passwords this way is not recommended for production use, but may be helpful for initial PoC.
If enabled, the configs provided will automatically used to create the respective secrets and linked at the CR spec level. For proper secret management, the sensitive values can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`.
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customSecrets:
enabled: true
admin:
enabled: true
password: mysuperlongpassword
secretName: my-admin-password
secretKey:
enabled: true
key: supersecuresecretkey
secretName: my-awx-secret-key
ingressTls:
enabled: true
selfSignedCert: true
key: unset
certificate: unset
routeTls:
enabled: false
key: <contentoftheprivatekey>
certificate: <contentofthepublickey>
ldapCacert:
enabled: false
crt: <contentofmybundlecacrt>
ldap:
enabled: true
password: yourldapdnpassword
bundleCacert:
enabled: false
crt: <contentofmybundlecacrt>
eePullCredentials:
enabled: false
url: unset
username: unset
password: unset
sslVerify: true
secretName: my-ee-pull-credentials
cpPullCredentials:
enabled: false
dockerconfig:
- registry: https://index.docker.io/v1/
username: unset
password: unset
secretName: my-cp-pull-credentials
```
### Custom volumes
The `customVolumes` section simplifies the creation of Persistent Volumes used when you want to store your databases and projects files on the cluster's Node. Since their backends are `hostPath`, the size specified are just like a label and there is no actual capacity limitation.
You have to prepare directories for these volumes. For example:
```bash
sudo mkdir -p /data/postgres-13
sudo mkdir -p /data/projects
sudo chmod 755 /data/postgres-13
sudo chown 1000:0 /data/projects
```
Example:
```yaml
AWX:
# enable use of awx-deploy template
...
# configurations for external postgres instance
postgres:
enabled: false
...
customVolumes:
postgres:
enabled: true
hostPath: /data/postgres-13
projects:
enabled: true
hostPath: /data/projects
size: 1Gi
```
## Values Summary
@@ -43,6 +230,120 @@ The `AWX.postgres` section simplifies the creation of the external postgres secr
| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
| `AWX.postgres` | configurations for the external postgres secret | - |
### extraDeploy
| Value | Description | Default |
|---|---|---|
| `extraDeploy` | array of additional resources to be deployed (supports YAML or literal "\|") | - |
### customSecrets
| Value | Description | Default |
|---|---|---|
| `customSecrets.enabled` | Enable the secret resources configuration | `false` |
| `customSecrets.admin` | Configurations for the secret that contains the admin user password | - |
| `customSecrets.secretKey` | Configurations for the secret that contains the symmetric key for encryption | - |
| `customSecrets.ingressTls` | Configurations for the secret that contains the TLS information when `ingress_type=ingress` | - |
| `customSecrets.routeTls` | Configurations for the secret that contains the TLS information when `ingress_type=route` (`route_tls_secret`) | - |
| `customSecrets.ldapCacert` | Configurations for the secret that contains the LDAP Certificate Authority | - |
| `customSecrets.ldap` | Configurations for the secret that contains the LDAP BIND DN password | - |
| `customSecrets.bundleCacert` | Configurations for the secret that contains the Certificate Authority | - |
| `customSecrets.eePullCredentials` | Configurations for the secret that contains the pull credentials for registered ees can be found | - |
| `customSecrets.cpPullCredentials` | Configurations for the secret that contains the image pull credentials for app and database containers | - |
Below the addition variables to customize the secret configuration.
#### Admin user password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.admin.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.admin.password` | Admin user password | - |
| `customSecrets.admin.secretName` | Name of secret for `admin_password_secret` | `<resourcename>-admin-password>` |
#### Secret Key secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.secretKey.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.secretKey.key` | Key is used to encrypt sensitive data in the database | - |
| `customSecrets.secretKey.secretName` | Name of secret for `secret_key_secret` | `<resourcename>-secret-key` |
#### Ingress TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ingressTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ingressTls.selfSignedCert` | If `true`, an self-signed TLS certificate for `AWX.spec.hostname` will be create by helm | `false` |
| `customSecrets.ingressTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.ingressTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.ingressTls.secretName` | Name of secret for `ingress_tls_secret` | `<resourcename>-ingress-tls` |
| `customSecrets.ingressTls.labels` | Array of labels for the secret | - |
#### Route TLS secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.routeTls.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.routeTls.key` | Private key to use for TLS/SSL | - |
| `customSecrets.routeTls.certificate` | Certificate to use for TLS/SSL | - |
| `customSecrets.routeTls.secretName` | Name of secret for `route_tls_secret` | `<resourcename>-route-tls` |
#### LDAP Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldapCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldapCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.ldapCacert.secretName` | Name of secret for `ldap_cacert_secret` | `<resourcename>-custom-certs` |
#### LDAP BIND DN Password secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.ldap.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.ldap.password` | LDAP BIND DN password | - |
| `customSecrets.ldap.secretName` | Name of secret for `ldap_password_secret` | `<resourcename>-ldap-password` |
#### Certificate Authority secret configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.bundleCacert.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.bundleCacert.crt` | Bundle of CA Root Certificates | - |
| `customSecrets.bundleCacert.secretName` | Name of secret for `bundle_cacert_secret` | `<resourcename>-custom-certs` |
#### Default EE pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.eePullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.eePullCredentials.url` | Registry url | - |
| `customSecrets.eePullCredentials.username` | Username to connect as | - |
| `customSecrets.eePullCredentials.password` | Password to connect with | - |
| `customSecrets.eePullCredentials.sslVerify` | Whether verify ssl connection or not. | `true` |
| `customSecrets.eePullCredentials.secretName` | Name of secret for `ee_pull_credentials_secret` | `<resourcename>-ee-pull-credentials` |
#### Control Plane pull secrets configuration
| Value | Description | Default |
|---|---|---|
| `customSecrets.cpPullCredentials.enabled` | If `true`, secret will be created | `false` |
| `customSecrets.cpPullCredentials.dockerconfig` | Array of configurations for the Docker credentials that are used for accessing a registry | - |
| `customSecrets.cpPullCredentials.dockerconfig[].registry` | Server location for Docker registry | `https://index.docker.io/v1/` |
| `customSecrets.cpPullCredentials.dockerconfig[].username` | Username to connect as | - |
| `customSecrets.cpPullCredentials.dockerconfig[].password` | Password to connect with | - |
| `customSecrets.cpPullCredentials.secretName` | Name of secret for `image_pull_secrets`| `<resoucename>-cp-pull-credentials` |
### customVolumes
#### Persistent Volume for databases postgres
| Value | Description | Default |
|---|---|---|
| `customVolumes.postgres.enabled` | Enable the PV resource configuration for the postgres databases | `false` |
| `customVolumes.postgres.hostPath` | Directory location on host | - |
| `customVolumes.postgres.size` | Size of the volume | `8Gi` |
| `customVolumes.postgres.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name for `postgres_storage_class` | `<resourcename>-postgres-volume` |
#### Persistent Volume for projects files
| Value | Description | Default |
|---|---|---|
| `customVolumes.projects.enabled` | Enable the PVC and PVC resources configuration for the projects files | `false` |
| `customVolumes.projects.hostPath` | Directory location on host | - |
| `customVolumes.projects.size` | Size of the volume | `8Gi` |
| `customVolumes.projects.accessModes` | Volume access mode | `ReadWriteOnce` |
| `customVolumes.postgres.storageClassName` | PersistentVolume storage class name | `<resourcename>-projects-volume` |
# Contributing
@@ -63,5 +364,3 @@ The chart is currently hosted on the gh-pages branch of the repo. During the rel
Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.

4
.helm/starter/templates/awx-deploy.yaml
View File

@@ -6,6 +6,10 @@ metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
spec:
{{- /* Provide custom persistent volumes configs if enabled */}}
{{- include "spec.storageClassNames" $ }}
{{- /* Provide custom secrets configs if enabled */}}
{{- include "spec.secrets" $ }}
{{- /* Include raw map from the values file spec */}}
{{ .spec | toYaml | indent 2 }}
{{- /* Provide security context defaults */}}

8
.helm/starter/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,8 @@
{{- range .Values.extraDeploy }}
---
{{- if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (. | toYaml | nindent 0) $ }}
{{- end }}
{{- end }}

170
.helm/starter/templates/secrets/_helpers.tpl Normal file
View File

@@ -0,0 +1,170 @@
{{/*
Generate certificates for ingress
*/}}
{{- define "ingress.gen-certs" -}}
{{- $ca := genCA "ingress-ca" 365 -}}
{{- $cert := genSignedCert ( $.Values.AWX.spec.hostname | required "AWX.spec.hostname is required!" ) nil nil 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Generate the name of the secret that contains the admin user password
*/}}
{{- define "admin.secretName" -}}
{{ default (printf "%s-admin-password" $.Values.AWX.name) (default $.Values.customSecrets.admin.secretName $.Values.AWX.spec.admin_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=route
*/}}
{{- define "routeTls.secretName" -}}
{{ default (printf "%s-route-tls" $.Values.AWX.name) (default $.Values.customSecrets.routeTls.secretName $.Values.AWX.spec.route_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the TLS information when ingress_type=ingress
*/}}
{{- define "ingressTls.secretName" -}}
{{ default (printf "%s-ingress-tls" $.Values.AWX.name) (default $.Values.customSecrets.ingressTls.secretName $.Values.AWX.spec.ingress_tls_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP Certificate Authority
*/}}
{{- define "ldapCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.ldapCacert).secretName $.Values.AWX.spec.ldap_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the custom Certificate Authority
*/}}
{{- define "bundleCacert.secretName" -}}
{{ default (printf "%s-custom-certs" $.Values.AWX.name) (default ($.Values.customSecrets.bundleCacert).secretName $.Values.AWX.spec.bundle_cacert_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the LDAP BIND DN password
*/}}
{{- define "ldap.secretName" -}}
{{ default (printf "%s-ldap-password" $.Values.AWX.name) (default $.Values.customSecrets.ldap.secretName $.Values.AWX.spec.ldap_password_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the symmetric key for encryption
*/}}
{{- define "secretKey.secretName" -}}
{{ default (printf "%s-secret-key" $.Values.AWX.name) (default $.Values.customSecrets.secretKey.secretName $.Values.AWX.spec.secret_key_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default execution environment pull credentials
*/}}
{{- define "eePullCredentials.secretName" -}}
{{ default (printf "%s-ee-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.eePullCredentials.secretName $.Values.AWX.spec.ee_pull_credentials_secret) }}
{{- end }}
{{/*
Generate the name of the secret that contains the default control plane pull credentials
*/}}
{{- define "cpPullCredentials.secretName" -}}
{{ default (printf "%s-cp-pull-credentials" $.Values.AWX.name) (default $.Values.customSecrets.cpPullCredentials.secretName $.Values.AWX.spec.image_pull_secrets) }}
{{- end }}
{{/*
Generate the .dockerconfigjson file unencoded.
*/}}
{{- define "dockerconfigjson.b64dec" }}
{{- print "{\"auths\":{" }}
{{- range $index, $item := . }}
{{- if $index }}
{{- print "," }}
{{- end }}
{{- printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" (default "https://index.docker.io/v1/" $item.registry) $item.username $item.password (default "" $item.email) (printf "%s:%s" $item.username $item.password | b64enc) }}
{{- end }}
{{- print "}}" }}
{{- end }}
{{/*
Generate the base64-encoded .dockerconfigjson.
*/}}
{{- define "dockerconfigjson.b64enc" }}
{{- $list := ternary (list .) . (kindIs "map" .) }}
{{- include "dockerconfigjson.required" $list }}
{{- include "dockerconfigjson.b64dec" $list | b64enc }}
{{- end }}
{{/*
Required values for .dockerconfigjson
*/}}
{{- define "dockerconfigjson.required" -}}
{{- range . -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].username is required!" .username -}}
{{- $_ := required "cpPullCredentials.dockerconfigjson[].password is required!" .password -}}
{{- end -}}
{{/* Check for registry uniqueness */}}
{{- $registries := list -}}
{{- range . -}}
{{- $registries = append $registries (default "https://index.docker.io/v1/" .registry) -}}
{{- end -}}
{{- $_ := required "All cpPullCredentials.dockerconfigjson[].registry's must be unique!" (or (eq (len $registries) (len ($registries | uniq))) nil) -}}
{{- end -}}
{{/*
Generate the name of the secrets
*/}}
{{- define "spec.secrets" -}}
{{- /* secret configs if enabled */}}
{{- if hasKey $.Values "customSecrets" }}
{{- with $.Values.customSecrets }}
{{- if .enabled }}
{{- if hasKey . "admin" }}
{{- if and (not (hasKey $.Values.AWX.spec "admin_password_secret")) .admin.enabled }}
admin_password_secret: {{ include "admin.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "secretKey" }}
{{- if and (not (hasKey $.Values.AWX.spec "secret_key_secret")) .secretKey.enabled }}
secret_key_secret: {{ include "secretKey.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "routeTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "route_tls_secret")) .routeTls.enabled }}
route_tls_secret: {{ include "routeTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ingressTls" }}
{{- if and (not (hasKey $.Values.AWX.spec "ingress_tls_secret")) .ingressTls.enabled }}
ingress_tls_secret: {{ include "ingressTls.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldapCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_cacert_secret")) .ldapCacert.enabled }}
ldap_cacert_secret: {{ include "ldapCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "bundleCacert" }}
{{- if and (not (hasKey $.Values.AWX.spec "bundle_cacert_secret")) .bundleCacert.enabled }}
bundle_cacert_secret: {{ include "bundleCacert.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "ldap" }}
{{- if and (not (hasKey $.Values.AWX.spec "ldap_password_secret")) .ldap.enabled }}
ldap_password_secret: {{ include "ldap.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "eePullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "ee_pull_credentials_secret")) .eePullCredentials.enabled }}
ee_pull_credentials_secret: {{ include "eePullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- if hasKey . "cpPullCredentials" }}
{{- if and (not (hasKey $.Values.AWX.spec "image_pull_secrets")) .cpPullCredentials.enabled }}
image_pull_secrets:
- {{ include "cpPullCredentials.secretName" $ }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/admin-password-secret.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "admin" }}
{{- with $.Values.customSecrets.admin }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "admin.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
password: {{ .password | required "customSecrets.admin.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/cp-pull-credentials-secret.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "cpPullCredentials" }}
{{- with $.Values.customSecrets.cpPullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "cpPullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "dockerconfigjson.b64enc" .dockerconfig | required "customSecrets.cpPullCredentials.dockerconfig is required!" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

49
.helm/starter/templates/secrets/custom-certs-secret.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if ($.Values.customSecrets).enabled }}
{{- with .Values.customSecrets }}
{{- $hasLdapCrt := (hasKey $.Values.customSecrets "ldapCacert") -}}
{{- $hasBundleCrt := (hasKey . "bundleCacert") -}}
{{- if or $hasLdapCrt $hasBundleCrt }}
{{- $ldapCrtEnabled := ternary (.ldapCacert).enabled false $hasLdapCrt -}}
{{- $bundleCrtEnabled := ternary (.bundleCacert).enabled false $hasBundleCrt -}}
{{- $ldapSecretName := (include "ldapCacert.secretName" $) -}}
{{- $bundleSecretName := (include "bundleCacert.secretName" $) -}}
{{- if and (or $bundleCrtEnabled $ldapCrtEnabled) (eq $ldapSecretName $bundleSecretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
{{- if $ldapCrtEnabled }}
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- else }}
{{- if $ldapCrtEnabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ldapSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-ca.crt: {{ .ldapCacert.crt | required "customSecrets.ldapCacert.crt is required!" | b64enc }}
{{- end }}
{{- if $bundleCrtEnabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $bundleSecretName }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
bundle-ca.crt: {{ .bundleCacert.crt | required "customSecrets.bundleCacert.crt is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

19
.helm/starter/templates/secrets/ee-pull-credentials-secret.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "eePullCredentials" }}
{{- with $.Values.customSecrets.eePullCredentials }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "eePullCredentials.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
url: {{ (required "customSecrets.eePullCredentials.url is required!" .url) | quote }}
username: {{ (required "customSecrets.eePullCredentials.username is required!" .username) | quote }}
password: {{ (required "customSecrets.eePullCredentials.password is required!" .password) | quote }}
ssl_verify: {{ or .sslVerify (eq (.sslVerify | toString) "<nil>") | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

25
.helm/starter/templates/secrets/ingress-tls-secret.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ingressTls" }}
{{- with $.Values.customSecrets.ingressTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ingressTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
{{- if .labels }}
labels:
{{ toYaml .labels | indent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
{{- if .selfSignedCert }}
{{ ( include "ingress.gen-certs" $ ) | indent 2 }}
{{ else }}
tls.key: {{ (.key | required "customSecrets.ingressTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.ingressTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/ldap-password-secret.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "ldap" }}
{{- with $.Values.customSecrets.ldap }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ldap.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
data:
ldap-password: {{ .password | required "customSecrets.ldap.password is required!" | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

17
.helm/starter/templates/secrets/route-tls-secret.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "routeTls" }}
{{- with $.Values.customSecrets.routeTls }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "routeTls.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: kubernetes.io/tls
data:
tls.key: {{ (.key | required "customSecrets.routeTls.key is required!") | b64enc }}
tls.crt: {{ (.certificate | required "customSecrets.routeTls.certificate is required!") | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

16
.helm/starter/templates/secrets/secret-key-secret.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if ($.Values.customSecrets).enabled }}
{{- if hasKey .Values.customSecrets "secretKey" }}
{{- with $.Values.customSecrets.secretKey }}
{{- if .enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "secretKey.secretName" $ }}
namespace: {{ $.Release.Namespace }}
type: Opaque
stringData:
secret_key: {{ .key | required "customSecrets.secretKey.key is required!" | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

57
.helm/starter/templates/storage/_helpers.tpl Normal file
View File

@@ -0,0 +1,57 @@
{{/*
Generate the name of the persistent volume for postgres folders
*/}}
{{- define "postgres.persistentVolumeName" -}}
{{ printf "%s-postgres-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume for projects folder
*/}}
{{- define "projects.persistentVolumeName" -}}
{{ printf "%s-projects-volume" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the persistent volume claim for the projects volume
*/}}
{{- define "projects.persistentVolumeClaim" -}}
{{ printf "%s-projects-claim" $.Values.AWX.name }}
{{- end }}
{{/*
Generate the name of the storage class to use for the postgres volume
*/}}
{{- define "postgres.storageClassName" -}}
{{ default (printf "%s-postgres-volume" $.Values.AWX.name) (default $.Values.AWX.spec.postgres_storage_class (($.Values.customVolumes).postgres).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class to use for the projects volume
*/}}
{{- define "projects.storageClassName" -}}
{{ default (printf "%s-projects-volume" $.Values.AWX.name) (default $.Values.AWX.spec.projects_storage_class (($.Values.customVolumes).projects).storageClassName) }}
{{- end }}
{{/*
Generate the name of the storage class names, expects AWX context passed in
*/}}
{{- define "spec.storageClassNames" -}}
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_class") }}
postgres_storage_class: {{ include "postgres.storageClassName" $ }}
{{- end }}
{{- if not (hasKey $.Values.AWX.spec "postgres_storage_requirements") }}
postgres_storage_requirements:
requests:
storage: {{ default "8Gi" $.Values.customVolumes.postgres.size | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled }}
projects_existing_claim: {{ include "projects.persistentVolumeClaim" $ }}
{{- end }}
{{- end }}
{{- end }}

19
.helm/starter/templates/storage/postgres-pv.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if and (not $.Values.AWX.postgres.enabled) (eq (($.Values.AWX.spec).postgres_configuration_secret | default "") "") -}}
{{- if (($.Values.customVolumes).postgres).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "postgres.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.postgres }}
spec:
accessModes:
- {{ default "ReadWriteOnce" .accessModes }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" .size | quote }}
storageClassName: {{ include "postgres.storageClassName" $ }}
hostPath:
path: {{ required "customVolumes.postgres.hostPath or spec.postgres_data_path are required!" (default ($.Values.AWX.spec).postgres_data_path .hostPath) | quote }}
{{- end }}
{{- end }}
{{- end }}

32
.helm/starter/templates/storage/projects-pv.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if and ($.Values.AWX.spec.projects_persistence) (eq (($.Values.AWX.spec).projects_existing_claim | default "") "") -}}
{{- if (($.Values.customVolumes).projects).enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "projects.persistentVolumeName" $ }}
{{- with $.Values.customVolumes.projects }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
persistentVolumeReclaimPolicy: {{ default "Retain" .reclaimPolicy | quote }}
capacity:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
hostPath:
path: {{ required "customVolumes.projects.hostPath is required!" .hostPath | quote }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "projects.persistentVolumeClaim" $ }}
spec:
accessModes:
- {{ default "ReadWriteOnce" (default $.Values.AWX.spec.projects_storage_access_mode .accessModes) }}
volumeMode: Filesystem
resources:
requests:
storage: {{ default "8Gi" (default $.Values.AWX.spec.projects_storage_size .size) | quote }}
storageClassName: {{ include "projects.storageClassName" $ }}
{{- end }}
{{- end }}
{{- end }}

22
CONTRIBUTING.md
View File

@@ -6,13 +6,15 @@ Have questions about this document or anything not covered here? Please file a n
## Table of contents
* [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
* [Submmiting your Work](#submitting-your-work)
* [Testing](#testing)
* [Testing in Docker](#testing-in-docker)
* [Testing in Minikube](#testing-in-minikube)
* [Generating a bundle](#generating-a-bundle)
* [Reporting Issues](#reporting-issues)
- [AWX-Operator Contributing Guidelines](#awx-operator-contributing-guidelines)
- [Table of contents](#table-of-contents)
- [Things to know prior to submitting code](#things-to-know-prior-to-submitting-code)
- [Submmiting your work](#submmiting-your-work)
- [Testing](#testing)
- [Testing in Kind](#testing-in-kind)
- [Testing in Minikube](#testing-in-minikube)
- [Generating a bundle](#generating-a-bundle)
- [Reporting Issues](#reporting-issues)
## Things to know prior to submitting code
@@ -25,7 +27,7 @@ Have questions about this document or anything not covered here? Please file a n
## Submmiting your work
1. From your fork `devel` branch, create a new brach to stage your changes.
1. From your fork `devel` branch, create a new branch to stage your changes.
```sh
#> git checkout -b <branch-name>
```
@@ -44,12 +46,12 @@ Have questions about this document or anything not covered here? Please file a n
## Testing
This Operator includes a [Molecule](https://molecule.readthedocs.io/en/stable/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
This Operator includes a [Molecule](https://ansible.readthedocs.io/projects/molecule/)-based test environment, which can be executed standalone in Docker (e.g. in CI or in a single Docker container anywhere), or inside any kind of Kubernetes cluster (e.g. Minikube).
You need to make sure you have Molecule installed before running the following commands. You can install Molecule with:
```sh
#> pip install 'molecule[docker]'
#> python -m pip install molecule-plugins[docker]
```
Running `molecule test` sets up a clean environment, builds the operator, runs all configured tests on an example operator instance, then tears down the environment (at least in the case of Docker).

8
Dockerfile
View File

@@ -1,8 +1,8 @@
FROM quay.io/operator-framework/ansible-operator:v1.28.1
FROM quay.io/operator-framework/ansible-operator:v1.34.0
USER 0
RUN dnf install -y openssl
USER root
RUN dnf update --security --bugfix -y && \
dnf install -y openssl
USER 1001

46
Makefile
View File

@@ -4,6 +4,7 @@
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= $(shell git describe --tags)
PREV_VERSION ?= $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --skip=1 --max-count=1))
CONTAINER_CMD ?= docker
@@ -88,6 +89,10 @@ all: docker-build
help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
.PHONY: print-%
print-%: ## Print any variable from the Makefile. Use as `make print-VARIABLE`
@echo $($*)
##@ Build
.PHONY: run
@@ -102,6 +107,21 @@ docker-build: ## Build docker image with the manager.
docker-push: ## Push docker image with the manager.
${CONTAINER_CMD} push ${IMG}
# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple
# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> than the export will fail)
# To properly provided solutions that supports more than one platform you should use this option.
PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
.PHONY: docker-buildx
docker-buildx: ## Build and push docker image for the manager for cross-platform support
- docker buildx create --name project-v3-builder
docker buildx use project-v3-builder
- docker buildx build --push $(BUILD_ARGS) --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
- docker buildx rm project-v3-builder
##@ Deployment
.PHONY: install
@@ -149,6 +169,22 @@ KUSTOMIZE = $(shell which kustomize)
endif
endif
.PHONY: operator-sdk
OPERATOR_SDK = $(shell pwd)/bin/operator-sdk
operator-sdk: ## Download operator-sdk locally if necessary, preferring the $(pwd)/bin path over global if both exist.
ifeq (,$(wildcard $(OPERATOR_SDK)))
ifeq (,$(shell which operator-sdk 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(OPERATOR_SDK)) ;\
curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.33.0/operator-sdk_$(OS)_$(ARCHA) ;\
chmod +x $(OPERATOR_SDK) ;\
}
else
OPERATOR_SDK = $(shell which operator-sdk)
endif
endif
.PHONY: ansible-operator
ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator
ansible-operator: ## Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist.
@@ -157,7 +193,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
@{ \
set -e ;\
mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0/ansible-operator_$(OS)_$(ARCHA) ;\
curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.34.0/ansible-operator_$(OS)_$(ARCHA) ;\
chmod +x $(ANSIBLE_OPERATOR) ;\
}
else
@@ -166,11 +202,11 @@ endif
endif
.PHONY: bundle
bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files.
operator-sdk generate kustomize manifests -q
bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
$(OPERATOR_SDK) generate kustomize manifests -q
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
operator-sdk bundle validate ./bundle
$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
$(OPERATOR_SDK) bundle validate ./bundle
.PHONY: bundle-build
bundle-build: ## Build the bundle image.

11
PROJECT
View File

@@ -1,3 +1,7 @@
# Code generated by tool. DO NOT EDIT.
# This file is used to track the info used to scaffold your project
# and allow the plugins properly work.
# More info: https://book.kubebuilder.io/reference/project-config.html
domain: ansible.com
layout:
- ansible.sdk.operatorframework.io/v1
@@ -27,4 +31,11 @@ resources:
group: awx
kind: AWXRestore
version: v1beta1
- api:
crdVersion: v1
namespaced: true
domain: ansible.com
group: awx
kind: AWXMeshIngress
version: v1alpha1
version: "3"

72
README.md
View File

@@ -2,7 +2,7 @@
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
@@ -12,74 +12,11 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
<!-- gh-md-toc --insert README.md -->
<!--ts-->
**Note**: We are in the process of moving this readme into official docs in the /docs folder. Please go there to find additional sections during this interim move phase.
# AWX Operator Documentation
The AWX Operator documentation is now available at https://awx-operator.readthedocs.io/
Table of Contents
=================
- [AWX Operator](#awx-operator)
- [Table of Contents](#table-of-contents)
- [Install and Configuration](#install-and-configuration)
- [Contributing](#contributing)
- [Release Process](#release-process)
- [Author](#author)
- [Code of Conduct](#code-of-conduct)
- [Get Involved](#get-involved)
<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
<!--te-->
## Install and Configuration
All of our usage and configuration docs are nested in the `docs/` directory. Below is a Table of Contents for those.
- Introduction
- [Introduction](./docs/introduction/introduction.md)
- Contributors Guide
- [Code of Conduct](./docs/contributors-guide/code-of-conduct.md)
- [Get Involved](./docs/contributors-guide/get-involved.md)
- [Contributing](./docs/contributors-guide/contributing.md)
- [Release Process](./docs/contributors-guide/release-process.md)
- [Authors](./docs/contributors-guide/author.md)
- Installation
- [Basic Install](./docs/installation/basic-install.md)
- [Creating a Minikube cluster for testing](./docs/installation/creating-a-minikube-cluster-for-testing.md)
- [Helm Install](./docs/installation/helm-install-on-existing-cluster.md)
- [Migration](./docs/migration/migration.md)
- [Uninstall](./docs/uninstall/uninstall.md)
- User Guide
- [Admin User Configuration](./docs/user-guide/admin-user-account-configuration.md)
- [Database Configuration](./docs/user-guide/database-configuration.md)
- [Network and TLS Configuration](./docs/user-guide/network-and-tls-configuration.md)
- Advanced Configuration
- [No Log](./docs/user-guide/advanced-configuration/no-log.md)
- [Deploy a Specific Version of AWX](./docs/user-guide/advanced-configuration/deploying-a-specific-version-of-awx.md)
- [Resource Requirements](./docs/user-guide/advanced-configuration/containers-resource-requirements.md)
- [Extra Settings](./docs/user-guide/advanced-configuration/extra-settings.md)
- [Environment Variables](./docs/user-guide/advanced-configuration/exporting-environment-variables-to-containers.md)
- [Custom Labels](./docs/user-guide/advanced-configuration/labeling-operator-managed-objects.md)
- [Custom Volumes](./docs/user-guide/advanced-configuration/custom-volume-and-volume-mount-options.md)
- [Scaling Deployments](./docs/user-guide/advanced-configuration/scaling-the-web-and-task-pods-independently.md)
- [Auto Update Upon Operator Upgrade](./docs/user-guide/advanced-configuration/auto-upgrade.md)
- [Termination Grace Period](./docs/user-guide/advanced-configuration/pods-termination-grace-period.md)
- [Node Selector for Deployments](./docs/user-guide/advanced-configuration/assigning-awx-pods-to-specific-nodes.md)
- [Default EE from Private Registries](./docs/user-guide/advanced-configuration/default-execution-environments-from-private-registries.md)
- [CSRF Cookie Secure](./docs/user-guide/advanced-configuration/csrf-cookie-secure-setting.md)
- [Disable IPv6](./docs/user-guide/advanced-configuration/disable-ipv6.md)
- [LDAP](./docs/user-guide/advanced-configuration/enabling-ldap-integration-at-awx-bootstrap.md)
- [Priority Clases](./docs/user-guide/advanced-configuration/priority-classes.md)
- [Priveleged Tasks](./docs/user-guide/advanced-configuration/privileged-tasks.md)
- [Redis Container Capabilities](./docs/user-guide/advanced-configuration/redis-container-capabilities.md)
- [Trusting a Custom Certificate Authority](./docs/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.md)
- [Service Account](./docs/user-guide/advanced-configuration/service-account.md)
- [Persisting the Projects Directory](./docs/user-guide/advanced-configuration/persisting-projects-directory.md)
- Troubleshooting
- [General Debugging](./docs/troubleshooting/debugging.md)
For docs changes, create PRs on the appropriate files in the /docs folder.
## Contributing
@@ -110,4 +47,3 @@ We welcome your feedback and ideas. The AWX operator uses the same mailing list
- Join the [Ansible AWX channel on Matrix](https://matrix.to/#/#awx:ansible.com)
- Join the [Ansible Community Forum](https://forum.ansible.com)
- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

7
awxmeshingress-demo.yml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: awx-mesh-ingress-demo
spec:
deployment_name: awx-demo

3
config/crd/bases/awx.ansible.com_awxbackups.yaml
View File

@@ -92,7 +92,8 @@ spec:
type: string
precreate_partition_hours:
description: Number of hours worth of events table partitions to precreate before backup to avoid pg_dump locks.
type: string
type: integer
format: int32
image_pull_policy:
description: The image pull policy
type: string

86
config/crd/bases/awx.ansible.com_awxmeshingresses.yaml Normal file
View File

@@ -0,0 +1,86 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: awxmeshingresses.awx.ansible.com
spec:
group: awx.ansible.com
names:
kind: AWXMeshIngress
listKind: AWXMeshIngressList
plural: awxmeshingresses
singular: awxmeshingress
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AWXMeshIngress is the Schema for the awxmeshingresses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of AWXMeshIngress
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- deployment_name
properties:
deployment_name:
description: Name of the AWX deployment to create the Mesh Ingress for.
type: string
image_pull_secrets:
description: Image pull secrets for Mesh Ingress containers.
type: array
items:
type: string
external_hostname:
description: External hostname to use for the Mesh Ingress.
type: string
external_ipaddress:
description: External IP address to use for the Mesh Ingress.
type: string
ingress_type:
description: The ingress type to use to reach the deployed instance
type: string
enum:
- none
- Ingress
- ingress
- IngressRouteTCP
- ingressroutetcp
- Route
- route
ingress_api_version:
description: The Ingress API version to use
type: string
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
ingress_class_name:
description: The name of ingress class to use instead of the cluster default.
type: string
ingress_controller:
description: Special configuration for specific Ingress Controllers
type: string
status:
description: Status defines the observed state of AWXMeshIngress
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}

4
config/crd/bases/awx.ansible.com_awxrestores.yaml
View File

@@ -121,6 +121,10 @@ spec:
description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
type: boolean
default: true
force_drop_db:
description: Force drop the database before restoring. USE WITH CAUTION!
type: boolean
default: false
status:
type: object
x-kubernetes-preserve-unknown-fields: true

116
config/crd/bases/awx.ansible.com_awxs.yaml
View File

@@ -54,8 +54,8 @@ spec:
description: Username to use for the admin account
type: string
default: admin
hostname:
description: The hostname of the instance
hostname: # deprecated
description: (Deprecated) The hostname of the instance
type: string
admin_email:
description: The admin user email
@@ -123,12 +123,24 @@ spec:
ingress_annotations:
description: Annotations to add to the Ingress Controller
type: string
ingress_tls_secret:
description: Secret where the Ingress TLS secret can be found
ingress_tls_secret: # deprecated
description: (Deprecated) Secret where the Ingress TLS secret can be found
type: string
ingress_class_name:
description: The name of ingress class to use instead of the cluster default.
type: string
ingress_hosts:
description: Ingress hostnames of the instance
type: array
items:
type: object
properties:
hostname:
description: Hostname of the instance
type: string
tls_secret:
description: Secret where the Ingress TLS secret can be found
type: string
ingress_controller:
description: Special configuration for specific Ingress Controllers
type: string
@@ -147,6 +159,10 @@ spec:
description: Assign LoadBalancer IP address
type: string
default: ''
loadbalancer_class:
description: Class of LoadBalancer to use
type: string
default: ''
route_host:
description: The DNS to use to points to the instance
type: string
@@ -1559,6 +1575,86 @@ spec:
description: Number of task instance replicas
type: integer
format: int32
web_liveness_initial_delay:
description: Initial delay before starting liveness checks on web pod
type: integer
default: 5
format: int32
task_liveness_initial_delay:
description: Initial delay before starting liveness checks on task pod
type: integer
default: 5
format: int32
web_liveness_period:
description: Time period in seconds between each liveness check for the web pod
type: integer
default: 0
format: int32
task_liveness_period:
description: Time period in seconds between each liveness check for the task pod
type: integer
default: 0
format: int32
web_liveness_failure_threshold:
description: Number of consecutive failure events to identify failure of web pod
type: integer
default: 3
format: int32
task_liveness_failure_threshold:
description: Number of consecutive failure events to identify failure of task pod
type: integer
default: 3
format: int32
web_liveness_timeout:
description: Number of seconds to wait for a probe response from web pod
type: integer
default: 1
format: int32
task_liveness_timeout:
description: Number of seconds to wait for a probe response from task pod
type: integer
default: 1
format: int32
web_readiness_initial_delay:
description: Initial delay before starting readiness checks on web pod
type: integer
default: 20
format: int32
task_readiness_initial_delay:
description: Initial delay before starting readiness checks on task pod
type: integer
default: 20
format: int32
web_readiness_period:
description: Time period in seconds between each readiness check for the web pod
type: integer
default: 0
format: int32
task_readiness_period:
description: Time period in seconds between each readiness check for the task pod
type: integer
default: 0
format: int32
web_readiness_failure_threshold:
description: Number of consecutive failure events to identify failure of web pod
type: integer
default: 3
format: int32
task_readiness_failure_threshold:
description: Number of consecutive failure events to identify failure of task pod
type: integer
default: 3
format: int32
web_readiness_timeout:
description: Number of seconds to wait for a probe response from web pod
type: integer
default: 1
format: int32
task_readiness_timeout:
description: Number of seconds to wait for a probe response from task pod
type: integer
default: 1
format: int32
garbage_collect_secrets:
description: Whether or not to remove secrets upon instance removal
default: false
@@ -1608,6 +1704,9 @@ spec:
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
postgres_extra_volume_mounts:
description: Specify volume mounts to be added to Postgres container
type: string
uwsgi_processes:
description: Set the number of uwsgi processes to run in a web container
type: integer
@@ -1715,6 +1814,9 @@ spec:
type: array
items:
type: string
postgres_extra_volumes:
description: Specify extra volumes to add to the application pod
type: string
postgres_keepalives:
description: Controls whether client-side TCP keepalives are used for Postgres connections.
default: true
@@ -1779,11 +1881,15 @@ spec:
session_cookie_secure:
description: Set session cookie secure mode for web
type: string
postgres_security_context_settings:
description: Key/values that will be set under the pod-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
receptor_log_level:
description: Set log level of receptor service
type: string
extra_settings:
description: Extra settings to specify for the API
description: Extra settings to specify for AWX
items:
properties:
setting:

1
config/crd/kustomization.yaml
View File

@@ -5,4 +5,5 @@ resources:
- bases/awx.ansible.com_awxs.yaml
- bases/awx.ansible.com_awxbackups.yaml
- bases/awx.ansible.com_awxrestores.yaml
- bases/awx.ansible.com_awxmeshingresses.yaml
#+kubebuilder:scaffold:crdkustomizeresource

2
config/default/manager_auth_proxy_patch.yaml
View File

@@ -15,7 +15,7 @@ spec:
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"

4
config/manager/kustomization.yaml
View File

@@ -5,9 +5,9 @@ generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: awx-manager-config
files:
- files:
- controller_manager_config.yaml
name: awx-manager-config
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

5
config/manager/manager.yaml
View File

@@ -39,6 +39,7 @@ spec:
- --leader-elect
- --leader-election-id=awx-operator
image: controller:latest
imagePullPolicy: Always
name: awx-manager
env:
- name: ANSIBLE_GATHERING
@@ -72,8 +73,8 @@ spec:
memory: "32Mi"
cpu: "50m"
limits:
memory: "4096Mi"
cpu: "2000m"
memory: "960Mi"
cpu: "1500m"
serviceAccountName: controller-manager
imagePullSecrets:
- name: redhat-operators-pull-secret

93
config/manifests/bases/awx-operator.clusterserviceversion.yaml
View File

@@ -10,12 +10,60 @@ metadata:
description: AWX provides a web-based user interface, REST API, and task engine
built on top of Ansible.
repository: https://github.com/ansible/awx-operator
support: forum.ansible.com
name: awx-operator.v0.0.0
namespace: placeholder
spec:
apiservicedefinitions: {}
customresourcedefinitions:
owned:
- description: Deploy a instance of AWX Mesh ingress to allow inbound connection
to the AWX Receptor Mesh.
displayName: AWX Mesh Ingress
kind: AWXMeshIngress
name: awxmeshingresses.awx.ansible.com
specDescriptors:
- displayName: Deployment Name
path: deployment_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: External Hostname
path: external_hostname
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: External IP Address
path: external_ipaddress
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Ingress Type
path: ingress_type
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:none
- urn:alm:descriptor:com.tectonic.ui:select:Ingress
- urn:alm:descriptor:com.tectonic.ui:select:IngressRouteTCP
- urn:alm:descriptor:com.tectonic.ui:select:Route
- displayName: Ingress API Version
path: ingress_api_version
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Ingress Annotations
path: ingress_annotations
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Ingress Class Name
path: ingress_class_name
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Ingress Controller
path: ingress_controller
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Image Pull Secrets
path: image_pull_secrets
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
version: v1alpha1
- description: Back up a deployment of the awx, including jobs, inventories, and
credentials
displayName: AWX Backup
@@ -48,12 +96,12 @@ spec:
- displayName: Backup PVC Storage Class
path: backup_storage_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:io.kubernetes:StorageClass
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Precreate Partition Hours
path: precreate_partition_hours
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:number
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Database Backup Label Selector
@@ -61,6 +109,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Security Context Settings
path: postgres_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
@@ -189,6 +242,11 @@ spec:
path: db_management_pod_node_selector
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Force drop database before restore
path: force_drop_db
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
statusDescriptors:
- description: The state of the restore
displayName: Restore Status
@@ -202,7 +260,7 @@ spec:
kind: AWX
name: awxs.awx.ansible.com
specDescriptors:
- displayName: Hostname
- displayName: Hostname (Deprecated)
path: hostname
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
@@ -292,12 +350,17 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Ingress TLS Secret
- displayName: Ingress TLS Secret (Deprecated)
path: ingress_tls_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Secret
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- displayName: Ingress Hosts
path: ingress_hosts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:text
- displayName: Ingress Controller
path: ingress_controller
x-descriptors:
@@ -329,6 +392,12 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:string
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: LoadBalancer Class
path: loadbalancer_class
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:string
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:service_type:LoadBalancer
- displayName: Route API Version
path: route_api_version
x-descriptors:
@@ -578,6 +647,18 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify extra volumes to add to the postgres pod
displayName: Postgres Extra Volumes
path: postgres_extra_volumes
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Specify volume mounts to be added to Postgres container
displayName: Postgres Extra Volume Mounts
path: postgres_extra_volume_mounts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Enable Postgres Keepalives
path: postgres_keepalives
x-descriptors:
@@ -643,7 +724,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:fieldDependency:projects_use_existing_claim:_No_
- urn:alm:descriptor:com.tectonic.ui:text
- urn:alm:descriptor:io.kubernetes:StorageClass
- description: Projects Storage Size
displayName: Projects Storage Size
path: projects_storage_size
@@ -867,7 +948,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: API Extra Settings
- displayName: Extra Settings
path: extra_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced

31
config/rbac/awxmeshingress_editor_role.yaml Normal file
View File

@@ -0,0 +1,31 @@
# permissions for end users to edit awxmeshingresses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: awxmeshingress-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: awx-operator
app.kubernetes.io/part-of: awx-operator
app.kubernetes.io/managed-by: kustomize
name: awxmeshingress-editor-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxmeshingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxmeshingresses/status
verbs:
- get

27
config/rbac/awxmeshingress_viewer_role.yaml Normal file
View File

@@ -0,0 +1,27 @@
# permissions for end users to view awxmeshingresses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: awxmeshingress-viewer-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: awx-operator
app.kubernetes.io/part-of: awx-operator
app.kubernetes.io/managed-by: kustomize
name: awxmeshingress-viewer-role
rules:
- apiGroups:
- awx.ansible.com
resources:
- awxmeshingresses
verbs:
- get
- list
- watch
- apiGroups:
- awx.ansible.com
resources:
- awxmeshingresses/status
verbs:
- get

24
config/rbac/role.yaml
View File

@@ -78,6 +78,17 @@ rules:
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- create
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
@@ -124,3 +135,16 @@ rules:
- awxrestores
verbs:
- '*'
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- ingressroutetcps
verbs:
- get
- list
- create
- delete
- patch
- update
- watch

8
config/samples/awx_v1alpha1_awxmeshingress.yaml Normal file
View File

@@ -0,0 +1,8 @@
# Placeholder to pass CI and allow bundle generation
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: example-awx-mesh-ingress
spec:
deployment_name: example-awx

55
config/samples/awx_v1beta1_awx_resource_limits.yaml Normal file
View File

@@ -0,0 +1,55 @@
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-with-limits
spec:
task_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 4Gi
web_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 4Gi
ee_resource_requirements:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 1000m
memory: 4Gi
redis_resource_requirements:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 4Gi
rsyslog_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 2Gi
init_container_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 2Gi
postgres_init_container_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1000m
memory: 2Gi

1
config/samples/kustomization.yaml
View File

@@ -3,4 +3,5 @@ resources:
- awx_v1beta1_awx.yaml
- awx_v1beta1_awxbackup.yaml
- awx_v1beta1_awxrestore.yaml
- awx_v1alpha1_awxmeshingress.yaml
#+kubebuilder:scaffold:manifestskustomizesamples

2
docs/contributors-guide/release-process.md
View File

@@ -9,7 +9,7 @@ After the draft release is created, publish it and the [Promote AWX Operator ima
- Publish image to Quay
- Release Helm chart
After the GHA is complete, the final step is to run the [publish-to-operator-hub.sh](./hack/publish-to-operator-hub.sh) script, which will create a PR in the following repos to add the new awx-operator bundle version to OperatorHub:
After the GHA is complete, the final step is to run the [publish-to-operator-hub.sh](https://github.com/ansible/awx-operator/blob/devel/hack/publish-to-operator-hub.sh) script, which will create a PR in the following repos to add the new awx-operator bundle version to OperatorHub:
* https://github.com/k8s-operatorhub/community-operators (community operator index)
* https://github.com/redhat-openshift-ecosystem/community-operators-prod (operator index shipped with Openshift)

28
docs/installation/basic-install.md
View File

@@ -1,7 +1,29 @@
### Basic Install
After cloning this repository, you must choose the tag to run:
```sh
git clone git@github.com:ansible/awx-operator.git
cd awx-operator
git tag
git checkout tags/<tag>
# For instance:
git checkout tags/2.7.2
```
If you work from a fork and made modifications since the tag was issued, you must provide the VERSION number to deploy. Otherwise the operator will get stuck in "ImagePullBackOff" state:
```sh
export VERSION=<tag>
# For instance:
export VERSION=2.7.2
```
Once you have a running Kubernetes cluster, you can deploy AWX Operator into your cluster using [Kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/). Since kubectl version 1.14 kustomize functionality is built-in (otherwise, follow the instructions here to install the latest version of Kustomize: https://kubectl.docs.kubernetes.io/installation/kustomize/ )
> Some things may need to be configured slightly differently for different Kubernetes flavors for the networking aspects. When installing on Kind, see the [kind install docs](./kind-install.md) for more details.
There is a make target you can run:
```
make deploy
@@ -67,7 +89,7 @@ So we don't have to keep repeating `-n awx`, let's set the current namespace for
$ kubectl config set-context --current --namespace=awx
```
Next, create a file named `awx-demo.yaml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
Next, create a file named `awx-demo.yml` in the same folder with the suggested content below. The `metadata.name` you provide will be the name of the resulting AWX deployment.
**Note:** If you deploy more than one AWX instance to the same namespace, be sure to use unique names.
@@ -81,7 +103,7 @@ spec:
service_type: nodeport
```
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed. If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](../user-guide/admin-user-account-configuration.md#secret-key-configuration).
If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
@@ -104,7 +126,7 @@ Make sure to add this new file to the list of "resources" in your `kustomization
resources:
- github.com/ansible/awx-operator/config/default?ref=<tag>
# Add this extra line:
- awx-demo.yaml
- awx-demo.yml
...
```

2
docs/installation/index.md
View File

@@ -1,2 +1,2 @@
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can manage one or more AWX instances in any namespace.
This Kubernetes Operator is meant to be deployed in your Kubernetes cluster(s) and can be used to install and manage the lifecycle of an AWX instance in the same namespace.

125
docs/installation/kind-install.md Normal file
View File

@@ -0,0 +1,125 @@
# AWX Operator on Kind
## Kind Install
Install Kind by running the following
```
# For Intel Macs
[ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-darwin-amd64
# For M1 / ARM Macs
[ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-darwin-arm64
chmod +x ./kind
mv ./kind /some-dir-in-your-PATH/kind
```
> https://kind.sigs.k8s.io/docs/user/quick-start/
### Create the Kind cluster
Create a file called `kind.config`
```yaml
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
nodes:
- role: control-plane
extraPortMappings:
- containerPort: 32000
hostPort: 32000
listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
protocol: tcp # Optional, defaults to tcp
- role: worker
```
Then create a cluster using that config
```
kind create cluster --config=kind.config
```
Set cluster context for kubectl
```
kubectl cluster-info --context kind-kind
```
Install NGINX Ingress Controller
```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
```
## AWX
Set the namespace context
```
kubectl config set-context --current --namespace=awx
```
Checkout the tag you want to install from
```
git checkout 2.7.2
```
Create a file named `kustomization.yaml` in the root of your local awx-operator clone. Include the following:
```
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Find the latest tag here: https://github.com/ansible/awx-operator/releases
- github.com/ansible/awx-operator/config/default?ref=2.7.2
# Set the image tags to match the git version from above
images:
- name: quay.io/ansible/awx-operator
newTag: 2.7.2
# Specify a custom namespace in which to install AWX
namespace: awx
```
Run the following to apply the yaml
```
kubectl apply -k .
```
Create a file called `awx-cr.yaml` with the following contents and any configuration changes you may wish to add.
```
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx-demo
spec:
service_type: nodeport
nodeport_port: 32000
```
Create your AWX CR
```
oc create -f awx-cr.yaml
```
Your AWX instance should now be reacheable at http://localhost:32000/
> If you configured a custom nodeport_port, you can find it by running `kubectl -n awx get svc awx-demo-service`
## Cleanup
When you are done, you can delete all of this by running
```
kind delete cluster
```

2
docs/migration/migration.md
View File

@@ -41,7 +41,7 @@ stringData:
type: Opaque
```
> For `host`, a URL resolvable by the cluster could look something like `postgresql.<namespace>.svc.cluster.local`, where `<namespace>` is filled in with the namespace of the AWX deployment you are migrating data from.
> For `host`, a URL resolvable by the cluster could look something like `postgresql.<namespace>.svc.<cluster domain>`, where `<namespace>` is filled in with the namespace of the AWX deployment you are migrating data from, and `<cluster domain>` is filled in with the internal kubernretes cluster domain (In most cases it's `cluster.local`).
If your AWX deployment is already using an external database server or its database is otherwise not managed
by the AWX deployment, you can instead create the same secret as above but omit the `-old-` from the `name`.

3
docs/requirements.in Normal file
View File

@@ -0,0 +1,3 @@
# This requirements file is used for AWX Operator latest doc builds.
mkdocs-ansible

190
docs/requirements.txt
View File

@@ -1,12 +1,184 @@
#
# This file is autogenerated by pip-compile with Python 3.12
# by the following command:
#
# pip-compile --allow-unsafe --output-file=docs/requirements.txt --strip-extras docs/requirements.in
#
babel==2.14.0
# via mkdocs-material
beautifulsoup4==4.12.3
# via
# linkchecker
# mkdocs-htmlproofer-plugin
# readtime
cairocffi==1.6.1
# via cairosvg
cairosvg==2.7.0
markdown-exec>=1.6.0
mkdocs-ansible>=0.1.6
mkdocs-gen-files>=0.4.0
mkdocs-material-extensions>=1.1.1
mkdocs-material>=9.1.18
mkdocs
mkdocstrings-python>=1.1.0
mkdocstrings>=0.22.0
pillow==9.5.0
# via mkdocs-ansible
certifi==2024.2.2
# via requests
cffi==1.16.0
# via cairocffi
charset-normalizer==3.3.2
# via requests
click==8.1.7
# via
# mkdocs
# mkdocstrings
colorama==0.4.6
# via
# griffe
# mkdocs-material
csscompressor==0.9.5
# via mkdocs-minify-plugin
cssselect==1.2.0
# via pyquery
cssselect2==0.7.0
# via cairosvg
defusedxml==0.7.1
# via cairosvg
dnspython==2.6.1
# via linkchecker
ghp-import==2.1.0
# via mkdocs
griffe==0.40.1
# via mkdocstrings-python
htmlmin2==0.1.13
# via mkdocs-minify-plugin
idna==3.6
# via requests
jinja2==3.1.3
# via
# mkdocs
# mkdocs-material
# mkdocstrings
jsmin==3.0.1
# via mkdocs-minify-plugin
linkchecker==10.4.0
# via mkdocs-ansible
lxml==5.1.0
# via
# mkdocs-material
# pyquery
markdown==3.5.2
# via
# markdown-include
# mkdocs
# mkdocs-autorefs
# mkdocs-htmlproofer-plugin
# mkdocs-material
# mkdocstrings
# pymdown-extensions
markdown-exec==1.8.0
# via mkdocs-ansible
markdown-include==0.8.1
# via mkdocs-ansible
markdown2==2.4.12
# via readtime
markupsafe==2.1.5
# via
# jinja2
# mkdocs
# mkdocstrings
mergedeep==1.3.4
# via mkdocs
mkdocs==1.5.3
# via
# mkdocs-ansible
# mkdocs-autorefs
# mkdocs-gen-files
# mkdocs-htmlproofer-plugin
# mkdocs-material
# mkdocs-minify-plugin
# mkdocs-monorepo-plugin
# mkdocstrings
mkdocs-ansible==24.2.1
# via -r docs/requirements.in
mkdocs-autorefs==0.5.0
# via mkdocstrings
mkdocs-gen-files==0.5.0
# via mkdocs-ansible
mkdocs-htmlproofer-plugin==1.0.0
# via mkdocs-ansible
mkdocs-material==9.2.6
# via mkdocs-ansible
mkdocs-material-extensions==1.3.1
# via
# mkdocs-ansible
# mkdocs-material
mkdocs-minify-plugin==0.8.0
# via mkdocs-ansible
mkdocs-monorepo-plugin==1.1.0
# via mkdocs-ansible
mkdocstrings==0.24.0
# via
# mkdocs-ansible
# mkdocstrings-python
mkdocstrings-python==1.8.0
# via mkdocs-ansible
packaging==23.2
# via mkdocs
paginate==0.5.6
# via mkdocs-material
pathspec==0.12.1
# via mkdocs
pillow==10.0.1
# via
# cairosvg
# mkdocs-ansible
pipdeptree==2.7.1
# via mkdocs-ansible
platformdirs==4.2.0
# via
# mkdocs
# mkdocstrings
pycparser==2.21
# via cffi
pygments==2.17.2
# via mkdocs-material
pymdown-extensions==10.0.1
# via
# markdown-exec
# mkdocs-ansible
# mkdocs-material
# mkdocstrings
pyquery==2.0.0
# via readtime
python-dateutil==2.8.2
# via ghp-import
python-slugify==8.0.4
# via mkdocs-monorepo-plugin
pyyaml==6.0.1
# via
# mkdocs
# pymdown-extensions
# pyyaml-env-tag
pyyaml-env-tag==0.1
# via mkdocs
readtime==3.0.0
# via mkdocs-material
regex==2023.12.25
# via mkdocs-material
requests==2.31.0
# via
# linkchecker
# mkdocs-htmlproofer-plugin
# mkdocs-material
six==1.16.0
# via python-dateutil
soupsieve==2.5
# via beautifulsoup4
text-unidecode==1.3
# via python-slugify
tinycss2==1.2.1
# via
# cairosvg
# cssselect2
urllib3==2.2.1
# via requests
watchdog==4.0.0
# via mkdocs
webencodings==0.5.1
# via
# cssselect2
# tinycss2

8
docs/upgrade/upgrading.md
View File

@@ -1,6 +1,10 @@
### Upgrading
To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX. To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `image_version` variable in `roles/installer/defaults/main.yml` for that particular release.
To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX. To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `DEFAULT_AWX_VERSION` variable for that particular release. You can do so by running the following command
```shell
AWX_OPERATOR_VERSION=2.8.0
docker run --entrypoint="" quay.io/ansible/awx-operator:$AWX_OPERATOR_VERSION bash -c "env | grep DEFAULT_AWX_VERSION"
```
Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
@@ -10,7 +14,7 @@ The first part of any upgrade should be a backup. Note, there are secrets in the
In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore). *Before Restoring from a backup*, be sure to:
* delete the old existing AWX CR
* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-15-<deployment-name>-postgres-15-0`
**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.

4
docs/user-guide/advanced-configuration/adding-execution-nodes.md Normal file
View File

@@ -0,0 +1,4 @@
### Adding Execution Nodes
Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
See [Managing Capacity With Instances](https://ansible.readthedocs.io/projects/awx/en/latest/administration/instances.html) chapter of the AWX Administration Guide for information about this feature.

38
docs/user-guide/advanced-configuration/assigning-awx-pods-to-specific-nodes.md
View File

@@ -9,25 +9,25 @@ If you want to use affinity rules for your AWX pod you can use the `affinity` op
If you want to constrain the web and task pods individually, you can do so by specificying the deployment type before the specific setting. For
example, specifying `task_tolerations` will allow the AWX task pod to be scheduled onto nodes with matching taints.
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | ------- |
| postgres_image | Path of the image to pull | postgres |
| postgres_image_version | Image version to pull | 13 |
| node_selector | AWX pods' nodeSelector | '' |
| web_node_selector | AWX web pods' nodeSelector | '' |
| task_node_selector | AWX task pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| web_topology_spread_constraints | AWX web pods' topologySpreadConstraints | '' |
| task_topology_spread_constraints | AWX task pods' topologySpreadConstraints | '' |
| affinity | AWX pods' affinity rules | '' |
| web_affinity | AWX web pods' affinity rules | '' |
| task_affinity | AWX task pods' affinity rules | '' |
| tolerations | AWX pods' tolerations | '' |
| web_tolerations | AWX web pods' tolerations | '' |
| task_tolerations | AWX task pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
| Name | Description | Default |
| -------------------------------- | ---------------------------------------- | -------------------------------- |
| postgres_image | Path of the image to pull | quay.io/sclorg/postgresql-15-c9s |
| postgres_image_version | Image version to pull | latest |
| node_selector | AWX pods' nodeSelector | '' |
| web_node_selector | AWX web pods' nodeSelector | '' |
| task_node_selector | AWX task pods' nodeSelector | '' |
| topology_spread_constraints | AWX pods' topologySpreadConstraints | '' |
| web_topology_spread_constraints | AWX web pods' topologySpreadConstraints | '' |
| task_topology_spread_constraints | AWX task pods' topologySpreadConstraints | '' |
| affinity | AWX pods' affinity rules | '' |
| web_affinity | AWX web pods' affinity rules | '' |
| task_affinity | AWX task pods' affinity rules | '' |
| tolerations | AWX pods' tolerations | '' |
| web_tolerations | AWX web pods' tolerations | '' |
| task_tolerations | AWX task pods' tolerations | '' |
| annotations | AWX pods' annotations | '' |
| postgres_selector | Postgres pods' nodeSelector | '' |
| postgres_tolerations | Postgres pods' tolerations | '' |
Example of customization could be:

41
docs/user-guide/advanced-configuration/container-probes.md Normal file
View File

@@ -0,0 +1,41 @@
#### Container Probes
These parameters control the usage of liveness and readiness container probes for
the web and task containers.
#### Web / Task Container Liveness Check
The liveness probe queries the status of the supervisor daemon of the container. The probe will fail if it
detects one of the services in a state other than "RUNNING".
| Name | Description | Default |
| -------------| -----------------------------------|---------|
| web_liveness_period | Time period in seconds between each probe check. The value of 0 disables the probe. | 0 |
| web_liveness_initial_delay | Initial delay before starting probes in seconds | 5 |
| web_liveness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| web_liveness_timeout | Number of seconds to wait for a probe response from container | 1 |
| task_liveness_period | Time period in seconds between each probe check. The value of 0 disables the probe. | 0 |
| task_liveness_initial_delay | Initial delay before starting probes in seconds | 5 |
| task_liveness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| task_liveness_timeout | Number of seconds to wait for a probe response from container | 1 |
#### Web Container Readiness Check
This is an HTTP check against the status endpoint to confirm the system is still able to respond to web requests.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| web_readiness_period | Time period in seconds between each probe check. The value of 0 disables the probe. | 0 |
| web_readiness_initial_delay | Initial delay before starting probes in seconds | 5 |
| web_readiness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| web_readiness_timeout | Number of seconds to wait for a probe response from container | 1 |
#### Task Container Readiness Check
This is a command probe using the builtin check command of the awx-manage utility.
| Name | Description | Default |
| -------------| ---------------------------------- | ------- |
| task_readiness_period | Time period in seconds between each probe check. The value of 0 disables the probe. | 0 |
| task_readiness_initial_delay | Initial delay before starting probes in seconds | 5 |
| task_readiness_failure_threshold| Number of consecutive failure events to identify failure of container | 3 |
| task_readiness_timeout | Number of seconds to wait for a probe response from container | 1 |

74
docs/user-guide/advanced-configuration/containers-resource-requirements.md
View File

@@ -26,7 +26,13 @@ The resource requirements for both, the task and the web containers are configur
| -------------------------- | ------------------------------------------------ | ------------------------------------ |
| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 50m, memory: 64Mi} |
| redis_resource_requirements | Redis container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| postgres_resource_requirements | Postgres container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| rsyslog_resource_requirements | Rsyslog container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| init_container_resource_requirements | Init Container resource requirements | requests: {cpu: 100m, memory: 128Mi} |
| postgres_init_container_resource_requirements | Postgres Init Container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
Example of customization could be:
@@ -34,31 +40,63 @@ Example of customization could be:
---
spec:
...
web_resource_requirements:
requests:
cpu: 250m
memory: 2Gi
ephemeral-storage: 100M
limits:
cpu: 1000m
memory: 4Gi
ephemeral-storage: 500M
task_resource_requirements:
requests:
cpu: 250m
memory: 1Gi
cpu: 100m
memory: 128Mi
ephemeral-storage: 100M
limits:
cpu: 2000m
memory: 2Gi
memory: 4Gi
ephemeral-storage: 500M
web_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 4Gi
ee_resource_requirements:
requests:
cpu: 250m
memory: 100Mi
ephemeral-storage: 100M
cpu: 100m
memory: 64Mi
limits:
cpu: 500m
cpu: 1000m
memory: 4Gi
redis_resource_requirements:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 4Gi
rsyslog_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 2Gi
init_container_resource_requirements:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 1000m
memory: 2Gi
postgres_init_container_resource_requirements:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 1000m
memory: 2Gi
ephemeral-storage: 500M
```
#### Limits and ResourceQuotas
If the cluster you are deploying in has a ResoruceQuota, you will need to configure resource limits for all of the pods deployed in that cluster. This can be done for AWX pods on the AWX spec in the manner shown above.
There is an example you can use in [`awx_v1beta1_awx_resource_limits.yaml`](https://raw.githubusercontent.com/ansible/awx-operator/devel/config/samples/awx_v1beta1_awx_resource_limits.yaml).

24
docs/user-guide/advanced-configuration/custom-receptor-certs.md Normal file
View File

@@ -0,0 +1,24 @@
### Custom Receptor CA
The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
Given custom `ca.crt` and `ca.key` stored locally, run the following,
```bash
kubectl create secret tls awx-demo-receptor-ca \
--cert=/path/to/ca.crt --key=/path/to/ca.key
```
The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
If this secret is created after AWX is deployed, run the following to restart the deployment,
```bash
kubectl rollout restart deployment awx-demo
```
**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.

18
docs/user-guide/advanced-configuration/deploying-a-specific-version-of-awx.md
View File

@@ -2,15 +2,15 @@
There are a few variables that are customizable for awx the image management.
| Name | Description | Default |
| ------------------- | ------------------------- | -------------------------------------- |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:latest |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
| Name | Description | Default |
| ------------------- | ------------------------- | ----------------------------------------- |
| image | Path of the image to pull | quay.io/ansible/awx |
| image_version | Image version to pull | value of DEFAULT_AWX_VERSION or latest |
| image_pull_policy | The pull policy to adopt | IfNotPresent |
| image_pull_secrets | The pull secrets to use | None |
| ee_images | A list of EEs to register | quay.io/ansible/awx-ee:DEFAULT_AWX_VERSION |
| redis_image | Path of the image to pull | docker.io/redis |
| redis_image_version | Image version to pull | latest |
Example of customization could be:

27
docs/user-guide/advanced-configuration/disable-ipv6.md
View File

@@ -16,30 +16,3 @@ The following variables are customizable
spec:
ipv6_disabled: true
```
### Adding Execution Nodes
Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature.
#### Custom Receptor CA
The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
Given custom `ca.crt` and `ca.key` stored locally, run the following,
```bash
kubectl create secret tls awx-demo-receptor-ca \
--cert=/path/to/ca.crt --key=/path/to/ca.key
```
The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
If this secret is created after AWX is deployed, run the following to restart the deployment,
```bash
kubectl rollout restart deployment awx-demo
```
**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.

BIN
docs/user-guide/advanced-configuration/mesh-ingress-instance-listener-address-on-awx-ui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
docs/user-guide/advanced-configuration/mesh-ingress-instance-on-awx-ui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

224
docs/user-guide/advanced-configuration/mesh-ingress.md Normal file
View File

@@ -0,0 +1,224 @@
# Mesh Ingress
The mesh ingress allows users to peer external execution and hop nodes into the AWX control plane.
This guide focuses on how to enable and configure the mesh ingress.
For more information about remote execution and hop nodes and how to create them, refer to the [Managing Capacity With Instances](https://ansible.readthedocs.io/projects/awx/en/latest/administration/instances.html) chapter of the AWX Administration Guide.
## Prerequisites
- AWX operator version > 2.11.0
- AWX > 23.8.0
## Deploy and configure AWXMeshIngress
!!! note
The mesh ingress uses the `control_plane_ee_image` and `image_pull_policy` fields of the AWX instance to determine image and policy to be adopted.
Defaulted to `quay.io/ansible/awx-ee:latest` and `Always`.
Currently there are no dedicated parameters to specify the image and policy.
### On Red Hat OpenShift with Operator managed Route
To deploy a mesh ingress on OpenShift, create the AWXMeshIngress resource on the namespace where your AWX instance is running on.
Example:
```yaml
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: <mesh ingress name>
spec:
deployment_name: <awx instance name>
```
### On Kubernetes with Operator managed Ingress (NGINX)
To deploy a mesh ingress on Kubernetes cluster which has [NGINX Ingress Controller](https://www.nginx.com/products/nginx-ingress-controller/), create the AWXMeshIngress resource on the namespace where your AWX instance is running on.
Note that AWXMeshIngress requires [SSL Passthrough](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough) enabled which is disabled by default. Ensure it is enabled on your NGINX Ingress Controller.
By specifying `ingress_controller` as `nginx`, AWX Operator will generate Ingress resource that has `nginx.ingress.kubernetes.io/ssl-passthrough` annotation set to `"true"`.
Example:
```yaml
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: <mesh ingress name>
spec:
deployment_name: <awx instance name>
ingress_type: Ingress
ingress_controller: nginx
ingress_class_name: nginx
external_hostname: <fqdn for mesh ingress>
```
### On Kubernetes with Operator managed Ingress (Traefik)
To deploy a mesh ingress on Kubernetes cluster which has [Traefik Kubernetes Ingress provider](https://doc.traefik.io/traefik/providers/kubernetes-ingress/), create the AWXMeshIngress resource on the namespace where your AWX instance is running on.
Note that by deploying following AWXMeshIngress, AWX Operator will generate IngressRouteTCP resource that has `websecure` as an `entryPoints`. If this does not satisfy your requirement, refer to [User managed Ingress section](#on-kubernetes-with-user-managed-ingress) and create an IngressRouteTCP resource manually.
Example:
```yaml
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: <mesh ingress name>
spec:
deployment_name: <awx instance name>
ingress_type: IngressRouteTCP
ingress_controller: traefik
ingress_class_name: traefik
ingress_api_version: traefik.io/v1alpha1
external_hostname: <fqdn for mesh ingress>
```
### On Kubernetes with User managed Ingress
To deploy a mesh ingress on Kubernetes cluster, create the AWXMeshIngress resource on the namespace where your AWX instance is running on.
Alternatively, if you wish to create your own Ingress resource, you can deploy a mesh ingress with `ingress_type` set to `none` and then manually create an Ingress resource with any configuration.
In this case, the `external_hostname` is still required as it is used to generate the certificate that will be used by Receptor.
Example:
```yaml
---
apiVersion: awx.ansible.com/v1alpha1
kind: AWXMeshIngress
metadata:
name: <mesh ingress name>
spec:
deployment_name: <awx instance name>
ingress_type: none # This line can be omitted since this is the default value
external_hostname: <fqdn for mesh ingress>
```
The requirements for user managed Ingress resource are as follows:
- Supports WebSocket
- SSL/TLS Passthrough enabled
- Accessible over port `443`
- Having the same hostname as `external_hostname` in the AWXMeshIngress resource
- Routing the traffic to port `27199` of the Service of the same name as the AWXMeshIngress resource
These are example Ingress resources for NGINX and Traefik.
```yaml
# Ingress for NGINX Ingress Controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: <mesh ingress name>
annotations:
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
ingressClassName: nginx
rules:
- host: <fqdn for mesh ingress>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: <mesh ingress name>
port:
number: 27199
```
```yaml
# Ingress for Traefik Kubernetes Ingress provider
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: <mesh ingress name>
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`<fqdn for mesh ingress>`)
services:
- name: <mesh ingress name>
port: 27199
tls:
passthrough: true
```
## Validating setup of Mesh Ingress
After AWXMeshIngress has been successfully created, a new Instance with the same name will be registered to AWX and will be visible on the Instance UI page
![mesh ingress instance on AWX UI](mesh-ingress-instance-on-awx-ui.png)
The Instance should have at least 2 listener addresses.
In this example, the mesh ingress has two listener addresses:
- one for internal, that is used for peering to by all control nodes (top)
- one for external, that is exposed to a route so external execution nodes can peer into it (bottom))
![mesh ingress instance listener address on awx ui](mesh-ingress-instance-listener-address-on-awx-ui.png)
When selecting peer for new instance the mesh ingress instance should now be present as a option.
![peering to mesh ingress on awx ui](peering-to-mesh-ingress-on-awx-ui.png)
For more information about how to create external remote execution and hop nodes and configuring the mesh, see AWX Documentation on [Add a instance](https://ansible.readthedocs.io/projects/awx/en/latest/administration/instances.html#add-an-instance).
## Custom Resource Definitions
### AWXMeshIngress
AWXMeshIngress controls the deployment and configuration of mesh ingress on AWX
| Name | Description |
| ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **`apiVersion`** | awx.ansible.com/v1alpha1 |
| **`kind`** | AWXMeshIngress |
| **`metadata`** ([ObjectMeta](https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta)) | Standard object's metadata. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata) |
| **`spec`** ([AWXMeshIngressSpec](#awxmeshingressspec)) | Spec is the desired state of the AWXMeshIngress. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) |
| **`status`** ([AWXMeshIngressStatus](#awxmeshingressstatus)) | Status is the current state of the AWXMeshIngress. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) |
#### AWXMeshIngressSpec
AWXMeshIngressSpec is the description of the configuration for AWXMeshIngress.
| Name | Description | Default |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
| **`deployment_name`** (string), required | Name of the AWX deployment to create the Mesh Ingress for. | `awx` |
| **`ingress_type`** (string) | Ingress type for ingress managed by the operator. Options: `none`, `Ingress`, `IngressRouteTCP`, `Route` | `Route` (on OpenShift), `none` (on Kubernetes) |
| **`external_hostname`** (string) | External hostname is an optional field used for specifying the external hostname defined in an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). This parameter is automatically generated on OpenShift | N/A |
| **`external_ipaddress`** (string) | External IP Address is an optional field used for specifying the external IP address defined in an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) | N/A |
| **`ingress_api_version`** (string) | API Version for ingress managed by the operator. This parameter is ignored when `ingress_type` is `Route` | `networking.k8s.io/v1` |
| **`ingress_annotations`** (string) | Additional annotation on the ingress managed by the operator. This parameter is ignored when `ingress_type` is `Route` | `""` |
| **`ingress_controller`** (string) | Special configuration for specific Ingress Controllers. This parameter is ignored when `ingress_type` is `Route` | `""` |
| **`ingress_class_name`** (string) | The name of ingress class to use instead of the cluster default. see [IngressSpec](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec). This parameter is ignored when `ingress_type` is `Route` | `""` |
#### AWXMeshIngressStatus
AWXMeshIngressStatus describe the current state of the AWXMeshIngress.
### AWXMeshIngressList
AWXMeshIngressList is a collection of AWXMeshIngress.
| Name | Description |
| ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **`items`** ([AWXMeshIngress](#awxmeshingress)) | items is the list of Ingress. |
| **`apiVersion`** (string) | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources) |
| **`kind`** (string) | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds) |
| **`metadata`** ([ListMeta](https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/list-meta/#ListMeta)) | Standard object's metadata. [More info](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata) |

BIN
docs/user-guide/advanced-configuration/peering-to-mesh-ingress-on-awx-ui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 205 KiB

2
docs/user-guide/advanced-configuration/scaling-the-web-and-task-pods-independently.md
View File

@@ -5,4 +5,4 @@ You can scale replicas up or down for each deployment by using the `web_replicas
- If you specify the `replicas` field, the key passed will scale both the `web` and `task` replicas to the same number.
- If `web_replicas` or `task_replicas` is ever passed, it will override the existing `replicas` field on the specific deployment with the new key value.
These new replicas can be constrained in a similar manner to previous single deployments by appending the particular deployment name in front of the constraint used. More about those new constraints can be found below in the [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes) section.
These new replicas can be constrained in a similar manner to previous single deployments by appending the particular deployment name in front of the constraint used. More about those new constraints can be found in the [Assigning AWX pods to specific nodes](./assigning-awx-pods-to-specific-nodes.md) page.

27
docs/user-guide/advanced-configuration/security-context.md Normal file
View File

@@ -0,0 +1,27 @@
#### Service Account
It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed.
| Name | Description | Default |
| ---------------------------------- | -------------------------------------------- | ------- |
| security_context_settings | SecurityContext for Task and Web deployments | {} |
| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} |
Example configuration securityContext for the Task and Web deployments:
```yaml
spec:
security_context_settings:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
```
```yaml
spec:
postgres_security_context_settings:
runAsNonRoot: true
```

26
docs/user-guide/database-configuration.md
View File

@@ -1,10 +1,10 @@
### Database Configuration
#### Postgres Version
#### PostgreSQL Version
The default Postgres version for the version of AWX bundled with the latest version of the awx-operator is Postgres 13. You can find this default for a given version by at the default value for [_postgres_image_version](https://github.com/ansible/awx-operator/blob/devel/roles/installer/defaults/main.yml#L243).
The default PostgreSQL version for the version of AWX bundled with the latest version of the awx-operator is PostgreSQL 15. You can find this default for a given version by at the default value for [supported_pg_version](https://github.com/ansible/awx-operator/blob/ffba1b4712a0b03f1faedfa70e3a9ef0d443e4a6/roles/installer/vars/main.yml#L7).
We only have coverage for the default version of Postgres. Newer versions of Postgres (14+) will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
We only have coverage for the default version of PostgreSQL. Newer versions of PostgreSQL will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
#### External PostgreSQL Service
@@ -56,15 +56,15 @@ If you don't have access to an external PostgreSQL service, the AWX operator can
The following variables are customizable for the managed PostgreSQL service
| Name | Description | Default |
| --------------------------------------------- | --------------------------------------------- | ---------------------------------- |
| postgres_image | Path of the image to pull | postgres:12 |
| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_resource_requirements | PostgreSQL container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string |
| Name | Description | Default |
| --------------------------------------------- | --------------------------------------------- | --------------------------------------- |
| postgres_image | Path of the image to pull | quay.io/sclorg/postgresql-15-c9s:latest |
| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_resource_requirements | PostgreSQL container resource requirements | requests: {cpu: 10m, memory: 64Mi} |
| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} |
| postgres_storage_class | PostgreSQL PV storage class | Empty string |
| postgres_data_path | PostgreSQL data path | `/var/lib/postgresql/data/pgdata` |
| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string |
Example of customization could be:
@@ -90,4 +90,4 @@ spec:
- 'max_connections=1000'
```
**Note**: If `postgres_storage_class` is not defined, Postgres will store it's data on a volume using the default storage class for your cluster.
**Note**: If `postgres_storage_class` is not defined, PostgreSQL will store it's data on a volume using the default storage class for your cluster.

33
docs/user-guide/network-and-tls-configuration.md
View File

@@ -32,7 +32,8 @@ The following variables are customizable only when `service_type=LoadBalancer`
| --------------------- | ---------------------------------------- | ------- |
| loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
| loadbalancer_port | Port used for Loadbalancer ingress | 80 |
| loadbalancer_ip | Assign Loadbalancer IP | '' |
| loadbalancer_ip | Assign Loadbalancer IP | '' |
| loadbalancer_class | LoadBalancer class to use | '' |
```yaml
---
@@ -42,6 +43,7 @@ spec:
loadbalancer_ip: '192.168.10.25'
loadbalancer_protocol: https
loadbalancer_port: 443
loadbalancer_class: service.k8s.aws/nlb
service_annotations: |
environment: testing
service_labels: |
@@ -86,22 +88,26 @@ spec:
The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
| Name | Description | Default |
| ------------------- | ---------------------------------------- | --------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret | Secret that contains the TLS information | Empty string |
| ingress_class_name | Define the ingress class name | Cluster default |
| hostname | Define the FQDN | {{ meta.name }}.example.com |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
| ingress_api_version | Define the Ingress resource apiVersion | 'networking.k8s.io/v1' |
| Name | Description | Default |
| ---------------------------------- | ---------------------------------------------------------------------------------- | --------------------------- |
| ingress_annotations | Ingress annotations | Empty string |
| ingress_tls_secret _(deprecated)_ | Secret that contains the TLS information | Empty string |
| ingress_class_name | Define the ingress class name | Cluster default |
| hostname _(deprecated)_ | Define the FQDN | {{ meta.name }}.example.com |
| ingress_hosts | Define one or multiple FQDN with optional Secret that contains the TLS information | Empty string |
| ingress_path | Define the ingress path to the service | / |
| ingress_path_type | Define the type of the path (for LBs) | Prefix |
| ingress_api_version | Define the Ingress resource apiVersion | 'networking.k8s.io/v1' |
```yaml
---
spec:
...
ingress_type: ingress
hostname: awx-demo.example.com
ingress_hosts:
- hostname: awx-demo.example.com
- hostname: awx-demo.sample.com
tls_secret: sample-tls-secret
ingress_annotations: |
environment: testing
```
@@ -119,7 +125,10 @@ Some Ingress Controllers need a special configuration to fully support AWX, add
spec:
...
ingress_type: ingress
hostname: awx-demo.example.com
ingress_hosts:
- hostname: awx-demo.example.com
- hostname: awx-demo.sample.com
tls_secret: sample-tls-secret
ingress_controller: contour
```

100
hack/publish-to-operator-hub.sh Normal file → Executable file
View File

@@ -15,43 +15,42 @@
#
# Usage:
# First, check out awx-operator tag you intend to release, in this case, 1.0.0
# $ VERSION=1.1.2 PREV_VERSION=1.1.1 FORK=<your-fork> ./publish-operator.sh
# $ VERSION=1.1.2 PREV_VERSION=1.1.1 FORK=<your-fork> ./hack/publish-to-operator-hub.sh
#
# Remember to change update the VERSION and PREV_VERSION before running!!!
set -e
VERSION=${VERSION:-blah2}
PREV_VERSION=${PREV_VERSION:-blah1}
VERSION=${VERSION:-$(make print-VERSION)}
PREV_VERSION=${PREV_VERSION:-$(make print-PREV_VERSION)}
BRANCH=publish-awx-operator-$VERSION
FORK=${FORK:-fork}
FORK=${FORK:-awx-auto}
GITHUB_TOKEN=${GITHUB_TOKEN:-$AWX_AUTO_GITHUB_TOKEN}
IMG=quay.io/ansible/awx-operator:$VERSION
CATALOG_IMG=quay.io/ansible/awx-operator-catalog:$VERSION
BUNDLE_IMG=quay.io/ansible/awx-operator-bundle:$VERSION
IMG_REPOSITORY=${IMG_REPOSITORY:-quay.io/ansible}
# Set path variables
OPERATOR_PATH=${OPERATOR_PATH:-~/awx-operator}
OPERATOR_IMG=$IMG_REPOSITORY/awx-operator:$VERSION
CATALOG_IMG=$IMG_REPOSITORY/awx-operator-catalog:$VERSION
BUNDLE_IMG=$IMG_REPOSITORY/awx-operator-bundle:$VERSION
# Build & Push Operator Image # Not needed because it is done as part of the GHA release automation
# make docker-build docker-push IMG=$IMG
COMMUNITY_OPERATOR_GITHUB_ORG=${COMMUNITY_OPERATOR_GITHUB_ORG:-k8s-operatorhub}
COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${COMMUNITY_OPERATOR_PROD_GITHUB_ORG:-redhat-openshift-ecosystem}
# Build bundle directory
rm -rf bundle/
make bundle IMG=$IMG
make bundle IMG=$OPERATOR_IMG
# Build bundle and catalog images
make bundle-build bundle-push BUNDLE_IMG=$BUNDLE_IMG IMG=$IMG
make catalog-build catalog-push CATALOG_IMG=$CATALOG_IMG BUNDLE_IMGS=$BUNDLE_IMG BUNDLE_IMG=$BUNDLE_IMG IMG=$IMG
make bundle-build bundle-push BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG
make catalog-build catalog-push CATALOG_IMG=$CATALOG_IMG BUNDLE_IMGS=$BUNDLE_IMG BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG
# Set containerImage & namespace variables in CSV
sed -i -e "s|containerImage: quay.io/ansible/awx-operator:devel|containerImage: quay.io/ansible/awx-operator:${VERSION}|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
sed -i -e "s|namespace: placeholder|namespace: awx|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
sed -i.bak -e "s|containerImage: quay.io/ansible/awx-operator:devel|containerImage: ${OPERATOR_IMG}|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
sed -i.bak -e "s|namespace: placeholder|namespace: awx|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
# Add replaces to dependency graph for upgrade path
if ! grep -qF 'replaces: awx-operator.v${PREV_VERSION}' bundle/manifests/awx-operator.clusterserviceversion.yaml; then
sed -i -e "/version: ${VERSION}/a \\
sed -i.bak -e "/version: ${VERSION}/a \\
replaces: awx-operator.v$PREV_VERSION" bundle/manifests/awx-operator.clusterserviceversion.yaml
fi
@@ -60,21 +59,20 @@ mv bundle/manifests/awx-operator.clusterserviceversion.yaml bundle/manifests/awx
# Set Openshift Support Range (bump minKubeVersion in CSV when changing)
if ! grep -qF 'openshift.versions' bundle/metadata/annotations.yaml; then
sed -i -e "/annotations:/a \\
com.redhat.openshift.versions: v4.10-v4.13\n" bundle/metadata/annotations.yaml
sed -i.bak -e "/annotations:/a \\
com.redhat.openshift.versions: v4.11" bundle/metadata/annotations.yaml
fi
# -- Put up community-operators PR
cd $OPERATOR_PATH
git clone git@github.com:k8s-operatorhub/community-operators.git
# Remove .bak files from bundle result from sed commands
find bundle -name "*.bak" -type f -delete
echo "-- Create branch on community-operators fork --"
git clone https://github.com/$COMMUNITY_OPERATOR_GITHUB_ORG/community-operators.git
mkdir -p community-operators/operators/awx-operator/$VERSION/
cp -r bundle/* community-operators/operators/awx-operator/$VERSION/
cd community-operators/operators/awx-operator/$VERSION/
pwd
ls -la
pushd community-operators/operators/awx-operator/$VERSION/
# Commit and push PR
git checkout -b $BRANCH
git add ./
git status
@@ -83,26 +81,26 @@ message='operator [N] [CI] awx-operator'
commitMessage="${message} ${VERSION}"
git commit -m "$commitMessage" -s
git remote add upstream git@github.com:$FORK/community-operators.git
git remote add upstream https://$GITHUB_TOKEN@github.com/$FORK/community-operators.git
git push upstream --delete $BRANCH || true
git push upstream $BRANCH
gh pr create \
--title "operator awx-operator (${VERSION})" \
--body "operator awx-operator (${VERSION})" \
--base main \
--head $FORK:$BRANCH \
--repo $COMMUNITY_OPERATOR_GITHUB_ORG/community-operators
popd
# -- Put up community-operators-prod PR
# Reset directory
cd $OPERATOR_PATH
pwd
git clone git@github.com:redhat-openshift-ecosystem/community-operators-prod.git
echo "-- Create branch on community-operators-prod fork --"
git clone https://github.com/$COMMUNITY_OPERATOR_PROD_GITHUB_ORG/community-operators-prod.git
mkdir -p community-operators-prod/operators/awx-operator/$VERSION/
cp -r bundle/* community-operators-prod/operators/awx-operator/$VERSION/
cd community-operators-prod/operators/awx-operator/$VERSION/
pushd community-operators-prod/operators/awx-operator/$VERSION/
pwd
ls -la
# Commit and push PR
git checkout -b $BRANCH
git add ./
git status
@@ -111,15 +109,15 @@ message='operator [N] [CI] awx-operator'
commitMessage="${message} ${VERSION}"
git commit -m "$commitMessage" -s
git remote add upstream git@github.com:$FORK/community-operators-prod.git
git remote add upstream https://$GITHUB_TOKEN@github.com/$FORK/community-operators-prod.git
git push upstream --delete $BRANCH || true
git push upstream $BRANCH
# -- Print Links to Branches
echo "Commnity Operators: https://github.com/$FORK/community-operators/pull/new/$BRANCH"
echo "Commnity Operators Prod: https://github.com/$FORK/community-operators-prod/pull/new/$BRANCH"
# -- Cleanup
rm -rf $OPERATOR_PATH/community-operators
rm -rf $OPERATOR_PATH/community-operators-prod
gh pr create \
--title "operator awx-operator (${VERSION})" \
--body "operator awx-operator (${VERSION})" \
--base main \
--head $FORK:$BRANCH \
--repo $COMMUNITY_OPERATOR_PROD_GITHUB_ORG/community-operators-prod
popd

9
mkdocs.yml
View File

@@ -18,6 +18,9 @@ theme:
- navigation.indexes
- navigation.tracking
- toc.integrate
- search.highlight
- search.share
- search.suggest
palette:
- media: "(prefers-color-scheme: light)"
primary: teal
@@ -63,9 +66,11 @@ nav:
- user-guide/advanced-configuration/privileged-tasks.md
- user-guide/advanced-configuration/containers-resource-requirements.md
- user-guide/advanced-configuration/priority-classes.md
- user-guide/advanced-configuration/adding-execution-nodes.md
- user-guide/advanced-configuration/scaling-the-web-and-task-pods-independently.md
- user-guide/advanced-configuration/assigning-awx-pods-to-specific-nodes.md
- user-guide/advanced-configuration/trusting-a-custom-certificate-authority.md
- user-guide/advanced-configuration/custom-receptor-certs.md
- user-guide/advanced-configuration/enabling-ldap-integration-at-awx-bootstrap.md
- user-guide/advanced-configuration/persisting-projects-directory.md
- user-guide/advanced-configuration/custom-volume-and-volume-mount-options.md
@@ -80,6 +85,7 @@ nav:
- user-guide/advanced-configuration/labeling-operator-managed-objects.md
- user-guide/advanced-configuration/pods-termination-grace-period.md
- user-guide/advanced-configuration/disable-ipv6.md
- user-guide/advanced-configuration/mesh-ingress.md
- Troubleshooting:
- troubleshooting/debugging.md
@@ -89,7 +95,8 @@ exclude_docs:
plugins:
- autorefs
- markdown-exec
- search
- material/search:
separator: '[\s\-,:!=\[\]()"`/]+|\.(?!\d)|&[lg]t;|(?!\b)(?=[A-Z][a-z])'
- mkdocstrings:
handlers:
python:

19
molecule/default/tasks/awxmeshingress_test.yml Normal file
View File

@@ -0,0 +1,19 @@
# TODO: Add tests for AWXMeshIngress
# ---
# - name: Create the awx.ansible.com/v1alpha1.AWXMeshIngress
# k8s:
# state: present
# namespace: '{{ namespace }}'
# definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
# wait: yes
# wait_timeout: 300
# wait_condition:
# type: Successful
# status: "True"
# vars:
# cr_file: 'awx_v1alpha1_awxmeshingress.yaml'
# - name: Add assertions here
# assert:
# that: false
# fail_msg: FIXME Add real assertions for your operator

2
requirements.yml
View File

@@ -3,4 +3,4 @@ collections:
- name: kubernetes.core
version: '>=2.3.2'
- name: operator_sdk.util
version: "0.4.0"
version: "0.5.0"

24
roles/backup/tasks/dump_ingress_tls_secrets.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Get secret
k8s_info:
version: v1
kind: Secret
namespace: '{{ ansible_operator_meta.namespace }}'
name: "{{ item }}"
register: _secret
no_log: "{{ no_log }}"
- name: Backup secret if exists
block:
- name: Set secret key
set_fact:
_data: "{{ _secret['resources'][0]['data'] }}"
_type: "{{ _secret['resources'][0]['type'] }}"
no_log: "{{ no_log }}"
- name: Create and Add secret names and data to dictionary
set_fact:
secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
no_log: "{{ no_log }}"
when: _secret | length

31
roles/backup/tasks/postgres.yml
View File

@@ -70,16 +70,9 @@
command: >-
touch {{ backup_dir }}/tower.db
- name: Set permissions on file for database dump
k8s_exec:
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: >-
bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # yamllint disable-line rule:line-length
resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc", awx_postgres_host) }}' # yamllint disable-line rule:line-length
no_log: "{{ no_log }}"
- name: Get the current resource task pod information.
@@ -88,7 +81,7 @@
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
label_selectors:
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-task"
- "app.kubernetes.io/name={{ deployment_name }}-task"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
- "app.kubernetes.io/component={{ deployment_type }}"
field_selectors:
@@ -134,11 +127,27 @@
namespace: "{{ backup_pvc_namespace }}"
pod: "{{ ansible_operator_meta.name }}-db-management"
command: |
bash -c """
bash -c "
function end_keepalive {
rc=$?
rm -f \"$1\"
kill $(cat /proc/$2/task/$2/children 2>/dev/null) 2>/dev/null || true
wait $2 || true
exit $rc
}
keepalive_file=\"$(mktemp)\"
while [[ -f \"$keepalive_file\" ]]; do
echo 'Dumping data from database...'
sleep 60
done &
keepalive_pid=$!
trap 'end_keepalive \"$keepalive_file\" \"$keepalive_pid\"' EXIT SIGINT SIGTERM
echo keepalive_pid: $keepalive_pid
set -e -o pipefail
PGPASSWORD='{{ awx_postgres_pass }}' {{ pgdump }} > {{ backup_dir }}/tower.db
set +e +o pipefail
echo 'Successful'
"""
"
register: data_migration
no_log: "{{ no_log }}"
failed_when: "'Successful' not in data_migration.stdout"

7
roles/backup/tasks/secrets.yml
View File

@@ -12,11 +12,18 @@
include_tasks: dump_secret.yml
loop:
- route_tls_secret
# ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
- ingress_tls_secret
- ldap_cacert_secret
- bundle_cacert_secret
- ee_pull_credentials_secret
- name: Dump ingress tls secret names from awx spec and data into file
include_tasks: dump_ingress_tls_secrets.yml
with_items:
- "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list }}"
when: awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length
- name: Dump receptor secret names and data into file
include_tasks: dump_receptor_secrets.yml
loop:

6
roles/backup/vars/main.yml
View File

@@ -1,8 +1,8 @@
---
deployment_type: "awx"
_postgres_image: postgres
_postgres_image_version: 13
_postgres_image: quay.io/sclorg/postgresql-15-c9s
_postgres_image_version: latest
backup_complete: false
database_type: "unmanaged"
supported_pg_version: 13
supported_pg_version: 15
image_pull_policy: IfNotPresent

33
roles/installer/defaults/main.yml
View File

@@ -40,8 +40,19 @@ ingress_tls_secret: ''
# ingress_controller: contour
ingress_controller: ''
# One or multiple FQDN with optional Secret that contains the TLS information.
# The TLS secret either has to exist before hand with
# the corresponding cert and key or just be an indicator for where an automated
# process like cert-manager (enabled via annotations) will store the TLS
# certificate and key.
# ingress_hosts:
# - hostname: awx-demo.example.com
# tls_secret: example-com-tls
ingress_hosts: ''
loadbalancer_protocol: 'http'
loadbalancer_port: '80'
loadbalancer_class: ''
service_annotations: ''
# Port to be used for NodePort configuration, default is to auto-assign a port between 30000-32768
@@ -233,14 +244,20 @@ ee_pull_credentials_secret: ''
# emptyDir: {}
extra_volumes: ''
# Add extra volumes to the Postgres pod. Specify as literal block. E.g.:
# postgres_extra_volumes: |
# - name: my-volume
# emptyDir: {}
postgres_extra_volumes: ''
# Use these image versions for Ansible AWX.
_image: quay.io/ansible/awx
_image_version: "{{ lookup('env', 'DEFAULT_AWX_VERSION') or 'latest' }}"
_redis_image: docker.io/redis
_redis_image_version: 7
_postgres_image: postgres
_postgres_image_version: 13
_postgres_image: quay.io/sclorg/postgresql-15-c9s
_postgres_image_version: latest
image_pull_policy: IfNotPresent
image_pull_secrets: []
@@ -261,10 +278,12 @@ init_container_extra_commands: ''
init_container_extra_volume_mounts: ''
ee_images:
- name: AWX EE (latest)
image: quay.io/ansible/awx-ee:latest
- name: "AWX EE (latest)"
image: "quay.io/ansible/awx-ee:latest"
- name: "AWX EE ({{ _image_version }})"
image: "quay.io/ansible/awx-ee:{{ _image_version }}"
_control_plane_ee_image: quay.io/ansible/awx-ee:latest
_control_plane_ee_image: "quay.io/ansible/awx-ee:{{ _image_version }}"
_init_container_image: "{{ _control_plane_ee_image.split(':')[0] }}"
_init_container_image_version: "{{ _control_plane_ee_image.split(':')[1] }}"
@@ -340,13 +359,14 @@ ee_extra_env: ''
# Mount extra volumes on the AWX task/web containers. Specify as literal block.
# E.g.:
# task_extra_volume_mounts: ''
# task_extra_volume_mounts: |
# - name: my-volume
# mountPath: /some/path
task_extra_volume_mounts: ''
web_extra_volume_mounts: ''
rsyslog_extra_volume_mounts: ''
ee_extra_volume_mounts: ''
postgres_extra_volume_mounts: ''
# Add a nodeSelector for the Postgres pods.
# It must match a node's labels for the pod to be scheduled on that node.
@@ -424,6 +444,7 @@ garbage_collect_secrets: false
development_mode: false
security_context_settings: {}
postgres_security_context_settings: {}
# Set no_log settings on certain tasks
no_log: true

56
roles/installer/tasks/database_configuration.yml
View File

@@ -106,14 +106,38 @@
set_fact:
managed_database: "{{ pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed' }}"
- name: Get the old postgres pod information
# It is possible that N-2 postgres pods may still be present in the namespace from previous upgrades.
# So we have to take that into account and preferentially set the most recent one.
- name: Get the old postgres pod (N-1)
k8s_info:
kind: Pod
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}-postgres-0"
field_selectors:
- status.phase=Running
register: old_postgres_pod
register: _running_pods
- block:
- name: Filter pods by name
set_fact:
filtered_old_postgres_pods: "{{ _running_pods.resources |
selectattr('metadata.name', 'match', ansible_operator_meta.name + '-postgres.*-0') |
rejectattr('metadata.name', 'search', '-' + supported_pg_version | string + '-0') |
list }}"
# Sort pods by name in reverse order (most recent PG version first) and set
- name: Set info for previous postgres pod
set_fact:
sorted_old_postgres_pods: "{{ filtered_old_postgres_pods |
sort(attribute='metadata.name') |
reverse }}"
when: filtered_old_postgres_pods | length
- name: Set info for previous postgres pod
set_fact:
old_postgres_pod: "{{ sorted_old_postgres_pods | first }}"
when: filtered_old_postgres_pods | length
when: _running_pods.resources | length
- name: Look up details for this deployment
k8s_info:
@@ -123,7 +147,14 @@
namespace: "{{ ansible_operator_meta.namespace }}"
register: this_awx
- name: Check if postgres pod is running and version 12
# If this deployment has been upgraded before or if upgrade has already been started, set this var
- name: Set previous PG version var
set_fact:
_previous_upgraded_pg_version: "{{ this_awx['resources'][0]['status']['upgradedPostgresVersion'] | default(false) }}"
when:
- "'upgradedPostgresVersion' in this_awx['resources'][0]['status']"
- name: Check if postgres pod is running an older version
block:
- name: Set path to PG_VERSION file for given container image
set_fact:
@@ -132,21 +163,24 @@
- name: Get old PostgreSQL version
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ ansible_operator_meta.name }}-postgres-0"
pod: "{{ old_postgres_pod['metadata']['name'] }}"
command: |
bash -c """
cat {{ path_to_pg_version }}
"""
register: _old_pg_version
- name: Upgrade data dir from Postgres 12 to 13 if applicable
- debug:
msg: "--- Upgrading from {{ old_postgres_pod['metadata']['name'] | default('NONE')}} Pod ---"
- name: Upgrade data dir from old Postgres to {{ supported_pg_version }} if applicable
include_tasks: upgrade_postgres.yml
when:
- _old_pg_version.stdout | default('0') | trim == '12'
- (_old_pg_version.stdout | default(0) | int ) < supported_pg_version
when:
- managed_database
- this_awx['resources'][0]['status']['upgradedPostgresVersion'] | default('none') != '12'
- old_postgres_pod['resources'] | length # upgrade is complete and old pg pod has been removed
- (_previous_upgraded_pg_version | default(false)) | ternary(_previous_upgraded_pg_version | int < supported_pg_version, true)
- old_postgres_pod | length # If empty, then old pg pod has been removed and we can assume the upgrade is complete
- block:
- name: Create Database if no database is specified
@@ -167,7 +201,7 @@
kubernetes.core.k8s_scale:
api_version: apps/v1
kind: StatefulSet
name: "{{ ansible_operator_meta.name }}-postgres-13"
name: "{{ ansible_operator_meta.name }}-postgres-{{ supported_pg_version }}"
namespace: "{{ ansible_operator_meta.namespace }}"
replicas: 0
wait: yes
@@ -177,7 +211,7 @@
state: absent
api_version: apps/v1
kind: StatefulSet
name: "{{ ansible_operator_meta.name }}-postgres-13"
name: "{{ ansible_operator_meta.name }}-postgres-{{ supported_pg_version }}"
namespace: "{{ ansible_operator_meta.namespace }}"
wait: yes
when: create_statefulset_result.error == 422

32
roles/installer/tasks/initialize_django.yml
View File

@@ -2,8 +2,8 @@
- name: Check if there are any super users defined.
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "echo 'from django.contrib.auth.models import User;
nsu = User.objects.filter(is_superuser=True, username=\"{{ admin_user }}\").count();
@@ -16,8 +16,8 @@
- name: Create super user via Django if it doesn't exist.
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: awx-manage createsuperuser --username={{ admin_user | quote }} --email={{ admin_email | quote }} --noinput
register: result
changed_when: "'That username is already taken' not in result.stderr"
@@ -28,8 +28,8 @@
- name: Update Django super user password
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: awx-manage update_password --username='{{ admin_user }}' --password='{{ admin_password }}'
register: result
changed_when: "'Password updated' in result.stdout"
@@ -39,8 +39,8 @@
- name: Check if legacy queue is present
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage list_instances | grep '^\[tower capacity=[0-9]*\]'"
register: legacy_queue
@@ -50,8 +50,8 @@
- name: Unregister legacy queue
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage unregister_queue --queuename=tower"
when: "'[tower capacity=' in legacy_queue.stdout"
@@ -74,8 +74,8 @@
- name: Register default execution environments (without authentication)
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage register_default_execution_environments"
register: ree
@@ -95,8 +95,8 @@
- name: Register default execution environments (with authentication)
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage register_default_execution_environments
--registry-username='{{ default_execution_environment_pull_credentials_user }}'
@@ -111,8 +111,8 @@
- name: Create preload data if necessary. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage create_preload_data"
register: cdo

44
roles/installer/tasks/install.yml
View File

@@ -2,7 +2,7 @@
- name: Delete old deployment for before installing during upgrade
k8s:
kind: Deployment
api_version: v1
api_version: apps/v1
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}"
state: absent
@@ -77,36 +77,30 @@
- ingress_type | lower == 'route'
- route_tls_secret != ''
- name: Wait for {{ deployment_type }}restore to complete
kubernetes.core.k8s_info:
api_version: "{{ api_version }}"
kind: "{{ deployment_type }}restore"
namespace: "{{ ansible_operator_meta.namespace }}"
register: restore_status_check
until:
# yamllint disable-line rule:line-length
- (restore_status_check.resources | length == 0) or (restore_status_check.resources | selectattr('spec.deployment_name', 'equalto', ansible_operator_meta.name) | map(attribute='status') | selectattr('restoreComplete', 'defined') | map(attribute='restoreComplete') | list | length > 0)
delay: 10
retries: 8640
ignore_errors: yes
changed_when: false
- name: Include resources configuration tasks
include_tasks: resources_configuration.yml
- name: Check for pending migrations
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
when: awx_task_pod_name != ''
register: database_check
- name: Migrate the database if the K8s resources were updated. # noqa 305
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
command: >-
bash -c "awx-manage migrate --noinput"
register: migrate_result
when:
- awx_task_pod_name != ''
- database_check is defined
- (database_check.stdout|trim) != '0'
- name: Migrate database to the latest schema
include_tasks: migrate_schema.yml
when: awx_web_pod_name != ''
- name: Initialize Django
include_tasks: initialize_django.yml
when: awx_task_pod_name != ''
when: awx_web_pod_name != ''
- name: Update status variables
include_tasks: update_status.yml

4
roles/installer/tasks/main.yml
View File

@@ -9,7 +9,7 @@
- name: Check for presence of awx-task Deployment
k8s_info:
api_version: v1
api_version: apps/v1
kind: Deployment
name: "{{ ansible_operator_meta.name }}-task"
namespace: "{{ ansible_operator_meta.namespace }}"
@@ -17,7 +17,7 @@
- name: Check for presence of awx-web Deployment
k8s_info:
api_version: v1
api_version: apps/v1
kind: Deployment
name: "{{ ansible_operator_meta.name }}-web"
namespace: "{{ ansible_operator_meta.namespace }}"

57
roles/installer/tasks/migrate_schema.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Check for pending migrations
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage showmigrations | grep -v '[X]' | grep '[ ]' | wc -l"
changed_when: false
when: awx_web_pod_name != ''
register: database_check
- block:
- name: Get version of controller for tracking
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage --version"
changed_when: false
register: version_check
- name: Sanitize instance version
set_fact:
version: "{{ version_check.stdout.split('+')[0] | trim }}"
# It is possible to do a wait on this task to create the job and wait
# until it completes. Unfortunately, if the job doesn't wait finish within
# the timeout period that is considered an error. We only want this to
# error if there is an issue with creating the job.
- name: Create kubernetes job to perform the migration
k8s:
apply: yes
definition: "{{ lookup('template', 'jobs/migration.yaml.j2') }}"
register: migrate_result
# This task is really only necessary for new installations. We need to
# ensure the database has a schema loaded before continuing with the
# initialization of admin user, etc.
- name: Watch for the migration job to finish
k8s_info:
kind: Job
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}-migration-{{ version }}"
register: result
until:
- result.resources[0].status.succeeded is defined
- result.resources[0].status.succeeded == 1
retries: 180
delay: 5
ignore_errors: true
when:
- database_check is defined
- (database_check.stdout|trim) != '0'

26
roles/installer/tasks/resources_configuration.yml
View File

@@ -1,28 +1,28 @@
---
- name: Get the current resource task pod information.
- name: Get the current resource web pod information.
k8s_info:
api_version: v1
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
label_selectors:
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-task"
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-web"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
- "app.kubernetes.io/component={{ deployment_type }}"
field_selectors:
- status.phase=Running
register: awx_task_pod
register: awx_web_pod
- name: Set the resource pod as a variable.
set_fact:
awx_task_pod: >-
{{ awx_task_pod['resources']
awx_web_pod: >-
{{ awx_web_pod['resources']
| rejectattr('metadata.deletionTimestamp', 'defined')
| sort(attribute='metadata.creationTimestamp')
| first | default({}) }}
- name: Set the resource pod name as a variable.
set_fact:
awx_task_pod_name: "{{ awx_task_pod['metadata']['name'] | default('') }}"
awx_web_pod_name: "{{ awx_web_pod['metadata']['name'] | default('') }}"
- name: Set user provided control plane ee image
set_fact:
@@ -249,11 +249,9 @@
k8s:
apply: yes
definition: "{{ lookup('template', 'deployments/{{ item }}.yaml.j2') }}"
wait: yes
wait_timeout: "{{ (120 * replicas) or 120 }}"
loop:
- task
- web
- task
register: this_deployment_result
- block:
@@ -262,7 +260,7 @@
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
label_selectors:
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-task"
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-web"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
- "app.kubernetes.io/component={{ deployment_type }}"
field_selectors:
@@ -271,7 +269,7 @@
- name: Update new resource pod as a variable.
set_fact:
awx_task_pod: >-
awx_web_pod: >-
{{ _new_pod['resources']
| rejectattr('metadata.deletionTimestamp', 'defined')
| sort(attribute='metadata.creationTimestamp')
@@ -279,13 +277,13 @@
- name: Update new resource pod name as a variable.
set_fact:
awx_task_pod_name: '{{ awx_task_pod["metadata"]["name"] | default("")}}'
awx_web_pod_name: '{{ awx_web_pod["metadata"]["name"] | default("")}}'
when:
- this_deployment_result.changed
- name: Verify the resource pod name is populated.
assert:
that:
- awx_task_pod_name != ''
- awx_web_pod_name != ''
fail_msg: "Could not find the tower pod's name."
when: task_replicas | int > 0 or (task_replicas == '' and replicas > 0)
when: web_replicas | int > 0 or (web_replicas == '' and replicas > 0)

4
roles/installer/tasks/set_images.yml
View File

@@ -8,8 +8,8 @@
set_fact:
_custom_init_container_image: "{{ init_container_image }}:{{ init_container_image_version }}"
when:
- init_container_image | default([]) | length
- init_container_image_version is defined or init_container_image_version != ''
- init_container_image | default('_undefined',true) != '_undefined'
- init_container_image_version | default('_undefined',true) != '_undefined'
- name: Set Init image URL
set_fact:

8
roles/installer/tasks/update_status.yml
View File

@@ -47,13 +47,13 @@
- name: Retrieve instance version
k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ ansible_operator_meta.name }}-task"
pod: "{{ awx_web_pod_name }}"
container: "{{ ansible_operator_meta.name }}-web"
command: >-
bash -c "awx-manage --version"
register: instance_version
changed_when: false
when: awx_task_pod_name != ''
when: awx_web_pod_name != ''
- name: Update version status
operator_sdk.util.k8s_status:
@@ -111,5 +111,5 @@
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
status:
upgradedPostgresVersion: "{{ upgraded_postgres_version }}"
upgradedPostgresVersion: "{{ upgraded_postgres_version | string }}"
when: upgraded_postgres_version is defined

42
roles/installer/tasks/upgrade_postgres.yml
View File

@@ -1,9 +1,9 @@
---
# Upgrade Posgres (Managed Databases only)
# * If postgres version is not 12, and not an external postgres instance (when managed_database is yes),
# * If postgres version is not supported_pg_version, and not an external postgres instance (when managed_database is yes),
# then run this playbook with include_tasks from database_configuration.yml
# * Data will be streamed via a pg_dump from the postgres 12 pod to the postgres 13
# * Data will be streamed via a pg_dump from the postgres 12/13 pod to the postgres supported_pg_version
# pod via a pg_restore.
@@ -62,9 +62,19 @@
set_fact:
postgres_pod_name: "{{ postgres_pod['resources'][0]['metadata']['name'] }}"
- name: Get the name of the service for the old postgres pod
k8s_info:
kind: Service
namespace: "{{ ansible_operator_meta.namespace }}"
label_selectors:
- "app.kubernetes.io/component=database"
- "app.kubernetes.io/instance={{ old_postgres_pod.metadata.labels['app.kubernetes.io/instance'] }}"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
register: old_postgres_svc
- name: Set full resolvable host name for postgres pod
set_fact:
resolvable_db_host: "{{ ansible_operator_meta.name }}-postgres.{{ ansible_operator_meta.namespace }}.svc" # yamllint disable-line rule:line-length
resolvable_db_host: "{{ old_postgres_svc['resources'][0]['metadata']['name'] }}.{{ ansible_operator_meta.namespace }}.svc" # yamllint disable-line rule:line-length
no_log: "{{ no_log }}"
- name: Set pg_dump command
@@ -101,7 +111,7 @@
}
keepalive_file=\"$(mktemp)\"
while [[ -f \"$keepalive_file\" ]]; do
echo 'Migrating data to new PostgreSQL {{ supported_postgres_version }} Database...'
echo 'Migrating data to new PostgreSQL {{ supported_pg_version }} Database...'
sleep 60
done &
keepalive_pid=$!
@@ -118,31 +128,41 @@
- name: Set flag signifying that this instance has been migrated
set_fact:
upgraded_postgres_version: '13'
upgraded_postgres_version: '{{ supported_pg_version }}'
# Cleanup old Postgres resources
- name: Remove old Postgres StatefulSet
# Cleanup old PostgreSQL resources
- name: Remove old PostgreSQL StatefulSet
k8s:
kind: StatefulSet
api_version: v1
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}-postgres"
name: "{{ item }}"
state: absent
wait: true
loop:
- "{{ ansible_operator_meta.name }}-postgres"
- "{{ ansible_operator_meta.name }}-postgres-13"
- name: Remove old Postgres Service
- name: Remove old PostgreSQL Service
k8s:
kind: Service
api_version: v1
namespace: "{{ ansible_operator_meta.namespace }}"
name: "{{ ansible_operator_meta.name }}-postgres"
name: "{{ item }}"
state: absent
loop:
- "{{ ansible_operator_meta.name }}-postgres"
- "{{ ansible_operator_meta.name }}-postgres-13"
- name: Remove old persistent volume claim
k8s:
kind: PersistentVolumeClaim
api_version: v1
namespace: "{{ ansible_operator_meta.namespace }}"
name: "postgres-{{ ansible_operator_meta.name }}-postgres-0"
name: "{{ item }}"
state: absent
loop:
- "postgres-{{ ansible_operator_meta.name }}-postgres-0"
- "postgres-{{ ansible_operator_meta.name }}-postgres-13-0"
- "postgres-13-{{ ansible_operator_meta.name }}-postgres-13-0"
when: postgres_keep_pvc_after_upgrade

5
roles/installer/templates/configmaps/config.yaml.j2
View File

@@ -54,9 +54,6 @@ data:
INTERNAL_API_URL = 'http://127.0.0.1:8052'
# Sets Ansible Collection path
AWX_ANSIBLE_COLLECTIONS_PATHS = '/var/lib/awx/vendor/awx_ansible_collections'
# Container environments don't like chroots
AWX_PROOT_ENABLED = False
@@ -191,7 +188,7 @@ data:
alias /var/lib/awx/public/static/media/favicon.ico;
}
location {{ (ingress_path + '/websocket').replace('//', '/') }} {
location ~ ^({{ (ingress_path + '/websocket/').replace('//', '/') }}|{{ (ingress_path + '/api/websocket/').replace('//', '/') }}) {
# Pass request to the upstream alias
proxy_pass http://daphne;
# Require http version 1.1 to allow for upgrade requests

67
roles/installer/templates/deployments/task.yaml.j2
View File

@@ -74,7 +74,32 @@ spec:
priorityClassName: '{{ control_plane_priority_class }}'
{% endif %}
initContainers:
- name: init
- name: init-database
image: '{{ _image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
command:
- /bin/sh
- -c
- wait-for-migrations
volumeMounts:
- name: {{ ansible_operator_meta.name }}-application-credentials
mountPath: "/etc/tower/conf.d/credentials.py"
subPath: credentials.py
readOnly: true
- name: "{{ secret_key_secret_name }}"
mountPath: /etc/tower/SECRET_KEY
subPath: SECRET_KEY
readOnly: true
- name: {{ ansible_operator_meta.name }}-settings
mountPath: "/etc/tower/settings.py"
subPath: settings.py
readOnly: true
{% if development_mode | bool %}
- name: awx-devel
mountPath: "/awx_devel"
{% endif %}
- name: init-receptor
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
@@ -83,8 +108,20 @@ spec:
- -c
- |
hostname=$MY_POD_NAME
receptor --cert-makereq bits=2048 commonname=$hostname dnsname=$hostname nodeid=$hostname outreq=/etc/receptor/tls/receptor.req outkey=/etc/receptor/tls/receptor.key
receptor --cert-signreq req=/etc/receptor/tls/receptor.req cacert=/etc/receptor/tls/ca/mesh-CA.crt cakey=/etc/receptor/tls/ca/mesh-CA.key outcert=/etc/receptor/tls/receptor.crt verify=yes
receptor --cert-makereq \
bits=2048 \
commonname=$hostname \
dnsname=$hostname \
nodeid=$hostname \
outreq=/etc/receptor/tls/receptor.req \
outkey=/etc/receptor/tls/receptor.key
receptor --cert-signreq \
req=/etc/receptor/tls/receptor.req \
cacert=/etc/receptor/tls/ca/mesh-CA.crt \
cakey=/etc/receptor/tls/ca/mesh-CA.key \
outcert=/etc/receptor/tls/receptor.crt \
notafter=$(date --iso-8601=seconds --utc --date "10 years") \
verify=yes
{% if bundle_ca_crt %}
mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
update-ca-trust
@@ -188,6 +225,30 @@ spec:
{% endif %}
{% if task_args %}
args: {{ task_args }}
{% endif %}
{% if task_liveness_period|int > 0 %}
livenessProbe:
exec:
command:
- sh
- -c
- |
(exit $(/usr/bin/supervisorctl -c /etc/supervisord_task.conf status | grep -vc RUNNING))
initialDelaySeconds: {{ task_liveness_initial_delay }}
periodSeconds: {{ task_liveness_period }}
failureThreshold: {{ task_liveness_failure_threshold }}
timeoutSeconds: {{ task_liveness_timeout }}
{% endif %}
{% if task_readiness_period|int > 0 %}
readinessProbe:
exec:
command:
- /usr/bin/awx-manage
- check
initialDelaySeconds: {{ task_readiness_initial_delay }}
periodSeconds: {{ task_readiness_period }}
failureThreshold: {{ task_readiness_failure_threshold }}
timeoutSeconds: {{ task_readiness_timeout }}
{% endif %}
volumeMounts:
{% if bundle_ca_crt %}

29
roles/installer/templates/deployments/web.yaml.j2
View File

@@ -162,6 +162,31 @@ spec:
- containerPort: 8052
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
- containerPort: 8053
{% endif %}
{% if web_liveness_period|int > 0 %}
livenessProbe:
exec:
command:
- sh
- -c
- |
(exit $(/usr/bin/supervisorctl -c /etc/supervisord_task.conf status | grep -vc RUNNING))
initialDelaySeconds: {{ web_liveness_initial_delay }}
periodSeconds: {{ web_liveness_period }}
failureThreshold: {{ web_liveness_failure_threshold }}
timeoutSeconds: {{ web_liveness_timeout }}
{% endif %}
{% if web_readiness_period|int > 0 %}
readinessProbe:
exec:
httpGet:
path: /api/v2/ping/
scheme: HTTP
port: 8052
initialDelaySeconds: {{ web_readiness_initial_delay }}
periodSeconds: {{ web_readiness_period }}
failureThreshold: {{ web_readiness_failure_threshold }}
timeoutSeconds: {{ web_readiness_timeout }}
{% endif %}
volumeMounts:
{% if bundle_ca_crt %}
@@ -340,6 +365,10 @@ spec:
{% elif affinity %}
affinity:
{{ affinity | to_nice_yaml | indent(width=8) }}
{% endif %}
{% if security_context_settings|length %}
securityContext:
{{ security_context_settings | to_nice_yaml | indent(8) }}
{% endif %}
volumes:
- name: "{{ ansible_operator_meta.name }}-receptor-ca"

66
roles/installer/templates/jobs/migration.yaml.j2 Normal file
View File

@@ -0,0 +1,66 @@
apiVersion: batch/v1
kind: Job
metadata:
name: '{{ ansible_operator_meta.name }}-migration-{{ version }}'
namespace: '{{ ansible_operator_meta.namespace }}'
labels:
{{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
{{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=4) | trim }}
spec:
template:
spec:
containers:
- name: "migration-job"
image: '{{ _image }}'
command:
- awx-manage
- migrate
- --noinput
volumeMounts:
- name: {{ ansible_operator_meta.name }}-application-credentials
mountPath: "/etc/tower/conf.d/credentials.py"
subPath: credentials.py
readOnly: true
- name: "{{ secret_key_secret_name }}"
mountPath: /etc/tower/SECRET_KEY
subPath: SECRET_KEY
readOnly: true
- name: {{ ansible_operator_meta.name }}-settings
mountPath: "/etc/tower/settings.py"
subPath: settings.py
readOnly: true
{% if development_mode | bool %}
- name: awx-devel
mountPath: "/awx_devel"
{% endif %}
volumes:
- name: "{{ ansible_operator_meta.name }}-application-credentials"
secret:
secretName: "{{ ansible_operator_meta.name }}-app-credentials"
items:
- key: credentials.py
path: 'credentials.py'
- key: ldap.py
path: 'ldap.py'
- key: execution_environments.py
path: 'execution_environments.py'
- name: "{{ secret_key_secret_name }}"
secret:
secretName: '{{ secret_key_secret_name }}'
items:
- key: secret_key
path: SECRET_KEY
- name: {{ ansible_operator_meta.name }}-settings
configMap:
name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
items:
- key: settings
path: settings.py
{% if development_mode | bool %}
- name: awx-devel
hostPath:
path: /awx_devel
{% endif %}
dnsPolicy: ClusterFirst
restartPolicy: Never
terminationGracePeriodSeconds: 30

45
roles/installer/templates/networking/ingress.yaml.j2
View File

@@ -24,6 +24,7 @@ spec:
ingressClassName: '{{ ingress_class_name }}'
{% endif %}
rules:
{% if not ingress_hosts %}
- http:
paths:
- path: '{{ ingress_path }}'
@@ -33,6 +34,37 @@ spec:
name: '{{ ansible_operator_meta.name }}-service'
port:
number: 80
{% if hostname %}
host: {{ hostname }}
{% endif %}
{% if ingress_controller|lower == "contour" %}
- path: '{{ ingress_path.rstrip("/") }}/websocket'
pathType: '{{ ingress_path_type }}'
backend:
service:
name: '{{ ansible_operator_meta.name }}-service'
port:
number: 80
{% endif %}
{% if ingress_tls_secret %}
tls:
- hosts:
- {{ hostname }}
secretName: {{ ingress_tls_secret }}
{% endif %}
{% endif %}
{% if ingress_hosts %}
{% for item in ingress_hosts %}
- host: {{ item.hostname }}
http:
paths:
- path: '{{ ingress_path }}'
pathType: '{{ ingress_path_type }}'
backend:
service:
name: '{{ ansible_operator_meta.name }}-service'
port:
number: 80
{% if ingress_controller|lower == "contour" %}
- path: '{{ ingress_path.rstrip("/") }}/websocket'
pathType: '{{ ingress_path_type }}'
@@ -42,14 +74,15 @@ spec:
port:
number: 80
{% endif %}
{% if hostname %}
host: {{ hostname }}
{% endif %}
{% if ingress_tls_secret %}
{% endfor %}
tls:
{% for item in ingress_hosts %}
{% if 'tls_secret' in item %}
- hosts:
- {{ hostname }}
secretName: {{ ingress_tls_secret }}
- {{ item.hostname }}
secretName: {{ item.tls_secret }}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}

5
roles/installer/templates/networking/service.yaml.j2
View File

@@ -52,9 +52,12 @@ spec:
type: NodePort
{% elif service_type | lower == "loadbalancer" %}
type: LoadBalancer
{% if loadbalancer_ip is defined and loadbalancer_ip|length %}
{% if loadbalancer_ip is defined and loadbalancer_ip | length %}
loadbalancerip: '{{ loadbalancer_ip }}'
{% endif %}
{% if loadbalancer_class is defined and loadbalancer_class | length %}
loadBalancerClass: {{ loadbalancer_class }}
{% endif %}
{% else %}
type: ClusterIP
{% endif %}

17
roles/installer/templates/settings/credentials.py.j2
View File

@@ -11,13 +11,20 @@ DATABASES = {
{% if awx_postgres_sslmode in ['verify-ca', 'verify-full'] %}
'sslrootcert': '{{ ca_trust_bundle }}',
{% endif %}
},
}
}
LISTENER_DATABASES = {
'default': {
'OPTIONS': {
{% if postgres_keepalives %}
'keepalives': 1,
'keepalives_idle': {{ postgres_keepalives_idle }},
'keepalives_interval': {{ postgres_keepalives_interval }},
'keepalives_count': {{ postgres_keepalives_count }},
'keepalives': 1,
'keepalives_idle': {{ postgres_keepalives_idle }},
'keepalives_interval': {{ postgres_keepalives_interval }},
'keepalives_count': {{ postgres_keepalives_count }},
{% else %}
'keepalives': 0,
'keepalives': 0,
{% endif %}
},
}

25
roles/installer/templates/statefulsets/postgres.yaml.j2
View File

@@ -33,7 +33,7 @@ spec:
app.kubernetes.io/instance: 'postgres-{{ supported_pg_version }}-{{ ansible_operator_meta.name }}'
app.kubernetes.io/component: 'database'
app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
spec:
{% if image_pull_secret is defined %}
imagePullSecrets:
@@ -51,11 +51,15 @@ spec:
- image: '{{ _postgres_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: postgres
{% if postgres_security_context_settings|length %}
securityContext:
{{ postgres_security_context_settings | to_nice_yaml | indent(12) }}
{% endif %}
{% if postgres_extra_args %}
args: {{ postgres_extra_args }}
{% endif %}
env:
# For postgres_image based on rhel8/postgresql-13
# For postgres_image based on rhel8/postgresql-{{ supported_pg_version }}
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
@@ -108,6 +112,9 @@ spec:
- name: postgres-{{ supported_pg_version }}
mountPath: '{{ postgres_data_path | dirname }}'
subPath: '{{ postgres_data_path | dirname | basename }}'
{% if postgres_extra_volume_mounts -%}
{{ postgres_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
resources: {{ postgres_resource_requirements }}
{% if postgres_selector %}
nodeSelector:
@@ -116,6 +123,10 @@ spec:
{% if postgres_tolerations %}
tolerations:
{{ postgres_tolerations | indent(width=8) }}
{% endif %}
{% if postgres_extra_volumes %}
volumes:
{{ postgres_extra_volumes | indent(width=8, first=False) }}
{% endif %}
volumeClaimTemplates:
- metadata:
@@ -126,7 +137,15 @@ spec:
{% if postgres_storage_class is defined %}
storageClassName: '{{ postgres_storage_class }}'
{% endif %}
resources: {{ postgres_storage_requirements }}
resources:
{% if postgres_storage_requirements.limits.storage | default("", true) %}
limits:
storage: {{ postgres_storage_requirements.limits.storage }}
{% endif %}
{% if postgres_storage_requirements.requests.storage | default("", true) %}
requests:
storage: {{ postgres_storage_requirements.requests.storage }}
{% endif %}
# Postgres Service.
---

4
roles/installer/vars/main.yml
View File

@@ -4,4 +4,6 @@ postgres_host_auth_method: 'scram-sha-256'
ldap_cacert_ca_crt: ''
bundle_ca_crt: ''
projects_existing_claim: ''
supported_pg_version: 13
supported_pg_version: 15
_previous_upgraded_pg_version: 0
old_postgres_pod: []

16
roles/mesh_ingress/defaults/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
deployment_type: awx
ingress_type: none
ingress_api_version: 'networking.k8s.io/v1'
ingress_annotations: ''
ingress_class_name: ''
ingress_controller: ''
set_self_owneref: true
_control_plane_ee_image: "quay.io/ansible/awx-ee:{{ lookup('env', 'DEFAULT_AWX_VERSION') or 'latest' }}"
_image_pull_policy: Always
image_pull_secrets: []
finalizer_run: false

150
roles/mesh_ingress/tasks/creation.yml Normal file
View File

@@ -0,0 +1,150 @@
---
- name: Import common role
import_role:
name: common
- name: Debug is_openshift
debug:
msg: "is_openshift={{ is_openshift }}"
- name: Check for presence of AWX instance that we will use to create the Mesh Ingress for.
k8s_info:
api_version: awx.ansible.com/v1beta1
kind: AWX
name: "{{ deployment_name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
register: awx_instance
- name: Fail if awx_deployment does not exist in the same namespace
fail:
msg: "AWX instance {{ deployment_name }} does not exist in the same namespace as the AWXMeshIngress instance."
when: awx_instance.resources | length == 0
- name: Set awx_spec
set_fact:
awx_spec: "{{ awx_instance.resources[0].spec }}"
- name: Set owner_reference of AWXMeshIngress to related AWX instance
k8s:
state: present
definition:
apiVersion: awx.ansible.com/v1beta1
kind: AWX
name: "{{ deployment_name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
metadata:
name: "{{ deployment_name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
ownerReferences:
- apiVersion: awx.ansible.com/v1beta1
blockOwnerDeletion: true
controller: true
kind: AWX
name: "{{ deployment_name }}"
uid: "{{ awx_instance.resources[0].metadata.uid }}"
when: set_self_owneref | bool
- name: Set user provided control plane ee image
set_fact:
_custom_control_plane_ee_image: "{{ awx_spec.control_plane_ee_image }}"
when:
- awx_spec.control_plane_ee_image | default([]) | length
- name: Set Control Plane EE image URL
set_fact:
_control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
- name: Set Image Pull Policy
set_fact:
_image_pull_policy: "{{ awx_spec.image_pull_policy | default(_image_pull_policy, true) }}"
- name: Default ingress_type to Route if OpenShift
set_fact:
ingress_type: route
when: is_openshift | bool and ingress_type | lower == 'none'
- name: Apply Ingress resource
k8s:
apply: yes
definition: "{{ lookup('template', 'ingress.yml.j2') }}"
wait: yes
wait_timeout: "120"
register: ingress
# TODO: need to wait until the route is ready before we can get the hostname
# right now this will rereconcile until the route is ready
- name: Set external_hostname
set_fact:
external_hostname: "{{ ingress.result.status.ingress[0].host }}"
when: ingress_type | lower == 'route'
- name: Create other resources
k8s:
apply: yes
definition: "{{ lookup('template', '{{ item }}.yml.j2') }}"
wait: yes
wait_timeout: "120"
loop:
- service_account
- receptor_conf.configmap
- service
- deployment
- name: Get the current resource task pod information.
k8s_info:
api_version: v1
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
label_selectors:
- "app.kubernetes.io/name={{ deployment_name }}-task"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
- "app.kubernetes.io/component={{ deployment_type }}"
field_selectors:
- status.phase=Running
register: awx_task_pod
- name: Set the resource pod as a variable.
set_fact:
awx_task_pod: >-
{{ awx_task_pod['resources']
| rejectattr('metadata.deletionTimestamp', 'defined')
| sort(attribute='metadata.creationTimestamp')
| first | default({}) }}
- name: Set the resource pod name as a variable.
set_fact:
awx_task_pod_name: "{{ awx_task_pod['metadata']['name'] | default('') }}"
- name: Add new instance to AWX
kubernetes.core.k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ deployment_name }}-task"
command: |
awx-manage provision_instance
--hostname {{ ansible_operator_meta.name }}
--node_type hop
- name: Add internal receptor address
kubernetes.core.k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ deployment_name }}-task"
command: |
awx-manage add_receptor_address
--instance {{ ansible_operator_meta.name }}
--address {{ ansible_operator_meta.name }}
--port 27199 --protocol ws
--peers_from_control_nodes --is_internal --canonical
- name: Add external receptor address
kubernetes.core.k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ deployment_name }}-task"
command: |
awx-manage add_receptor_address
--instance {{ ansible_operator_meta.name }}
--address {{ external_hostname }}
--port 443 --protocol ws

33
roles/mesh_ingress/tasks/finalizer.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: Get the current resource task pod information.
k8s_info:
api_version: v1
kind: Pod
namespace: '{{ ansible_operator_meta.namespace }}'
label_selectors:
- "app.kubernetes.io/name={{ deployment_name }}-task"
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
- "app.kubernetes.io/component={{ deployment_type }}"
field_selectors:
- status.phase=Running
register: awx_task_pod
- name: Set the resource pod as a variable.
set_fact:
awx_task_pod: >-
{{ awx_task_pod['resources']
| rejectattr('metadata.deletionTimestamp', 'defined')
| sort(attribute='metadata.creationTimestamp')
| first | default({}) }}
- name: Set the resource pod name as a variable.
set_fact:
awx_task_pod_name: "{{ awx_task_pod['metadata']['name'] | default('') }}"
- name: Deprovision mesh ingress instance in AWX
kubernetes.core.k8s_exec:
namespace: "{{ ansible_operator_meta.namespace }}"
pod: "{{ awx_task_pod_name }}"
container: "{{ deployment_name }}-task"
command: "awx-manage deprovision_instance --hostname {{ ansible_operator_meta.name }}"
register: result

12
roles/mesh_ingress/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Lowercase the ingress_type
set_fact:
ingress_type: "{{ ingress_type | lower }}"
- name: Run creation tasks
include_tasks: creation.yml
when: not finalizer_run
- name: Run finalizer tasks
include_tasks: finalizer.yml
when: finalizer_run

86
roles/mesh_ingress/templates/deployment.yml.j2 Normal file
View File

@@ -0,0 +1,86 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ ansible_operator_meta.name }}
namespace: {{ ansible_operator_meta.namespace }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ ansible_operator_meta.name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ ansible_operator_meta.name }}
spec:
{% if image_pull_secrets | length > 0 %}
imagePullSecrets:
{% for secret in image_pull_secrets %}
- name: {{ secret }}
{% endfor %}
{% endif %}
containers:
- args:
- /bin/sh
- -c
- |
internal_hostname={{ ansible_operator_meta.name }}
{% if external_hostname is defined %}
external_hostname={{ external_hostname }}
{% endif %}
{% if external_ipaddress is defined %}
external_ipaddress={{ external_ipaddress }}
{% endif %}
receptor --cert-makereq \
bits=2048 \
commonname=$internal_hostname \
dnsname=$internal_hostname \
nodeid=$internal_hostname \
{% if external_hostname is defined %}
dnsname=$external_hostname \
{% endif %}
{% if external_ipaddress is defined %}
ipaddress=$external_ipaddress \
{% endif %}
outreq=/etc/receptor/tls/receptor.req \
outkey=/etc/receptor/tls/receptor.key
receptor --cert-signreq \
req=/etc/receptor/tls/receptor.req \
cacert=/etc/receptor/tls/ca/mesh-CA.crt \
cakey=/etc/receptor/tls/ca/mesh-CA.key \
outcert=/etc/receptor/tls/receptor.crt \
notafter=$(date --iso-8601=seconds --utc --date "10 years") \
verify=yes
exec receptor --config /etc/receptor/receptor.conf
image: '{{ _control_plane_ee_image }}'
imagePullPolicy: '{{ _image_pull_policy }}'
name: {{ ansible_operator_meta.name }}-mesh-ingress
volumeMounts:
- mountPath: /etc/receptor/receptor.conf
name: {{ ansible_operator_meta.name }}-receptor-config
subPath: receptor.conf
- mountPath: /etc/receptor/tls/ca/mesh-CA.crt
name: {{ ansible_operator_meta.name }}-receptor-ca
readOnly: true
subPath: tls.crt
- mountPath: /etc/receptor/tls/ca/mesh-CA.key
name: {{ ansible_operator_meta.name }}-receptor-ca
readOnly: true
subPath: tls.key
- mountPath: /etc/receptor/tls/
name: {{ ansible_operator_meta.name }}-receptor-tls
restartPolicy: Always
schedulerName: default-scheduler
serviceAccount: {{ ansible_operator_meta.name }}
volumes:
- name: {{ ansible_operator_meta.name }}-receptor-tls
- name: {{ ansible_operator_meta.name }}-receptor-ca
secret:
defaultMode: 420
secretName: {{ deployment_name }}-receptor-ca
- configMap:
defaultMode: 420
items:
- key: receptor_conf
path: receptor.conf
name: {{ ansible_operator_meta.name }}-receptor-config
name: {{ ansible_operator_meta.name }}-receptor-config

86
roles/mesh_ingress/templates/ingress.yml.j2 Normal file
View File

@@ -0,0 +1,86 @@
{% if ingress_type|lower == "ingress" %}
---
{% if ingress_api_version is defined %}
apiVersion: '{{ ingress_api_version }}'
{% endif %}
kind: Ingress
metadata:
name: {{ ansible_operator_meta.name }}
namespace: {{ ansible_operator_meta.namespace }}
annotations:
{% if ingress_annotations %}
{{ ingress_annotations | indent(width=4) }}
{% endif %}
{% if ingress_controller|lower == "nginx" %}
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
{% endif %}
spec:
{% if ingress_class_name %}
ingressClassName: '{{ ingress_class_name }}'
{% endif %}
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ ansible_operator_meta.name }}
port:
number: 27199
{% if external_hostname is defined %}
host: {{ external_hostname }}
{% endif %}
{% endif %}
{% if ingress_type|lower == "ingressroutetcp" %}
---
{% if ingress_api_version is defined %}
apiVersion: '{{ ingress_api_version }}'
{% endif %}
kind: IngressRouteTCP
metadata:
name: {{ ansible_operator_meta.name }}
namespace: {{ ansible_operator_meta.namespace }}
annotations:
{% if ingress_annotations %}
{{ ingress_annotations | indent(width=4) }}
{% endif %}
spec:
entryPoints:
- websecure
routes:
- services:
- name: {{ ansible_operator_meta.name }}
port: 27199
{% if external_hostname is defined %}
match: HostSNI(`{{ external_hostname }}`)
{% endif %}
tls:
passthrough: true
{% endif %}
{% if ingress_type|lower == "route" %}
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
openshift.io/host.generated: "true"
name: {{ ansible_operator_meta.name }}
namespace: {{ ansible_operator_meta.namespace }}
spec:
{% if external_hostname %}
host: {{ external_hostname }}
{% endif %}
port:
targetPort: ws
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
to:
kind: Service
name: {{ ansible_operator_meta.name }}
weight: 100
wildcardPolicy: None
{% endif %}

24
roles/mesh_ingress/templates/receptor_conf.configmap.yml.j2 Normal file
View File

@@ -0,0 +1,24 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ ansible_operator_meta.name }}-receptor-config
namespace: {{ ansible_operator_meta.namespace }}
data:
receptor_conf: |
---
- node:
id: {{ ansible_operator_meta.name }}
- log-level: debug
- control-service:
service: control
- ws-listener:
port: 27199
tls: tlsserver
- tls-server:
cert: /etc/receptor/tls/receptor.crt
key: /etc/receptor/tls/receptor.key
name: tlsserver
clientcas: /etc/receptor/tls/ca/mesh-CA.crt
requireclientcert: true
mintls13: false

14
roles/mesh_ingress/templates/service.yml.j2 Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ ansible_operator_meta.name }}
namespace: '{{ ansible_operator_meta.namespace }}'
spec:
type: ClusterIP
ports:
- name: ws
port: 27199
targetPort: 27199
selector:
app.kubernetes.io/name: {{ ansible_operator_meta.name }}

Some files were not shown because too many files have changed in this diff Show More