Add use_db_compression option for backup database dumps (#2106)

* Add use_db_compression option for backup database dumps

Enable optional pg_dump compression (-Z 9) via use_db_compression
boolean flag. Restore auto-detects compressed (.db.gz) or
uncompressed (.db) backups for backward compatibility.

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude

* Add CRD field, CSV descriptor, and restore auto-detection for use_db_compression

Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude

.github/workflows/ci.yaml

@@ -16,7 +16,7 @@ jobs:
           - --skip-tags=replicas
           - -t replicas
     env:
-      DOCKER_API_VERSION: "1.41"
+      DOCKER_API_VERSION: "1.44"
       DEBUG_OUTPUT_DIR: /tmp/awx_operator_molecule_test
     steps:
       - uses: actions/checkout@v4

.github/workflows/publish-operator-hub.yaml

@@ -1,86 +0,0 @@
-name: Publish AWX Operator on operator-hub
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        description: 'Name for the tag of the release.'
-        required: true
-      operator_hub_fork:
-        description: 'Fork of operator-hub where the PR will be created from. default: awx-auto'
-        required: true
-        default: 'awx-auto'
-      image_registry:
-        description: 'Image registry where the image is published to. default: quay.io'
-        required: true
-        default: 'quay.io'
-      image_registry_organization:
-        description: 'Image registry organization where the image is published to. default: ansible'
-        required: true
-        default: 'ansible'
-      community_operator_github_org:
-        description: 'Github organization for community-opeartor project. default: k8s-operatorhub'
-        required: true
-        default: 'k8s-operatorhub'
-      community_operator_prod_github_org:
-        description: 'GitHub organization for community-operator-prod project. default: redhat-openshift-ecosystem'
-        required: true
-        default: 'redhat-openshift-ecosystem'
-jobs:
-  promote:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set GITHUB_ENV from workflow_dispatch event
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        run: |
-          echo "VERSION=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
-          echo "IMAGE_REGISTRY=${{ github.event.inputs.image_registry }}" >> $GITHUB_ENV
-          echo "IMAGE_REGISTRY_ORGANIZATION=${{ github.event.inputs.image_registry_organization }}" >> $GITHUB_ENV
-          echo "COMMUNITY_OPERATOR_GITHUB_ORG=${{ github.event.inputs.community_operator_github_org }}" >> $GITHUB_ENV
-          echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${{ github.event.inputs.community_operator_prod_github_org }}" >> $GITHUB_ENV
-
-      - name: Set GITHUB_ENV for release event
-        if: ${{ github.event_name == 'release' }}
-        run: |
-          echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
-          echo "IMAGE_REGISTRY=quay.io" >> $GITHUB_ENV
-          echo "IMAGE_REGISTRY_ORGANIZATION=ansible" >> $GITHUB_ENV
-          echo "COMMUNITY_OPERATOR_GITHUB_ORG=k8s-operatorhub" >> $GITHUB_ENV
-          echo "COMMUNITY_OPERATOR_PROD_GITHUB_ORG=redhat-openshift-ecosystem" >> $GITHUB_ENV
-
-      - name: Log in to image registry
-        run: |
-          echo ${{ secrets.QUAY_TOKEN }} | docker login ${{ env.IMAGE_REGISTRY }} -u ${{ secrets.QUAY_USER }} --password-stdin
-
-      - name: Checkout awx-operator at workflow branch
-        uses: actions/checkout@v4
-        with:
-          path: awx-operator
-
-      - name: Checkout awx-opearator at ${{ env.VERSION }}
-        uses: actions/checkout@v4
-        with:
-          fetch-tags: true
-          ref: ${{ env.VERSION }}
-          path: awx-operator-${{ env.VERSION }}
-          fetch-depth: 0  # fetch all history so that git describe works
-
-      - name: Copy scripts to awx-operator-${{ env.VERSION }}
-        run: |
-          cp -f \
-            awx-operator/hack/publish-to-operator-hub.sh \
-            awx-operator-${{ env.VERSION }}/hack/publish-to-operator-hub.sh
-          cp -f \
-            awx-operator/Makefile \
-            awx-operator-${{ env.VERSION }}/Makefile
-
-      - name: Build and publish bundle to operator-hub
-        working-directory: awx-operator-${{ env.VERSION }}
-        env:
-          IMG_REPOSITORY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REGISTRY_ORGANIZATION }}
-          GITHUB_TOKEN: ${{ secrets.AWX_AUTO_GITHUB_TOKEN }}
-        run: |
-          git config --global user.email "awx-automation@redhat.com"
-          git config --global user.name "AWX Automation"
-          ./hack/publish-to-operator-hub.sh

Dockerfile

@@ -1,8 +1,8 @@
-FROM quay.io/operator-framework/ansible-operator:v1.36.1
+FROM quay.io/operator-framework/ansible-operator:v1.40.0
 
 USER root
-RUN dnf update --security --bugfix -y && \
-    dnf install -y openssl
+RUN dnf update --security --bugfix -y --disableplugin=subscription-manager && \
+    dnf install -y --disableplugin=subscription-manager openssl
 
 USER 1001
 

Makefile

@@ -105,6 +105,10 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 	- docker buildx build --push $(BUILD_ARGS) --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
 	- docker buildx rm project-v3-builder
 
+.PHONY: podman-buildx
+podman-buildx: ## Build and push podman image for the manager for cross-platform support
+	podman build --platform=$(PLATFORMS) $(BUILD_ARGS) --manifest ${IMG} -f Dockerfile .
+	podman manifest push --all ${IMG} ${IMG}
 
 ##@ Deployment
 
@@ -161,7 +165,7 @@ ifeq (,$(shell which operator-sdk 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPERATOR_SDK)) ;\
-	curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.36.1/operator-sdk_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/v1.40.0/operator-sdk_$(OS)_$(ARCHA) ;\
 	chmod +x $(OPERATOR_SDK) ;\
 	}
 else
@@ -177,7 +181,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.36.1/ansible-operator_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.40.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -208,7 +212,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.26.0/$(OS)-$(ARCHA)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -37,6 +37,9 @@ spec:
           metadata:
             type: object
           spec:
+            x-kubernetes-validations:
+            - rule: "has(self.postgres_image) && has(self.postgres_image_version) || !has(self.postgres_image) && !has(self.postgres_image_version)"
+              message: "Both postgres_image and postgres_image_version must be set when required"
             type: object
             x-kubernetes-preserve-unknown-fields: true
             required:
@@ -48,6 +51,10 @@ spec:
               backup_pvc:
                 description: Name of the backup PVC
                 type: string
+              create_backup_pvc:
+                description: If true (default), automatically create the backup PVC if it does not exist
+                type: boolean
+                default: true
               backup_pvc_namespace:
                 description: (Deprecated) Namespace the PVC is in
                 type: string
@@ -81,6 +88,10 @@ spec:
               pg_dump_suffix:
                 description: Additional parameters for the pg_dump command
                 type: string
+              use_db_compression:
+                description: Enable compression for database dumps using pg_dump built-in compression.
+                type: boolean
+                default: true
               postgres_label_selector:
                 description: Label selector used to identify postgres pod for backing up data
                 type: string

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -37,6 +37,9 @@ spec:
           metadata:
             type: object
           spec:
+            x-kubernetes-validations:
+            - rule: "has(self.postgres_image) && has(self.postgres_image_version) || !has(self.postgres_image) && !has(self.postgres_image_version)"
+              message: "Both postgres_image and postgres_image_version must be set when required"
             type: object
             x-kubernetes-preserve-unknown-fields: true
             required:

config/default/kustomization.yaml

@@ -20,11 +20,11 @@ resources:
 - ../manager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
+- metrics_service.yaml
 
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 patches:
-- path: manager_auth_proxy_patch.yaml
+- path: manager_metrics_patch.yaml
+  target:
+    kind: Deployment

config/default/manager_auth_proxy_patch.yaml

@@ -1,40 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=0"
-        ports:
-        - containerPort: 8443
-          protocol: TCP
-          name: https
-        resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
-      - name: awx-manager
-        args:
-        - "--health-probe-bind-address=:6789"
-        - "--metrics-bind-address=127.0.0.1:8080"
-        - "--leader-elect"
-        - "--leader-election-id=awx-operator"

config/default/manager_metrics_patch.yaml

@@ -0,0 +1,12 @@
+# This patch adds the args to allow exposing the metrics endpoint using HTTPS
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-bind-address=:8443
+# This patch adds the args to allow securing the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-secure
+# This patch adds the args to allow RBAC-based authn/authz for the metrics endpoint
+- op: add
+  path: /spec/template/spec/containers/0/args/0
+  value: --metrics-require-rbac

config/default/metrics_service.yaml

@@ -3,6 +3,8 @@ kind: Service
 metadata:
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: awx-operator
+    app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-service
   namespace: system
 spec:
@@ -10,6 +12,7 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/name: awx-operator

config/manager/manager.yaml

@@ -38,6 +38,7 @@ spec:
       - args:
         - --leader-elect
         - --leader-election-id=awx-operator
+        - --health-probe-bind-address=:6789
         image: controller:latest
         imagePullPolicy: IfNotPresent
         name: awx-manager

config/manifests/bases/awx-operator.clusterserviceversion.yaml

@@ -175,6 +175,12 @@ spec:
         path: additional_labels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Enable compression for database dumps using pg_dump built-in compression
+        displayName: Use DB Compression
+        path: use_db_compression
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - displayName: Node Selector for backup management pod
         path: db_management_pod_node_selector
         x-descriptors:

config/rbac/kustomization.yaml

@@ -9,10 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml

config/rbac/metrics_auth_role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: proxy-role
+  name: metrics-auth-role
 rules:
 - apiGroups:
   - authentication.k8s.io

config/rbac/metrics_auth_role_binding.yaml

@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: proxy-rolebinding
+  name: metrics-auth-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager

config/testing/kustomization.yaml

@@ -14,10 +14,13 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
+- ../default/metrics_service.yaml
 images:
 - name: testing
   newName: testing-operator
 patches:
 - path: manager_image.yaml
 - path: debug_logs_patch.yaml
-- path: ../default/manager_auth_proxy_patch.yaml
+- path: ../default/manager_metrics_patch.yaml
+  target:
+    kind: Deployment

docs/contributors-guide/release-process.md

@@ -8,20 +8,3 @@ After the draft release is created, publish it and the [Promote AWX Operator ima
 
 - Publish image to Quay
 - Release Helm chart
-
-After the GHA is complete, the final step is to run the [publish-to-operator-hub.sh](https://github.com/ansible/awx-operator/blob/devel/hack/publish-to-operator-hub.sh) script, which will create a PR in the following repos to add the new awx-operator bundle version to OperatorHub:
-
-- <https://github.com/k8s-operatorhub/community-operators> (community operator index)
-- <https://github.com/redhat-openshift-ecosystem/community-operators-prod> (operator index shipped with Openshift)
-
-!!! note
-    The usage is documented in the script itself, but here is an example of how you would use the script to publish the 2.5.3 awx-opeator bundle to OperatorHub.
-    Note that you need to specify the version being released, as well as the previous version. This is because the bundle has a pointer to the previous version that is it being upgrade from. This is used by OLM to create a dependency graph.
-
-    ```bash
-    VERSION=2.5.3 PREV_VERSION=2.5.2 ./hack/publish-to-operator-hub.sh
-    ```
-
-    There are some quirks with running this on OS X that still need to be fixed, but the script runs smoothly on linux.
-
-As soon as CI completes successfully, the PR's will be auto-merged. Please remember to monitor those PR's to make sure that CI passes, sometimes it needs a retry.

docs/development.md

@@ -1,6 +1,6 @@
 # Development Guide
 
-There are development scripts and yaml exaples in the [`dev/`](../dev) directory that, along with the up.sh and down.sh scripts in the root of the repo, can be used to build, deploy and test changes made to the awx-operator.
+There are development scripts and yaml examples in the [`dev/`](../dev) directory that, along with the up.sh and down.sh scripts in the root of the repo, can be used to build, deploy and test changes made to the awx-operator.
 
 
 ## Prerequisites

docs/troubleshooting/debugging.md

@@ -24,13 +24,6 @@ Past that, it is often useful to inspect various resources the AWX Operator mana
 * secrets
 * serviceaccount
 
-And if installing via OperatorHub and OLM:
-
-* subscription
-* csv
-* installPlan
-* catalogSource
-
 To inspect these resources you can use these commands
 
 ```sh

hack/publish-to-operator-hub.sh

@@ -1,123 +0,0 @@
-#!/bin/bash
-
-# Create PR to Publish to community-operators and community-operators-prod
-#
-# * Create upstream awx-operator release
-# * Check out tag (1.1.2).
-# * Run VERSION=1.1.2 make bundle
-# * Clone https://github.com/k8s-operatorhub/community-operators --branch main
-# * mkdir -p operators/awx-operator/0.31.0/
-# * Copy in manifests/ metadata/ and tests/ directories into operators/awx-operator/1.1.2/
-# * Use sed to add in a replaces or skip entry. replace by default.
-# * No need to update config.yaml
-# * Build and Push operator and bundle images
-# * Open PR or at least push to a branch so that a PR can be manually opened from it.
-#
-# Usage:
-#   First, check out awx-operator tag you intend to release, in this case, 1.0.0
-#   $ VERSION=1.1.2 PREV_VERSION=1.1.1 FORK=<your-fork> ./hack/publish-to-operator-hub.sh
-#
-# Remember to change update the VERSION and PREV_VERSION before running!!!
-
-set -e
-
-VERSION=${VERSION:-$(make print-VERSION)}
-PREV_VERSION=${PREV_VERSION:-$(make print-PREV_VERSION)}
-
-BRANCH=publish-awx-operator-$VERSION
-FORK=${FORK:-awx-auto}
-GITHUB_TOKEN=${GITHUB_TOKEN:-$AWX_AUTO_GITHUB_TOKEN}
-
-IMG_REPOSITORY=${IMG_REPOSITORY:-quay.io/ansible}
-
-OPERATOR_IMG=$IMG_REPOSITORY/awx-operator:$VERSION
-CATALOG_IMG=$IMG_REPOSITORY/awx-operator-catalog:$VERSION
-BUNDLE_IMG=$IMG_REPOSITORY/awx-operator-bundle:$VERSION
-
-COMMUNITY_OPERATOR_GITHUB_ORG=${COMMUNITY_OPERATOR_GITHUB_ORG:-k8s-operatorhub}
-COMMUNITY_OPERATOR_PROD_GITHUB_ORG=${COMMUNITY_OPERATOR_PROD_GITHUB_ORG:-redhat-openshift-ecosystem}
-
-# Build bundle directory
-make bundle IMG=$OPERATOR_IMG
-
-# Build bundle and catalog images
-make bundle-build bundle-push BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG
-make catalog-build catalog-push CATALOG_IMG=$CATALOG_IMG BUNDLE_IMGS=$BUNDLE_IMG BUNDLE_IMG=$BUNDLE_IMG IMG=$OPERATOR_IMG
-
-# Set containerImage & namespace variables in CSV
-sed -i.bak -e "s|containerImage: quay.io/ansible/awx-operator:devel|containerImage: ${OPERATOR_IMG}|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
-sed -i.bak -e "s|namespace: placeholder|namespace: awx|g" bundle/manifests/awx-operator.clusterserviceversion.yaml
-
-# Add replaces to dependency graph for upgrade path
-if ! grep -qF 'replaces: awx-operator.v${PREV_VERSION}' bundle/manifests/awx-operator.clusterserviceversion.yaml; then
-  sed -i.bak -e "/version: ${VERSION}/a \\
-  replaces: awx-operator.v$PREV_VERSION" bundle/manifests/awx-operator.clusterserviceversion.yaml
-fi
-
-# Rename CSV to contain version in name
-mv bundle/manifests/awx-operator.clusterserviceversion.yaml bundle/manifests/awx-operator.v${VERSION}.clusterserviceversion.yaml
-
-# Set Openshift Support Range (bump minKubeVersion in CSV when changing)
-if ! grep -qF 'openshift.versions' bundle/metadata/annotations.yaml; then
-  sed -i.bak -e "/annotations:/a \\
-  com.redhat.openshift.versions: v4.11" bundle/metadata/annotations.yaml
-fi
-
-# Remove .bak files from bundle result from sed commands
-find bundle -name "*.bak" -type f -delete
-
-echo "-- Create branch on community-operators fork --"
-git clone https://github.com/$COMMUNITY_OPERATOR_GITHUB_ORG/community-operators.git
-
-mkdir -p community-operators/operators/awx-operator/$VERSION/
-cp -r bundle/* community-operators/operators/awx-operator/$VERSION/
-pushd community-operators/operators/awx-operator/$VERSION/
-
-git checkout -b $BRANCH
-git add ./
-git status
-
-message='operator [N] [CI] awx-operator'
-commitMessage="${message} ${VERSION}"
-git commit -m "$commitMessage" -s
-
-git remote add upstream https://$GITHUB_TOKEN@github.com/$FORK/community-operators.git
-
-git push upstream --delete $BRANCH || true
-git push upstream $BRANCH
-
-gh pr create \
-  --title "operator awx-operator (${VERSION})" \
-  --body "operator awx-operator (${VERSION})" \
-  --base main \
-  --head $FORK:$BRANCH \
-  --repo $COMMUNITY_OPERATOR_GITHUB_ORG/community-operators
-popd
-
-echo "-- Create branch on community-operators-prod fork --"
-git clone https://github.com/$COMMUNITY_OPERATOR_PROD_GITHUB_ORG/community-operators-prod.git
-
-mkdir -p community-operators-prod/operators/awx-operator/$VERSION/
-cp -r bundle/* community-operators-prod/operators/awx-operator/$VERSION/
-pushd community-operators-prod/operators/awx-operator/$VERSION/
-
-git checkout -b $BRANCH
-git add ./
-git status
-
-message='operator [N] [CI] awx-operator'
-commitMessage="${message} ${VERSION}"
-git commit -m "$commitMessage" -s
-
-git remote add upstream https://$GITHUB_TOKEN@github.com/$FORK/community-operators-prod.git
-
-git push upstream --delete $BRANCH || true
-git push upstream $BRANCH
-
-gh pr create \
-  --title "operator awx-operator (${VERSION})" \
-  --body "operator awx-operator (${VERSION})" \
-  --base main \
-  --head $FORK:$BRANCH \
-  --repo $COMMUNITY_OPERATOR_PROD_GITHUB_ORG/community-operators-prod
-popd

molecule/default/utils/output_all_container_logs_for_pod.yml

@@ -5,10 +5,21 @@
     name: '{{ item.metadata.name }}'
     all_containers: true
   register: all_container_logs
+  ignore_errors: yes
 
 - name: Store logs in file
   ansible.builtin.copy:
-    content: "{{ all_container_logs.log_lines | join('\n') }}"
+    content: |-
+      {% if all_container_logs is failed %}
+      Failed to retrieve logs for pod {{ item.metadata.name }}:
+      {{ all_container_logs.msg | default(all_container_logs.stderr | default('No additional details provided.')) }}
+      {% elif all_container_logs.log_lines is defined %}
+      {{ all_container_logs.log_lines | join('\n') }}
+      {% elif all_container_logs.log is defined %}
+      {{ all_container_logs.log }}
+      {% else %}
+      No log content returned by kubernetes.core.k8s_log.
+      {% endif %}
     dest: '{{ debug_output_dir }}/{{ item.metadata.name }}.log'
 
 # TODO: all_containser option dump all of the output in a single output make it hard to read we probably should iterate through each of the container to get specific logs

roles/backup/defaults/main.yml

@@ -8,6 +8,9 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 backup_pvc: ''
 backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 
+# If true (default), automatically create the backup PVC if it does not exist
+create_backup_pvc: true
+
 # Size of backup PVC if created dynamically
 backup_storage_requirements: ''
 
@@ -39,6 +42,9 @@ backup_resource_requirements:
 # Allow additional parameters to be added to the pg_dump backup command
 pg_dump_suffix: ''
 
+# Enable compression for database dumps (pg_dump -F custom built-in compression)
+use_db_compression: true
+
 # Labels defined on the resource, which should be propagated to child resources
 additional_labels: []
 

roles/backup/tasks/init.yml

@@ -22,17 +22,18 @@
   block:
     - name: Set error message
       set_fact:
-        error_msg: "{{ backup_pvc }} does not exist, please create this pvc first."
+        error_msg: "{{ backup_pvc }} does not exist, please create this pvc first or ensure create_backup_pvc is set to true (default) for automatic backup_pvc creation."
 
     - name: Handle error
       import_tasks: error_handling.yml
 
     - name: Fail early if pvc is defined but does not exist
       fail:
-        msg: "{{ backup_pvc }} does not exist, please create this pvc first."
+        msg: "{{ backup_pvc }} does not exist, please create this pvc first or ensure create_backup_pvc is set to true (default) for automatic backup_pvc creation."
   when:
     - backup_pvc != ''
     - provided_pvc.resources | length == 0
+    - not create_backup_pvc | bool
 
 # If backup_pvc is defined, use in management-pod.yml.j2
 - name: Set default pvc name
@@ -42,7 +43,7 @@
 # by default, it will re-use the old pvc if already created (unless a pvc is provided)
 - name: Set PVC to use for backup
   set_fact:
-    backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
+    backup_pvc: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
 - block:
     - name: Create PVC for backup
@@ -56,11 +57,11 @@
           apiVersion: v1
           kind: PersistentVolumeClaim
           metadata:
-            name: "{{ deployment_name }}-backup-claim"
+            name: "{{ backup_pvc }}"
             namespace: "{{ backup_pvc_namespace }}"
             ownerReferences: null
   when:
-    - backup_pvc == '' or backup_pvc is not defined
+    - (backup_pvc == '' or backup_pvc is not defined) or (create_backup_pvc | bool)
 
 - name: Set default postgres image
   set_fact:

roles/backup/tasks/postgres.yml

@@ -121,6 +121,7 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
+      {{ use_db_compression | bool | ternary('', '-Z 0') }}
       {{ pg_dump_suffix }}
   no_log: "{{ no_log }}"
 

roles/backup/tasks/update_status.yml

@@ -9,5 +9,5 @@
     namespace: "{{ ansible_operator_meta.namespace }}"
     status:
       backupDirectory: "{{ backup_dir }}"
-      backupClaim: "{{ backup_claim }}"
+      backupClaim: "{{ backup_pvc }}"
   when: backup_complete

roles/backup/templates/backup_pvc.yml.j2

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ deployment_name }}-backup-claim
+  name: {{ backup_pvc }}
   namespace: "{{ backup_pvc_namespace }}"
   ownerReferences: null
   labels:

roles/backup/templates/event.yml.j2

@@ -12,6 +12,6 @@ involvedObject:
 message: {{ error_msg }}
 reason: BackupFailed
 type: Warning
-firstTimestamp: {{ now }}
-lastTimestamp: {{ now }}
+firstTimestamp: "{{ now }}"
+lastTimestamp: "{{ now }}"
 count: 1

roles/backup/templates/management-pod.yml.j2

@@ -27,6 +27,6 @@ spec:
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim:
-        claimName: {{ backup_claim }}
+        claimName: {{ backup_pvc }}
         readOnly: false
   restartPolicy: Never

roles/installer/tasks/initialize_django.yml

@@ -8,7 +8,7 @@
       bash -c "echo 'from django.contrib.auth.models import User;
       nsu = User.objects.filter(is_superuser=True, username=\"{{ admin_user }}\").count();
       exit(0 if nsu > 0 else 1)'
-      | awx-manage shell"
+      | awx-manage shell --no-imports"
   ignore_errors: true
   register: users_result
   changed_when: users_result.return_code > 0

roles/installer/templates/configmaps/config.yaml.j2

@@ -111,11 +111,23 @@ data:
         server_tokens off;
         client_max_body_size {{ nginx_client_max_body_size }}M;
 
+        map $http_x_trusted_proxy $trusted_proxy_present {
+            default "trusted-proxy";
+            ""      "-";
+        }
+
+        map $http_x_dab_jw_token $dab_jwt_present {
+            default "dab-jwt";
+            ""      "-";
+        }
+
         log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" "$http_x_forwarded_for"';
+                          '"$http_user_agent" "$http_x_forwarded_for" '
+                          '$trusted_proxy_present $dab_jwt_present';
 
         access_log /dev/stdout main;
+        error_log /dev/stderr warn;
 
         map $http_upgrade $connection_upgrade {
             default upgrade;

roles/installer/templates/deployments/web.yaml.j2

@@ -202,7 +202,7 @@ spec:
           volumeMounts:
 {% if public_base_url is defined %}
             - name: redirect-page
-              mountPath: '/var/lib/awx/venv/awx/lib/python3.11/site-packages/awx/ui/build/index.html'
+              mountPath: '/var/lib/awx/venv/awx/lib/python3.12/site-packages/awx/ui/build/index.html'
               subPath: redirect-page.html
 {% endif %}
 {% if bundle_ca_crt %}

roles/restore/defaults/main.yml

@@ -40,5 +40,8 @@ additional_labels: []
 # Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
 set_self_labels: true
 
+# If set to true, the restore process will drop and recreate the database schema before restoring
+force_drop_db: false
+
 spec_overrides: {}
 ...

roles/restore/tasks/postgres.yml

@@ -83,13 +83,24 @@
 - name: Set pg_restore command
   set_fact:
     pg_restore: >-
-      pg_restore --clean --if-exists --no-owner --no-acl
+      pg_restore {{ force_drop_db | bool | ternary('', '--clean --if-exists') }} --no-owner --no-acl
       -U {{ awx_postgres_user }}
       -h {{ resolvable_db_host }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
   no_log: "{{ no_log }}"
 
+- name: Grant CREATEDB privilege to database user for force_drop_db
+  kubernetes.core.k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ postgres_pod_name }}"
+    container: postgres
+    command: >-
+      psql -c "ALTER USER {{ awx_postgres_user }} CREATEDB;"
+  when:
+    - force_drop_db | bool
+    - awx_postgres_type == 'managed'
+
 - name: Force drop and create database if force_drop_db is true
   block:
     - name: Set drop db command
@@ -155,3 +166,14 @@
       "
   register: data_migration
   no_log: "{{ no_log }}"
+
+- name: Revoke CREATEDB privilege from database user
+  kubernetes.core.k8s_exec:
+    namespace: "{{ ansible_operator_meta.namespace }}"
+    pod: "{{ postgres_pod_name }}"
+    container: postgres
+    command: >-
+      psql -c "ALTER USER {{ awx_postgres_user }} NOCREATEDB;"
+  when:
+    - force_drop_db | bool
+    - awx_postgres_type == 'managed'

roles/restore/templates/event.yml.j2

@@ -12,6 +12,6 @@ involvedObject:
 message: {{ error_msg }}
 reason: RestoreFailed
 type: Warning
-firstTimestamp: {{ now }}
-lastTimestamp: {{ now }}
+firstTimestamp: "{{ now }}"
+lastTimestamp: "{{ now }}"
 count: 1

roles/restore/vars/main.yml

@@ -14,7 +14,4 @@ broadcast_websocket_secret: '{{ deployment_name }}-broadcast-websocket'
 postgres_configuration_secret: '{{ deployment_name }}-postgres-configuration'
 supported_pg_version: 15
 image_pull_policy: IfNotPresent
-
-# If set to true, the restore process will delete the existing database and create a new one
-force_drop_db: false
 pg_drop_create: ''

up.sh

@@ -121,12 +121,20 @@ fi
 # -- Build & Push Operator Image
 echo "Preparing to build $IMG:$TAG ($IMG:$DEV_TAG) with $ENGINE..."
 sleep 3
-make docker-build docker-push IMG=$IMG:$TAG
 
-# Tag and Push DEV_TAG Image when DEV_TAG_PUSH is 'True'
-if $DEV_TAG_PUSH ; then
-  $ENGINE tag $IMG:$TAG $IMG:$DEV_TAG
-  make docker-push IMG=$IMG:$DEV_TAG
+# Detect architecture and use multi-arch build for ARM hosts
+HOST_ARCH=$(uname -m)
+if [[ "$HOST_ARCH" == "aarch64" || "$HOST_ARCH" == "arm64" ]] && [ "$ENGINE" = "podman" ]; then
+  echo "ARM architecture detected ($HOST_ARCH). Using multi-arch build..."
+  make podman-buildx IMG=$IMG:$TAG ENGINE=$ENGINE
+else
+  make docker-build docker-push IMG=$IMG:$TAG
+
+  # Tag and Push DEV_TAG Image when DEV_TAG_PUSH is 'True'
+  if $DEV_TAG_PUSH ; then
+    $ENGINE tag $IMG:$TAG $IMG:$DEV_TAG
+    make docker-push IMG=$IMG:$DEV_TAG
+  fi
 fi
 
 # -- Deploy Operator