Merge pull request #500 from shanemcd/0.13.0

Bump versions / OLM metadata

README.md

@@ -78,11 +78,11 @@ $ minikube start --addons=ingress --cpus=4 --cni=flannel --install-addons=true \
 Once Minikube is deployed, check if the node(s) and `kube-apiserver` communication is working as expected.
 
 ```bash
-$ kubectl get nodes
+$ minikube kubectl -- get nodes
 NAME       STATUS   ROLES                  AGE     VERSION
 minikube   Ready    control-plane,master   6m28s   v1.20.2
 
-$ kubectl get pods -A
+$ minikube kubectl -- get pods -A
 NAMESPACE       NAME                                        READY   STATUS      RESTARTS   AGE
 ingress-nginx   ingress-nginx-admission-create-tjk94        0/1     Completed   0          6m4s
 ingress-nginx   ingress-nginx-admission-patch-r4pl6         0/1     Completed   0          6m4s
@@ -97,6 +97,14 @@ kube-system     kube-scheduler-minikube                     1/1     Running
 kube-system     storage-provisioner                         1/1     Running     1          6m17s
 ```
 
+It is not required for `kubectl` to be separately installed since it comes already wrapped inside minikube. As demonstrated above, simply prefix `minikube kubectl --` before kubectl command, i.e. `kubectl get nodes` would become `minikube kubectl -- get nodes`
+
+Let's create an alias for easier usage: 
+
+```bash
+$ alias kubectl="minikube kubectl --"
+```
+
 Now you need to deploy AWX Operator into your cluster. Start by going to https://github.com/ansible/awx-operator/releases and making note of the latest release. Replace `<TAG>` in the URL `https://raw.githubusercontent.com/ansible/awx-operator/<TAG>/deploy/awx-operator.yaml` with the version you are deploying.
 
 ```bash
@@ -268,6 +276,7 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ingress_annotations        | Ingress annotations                      | Empty string                 |
 | ingress_tls_secret         | Secret that contains the TLS information | Empty string                 |
 | hostname                   | Define the FQDN                          | {{ meta.name }}.example.com  |
+| ingress_path               | Define the ingress path to the service   | /                            |
 
 ```yaml
 ---
@@ -534,7 +543,7 @@ To create the secret, you can use the command below:
 ```sh
 # kubectl create secret generic <resourcename>-custom-certs \
     --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>  \
-    --from-fle=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+    --from-file=bundle-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
 ```
 
 #### Persisting Projects Directory
@@ -564,58 +573,20 @@ spec:
 
 In a scenario where custom volumes and volume mounts are required to either overwrite defaults or mount configuration files.
 
-| Name                           | Description                                              | Default |
-| ------------------------------ | -------------------------------------------------------- | ------- |
-| extra_volumes                  | Specify extra volumes to add to the application pod      | ''      |
-| web_extra_volume_mounts        | Specify volume mounts to be added to Web container       | ''      |
-| task_extra_volume_mounts       | Specify volume mounts to be added to Task container      | ''      |
-| ee_extra_volume_mounts         | Specify volume mounts to be added to Execution container | ''      |
+| Name                              | Description                                              | Default |
+| --------------------------------- | -------------------------------------------------------- | ------- |
+| extra_volumes                     | Specify extra volumes to add to the application pod      | ''      |
+| web_extra_volume_mounts           | Specify volume mounts to be added to Web container       | ''      |
+| task_extra_volume_mounts          | Specify volume mounts to be added to Task container      | ''      |
+| ee_extra_volume_mounts            | Specify volume mounts to be added to Execution container | ''      |
+| init_container_extra_volume_mounts| Specify volume mounts to be added to Init container      | ''      |
+| init_container_extra_commands     | Specify additional commands for Init container           | ''      |
+
+
+> :warning: The `ee_extra_volume_mounts` and `extra_volumes` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
 
 Example configuration for ConfigMap
 
-#### Default execution environments from private registries
-
-In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
-
-The secret should be formated as follows:
-
-```yaml
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: <resourcename>-ee-pull-credentials
-  namespace: <target namespace>
-stringData:
-  url: <registry url. i.e. quay.io>
-  username: <username to connect as>
-  password: <password to connect with>
-  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
-type: Opaque
-```
-
-##### Control plane ee from private registry
-The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time. 
-
-You can create `image_pull_secret`
-```
-kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
-```
-If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
-
-```yaml
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: <resoucename>-cp-pull-credentials
-  namespace: <target namespace>
-data:
-  .dockerconfigjson: <base64 docker config>
-type: kubernetes.io/dockerconfigjson
-```
-Example spec file extra-config
-
 ```yaml
 ---
 apiVersion: v1
@@ -639,16 +610,6 @@ Example spec file for volumes and volume mounts
 ---
     spec:
     ...
-      ee_extra_volume_mounts: |
-        - name: ansible-cfg
-          mountPath: /etc/ansible/ansible.cfg
-          subPath: ansible.cfg
-
-      task_extra_volume_mounts: |
-        - name: custom-py
-          mountPath: /etc/tower/conf.d/custom.py
-          subPath: custom.py
-
       extra_volumes: |
         - name: ansible-cfg
           configMap:
@@ -664,11 +625,78 @@ Example spec file for volumes and volume mounts
               - key: custom.py
                 path: custom.py
             name: <resourcename>-extra-config
+        - name: shared-volume
+          persistentVolumeClaim:
+            claimName: my-external-volume-claim
 
+      init_container_extra_volume_mounts: |
+        - name: shared-volume
+          mountPath: /shared
+
+      init_container_extra_commands: |
+        # set proper permissions (rwx) for the awx user
+        chmod 775 /shared
+        chgrp 1000 /shared
+
+      ee_extra_volume_mounts: |
+        - name: ansible-cfg
+          mountPath: /etc/ansible/ansible.cfg
+          subPath: ansible.cfg
+
+      task_extra_volume_mounts: |
+        - name: custom-py
+          mountPath: /etc/tower/conf.d/custom.py
+          subPath: custom.py
+        - name: shared-volume
+          mountPath: /shared
 ```
 
 > :warning: **Volume and VolumeMount names cannot contain underscores(_)**
 
+#### Default execution environments from private registries
+
+In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
+
+The secret should be formated as follows:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resourcename>-ee-pull-credentials
+  namespace: <target namespace>
+stringData:
+  url: <registry url. i.e. quay.io>
+  username: <username to connect as>
+  password: <password to connect with>
+  ssl_verify: <Optional attribute. Whether verify ssl connection or not. Accepted values "True" (default), "False" >
+type: Opaque
+```
+
+##### Control plane ee from private registry
+The images listed in "ee_images" will be added as globally available Execution Environments. The "control_plane_ee_image" will be used to run project updates. In order to use a private image for any of these you'll need to use `image_pull_secret` to provide a k8s pull secret to access it. Currently the same secret is used for any of these images supplied at install time.
+
+You can create `image_pull_secret`
+```
+kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
+```
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+
+Example spec file extra-config
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <resoucename>-cp-pull-credentials
+  namespace: <target namespace>
+data:
+  .dockerconfigjson: <base64 docker config>
+type: kubernetes.io/dockerconfigjson
+```
+
 #### Exporting Environment Variables to Containers
 
 If you need to export custom environment variables to your containers.
@@ -679,6 +707,8 @@ If you need to export custom environment variables to your containers.
 | web_extra_env                 | Environment variables to be added to Web container       | ''      |
 | ee_extra_env                  | Environment variables to be added to EE container        | ''      |
 
+> :warning: The `ee_extra_env` will only take effect to the globally available Execution Environments. For custom `ee`, please [customize the Pod spec](https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#customize-the-pod-spec).
+
 Example configuration of environment variables
 
 ```yaml

ansible/group_vars/all

@@ -1,4 +1,4 @@
 operator_image: quay.io/ansible/awx-operator
-operator_version: 0.11.0
+operator_version: 0.13.0
 pull_policy: Always
 ansible_debug_logs: "false"

ansible/templates/crd.yml.j2

@@ -86,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -291,6 +294,12 @@ spec:
                 init_container_image_version:
                   description: Init container image version to use
                   type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -384,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/awx-operator.yaml

@@ -88,6 +88,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -293,6 +296,12 @@ spec:
                 init_container_image_version:
                   description: Init container image version to use
                   type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -386,7 +395,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object
@@ -720,7 +729,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.11.0"
+          image: "quay.io/ansible/awx-operator:0.13.0"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
@@ -738,7 +747,7 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
             - name: OPERATOR_VERSION
-              value: "0.11.0"
+              value: "0.13.0"
             - name: ANSIBLE_DEBUG_LOGS
               value: "false"
           livenessProbe:

deploy/crds/awx_v1beta1_crd.yaml

@@ -86,6 +86,9 @@ spec:
                     - ingress
                     - Route
                     - route
+                ingress_path:
+                  description: The ingress path used to reach the deployed service
+                  type: string
                 ingress_annotations:
                   description: Annotations to add to the Ingress Controller
                   type: string
@@ -291,6 +294,12 @@ spec:
                 init_container_image_version:
                   description: Init container image version to use
                   type: string
+                init_container_extra_commands:
+                  description: Extra commands for the init container
+                  type: string
+                init_container_extra_volume_mounts:
+                  description: Specify volume mounts to be added to the init container
+                  type: string
                 postgres_image:
                   description: Registry path to the PostgreSQL container to use
                   type: string
@@ -384,7 +393,7 @@ spec:
                       setting:
                         type: string
                       value:
-                        type: string
+                        x-kubernetes-preserve-unknown-fields: true
                     type: object
                   type: array
               type: object

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -39,7 +39,7 @@ metadata:
     capabilities: Basic Install
     operators.operatorframework.io/builder: operator-sdk-v0.19.4
     operators.operatorframework.io/project_layout: ansible
-  name: awx-operator.v0.11.0
+  name: awx-operator.v0.13.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -78,6 +78,16 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: The persistent volume claim name used during backup
         displayName: Backup claim
@@ -104,21 +114,19 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:CR
-      - displayName: Deployment name
+      - displayName: Name of newly restored deployment
         path: deployment_name
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup persistent volume claim
         path: backup_pvc
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
-      - displayName: Backup persistent volume claim namespace
+      - displayName: Backup namespace
         path: backup_pvc_namespace
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:backup_source:PVC
       - displayName: Backup directory in the persistent volume claim
         path: backup_dir
         x-descriptors:
@@ -128,6 +136,16 @@ spec:
         path: postgres_label_selector
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image
+        path: postgres_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Image Version
+        path: postgres_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       statusDescriptors:
       - description: The state of the restore
         displayName: Restore status
@@ -258,7 +276,7 @@ spec:
         path: image_pull_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
-        - urn:alm:descriptor:com.tectonic.ui:imagePullSecret
+        - urn:alm:descriptor:io.kubernetes:Secret
       - displayName: Web container resource requirements
         path: web_resource_requirements
         x-descriptors:
@@ -535,6 +553,35 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Registry path to the init container to use
+        displayName: Init Container Image
+        path: init_container_image
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Init container image version to use
+        displayName: Init Container Image Version
+        path: init_container_image_version
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify Extra commands for the Init container
+        displayName: Init Container Extra Commands
+        path: init_container_extra_commands
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Specify volume mounts to be added to Init container
+        displayName: Init Container Extra Volume Mounts
+        path: init_container_extra_volume_mounts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Secret where can be found the trusted Certificate Authority Bundle
+        path: bundle_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Route to access the instance deployed
         displayName: URL
@@ -678,10 +725,10 @@ spec:
                 - name: ANSIBLE_GATHERING
                   value: explicit
                 - name: OPERATOR_VERSION
-                  value: 0.11.0
+                  value: 0.13.0
                 - name: ANSIBLE_DEBUG_LOGS
                   value: "false"
-                image: quay.io/ansible/awx-operator:0.11.0
+                image: quay.io/ansible/awx-operator:0.13.0
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet:
@@ -720,5 +767,5 @@ spec:
   provider:
     name: AWX Community
     url: https://github.com/ansible/awx-operator
-  replaces: awx-operator.v0.10.0
-  version: 0.11.0
+  replaces: awx-operator.v0.12.0
+  version: 0.13.0

deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml

@@ -36,7 +36,8 @@ spec:
                 description: Secret where the broadcast websocket secret can be found
                 type: string
               bundle_cacert_secret:
-                description: Secret where can be found the trusted Certificate Authority Bundle
+                description: Secret where can be found the trusted Certificate Authority
+                  Bundle
                 type: string
               ca_trust_bundle:
                 description: Path where the trusted CA bundle is available
@@ -104,7 +105,7 @@ spec:
                     setting:
                       type: string
                     value:
-                      type: string
+                      x-kubernetes-preserve-unknown-fields: true
                   type: object
                 type: array
               extra_volumes:
@@ -140,6 +141,9 @@ spec:
               ingress_annotations:
                 description: Annotations to add to the Ingress Controller
                 type: string
+              ingress_path:
+                description: The ingress path used to reach the deployed service
+                type: string
               ingress_tls_secret:
                 description: Secret where the Ingress TLS secret can be found
                 type: string
@@ -152,11 +156,17 @@ spec:
                 - Route
                 - route
                 type: string
+              init_container_extra_commands:
+                description: Extra commands for the init container
+                type: string
+              init_container_extra_volume_mounts:
+                description: Specify volume mounts to be added to the init container
+                type: string
               init_container_image:
                 description: Registry path to the init container to use
                 type: string
               init_container_image_version:
-                description: Initcontainer image version to use
+                description: Init container image version to use
                 type: string
               kind:
                 description: Kind of the deployment type

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
   - name: kubernetes.core
-    version: '==1.2.1'
+    version: '==1.1.1'
   - name: operator_sdk.util
     version: '==0.1.0'

roles/backup/tasks/awx-cro.yml

@@ -10,24 +10,25 @@
 
 - name: Set AWX object
   set_fact:
-    _awx: "{{ _awx_cro['resources'][0] }}"
-
-- name: Set user specified spec
-  set_fact:
-    awx_spec: "{{ _awx['spec'] }}"
+    _awx: "{{ this_awx['resources'][0]['spec'] }}"
 
 - name: Set names of backed up secrets in the CR spec
   set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
+    _awx: "{{ _awx | combine ({ item.key : item.value }) }}"
   with_items:
     - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
     - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
     - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
     - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"}
 
+- name: Set AWX object
+  set_fact:
+    awx_spec:
+      spec: "{{ _awx }}"
+
 - name: Write awx object to pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ meta.name }}-db-management"
     command: >-
-      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | quote  }}
+      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}

roles/backup/tasks/dump_generated_secret.yml

@@ -25,11 +25,15 @@
       namespace: '{{ meta.namespace }}'
       name: "{{ _name }}"
   register: _secret
+  no_log: true
 
 - name: Set secret data
   set_fact:
       _data: "{{ _secret['resources'][0]['data'] }}"
+      _type: "{{ _secret['resources'][0]['type'] }}"
+  no_log: true
 
 - name: Create and Add secret names and data to dictionary
   set_fact:
-      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data }}) }}"
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
+  no_log: true

roles/backup/tasks/dump_secret.yml

@@ -2,9 +2,9 @@
 
 - name: Get Secret Name
   set_fact:
-      _name: "{{ awx_spec[item] | default('') }}"
+      _name: "{{ awx_spec.spec[item] | default('') }}"
 
-- name: Skip if secret name not defined
+- name: Backup secret if defined
   block:
       - name: Get secret
         k8s_info:
@@ -13,12 +13,16 @@
             namespace: '{{ meta.namespace }}'
             name: "{{ _name }}"
         register: _secret
+        no_log: true
 
       - name: Set secret key
         set_fact:
             _data: "{{ _secret['resources'][0]['data'] }}"
+            _type: "{{ _secret['resources'][0]['type'] }}"
+        no_log: true
 
       - name: Create and Add secret names and data to dictionary
         set_fact:
-            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data }}) }}"
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
+        no_log: true
   when: _name != ''

roles/backup/tasks/init.yml

@@ -45,10 +45,21 @@
   set_fact:
     backup_claim: "{{ backup_pvc | default(_default_backup_pvc, true) }}"
 
-- name: Create PVC for backup
-  k8s:
-    kind: PersistentVolumeClaim
-    template: "backup_pvc.yml.j2"
+- block:
+    - name: Create PVC for backup
+      k8s:
+        kind: PersistentVolumeClaim
+        template: "backup_pvc.yml.j2"
+
+    - name: Remove PVC ownerReference
+      k8s:
+        definition:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          metadata:
+            name: '{{ deployment_name }}-backup-claim'
+            namespace: '{{ backup_pvc_namespace }}'
+            ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined
 

roles/backup/tasks/postgres.yml

@@ -6,6 +6,7 @@
     namespace: '{{ meta.namespace }}'
     name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
   register: pg_config
+  no_log: true
 
 - name: Fail if postgres configuration secret status does not exist
   fail:
@@ -20,6 +21,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
+  no_log: true
 
 - block:
     - name: Delete pod to reload a resource configuration
@@ -77,6 +79,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + meta.namespace + ".svc.cluster.local", awx_postgres_host) }}'  # noqa 204
+  no_log: true
 
 - name: Set pg_dump command
   set_fact:
@@ -87,6 +90,7 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Write pg_dump to backup on PVC
   k8s_exec:
@@ -99,4 +103,5 @@
       echo 'Successful'
       """
   register: data_migration
+  no_log: true
   failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -18,12 +18,16 @@
   include_tasks: dump_secret.yml
   loop:
     - route_tls_secret
+    - ingress_tls_secret
     - ldap_cacert_secret
+    - bundle_cacert_secret
     - image_pull_secret
+    - ee_pull_credentials_secret
 
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}
+  no_log: true
 
 - name: Write postgres configuration to pvc
   k8s_exec:
@@ -31,3 +35,4 @@
     pod: "{{ meta.name }}-db-management"
     command: >-
       bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
+  no_log: true

roles/installer/defaults/main.yml

@@ -9,7 +9,7 @@ database_username: "{{ deployment_type }}"
 task_privileged: false
 service_type: ClusterIP
 ingress_type: none
-
+ingress_path: '/'
 # Add annotations to the service account. Specify as literal block. E.g.:
 # service_account_annotations: |
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
@@ -106,7 +106,7 @@ extra_volumes: ''
 # Use these image versions for Ansible AWX.
 
 image: quay.io/ansible/awx
-image_version: 19.2.1
+image_version: 19.3.0
 redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
@@ -116,11 +116,27 @@ init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''
 
-ee_images:
-  - name: AWX EE 0.4.0
-    image: quay.io/ansible/awx-ee:0.4.0
+# Extra commands which will be appended to the initContainer
+# Make sure that each command entered return an exit code 0
+# otherwise the initContainer will fail
+# init_container_extra_commands: |
+#   date >> /var/lib/awx/projects/timestamp
+#   chgrp 1000 /shared
+#   chmod 775 /shared
+init_container_extra_commands: ''
 
-control_plane_ee_image: quay.io/ansible/awx-ee:0.4.0
+# Mount extra volumes on the initContainer.
+# The volume used must be defined as an `extra_volumes` resource
+# init_container_extra_volume_mounts: |
+#   - name: shared-vol
+#     mountPath: /shared
+init_container_extra_volume_mounts: ''
+
+ee_images:
+  - name: AWX EE (latest)
+    image: quay.io/ansible/awx-ee:latest
+
+control_plane_ee_image: quay.io/ansible/awx-ee:latest
 
 create_preload_data: true
 

roles/installer/tasks/admin_password_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ admin_password_secret }}'
   register: _custom_admin_password
+  no_log: true
   when: admin_password_secret | length
 
 - name: Check for default admin password configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-admin-password'
   register: _default_admin_password
+  no_log: true
 
 - name: Set admin password secret
   set_fact:
     _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}'
+  no_log: true
 
 - block:
     - name: Create admin password secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read admin password secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-admin-password'
       register: _generated_admin_password
+      no_log: true
 
   when: not _admin_password_secret['resources'] | default([]) | length
 
 - name: Set admin password secret
   set_fact:
     __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}'
+  no_log: true
 
 - name: Store admin password
   set_fact:
     admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}"
+  no_log: true

roles/installer/tasks/broadcast_websocket_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ broadcast_websocket_secret }}'
   register: _custom_broadcast_websocket
+  no_log: true
   when: broadcast_websocket_secret | length
 
 - name: Check for default broadcast websocket secret configuration
@@ -13,17 +14,20 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-broadcast-websocket'
   register: _default_broadcast_websocket
+  no_log: true
 
 - name: Set broadcast websocket secret
   set_fact:
     # yamllint disable-line rule:line-length
     _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
+  no_log: true
 
 - block:
     - name: Create broadcast websocket secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read broadcast websocket secret
       k8s_info:
@@ -31,6 +35,7 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-broadcast-websocket'
       register: _generated_broadcast_websocket
+      no_log: true
 
   when: not _broadcast_websocket_secret['resources'] | default([]) | length
 
@@ -38,7 +43,9 @@
   set_fact:
     # yamllint disable-line rule:line-length
     __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
+  no_log: true
 
 - name: Store broadcast websocket secret name
   set_fact:
     broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
+  no_log: true

roles/installer/tasks/cleanup.yml

@@ -23,5 +23,6 @@
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
         - '{{ _broadcast_websocket_secret }}'
+      no_log: true
 
   when: not garbage_collect_secrets | bool

roles/installer/tasks/database_configuration.yml

@@ -6,6 +6,7 @@
     name: '{{ postgres_configuration_secret }}'
   register: _custom_pg_config_resources
   when: postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default PostgreSQL configuration
   k8s_info:
@@ -13,6 +14,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-postgres-configuration'
   register: _default_pg_config_resources
+  no_log: true
 
 - name: Check for specified old PostgreSQL configuration secret
   k8s_info:
@@ -21,6 +23,7 @@
     name: '{{ old_postgres_configuration_secret }}'
   register: _custom_old_pg_config_resources
   when: old_postgres_configuration_secret | length
+  no_log: true
 
 - name: Check for default old PostgreSQL configuration
   k8s_info:
@@ -28,6 +31,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-old-postgres-configuration'
   register: _default_old_pg_config_resources
+  no_log: true
 
 - name: Set old PostgreSQL configuration
   set_fact:
@@ -41,16 +45,19 @@
   when:
     - old_pg_config['resources'] is defined
     - old_pg_config['resources'] | length
+  no_log: true
 
 - name: Set PostgreSQL configuration
   set_fact:
     _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
+  no_log: true
 
 - block:
     - name: Create Database configuration
       k8s:
         apply: true
         definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}"
+      no_log: true
 
     - name: Read Database Configuration
       k8s_info:
@@ -58,11 +65,13 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-postgres-configuration'
       register: _generated_pg_config_resources
+      no_log: true
   when: not _pg_config['resources'] | default([]) | length
 
 - name: Set PostgreSQL Configuration
   set_fact:
     pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
+  no_log: true
 
 - name: Set actual postgres configuration secret used
   set_fact:
@@ -112,6 +121,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] |  default('prefer'|b64encode) | b64decode }}"
+  no_log: true
 
 - name: Look up details for this deployment
   k8s_info:

roles/installer/tasks/initialize_django.yml

@@ -22,6 +22,7 @@
       bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'"
   register: update_pw_result
   changed_when: users_result.stdout == 'Password not updated'
+  no_log: true
   when: users_result.return_code == 0
 
 - name: Create super user via Django if it doesn't exist.
@@ -33,6 +34,7 @@
       bash -c "echo \"from django.contrib.auth.models import User;
       User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\"
       | awx-manage shell"
+  no_log: true
   when: users_result.return_code > 0
 
 - name: Create preload data if necessary.  # noqa 305
@@ -73,18 +75,13 @@
   register: _custom_execution_environments_pull_credentials
   when: ee_pull_credentials_secret | length
 
-- name: Check for default execution environment pull credentials
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: '{{ meta.name }}-ee-pull-credentials'
-  register: _default_execution_environments_pull_credentials
-
-- name: Set admin password secret
+- name: Set execution environment pull credential secret
   set_fact:
     _execution_environments_pull_credentials: >-
       {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length
-      | ternary(_custom_execution_environments_pull_credentials, _default_execution_environments_pull_credentials) }}
+      | ternary(_custom_execution_environments_pull_credentials, []) }}
+  no_log: true
+
 - name: Register default execution environments (without authentication)
   k8s_exec:
     namespace: "{{ meta.namespace }}"
@@ -104,6 +101,8 @@
         default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}"
         default_execution_environment_pull_credentials_url_verify: >-
           {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }}
+      no_log: true
+
     - name: Register default execution environments (with authentication)
       k8s_exec:
         namespace: "{{ meta.namespace }}"
@@ -117,4 +116,5 @@
           --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'"
       register: ree
       changed_when: "'changed: True' in ree.stdout"
+      no_log: true
   when: _execution_environments_pull_credentials['resources'] | default([]) | length

roles/installer/tasks/load_bundle_cacert_secret.yml

@@ -5,8 +5,10 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ bundle_cacert_secret }}'
   register: bundle_cacert
+  no_log: true
 
 - name: Load bundle Certificate Authority Secret content
   set_fact:
     bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  no_log: true
   when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'

roles/installer/tasks/load_ldap_cacert_secret.yml

@@ -5,8 +5,10 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ ldap_cacert_secret }}'
   register: ldap_cacert
+  no_log: true
 
 - name: Load LDAP CA Certificate Secret content
   set_fact:
     ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'

roles/installer/tasks/load_route_tls_secret.yml

@@ -5,13 +5,16 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ route_tls_secret }}'
   register: route_tls
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
     route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+  no_log: true
 
 - name: Load Route TLS Secret content
   set_fact:
     route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+  no_log: true
   when: '"ca.crt" in route_tls["resources"][0]["data"]'

roles/installer/tasks/migrate_data.yml

@@ -11,6 +11,7 @@
     awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}"
     awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -47,6 +48,7 @@
       -d {{ awx_old_postgres_database }}
       -p {{ awx_old_postgres_port }}
       -F custom
+  no_log: true
 
 - name: Set pg_restore command
   set_fact:
@@ -54,6 +56,7 @@
       pg_restore --clean --if-exists
       -U {{ database_username }}
       -d {{ database_name }}
+  no_log: true
 
 - name: Stream backup from pg_dump to the new postgresql container
   k8s_exec:
@@ -65,6 +68,7 @@
       PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }}
       echo 'Successful'
       """
+  no_log: true
   register: data_migration
   failed_when: "'Successful' not in data_migration.stdout"
 

roles/installer/tasks/resources_configuration.yml

@@ -30,6 +30,7 @@
     - 'persistent'
     - 'service'
     - 'ingress'
+  no_log: true
 
 - name: Apply deployment resources
   k8s:

roles/installer/tasks/secret_key_configuration.yml

@@ -5,6 +5,7 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ secret_key_secret }}'
   register: _custom_secret_key
+  no_log: true
   when: secret_key_secret | length
 
 - name: Check for default secret key configuration
@@ -13,16 +14,19 @@
     namespace: '{{ meta.namespace }}'
     name: '{{ meta.name }}-secret-key'
   register: _default_secret_key
+  no_log: true
 
 - name: Set secret key secret
   set_fact:
     _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
+  no_log: true
 
 - block:
     - name: Create secret key secret
       k8s:
         apply: true
         definition: "{{ lookup('template', 'secret_key.yaml.j2') }}"
+      no_log: true
 
     - name: Read secret key secret
       k8s_info:
@@ -30,13 +34,16 @@
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}-secret-key'
       register: _generated_secret_key
+      no_log: true
 
   when: not _secret_key_secret['resources'] | default([]) | length
 
 - name: Set secret key secret
   set_fact:
     __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret)  }}'
+  no_log: true
 
 - name: Store secret key secret name
   set_fact:
     secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}"
+  no_log: true

roles/installer/tasks/update_status.yml

@@ -75,6 +75,7 @@
 - block:
     - name: Retrieve route URL
       k8s_info:
+        api_version: 'route.openshift.io/v1'
         kind: Route
         namespace: '{{ meta.namespace }}'
         name: '{{ meta.name }}'

roles/installer/templates/config.yaml.j2

@@ -90,11 +90,7 @@ data:
     BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 
 {% for item in extra_settings | default([]) %}
-{% if item.value is string %}
-    {{ item.setting }} = '{{ item.value }}'
-{% else %}
     {{ item.setting }} = {{ item.value }}
-{% endif %}
 {% endfor %}
 
   nginx_conf: |

roles/installer/templates/deployment.yaml.j2

@@ -33,7 +33,7 @@ spec:
       imagePullSecrets:
         - name: {{ image_pull_secret }}
 {% endif %}
-{% if bundle_ca_crt %}
+{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
       initContainers:
         - name: init
           image: '{{ init_container_image }}:{{ init_container_image_version }}'
@@ -42,15 +42,33 @@ spec:
             - /bin/sh
             - -c
             - |
+{% if bundle_ca_crt  %}
               mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
               update-ca-trust
+{% endif %}
+{% if projects_persistence|bool %}
+              chmod 775 /var/lib/awx/projects
+              chgrp 1000 /var/lib/awx/projects
+{% endif %}
+{% if init_container_extra_commands %}
+              {{ init_container_extra_commands | indent(width=14) }}
+{% endif %}
           volumeMounts:
+{% if bundle_ca_crt  %}
             - name: "ca-trust-extracted"
               mountPath: "/etc/pki/ca-trust/extracted"
             - name: "{{ meta.name }}-bundle-cacert"
               mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
               subPath: bundle-ca.crt
               readOnly: true
+{% endif %}
+{% if projects_persistence|bool %}
+            - name: "{{ meta.name }}-projects"
+              mountPath: "/var/lib/awx/projects"
+{% endif %}
+{% if init_container_extra_volume_mounts -%}
+            {{ init_container_extra_volume_mounts | indent(width=12, indentfirst=True) }}
+{% endif %}
 {% endif %}
       containers:
         - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -282,6 +300,10 @@ spec:
 {% if tolerations %}
       tolerations:
         {{ tolerations | indent(width=8) }}
+{% endif %}
+{% if projects_persistence|bool %}
+      securityContext:
+        fsGroup: 1000
 {% endif %}
       volumes:
 {% if bundle_ca_crt %}

roles/installer/templates/ingress.yaml.j2

@@ -20,7 +20,7 @@ spec:
     - host: '{{ hostname }}'
       http:
         paths:
-          - path: /
+          - path: '{{ ingress_path }}'
             backend:
               serviceName: '{{ meta.name }}-service'
               servicePort: 80

roles/installer/templates/postgres.yaml.j2

@@ -33,6 +33,10 @@ spec:
         app.kubernetes.io/part-of: '{{ meta.name }}'
         app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' 
     spec:
+{% if image_pull_secret %}
+      imagePullSecrets:
+        - name: {{ image_pull_secret }}
+{% endif %}
       containers:
         - image: '{{ postgres_image }}:{{ postgres_image_version }}'
           imagePullPolicy: '{{ image_pull_policy }}'

roles/restore/defaults/main.yml

@@ -6,7 +6,7 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 
 # Required: specify a pre-created PVC (name) to restore from
 backup_pvc: ''
-backup_pvc_namespace: ''
+backup_pvc_namespace: '{{ meta.namespace }}'
 
 # Required: backup name, found on the awxbackup object
 backup_dir: ''

roles/restore/tasks/cleanup.yml

@@ -22,6 +22,7 @@
     - '{{ admin_password_secret }}'
     - '{{ broadcast_websocket_secret }}'
     - '{{ postgres_configuration_secret }}'
+  no_log: true
 
 - name: Cleanup temp spec file
   file:

roles/restore/tasks/deploy_awx.yml

@@ -1,9 +1,5 @@
 ---
 
-- name: Save kind
-  set_fact:
-    _kind: "{{ kind }}"
-
 - name: Get AWX object definition from pvc
   k8s_exec:
     namespace: "{{ backup_pvc_namespace }}"
@@ -25,22 +21,13 @@
 
 - name: Include spec vars to save them as a dict
   include_vars: "{{ tmp_spec.path }}"
-  register: spec
-
-- name: Use include_vars to read in spec as a dict (because spec doesn't have quotes)
-  set_fact:
-    awx_spec: "{{ spec.ansible_facts }}"
-
-- name: Restore kind
-  set_fact:
-    kind: "{{ _kind }}"
 
 - name: Deploy AWX
   k8s:
     state: "{{ state | default('present') }}"
     namespace: "{{ meta.namespace }}"
     apply: yes
-    template: awx_object.yml.j2
+    definition: "{{ lookup('template', 'awx_object.yml.j2') }}"
     wait: true
     wait_condition:
       type: "Running"

roles/restore/tasks/postgres.yml

@@ -1,11 +1,16 @@
 ---
 
+- name: Set Postgres Configuration Secret name
+  set_fact:
+    postgres_configuration_secret: "{{ spec['postgres_configuration_secret'] | default(postgres_configuration_secret) }}"
+
 - name: Check for specified PostgreSQL configuration
   k8s_info:
     kind: Secret
     namespace: '{{ meta.namespace }}'
     name: '{{ postgres_configuration_secret }}'
   register: pg_config
+  no_log: true
 
 - name: Store Database Configuration
   set_fact:
@@ -15,6 +20,7 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}"
+  no_log: true
 
 - name: Default label selector to custom resource generated postgres
   set_fact:
@@ -59,6 +65,7 @@
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local"
+  no_log: true
   when: awx_postgres_type == 'managed'
 
 - name: Set pg_restore command
@@ -70,6 +77,7 @@
       -U {{ awx_postgres_user }}
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
+  no_log: true
 
 - name: Restore database dump to the new postgresql container
   k8s_exec:
@@ -82,4 +90,5 @@
       echo 'Successful'
       """
   register: data_migration
+  no_log: true
   failed_when: "'Successful' not in data_migration.stdout"

roles/restore/tasks/secrets.yml

@@ -7,6 +7,7 @@
     command: >-
       bash -c "cat '{{ backup_dir }}/secrets.yml'"
   register: _secrets
+  no_log: true
 
 - name: Create Temporary secrets file
   tempfile:
@@ -19,31 +20,38 @@
     dest: "{{ tmp_secrets.path }}"
     content: "{{ _secrets.stdout }}"
     mode: 0640
+  no_log: true
 
 - name: Include secret vars from backup
   include_vars: "{{ tmp_secrets.path }}"
+  no_log: true
 
 - name: If deployment is managed, set the database_host in the pg config secret
   block:
     - name: Set new database host
       set_fact:
         database_host: "{{ deployment_name }}-postgres"
+      no_log: true
 
     - name: Set tmp postgres secret dict
       set_fact:
         _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+      no_log: true
 
     - name: Change postgres host value
       set_fact:
         _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+      no_log: true
 
     - name: Create a postgres secret with the new host value
       set_fact:
         _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+      no_log: true
 
     - name: Create a new dict of secrets with the new postgres secret
       set_fact:
         secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+      no_log: true
   when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'
 
 - name: Apply secret
@@ -53,3 +61,16 @@
     apply: yes
     wait: yes
     template: "secrets.yml.j2"
+  no_log: true
+
+- name: Remove ownerReference on restored secrets
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ item.value.name }}"
+        namespace: '{{ meta.namespace }}'
+        ownerReferences: null
+  loop: "{{ secrets | dict2items }}"
+  no_log: true

roles/restore/templates/awx_object.yml.j2

@@ -4,4 +4,5 @@ kind: AWX
 metadata:
   name: '{{ deployment_name }}'
   namespace: '{{ meta.namespace }}'
-spec: {{ awx_spec }}
+spec:
+  {{ spec | to_yaml | indent(2) }}

roles/restore/templates/secrets.yml.j2

@@ -11,9 +11,11 @@ metadata:
     app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
     app.kubernetes.io/component: '{{ deployment_type }}'
     app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+type: '{{ secrets[secret]['type'] }}'
 stringData:
-  {% for key, value in secrets[secret]['data'].items() %}
-    '{{ key }}': '{{ value | b64decode }}'
-  {% endfor %}
+{% for key, value in secrets[secret]['data'].items() %}
+  {{ key }}: |-
+    {{ value | b64decode | indent(4) }}
+{% endfor %}
 
 {% endfor %}