mirror of
https://github.com/ansible/awx-operator.git
synced 2026-03-26 21:33:14 +00:00
291 lines
9.6 KiB
YAML
291 lines
9.6 KiB
YAML
---
|
|
|
|
- name: Get the current resource pod information.
|
|
k8s_info:
|
|
api_version: v1
|
|
kind: Pod
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
label_selectors:
|
|
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}"
|
|
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
|
|
- "app.kubernetes.io/component={{ deployment_type }}"
|
|
field_selectors:
|
|
- status.phase=Running
|
|
register: tower_pod
|
|
|
|
- name: Set the resource pod as a variable.
|
|
set_fact:
|
|
tower_pod: >-
|
|
{{ tower_pod['resources']
|
|
| rejectattr('metadata.deletionTimestamp', 'defined')
|
|
| sort(attribute='metadata.creationTimestamp')
|
|
| first | default({}) }}
|
|
|
|
- name: Set the resource pod name as a variable.
|
|
set_fact:
|
|
tower_pod_name: "{{ tower_pod['metadata']['name'] | default('') }}"
|
|
|
|
- name: Set user provided control plane ee image
|
|
set_fact:
|
|
_custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
|
|
when:
|
|
- control_plane_ee_image | default([]) | length
|
|
|
|
- name: Set Control Plane EE image URL
|
|
set_fact:
|
|
_control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"
|
|
|
|
- name: Check for Receptor CA Secret
|
|
k8s_info:
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-ca'
|
|
register: receptor_ca
|
|
no_log: "{{ no_log }}"
|
|
|
|
- name: Migrate Receptor CA Secret
|
|
when:
|
|
- receptor_ca['resources'] | default([]) | length
|
|
- receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
|
|
block:
|
|
- name: Delete old Receptor CA Secret
|
|
k8s:
|
|
state: absent
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-ca'
|
|
- name: Create tempfile for receptor-ca.key
|
|
tempfile:
|
|
state: file
|
|
suffix: .key
|
|
register: _receptor_ca_key_file
|
|
- name: Copy Receptor CA key from old secret to tempfile
|
|
copy:
|
|
content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}"
|
|
dest: "{{ _receptor_ca_key_file.path }}"
|
|
no_log: "{{ no_log }}"
|
|
- name: Create tempfile for receptor-ca.crt
|
|
tempfile:
|
|
state: file
|
|
suffix: .crt
|
|
register: _receptor_ca_crt_file
|
|
- name: Copy Receptor CA cert from old secret to tempfile
|
|
copy:
|
|
content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}"
|
|
dest: "{{ _receptor_ca_crt_file.path }}"
|
|
no_log: "{{ no_log }}"
|
|
- name: Create New Receptor CA secret
|
|
k8s:
|
|
apply: true
|
|
definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
|
|
no_log: "{{ no_log }}"
|
|
- name: Read New Receptor CA Secret
|
|
k8s_info:
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-ca'
|
|
register: _receptor_ca
|
|
no_log: "{{ no_log }}"
|
|
- name: Set receptor_ca variable
|
|
set_fact:
|
|
receptor_ca: '{{ _receptor_ca }}'
|
|
no_log: "{{ no_log }}"
|
|
- name: Remove tempfiles
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- "{{ _receptor_ca_key_file.path }}"
|
|
- "{{ _receptor_ca_crt_file.path }}"
|
|
|
|
- name: Create Receptor Mesh CA
|
|
block:
|
|
- name: Create tempfile for receptor-ca.key
|
|
tempfile:
|
|
state: file
|
|
suffix: .key
|
|
register: _receptor_ca_key_file
|
|
- name: Generate Receptor CA key
|
|
command: |
|
|
openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
|
|
no_log: "{{ no_log }}"
|
|
- name: Create tempfile for receptor-ca.crt
|
|
tempfile:
|
|
state: file
|
|
suffix: .crt
|
|
register: _receptor_ca_crt_file
|
|
- name: Generate Receptor CA cert
|
|
command: |
|
|
openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
|
|
-subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
|
|
-sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
|
|
no_log: "{{ no_log }}"
|
|
- name: Create Receptor CA secret
|
|
k8s:
|
|
apply: true
|
|
definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
|
|
no_log: "{{ no_log }}"
|
|
- name: Read Receptor CA secret
|
|
k8s_info:
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-ca'
|
|
register: _receptor_ca
|
|
no_log: "{{ no_log }}"
|
|
- name: Set receptor_ca variable
|
|
set_fact:
|
|
receptor_ca: '{{ _receptor_ca }}'
|
|
no_log: "{{ no_log }}"
|
|
- name: Remove tempfiles
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- "{{ _receptor_ca_key_file.path }}"
|
|
- "{{ _receptor_ca_crt_file.path }}"
|
|
when: not receptor_ca['resources'] | default([]) | length
|
|
|
|
- name: Check for Receptor work signing Secret
|
|
k8s_info:
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
|
|
register: receptor_work_signing
|
|
no_log: "{{ no_log }}"
|
|
|
|
- name: Generate Receptor work signing RSA key pair
|
|
block:
|
|
- name: Create tempfile for receptor work signing private key
|
|
tempfile:
|
|
state: file
|
|
suffix: .pem
|
|
register: _receptor_work_signing_private_key_file
|
|
- name: Generate Receptor work signing private key
|
|
command: |
|
|
openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
|
|
no_log: "{{ no_log }}"
|
|
- name: Create tempfile for receptor work signing public key
|
|
tempfile:
|
|
state: file
|
|
suffix: .pem
|
|
register: _receptor_work_signing_public_key_file
|
|
- name: Generate Receptor work signing public key
|
|
command: |
|
|
openssl rsa \
|
|
-in {{ _receptor_work_signing_private_key_file.path }} \
|
|
-out {{ _receptor_work_signing_public_key_file.path }} \
|
|
-outform PEM -pubout
|
|
no_log: "{{ no_log }}"
|
|
- name: Create Receptor work signing Secret
|
|
k8s:
|
|
apply: true
|
|
definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
|
|
no_log: "{{ no_log }}"
|
|
- name: Read Receptor work signing Secret
|
|
k8s_info:
|
|
kind: Secret
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
|
|
register: _receptor_work_signing
|
|
no_log: "{{ no_log }}"
|
|
- name: Set receptor_work_signing variable
|
|
set_fact:
|
|
receptor_work_signing: '{{ _receptor_work_signing }}'
|
|
no_log: "{{ no_log }}"
|
|
- name: Remove tempfiles
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- "{{ _receptor_work_signing_private_key_file.path }}"
|
|
- "{{ _receptor_work_signing_public_key_file.path }}"
|
|
when: not receptor_work_signing['resources'] | default([]) | length
|
|
|
|
- name: Apply Resources
|
|
k8s:
|
|
apply: yes
|
|
definition: "{{ lookup('template', item + '.yaml.j2') }}"
|
|
wait: yes
|
|
loop:
|
|
- 'configmaps/config'
|
|
- 'configmaps/pre_stop_scripts'
|
|
- 'secrets/app_credentials'
|
|
- 'rbac/service_account'
|
|
- 'storage/persistent'
|
|
- 'networking/service'
|
|
- 'networking/ingress'
|
|
no_log: "{{ no_log }}"
|
|
|
|
- name: Set default awx app image
|
|
set_fact:
|
|
_default_image: "{{ _image }}:{{ _image_version }}"
|
|
|
|
- name: Set user provided awx app image
|
|
set_fact:
|
|
_custom_image: "{{ image }}:{{ image_version }}"
|
|
when:
|
|
- image | default([]) | length
|
|
- image_version is defined or image_version != ''
|
|
|
|
- name: Set AWX app image URL
|
|
set_fact:
|
|
_image: "{{ _custom_image | default(lookup('env', 'RELATED_IMAGE_AWX')) | default(_default_image, true) }}"
|
|
|
|
- name: Set default redis image
|
|
set_fact:
|
|
_default_redis_image: "{{ _redis_image }}:{{ _redis_image_version }}"
|
|
|
|
- name: Set user provided redis image
|
|
set_fact:
|
|
_custom_redis_image: "{{ redis_image }}:{{ redis_image_version }}"
|
|
when:
|
|
- redis_image | default([]) | length
|
|
- redis_image_version is defined or redis_image_version != ''
|
|
|
|
- name: Set Redis image URL
|
|
set_fact:
|
|
_redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"
|
|
|
|
- name: Apply deployment resources
|
|
k8s:
|
|
apply: yes
|
|
definition: "{{ lookup('template', 'deployments/{{ item }}.yaml.j2') }}"
|
|
wait: yes
|
|
wait_timeout: "{{ (120 * replicas) or 120 }}"
|
|
loop:
|
|
- web
|
|
- task
|
|
register: this_deployment_result
|
|
|
|
- block:
|
|
- name: Get the new resource pod information after updating resource.
|
|
k8s_info:
|
|
kind: Pod
|
|
namespace: '{{ ansible_operator_meta.namespace }}'
|
|
label_selectors:
|
|
- "app.kubernetes.io/name={{ ansible_operator_meta.name }}-task"
|
|
- "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
|
|
- "app.kubernetes.io/component={{ deployment_type }}"
|
|
field_selectors:
|
|
- status.phase=Running
|
|
register: _new_pod
|
|
|
|
- name: Update new resource pod as a variable.
|
|
set_fact:
|
|
tower_pod: >-
|
|
{{ _new_pod['resources']
|
|
| rejectattr('metadata.deletionTimestamp', 'defined')
|
|
| sort(attribute='metadata.creationTimestamp')
|
|
| last | default({}) }}
|
|
|
|
- name: Update new resource pod name as a variable.
|
|
set_fact:
|
|
tower_pod_name: '{{ tower_pod["metadata"]["name"] | default("")}}'
|
|
when:
|
|
- this_deployment_result.changed
|
|
|
|
- name: Verify the resource pod name is populated.
|
|
assert:
|
|
that: tower_pod_name != ''
|
|
fail_msg: "Could not find the tower pod's name."
|