diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml
index 1fb2d61ec..e3387b26e 100644
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -54,8 +54,8 @@ spec:
 description: Username to use for the admin account
 type: string
 default: admin
- hostname:
- description: The hostname of the instance
+ hostname: # deprecated
+ description: (Deprecated) The hostname of the instance
 type: string
 admin_email:
 description: The admin user email
@@ -123,12 +123,24 @@ spec:
 ingress_annotations:
 description: Annotations to add to the Ingress Controller
 type: string
- ingress_tls_secret:
- description: Secret where the Ingress TLS secret can be found
+ ingress_tls_secret: # deprecated
+ description: (Deprecated) Secret where the Ingress TLS secret can be found
 type: string
 ingress_class_name:
 description: The name of ingress class to use instead of the cluster default.
 type: string
+ ingress_hosts:
+ description: Ingress hostnames of the instance
+ type: array
+ items:
+ type: object
+ properties:
+ hostname:
+ description: Hostname of the instance
+ type: string
+ tls_secret:
+ description: Secret where the Ingress TLS secret can be found
+ type: string
 ingress_controller:
 description: Special configuration for specific Ingress Controllers
 type: string
diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
index c9ae90698..01ff854ae 100644
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -212,7 +212,7 @@ spec:
 kind: AWX
 name: awxs.awx.ansible.com
 specDescriptors:
- - displayName: Hostname
+ - displayName: Hostname (Deprecated)
 path: hostname
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:advanced
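Review bot: The deprecation notices added to `hostname` and `ingress_tls_secret` in this CRD (and the `Hostname (Deprecated)` display name in the ClusterServiceVersion hunk that follows) do not tell the user what replaces them or how old and new fields interact. Judging from the `{% if not ingress_hosts %}` guard added to ingress.yaml.j2 further down in this diff, the legacy fields are skipped entirely once `ingress_hosts` is set, which is worth stating where users read the schema. Suggest `description: (Deprecated, use ingress_hosts) The hostname of the instance; ignored when ingress_hosts is set` and the equivalent wording for `ingress_tls_secret`. The `# deprecated` YAML comments are dropped as soon as the CRD is parsed, so the description text is the only part of the notice that reaches `kubectl explain`.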
@@ -302,12 +302,17 @@ spec:
 - urn:alm:descriptor:com.tectonic.ui:advanced
 - urn:alm:descriptor:com.tectonic.ui:text
 - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
- - displayName: Ingress TLS Secret
+ - displayName: Ingress TLS Secret (Deprecated)
 path: ingress_tls_secret
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:advanced
 - urn:alm:descriptor:io.kubernetes:Secret
 - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
+ - displayName: Ingress Hosts
+ path: ingress_hosts
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:advanced
+ - urn:alm:descriptor:com.tectonic.ui:text
 - displayName: Ingress Controller
 path: ingress_controller
 x-descriptors:
diff --git a/docs/user-guide/network-and-tls-configuration.md b/docs/user-guide/network-and-tls-configuration.md
index 73b851bad..0eaa0a005 100644
--- a/docs/user-guide/network-and-tls-configuration.md
+++ b/docs/user-guide/network-and-tls-configuration.md
@@ -32,7 +32,7 @@ The following variables are customizable only when `service_type=LoadBalancer`
 | --------------------- | ---------------------------------------- | ------- |
 | loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http |
 | loadbalancer_port | Port used for Loadbalancer ingress | 80 |
-| loadbalancer_ip | Assign Loadbalancer IP | '' |
+| loadbalancer_ip | Assign Loadbalancer IP | '' |
 ```yaml
 ---
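Review bot: The new `Ingress Hosts` specDescriptor lacks the `fieldDependency:ingress_type:Ingress` x-descriptor that the neighbouring `ingress_tls_secret` entry carries in this same hunk, so the field would presumably be offered in the OLM form whatever ingress type is selected. Add `- urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress` under its `x-descriptors`. Whether `com.tectonic.ui:text` is the right control for an array of objects I cannot confirm from this page; it is worth checking against the OLM descriptor reference before the bundle is published.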
@@ -86,22 +86,26 @@ spec:
 The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
-| Name | Description | Default |
-| ------------------- | ---------------------------------------- | --------------------------- |
-| ingress_annotations | Ingress annotations | Empty string |
-| ingress_tls_secret | Secret that contains the TLS information | Empty string |
-| ingress_class_name | Define the ingress class name | Cluster default |
-| hostname | Define the FQDN | {{ meta.name }}.example.com |
-| ingress_path | Define the ingress path to the service | / |
-| ingress_path_type | Define the type of the path (for LBs) | Prefix |
-| ingress_api_version | Define the Ingress resource apiVersion | 'networking.k8s.io/v1' |
+| Name | Description | Default |
+| ---------------------------------- | ---------------------------------------------------------------------------------- | --------------------------- |
+| ingress_annotations | Ingress annotations | Empty string |
+| ingress_tls_secret _(deprecated)_ | Secret that contains the TLS information | Empty string |
+| ingress_class_name | Define the ingress class name | Cluster default |
+| hostname _(deprecated)_ | Define the FQDN | {{ meta.name }}.example.com |
+| ingress_hosts | Define one or multiple FQDN with optional Secret that contains the TLS information | Empty string |
+| ingress_path | Define the ingress path to the service | / |
+| ingress_path_type | Define the type of the path (for LBs) | Prefix |
+| ingress_api_version | Define the Ingress resource apiVersion | 'networking.k8s.io/v1' |
 ```yaml
 ---
 spec:
 ...
ingress_type: ingress
- hostname: awx-demo.example.com
+ ingress_hosts:
+ - hostname: awx-demo.example.com
+ - hostname: awx-demo.sample.com
+ tls_secret: sample-tls-secret
 ingress_annotations: |
 environment: testing
 ```
@@ -119,7 +123,10 @@ Some Ingress Controllers need a special configuration to fully support AWX, add
 spec:
 ...
 ingress_type: ingress
- hostname: awx-demo.example.com
+ ingress_hosts:
+ - hostname: awx-demo.example.com
+ - hostname: awx-demo.sample.com
+ tls_secret: sample-tls-secret
 ingress_controller: contour
 ```
diff --git a/roles/backup/tasks/dump_ingress_tls_secrets.yml b/roles/backup/tasks/dump_ingress_tls_secrets.yml
new file mode 100644
index 000000000..dd82dcfa2
--- /dev/null
+++ b/roles/backup/tasks/dump_ingress_tls_secrets.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+ k8s_info:
+ version: v1
+ kind: Secret
+ namespace: '{{ ansible_operator_meta.namespace }}'
+ name: "{{ item }}"
+ register: _secret
+ no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+ block:
+ - name: Set secret key
+ set_fact:
+ _data: "{{ _secret['resources'][0]['data'] }}"
+ _type: "{{ _secret['resources'][0]['type'] }}"
+ no_log: "{{ no_log }}"
+
+ - name: Create and Add secret names and data to dictionary
+ set_fact:
+ secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+ no_log: "{{ no_log }}"
+ when: _secret | length
diff --git a/roles/backup/tasks/secrets.yml b/roles/backup/tasks/secrets.yml
index 42ca63d03..fd9dc9a93 100644
--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
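Review bot: In the new dump_ingress_tls_secrets.yml the `when: _secret | length` on the `Backup secret if exists` block does not test existence: `_secret` is the registered task result, a mapping that is never empty, so the block always runs and `_secret['resources'][0]` fails with an undefined index whenever the referenced TLS secret is absent. The condition should be `when: _secret['resources'] | length` so that a missing secret is skipped, as the task name promises. Because the secret name reaches this file straight from the CR's `ingress_hosts[].tls_secret`, a typo in the CR currently aborts the whole backup instead of skipping one entry; the `no_log` guards on the secret-handling tasks are correctly in place and should stay.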
@@ -12,11 +12,18 @@
 include_tasks: dump_secret.yml
 loop:
 - route_tls_secret
+ # ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
 - ingress_tls_secret
 - ldap_cacert_secret
 - bundle_cacert_secret
 - ee_pull_credentials_secret
+- name: Dump ingress tls secret names from awx spec and data into file
+ include_tasks: dump_ingress_tls_secrets.yml
+ with_items:
+ - "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list }}"
+ when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"
+
 - name: Dump receptor secret names and data into file
 include_tasks: dump_receptor_secrets.yml
 loop:
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index bd5d40391..b80d332ad 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -40,6 +40,16 @@ ingress_tls_secret: ''
 # ingress_controller: contour
 ingress_controller: ''
+# One or multiple FQDN with optional Secret that contains the TLS information.
+# The TLS secret either has to exist before hand with
+# the corresponding cert and key or just be an indicator for where an automated
+# process like cert-manager (enabled via annotations) will store the TLS
+# certificate and key.
+# ingress_hosts:
+# - hostname: awx-demo.example.com
+# tls_secret: example-com-tls
+ingress_hosts: ''
+
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
 service_annotations: ''
diff --git a/roles/installer/tasks/install.yml b/roles/installer/tasks/install.yml
index cee2daa40..2398ebb4d 100644
--- a/roles/installer/tasks/install.yml
+++ b/roles/installer/tasks/install.yml
@@ -2,7 +2,7 @@
 - name: Delete old deployment for before installing during upgrade
 k8s:
 kind: Deployment
- api_version: v1
+ api_version: apps/v1
 namespace: "{{ ansible_operator_meta.namespace }}"
 name: "{{ ansible_operator_meta.name }}"
 state: absent
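Review bot: The `when:` on the new `Dump ingress tls secret names` task wraps its expression in `{{ }}`, which Ansible reports as a templating-delimiters-in-conditional warning, and it is redundant anyway: the same expression feeds `with_items`, and an empty list simply runs the include zero times. Replace the pair with a single `loop: "{{ awx_spec.spec['ingress_hosts'] | default([]) | map(attribute='tls_secret', default='') | select() | list }}"` and drop the `when:` entirely. `default([])` rather than `default('')` also matches the array type the CRD declares for `ingress_hosts`, so `map` is never applied to a string.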
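Review bot: `ingress_hosts: ''` in roles/installer/defaults/main.yml defaults a variable the CRD declares as an array to an empty string, so every consumer must accept both `''` and a list; `ingress_hosts: []` keeps the type stable and lets the backup role use `default([])`. The comment block above it should also state the precedence rule this diff introduces: the `{% if not ingress_hosts %}` guard added to ingress.yaml.j2 means `hostname` and `ingress_tls_secret` are not rendered at all once `ingress_hosts` is set, for example `# When set, ingress_hosts replaces hostname and ingress_tls_secret, which are then ignored.` Finally `before hand` in the second comment line reads better as `beforehand`.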
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 234caa3f4..f0b2ae5b6 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Check for presence of awx-task Deployment
 k8s_info:
- api_version: v1
+ api_version: apps/v1
 kind: Deployment
 name: "{{ ansible_operator_meta.name }}-task"
 namespace: "{{ ansible_operator_meta.namespace }}"
@@ -17,7 +17,7 @@
 - name: Check for presence of awx-web Deployment
 k8s_info:
- api_version: v1
+ api_version: apps/v1
 kind: Deployment
 name: "{{ ansible_operator_meta.name }}-web"
 namespace: "{{ ansible_operator_meta.namespace }}"
diff --git a/roles/installer/templates/networking/ingress.yaml.j2 b/roles/installer/templates/networking/ingress.yaml.j2
index 3d79c934f..d252e5066 100644
--- a/roles/installer/templates/networking/ingress.yaml.j2
+++ b/roles/installer/templates/networking/ingress.yaml.j2
@@ -13,7 +13,7 @@ metadata:
 annotations:
 {% if ingress_annotations %}
 {{ ingress_annotations | indent(width=4) }}
-{% endif %}
+{%- endif %}
 {% if ingress_controller|lower == "contour" %}
 projectcontour.io/websocket-routes: "/websocket"
 kubernetes.io/ingress.class: contour
@@ -24,6 +24,7 @@ spec:
 ingressClassName: '{{ ingress_class_name }}'
 {% endif %}
 rules:
+{% if not ingress_hosts %}
 - http:
 paths:
 - path: '{{ ingress_path }}'
@@ -33,6 +34,9 @@ spec:
 name: '{{ ansible_operator_meta.name }}-service'
 port:
 number: 80
+{% if hostname %}
+ host: {{ hostname }}
+{% endif %}
 {% if ingress_controller|lower == "contour" %}
 - path: '{{ ingress_path.rstrip("/") }}/websocket'
 pathType: '{{ ingress_path_type }}'
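Review bot: The `host: {{ hostname }}` lines added after `number: 80` in the last hunk now sit between the first `paths` entry and the contour `/websocket` entry, whereas the lines removed in the following hunk rendered the host only after the contour block had closed. Indentation is not visible in this collapsed view, but if `host:` is still emitted at the `http:` sibling level, a CR with both `hostname` and `ingress_controller: contour` renders a `host:` mapping entry followed by a more-indented `- path:` item, which is not valid YAML; if it is emitted at the path-item level instead, `host` becomes an unknown field on the HTTPIngressPath. The simplest fix is to leave the three lines where they were, after the contour `{% endif %}`, and only enclose them in the new `{% if not ingress_hosts %}` block. The `{% if not ingress_hosts %}` opened in the `@@ -24,6` hunk is closed outside this hunk.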
@@ -42,16 +46,45 @@ spec:
 port:
 number: 80
 {% endif %}
-{% if hostname %}
- host: {{ hostname }}
-{% endif %}
 {% if ingress_tls_secret %}
 tls:
 - hosts:
- - {{ hostname }}
+ - {{ hostname }}
 secretName: {{ ingress_tls_secret }}
 {% endif %}
 {% endif %}
+{% if ingress_hosts %}
+{% for item in ingress_hosts %}
+ - host: {{ item.hostname }}
+ http:
+ paths:
+ - path: '{{ ingress_path }}'
+ pathType: '{{ ingress_path_type }}'
+ backend:
+ service:
+ name: '{{ ansible_operator_meta.name }}-service'
+ port:
+ number: 80
+{% if ingress_controller|lower == "contour" %}
+ - path: '{{ ingress_path.rstrip("/") }}/websocket'
+ pathType: '{{ ingress_path_type }}'
+ backend:
+ service:
+ name: '{{ ansible_operator_meta.name }}-service'
+ port:
+ number: 80
+{% endif %}
+{% endfor %}
+ tls:
+{% for item in ingress_hosts %}
+{% if 'tls_secret' in item %}
+ - hosts:
+ - {{ item.hostname }}
+ secretName: {{ item.tls_secret }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
 {% if ingress_type|lower == "route" %}
 ---