feat: add default_container_group_namespace to isolate job pod execution

config/crd/bases/awx.ansible.com_awxs.yaml

@@ -1691,6 +1691,9 @@ spec:
                 description: Whether or not to preload data upon instance creation
                 default: true
                 type: boolean
+              default_container_group_namespace:
+                description: Namespace where Container Group job pods will run. Creates the namespace and grants required permissions automatically.
+                type: string
               task_args:
                 type: array
                 items:

config/rbac/role.yaml

@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: awx-manager-role
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - create
   - apiGroups:
       - route.openshift.io
     resources:
@@ -121,6 +128,12 @@ rules:
     verbs:
       - create
       - get
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts/token
+    verbs:
+      - create
   - apiGroups:
       - apps
     resources:

roles/installer/defaults/main.yml

@@ -20,6 +20,11 @@ api_urlpattern_prefix: ''
 #   eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
 service_account_annotations: ''
 
+# Namespace where Container Group job pods will run.
+# When set, the operator grants the AWX service account pod/secret
+# permissions in this namespace instead of the AWX namespace.
+default_container_group_namespace: ''
+
 # Custom labels for the tower service. Specify as literal block. E.g.:
 # service_labels: |
 #   environment: non-production

roles/installer/templates/configmaps/config.yaml.j2

@@ -91,6 +91,9 @@ data:
 
     RECEPTOR_LOG_LEVEL = '{{ receptor_log_level }}'
 
+{% if default_container_group_namespace %}
+    AWX_CONTAINER_GROUP_DEFAULT_NAMESPACE = '{{ default_container_group_namespace }}'
+{% endif %}
 
 {% for item in extra_settings | default([]) %}
     {{ item.setting }} = {{ item.value }}

roles/installer/templates/rbac/service_account.yaml.j2

@@ -19,7 +19,8 @@ metadata:
   labels:
     {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
 rules:
-- apiGroups: [""] # "" indicates the core API group
+{% if not default_container_group_namespace %}
+- apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: [""]
@@ -31,6 +32,10 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "create", "delete"]
+{% endif %}
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]
 
 ---
 kind: RoleBinding
@@ -47,3 +52,48 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: '{{ ansible_operator_meta.name }}'
+
+{% if default_container_group_namespace %}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: '{{ default_container_group_namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: '{{ ansible_operator_meta.name }}-job-execution'
+  namespace: '{{ default_container_group_namespace }}'
+  labels:
+    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods/attach"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: '{{ ansible_operator_meta.name }}-job-execution'
+  namespace: '{{ default_container_group_namespace }}'
+  labels:
+    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
+subjects:
+- kind: ServiceAccount
+  name: '{{ ansible_operator_meta.name }}'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ ansible_operator_meta.name }}-job-execution'
+{% endif %}