Adding initial kubevirt support

2024-04-15 16:18:28 +02:00
parent 05ce097727
commit 32bc211cb6
136 changed files with 42922 additions and 227 deletions


@@ -0,0 +1,37 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-datavolume-mutate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /datavolume-mutate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: datavolume-mutate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- datavolumes
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,36 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-dataimportcron-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /dataimportcron-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: dataimportcron-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- dataimportcrons
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,36 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-datavolume-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /datavolume-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: datavolume-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- datavolumes
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,37 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-populator-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /populator-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: populator-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- volumeimportsources
- volumeuploadsources
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,35 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /cdi-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: cdi-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- DELETE
resources:
- cdis
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,36 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: objecttransfer-api-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /objecttransfer-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: objecttransfer-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- objecttransfers
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -0,0 +1,17 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: v1beta1.upload.cdi.kubevirt.io
spec:
group: upload.cdi.kubevirt.io
groupPriorityMinimum: 1000
service:
name: cdi-api
namespace: "{{ namespace }}"
port: 443
version: v1beta1
versionPriority: 15


@@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
name: cdi-apiserver
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
cdi.kubevirt.io: cdi-apiserver
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
spec:
containers:
- args:
- -v=1
env:
- name: INSTALLER_PART_OF_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/part-of']
- name: INSTALLER_VERSION_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/version']
image: quay.io/kubevirt/cdi-apiserver@sha256:e9e39408413b1478d2e98eba68913f9e20c93000558b190b47de73bdfd1d9ac4
imagePullPolicy: IfNotPresent
name: cdi-apiserver
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/certs/cdi-apiserver-signer-bundle
name: ca-bundle
readOnly: true
- mountPath: /var/run/certs/cdi-apiserver-server-cert
name: server-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-apiserver
serviceAccountName: cdi-apiserver
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- secret:
defaultMode: 420
items:
- key: ca.crt
path: ca-bundle.crt
secretName: cdi-apiserver-server-cert
name: ca-bundle
- name: server-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-apiserver-server-cert
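Review bot: The manifest carries server-populated export residue — `creationTimestamp: null` in the pod template, the deprecated `serviceAccount:` alias duplicated next to `serviceAccountName:`, and apiserver defaults such as `progressDeadlineSeconds`, `revisionHistoryLimit`, `terminationMessagePath`, `schedulerName` and `dnsPolicy` — which reads as a live-cluster capture rather than an authored file. Stripping those lines leaves a manifest that states only intent, so later diffs show real changes and the file cannot drift against defaults that the apiserver already supplies; the same applies to the cdi-deployment and cdi-uploadproxy Deployments in the two following sections. The hardening block (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile: RuntimeDefault`) is the part worth keeping verbatim.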


@@ -0,0 +1,155 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: containerized-data-importer
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-deployment
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: containerized-data-importer
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: containerized-data-importer
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
spec:
containers:
- args:
- -v=1
env:
- name: IMPORTER_IMAGE
value: quay.io/kubevirt/cdi-importer@sha256:3143bbc67cdc6267eb48b7eaac664b8551ac4c11401dfbf4921efd3f233e6ce9
- name: CLONER_IMAGE
value: quay.io/kubevirt/cdi-cloner@sha256:9d31b14f23259398c5bac636f5ead13ad0afd6fe8eeab4499e8e047b4d85074f
- name: UPLOADSERVER_IMAGE
value: quay.io/kubevirt/cdi-uploadserver@sha256:30f1827d3696cf996b081c22c3267ca78e7219c872fdb54950198fa54359f6ee
- name: UPLOADPROXY_SERVICE
value: cdi-uploadproxy
- name: PULL_POLICY
value: IfNotPresent
- name: INSTALLER_PART_OF_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/part-of']
- name: INSTALLER_VERSION_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/version']
image: quay.io/kubevirt/cdi-controller@sha256:27c47883a08226f83757971d3adafb0cd9bcb26e58fbcf7208236070e0adf37e
imagePullPolicy: IfNotPresent
name: cdi-controller
ports:
- containerPort: 8080
name: metrics
protocol: TCP
readinessProbe:
exec:
command:
- cat
- /tmp/ready
failureThreshold: 3
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/cdi/token/keys
name: cdi-api-signing-key
- mountPath: /var/run/certs/cdi-uploadserver-signer
name: uploadserver-ca-cert
- mountPath: /var/run/certs/cdi-uploadserver-client-signer
name: uploadserver-client-ca-cert
- mountPath: /var/run/ca-bundle/cdi-uploadserver-signer-bundle
name: uploadserver-ca-bundle
- mountPath: /var/run/ca-bundle/cdi-uploadserver-client-signer-bundle
name: uploadserver-client-ca-bundle
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-sa
serviceAccountName: cdi-sa
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: cdi-api-signing-key
secret:
defaultMode: 420
items:
- key: publickey.pem
path: id_rsa.pub
- key: privatekey.pem
path: id_rsa
secretName: cdi-api-signing-key
- name: uploadserver-ca-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-signer
- name: uploadserver-client-ca-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-client-signer
- secret:
defaultMode: 420
items:
- key: tls.crt
path: ca-bundle.crt
secretName: cdi-uploadserver-signer
name: uploadserver-ca-bundle
- secret:
defaultMode: 420
items:
- key: tls.crt
path: ca-bundle.crt
secretName: cdi-uploadserver-client-signer
name: uploadserver-client-ca-bundle
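Review bot: The importer, cloner and uploadserver images are passed as the `IMPORTER_IMAGE`, `CLONER_IMAGE` and `UPLOADSERVER_IMAGE` env values pinned to quay.io digests, and nothing in this commit rewrites them: the kustomize `images` entries in datas.tf only match container `image:` fields, and the `images` option in index.yaml exposes only apiserver, controller and uploadproxy. The controller itself is therefore relocatable through `var.images` while every import, clone and upload pod it spawns still pulls from quay.io, which breaks a registry-restricted cluster silently and at first use rather than at install time. Add importer, cloner and uploadserver entries to the `images` option and template the three `value:` lines from them, e.g. `value: "{{ images.importer.registry }}/{{ images.importer.repository }}:{{ images.importer.tag }}"` — assuming the `{{ … }}` substitution used for `namespace` is applied to env values as well, which is not visible here.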


@@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
name: cdi-uploadproxy
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
cdi.kubevirt.io: cdi-uploadproxy
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
spec:
containers:
- args:
- -v=1
env:
- name: APISERVER_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: publickey.pem
name: cdi-api-signing-key
image: quay.io/kubevirt/cdi-uploadproxy@sha256:551221d79902a5053d1c734b81163d69f087217e2ac13c49bdf6900336ef0786
imagePullPolicy: IfNotPresent
name: cdi-uploadproxy
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/certs/cdi-uploadproxy-server-cert
name: server-cert
readOnly: true
- mountPath: /var/run/certs/cdi-uploadserver-client-cert
name: client-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-uploadproxy
serviceAccountName: cdi-uploadproxy
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: server-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadproxy-server-cert
- name: client-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-client-cert


@@ -0,0 +1,7 @@
apiVersion: cdi.kubevirt.io/v1beta1
kind: CDIConfig
metadata:
name: config
spec:
featureGates:
- HonorWaitForFirstConsumer
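Review bot: `CDIConfig/config` here and the `CDI` CR in the next section both declare the `HonorWaitForFirstConsumer` feature gate, so the same setting has two sources of truth. As far as I know the `CDI` CR is consumed by cdi-operator, which none of the visible sections deploy (apiserver, controller and uploadproxy are applied directly), and the cdi-controller reconciles `CDIConfig/config` from it — so either the CR is inert in this layout or, if an operator is added later, its reconcile will overwrite this object. Keep one of the two and record the owner above the surviving one, e.g. `# featureGates are owned by the CDI CR; edit them there`.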


@@ -0,0 +1,18 @@
apiVersion: cdi.kubevirt.io/v1beta1
kind: CDI
metadata:
name: cdi
spec:
config:
featureGates:
- HonorWaitForFirstConsumer
imagePullPolicy: IfNotPresent
infra:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: CriticalAddonsOnly
operator: Exists
workload:
nodeSelector:
kubernetes.io/os: linux

187
virt/cdi/certs.tf Normal file

@@ -0,0 +1,187 @@
resource "kubectl_manifest" "issuer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-selfsigned"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
selfSigned: {}
EOF
}
resource "kubectl_manifest" "cdi-apiserver-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-apiserver-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-apiserver-signer"
secretName: cdi-apiserver-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadproxy-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadproxy-signer"
secretName: cdi-uploadproxy-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadserver-client-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadserver-client-signer"
secretName: cdi-uploadserver-client-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadserver-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadserver-signer"
secretName: cdi-uploadserver-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-uploadproxy-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-uploadproxy-signer"
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-uploadserver-client-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-uploadserver-client-signer"
EOF
}
resource "kubectl_manifest" "cdi-apiserver-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-apiserver-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-apiserver-signer"
EOF
}
resource "kubectl_manifest" "cdi-apiserver-server-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-apiserver-server-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- cdi-api
- cdi-api.${var.namespace}
- cdi-api.${var.namespace}.svc
- cdi-api.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: cdi-apiserver-signer
secretName: cdi-apiserver-server-cert
subject:
organizationalUnits:
- cdi-api
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-server-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-uploadproxy-server-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- cdi-uploadproxy
- cdi-uploadproxy.${var.namespace}
- cdi-uploadproxy.${var.namespace}.svc
- cdi-uploadproxy.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: cdi-uploadproxy-signer
secretName: cdi-uploadproxy-server-cert
subject:
organizationalUnits:
- cdi-uploadproxy
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-uploadserver-client-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
usages:
- digital signature
- client auth
commonName: "cdi-uploadserver-client-cert"
issuerRef:
kind: Issuer
name: cdi-uploadserver-client-signer
secretName: cdi-uploadserver-client-cert
subject:
organizationalUnits:
- cdi-uploadserver-client
EOF
}
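Review bot: `namespace:` is quoted in the first five manifests (`namespace: "${var.namespace}"`) and bare from cdi-uploadproxy-signer onward (`namespace: ${var.namespace}`); a namespace name made only of digits is a valid DNS label but parses as an integer when unquoted, so quote it in every heredoc. The CA Issuers reference secrets produced by the Certificates above them and the leaf Certificates reference those Issuers, yet no `depends_on` orders the `kubectl_manifest` resources; cert-manager converges eventually, but a first apply can surface transient "issuer not found" conditions that look like failures — `depends_on = [kubectl_manifest.cdi-apiserver-signer]` on each leaf makes the intent explicit. The leaf certificates set neither `duration` nor `renewBefore` while the CAs use `var.duration`; stating both explicitly would make the rotation policy reviewable in one place, since the webhook CA injection and the APIService depend on these leaves.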

32
virt/cdi/datas.tf Normal file

@@ -0,0 +1,32 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
images {
name = "quay.io/kubevirt/cdi-apiserver"
new_name = "${var.images.apiserver.registry}/${var.images.apiserver.repository}"
new_tag = "${var.images.apiserver.tag}"
}
images {
name = "quay.io/kubevirt/cdi-controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
images {
name = "quay.io/kubevirt/cdi-uploadproxy"
new_name = "${var.images.uploadproxy.registry}/${var.images.uploadproxy.repository}"
new_tag = "${var.images.uploadproxy.tag}"
}
}
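Review bot: Every manifest pins its image by `@sha256:` digest, but the three `images` entries set `new_tag`, and kustomize's image transformer replaces the digest with the tag, so the deployed reference becomes the mutable `quay.io/kubevirt/cdi-apiserver:v1.59.0` rather than the content-addressed one the manifests were written with. If the override is meant to keep pinning, add a `digest` field to the `images` option in index.yaml and pass it as `digest = var.images.apiserver.digest` (as I recall the provider's `images` block accepts it and kustomize applies `digest` in preference to `newTag`). Style: `new_tag = "${var.images.apiserver.tag}"` is a redundant interpolation wrapper; `new_tag = var.images.apiserver.tag` is the Terraform 0.12+ form, and the same applies to the `new_name` lines.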

6
virt/cdi/index.rhai Normal file

@@ -0,0 +1,6 @@
const DEST=dest;
fn pre_install() {
shell(`openssl genrsa -out ${global::DEST}/privatekey.pem 4096`);
shell(`openssl rsa -in ${global::DEST}/privatekey.pem -pubout -out ${global::DEST}/publickey.pem`);
shell(`kubectl get secret -n $NAMESPACE cdi-api-signing-key|| kubectl create secret generic -n $NAMESPACE cdi-api-signing-key --from-file=privatekey.pem=${global::DEST}/privatekey.pem --from-file=publickey.pem=${global::DEST}/publickey.pem`);
}
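Review bot: The key pair is regenerated into `${global::DEST}` on every run and the private key is never removed afterwards, so a fresh `privatekey.pem` that does not match the secret actually in use is left on the installer's filesystem even when `kubectl get secret` succeeds. The `||` also turns any failure of `kubectl get` (RBAC denial, transient API error) into an attempt to create a new key, and `$NAMESPACE` is unquoted. Check for the secret first, generate only when it is absent, quote the variable and delete the files once the secret exists; whether `shell()` aborts on a non-zero status is not visible here, so the chain below relies on `&&`. index.yaml lists `secret-generator` as a dependency — if that component can mint the key pair, the local key handling could go away entirely, but that cannot be told from here.
```rhai
fn pre_install() {
    // Mint the API signing key pair only when the secret does not exist yet,
    // and never leave the private key behind in DEST.
    shell(`kubectl get secret -n "$NAMESPACE" cdi-api-signing-key >/dev/null 2>&1 || (
      umask 077 &&
      openssl genrsa -out ${global::DEST}/privatekey.pem 4096 &&
      openssl rsa -in ${global::DEST}/privatekey.pem -pubout -out ${global::DEST}/publickey.pem &&
      kubectl create secret generic -n "$NAMESPACE" cdi-api-signing-key --from-file=privatekey.pem=${global::DEST}/privatekey.pem --from-file=publickey.pem=${global::DEST}/publickey.pem;
      status=$?;
      rm -f ${global::DEST}/privatekey.pem ${global::DEST}/publickey.pem;
      exit $status
    )`);
}
```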

110
virt/cdi/index.yaml Normal file

@@ -0,0 +1,110 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: virt
metadata:
name: cdi
description: Containerized Data Importer
options:
duration:
default: 87660h
examples:
- 87660h
type: string
images:
default:
apiserver:
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
controller:
registry: quay.io
repository: kubevirt/cdi-controller
tag: v1.59.0
uploadproxy:
registry: quay.io
repository: kubevirt/cdi-uploadproxy
tag: v1.59.0
examples:
- apiserver:
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
controller:
registry: quay.io
repository: kubevirt/cdi-controller
tag: v1.59.0
uploadproxy:
registry: quay.io
repository: kubevirt/cdi-uploadproxy
tag: v1.59.0
properties:
apiserver:
default:
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-apiserver
type: string
tag:
default: v1.59.0
type: string
type: object
controller:
default:
registry: quay.io
repository: kubevirt/cdi-controller
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-controller
type: string
tag:
default: v1.59.0
type: string
type: object
uploadproxy:
default:
registry: quay.io
repository: kubevirt/cdi-uploadproxy
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-uploadproxy
type: string
tag:
default: v1.59.0
type: string
type: object
type: object
dependencies:
- dist: null
category: core
component: cert-manager
- dist: null
category: core
component: secret-generator
- dist: null
category: crd
component: cdi
providers:
kubernetes: true
authentik: null
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null


@@ -0,0 +1,79 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: prometheus-cdi-rules
namespace: "{{ namespace }}"
spec:
groups:
- name: cdi.rules
rules:
- expr: sum(up{namespace='{{ namespace }}', pod=~'cdi-operator-.*'} or vector(0))
record: kubevirt_cdi_operator_up_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'importer-.*', container='importer'} > 3)
record: kubevirt_cdi_import_dv_unusual_restartcount_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'cdi-upload-.*', container='cdi-upload-server'} > 3)
record: kubevirt_cdi_upload_dv_unusual_restartcount_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'.*-source-pod', container='cdi-clone-source'} > 3)
record: kubevirt_cdi_clone_dv_unusual_restartcount_total
- expr: sum(kubevirt_cdi_dataimportcron_outdated or vector(0))
record: kubevirt_cdi_dataimportcron_outdated_total
- alert: CDIOperatorDown
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIOperatorDown
summary: CDI operator is down
expr: kubevirt_cdi_operator_up_total == 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: critical
severity: warning
- alert: CDINotReady
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDINotReady
summary: CDI is not available to use
expr: kubevirt_cdi_cr_ready == 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: critical
severity: warning
- alert: CDIDataVolumeUnusualRestartCount
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIDataVolumeUnusualRestartCount
summary: Cluster has DataVolumes (PVC population request) with an unusual restart count, meaning they are probably failing and need to be investigated
expr: kubevirt_cdi_import_dv_unusual_restartcount_total > 0 or kubevirt_cdi_upload_dv_unusual_restartcount_total > 0 or kubevirt_cdi_clone_dv_unusual_restartcount_total > 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: warning
- alert: CDIStorageProfilesIncomplete
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIStorageProfilesIncomplete
summary: Incomplete StorageProfiles exist, accessMode/volumeMode cannot be inferred by CDI for PVC population request
expr: kubevirt_cdi_incomplete_storageprofiles_total > 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: info
- alert: CDIDataImportCronOutdated
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIDataImportCronOutdated
summary: DataImportCron (recurring polling of VM templates disk image sources, also known as golden images) PVCs are not being updated on the defined schedule
expr: kubevirt_cdi_dataimportcron_outdated_total > 0
for: 15m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: info
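Review bot: `kubevirt_cdi_operator_up_total` counts pods matching `cdi-operator-.*`, and `CDINotReady` watches `kubevirt_cdi_cr_ready`, a metric the operator exports; none of the visible sections deploy a cdi-operator (apiserver, controller and uploadproxy are applied directly), so if that holds for the whole commit `CDIOperatorDown` fires permanently after 5m (`or vector(0)` makes the sum 0) and `CDINotReady` never resolves. Drop those two rules, or annotate the group with `# CDIOperatorDown/CDINotReady require cdi-operator, which this component does not deploy`, so the standing alert is not mistaken for an incident. The `{{ namespace }}` substitution inside the single-quoted PromQL label matcher is fine as long as the templater does not add quotes of its own.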


@@ -0,0 +1,27 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
openshift.io/cluster-monitoring: ""
prometheus.cdi.kubevirt.io: "true"
name: service-monitor-cdi
namespace: "{{ namespace }}"
spec:
endpoints:
- bearerTokenSecret:
key: ""
port: metrics
scheme: http
tlsConfig:
ca: {}
cert: {}
insecureSkipVerify: true
namespaceSelector:
matchNames:
- "{{ namespace }}"
selector:
matchLabels:
prometheus.cdi.kubevirt.io: "true"
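Review bot: The endpoint scrapes with `scheme: http`, yet carries `tlsConfig.insecureSkipVerify: true` and an empty `bearerTokenSecret`; both are inert today, but the skip-verify flag silently takes effect the day someone flips the scheme to https. Remove the `bearerTokenSecret` and `tlsConfig` stanzas so the object states only what is in use, and keep in mind that the `metrics` port (8080 on the cdi-controller container) is served unauthenticated in-cluster. The `openshift.io/cluster-monitoring: ""` label has no effect outside OpenShift and can go as well.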


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-apiserver
subjects:
- kind: ServiceAccount
name: cdi-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-cronjob
subjects:
- kind: ServiceAccount
name: cdi-cronjob
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi
subjects:
- kind: ServiceAccount
name: cdi-sa
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-uploadproxy
subjects:
- kind: ServiceAccount
name: cdi-uploadproxy
namespace: "{{ namespace }}"


@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi.kubevirt.io:config-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi.kubevirt.io:config-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccount
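Review bot: The second subject, group `system:serviceaccount`, is not a group Kubernetes assigns — service accounts carry `system:serviceaccounts` (and `system:serviceaccounts:<ns>`), and every one of them is already a member of `system:authenticated`, the first subject — so the entry is either a typo of the plural or redundant; drop it or write `name: system:serviceaccounts`. A comment is also warranted that this binding deliberately lets every authenticated principal read `cdiconfigs` and `storageprofiles` cluster-wide, e.g. `# read-only, cluster-wide on purpose: clients need StorageProfiles to build PVC requests`, because `system:authenticated` on a ClusterRoleBinding otherwise reads as an over-grant at first glance.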


@@ -0,0 +1,67 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
rules:
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- list
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- datasources
verbs:
- list
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- cdis
verbs:
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- cdis/finalizers
verbs:
- '*'


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- dataimportcrons
verbs:
- get
- list
- update
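Review bot: `annotations:` under `metadata` has no value, which YAML reads as `annotations: null` rather than an empty map; the apiserver tolerates it, but yamllint's `empty-values` rule flags it and it is residue from an export. Delete the bare key here and in the cdi-uploadproxy and cdi.kubevirt.io:admin ClusterRoles that follow, which carry the same line.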


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
rules:
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get


@@ -0,0 +1,29 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: cdi.kubevirt.io:admin
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- '*'
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create
- apiGroups:
- upload.cdi.kubevirt.io
resources:
- uploadtokenrequests
verbs:
- '*'


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi.kubevirt.io:config-reader
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- cdiconfigs
- storageprofiles
verbs:
- get
- list
- watch


@@ -0,0 +1,28 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cdi.kubevirt.io:edit
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- '*'
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create
- apiGroups:
- upload.cdi.kubevirt.io
resources:
- uploadtokenrequests
verbs:
- '*'


@@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: cdi.kubevirt.io:view
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- cdiconfigs
- dataimportcrons
- datasources
- datavolumes
- objecttransfers
- storageprofiles
- volumeimportsources
- volumeuploadsources
- volumeclonesources
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create


@@ -0,0 +1,134 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumes
- persistentvolumeclaims
verbs:
- get
- list
- watch
- create
- update
- delete
- deletecollection
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims/finalizers
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- create
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
- csidrivers
verbs:
- get
- list
- watch
- apiGroups:
- config.openshift.io
resources:
- proxies
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- snapshot.storage.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- list
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- virtualmachines/finalizers
verbs:
- update


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-apiserver
subjects:
- kind: ServiceAccount
name: cdi-apiserver
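Review bot: The ServiceAccount subject at the end of the binding omits `namespace`; a RoleBinding tolerates this (the RBAC authorizer falls back to the binding's own namespace), but it reads differently from the `cdi-monitoring` binding in this same commit, where the subject carries an explicit namespace. Adding `namespace: "{{ namespace }}"` under the subject here, and in the sibling `cdi-deployment` and `cdi-uploadproxy` bindings, makes the grant explicit and keeps the subject valid if any of them is ever promoted to a ClusterRoleBinding, where the API rejects a ServiceAccount subject without a namespace.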


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-deployment
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-deployment
subjects:
- kind: ServiceAccount
name: cdi-sa


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-monitoring
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-monitoring
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: monitoring
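Review bot: The subject hard-codes `prometheus-k8s` in namespace `monitoring` while every other namespace in these manifests is templated as `"{{ namespace }}"`; if the Prometheus service account in a given cluster has a different name or lives elsewhere, the binding silently refers to a nonexistent subject and metrics scraping fails with a 403 that is easy to misattribute. Templating the subject (e.g. `name: "{{ prometheus_sa }}"`, `namespace: "{{ monitoring_namespace }}"`) or at least a comment stating the kube-prometheus assumption would make the dependency explicit. Note that this binding grants a foreign service account `get`/`list`/`watch` on `pods` in the CDI namespace, which is fine for service discovery but is a cross-namespace read grant and deserves to be visible as such.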


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-uploadproxy
subjects:
- kind: ServiceAccount
name: cdi-uploadproxy


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- '*'
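Review bot: `verbs: ['*']` on `secrets` and `configmaps` gives the `cdi-apiserver` service account read and write access to every secret in the CDI namespace, not just the ones it owns; this matters here because `certs.tf` in the same commit issues the KubeVirt CA key pairs (`kubevirt-ca` and `kubevirt-export-ca`, both `isCA: true`) into `${var.namespace}`, and if that renders to the same namespace as these CDI manifests, a compromise of the apiserver pod yields a CA that the admission webhooks and the aggregated API trust. Upstream cdi-apiserver uses this access to manage its own serving certificate, but with certificates now issued by cert-manager (see `cert-manager.io/inject-ca-from` on the webhook configurations) the verbs it still needs may reduce to `verbs: [get, list, watch]`; that is worth verifying against the pinned CDI version before tightening. If the wildcard has to stay, keep the CA secrets in a namespace that no CDI or KubeVirt workload service account can read, or at least document the exposure on this rule.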


@@ -0,0 +1,64 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-deployment
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
- watch
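Review bot: The `secrets` rule grants `list` and `watch` across the whole CDI namespace, so `cdi-sa` can enumerate and read every secret there rather than only the ones CDI resolves by name (import endpoint credentials, registry pull secrets). `list`/`watch` is probably driven by an informer upstream, so it may be required, but it should be confirmed, because the same commit places the KubeVirt CA private keys (`kubevirt-ca`, `kubevirt-export-ca` in `certs.tf`) into what appears to be the same namespace, and a `get`-only rule would not expose them to a compromised controller. The `'*'` verbs on `configmaps` and `leases` could likewise be reduced to what the controller actually issues (leader election via a LeaseLock needs only `get`, `create`, `update`) if the project wants these grants to be auditable; if they are kept verbatim from cdi-operator, a one-line comment saying so would save the next reviewer the same analysis.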


@@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-monitoring
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get


@@ -0,0 +1,7 @@
apiVersion: scheduling.k8s.io/v1
description: This priority class should be used for KubeVirt core components only.
kind: PriorityClass
metadata:
name: cdi-cluster-critical
preemptionPolicy: PreemptLowerPriority
value: 1000000000


@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
name: cdi-config
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-sa
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
name: cdi-api
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
cdi.kubevirt.io: cdi-apiserver
sessionAffinity: None
type: ClusterIP


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-prometheus-metrics
namespace: "{{ namespace }}"
spec:
ports:
- name: metrics
port: 8080
protocol: TCP
targetPort: metrics
selector:
prometheus.cdi.kubevirt.io: "true"
sessionAffinity: None
type: ClusterIP


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
name: cdi-uploadproxy
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
cdi.kubevirt.io: cdi-uploadproxy
sessionAffinity: None
type: ClusterIP


@@ -0,0 +1,124 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-mutator
name: virt-api-mutator
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachines-mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachines-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-mutate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migrations-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vm-clone-mutate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclones-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- clone.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
resources:
- virtualmachineclones
scope: '*'
sideEffects: None
timeoutSeconds: 10


@@ -0,0 +1,537 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-validator
name: virt-api-validator
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /launcher-eviction-validate
port: 443
failurePolicy: Ignore
matchPolicy: Equivalent
name: virt-launcher-eviction-interceptor.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- '*'
resources:
- pods/eviction
scope: '*'
sideEffects: NoneOnDryRun
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-create-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-validate-update
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-update-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- UPDATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachines-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachine-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinereplicaset-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinereplicaset-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancereplicasets
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinepool-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepool-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- pool.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinepools
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vmipreset-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepreset-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancepresets
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-create-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-validate-update
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-update-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- UPDATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinesnapshots-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinesnapshot-validator.snapshot.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- snapshot.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinesnapshots
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinerestores-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinerestore-validator.snapshot.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- snapshot.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinerestores
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineexports-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineexport-validator.export.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- export.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineexports
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstancetypes-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstancetype-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancetypes
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineclusterinstancetypes-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclusterinstancetype-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclusterinstancetypes
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinepreferences-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepreference-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinepreferences
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineclusterpreferences-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclusterpreference-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclusterpreferences
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /status-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: kubevirt-crd-status-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines/status
- virtualmachineinstancereplicasets/status
- virtualmachineinstancemigrations/status
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-policy-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-policy-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- migrations.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- migrationpolicies
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vm-clone-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: vm-clone-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- clone.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclones
scope: '*'
sideEffects: None
timeoutSeconds: 10
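Review bot: The first webhook, `virt-launcher-eviction-interceptor.kubevirt.io` on `pods/eviction`, is the only entry in this configuration with `failurePolicy: Ignore`, so whenever virt-api is unreachable (and it runs as a single replica in this commit) evictions of virt-launcher pods are admitted without KubeVirt seeing them, which presumably bypasses the migrate-on-drain handling this interceptor exists to provide. This appears to mirror the upstream default, chosen so that a virt-api outage cannot wedge node drains, so it is a deliberate trade-off rather than a bug, but it is invisible to anyone reading the file; a comment on the line such as `# fail-open by design: a virt-api outage must not block node drains, at the cost of skipping live migration for VMs evicted meanwhile` would record it. If the project prefers fail-closed for VM nodes, switching this to `failurePolicy: Fail` should only be done together with at least two virt-api replicas and a PodDisruptionBudget, otherwise the first virt-api restart blocks every drain.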


@@ -0,0 +1,19 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-aggregator
name: v1.subresources.kubevirt.io
spec:
group: subresources.kubevirt.io
groupPriorityMinimum: 1000
service:
name: virt-api
namespace: "{{ namespace }}"
port: 443
version: v1
versionPriority: 15


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.clone.kubevirt.io
spec:
group: clone.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100
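Review bot: This APIService carries `kube-aggregator.kubernetes.io/automanaged: "true"` and has no `spec.service`, which marks it as a Local APIService that kube-apiserver's autoregistration controller creates on its own once the `clone.kubevirt.io` CRDs exist and deletes again when they do not. Applying it from this repository is therefore redundant at best; if it is applied before the CRDs, or after they are removed, the controller is likely to delete it and the apply tooling to re-create it on every run, producing permanent drift. The same applies to the sibling automanaged entries in this commit (`export.kubevirt.io`, `instancetype.kubevirt.io` v1alpha1/v1alpha2/v1beta1, `migrations.kubevirt.io`, `pool.kubevirt.io`, `snapshot.kubevirt.io`); only the two `subresources.kubevirt.io` APIServices that point at the `virt-api` Service need to be managed here.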


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.export.kubevirt.io
spec:
group: export.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.migrations.kubevirt.io
spec:
group: migrations.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.pool.kubevirt.io
spec:
group: pool.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.snapshot.kubevirt.io
spec:
group: snapshot.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha2.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha2
versionPriority: 100


@@ -0,0 +1,19 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-aggregator
name: v1alpha3.subresources.kubevirt.io
spec:
group: subresources.kubevirt.io
groupPriorityMinimum: 1000
service:
name: virt-api
namespace: "{{ namespace }}"
port: 443
version: v1alpha3
versionPriority: 15


@@ -0,0 +1,11 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1beta1.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1beta1
versionPriority: 100


@@ -0,0 +1,209 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-handler
name: virt-handler
namespace: "{{ namespace }}"
spec:
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-handler
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-handler
prometheus.kubevirt.io: "true"
name: virt-handler
spec:
containers:
- args:
- --port
- "8443"
- --hostname-override
- $(NODE_NAME)
- --pod-ip-address
- $(MY_POD_IP)
- --max-metric-requests
- "3"
- --console-server-port
- "8186"
- --graceful-shutdown-seconds
- "315"
- -v
- "2"
command:
- virt-handler
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: MY_POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
image: quay.io/kubevirt/virt-handler@sha256:138dfda5fea8622f3da0d6413fe214fef80c2fd6a6f9533592a0dbfa7e1865b5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 45
successThreshold: 1
timeoutSeconds: 10
name: virt-handler
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 325Mi
securityContext:
privileged: true
seLinuxOptions:
level: s0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-handler/clientcertificates
name: kubevirt-virt-handler-certs
readOnly: true
- mountPath: /etc/virt-handler/servercertificates
name: kubevirt-virt-handler-server-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
- mountPath: /var/run/kubevirt-libvirt-runtimes
name: libvirt-runtimes
- mountPath: /var/run/kubevirt
mountPropagation: Bidirectional
name: virt-share-dir
- mountPath: /var/lib/kubevirt
name: virt-lib-dir
- mountPath: /var/run/kubevirt-private
name: virt-private-dir
- mountPath: /var/lib/kubelet/device-plugins
name: device-plugin
- mountPath: /pods
name: kubelet-pods-shortened
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: kubelet-pods
- mountPath: /var/lib/kubevirt-node-labeller
name: node-labeller
- mountPath: /etc/podinfo
name: podinfo
dnsPolicy: ClusterFirst
hostPID: true
initContainers:
- args:
- node-labeller.sh
command:
- /bin/sh
- -c
image: quay.io/kubevirt/virt-launcher@sha256:4c5fce3de2e2589197de72fb0c9436490ea318aca952c05a622c43e067023f35
imagePullPolicy: IfNotPresent
name: virt-launcher
resources: {}
securityContext:
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/kubevirt-node-labeller
name: node-labeller
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: kubevirt-handler
serviceAccountName: kubevirt-handler
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-virt-handler-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-certs
- name: kubevirt-virt-handler-server-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-server-certs
- emptyDir: {}
name: profile-data
- hostPath:
path: /var/run/kubevirt-libvirt-runtimes
type: ""
name: libvirt-runtimes
- hostPath:
path: /var/run/kubevirt
type: ""
name: virt-share-dir
- hostPath:
path: /var/lib/kubevirt
type: ""
name: virt-lib-dir
- hostPath:
path: /var/run/kubevirt-private
type: ""
name: virt-private-dir
- hostPath:
path: /var/lib/kubelet/device-plugins
type: ""
name: device-plugin
- hostPath:
path: /var/lib/kubelet/pods
type: ""
name: kubelet-pods-shortened
- hostPath:
path: /var/lib/kubelet/pods
type: ""
name: kubelet-pods
- hostPath:
path: /var/lib/kubevirt-node-labeller
type: ""
name: node-labeller
- downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations['k8s.v1.cni.cncf.io/network-status']
path: network-status
name: podinfo
updateStrategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate
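Review bot: The pod template runs `privileged: true` with `hostPID: true` and several `hostPath` mounts with `mountPropagation: Bidirectional`, which virt-handler needs but which also means the target namespace must be exempt from Pod Security Admission's `baseline`/`restricted` levels; nothing in this chunk labels the namespace `pod-security.kubernetes.io/enforce: privileged`, so if that label is not set elsewhere the DaemonSet object is accepted but every pod is rejected by admission and the rollout silently stays at zero. Also worth a look: both certificate volumes are `optional: true`, and with cert-manager rather than virt-operator issuing `kubevirt-virt-handler-certs` and `kubevirt-virt-handler-server-certs`, a missing or misnamed Certificate lets the pod start with an empty cert directory and fail at TLS time instead of at scheduling; unless the handler depends on lazily reloading those files, `optional: false` would surface the misconfiguration earlier. Finally, every `hostPath` uses `type: ""`, so a missing directory is created rather than reported — fine for the kubevirt runtime dirs, but `/var/lib/kubelet/pods` and `/var/lib/kubelet/device-plugins` should arguably be `type: Directory` so a non-default kubelet root dir fails fast instead of populating an empty tree.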


@@ -0,0 +1,127 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/name: virt-api
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-api
name: virt-api
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-api
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-api
prometheus.kubevirt.io: "true"
name: virt-api
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-api
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --port
- "8443"
- --console-server-port
- "8186"
- --subresources-only
- -v
- "2"
command:
- virt-api
image: quay.io/kubevirt/virt-api@sha256:707003b221496b4432da2f507d1e36e528b45888b5d321e06d460f0678da44ae
imagePullPolicy: IfNotPresent
name: virt-api
ports:
- containerPort: 8443
name: virt-api
protocol: TCP
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /apis/subresources.kubevirt.io/v1/healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 5m
memory: 500Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-api/certificates
name: kubevirt-virt-api-certs
readOnly: true
- mountPath: /etc/virt-handler/clientcertificates
name: kubevirt-virt-handler-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccount: kubevirt-apiserver
serviceAccountName: kubevirt-apiserver
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-virt-api-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-api-certs
- name: kubevirt-virt-handler-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-certs
- emptyDir: {}
name: profile-data
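Review bot: `replicas: 1` makes virt-api a single point of failure for every webhook in `virt-api-validator` and `virt-api-mutator` (all `failurePolicy: Fail` except the eviction interceptor) and for the `subresources.kubevirt.io` aggregated API, so a node loss or a failed rollout blocks all VM create/update and console/VNC access until the one pod is rescheduled. The template already carries a `podAntiAffinity` rule spreading `virt-api` pods across hostnames, which does nothing with a single replica, and the sibling `virt-controller` Deployment in this commit uses `replicas: 2`; setting `replicas: 2` here (which I believe is also what virt-operator picks on multi-node clusters) makes the anti-affinity meaningful and is cheap. If this is intended for a single-node cluster the value is fine, but then the anti-affinity block is dead weight and a comment saying so would help.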


@@ -0,0 +1,135 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/name: virt-controller
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-controller
name: virt-controller
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 2
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-controller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-controller
prometheus.kubevirt.io: "true"
name: virt-controller
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-controller
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --launcher-image
- quay.io/kubevirt/virt-launcher@sha256:4c5fce3de2e2589197de72fb0c9436490ea318aca952c05a622c43e067023f35
- --exporter-image
- quay.io/kubevirt/virt-exportserver@sha256:73311f79a9c71007f8572b3cc40cd6f6da404c7ef0a9c6509fb717d979546582
- --port
- "8443"
- -v
- "2"
command:
- virt-controller
image: quay.io/kubevirt/virt-controller@sha256:0789fafed2913b35a771e3db882748502b3250be04ece86d97f30201779b4e54
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
name: virt-controller
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /leader
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 275Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-controller/certificates
name: kubevirt-controller-certs
readOnly: true
- mountPath: /etc/virt-controller/exportca
name: kubevirt-export-ca
readOnly: true
- mountPath: /profile-data
name: profile-data
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccount: kubevirt-controller
serviceAccountName: kubevirt-controller
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-controller-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-controller-certs
- name: kubevirt-export-ca
secret:
defaultMode: 420
optional: true
secretName: kubevirt-export-ca
- emptyDir: {}
name: profile-data

209
virt/kubevirt/certs.tf Normal file

@@ -0,0 +1,209 @@
resource "kubectl_manifest" "issuer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-selfsigned"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
selfSigned: {}
EOF
}
resource "kubectl_manifest" "kubevirt-ca-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kubevirt-ca
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "kubevirt-ca"
secretName: kubevirt-ca
issuerRef:
name: kubevirt-selfsigned
EOF
}
resource "kubectl_manifest" "kubevirt-export-ca-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kubevirt-export-ca
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "kubevirt-export-ca"
secretName: kubevirt-export-ca
issuerRef:
name: kubevirt-selfsigned
EOF
}
resource "kubectl_manifest" "kubevirt-export-ca" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-export-ca"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "kubevirt-export-ca"
EOF
}
resource "kubectl_manifest" "kubevirt-ca" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-ca"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "kubevirt-ca"
EOF
}
resource "kubectl_manifest" "kubevirt-virt-api-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-api-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-api
- virt-api.${var.namespace}
- virt-api.${var.namespace}.svc
- virt-api.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-api-certs
subject:
organizationalUnits:
- kubevirt-virt-api
EOF
}
resource "kubectl_manifest" "kubevirt-controller-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-controller-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-controller
- virt-controller.${var.namespace}
- virt-controller.${var.namespace}.svc
- virt-controller.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-controller-certs
subject:
organizationalUnits:
- kubevirt-virt-controller
EOF
}
resource "kubectl_manifest" "kubevirt-exportproxy-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-exportproxy-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-exportproxy
- virt-exportproxy.${var.namespace}
- virt-exportproxy.${var.namespace}.svc
- virt-exportproxy.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-exportproxy-certs
subject:
organizationalUnits:
- kubevirt-virt-controller
EOF
}
resource "kubectl_manifest" "kubevirt-operator-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-operator-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- kubevirt-operator-webhook
- kubevirt-operator-webhook.${var.namespace}
- kubevirt-operator-webhook.${var.namespace}.svc
- kubevirt-operator-webhook.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-operator-certs
subject:
organizationalUnits:
- kubevirt-operator-webhook
EOF
}
resource "kubectl_manifest" "kubevirt-virt-handler-server-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-handler-server-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-handler
- virt-handler.${var.namespace}
- virt-handler.${var.namespace}.svc
- virt-handler.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-handler-server-certs
subject:
organizationalUnits:
- kubevirt-virt-handler
EOF
}
resource "kubectl_manifest" "kubevirt-virt-handler-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-handler-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
usages:
- digital signature
- client auth
commonName: "kubevirt-virt-handler-certs"
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-handler-certs
subject:
organizationalUnits:
- kubevirt-virt-handler-certs
EOF
}
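Review bot: `namespace:` is left unquoted at L3366, L3379, L3393, L3416, L3439, L3462, L3485 and L3508 while the first three manifests quote it (L3320, L3332, L3349); a namespace such as `no`, `on` or an all-digit name is a valid DNS label but parses as a boolean or integer in plain YAML, so the rendered body would fail to apply or apply with the wrong type. Use `namespace: "${var.namespace}"` throughout. The exportproxy certificate's `organizationalUnits` entry is `kubevirt-virt-controller` (L3452), unlike every other leaf certificate which names its own component; this looks like a copy-paste from the controller block, so confirm which OU the export path expects before relying on it. The leaf certificates set no `duration`, so only the two CA certificates (L3336, L3353) honour `var.duration`; if that is intended, a comment saying so on the first leaf certificate would save the next reader a trip to index.yaml.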

52
virt/kubevirt/datas.tf Normal file

@@ -0,0 +1,52 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
images {
name = "quay.io/kubevirt/virt-handler"
new_name = "${var.images.handler.registry}/${var.images.handler.repository}"
new_tag = "${var.images.handler.tag}"
}
images {
name = "quay.io/kubevirt/virt-api"
new_name = "${var.images.api.registry}/${var.images.api.repository}"
new_tag = "${var.images.api.tag}"
}
images {
name = "quay.io/kubevirt/virt-controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
patches {
target {
kind = "Deployment"
name = "virt-controller"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.controller.pull_policy}"
- op: replace
path: /spec/template/spec/containers/0/image
value: "${var.images.controller.registry}/${var.images.controller.repository}:${var.images.controller.tag}"
- op: replace
path: /spec/template/spec/containers/0/args/1
value: "${var.images.launcher.registry}/${var.images.launcher.repository}:${var.images.launcher.tag}"
- op: replace
path: /spec/template/spec/containers/0/args/3
value: "${var.images.exportserver.registry}/${var.images.exportserver.repository}:${var.images.exportserver.tag}"
EOF
}
}
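Review bot: The `images` transformers (L3543–L3557) and the JSON patch (L3569, L3572, L3575) replace images that the upstream manifest pins by sha256 digest (e.g. L3221, L3223, L3230) with mutable `:tag` references, which drops the supply-chain guarantee the digests provided. Kustomize's `images` transformer also accepts a `digest` field, so an optional `digest` in the image options would let deployments keep pinning while still allowing the registry/repository rewrite. The `args/1` and `args/3` paths (L3571, L3574) are positional and presumably land on the launcher image (L3221) and the exporter image (L3223); if an upstream release reorders those flags, `replace` still succeeds on whatever sits at that index and silently writes an image reference into another flag, so a comment such as `# args/1 and args/3 are the values of --launcher-image and --exporter-image in the upstream virt-controller Deployment; re-check on every bump` is the minimum, and a strategic-merge patch on the container would be safer. The `/image` replace (L3568–L3569) duplicates what the virt-controller `images` block (L3553–L3557) already does and can be dropped.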

165
virt/kubevirt/index.yaml Normal file

@@ -0,0 +1,165 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: virt
metadata:
name: kubevirt
description: null
options:
duration:
default: 87660h
examples:
- 87660h
type: string
images:
default:
api:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
controller:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
exportserver:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
handler:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
launcher:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
examples:
- api:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
controller:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
exportserver:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
handler:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
launcher:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
properties:
api:
default:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-api
type: string
tag:
default: v1.2.0
type: string
type: object
controller:
default:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-controller
type: string
tag:
default: v1.2.0
type: string
type: object
exportserver:
default:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-exportserver
type: string
tag:
default: v1.2.0
type: string
type: object
handler:
default:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-handler
type: string
tag:
default: v1.2.0
type: string
type: object
launcher:
default:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-launcher
type: string
tag:
default: v1.2.0
type: string
type: object
type: object
dependencies:
- dist: null
category: core
component: cert-manager
- dist: null
category: crd
component: kubevirt
providers:
kubernetes: true
authentik: null
kubectl: true
postgresql: null
mysql: null
restapi: null
http: null
gitea: null
tfaddtype: null
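Review bot: `description: null` (L3591) leaves the component undocumented, and none of the `options` say what they control; `duration` (L3593–L3597) in particular only affects the two CA certificates in certs.tf (L3336, L3353), not the leaf certificates, and its default of `87660h` (about ten years) means the CA keys are never rotated for the life of the install. A description on the component and on the option, e.g. `description: Lifetime of the self-signed kubevirt and export CA certificates; leaf certificates use cert-manager defaults`, would make that trade-off visible to whoever sets it. Only `controller` carries a `pull_policy` option (L3605, L3667–L3673) while `api` and `handler` have none even though their images are rewritten the same way in datas.tf (L3543–L3552), so either add it to them or note why the controller is special.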


@@ -0,0 +1,14 @@
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-controller-pdb
name: virt-controller-pdb
namespace: "{{ namespace }}"
spec:
minAvailable: 1
selector:
matchLabels:
kubevirt.io: virt-controller
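Review bot: `app.kubernetes.io/managed-by: virt-operator` (L3759) does not describe this install: the objects are applied through the kustomization in datas.tf, whose `common_labels` set `app.kubernetes.io/managed-by` to `vynil` (L3535), so the two values collide and whichever one the overlay leaves in place misrepresents the other. The same label appears on every manifest in this commit (e.g. L3777, L3902, L4070, L5079, L5131). Dropping it from the manifests, or explicitly letting the overlay own it, also reduces the chance that a virt-operator installed later treats these objects as its own; in either case a comment like `# labels copied from the upstream virt-operator output; managed-by is overridden by the overlay in datas.tf` would explain the provenance.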


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: kubevirt-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt-apiserver
subjects:
- kind: ServiceAccount
name: kubevirt-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt-controller
subjects:
- kind: ServiceAccount
name: kubevirt-controller
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-exportproxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt-exportproxy
subjects:
- kind: ServiceAccount
name: kubevirt-exportproxy
namespace: "{{ namespace }}"


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-handler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt-handler
subjects:
- kind: ServiceAccount
name: kubevirt-handler
namespace: "{{ namespace }}"


@@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt.io:default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt.io:default
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
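Review bot: The binding grants the `kubevirt.io:default` ClusterRole to `system:unauthenticated` (L3890–L3892) as well as `system:authenticated`; together with the role at L4583–L4602 that exposes `get`/`list` on the `version` and `guestfs` subresources to anonymous callers whenever the API server has anonymous authentication enabled. This presumably mirrors the upstream operator output, but on a platform where only named identities are expected it is a cluster-wide information disclosure with no functional gain. If anonymous access is not required, drop the `system:unauthenticated` subject; otherwise record the decision with a comment such as `# system:unauthenticated is kept so that unauthenticated clients can query the KubeVirt version; remove if anonymous API access is disabled`.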


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
name: instancetype.kubevirt.io:view
rules:
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineclusterinstancetypes
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch


@@ -0,0 +1,143 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- delete
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
verbs:
- get
- list
- watch
- patch
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- kubevirt.io
resources:
- virtualmachines/status
verbs:
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancemigrations
verbs:
- create
- get
- list
- watch
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancepresets
verbs:
- watch
- list
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- limitranges
verbs:
- watch
- list
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinerestores
- virtualmachinesnapshotcontents
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- datasources
- datavolumes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- create
- list
- get


@@ -0,0 +1,258 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-controller
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- patch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- delete
- create
- patch
- apiGroups:
- ""
resources:
- pods
- configmaps
- endpoints
- services
verbs:
- get
- list
- watch
- delete
- update
- create
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- update
- create
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- list
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- watch
- list
- create
- delete
- get
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- snapshot.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- export.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
- virtualmachinepools/finalizers
- virtualmachinepools/status
- virtualmachinepools/scale
verbs:
- watch
- list
- create
- delete
- update
- patch
- get
- apiGroups:
- kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
verbs:
- update
- apiGroups:
- cdi.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- k8s.cni.cncf.io
resources:
- network-attachment-definitions
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotclasses
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
- virtualmachineclones/status
- virtualmachineclones/finalizers
verbs:
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- resourcequotas
verbs:
- list
- watch
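Review bot: Four rules use `'*'` for both resources and verbs (L4180–L4191 on `snapshot.kubevirt.io` and `export.kubevirt.io`, L4207–L4212 on `kubevirt.io`, L4223–L4228 on `cdi.kubevirt.io`), which grants the controller service account every current and future resource, subresource and verb in those groups, including `deletecollection`; the rest of the role enumerates verbs, so the wildcards stand out and deserve at least a comment explaining why enumeration was not possible. The `namespaces` rule at L4310–L4315 is redundant with L4074–L4082, which already includes `get`, and can be removed. The cluster-wide `secrets` `create` (L4117–L4122) is narrow in verb but not in namespace; if the controller only writes secrets alongside VMs, a note saying so would help the next audit.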


@@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-exportproxy
rules:
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- list
- watch


@@ -0,0 +1,65 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-handler
rules:
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstances
verbs:
- update
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- patch
- list
- watch
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch


@@ -0,0 +1,155 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kubevirt.io:admin
rules:
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/console
- virtualmachineinstances/vnc
- virtualmachineinstances/vnc/screenshot
- virtualmachineinstances/portforward
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/pause
- virtualmachineinstances/unpause
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachines/portforward
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/start
- virtualmachines/stop
- virtualmachines/restart
- virtualmachines/addvolume
- virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump
- virtualmachines/addinterface
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch


@@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubernetes.io/bootstrapping: rbac-defaults
kubevirt.io: ""
name: kubevirt.io:default
rules:
- apiGroups:
- subresources.kubevirt.io
resources:
- version
- guestfs
verbs:
- get
- list


@@ -0,0 +1,156 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kubevirt.io:edit
rules:
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/console
- virtualmachineinstances/vnc
- virtualmachineinstances/vnc/screenshot
- virtualmachineinstances/portforward
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/pause
- virtualmachineinstances/unpause
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachines/portforward
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/start
- virtualmachines/stop
- virtualmachines/restart
- virtualmachines/addvolume
- virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump
- virtualmachines/addinterface
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch


@@ -0,0 +1,90 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kubevirt.io:view
rules:
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- list
- watch
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubevirt-apiserver
subjects:
- kind: ServiceAccount
name: kubevirt-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-controller
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubevirt-controller
subjects:
- kind: ServiceAccount
name: kubevirt-controller
namespace: "{{ namespace }}"


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-exportproxy
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubevirt-exportproxy
subjects:
- kind: ServiceAccount
name: kubevirt-exportproxy
namespace: "{{ namespace }}"


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-handler
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubevirt-handler
subjects:
- kind: ServiceAccount
name: kubevirt-handler
namespace: "{{ namespace }}"


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch


@@ -0,0 +1,46 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-controller
namespace: "{{ namespace }}"
rules:
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- get
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- delete
- update
- create
- patch
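Review bot: The `secrets` rule (L4985–L4992) gives the controller `list`/`get`/`watch` on every Secret in `{{ namespace }}`, which is presumably the same namespace where cert-manager stores the `kubevirt-ca` private key (certs.tf L3332–L3338); the export CA is already mounted into the controller by design (L3301–L3305), but `kubevirt-ca` is not, so a compromised controller pod could read the key that signs every component certificate. The exportproxy Role shows the narrower pattern with `resourceNames` (L5029–L5030); if the controller needs a known set of secrets, list them the same way, and if it genuinely needs all of them, add a comment stating which ones and why. The `route.openshift.io` rule (L4977–L4984) is inert on non-OpenShift clusters and could carry `# kept for parity with the upstream manifest; no effect without the OpenShift route API`.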


@@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-exportproxy
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resourceNames:
- kubevirt-export-ca
resources:
- configmaps
verbs:
- get
- list
- watch
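Review bot: The Role restricts the proxy to the ConfigMap named `kubevirt-export-ca` (L5029–L5032), but nothing visible in this commit creates a ConfigMap of that name: the export CA is a cert-manager `Certificate` whose output is the Secret `kubevirt-export-ca` (certs.tf L3355), and that object is mounted into virt-controller as a Secret (L3301–L3305). Unless the proxy is configured elsewhere to read the Secret, or another file in the commit publishes the CA bundle into a ConfigMap, this grants permission on an object that never exists and the proxy will not be able to verify export traffic. Worth confirming, and worth a comment on the `resourceNames` entry such as `# the export CA bundle must be published as ConfigMap kubevirt-export-ca; see certs.tf` once the source is settled.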


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-handler
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch


@@ -0,0 +1,7 @@
apiVersion: scheduling.k8s.io/v1
description: This priority class should be used for KubeVirt core components only.
kind: PriorityClass
metadata:
name: kubevirt-cluster-critical
preemptionPolicy: PreemptLowerPriority
value: 1000000000


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-controller
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-exportproxy
namespace: "{{ namespace }}"


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-handler
namespace: "{{ namespace }}"


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
prometheus.kubevirt.io: "true"
name: kubevirt-operator-webhook
namespace: "{{ namespace }}"
spec:
ports:
- name: webhooks
port: 443
protocol: TCP
targetPort: webhooks
selector:
kubevirt.io: virt-operator
sessionAffinity: None
type: ClusterIP
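Review bot: The Service selects pods labelled `kubevirt.io: virt-operator` (L5143), yet the visible parts of this commit deploy the components directly (the virt-controller Deployment, certs.tf, datas.tf) rather than through virt-operator, so unless an operator Deployment exists elsewhere in the commit this Service will have no endpoints and the `kubevirt-operator-certs` Certificate issued for it (certs.tf L3455–L3476) protects nothing. If the operator is intentionally absent, drop both objects, or add a comment on the Service — `# no virt-operator pod is deployed by this component; kept only for upstream parity` — so the dangling Service and certificate are not later read as a misconfiguration.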


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
prometheus.kubevirt.io: "true"
name: kubevirt-prometheus-metrics
namespace: "{{ namespace }}"
spec:
ports:
- name: metrics
port: 443
protocol: TCP
targetPort: metrics
selector:
prometheus.kubevirt.io: "true"
sessionAffinity: None
type: ClusterIP


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api
name: virt-api
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
kubevirt.io: virt-api
sessionAffinity: None
type: ClusterIP


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-exportproxy
name: virt-exportproxy
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
kubevirt.io: virt-exportproxy
sessionAffinity: None
type: ClusterIP