Fixing meta

This commit is contained in:
2024-05-12 13:44:20 +02:00
parent ed58ef54e1
commit 988497833f
141 changed files with 9443 additions and 7802 deletions


@@ -3,7 +3,7 @@ const SRC=src;
const DEST=dest;
const DOIT=config.apply;
const PURGE=config.purge;
const crdFiles=[
const crdFiles=if config.all {[
"apiextensions.k8s.io_v1_CustomResourceDefinition_cdis.cdi.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_cdiconfigs.cdi.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_dataimportcrons.cdi.kubevirt.io.yaml",
@@ -14,7 +14,8 @@ const crdFiles=[
"apiextensions.k8s.io_v1_CustomResourceDefinition_volumeclonesources.cdi.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_volumeimportsources.cdi.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_volumeuploadsources.cdi.kubevirt.io.yaml",
];
]} else {["apiextensions.k8s.io_v1_CustomResourceDefinition_cdis.cdi.kubevirt.io.yaml"]};
fn pre_install() {
if ! global::DOIT {
return;
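Review bot: The `else` branch on L25 hard-codes the `cdis.cdi.kubevirt.io` filename a second time, so a rename of the operator CRD must be made in two places; keeping one full list and selecting from it, `const allCrdFiles=[ ... ];` then `const crdFiles=if config.all { allCrdFiles } else { [allCrdFiles[0]] };`, avoids the drift. The hunk header `@@ -14,7 +14,8 @@` counts one more new-side line than the rendering around L24-L25 shows; if the old `];` survives next to the new `]} else {...};` the script will not parse, which is worth confirming against the actual file. `pre_install` starts on L26 and continues past the end of the hunk, and the `post_destroy` that consumes the same list is not shown here.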


@@ -6,6 +6,11 @@ metadata:
name: cdi
description: CRD for Containerized Data Importer
options:
all:
default: false
examples:
- false
type: boolean
apply:
default: true
examples:
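Review bot: The new `all` option on L36-L40 has no `description`, so nothing in the schema says what an install gets at the default `false`. Add `description: apply every CDI CRD shipped with this component; when false only cdis.cdi.kubevirt.io is applied and the remaining CRDs are expected to be created by the CDI operator (confirm)` under `all:`. If `post_destroy` in the companion index.rhai iterates the same `crdFiles` list, as the multus component in this commit does, then `purge` after an `all: false` install leaves the operator-created CRDs behind, which the description should also state.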


@@ -1,9 +1,8 @@
const VERSION="3.5.5";
const SRC=src;
const DEST=dest;
const DOIT=config.apply;
const PURGE=config.purge;
const crdFiles=[
const crdFiles=if config.all {[
"apiextensions.k8s.io_v1_CustomResourceDefinition_kubevirts.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_migrationpolicies.migrations.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_virtualmachineclones.clone.kubevirt.io.yaml",
@@ -21,7 +20,7 @@ const crdFiles=[
"apiextensions.k8s.io_v1_CustomResourceDefinition_virtualmachines.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_virtualmachinesnapshotcontents.snapshot.kubevirt.io.yaml",
"apiextensions.k8s.io_v1_CustomResourceDefinition_virtualmachinesnapshots.snapshot.kubevirt.io.yaml",
];
]} else {["apiextensions.k8s.io_v1_CustomResourceDefinition_kubevirts.kubevirt.io.yaml"]};
fn pre_install() {
if ! global::DOIT {
return;
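Review bot: The `else` branch on L63 repeats the `kubevirts.kubevirt.io` filename already listed on L55, so a rename of the operator CRD has to be made in two places; keeping one full list and selecting from it, `const crdFiles=if config.all { allCrdFiles } else { [allCrdFiles[0]] };`, removes the duplication. `pre_install` begins on L64 and continues beyond the hunk, and the `post_destroy` that consumes the same list is not shown, so whether a purge after an `all: false` install leaves the remaining CRDs behind cannot be confirmed from this section.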


@@ -6,6 +6,11 @@ metadata:
name: kubevirt
description: CRD for kube-virt
options:
all:
default: false
examples:
- false
type: boolean
apply:
default: true
examples:
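Review bot: The new `all` option on L74-L78 carries no `description`, so an installer cannot tell from the schema that the default `false` applies only the `kubevirts.kubevirt.io` CRD. Add `description: apply every KubeVirt CRD shipped with this component; when false only kubevirts.kubevirt.io is applied and the remaining CRDs are left to whatever creates them (presumably the virt-operator — confirm)` under `all:`. The interaction with `purge` after an `all: false` install (whether operator-created CRDs survive) belongs in the same description once confirmed against index.rhai.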


@@ -0,0 +1,45 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: network-attachment-definitions.k8s.cni.cncf.io
spec:
group: k8s.cni.cncf.io
scope: Namespaced
names:
plural: network-attachment-definitions
singular: network-attachment-definition
kind: NetworkAttachmentDefinition
shortNames:
- net-attach-def
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
Working Group to express the intent for attaching pods to one or more logical or physical
networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this represen
tation of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
type: object
properties:
config:
description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
type: string

17
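--- a/crd/multus/datas.tf
+++ b/crd/multus/datas.tf
@@ -0,0 +1,17 @@
+locals {
+common-labels = {
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+}
+data "kustomization_overlay" "data" {
+common_labels = local.common-labels
+namespace = var.namespace
+resources = []
+}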

21
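--- a/crd/multus/index.rhai
+++ b/crd/multus/index.rhai
@@ -0,0 +1,21 @@
+const SRC=src;
+const DEST=dest;
+const DOIT=config.apply;
+const PURGE=config.purge;
+const crdFiles=["apiextensions.k8s.io_v1_CustomResourceDefinition_network-attachment-definitions.k8s.cni.cncf.io.yaml"];
+fn pre_install() {
+if ! global::DOIT {
+return;
+}
+for file in global::crdFiles {
+shell(`kubectl replace -f ${global::SRC}/${file} || kubectl create -f ${global::SRC}/${file}`);
+}
+}
+fn post_destroy() {
+if ! global::PURGE {
+return;
+}
+for file in global::crdFiles {
+shell(`kubectl delete -f ${global::SRC}/${file}`);
+}
+}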
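Review bot: `post_destroy` on L172-L179 runs `kubectl delete -f` on the CRD without `--ignore-not-found`, so a second purge (or one after the CRD was removed by hand) fails the shell command, and the delete itself cascades: removing the `network-attachment-definitions.k8s.cni.cncf.io` CRD deletes every NetworkAttachmentDefinition in the cluster, which multus, whereabouts and running VMs may still reference. Change L177 to `shell(`kubectl delete --ignore-not-found -f ${global::SRC}/${file}`);` and put a comment above `post_destroy` stating that `purge` is cluster-wide and destroys all net-attach-def objects. Whether `shell()` aborts the component on a non-zero exit is not visible here; if it does not, the `||` fallback on L169 is the only error handling in the install path.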

21
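--- a/crd/multus/index.yaml
+++ b/crd/multus/index.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: vinyl.solidite.fr/v1beta1
+kind: Component
+category: crd
+metadata:
+name: multus
+description: CRD for multus
+options:
+apply:
+default: true
+examples:
+- true
+type: boolean
+purge:
+default: false
+examples:
+- false
+type: boolean
+dependencies: []
+providers: null
+tfaddtype: null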
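Review bot: The `purge` option on L199-L203 carries no `description`, and for this component it is the dangerous one: deleting the CRD removes every NetworkAttachmentDefinition cluster-wide. Add `description: delete the NetworkAttachmentDefinition CRD on uninstall; this cascades to every net-attach-def object in the cluster` under `purge:` and a matching `description: apply the CRD with kubectl during pre_install` under `apply:`. `providers: null` on L205 differs from the sibling components in this commit that declare `kubectl: true`; if the `crd` category relies only on the Rhai shell hooks that may be intentional, but a comment saying so would save the next reader from checking.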


@@ -1,4 +1,4 @@
const VERSION="0.6.3";
const VERSION="0.7.0";
const SRC=src;
const DEST=dest;
const DOIT=config.apply;

12
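--- a/dbo/minio/common.tf
+++ b/dbo/minio/common.tf
@@ -0,0 +1,12 @@
+locals {
+common-labels = {
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+}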

115
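--- a/dbo/minio/index.yaml
+++ b/dbo/minio/index.yaml
@@ -0,0 +1,115 @@
+---
+apiVersion: vinyl.solidite.fr/v1beta1
+kind: Component
+category: dbo
+metadata:
+name: minio
+description: null
+options:
+app-group:
+default: infra
+examples:
+- infra
+type: string
+domain:
+default: your-company
+examples:
+- your-company
+type: string
+domain-name:
+default: your_company.com
+examples:
+- your_company.com
+type: string
+images:
+default:
+operator:
+pullPolicy: IfNotPresent
+registry: docker.io
+repository: to-be/defined
+tag: v1.0.0
+examples:
+- operator:
+pullPolicy: IfNotPresent
+registry: docker.io
+repository: to-be/defined
+tag: v1.0.0
+properties:
+operator:
+default:
+pullPolicy: IfNotPresent
+registry: docker.io
+repository: to-be/defined
+tag: v1.0.0
+properties:
+pullPolicy:
+default: IfNotPresent
+enum:
+- Always
+- Never
+- IfNotPresent
+type: string
+registry:
+default: docker.io
+type: string
+repository:
+default: to-be/defined
+type: string
+tag:
+default: v1.0.0
+type: string
+type: object
+type: object
+ingress-class:
+default: traefik
+examples:
+- traefik
+type: string
+issuer:
+default: letsencrypt-prod
+examples:
+- letsencrypt-prod
+type: string
+storage:
+default:
+accessMode: ReadWriteOnce
+size: 1Gi
+type: Filesystem
+examples:
+- accessMode: ReadWriteOnce
+size: 1Gi
+type: Filesystem
+properties:
+accessMode:
+default: ReadWriteOnce
+enum:
+- ReadWriteOnce
+- ReadOnlyMany
+- ReadWriteMany
+type: string
+size:
+default: 1Gi
+type: string
+type:
+default: Filesystem
+enum:
+- Filesystem
+- Block
+type: string
+type: object
+sub-domain:
+default: to-be-set
+examples:
+- to-be-set
+type: string
+dependencies: []
+providers:
+kubernetes: true
+authentik: true
+kubectl: true
+postgresql: null
+mysql: null
+restapi: null
+http: null
+gitea: null
+tfaddtype: null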
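Review bot: The default image reference assembled from L264-L268 resolves to `docker.io/to-be/defined:v1.0.0`, a placeholder committed as the effective default; an install that does not override `images.operator` will try to pull that public Docker Hub path, and if the `to-be` namespace is not controlled by this project, whoever registers it gets their image run as the minio operator. Either fill in the real repository or drop the `default` for `repository` so the schema rejects an unset value, and add a `description` on `images` noting that a digest cannot be expressed through `tag` alone. `description: null` on L245 and the `your-company` / `to-be-set` defaults on L253-L258 and L339-L341 are the same kind of placeholder and deserve a `# TODO` comment, if not real values, before this component is published.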

12
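--- a/meta/addons/common.tf
+++ b/meta/addons/common.tf
@@ -0,0 +1,12 @@
+locals {
+common-labels = {
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+}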


@@ -20,6 +20,7 @@ locals {
crd-tekton_triggers = { for k, v in var.crds.tekton_triggers : k => v if k!="enable" }
crd-kubevirt = { for k, v in var.crds.kubevirt : k => v if k!="enable" }
crd-cdi = { for k, v in var.crds.cdi : k => v if k!="enable" }
crd-multus = { for k, v in var.crds.multus : k => v if k!="enable" }
}
resource "kubectl_manifest" "crd-kubevirt" {
@@ -56,6 +57,23 @@ resource "kubectl_manifest" "crd-cdi" {
EOF
}
resource "kubectl_manifest" "crd-multus" {
count = (var.crds.multus.enable || var.virt.enable && var.virt.multus.enable) ? 1 : 0
yaml_body = <<-EOF
apiVersion: "vynil.solidite.fr/v1"
kind: "Install"
metadata:
name: "crd-multus"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
distrib: "${var.component}"
category: "crd"
component: "multus"
options: ${jsonencode(local.crd-multus)}
EOF
}
resource "kubectl_manifest" "crd-tekton_pipelines" {
count = (var.crds.tekton_pipelines.enable || var.tekton.enable && var.tekton.tekton_pipelines.enable) ? 1 : 0
yaml_body = <<-EOF
@@ -278,7 +296,7 @@ resource "kubectl_manifest" "crd-argo-workflows" {
}
resource "kubectl_manifest" "crd-whereabouts" {
count = (var.crds.whereabouts.enable ) ? 1 : 0
count = (var.crds.whereabouts.enable || var.virt.enable && var.virt.whereabouts.enable ) ? 1 : 0
yaml_body = <<-EOF
apiVersion: "vynil.solidite.fr/v1"
kind: "Install"
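Review bot: The `count` on L385 relies on `&&` binding tighter than `||` to read as `multus.enable || (virt.enable && virt.multus.enable)`; that is what HCL does, but the whereabouts change on L407 uses the same shape with a stray space before `)`, and neither is parenthesized, so `count = (var.crds.multus.enable || (var.virt.enable && var.virt.multus.enable)) ? 1 : 0` would make the intent explicit on both. The new `crd-multus` Install is created in `var.namespace` while the virt-side `multus` Install in this commit lands in `var.virt.namespace`; the CRD is cluster-scoped so this is fine, but a one-line comment above the resource saying the namespace only hosts the Install object would pre-empt the question.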


@@ -6,153 +6,6 @@ metadata:
name: addons
description: addons meta-component installing all the addons components
options:
<<<<<<< HEAD
=======
olm:
default:
enable: false
namespace: olm
examples:
- enable: false
namespace: olm
properties:
enable:
default: false
type: boolean
namespace:
default: olm
type: string
type: object
flux:
default:
enable: false
namespace: flux
examples:
- enable: false
namespace: flux
properties:
enable:
default: false
type: boolean
namespace:
default: flux
type: string
type: object
tools:
default:
keda:
enable: false
namespace: vynil-addons
node_problem_detector:
enable: false
examples:
- keda:
enable: false
namespace: vynil-addons
node_problem_detector:
enable: false
properties:
keda:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
namespace:
default: vynil-addons
type: string
node_problem_detector:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
type: object
monitor:
default:
jaeger:
enable: false
namespace: vynil-monitor
opentelemetry:
enable: false
prometheus:
enable: true
examples:
- jaeger:
enable: false
namespace: vynil-monitor
opentelemetry:
enable: false
prometheus:
enable: true
properties:
jaeger:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
namespace:
default: vynil-monitor
type: string
opentelemetry:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
prometheus:
default:
enable: true
properties:
enable:
default: true
type: boolean
type: object
type: object
tekton:
default:
namespace: tekton
tekton_pipelines:
enable: false
tekton_triggers:
enable: false
examples:
- namespace: tekton
tekton_pipelines:
enable: false
tekton_triggers:
enable: false
properties:
namespace:
default: tekton
type: string
tekton_pipelines:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
tekton_triggers:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
type: object
>>>>>>> e51ed83 (Disable olm and flux by default)
crds:
default:
argo-cd:
@@ -175,6 +28,8 @@ options:
enable: false
minio:
enable: false
multus:
enable: false
olm:
enable: false
opentelemetry:
@@ -210,6 +65,8 @@ options:
enable: false
minio:
enable: false
multus:
enable: false
olm:
enable: false
opentelemetry:
@@ -305,6 +162,14 @@ options:
default: false
type: boolean
type: object
multus:
default:
enable: false
properties:
enable:
default: false
type: boolean
type: object
olm:
default:
enable: false
@@ -362,7 +227,6 @@ options:
type: boolean
type: object
type: object
<<<<<<< HEAD
fission:
default:
enable: false
@@ -529,20 +393,40 @@ options:
type: object
virt:
default:
bridges:
enable: true
cdi:
enable: true
enable: false
kubevirt:
enable: true
multus:
enable: true
namespace: vynil-virt
whereabouts:
enable: true
examples:
- cdi:
- bridges:
enable: true
cdi:
enable: true
enable: false
kubevirt:
enable: true
multus:
enable: true
namespace: vynil-virt
whereabouts:
enable: true
properties:
bridges:
default:
enable: true
properties:
enable:
default: true
type: boolean
type: object
cdi:
default:
enable: true
@@ -562,12 +446,26 @@ options:
default: true
type: boolean
type: object
multus:
default:
enable: true
properties:
enable:
default: true
type: boolean
type: object
namespace:
default: vynil-virt
type: string
whereabouts:
default:
enable: true
properties:
enable:
default: true
type: boolean
type: object
type: object
=======
>>>>>>> e51ed83 (Disable olm and flux by default)
dependencies: []
providers:
kubernetes: true
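Review bot: The new `virt.bridges`, `virt.multus` and `virt.whereabouts` sub-options (L640-L647, L655-L662, L666-L673) default to `enable: true` and carry no `description`, so enabling `virt` now silently deploys a privileged DaemonSet that writes CNI binaries into the host's CNI directory (the bridges component in this commit) plus a hostNetwork marker on every node. Add a `description` under each `enable`, e.g. for bridges `description: deploy the linux-bridge CNI plugin (privileged DaemonSet writing to the node CNI bin dir) and the bridge-marker; on by default when virt is enabled`. The removed conflict-marker block is the fix this commit is for; the point above concerns only the added `virt` defaults.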


@@ -1,10 +1,13 @@
locals {
cdi = { for k, v in var.virt.cdi : k => v if k!="enable" }
kubevirt = { for k, v in var.virt.kubevirt : k => v if k!="enable" }
bridges = { for k, v in var.virt.bridges : k => v if k!="enable" }
multus = { for k, v in var.virt.multus : k => v if k!="enable" }
whereabouts = { for k, v in var.virt.whereabouts : k => v if k!="enable" }
}
resource "kubernetes_namespace_v1" "virt-ns" {
count = var.virt.enable && ( var.virt.cdi.enable || var.virt.kubevirt.enable)? 1 : 0
count = var.virt.enable && ( var.virt.bridges.enable || var.virt.multus.enable || var.virt.whereabouts.enable || var.virt.cdi.enable || var.virt.kubevirt.enable)? 1 : 0
metadata {
annotations = local.annotations
labels = local.common-labels
@@ -30,6 +33,60 @@ resource "kubectl_manifest" "cdi" {
EOF
}
resource "kubectl_manifest" "bridges" {
count = var.virt.enable && var.virt.bridges.enable ? 1 : 0
depends_on = [kubernetes_namespace_v1.virt-ns]
yaml_body = <<-EOF
apiVersion: "vynil.solidite.fr/v1"
kind: "Install"
metadata:
name: "bridges"
namespace: "${var.virt.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
distrib: "${var.component}"
category: "virt"
component: "bridges"
options: ${jsonencode(local.bridges)}
EOF
}
resource "kubectl_manifest" "multus" {
count = var.virt.enable && var.virt.multus.enable ? 1 : 0
depends_on = [kubernetes_namespace_v1.virt-ns]
yaml_body = <<-EOF
apiVersion: "vynil.solidite.fr/v1"
kind: "Install"
metadata:
name: "multus"
namespace: "${var.virt.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
distrib: "${var.component}"
category: "virt"
component: "multus"
options: ${jsonencode(local.multus)}
EOF
}
resource "kubectl_manifest" "whereabouts" {
count = var.virt.enable && var.virt.whereabouts.enable ? 1 : 0
depends_on = [kubernetes_namespace_v1.virt-ns]
yaml_body = <<-EOF
apiVersion: "vynil.solidite.fr/v1"
kind: "Install"
metadata:
name: "whereabouts"
namespace: "${var.virt.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
distrib: "${var.component}"
category: "virt"
component: "whereabouts"
options: ${jsonencode(local.whereabouts)}
EOF
}
resource "kubectl_manifest" "kubevirt" {
count = var.virt.enable && var.virt.kubevirt.enable ? 1 : 0
depends_on = [kubernetes_namespace_v1.virt-ns]
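Review bot: The `multus` and `whereabouts` Installs added on L717-L750 depend only on the namespace, yet both components presumably need the NetworkAttachmentDefinition CRD that the separate `crd-multus` Install in this commit creates in `var.namespace`; if the vynil operator does not order Installs by itself, a `depends_on` on that resource, or a comment stating that the operator retries until the CRD exists, would document the assumption. The `count` on L693 has grown into a one-line five-way disjunction; a local such as `virt_any_enabled = anytrue([var.virt.bridges.enable, var.virt.multus.enable, var.virt.whereabouts.enable, var.virt.cdi.enable, var.virt.kubevirt.enable])` in the `locals` block would keep it readable as more sub-components arrive. The `virt-ns` resource body continues past the hunk.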

12
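--- a/virt/bridges/common.tf
+++ b/virt/bridges/common.tf
@@ -0,0 +1,12 @@
+locals {
+common-labels = {
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+}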

103
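--- a/virt/bridges/index.yaml
+++ b/virt/bridges/index.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: vinyl.solidite.fr/v1beta1
+kind: Component
+category: virt
+metadata:
+name: bridges
+description: Bridge CNI plugin and associated devices marker
+options:
+cni:
+default:
+bin_dir: /opt/cni/bin
+examples:
+- bin_dir: /opt/cni/bin
+properties:
+bin_dir:
+default: /opt/cni/bin
+description: use /var/lib/rancher/k3s/data/current/bin for k3s
+type: string
+type: object
+images:
+default:
+marker:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/bridge-marker
+tag: 0.11.1
+plugin:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/cni-default-plugins
+tag: v1.4.0
+examples:
+- marker:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/bridge-marker
+tag: 0.11.1
+plugin:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/cni-default-plugins
+tag: v1.4.0
+properties:
+marker:
+default:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/bridge-marker
+tag: 0.11.1
+properties:
+pull_policy:
+default: IfNotPresent
+enum:
+- Always
+- Never
+- IfNotPresent
+type: string
+registry:
+default: quay.io
+type: string
+repository:
+default: kubevirt/bridge-marker
+type: string
+tag:
+default: 0.11.1
+type: string
+type: object
+plugin:
+default:
+pull_policy: IfNotPresent
+registry: quay.io
+repository: kubevirt/cni-default-plugins
+tag: v1.4.0
+properties:
+pull_policy:
+default: IfNotPresent
+enum:
+- Always
+- Never
+- IfNotPresent
+type: string
+registry:
+default: quay.io
+type: string
+repository:
+default: kubevirt/cni-default-plugins
+type: string
+tag:
+default: v1.4.0
+type: string
+type: object
+type: object
+dependencies: []
+providers:
+kubernetes: true
+authentik: null
+kubectl: true
+postgresql: null
+mysql: null
+restapi: null
+http: null
+gitea: null
+tfaddtype: null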
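Review bot: The `images` option (L796-L868) lets an installer point both containers at any registry/repository/tag, but `tag` is interpolated as `:${tag}` in marker.tf and plugin.tf, so an immutable `@sha256:` digest cannot be expressed even though the plugin container runs privileged and copies binaries onto every node. Add a `description` on `images` saying these images run with host privileges and must come from a trusted registry, and consider an optional `digest` property that, when set, replaces the tag (`…:${tag}` becomes `…@${digest}`). The `cni.bin_dir` description on L793 is a good model for the rest of the file, which otherwise documents none of its options.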

56
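--- a/virt/bridges/marker.tf
+++ b/virt/bridges/marker.tf
@@ -0,0 +1,56 @@
+resource "kubectl_manifest" "marker" {
+yaml_body = <<-EOF
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: bridge-marker
+namespace: ${var.namespace}
+labels: ${jsonencode(local.common-labels)}
+ownerReferences: ${jsonencode(var.install_owner)}
+spec:
+revisionHistoryLimit: 10
+selector:
+matchLabels:
+name: bridge-marker
+template:
+metadata:
+annotations:
+description: Bridge marker exposes network bridges available on nodes as node
+resources
+creationTimestamp: null
+labels:
+app: bridge-marker
+app.kubernetes.io/component: network
+name: bridge-marker
+tier: node
+spec:
+containers:
+- args:
+- -node-name
+- $(NODE_NAME)
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: spec.nodeName
+image: ${var.images.marker.registry}/${var.images.marker.repository}:${var.images.marker.tag}
+imagePullPolicy: ${var.images.marker.pull_policy}
+name: bridge-marker
+resources:
+requests:
+cpu: 10m
+memory: 15Mi
+hostNetwork: true
+nodeSelector:
+kubernetes.io/arch: amd64
+priorityClassName: system-node-critical
+restartPolicy: Always
+serviceAccount: bridge-marker
+serviceAccountName: bridge-marker
+tolerations:
+- effect: NoSchedule
+operator: Exists
+EOF
+}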
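Review bot: The bridge-marker container on L913-L928 runs with `hostNetwork: true` and no `securityContext`, so it keeps the full default capability set and a writable root filesystem; from the args it only reads bridge state on the node and patches the node through the API, which presumably needs no capabilities at all (confirm against the upstream bridge-marker manifest before dropping them). A hardening block next to `resources:` is cheap and shrinks what a compromised marker pod can do on the host network namespace. The `nodeSelector` `kubernetes.io/arch: amd64` on L930-L931 silently skips arm64 nodes, leaving them without bridge resources; if that is intentional a comment should say so.
```yaml
          resources:
            requests:
              cpu: 10m
              memory: 15Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
        # … unchanged: hostNetwork, nodeSelector, priorityClassName, serviceAccount, tolerations …
```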

75
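--- a/virt/bridges/plugin.tf
+++ b/virt/bridges/plugin.tf
@@ -0,0 +1,75 @@
+resource "kubectl_manifest" "plugin" {
+yaml_body = <<-EOF
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: kube-cni-linux-bridge-plugin
+namespace: ${var.namespace}
+labels: ${jsonencode(local.common-labels)}
+ownerReferences: ${jsonencode(var.install_owner)}
+spec:
+selector:
+matchLabels:
+name: kube-cni-linux-bridge-plugin
+template:
+metadata:
+annotations:
+description: LinuxBridge installs 'bridge' CNI on cluster nodes, so it can
+be later used to attach Pods/VMs to Linux bridges
+labels:
+app: cni-plugins
+app.kubernetes.io/component: network
+name: kube-cni-linux-bridge-plugin
+tier: node
+spec:
+containers:
+- command:
+- /bin/bash
+- -ce
+- |
+echo 'Installing bridge and tuning CNIs'
+cni_mount_dir=/opt/cni/bin
+sourcebinpath=/usr/src/github.com/containernetworking/plugins/bin
+cp --remove-destination $${sourcebinpath}/bridge $${cni_mount_dir}/cnv-bridge
+cp --remove-destination $${sourcebinpath}/tuning $${cni_mount_dir}/cnv-tuning
+echo 'Checking bridge and tuning CNIs deployment on node'
+printf -v bridgechecksum "%s" "$(<$sourcebinpath/bridge.checksum)"
+printf -v tuningchecksum "%s" "$(<$sourcebinpath/tuning.checksum)"
+printf "%s %s" "$${bridgechecksum% *}" "$${cni_mount_dir}/cnv-bridge" | sha256sum --check
+printf "%s %s" "$${tuningchecksum% *}" "$${cni_mount_dir}/cnv-tuning" | sha256sum --check
+# Some projects (e.g. openshift/console) use cnv- prefix to distinguish between
+# binaries shipped by OpenShift and those shipped by KubeVirt (D/S matters).
+# Following two lines make sure we will provide both names when needed.
+find $${cni_mount_dir}/bridge &>/dev/null || ln -s $${cni_mount_dir}/cnv-bridge $${cni_mount_dir}/bridge
+find $${cni_mount_dir}/tuning &>/dev/null || ln -s $${cni_mount_dir}/cnv-tuning $${cni_mount_dir}/tuning
+echo 'Entering sleep... (success)'
+sleep infinity
+image: ${var.images.plugin.registry}/${var.images.plugin.repository}:${var.images.plugin.tag}
+imagePullPolicy: ${var.images.plugin.pull_policy}
+name: cni-plugins
+resources:
+requests:
+cpu: 10m
+memory: 15Mi
+securityContext:
+privileged: true
+volumeMounts:
+- mountPath: /opt/cni/bin
+name: cnibin
+nodeSelector:
+kubernetes.io/arch: amd64
+priorityClassName: system-cluster-critical
+restartPolicy: Always
+tolerations:
+- effect: NoSchedule
+operator: Exists
+volumes:
+- hostPath:
+path: "${var.cni.bin_dir}"
+type: ""
+name: cnibin
+EOF
+}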
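Review bot: `privileged: true` on L1000-L1001 grants the plugin container full host access, but the script on L975-L992 only copies two binaries into the mounted hostPath, verifies them with `sha256sum --check` and sleeps; writing into a hostPath volume requires running as root, not being privileged, so a root user with `allowPrivilegeEscalation: false` and all capabilities dropped would presumably suffice (upstream ships it privileged, so test on an SELinux-enforcing node before changing, as relabeling may be what required it). `type: ""` on L1015 also lets the kubelet create the directory when `var.cni.bin_dir` is mistyped, silently installing the plugin where no CNI will look; `type: Directory` fails loudly instead. The checksum step is good and should stay, with a comment noting it validates the image's own checksum files rather than an external signature, so the trust boundary is the image pull.
```yaml
          securityContext:
            # NOTE(review): hostPath writes need root, not privileged; upstream ships
            # privileged — confirm on SELinux-enforcing nodes before keeping this.
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: volumeMounts …
        volumes:
          - hostPath:
              path: "${var.cni.bin_dir}"
              type: Directory
            name: cnibin
```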

50
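--- a/virt/bridges/rbac.tf
+++ b/virt/bridges/rbac.tf
@@ -0,0 +1,50 @@
+resource "kubectl_manifest" "sa" {
+yaml_body = <<-EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: bridge-marker
+namespace: ${var.namespace}
+ownerReferences: ${jsonencode(var.install_owner)}
+labels: ${jsonencode(local.common-labels)}
+EOF
+}
+resource "kubectl_manifest" "crb" {
+yaml_body = <<-EOF
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: bridge-marker-crb
+labels: ${jsonencode(local.common-labels)}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: bridge-marker-cr
+subjects:
+- kind: ServiceAccount
+name: bridge-marker
+namespace: ${var.namespace}
+EOF
+}
+resource "kubectl_manifest" "cr" {
+yaml_body = <<-EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: bridge-marker-cr
+labels: ${jsonencode(local.common-labels)}
+rules:
+- apiGroups:
+- ""
+resources:
+- nodes
+- nodes/status
+verbs:
+- get
+- update
+- patch
+EOF
+}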
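Review bot: The ClusterRole on L1053-L1071 grants `update` and `patch` on `nodes` as well as `nodes/status`, so a compromised bridge-marker pod (hostNetwork on every node) could relabel or taint any node in the cluster; exposing bridges as node resources only needs to write `nodes/status`, so `nodes` itself can presumably be limited to `get` (confirm against what the marker binary actually patches). Split the rule into `resources: [nodes]` with `verbs: [get]` and `resources: [nodes/status]` with `verbs: [get, update, patch]`. The ClusterRole and ClusterRoleBinding carry no `ownerReferences`, which is correct since cluster-scoped objects cannot be owned by the namespaced Install, but it means they are not garbage-collected with it; a comment above `crb` should say they are removed only by this module's destroy.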


@@ -0,0 +1,13 @@
// Allow duplication for terraform
resource "kubectl_manifest" "datavolume_cloner" {
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: datavolume-cloner
rules:
- apiGroups: ["cdi.kubevirt.io"]
resources: ["datavolumes/source"]
verbs: ["create"]
EOF
}
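Review bot: The `datavolume-cloner` ClusterRole on L1077-L1088 is the only manifest in this commit without `labels: ${jsonencode(local.common-labels)}`, so owner-label queries that find the sibling resources will miss it, and the comment `// Allow duplication for terraform` on L1076 does not say what is duplicated or why. Replace it with a comment stating the role's purpose, e.g. `// ClusterRole granting create on datavolumes/source; bound per source namespace to allow cross-namespace PVC cloning by CDI. Cluster-scoped, so not owned by the Install — only Terraform destroy removes it.`, and add the common labels under `metadata:`. Which subjects get bound to this role is not visible in this section.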


@@ -1,37 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-datavolume-mutate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /datavolume-mutate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: datavolume-mutate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- datavolumes
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,36 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-dataimportcron-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /dataimportcron-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: dataimportcron-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- dataimportcrons
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,36 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-datavolume-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /datavolume-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: datavolume-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- datavolumes
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,37 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-populator-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /populator-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: populator-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- volumeimportsources
- volumeuploadsources
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,35 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: cdi-api-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /cdi-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: cdi-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- DELETE
resources:
- cdis
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,36 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: objecttransfer-api-validate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: cdi-api
namespace: "{{ namespace }}"
path: /objecttransfer-validate
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: objecttransfer-validate.cdi.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- cdi.kubevirt.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- objecttransfers
scope: '*'
sideEffects: None
timeoutSeconds: 30


@@ -1,17 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/cdi-apiserver-server-cert"
labels:
cdi.kubevirt.io: cdi-api
name: v1beta1.upload.cdi.kubevirt.io
spec:
group: upload.cdi.kubevirt.io
groupPriorityMinimum: 1000
service:
name: cdi-api
namespace: "{{ namespace }}"
port: 443
version: v1beta1
versionPriority: 15


@@ -1,108 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
name: cdi-apiserver
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
cdi.kubevirt.io: cdi-apiserver
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
spec:
containers:
- args:
- -v=1
env:
- name: INSTALLER_PART_OF_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/part-of']
- name: INSTALLER_VERSION_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/version']
image: quay.io/kubevirt/cdi-apiserver@sha256:e9e39408413b1478d2e98eba68913f9e20c93000558b190b47de73bdfd1d9ac4
imagePullPolicy: IfNotPresent
name: cdi-apiserver
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/certs/cdi-apiserver-signer-bundle
name: ca-bundle
readOnly: true
- mountPath: /var/run/certs/cdi-apiserver-server-cert
name: server-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-apiserver
serviceAccountName: cdi-apiserver
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- secret:
defaultMode: 420
items:
- key: ca.crt
path: ca-bundle.crt
secretName: cdi-apiserver-server-cert
name: ca-bundle
- name: server-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-apiserver-server-cert


@@ -1,155 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: containerized-data-importer
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-deployment
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: containerized-data-importer
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: containerized-data-importer
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
spec:
containers:
- args:
- -v=1
env:
- name: IMPORTER_IMAGE
value: quay.io/kubevirt/cdi-importer@sha256:3143bbc67cdc6267eb48b7eaac664b8551ac4c11401dfbf4921efd3f233e6ce9
- name: CLONER_IMAGE
value: quay.io/kubevirt/cdi-cloner@sha256:9d31b14f23259398c5bac636f5ead13ad0afd6fe8eeab4499e8e047b4d85074f
- name: UPLOADSERVER_IMAGE
value: quay.io/kubevirt/cdi-uploadserver@sha256:30f1827d3696cf996b081c22c3267ca78e7219c872fdb54950198fa54359f6ee
- name: UPLOADPROXY_SERVICE
value: cdi-uploadproxy
- name: PULL_POLICY
value: IfNotPresent
- name: INSTALLER_PART_OF_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/part-of']
- name: INSTALLER_VERSION_LABEL
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.labels['app.kubernetes.io/version']
image: quay.io/kubevirt/cdi-controller@sha256:27c47883a08226f83757971d3adafb0cd9bcb26e58fbcf7208236070e0adf37e
imagePullPolicy: IfNotPresent
name: cdi-controller
ports:
- containerPort: 8080
name: metrics
protocol: TCP
readinessProbe:
exec:
command:
- cat
- /tmp/ready
failureThreshold: 3
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/cdi/token/keys
name: cdi-api-signing-key
- mountPath: /var/run/certs/cdi-uploadserver-signer
name: uploadserver-ca-cert
- mountPath: /var/run/certs/cdi-uploadserver-client-signer
name: uploadserver-client-ca-cert
- mountPath: /var/run/ca-bundle/cdi-uploadserver-signer-bundle
name: uploadserver-ca-bundle
- mountPath: /var/run/ca-bundle/cdi-uploadserver-client-signer-bundle
name: uploadserver-client-ca-bundle
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-sa
serviceAccountName: cdi-sa
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: cdi-api-signing-key
secret:
defaultMode: 420
items:
- key: publickey.pem
path: id_rsa.pub
- key: privatekey.pem
path: id_rsa
secretName: cdi-api-signing-key
- name: uploadserver-ca-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-signer
- name: uploadserver-client-ca-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-client-signer
- secret:
defaultMode: 420
items:
- key: tls.crt
path: ca-bundle.crt
secretName: cdi-uploadserver-signer
name: uploadserver-ca-bundle
- secret:
defaultMode: 420
items:
- key: tls.crt
path: ca-bundle.crt
secretName: cdi-uploadserver-client-signer
name: uploadserver-client-ca-bundle


@@ -1,105 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
name: cdi-uploadproxy
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
cdi.kubevirt.io: cdi-uploadproxy
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
spec:
containers:
- args:
- -v=1
env:
- name: APISERVER_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: publickey.pem
name: cdi-api-signing-key
image: quay.io/kubevirt/cdi-uploadproxy@sha256:551221d79902a5053d1c734b81163d69f087217e2ac13c49bdf6900336ef0786
imagePullPolicy: IfNotPresent
name: cdi-uploadproxy
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/certs/cdi-uploadproxy-server-cert
name: server-cert
readOnly: true
- mountPath: /var/run/certs/cdi-uploadserver-client-cert
name: client-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: cdi-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: cdi-uploadproxy
serviceAccountName: cdi-uploadproxy
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: server-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadproxy-server-cert
- name: client-cert
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
secretName: cdi-uploadserver-client-cert


@@ -1,7 +0,0 @@
apiVersion: cdi.kubevirt.io/v1beta1
kind: CDIConfig
metadata:
name: config
spec:
featureGates:
- HonorWaitForFirstConsumer


@@ -1,18 +0,0 @@
apiVersion: cdi.kubevirt.io/v1beta1
kind: CDI
metadata:
name: cdi
spec:
config:
featureGates:
- HonorWaitForFirstConsumer
imagePullPolicy: IfNotPresent
infra:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: CriticalAddonsOnly
operator: Exists
workload:
nodeSelector:
kubernetes.io/os: linux


@@ -1,187 +0,0 @@
resource "kubectl_manifest" "issuer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-selfsigned"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
selfSigned: {}
EOF
}
resource "kubectl_manifest" "cdi-apiserver-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-apiserver-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-apiserver-signer"
secretName: cdi-apiserver-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadproxy-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadproxy-signer"
secretName: cdi-uploadproxy-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadserver-client-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadserver-client-signer"
secretName: cdi-uploadserver-client-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-signer-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cdi-uploadserver-signer
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "cdi-uploadserver-signer"
secretName: cdi-uploadserver-signer
issuerRef:
name: cdi-selfsigned
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-uploadproxy-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-uploadproxy-signer"
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-uploadserver-client-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-uploadserver-client-signer"
EOF
}
resource "kubectl_manifest" "cdi-apiserver-signer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "cdi-apiserver-signer"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "cdi-apiserver-signer"
EOF
}
resource "kubectl_manifest" "cdi-apiserver-server-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-apiserver-server-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- cdi-api
- cdi-api.${var.namespace}
- cdi-api.${var.namespace}.svc
- cdi-api.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: cdi-apiserver-signer
secretName: cdi-apiserver-server-cert
subject:
organizationalUnits:
- cdi-api
EOF
}
resource "kubectl_manifest" "cdi-uploadproxy-server-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-uploadproxy-server-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- cdi-uploadproxy
- cdi-uploadproxy.${var.namespace}
- cdi-uploadproxy.${var.namespace}.svc
- cdi-uploadproxy.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: cdi-uploadproxy-signer
secretName: cdi-uploadproxy-server-cert
subject:
organizationalUnits:
- cdi-uploadproxy
EOF
}
resource "kubectl_manifest" "cdi-uploadserver-client-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "cdi-uploadserver-client-cert"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
usages:
- digital signature
- client auth
commonName: "cdi-uploadserver-client-cert"
issuerRef:
kind: Issuer
name: cdi-uploadserver-client-signer
secretName: cdi-uploadserver-client-cert
subject:
organizationalUnits:
- cdi-uploadserver-client
EOF
}

12
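--- /dev/null
+++ b/virt/cdi/common.tf
@@ -0,0 +1,12 @@
+locals {
+common-labels = {
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+}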

24
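--- /dev/null
+++ b/virt/cdi/cr_CDI.tf
@@ -0,0 +1,24 @@
+resource "kubectl_manifest" "CDI_cdi" {
+yaml_body = <<-EOF
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: CDI
+metadata:
+name: cdi
+labels: ${jsonencode(local.common-labels)}
+spec:
+config:
+featureGates:
+- HonorWaitForFirstConsumer
+imagePullPolicy: IfNotPresent
+infra:
+nodeSelector:
+kubernetes.io/os: linux
+tolerations:
+- key: CriticalAddonsOnly
+operator: Exists
+workload:
+nodeSelector:
+kubernetes.io/os: linux
+EOF
+}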


@@ -1,32 +0,0 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
images {
name = "quay.io/kubevirt/cdi-apiserver"
new_name = "${var.images.apiserver.registry}/${var.images.apiserver.repository}"
new_tag = "${var.images.apiserver.tag}"
}
images {
name = "quay.io/kubevirt/cdi-controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
images {
name = "quay.io/kubevirt/cdi-uploadproxy"
new_name = "${var.images.uploadproxy.registry}/${var.images.uploadproxy.repository}"
new_tag = "${var.images.uploadproxy.tag}"
}
}


@@ -1,6 +0,0 @@
const DEST=dest;
fn pre_install() {
shell(`openssl genrsa -out ${global::DEST}/privatekey.pem 4096`);
shell(`openssl rsa -in ${global::DEST}/privatekey.pem -pubout -out ${global::DEST}/publickey.pem`);
shell(`kubectl get secret -n $NAMESPACE cdi-api-signing-key|| kubectl create secret generic -n $NAMESPACE cdi-api-signing-key --from-file=privatekey.pem=${global::DEST}/privatekey.pem --from-file=publickey.pem=${global::DEST}/publickey.pem`);
}


@@ -6,50 +6,105 @@ metadata:
name: cdi
description: Containerized Data Importer
options:
duration:
default: 87660h
examples:
- 87660h
type: string
images:
default:
apiserver:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
cloner:
registry: quay.io
repository: kubevirt/cdi-cloner
tag: v1.59.0
controller:
registry: quay.io
repository: kubevirt/cdi-controller
tag: v1.59.0
importer:
registry: quay.io
repository: kubevirt/cdi-importer
tag: v1.59.0
operator:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-operator
tag: v1.59.0
uploadproxy:
registry: quay.io
repository: kubevirt/cdi-uploadproxy
tag: v1.59.0
uploadserver:
registry: quay.io
repository: kubevirt/cdi-uploadserver
tag: v1.59.0
examples:
- apiserver:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
cloner:
registry: quay.io
repository: kubevirt/cdi-cloner
tag: v1.59.0
controller:
registry: quay.io
repository: kubevirt/cdi-controller
tag: v1.59.0
importer:
registry: quay.io
repository: kubevirt/cdi-importer
tag: v1.59.0
operator:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-operator
tag: v1.59.0
uploadproxy:
registry: quay.io
repository: kubevirt/cdi-uploadproxy
tag: v1.59.0
uploadserver:
registry: quay.io
repository: kubevirt/cdi-uploadserver
tag: v1.59.0
properties:
apiserver:
default:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-apiserver
tag: v1.59.0
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-apiserver
type: string
tag:
default: v1.59.0
type: string
type: object
cloner:
default:
registry: quay.io
repository: kubevirt/cdi-cloner
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-apiserver
default: kubevirt/cdi-cloner
type: string
tag:
default: v1.59.0
@@ -71,6 +126,46 @@ options:
default: v1.59.0
type: string
type: object
importer:
default:
registry: quay.io
repository: kubevirt/cdi-importer
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-importer
type: string
tag:
default: v1.59.0
type: string
type: object
operator:
default:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/cdi-operator
tag: v1.59.0
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-operator
type: string
tag:
default: v1.59.0
type: string
type: object
uploadproxy:
default:
registry: quay.io
@@ -87,14 +182,24 @@ options:
default: v1.59.0
type: string
type: object
uploadserver:
default:
registry: quay.io
repository: kubevirt/cdi-uploadserver
tag: v1.59.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/cdi-uploadserver
type: string
tag:
default: v1.59.0
type: string
type: object
type: object
dependencies:
- dist: null
category: core
component: cert-manager
- dist: null
category: core
component: secret-generator
- dist: null
category: crd
component: cdi
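Review bot: The new `duration` option at the top of the first hunk says nothing about what it governs, and its default `87660h` is roughly ten years. The cert-manager file removed elsewhere in this commit fed `var.duration` into the `isCA: true` Certificates, so if the relocated certificates still do, every signing CA of this component is valid for a decade by default, which is long enough to deserve being stated where the value is set. A YAML comment above the option would cover it, e.g. `# validity of the cert-manager Certificates, CA signers included; cert-manager duration syntax`. The `options:` mapping begins before this hunk.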


@@ -1,79 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: prometheus-cdi-rules
namespace: "{{ namespace }}"
spec:
groups:
- name: cdi.rules
rules:
- expr: sum(up{namespace='{{ namespace }}', pod=~'cdi-operator-.*'} or vector(0))
record: kubevirt_cdi_operator_up_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'importer-.*', container='importer'} > 3)
record: kubevirt_cdi_import_dv_unusual_restartcount_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'cdi-upload-.*', container='cdi-upload-server'} > 3)
record: kubevirt_cdi_upload_dv_unusual_restartcount_total
- expr: count(kube_pod_container_status_restarts_total{pod=~'.*-source-pod', container='cdi-clone-source'} > 3)
record: kubevirt_cdi_clone_dv_unusual_restartcount_total
- expr: sum(kubevirt_cdi_dataimportcron_outdated or vector(0))
record: kubevirt_cdi_dataimportcron_outdated_total
- alert: CDIOperatorDown
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIOperatorDown
summary: CDI operator is down
expr: kubevirt_cdi_operator_up_total == 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: critical
severity: warning
- alert: CDINotReady
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDINotReady
summary: CDI is not available to use
expr: kubevirt_cdi_cr_ready == 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: critical
severity: warning
- alert: CDIDataVolumeUnusualRestartCount
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIDataVolumeUnusualRestartCount
summary: Cluster has DataVolumes (PVC population request) with an unusual restart count, meaning they are probably failing and need to be investigated
expr: kubevirt_cdi_import_dv_unusual_restartcount_total > 0 or kubevirt_cdi_upload_dv_unusual_restartcount_total > 0 or kubevirt_cdi_clone_dv_unusual_restartcount_total > 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: warning
- alert: CDIStorageProfilesIncomplete
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIStorageProfilesIncomplete
summary: Incomplete StorageProfiles exist, accessMode/volumeMode cannot be inferred by CDI for PVC population request
expr: kubevirt_cdi_incomplete_storageprofiles_total > 0
for: 5m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: info
- alert: CDIDataImportCronOutdated
annotations:
runbook_url: https://kubevirt.io/monitoring/runbooks/CDIDataImportCronOutdated
summary: DataImportCron (recurring polling of VM templates disk image sources, also known as golden images) PVCs are not being updated on the defined schedule
expr: kubevirt_cdi_dataimportcron_outdated_total > 0
for: 15m
labels:
kubernetes_operator_component: containerized-data-importer
kubernetes_operator_part_of: kubevirt
operator_health_impact: warning
severity: info


@@ -1,27 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
openshift.io/cluster-monitoring: ""
prometheus.cdi.kubevirt.io: "true"
name: service-monitor-cdi
namespace: "{{ namespace }}"
spec:
endpoints:
- bearerTokenSecret:
key: ""
port: metrics
scheme: http
tlsConfig:
ca: {}
cert: {}
insecureSkipVerify: true
namespaceSelector:
matchNames:
- "{{ namespace }}"
selector:
matchLabels:
prometheus.cdi.kubevirt.io: "true"

584
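--- /dev/null
+++ b/virt/cdi/operator_rbac.tf
@@ -0,0 +1,584 @@
+resource "kubectl_manifest" "ServiceAccount_cdi-operator" {
+yaml_body = <<-EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+labels: ${jsonencode(local.common-labels)}
+name: cdi-operator
+namespace: ${var.namespace}
+ownerReferences: ${jsonencode(var.install_owner)}
+EOF
+}
+resource "kubectl_manifest" "ClusterRoleBinding_cdi-operator" {
+yaml_body = <<-EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+labels: ${jsonencode(local.common-labels)}
+name: cdi-operator
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: cdi-operator-cluster
+subjects:
+- kind: ServiceAccount
+name: cdi-operator
+namespace: ${var.namespace}
+EOF
+}
+resource "kubectl_manifest" "RoleBinding_cdi-operator" {
+yaml_body = <<-EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+labels: ${jsonencode(local.common-labels)}
+name: cdi-operator
+namespace: ${var.namespace}
+ownerReferences: ${jsonencode(var.install_owner)}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: cdi-operator
+subjects:
+- kind: ServiceAccount
+name: cdi-operator
+namespace: ${var.namespace}
+EOF
+}
+resource "kubectl_manifest" "ClusterRole_cdi-operator-cluster" {
+yaml_body = <<-EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+labels: ${jsonencode(local.common-labels)}
+name: cdi-operator-cluster
+rules:
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- clusterrolebindings
+- clusterroles
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- security.openshift.io
+resources:
+- securitycontextconstraints
+verbs:
+- get
+- list
+- watch
+- update
+- create
+- apiGroups:
+- apiextensions.k8s.io
+resources:
+- customresourcedefinitions
+- customresourcedefinitions/status
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- cdi.kubevirt.io
+- upload.cdi.kubevirt.io
+resources:
+- '*'
+verbs:
+- '*'
+- apiGroups:
+- admissionregistration.k8s.io
+resources:
+- validatingwebhookconfigurations
+- mutatingwebhookconfigurations
+verbs:
+- create
+- list
+- watch
+- apiGroups:
+- admissionregistration.k8s.io
+resourceNames:
+- cdi-api-dataimportcron-validate
+- cdi-api-populator-validate
+- cdi-api-datavolume-validate
+- cdi-api-validate
+- objecttransfer-api-validate
+resources:
+- validatingwebhookconfigurations
+verbs:
+- get
+- update
+- delete
+- apiGroups:
+- admissionregistration.k8s.io
+resourceNames:
+- cdi-api-datavolume-mutate
+- cdi-api-pvc-mutate
+resources:
+- mutatingwebhookconfigurations
+verbs:
+- get
+- update
+- delete
+- apiGroups:
+- apiregistration.k8s.io
+resources:
+- apiservices
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create
+- apiGroups:
+- ''
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- persistentvolumeclaims
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- persistentvolumes
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- storage.k8s.io
+resources:
+- storageclasses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- namespaces
+verbs:
+- get
+- apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- datavolumes
+verbs:
+- list
+- get
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- datasources
+verbs:
+- get
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- volumeclonesources
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- storageprofiles
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- cdis
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- cdiconfigs
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- cdis/finalizers
+verbs:
+- update
+- apiGroups:
+- ''
+resources:
+- events
+verbs:
+- create
+- patch
+- apiGroups:
+- ''
+resources:
+- persistentvolumeclaims
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- deletecollection
+- patch
+- apiGroups:
+- ''
+resources:
+- persistentvolumes
+verbs:
+- get
+- list
+- watch
+- update
+- apiGroups:
+- ''
+resources:
+- persistentvolumeclaims/finalizers
+- pods/finalizers
+verbs:
+- update
+- apiGroups:
+- ''
+resources:
+- pods
+- services
+verbs:
+- get
+- list
+- watch
+- create
+- delete
+- apiGroups:
+- ''
+resources:
+- configmaps
+verbs:
+- get
+- create
+- apiGroups:
+- storage.k8s.io
+resources:
+- storageclasses
+- csidrivers
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- config.openshift.io
+resources:
+- proxies
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- config.openshift.io
+resources:
+- clusterversions
+verbs:
+- get
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- '*'
+verbs:
+- '*'
+- apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+- volumesnapshotclasses
+- volumesnapshotcontents
+verbs:
+- get
+- list
+- watch
+- create
+- delete
+- apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- update
+- deletecollection
+- apiGroups:
+- apiextensions.k8s.io
+resources:
+- customresourcedefinitions
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- scheduling.k8s.io
+resources:
+- priorityclasses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- image.openshift.io
+resources:
+- imagestreams
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- secrets
+verbs:
+- create
+- apiGroups:
+- kubevirt.io
+resources:
+- virtualmachines/finalizers
+verbs:
+- update
+- apiGroups:
+- ''
+resources:
+- persistentvolumeclaims
+verbs:
+- get
+- apiGroups:
+- cdi.kubevirt.io
+resources:
+- dataimportcrons
+verbs:
+- get
+- list
+- update
+EOF
+}
+resource "kubectl_manifest" "Role_cdi-operator" {
+yaml_body = <<-EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+labels: ${jsonencode(local.common-labels)}
+name: cdi-operator
+namespace: ${var.namespace}
+ownerReferences: ${jsonencode(var.install_owner)}
+rules:
+- apiGroups:
+- rbac.authorization.k8s.io
+resources:
+- rolebindings
+- roles
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- ''
+resources:
+- serviceaccounts
+- configmaps
+- events
+- secrets
+- services
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- patch
+- delete
+- apiGroups:
+- apps
+resources:
+- deployments
+- deployments/finalizers
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- route.openshift.io
+resources:
+- routes
+- routes/custom-host
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- apiGroups:
+- config.openshift.io
+resources:
+- proxies
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- monitoring.coreos.com
+resources:
+- servicemonitors
+- prometheusrules
+verbs:
+- get
+- list
+- watch
+- create
+- delete
+- update
+- patch
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- get
+- create
+- update
+- apiGroups:
+- ''
+resources:
+- secrets
+- configmaps
+verbs:
+- get
+- list
+- watch
+- create
+- apiGroups:
+- ''
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- delete
+- apiGroups:
+- ''
+resources:
+- secrets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- batch
+resources:
+- cronjobs
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- deletecollection
+- apiGroups:
+- batch
+resources:
+- jobs
+verbs:
+- create
+- deletecollection
+- list
+- watch
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- get
+- create
+- update
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingresses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- route.openshift.io
+resources:
+- routes
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- configmaps
+verbs:
+- get
+- apiGroups:
+- ''
+resources:
+- services
+- endpoints
+- pods
+verbs:
+- get
+- list
+- watch
+EOF
+}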
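Review bot: `ClusterRole` `cdi-operator-cluster` carries several rules more than once: the `cdi.kubevirt.io` wildcard (`resources: '*'`, `verbs: '*'`) appears early in the list (there together with `upload.cdi.kubevirt.io`) and again near the end, `persistentvolumeclaims` gets get/list/watch in one rule and the full create/update/delete/deletecollection/patch set in a later one, and the `Role` lists the `coordination.k8s.io` `leases` rule twice. This looks like the operator's own permissions concatenated with the permissions it later binds to the CDI component service accounts — an operator has to hold everything it grants, so the superset itself is expected — but the repeats hide which rules are the operator's and make the wildcard and cluster-wide `secrets` `create` grants harder to audit. A comment at the head of each `rules:` list, e.g. `# union of the operator's own rules and every rule it grants to the CDI component service accounts; must stay a superset or the operator's RBAC creates are rejected`, plus removal of the exact duplicates would keep the intent visible.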


@@ -0,0 +1,89 @@
resource "kubectl_manifest" "Deployment_cdi-operator" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
labels: ${jsonencode(local.common-labels)}
name: cdi-operator
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
replicas: 1
selector:
matchLabels:
name: cdi-operator
operator.cdi.kubevirt.io: ''
strategy: {}
template:
metadata:
labels:
cdi.kubevirt.io: cdi-operator
name: cdi-operator
operator.cdi.kubevirt.io: ''
prometheus.cdi.kubevirt.io: 'true'
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: cdi.kubevirt.io
operator: In
values:
- cdi-operator
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- env:
- name: DEPLOY_CLUSTER_RESOURCES
value: 'true'
- name: OPERATOR_VERSION
value: ${var.images.apiserver.tag}
- name: CONTROLLER_IMAGE
value: ${var.images.controller.registry}/${var.images.controller.repository}:${var.images.controller.tag}
- name: IMPORTER_IMAGE
value: ${var.images.importer.registry}/${var.images.importer.repository}:${var.images.importer.tag}
- name: CLONER_IMAGE
value: ${var.images.cloner.registry}/${var.images.cloner.repository}:${var.images.cloner.tag}
- name: APISERVER_IMAGE
value: ${var.images.apiserver.registry}/${var.images.apiserver.repository}:${var.images.apiserver.tag}
- name: UPLOAD_SERVER_IMAGE
value: ${var.images.uploadserver.registry}/${var.images.uploadserver.repository}:${var.images.uploadserver.tag}
- name: UPLOAD_PROXY_IMAGE
value: ${var.images.uploadproxy.registry}/${var.images.uploadproxy.repository}:${var.images.uploadproxy.tag}
- name: VERBOSITY
value: '1'
- name: PULL_POLICY
value: ${var.images.apiserver.pull_policy}
- name: MONITORING_NAMESPACE
image: ${var.images.operator.registry}/${var.images.operator.repository}:${var.images.operator.tag}
imagePullPolicy: ${var.images.operator.pull_policy}
name: cdi-operator
ports:
- containerPort: 8080
name: metrics
protocol: TCP
resources:
requests:
cpu: 100m
memory: 150Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
serviceAccountName: cdi-operator
tolerations:
- key: CriticalAddonsOnly
operator: Exists
EOF
}
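Review bot: `OPERATOR_VERSION` is filled from `var.images.apiserver.tag` while the container on the same pod runs `var.images.operator.*`, so overriding only one of the two tags makes the version the operator reports differ from the binary it runs; `value: ${var.images.operator.tag}` keeps them aligned. `MONITORING_NAMESPACE` is declared without a `value`, which Kubernetes accepts as an empty string; if that is intended, a YAML comment beside it, e.g. `# intentionally unset`, saves the next reader from treating it as a dropped line. The resource is entirely within this hunk.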


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-apiserver
subjects:
- kind: ServiceAccount
name: cdi-apiserver
namespace: "{{ namespace }}"


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-cronjob
subjects:
- kind: ServiceAccount
name: cdi-cronjob
namespace: "{{ namespace }}"


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi
subjects:
- kind: ServiceAccount
name: cdi-sa
namespace: "{{ namespace }}"


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi-uploadproxy
subjects:
- kind: ServiceAccount
name: cdi-uploadproxy
namespace: "{{ namespace }}"


@@ -1,19 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi.kubevirt.io:config-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cdi.kubevirt.io:config-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccount


@@ -1,67 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
rules:
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- list
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- datasources
verbs:
- list
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- cdis
verbs:
- get
- apiGroups:
- cdi.kubevirt.io
resources:
- cdis/finalizers
verbs:
- '*'


@@ -1,18 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- dataimportcrons
verbs:
- get
- list
- update


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
rules:
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get


@@ -1,29 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: cdi.kubevirt.io:admin
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- '*'
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create
- apiGroups:
- upload.cdi.kubevirt.io
resources:
- uploadtokenrequests
verbs:
- '*'


@@ -1,18 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi.kubevirt.io:config-reader
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- cdiconfigs
- storageprofiles
verbs:
- get
- list
- watch


@@ -1,28 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: cdi.kubevirt.io:edit
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes
verbs:
- '*'
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create
- apiGroups:
- upload.cdi.kubevirt.io
resources:
- uploadtokenrequests
verbs:
- '*'


@@ -1,32 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: cdi.kubevirt.io:view
rules:
- apiGroups:
- cdi.kubevirt.io
resources:
- cdiconfigs
- dataimportcrons
- datasources
- datavolumes
- objecttransfers
- storageprofiles
- volumeimportsources
- volumeuploadsources
- volumeclonesources
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- datavolumes/source
verbs:
- create


@@ -1,134 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumes
- persistentvolumeclaims
verbs:
- get
- list
- watch
- create
- update
- delete
- deletecollection
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims/finalizers
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- create
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
- csidrivers
verbs:
- get
- list
- watch
- apiGroups:
- config.openshift.io
resources:
- proxies
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- snapshot.storage.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- list
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- virtualmachines/finalizers
verbs:
- update


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-apiserver
subjects:
- kind: ServiceAccount
name: cdi-apiserver


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-deployment
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-deployment
subjects:
- kind: ServiceAccount
name: cdi-sa


@@ -1,18 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-monitoring
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-monitoring
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: monitoring


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cdi-uploadproxy
subjects:
- kind: ServiceAccount
name: cdi-uploadproxy


@@ -1,17 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- '*'


@@ -1,64 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-deployment
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
- watch


@@ -1,21 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-monitoring
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get


@@ -1,7 +0,0 @@
apiVersion: scheduling.k8s.io/v1
description: This priority class should be used for KubeVirt core components only.
kind: PriorityClass
metadata:
name: cdi-cluster-critical
preemptionPolicy: PreemptLowerPriority
value: 1000000000


@@ -1,8 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
name: cdi-config
namespace: "{{ namespace }}"


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-apiserver
namespace: "{{ namespace }}"


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-cronjob
namespace: "{{ namespace }}"


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-sa
namespace: "{{ namespace }}"


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
name: cdi-uploadproxy
namespace: "{{ namespace }}"


@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-apiserver
name: cdi-api
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
cdi.kubevirt.io: cdi-apiserver
sessionAffinity: None
type: ClusterIP


@@ -1,20 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: ""
prometheus.cdi.kubevirt.io: "true"
name: cdi-prometheus-metrics
namespace: "{{ namespace }}"
spec:
ports:
- name: metrics
port: 8080
protocol: TCP
targetPort: metrics
selector:
prometheus.cdi.kubevirt.io: "true"
sessionAffinity: None
type: ClusterIP


@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: storage
app.kubernetes.io/managed-by: cdi-operator
cdi.kubevirt.io: cdi-uploadproxy
name: cdi-uploadproxy
namespace: "{{ namespace }}"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
cdi.kubevirt.io: cdi-uploadproxy
sessionAffinity: None
type: ClusterIP


@@ -1,124 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-mutator
name: virt-api-mutator
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachines-mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachines-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-mutate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migrations-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vm-clone-mutate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclones-mutator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- clone.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
resources:
- virtualmachineclones
scope: '*'
sideEffects: None
timeoutSeconds: 10


@@ -1,537 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-validator
name: virt-api-validator
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /launcher-eviction-validate
port: 443
failurePolicy: Ignore
matchPolicy: Equivalent
name: virt-launcher-eviction-interceptor.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- '*'
resources:
- pods/eviction
scope: '*'
sideEffects: NoneOnDryRun
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-create-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstances-validate-update
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstances-update-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- UPDATE
resources:
- virtualmachineinstances
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachines-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachine-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinereplicaset-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinereplicaset-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancereplicasets
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinepool-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepool-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- pool.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinepools
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vmipreset-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepreset-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancepresets
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-create-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-validate-update
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-update-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- UPDATE
resources:
- virtualmachineinstancemigrations
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinesnapshots-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinesnapshot-validator.snapshot.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- snapshot.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinesnapshots
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinerestores-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinerestore-validator.snapshot.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- snapshot.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinerestores
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineexports-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineexport-validator.export.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- export.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineexports
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineinstancetypes-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineinstancetype-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstancetypes
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineclusterinstancetypes-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclusterinstancetype-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclusterinstancetypes
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachinepreferences-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachinepreference-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachinepreferences
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /virtualmachineclusterpreferences-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: virtualmachineclusterpreference-validator.instancetype.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- instancetype.kubevirt.io
apiVersions:
- v1alpha1
- v1alpha2
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclusterpreferences
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /status-validate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: kubevirt-crd-status-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- kubevirt.io
apiVersions:
- v1alpha3
- v1
operations:
- CREATE
- UPDATE
resources:
- virtualmachines/status
- virtualmachineinstancereplicasets/status
- virtualmachineinstancemigrations/status
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /migration-policy-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: migration-policy-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- migrations.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- migrationpolicies
scope: '*'
sideEffects: None
timeoutSeconds: 10
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: virt-api
namespace: "{{ namespace }}"
path: /vm-clone-validate-create
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: vm-clone-validator.kubevirt.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- clone.kubevirt.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- virtualmachineclones
scope: '*'
sideEffects: None
timeoutSeconds: 10


@@ -1,19 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-aggregator
name: v1.subresources.kubevirt.io
spec:
group: subresources.kubevirt.io
groupPriorityMinimum: 1000
service:
name: virt-api
namespace: "{{ namespace }}"
port: 443
version: v1
versionPriority: 15


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.clone.kubevirt.io
spec:
group: clone.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.export.kubevirt.io
spec:
group: export.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.migrations.kubevirt.io
spec:
group: migrations.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.pool.kubevirt.io
spec:
group: pool.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha1.snapshot.kubevirt.io
spec:
group: snapshot.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha1
versionPriority: 100


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1alpha2.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1alpha2
versionPriority: 100


@@ -1,19 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs"
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-api-aggregator
name: v1alpha3.subresources.kubevirt.io
spec:
group: subresources.kubevirt.io
groupPriorityMinimum: 1000
service:
name: virt-api
namespace: "{{ namespace }}"
port: 443
version: v1alpha3
versionPriority: 15


@@ -1,11 +0,0 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
kube-aggregator.kubernetes.io/automanaged: "true"
name: v1beta1.instancetype.kubevirt.io
spec:
group: instancetype.kubevirt.io
groupPriorityMinimum: 1000
version: v1beta1
versionPriority: 100


@@ -1,209 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-handler
name: virt-handler
namespace: "{{ namespace }}"
spec:
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-handler
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-handler
prometheus.kubevirt.io: "true"
name: virt-handler
spec:
containers:
- args:
- --port
- "8443"
- --hostname-override
- $(NODE_NAME)
- --pod-ip-address
- $(MY_POD_IP)
- --max-metric-requests
- "3"
- --console-server-port
- "8186"
- --graceful-shutdown-seconds
- "315"
- -v
- "2"
command:
- virt-handler
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: MY_POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
image: quay.io/kubevirt/virt-handler@sha256:138dfda5fea8622f3da0d6413fe214fef80c2fd6a6f9533592a0dbfa7e1865b5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 45
successThreshold: 1
timeoutSeconds: 10
name: virt-handler
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 325Mi
securityContext:
privileged: true
seLinuxOptions:
level: s0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-handler/clientcertificates
name: kubevirt-virt-handler-certs
readOnly: true
- mountPath: /etc/virt-handler/servercertificates
name: kubevirt-virt-handler-server-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
- mountPath: /var/run/kubevirt-libvirt-runtimes
name: libvirt-runtimes
- mountPath: /var/run/kubevirt
mountPropagation: Bidirectional
name: virt-share-dir
- mountPath: /var/lib/kubevirt
name: virt-lib-dir
- mountPath: /var/run/kubevirt-private
name: virt-private-dir
- mountPath: /var/lib/kubelet/device-plugins
name: device-plugin
- mountPath: /pods
name: kubelet-pods-shortened
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: kubelet-pods
- mountPath: /var/lib/kubevirt-node-labeller
name: node-labeller
- mountPath: /etc/podinfo
name: podinfo
dnsPolicy: ClusterFirst
hostPID: true
initContainers:
- args:
- node-labeller.sh
command:
- /bin/sh
- -c
image: quay.io/kubevirt/virt-launcher@sha256:4c5fce3de2e2589197de72fb0c9436490ea318aca952c05a622c43e067023f35
imagePullPolicy: IfNotPresent
name: virt-launcher
resources: {}
securityContext:
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/kubevirt-node-labeller
name: node-labeller
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: kubevirt-handler
serviceAccountName: kubevirt-handler
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-virt-handler-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-certs
- name: kubevirt-virt-handler-server-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-server-certs
- emptyDir: {}
name: profile-data
- hostPath:
path: /var/run/kubevirt-libvirt-runtimes
type: ""
name: libvirt-runtimes
- hostPath:
path: /var/run/kubevirt
type: ""
name: virt-share-dir
- hostPath:
path: /var/lib/kubevirt
type: ""
name: virt-lib-dir
- hostPath:
path: /var/run/kubevirt-private
type: ""
name: virt-private-dir
- hostPath:
path: /var/lib/kubelet/device-plugins
type: ""
name: device-plugin
- hostPath:
path: /var/lib/kubelet/pods
type: ""
name: kubelet-pods-shortened
- hostPath:
path: /var/lib/kubelet/pods
type: ""
name: kubelet-pods
- hostPath:
path: /var/lib/kubevirt-node-labeller
type: ""
name: node-labeller
- downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations['k8s.v1.cni.cncf.io/network-status']
path: network-status
name: podinfo
updateStrategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate


@@ -1,127 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/name: virt-api
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-api
name: virt-api
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-api
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-api
prometheus.kubevirt.io: "true"
name: virt-api
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-api
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --port
- "8443"
- --console-server-port
- "8186"
- --subresources-only
- -v
- "2"
command:
- virt-api
image: quay.io/kubevirt/virt-api@sha256:707003b221496b4432da2f507d1e36e528b45888b5d321e06d460f0678da44ae
imagePullPolicy: IfNotPresent
name: virt-api
ports:
- containerPort: 8443
name: virt-api
protocol: TCP
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /apis/subresources.kubevirt.io/v1/healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 5m
memory: 500Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-api/certificates
name: kubevirt-virt-api-certs
readOnly: true
- mountPath: /etc/virt-handler/clientcertificates
name: kubevirt-virt-handler-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccount: kubevirt-apiserver
serviceAccountName: kubevirt-apiserver
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-virt-api-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-api-certs
- name: kubevirt-virt-handler-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-virt-handler-certs
- emptyDir: {}
name: profile-data


@@ -1,135 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/name: virt-controller
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-controller
name: virt-controller
namespace: "{{ namespace }}"
spec:
progressDeadlineSeconds: 600
replicas: 2
revisionHistoryLimit: 10
selector:
matchLabels:
kubevirt.io: virt-controller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
app.kubernetes.io/version: v1.0.1
kubevirt.io: virt-controller
prometheus.kubevirt.io: "true"
name: virt-controller
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-controller
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --launcher-image
- quay.io/kubevirt/virt-launcher@sha256:4c5fce3de2e2589197de72fb0c9436490ea318aca952c05a622c43e067023f35
- --exporter-image
- quay.io/kubevirt/virt-exportserver@sha256:73311f79a9c71007f8572b3cc40cd6f6da404c7ef0a9c6509fb717d979546582
- --port
- "8443"
- -v
- "2"
command:
- virt-controller
image: quay.io/kubevirt/virt-controller@sha256:0789fafed2913b35a771e3db882748502b3250be04ece86d97f30201779b4e54
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
name: virt-controller
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /leader
port: 8443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 275Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/virt-controller/certificates
name: kubevirt-controller-certs
readOnly: true
- mountPath: /etc/virt-controller/exportca
name: kubevirt-export-ca
readOnly: true
- mountPath: /profile-data
name: profile-data
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccount: kubevirt-controller
serviceAccountName: kubevirt-controller
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-controller-certs
secret:
defaultMode: 420
optional: true
secretName: kubevirt-controller-certs
- name: kubevirt-export-ca
secret:
defaultMode: 420
optional: true
secretName: kubevirt-export-ca
- emptyDir: {}
name: profile-data


@@ -1,209 +0,0 @@
resource "kubectl_manifest" "issuer" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-selfsigned"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
selfSigned: {}
EOF
}
resource "kubectl_manifest" "kubevirt-ca-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kubevirt-ca
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "kubevirt-ca"
secretName: kubevirt-ca
issuerRef:
name: kubevirt-selfsigned
EOF
}
resource "kubectl_manifest" "kubevirt-export-ca-cert" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kubevirt-export-ca
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
isCA: true
duration: "${var.duration}"
commonName: "kubevirt-export-ca"
secretName: kubevirt-export-ca
issuerRef:
name: kubevirt-selfsigned
EOF
}
resource "kubectl_manifest" "kubevirt-export-ca" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-export-ca"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "kubevirt-export-ca"
EOF
}
resource "kubectl_manifest" "kubevirt-ca" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "kubevirt-ca"
namespace: ${var.namespace}
labels: ${jsonencode(local.common-labels)}
spec:
ca:
secretName: "kubevirt-ca"
EOF
}
resource "kubectl_manifest" "kubevirt-virt-api-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-api-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-api
- virt-api.${var.namespace}
- virt-api.${var.namespace}.svc
- virt-api.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-api-certs
subject:
organizationalUnits:
- kubevirt-virt-api
EOF
}
resource "kubectl_manifest" "kubevirt-controller-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-controller-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-controller
- virt-controller.${var.namespace}
- virt-controller.${var.namespace}.svc
- virt-controller.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-controller-certs
subject:
organizationalUnits:
- kubevirt-virt-controller
EOF
}
resource "kubectl_manifest" "kubevirt-exportproxy-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-exportproxy-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-exportproxy
- virt-exportproxy.${var.namespace}
- virt-exportproxy.${var.namespace}.svc
- virt-exportproxy.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-exportproxy-certs
subject:
organizationalUnits:
- kubevirt-virt-controller
EOF
}
resource "kubectl_manifest" "kubevirt-operator-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-operator-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- kubevirt-operator-webhook
- kubevirt-operator-webhook.${var.namespace}
- kubevirt-operator-webhook.${var.namespace}.svc
- kubevirt-operator-webhook.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-operator-certs
subject:
organizationalUnits:
- kubevirt-operator-webhook
EOF
}
resource "kubectl_manifest" "kubevirt-virt-handler-server-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-handler-server-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
dnsNames:
- virt-handler
- virt-handler.${var.namespace}
- virt-handler.${var.namespace}.svc
- virt-handler.${var.namespace}.svc.cluster.local
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-handler-server-certs
subject:
organizationalUnits:
- kubevirt-virt-handler
EOF
}
resource "kubectl_manifest" "kubevirt-virt-handler-certs" {
yaml_body = <<-EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "kubevirt-virt-handler-certs"
labels: ${jsonencode(local.common-labels)}
namespace: ${var.namespace}
spec:
usages:
- digital signature
- client auth
commonName: "kubevirt-virt-handler-certs"
issuerRef:
kind: Issuer
name: kubevirt-ca
secretName: kubevirt-virt-handler-certs
subject:
organizationalUnits:
- kubevirt-virt-handler-certs
EOF
}

12
virt/kubevirt/common.tf Normal file

@@ -0,0 +1,12 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}


@@ -0,0 +1,20 @@
resource "kubectl_manifest" "KubeVirt_kubevirt" {
yaml_body = <<-EOF
apiVersion: kubevirt.io/v1
kind: KubeVirt
metadata:
name: kubevirt
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
labels: ${jsonencode(local.common-labels)}
spec:
certificateRotateStrategy: {}
configuration:
developerConfiguration:
featureGates: []
customizeComponents: {}
imagePullPolicy: IfNotPresent
workloadUpdateStrategy: {}
EOF
}
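Review bot: `certificateRotateStrategy: {}` leaves the lifetimes of the operator's self-signed CA and server certificates at their defaults, while this same commit deletes the cert-manager Issuer/Certificate resources and the `duration` option that previously controlled them, so that knob silently disappears. If certificate lifetime still needs to be operator-configurable it belongs here, via `certificateRotateStrategy.selfSigned` (`ca.duration`, `server.duration`, `caOverlapInterval`) — confirm the field names against the v1.3.1 KubeVirt API before wiring an option to them. A one-line comment above the resource such as `# TLS for all KubeVirt components is now generated and rotated by virt-operator; cert-manager is no longer involved` would save the next reader from hunting for the removed Certificate objects. `featureGates: []` is a reasonable conservative default, but is worth a short comment marking it as the single place to opt into feature gates rather than patching rendered manifests.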


@@ -1,52 +0,0 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
images {
name = "quay.io/kubevirt/virt-handler"
new_name = "${var.images.handler.registry}/${var.images.handler.repository}"
new_tag = "${var.images.handler.tag}"
}
images {
name = "quay.io/kubevirt/virt-api"
new_name = "${var.images.api.registry}/${var.images.api.repository}"
new_tag = "${var.images.api.tag}"
}
images {
name = "quay.io/kubevirt/virt-controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
patches {
target {
kind = "Deployment"
name = "virt-controller"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.controller.pull_policy}"
- op: replace
path: /spec/template/spec/containers/0/image
value: "${var.images.controller.registry}/${var.images.controller.repository}:${var.images.controller.tag}"
- op: replace
path: /spec/template/spec/containers/0/args/1
value: "${var.images.launcher.registry}/${var.images.launcher.repository}:${var.images.launcher.tag}"
- op: replace
path: /spec/template/spec/containers/0/args/3
value: "${var.images.exportserver.registry}/${var.images.exportserver.repository}:${var.images.exportserver.tag}"
EOF
}
}


@@ -6,79 +6,26 @@ metadata:
name: kubevirt
description: null
options:
duration:
default: 87660h
examples:
- 87660h
type: string
images:
default:
api:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
controller:
operator:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
exportserver:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
handler:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
launcher:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
repository: kubevirt/virt-operator
tag: v1.3.1
examples:
- api:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
controller:
- operator:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
exportserver:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
handler:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
launcher:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
repository: kubevirt/virt-operator
tag: v1.3.1
properties:
api:
default:
registry: quay.io
repository: kubevirt/virt-api
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-api
type: string
tag:
default: v1.2.0
type: string
type: object
controller:
operator:
default:
pull_policy: IfNotPresent
registry: quay.io
repository: kubevirt/virt-controller
tag: v1.2.0
repository: kubevirt/virt-operator
tag: v1.3.1
properties:
pull_policy:
default: IfNotPresent
@@ -91,65 +38,14 @@ options:
default: quay.io
type: string
repository:
default: kubevirt/virt-controller
default: kubevirt/virt-operator
type: string
tag:
default: v1.2.0
type: string
type: object
exportserver:
default:
registry: quay.io
repository: kubevirt/virt-exportserver
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-exportserver
type: string
tag:
default: v1.2.0
type: string
type: object
handler:
default:
registry: quay.io
repository: kubevirt/virt-handler
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-handler
type: string
tag:
default: v1.2.0
type: string
type: object
launcher:
default:
registry: quay.io
repository: kubevirt/virt-launcher
tag: v1.2.0
properties:
registry:
default: quay.io
type: string
repository:
default: kubevirt/virt-launcher
type: string
tag:
default: v1.2.0
default: v1.3.1
type: string
type: object
type: object
dependencies:
- dist: null
category: core
component: cert-manager
- dist: null
category: crd
component: kubevirt
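Review bot: The operator image is now the only image option and it is addressed by a mutable tag (`tag: v1.3.1`) with `pull_policy: IfNotPresent` as the default, so whatever a node already holds under that tag is what runs; if virt-operator derives the other component images from `KUBEVIRT_VERSION` as the Deployment env suggests, those inherit the same weakness. Consider an optional `digest` string property that, when set, is rendered as `repository@sha256:...`, or at least document in the option description when `Always` should be used. The `dependencies` list still names `cert-manager` although this commit removes every Issuer and Certificate resource; if those lines are unchanged context, the dependency looks stale and should either be dropped or its remaining purpose recorded in a comment. `description: null` is also left empty for a user-facing component.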


@@ -0,0 +1,13 @@
resource "kubectl_manifest" "PriorityClass_kubevirt-cluster-critical" {
yaml_body = <<-EOF
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: kubevirt-cluster-critical
labels: ${jsonencode(local.common-labels)}
value: 1000000000
globalDefault: false
description: This priority class should be used for core kubevirt components only.
EOF
}



@@ -0,0 +1,108 @@
resource "kubectl_manifest" "Deployment_virt-operator" {
yaml_body = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
labels: ${jsonencode(local.common-labels)}
name: virt-operator
namespace: ${var.namespace}
ownerReferences: ${jsonencode(var.install_owner)}
spec:
replicas: 1
selector:
matchLabels:
kubevirt.io: virt-operator
strategy:
type: RollingUpdate
template:
metadata:
labels:
kubevirt.io: virt-operator
name: virt-operator
prometheus.kubevirt.io: 'true'
name: virt-operator
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-operator
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --port
- '8443'
- -v
- '2'
command:
- virt-operator
env:
- name: VIRT_OPERATOR_IMAGE
value: ${var.images.operator.registry}/${var.images.operator.repository}:${var.images.operator.tag}
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: KUBEVIRT_VERSION
value: ${var.images.operator.tag}
image: ${var.images.operator.registry}/${var.images.operator.repository}:${var.images.operator.tag}
imagePullPolicy: ${var.images.operator.pull_policy}
name: virt-operator
ports:
- containerPort: 8443
name: metrics
protocol: TCP
- containerPort: 8444
name: webhooks
protocol: TCP
readinessProbe:
httpGet:
path: /metrics
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 450Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/virt-operator/certificates
name: kubevirt-operator-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: kubevirt-operator
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-operator-certs
secret:
optional: true
secretName: kubevirt-operator-certs
- emptyDir: {}
name: profile-data
EOF
}
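Review bot: `WATCH_NAMESPACE` is sourced from `metadata.annotations['olm.targetNamespaces']`, but the pod template in this resource carries no annotations at all, so the downward-API reference resolves to an empty string; that wiring comes from the OLM bundle and has no meaning for a plain Deployment. If an unset value is the intended scope, drop those four `env` lines; otherwise set it explicitly with `value: ${var.namespace}` rather than referencing an annotation that is never set. Separately, the `kubevirt-operator-certs` secret is mounted `optional: true` and the cert-manager Certificate that used to produce it is deleted in this commit, so the webhook on port 8444 now relies on virt-operator generating its own certificates — a comment on the volume stating that (`# populated by virt-operator's self-signed CA, not cert-manager`) would make the dependency explicit. With `runAsNonRoot` and dropped capabilities already in place, `readOnlyRootFilesystem: true` is the remaining hardening gap, which looks feasible since `/profile-data` is the only writable mount; confirm the operator writes nowhere else.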


@@ -1,14 +0,0 @@
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: virt-controller-pdb
name: virt-controller-pdb
namespace: "{{ namespace }}"
spec:
minAvailable: 1
selector:
matchLabels:
kubevirt.io: virt-controller


@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: kubevirt
app.kubernetes.io/managed-by: virt-operator
kubevirt.io: ""
name: kubevirt-apiserver-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: kubevirt-apiserver
namespace: "{{ namespace }}"
