diff --git a/crds/embedded/cdi.yaml b/crds/embedded/cdi.yaml
index 1f1de8316..af3ef6f6d 100644
--- a/crds/embedded/cdi.yaml
+++ b/crds/embedded/cdi.yaml
@@ -3,17 +3,19 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.13.0 - name: cdis.x.virtualization.deckhouse.io + name: dvpinternalcdis.internal.virtualization.deckhouse.io spec: - group: x.virtualization.deckhouse.io + group: internal.virtualization.deckhouse.io names: - kind: CDI - listKind: CDIList - plural: cdis + categories: + - dvpinternal + kind: DVPInternalCDI + listKind: DVPInternalCDIList + plural: dvpinternalcdis shortNames: - - xcdi - - xcdis - singular: cdi + - dvpcdi + - dvpcdis + singular: dvpinternalcdi scope: Cluster versions: - additionalPrinterColumns:
diff --git a/crds/embedded/kubevirt.yaml b/crds/embedded/kubevirt.yaml
index ec52253f0..5ced54ae6 100644
--- a/crds/embedded/kubevirt.yaml
+++ b/crds/embedded/kubevirt.yaml
@@ -1,25 +1,28 @@ # Source: # https://github.com/kubevirt/kubevirt/releases/download/v1.0.0/kubevirt-operator.yaml # Changes: +# - 2024.04.16 +# - Add prefixes xinternal, XInternal # - 2023.12.12 # - Add x.virtualization.deckhouse prefix # - Remove short names. # - Remove all category, add kubevirt category. + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: operator.kubevirt.io: "" - name: kubevirts.x.virtualization.deckhouse.io + name: dvpinternalkubevirts.internal.virtualization.deckhouse.io spec: - group: x.virtualization.deckhouse.io + group: internal.virtualization.deckhouse.io names: categories: - - kubevirt - kind: KubeVirt - plural: kubevirts - singular: kubevirt + - dvpinternal + kind: DVPInternalKubeVirt + plural: dvpinternalkubevirts + singular: dvpinternalkubevirt scope: Namespaced versions: - additionalPrinterColumns:
diff --git a/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go
index b0446f7b6..7f4a401bb 100644
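Review bot: The change-log entry added at the top of crds/embedded/kubevirt.yaml says `# - Add prefixes xinternal, XInternal`, but the hunk below renames the CRD to `dvpinternalkubevirts` / `DVPInternalKubeVirt` in group `internal.virtualization.deckhouse.io`, so the note documents a name that never landed; make it `# - Add prefixes dvpinternal, DVPInternal; move to internal.virtualization.deckhouse.io group`. The same hunk swaps the `kubevirt` category for `dvpinternal`, which reverses the 2023.12.12 entry (`Remove all category, add kubevirt category`) and deserves its own line in the log. The cdi.yaml hunk above makes the equivalent rename plus the new `dvpcdi`/`dvpcdis` short names with no change log at all; since both files are hand-edited copies of upstream CRDs, a matching `# Changes:` header in cdi.yaml would make the next upstream rebase reproducible.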
--- a/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go
+++ b/images/kube-api-proxy/pkg/kubevirt/kubevirt_rules.go
@@ -5,11 +5,11 @@ import (
 )
 var KubevirtRewriteRules = &RewriteRules{
- KindPrefix: "", // KV
- ResourceTypePrefix: "", // kv
- ShortNamePrefix: "x",
+ KindPrefix: "DVPInternal", // KV
+ ResourceTypePrefix: "dvpinternal", // kv
+ ShortNamePrefix: "dvp",
 Categories: []string{"kubevirt"},
- RenamedGroup: "x.virtualization.deckhouse.io",
+ RenamedGroup: "internal.virtualization.deckhouse.io",
 Rules: KubevirtAPIGroupsRules,
 Webhooks: KubevirtWebhooks,
 }
diff --git a/images/kube-api-proxy/pkg/rewriter/target_request.go b/images/kube-api-proxy/pkg/rewriter/target_request.go
index e0408f629..d38c7b751 100644
--- a/images/kube-api-proxy/pkg/rewriter/target_request.go
+++ b/images/kube-api-proxy/pkg/rewriter/target_request.go
@@ -136,6 +136,11 @@ func (tr *TargetRequest) ShouldRewriteRequest() bool {
 return true
 }
+ // Rewrite request body when creating CRD.
+ if tr.originEndpoint.ResourceType == "customresourcedefinitions" && tr.originEndpoint.Name == "" {
+ return true
+ }
+ + // Should not rewrite request if path is not rewritten.
 return false
 }
diff --git a/images/pre-delete-hook/entrypoint.sh b/images/pre-delete-hook/entrypoint.sh
index ef787561f..b0a404abc 100644
--- a/images/pre-delete-hook/entrypoint.sh
+++ b/images/pre-delete-hook/entrypoint.sh
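Review bot: `Categories: []string{"kubevirt"}` is left untouched while the embedded CRDs in this same commit (crds/embedded/cdi.yaml, crds/embedded/kubevirt.yaml) drop the `kubevirt` category in favour of `dvpinternal`; if this field is the category name the proxy translates between origin and target, the rules and the installed CRDs now disagree and category-based listing will miss the renamed resources. Either set `Categories: []string{"dvpinternal"},` here or keep `kubevirt` in the CRDs, but the two must match. The `// KV` and `// kv` comments on KindPrefix and ResourceTypePrefix were placeholders from when both prefixes were empty and now say nothing useful; replace them with what the prefix produces, e.g. `// KubeVirt -> DVPInternalKubeVirt` and `// kubevirts -> dvpinternalkubevirts`, or delete them.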
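Review bot: The added condition fires for every request whose origin path is the `customresourcedefinitions` collection with no name, which includes LIST, WATCH and DELETECOLLECTION as well as the CREATE the comment describes, so the body rewriter now runs on requests that carry no CRD body at all. Gate it on the HTTP method too, if TargetRequest records one (e.g. `&& <request method field> == http.MethodPost`), or reword the comment to say that all unnamed CRD-collection requests are rewritten. Matching on ResourceType alone also treats a `customresourcedefinitions` resource in any group alike; comparing the origin group to `apiextensions.k8s.io` would make the intent explicit. ShouldRewriteRequest begins before this hunk.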
@@ -1,7 +1,14 @@
 #!/bin/bash
 set -eu -o pipefail
-kubectl delete -n d8-virtualization kubevirts.x.virtualization.deckhouse.io kubevirt
-kubectl delete cdis.x.virtualization.deckhouse.io cdi
-kubectl wait --for=delete cdis.x.virtualization.deckhouse.io cdi --timeout=180s
-kubectl wait --for=delete -n d8-virtualization kubevirts.x.virtualization.deckhouse.io kubevirt --timeout=180s
+KUBEVIRT_RESOURCE="dvpinternalkubevirts.internal.virtualization.deckhouse.io"
+echo "Delete Kubevirt configuration ..."
+kubectl delete -n d8-virtualization ${KUBEVIRT_RESOURCE} kubevirt || true
+echo "Wait for Kubevirt deletion ..."
+kubectl wait --for=delete -n d8-virtualization ${KUBEVIRT_RESOURCE} kubevirt --timeout=180s || true
+
+CDI_RESOURCE="dvpinternalcdis.internal.virtualization.deckhouse.io"
+echo "Delete CDI configuration ..."
+kubectl delete ${CDI_RESOURCE} cdi || true
+echo "Wait for CDI deletion ..."
+kubectl wait --for=delete ${CDI_RESOURCE} cdi --timeout=180s || true
diff --git a/images/virtualization-artifact/cmd/virtualization-controller/main.go b/images/virtualization-artifact/cmd/virtualization-controller/main.go
index 83e8750e9..5695c727f 100644
--- a/images/virtualization-artifact/cmd/virtualization-controller/main.go
+++ b/images/virtualization-artifact/cmd/virtualization-controller/main.go
@@ -11,9 +11,7 @@ import (
 "go.uber.org/zap/zapcore"
 extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 apiruntime "k8s.io/apimachinery/pkg/runtime"
- apiruntimeschema "k8s.io/apimachinery/pkg/runtime/schema"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 virtv1 "kubevirt.io/api/core/v1"
 cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
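Review bot: Appending `|| true` to all four kubectl calls defeats the `set -eu -o pipefail` on line 2: the hook now exits 0 when the delete was never issued (RBAC denied, API unreachable, misspelled resource) and when `kubectl wait` gives up after 180s, so the KubeVirt/CDI objects and their finalizers can be left behind while the chart uninstall proceeds as if cleanup succeeded. The only failure this script should tolerate is the object already being gone, which `--ignore-not-found` expresses precisely: `kubectl delete -n d8-virtualization "${KUBEVIRT_RESOURCE}" kubevirt --ignore-not-found` and `kubectl delete "${CDI_RESOURCE}" cdi --ignore-not-found`. Let the wait lines fail loudly, or if a best-effort wait is intended, echo the error before continuing rather than discarding it. Quoting the variables also guards against word splitting if the resource name is ever parameterised.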
@@ -47,9 +45,9 @@ var (
 )
 const (
- defaultVerbosity = "1"
- kubevirtCoreGroupName = "x.virtualization.deckhouse.io"
- cdiCoreGroupName = "x.virtualization.deckhouse.io"
+ defaultVerbosity = "1"
+ //kubevirtCoreGroupName = "x.virtualization.deckhouse.io"
+ //cdiCoreGroupName = "x.virtualization.deckhouse.io"
 )
 func init() {
@@ -57,8 +55,8 @@ func init() {
 uploaderImage = getRequiredEnvVar(common.UploaderPodImageNameVar)
 controllerNamespace = getRequiredEnvVar(common.PodNamespaceVar)
- overrideKubevirtCoreGroupName(kubevirtCoreGroupName)
- overrideCDICoreGroupName(cdiCoreGroupName)
+ //overrideKubevirtCoreGroupName(kubevirtCoreGroupName)
+ //overrideCDICoreGroupName(cdiCoreGroupName)
 }
 func setupLogger() {
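Review bot: The removed group override is kept as `//`-commented code in the const block, in init(), and across the three functions in hunk `@@ -99,60 +97,60 @@` below, rather than deleted; git already holds the history, and the commented copies cannot be uncommented as-is because this commit also drops the `metav1` and `apiruntimeschema` imports they reference, so they will only rot. Delete the commented lines and, if the override is expected to return, leave one sentence in their place: `// Group override removed: the kube-api-proxy sidecar now rewrites the API group on the wire (see images/kube-api-proxy).` With the override gone the scheme registers `virtv1`/`cdiv1beta1` under their upstream groups, so the controller presumably depends entirely on the proxy for every request; the deployment template that must wire that in is cut off at the end of this diff and is worth checking.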
@@ -99,60 +97,60 @@ func getRequiredEnvVar(name string) string {
 return val
 }
-func overrideKubevirtCoreGroupName(groupName string) {
- virtv1.GroupVersion.Group = groupName
- virtv1.SchemeGroupVersion.Group = groupName
- virtv1.StorageGroupVersion.Group = groupName
- for i := range virtv1.GroupVersions {
- virtv1.GroupVersions[i].Group = groupName
- }
-
- virtv1.VirtualMachineInstanceGroupVersionKind.Group = groupName
- virtv1.VirtualMachineInstanceReplicaSetGroupVersionKind.Group = groupName
- virtv1.VirtualMachineInstancePresetGroupVersionKind.Group = groupName
- virtv1.VirtualMachineGroupVersionKind.Group = groupName
- virtv1.VirtualMachineInstanceMigrationGroupVersionKind.Group = groupName
- virtv1.KubeVirtGroupVersionKind.Group = groupName
-
- virtv1.SchemeBuilder = apiruntime.NewSchemeBuilder(virtv1.AddKnownTypesGenerator([]apiruntimeschema.GroupVersion{virtv1.GroupVersion}))
- virtv1.AddToScheme = virtv1.SchemeBuilder.AddToScheme
-}
-
-func overrideCDICoreGroupName(groupName string) {
- cdiv1beta1.SchemeGroupVersion.Group = groupName
- cdiv1beta1.CDIGroupVersionKind.Group = groupName
-
- cdiv1beta1.SchemeBuilder = apiruntime.NewSchemeBuilder(addKnownTypes)
- cdiv1beta1.AddToScheme = cdiv1beta1.SchemeBuilder.AddToScheme
-}
+//func overrideKubevirtCoreGroupName(groupName string) {
+// virtv1.GroupVersion.Group = groupName
+// virtv1.SchemeGroupVersion.Group = groupName
+// virtv1.StorageGroupVersion.Group = groupName
+// for i := range virtv1.GroupVersions {
+// virtv1.GroupVersions[i].Group = groupName
+// }
+//
+// virtv1.VirtualMachineInstanceGroupVersionKind.Group = groupName
+// virtv1.VirtualMachineInstanceReplicaSetGroupVersionKind.Group = groupName
+// virtv1.VirtualMachineInstancePresetGroupVersionKind.Group = groupName
+// virtv1.VirtualMachineGroupVersionKind.Group = groupName
+// virtv1.VirtualMachineInstanceMigrationGroupVersionKind.Group = groupName
+// virtv1.KubeVirtGroupVersionKind.Group = groupName
+//
+// virtv1.SchemeBuilder =
apiruntime.NewSchemeBuilder(virtv1.AddKnownTypesGenerator([]apiruntimeschema.GroupVersion{virtv1.GroupVersion}))
+// virtv1.AddToScheme = virtv1.SchemeBuilder.AddToScheme
+//}
+
+//func overrideCDICoreGroupName(groupName string) {
+// cdiv1beta1.SchemeGroupVersion.Group = groupName
+// cdiv1beta1.CDIGroupVersionKind.Group = groupName
+//
+// cdiv1beta1.SchemeBuilder = apiruntime.NewSchemeBuilder(addKnownTypes)
+// cdiv1beta1.AddToScheme = cdiv1beta1.SchemeBuilder.AddToScheme
+//}
 // Adds the list of known types to Scheme.
-func addKnownTypes(scheme *apiruntime.Scheme) error {
- scheme.AddKnownTypes(cdiv1beta1.SchemeGroupVersion,
- &cdiv1beta1.DataVolume{},
- &cdiv1beta1.DataVolumeList{},
- &cdiv1beta1.CDIConfig{},
- &cdiv1beta1.CDIConfigList{},
- &cdiv1beta1.CDI{},
- &cdiv1beta1.CDIList{},
- &cdiv1beta1.StorageProfile{},
- &cdiv1beta1.StorageProfileList{},
- &cdiv1beta1.DataSource{},
- &cdiv1beta1.DataSourceList{},
- &cdiv1beta1.DataImportCron{},
- &cdiv1beta1.DataImportCronList{},
- &cdiv1beta1.ObjectTransfer{},
- &cdiv1beta1.ObjectTransferList{},
- &cdiv1beta1.VolumeImportSource{},
- &cdiv1beta1.VolumeImportSourceList{},
- &cdiv1beta1.VolumeUploadSource{},
- &cdiv1beta1.VolumeUploadSourceList{},
- &cdiv1beta1.VolumeCloneSource{},
- &cdiv1beta1.VolumeCloneSourceList{},
- )
- metav1.AddToGroupVersion(scheme, cdiv1beta1.SchemeGroupVersion)
- return nil
-}
+//func addKnownTypes(scheme *apiruntime.Scheme) error {
+// scheme.AddKnownTypes(cdiv1beta1.SchemeGroupVersion,
+// &cdiv1beta1.DataVolume{},
+// &cdiv1beta1.DataVolumeList{},
+// &cdiv1beta1.CDIConfig{},
+// &cdiv1beta1.CDIConfigList{},
+// &cdiv1beta1.CDI{},
+// &cdiv1beta1.CDIList{},
+// &cdiv1beta1.StorageProfile{},
+// &cdiv1beta1.StorageProfileList{},
+// &cdiv1beta1.DataSource{},
+// &cdiv1beta1.DataSourceList{},
+// &cdiv1beta1.DataImportCron{},
+// &cdiv1beta1.DataImportCronList{},
+// &cdiv1beta1.ObjectTransfer{},
+// &cdiv1beta1.ObjectTransferList{},
+// &cdiv1beta1.VolumeImportSource{},
+//
&cdiv1beta1.VolumeImportSourceList{},
+// &cdiv1beta1.VolumeUploadSource{},
+// &cdiv1beta1.VolumeUploadSourceList{},
+// &cdiv1beta1.VolumeCloneSource{},
+// &cdiv1beta1.VolumeCloneSourceList{},
+// )
+// metav1.AddToGroupVersion(scheme, cdiv1beta1.SchemeGroupVersion)
+// return nil
+//}
 func main() {
 flag.Parse()
diff --git a/templates/cdi/cdi-api/service-webhook-proxy.yaml b/templates/cdi/cdi-api/service-webhook-proxy.yaml
new file mode 100644
index 000000000..704739055
--- /dev/null
+++ b/templates/cdi/cdi-api/service-webhook-proxy.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cdi-api-webhook-proxy
+ namespace: d8-{{ .Chart.Name }}
+ {{- include "helm_lib_module_labels" (list . (dict "app" "cdi-apiserver")) | nindent 2 }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 24192
+ selector:
+ cdi.kubevirt.io: cdi-apiserver
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/templates/cdi/cdi-operator/rbac-for-us.yaml b/templates/cdi/cdi-operator/rbac-for-us.yaml
index 9bcb328d0..810371ea6 100644
--- a/templates/cdi/cdi-operator/rbac-for-us.yaml
+++ b/templates/cdi/cdi-operator/rbac-for-us.yaml
@@ -40,7 +40,7 @@ rules: - update - delete - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io - upload.cdi.kubevirt.io resources: - '*'
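Review bot: `targetPort: 24192` is an unexplained number: nothing in the cdi-apiserver proxy sidecar patch in templates/cdi/cdi.yaml configures a listen port, so this appears to rely on the proxy binary's built-in default, and the next reader cannot confirm from the templates that the two sides agree. Put the dependency on the line itself, `targetPort: 24192  # webhook listener of the kube-api-proxy sidecar in cdi.yaml (binary default; keep in sync)`, or better, pass the port to the sidecar explicitly so both places name the same value. The `WEBHOOK_ADDRESS`/`WEBHOOK_CERT_FILE` settings in that patch are the only other half of this contract and are worth cross-referencing in the same comment.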
@@ -123,28 +123,28 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datavolumes + - dvpinternaldatavolumes verbs: - list - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datasources + - dvpinternaldatasources verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - cdis + - dvpinternalcdis verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - cdis/finalizers + - dvpinternalcdis/finalizers verbs: - update - apiGroups: @@ -219,7 +219,7 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: @@ -286,9 +286,9 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - dataimportcrons + - dvpinternaldataimportcrons verbs: - get - list diff --git a/templates/cdi/cdi.yaml b/templates/cdi/cdi.yaml index 2d9f5e18a..a553680ec 100644 --- a/templates/cdi/cdi.yaml +++ b/templates/cdi/cdi.yaml @@ -2,9 +2,10 @@ {{- $nodeSelectorMaster := index (include "helm_lib_node_selector" (tuple . "master") | fromYaml) "nodeSelector" | default (dict) | toJson }} {{- $tolerationsSystem := index (include "helm_lib_tolerations" (tuple . "system") | fromYaml) "tolerations" | default (list) | toJson }} {{- $tolerationsAnyNode := index (include "helm_lib_tolerations" (tuple . "any-node") | fromYaml) "tolerations" | default (list) | toJson }} +{{- $kubeAPIProxyRewriter := true }} --- -apiVersion: x.virtualization.deckhouse.io/v1beta1 -kind: CDI +apiVersion: internal.virtualization.deckhouse.io/v1beta1 +kind: DVPInternalCDI metadata: name: cdi namespace: d8-{{ .Chart.Name }} 
@@ -85,6 +86,150 @@ spec: patch: {{ include "cdi.strategic_affinity_patch" (list "containerized-data-importer") }} type: strategic {{- end }} + + {{- if $kubeAPIProxyRewriter }} + - resourceType: Deployment + resourceName: cdi-deployment + patch: | + {"spec":{"template":{"spec":{ + "volumes": [{ + "name":"kube-api-proxy-kubeconfig", + "configMap": {"name": "kube-api-proxy-kubeconfig" } + }], + "containers":[{ + "name":"cdi-controller", + "volumeMounts":[{ + "name": "kube-api-proxy-kubeconfig", + "mountPath": "/kubeconfig.local" + }], + "env":[{ + "name":"KUBECONFIG", + "value":"/kubeconfig.local/proxy.kubeconfig" + }] + }, { + "name": "proxy", + "image": "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest", + "imagePullPolicy": "Always", + "command": ["/proxy"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": {"drop": ["ALL"]}, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "env": [ + {"name": "WEBHOOK_PROXY", + "value": "no" + } + ] + }] + }}}} + type: strategic + - resourceType: Deployment + resourceName: cdi-apiserver + patch: | + {"spec":{"template":{"spec":{ + "volumes": [{ + "name":"kube-api-proxy-kubeconfig", + "configMap": {"name": "kube-api-proxy-kubeconfig" } + }], + "containers":[{ + "name":"cdi-apiserver", + "volumeMounts":[{ + "name": "kube-api-proxy-kubeconfig", + "mountPath": "/kubeconfig.local" + }], + "env":[{ + "name":"KUBECONFIG", + "value":"/kubeconfig.local/proxy.kubeconfig" + }] + }, { + "name": "proxy", + "image": "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest", + "imagePullPolicy": "Always", + "command": ["/proxy"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": {"drop": ["ALL"]}, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "env": [ + { "name": 
"WEBHOOK_ADDRESS", + "value": "https://127.0.0.1:8443" + }, + { "name": "WEBHOOK_CERT_FILE", + "value": "/var/run/certs/cdi-apiserver-server-cert/tls.crt" + }, + { "name": "WEBHOOK_KEY_FILE", + "value": "/var/run/certs/cdi-apiserver-server-cert/tls.key" + } + ], + "volumeMounts":[{ + "name": "server-cert", + "mountPath": "/var/run/certs/cdi-apiserver-server-cert", + "readOnly": true + }] + }] + }}}} + type: strategic + # Change service in webhook configurations to point to the rewriter proxy. + # cdi-api-webhook-proxy service is created separately. + - resourceName: cdi-api-datavolume-mutate + resourceType: MutatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"datavolume-mutate.cdi.kubevirt.io", + "clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + - resourceName: cdi-api-dataimportcron-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"dataimportcron-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + - resourceName: cdi-api-datavolume-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"datavolume-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + - resourceName: cdi-api-populator-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"populator-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + - resourceName: cdi-api-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"cdi-validate.cdi.kubevirt.io", + "clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + - resourceName: objecttransfer-api-validate + resourceType: ValidatingWebhookConfiguration + patch: | + {"webhook":[ + { "name":"objecttransfer-validate.cdi.kubevirt.io", + 
"clientConfig":{"service":{"name":"cdi-api-webhook-proxy"}}} + ]} + type: strategic + {{- end }} workload: nodeSelector: kubernetes.io/os: linux diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index ccb0d6042..bb2bf105c 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml @@ -4,8 +4,8 @@ {{- $tolerationsAnyNode := index (include "helm_lib_tolerations" (tuple . "any-node") | fromYaml) "tolerations" | default (list) | toJson }} {{- $kubeAPIProxyRewriter := true }} --- -apiVersion: x.virtualization.deckhouse.io/v1 -kind: KubeVirt +apiVersion: internal.virtualization.deckhouse.io/v1 +kind: DVPInternalKubeVirt metadata: name: kubevirt namespace: d8-{{ .Chart.Name }} @@ -78,7 +78,10 @@ spec: type: json {{- end }} {{- if $kubeAPIProxyRewriter }} - - patch: | + #"image": "{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}", + - resourceName: virt-controller + resourceType: Deployment + patch: | {"spec":{"template":{"spec":{ "volumes": [{ "name":"kube-api-proxy-kubeconfig", @@ -93,8 +96,7 @@ spec: }] }, { "name": "proxy", - #"image": "{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}", - "image": "image": "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest", + "image": "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest", "imagePullPolicy": "Always", "command": ["/proxy"], "securityContext": { @@ -107,21 +109,16 @@ spec: "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "File", "env": [ - {"name": "POD_NAMESPACE", - "valueFrom": { - "fieldRef": {"fieldPath": "metadata.namespace"} - } - }, {"name": "WEBHOOK_PROXY", "value": "no" } ] }] }}}} - resourceName: virt-controller - resourceType: Deployment type: strategic - - patch: | + - resourceName: virt-api + resourceType: Deployment + patch: | {"spec":{"template":{"spec":{ "volumes": [{ "name":"kube-api-proxy-kubeconfig", 
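Review bot: The six webhook patches at the end of the hunk use the key `"webhook"`, but MutatingWebhookConfiguration and ValidatingWebhookConfiguration keep their entries under `webhooks` (the virt-api patches in templates/kubevirt/kubevirt.yaml in this same commit use `"webhooks"`), so the strategic patch addresses a field the API object does not have; depending on how the operator applies it the patch is either dropped or rejected, and either way the CDI admission webhooks keep pointing at the original service and never reach the rewriter proxy. Change each of the six to `{"webhooks":[`. Separately, both Deployment patches pull `dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest` with `"imagePullPolicy": "Always"` — a personal dev registry and a mutable tag for a sidecar that sits in the API path of cdi-controller and cdi-apiserver and is re-fetched on every pod start; reference the module image (`{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}`, which kubevirt.yaml already carries in a comment) so the release pins a digest. `$kubeAPIProxyRewriter := true` is likewise hard-coded rather than read from module values, so the proxy cannot be switched off per cluster.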
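Review bot: In hunk `@@ -78,7 +78,10 @@` the line `#"image": "{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}",` is moved out of the JSON patch and parked as a YAML comment between list items, but Helm renders template actions before the YAML is parsed, so the `include` is still evaluated and the template still requires a `kubeApiProxy` image to be resolvable even though the dev-registry image below is what gets deployed. Either restore it as the real `"image":` value of the proxy container (and drop the dev-registry one), or make the comment inert with a template comment such as `{{- /* image: helm_lib_module_image kubeApiProxy, restore when the image is published */ -}}`. The `resourceName`/`resourceType` reordering in the same hunk and the `@@ -93,8 +96,7 @@` fix of the doubled `"image": "image":` key are fine as they stand.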
@@ -130,13 +127,21 @@ spec: "containers":[{ "name":"virt-api", "command": ["virt-api", "--kubeconfig=/kubeconfig.local/proxy.kubeconfig"], + "args": [ + "--port", + "8443", + "--console-server-port", + "8186", + "--subresources-only", + "-v", + "8" + ], "volumeMounts":[{ "name": "kube-api-proxy-kubeconfig", "mountPath": "/kubeconfig.local" }] }, { "name": "proxy", - #"image": "{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}", "image": "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest", "imagePullPolicy": "Always", "command": ["/proxy"], @@ -167,14 +172,14 @@ spec: }] }] }}}} - resourceName: virt-api - resourceType: Deployment type: strategic # Change service in webhook configuration to point to the rewriter proxy. # Patch was produced with this jq command: # kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io virt-api-validator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"name":"virt-api-webhook"}}}) }' # virt-api-webhook-proxy service is created separately. - - patch: | + - resourceName: virt-api-validator + resourceType: ValidatingWebhookConfiguration + patch: | { "webhooks": [ { @@ -331,14 +336,14 @@ spec: } ] } - resourceName: virt-api-validator - resourceType: ValidatingWebhookConfiguration type: strategic # Change service in webhook configuration to point to the rewriter proxy. # Patch was produced with this jq command: # kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io virt-api-mutator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"name":"virt-api-webhook"}}}) }' # virt-api-webhook-proxy service is created separately. - - patch: | + - resourceName: virt-api-mutator + resourceType: MutatingWebhookConfiguration + patch: | { "webhooks": [ { 
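Review bot: The new `args` for virt-api hard-code `"-v", "8"`, which is trace-level verbosity for the component that terminates user-facing console/VNC/subresource calls; every installation of this chart will log at that level and pay for it in volume and in how much request detail ends up in logs. Take the level from the module's log setting, e.g. `"-v", "<log level from module values>"`, and default it to what virt-operator would otherwise set. Supplying `command` together with `args` also replaces the argument list virt-operator computes for virt-api, so `--port`, `--console-server-port` and `--subresources-only` are now maintained by hand here and will silently diverge on the next KubeVirt bump; a comment above the patch naming the KubeVirt version these flags were copied from would make that drift detectable. The virt-api patch item starts in the preceding hunk and ends in the following one.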
@@ -375,21 +380,21 @@ spec: } ] } - resourceName: virt-api-mutator - resourceType: MutatingWebhookConfiguration type: strategic # Change service in webhook configuration to point to the rewriter proxy. # Patch was produced with this jq command: # kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io virt-operator-validator -o json | jq '{"webhooks": .webhooks|map({"name":.name, "clientConfig":{"service":{"name":"kubevirt-api-webhook-proxy"}}}) }' - # kubevirt-operator-webhook-proxy service is created separately. - - patch: | + # virt-api-webhook-proxy service is created separately. + - resourceName: virt-operator-validator + resourceType: ValidatingWebhookConfiguration + patch: | { "webhooks": [ { "name": "kubevirt-validator.kubevirt.io", "clientConfig": { "service": { - "name": "kubevirt-api-webhook-proxy" + "name": "virt-api-webhook-proxy" } } }, @@ -397,14 +402,13 @@ spec: "name": "kubevirt-update-validator.kubevirt.io", "clientConfig": { "service": { - "name": "kubevirt-api-webhook-proxy" + "name": "virt-api-webhook-proxy" } } } ] } - resourceName: virt-operator-validator - resourceType: ValidatingWebhookConfiguration + type: strategic {{- end }} imagePullPolicy: IfNotPresent diff --git a/templates/kubevirt/virt-operator/rbac-for-us.yaml b/templates/kubevirt/virt-operator/rbac-for-us.yaml index 97d02eb39..26c39807d 100644 --- a/templates/kubevirt/virt-operator/rbac-for-us.yaml +++ b/templates/kubevirt/virt-operator/rbac-for-us.yaml @@ -86,9 +86,9 @@ metadata: name: d8:virtualization:kubevirt-operator rules: - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list @@ -294,10 +294,10 @@ rules: - delete - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances verbs: - get - list 
@@ -311,15 +311,15 @@ rules: verbs: - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines/status + - dvpinternalvirtualmachines/status verbs: - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancemigrations + - dvpinternalvirtualmachineinstancemigrations verbs: - create - get @@ -327,9 +327,9 @@ rules: - watch - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancepresets + - dvpinternalvirtualmachineinstancepresets verbs: - watch - list 
@@ -357,50 +357,50 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinerestores - - virtualmachinesnapshotcontents + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinerestores + - dvpinternalvirtualmachinesnapshotcontents verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - datasources - - datavolumes + - dvpinternaldatasources + - dvpinternaldatavolumes verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - delete - create @@ -408,9 +408,9 @@ rules: - patch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list 
@@ -550,24 +550,24 @@ rules: - delete - patch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: - '*' - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: - '*' - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools - - virtualmachinepools/finalizers - - virtualmachinepools/status - - virtualmachinepools/scale + - dvpinternalvirtualmachinepools + - dvpinternalvirtualmachinepools/finalizers + - dvpinternalvirtualmachinepools/status + - dvpinternalvirtualmachinepools/scale verbs: - watch - list @@ -577,7 +577,7 @@ rules: - patch - get - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: @@ -593,7 +593,7 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - '*' verbs: 
@@ -648,30 +648,30 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones - - virtualmachineclones/status - - virtualmachineclones/finalizers + - dvpinternalvirtualmachineclones + - dvpinternalvirtualmachineclones/status + - dvpinternalvirtualmachineclones/finalizers verbs: - get - list @@ -717,9 +717,9 @@ rules: - get - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstances + - dvpinternalvirtualmachineinstances verbs: - update - list @@ -757,17 +757,17 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list 
@@ -781,17 +781,17 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - list - watch @@ -864,13 +864,13 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances - - virtualmachineinstancepresets - - virtualmachineinstancereplicasets - - virtualmachineinstancemigrations + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances + - dvpinternalvirtualmachineinstancepresets + - dvpinternalvirtualmachineinstancereplicasets + - dvpinternalvirtualmachineinstancemigrations verbs: - get - delete @@ -881,11 +881,11 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinesnapshotcontents - - virtualmachinerestores + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinesnapshotcontents + - dvpinternalvirtualmachinerestores verbs: - get - delete @@ -896,9 +896,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - delete @@ -909,9 +909,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones + - dvpinternalvirtualmachineclones verbs: - get - delete 
@@ -922,12 +922,12 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - delete @@ -938,9 +938,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools + - dvpinternalvirtualmachinepools verbs: - get - delete @@ -951,9 +951,9 @@ rules: - watch - deletecollection - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list @@ -1009,13 +1009,13 @@ rules: verbs: - update - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachines - - virtualmachineinstances - - virtualmachineinstancepresets - - virtualmachineinstancereplicasets - - virtualmachineinstancemigrations + - dvpinternalvirtualmachines + - dvpinternalvirtualmachineinstances + - dvpinternalvirtualmachineinstancepresets + - dvpinternalvirtualmachineinstancereplicasets + - dvpinternalvirtualmachineinstancemigrations verbs: - get - delete @@ -1025,11 +1025,11 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinesnapshots - - virtualmachinesnapshotcontents - - virtualmachinerestores + - dvpinternalvirtualmachinesnapshots + - dvpinternalvirtualmachinesnapshotcontents + - dvpinternalvirtualmachinerestores verbs: - get - delete 
@@ -1039,9 +1039,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineexports + - dvpinternalvirtualmachineexports verbs: - get - delete @@ -1051,9 +1051,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineclones + - dvpinternalvirtualmachineclones verbs: - get - delete @@ -1063,12 +1063,12 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachineinstancetypes - - virtualmachineclusterinstancetypes - - virtualmachinepreferences - - virtualmachineclusterpreferences + - dvpinternalvirtualmachineinstancetypes + - dvpinternalvirtualmachineclusterinstancetypes + - dvpinternalvirtualmachinepreferences + - dvpinternalvirtualmachineclusterpreferences verbs: - get - delete @@ -1078,9 +1078,9 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - virtualmachinepools + - dvpinternalvirtualmachinepools verbs: - get - delete @@ -1090,16 +1090,16 @@ rules: - list - watch - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - kubevirts + - dvpinternalkubevirts verbs: - get - list - apiGroups: - - x.virtualization.deckhouse.io + - internal.virtualization.deckhouse.io resources: - - migrationpolicies + - dvpinternalmigrationpolicies verbs: - get - list 
@@ -1120,67 +1120,67 @@ rules:
verbs:
- update
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachines
- - virtualmachineinstances
- - virtualmachineinstancepresets
- - virtualmachineinstancereplicasets
- - virtualmachineinstancemigrations
+ - dvpinternalvirtualmachines
+ - dvpinternalvirtualmachineinstances
+ - dvpinternalvirtualmachineinstancepresets
+ - dvpinternalvirtualmachineinstancereplicasets
+ - dvpinternalvirtualmachineinstancemigrations
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachinesnapshots
- - virtualmachinesnapshotcontents
- - virtualmachinerestores
+ - dvpinternalvirtualmachinesnapshots
+ - dvpinternalvirtualmachinesnapshotcontents
+ - dvpinternalvirtualmachinerestores
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachineexports
+ - dvpinternalvirtualmachineexports
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachineclones
+ - dvpinternalvirtualmachineclones
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachineinstancetypes
- - virtualmachineclusterinstancetypes
- - virtualmachinepreferences
- - virtualmachineclusterpreferences
+ - dvpinternalvirtualmachineinstancetypes
+ - dvpinternalvirtualmachineclusterinstancetypes
+ - dvpinternalvirtualmachinepreferences
+ - dvpinternalvirtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachinepools
+ - dvpinternalvirtualmachinepools
verbs:
- get
- list
- watch
- deletecollection
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - migrationpolicies
+ - dvpinternalmigrationpolicies
verbs:
- get
- list
diff --git a/templates/kubevirt/vmi-router/rbac-for-us.yaml b/templates/kubevirt/vmi-router/rbac-for-us.yaml
index ca191d4e4..dbf02f66b 100644
--- a/templates/kubevirt/vmi-router/rbac-for-us.yaml
+++ b/templates/kubevirt/vmi-router/rbac-for-us.yaml
@@ -14,9 +14,9 @@ metadata:
{{- include "helm_lib_module_labels" (list . (dict "app" "vmi-router")) | nindent 2 }}
rules:
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachineinstances
+ - dvpinternalvirtualmachineinstances
verbs:
- get
- list
diff --git a/templates/pre-delete-hook/rbac-for-us.yaml b/templates/pre-delete-hook/rbac-for-us.yaml
index 96bf862c9..84b4d0f43 100644
--- a/templates/pre-delete-hook/rbac-for-us.yaml
+++ b/templates/pre-delete-hook/rbac-for-us.yaml
@@ -15,10 +15,10 @@ metadata:
{{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-pre-delete-hook")) | nindent 2 }}
rules:
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - cdis
- - kubevirts
+ - dvpinternalcdis
+ - dvpinternalkubevirts
verbs:
- get
- delete
diff --git a/templates/virtualization-controller/deployment.yaml b/templates/virtualization-controller/deployment.yaml
index 9f86fe578..6746c2afd 100644
--- a/templates/virtualization-controller/deployment.yaml
+++ b/templates/virtualization-controller/deployment.yaml
@@ -80,6 +80,26 @@ spec:
{{- include "virtualization_controller_resources" . | nindent 12 }}
{{- end }}
env: {{ include "virtualization-controller.envs" . | nindent 12 }}
+ - name: proxy
+ #image: {{ include "helm_lib_module_image" (list . "kubeApiProxy") }}
+ image: "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest"
+ imagePullPolicy: Always
+ command:
+ - /proxy
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ env:
+ - name: "WEBHOOK_PROXY"
+ value: "no"
+
dnsPolicy: ClusterFirst
serviceAccountName: virtualization-controller
{{- include "helm_lib_priority_class" (tuple . "system-cluster-critical") | nindent 6 }}
diff --git a/templates/virtualization-controller/rbac-for-us.yaml b/templates/virtualization-controller/rbac-for-us.yaml
index f7d4ef69c..a4617a464 100644
--- a/templates/virtualization-controller/rbac-for-us.yaml
+++ b/templates/virtualization-controller/rbac-for-us.yaml
@@ -87,9 +87,9 @@ rules:
- create
- patch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - datavolumes
+ - dvpinternaldatavolumes
verbs:
- get
- create
@@ -98,10 +98,10 @@ rules:
- watch
- list
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachines
- - virtualmachineinstances
+ - dvpinternalvirtualmachines
+ - dvpinternalvirtualmachineinstances
verbs:
- get
- watch
@@ -111,17 +111,17 @@ rules:
- list
- delete
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - kubevirts
+ - dvpinternalkubevirts
verbs:
- get
- list
- watch
- apiGroups:
- - x.virtualization.deckhouse.io
+ - internal.virtualization.deckhouse.io
resources:
- - virtualmachines/status
+ - dvpinternalvirtualmachines/status
verbs:
- patch
- update
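Review bot: The new `proxy` sidecar in deployment.yaml hardcodes a mutable dev image, `image: "dev-registry.deckhouse.io/virt/dev/diafour/kube-api-proxy:latest"` pulled with `imagePullPolicy: Always`, while the module's pinned reference `{{ include "helm_lib_module_image" (list . "kubeApiProxy") }}` is left commented out; whatever is pushed to that tag next runs inside the controller pod, which the same hunk shows running as `serviceAccountName: virtualization-controller`, so the templated line should be restored (or the hardcode gated behind a dev-only value) before this merges. `resources: {}` leaves the sidecar unbounded on a pod the template marks `system-cluster-critical`; a request/limit pair in line with the module's other containers would keep it from starving the controller. The securityContext already drops all capabilities and sets a RuntimeDefault seccomp profile; adding `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would complete it, assuming the `/proxy` binary does not need to write locally — worth confirming.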