From 5b2dd4c601d3c2718fc692eb7671f7dd2e82c003 Mon Sep 17 00:00:00 2001 From: Gleb Aronsky Date: Tue, 23 May 2023 13:17:37 -0700 Subject: [PATCH] Up version and enhance KubeVirt and CDI - Add support for imagePullSecrets for KubeVirt and CDI. - Update Helm Charts to match KubeVirt v0.59.0. - Update Helm Charts to match CDI v1.57.0. - Add a symlink for `virtctl` during installation. - Framework creates the namespaces; Helm manages them. - Update `values.yaml` to scope KubeVirt and CDI values. - Upgrade `virtctl` and symlink it. - Add support for Helm chart overrides. - Add support for namespace label `app.starlingx.io/component`. - Add overrides for certificate rotation policy. - Add support for application overrides - Enable plugin tests - Enable Zuul supported tox testing for flake8, pylint, bandit, and yamllint Test Plan: PASS: Install the kubevirt-app on AIO-SX. PASS: Cleanly remove the kubevirt-app. PASS: Import Ubuntu image, create an instance of the Ubuntu VM, login using `virtctl console`, restart VM. PASS: Use `cdi-uploadproxy` for CirrOS VM image, create an instance, login using `virtctl console`. PASS: Verify KubeVirt and CDI namespaces have default label. PASS: After changing the component type to `application`, verify pods restart and type is updated. PASS: After reverting type to `platform`, verify update and pod restart. PASS: Invalid type shouldn't apply the label. PASS: Override CDI certificate duration and `renewBefore`, then verify values. PASS: Override KubeVirt certificate duration and `renewBefore`, then verify values. Story: 2010931 Task: 48855 Task: 48858 Task: 48860 Task: 48862 Task: 48863 Task: 48873 Task: 48874 Task: 48875 Task: 48876 Task: 48989 Change-Id: I2682299de234ccdb3157e3572c3b90bc66646b39 
Signed-off-by: Gleb Aronsky --- .zuul.yaml | 53 +- bindep.txt | 10 + .../k8sapp_kubevirt/.gitignore | 35 + .../k8sapp_kubevirt/.stestr.conf | 4 + .../k8sapp_kubevirt/__init__.py | 8 - .../k8sapp_kubevirt/common/__init__.py | 8 - .../k8sapp_kubevirt/common/constants.py | 29 +- .../k8sapp_kubevirt/helm/__init__.py | 5 - .../k8sapp_kubevirt/helm/kubevirt.py | 70 +- .../k8sapp_kubevirt/lifecycle/__init__.py | 8 - .../lifecycle/lifecycle_kubevirt.py | 284 +- .../k8sapp_kubevirt/tests/__init__.py | 0 .../k8sapp_kubevirt/tests/test_kubevirt.py | 34 + .../k8sapp_kubevirt/tests/test_plugins.py | 53 + .../k8sapp_kubevirt/pylint.rc | 829 ++- .../k8sapp_kubevirt/requirements.txt | 4 +- .../k8sapp_kubevirt/setup.cfg | 4 +- .../k8sapp_kubevirt/setup.py | 4 +- .../k8sapp_kubevirt/test-requirements.txt | 19 +- .../k8sapp_kubevirt/tox.ini | 124 +- .../k8sapp_kubevirt/upper-constraints.txt | 1 + stx-kubevirt-app-helm/docker/Dockerfile | 4 +- .../fluxcd-manifests/base/helmrepository.yaml | 1 + .../fluxcd-manifests/base/kustomization.yaml | 1 - .../fluxcd-manifests/base/namespace.yaml | 14 - .../kubevirt-app/helmrelease.yaml | 2 + .../kubevirt-app/kustomization.yaml | 2 +- .../fluxcd-manifests/kustomization.yaml | 4 +- .../kubevirt-app/crds/cdi-crd.yaml | 4453 +++++++++-------- .../helm-charts/kubevirt-app/crds/crd.yaml | 276 +- .../templates/cdi-clusterrole.yaml | 18 +- .../kubevirt-app/templates/cdi-configmap.yaml | 25 - .../templates/cdi-deployment.yaml | 36 +- .../kubevirt-app/templates/cdi-namespace.yaml | 6 +- .../templates/cdi-rolebinding.yaml | 14 + .../templates/cdi-rolebinding2.yaml | 31 - .../templates/cdi-serviceaccount.yaml | 2 - .../kubevirt-app/templates/cdi.yaml | 22 +- .../kubevirt-app/templates/clusterrole.yaml | 264 +- .../kubevirt-app/templates/clusterrole2.yaml | 39 - .../kubevirt-app/templates/clusterrole3.yaml | 37 - .../kubevirt-app/templates/deployment.yaml | 46 +- .../kubevirt-app/templates/kubevirt.yaml | 17 +- .../kubevirt-app/templates/namespace.yaml | 9 
+- .../kubevirt-app/templates/role.yaml | 17 + .../kubevirt-app/templates/rolebinding.yaml | 14 + .../kubevirt-app/templates/rolebinding2.yaml | 31 - .../templates/serviceaccount.yaml | 2 - .../helm-charts/kubevirt-app/values.yaml | 123 +- test-requirements.txt | 3 +- tox.ini | 30 +- 51 files changed, 4241 insertions(+), 2888 deletions(-) create mode 100644 bindep.txt create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/.gitignore create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/.stestr.conf create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/__init__.py create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_kubevirt.py create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_plugins.py create mode 100644 python3-k8sapp-kubevirt/k8sapp_kubevirt/upper-constraints.txt delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/namespace.yaml delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-configmap.yaml delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding2.yaml delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole2.yaml delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole3.yaml delete mode 100644 stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding2.yaml diff --git a/.zuul.yaml b/.zuul.yaml index c4b0f02..469e784 100644 --- a/.zuul.yaml +++ b/.zuul.yaml 
@@ -1,33 +1,78 @@ --- - project: + vars: + ensure_tox_version: '<4' check: jobs: - openstack-tox-linters - k8sapp-kubevirt-tox-py39 + - k8sapp-kubevirt-tox-flake8 - k8sapp-kubevirt-tox-pylint gate: jobs: - openstack-tox-linters - k8sapp-kubevirt-tox-py39 + - k8sapp-kubevirt-tox-flake8 - k8sapp-kubevirt-tox-pylint + - job: name: k8sapp-kubevirt-tox-py39 parent: tox-py39 description: | - Run py39 for KubeVirt app + Run py39 for kubevirt app + nodeset: debian-bullseye + required-projects: + - starlingx/config + - starlingx/fault + - starlingx/root + - starlingx/update + - starlingx/utilities + files: + - python3-k8sapp-kubevirt/* + vars: + tox_envlist: py39 + tox_extra_args: -c python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini + tox_constraints_file: '{{ ansible_user_dir }}/src/opendev.org/starlingx/root/build-tools/requirements/debian/upper-constraints.txt' + +- job: + name: k8sapp-kubevirt-tox-flake8 + parent: tox + description: | + Run flake8 for kubevirt nodeset: debian-bullseye files: - python3-k8sapp-kubevirt/* vars: - tox_envlist: py39 - python_version: 3.9 + tox_envlist: flake8 + tox_extra_args: -c python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini + - job: name: k8sapp-kubevirt-tox-pylint parent: tox description: | - Run pylint test for k8sapp_kubevirt + Run pylint test for k8sapp_kubevirt + required-projects: + - starlingx/config + - starlingx/fault + - starlingx/root + - starlingx/update + - starlingx/utilities + nodeset: debian-bullseye files: - python3-k8sapp-kubevirt/* vars: tox_envlist: pylint + tox_extra_args: -c python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini + tox_constraints_file: '{{ ansible_user_dir }}/src/opendev.org/starlingx/root/build-tools/requirements/debian/upper-constraints.txt' +- job: + name: k8sapp-kubevirt-tox-bandit + parent: tox + description: | + Run bandit for kubevirt + nodeset: debian-bullseye + files: + - python3-k8sapp-kubevirt/* + vars: + tox_envlist: bandit + tox_extra_args: -c python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini 
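Review bot: The new `k8sapp-kubevirt-tox-bandit` job is defined at the end of this hunk but is not listed under `check.jobs` or `gate.jobs` in the `project` stanza, where only `k8sapp-kubevirt-tox-flake8` was added. Unless the job is attached to a pipeline outside this file, the bandit security scan never runs, although the commit message says bandit testing is enabled. Add `- k8sapp-kubevirt-tox-bandit` to both job lists. The bandit job also omits the `required-projects` and `tox_constraints_file` settings that the py39 and pylint jobs carry, so confirm the bandit tox environment does not need them.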
diff --git a/bindep.txt b/bindep.txt
new file mode 100644
index 0000000..3ffe69f
--- /dev/null
+++ b/bindep.txt
@@ -0,0 +1,10 @@
+# This is a cross-platform list tracking distribution packages needed for install and tests;
+# see https://docs.openstack.org/infra/bindep/ for additional information.
+
+libffi-dev [platform:dpkg]
+libldap2-dev [platform:dpkg]
+libxml2-dev [platform:dpkg]
+libxslt1-dev [platform:dpkg]
+libsasl2-dev [platform:dpkg]
+libffi-devel [platform:rpm]
+python3-all-dev [platform:dpkg]
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/.gitignore b/python3-k8sapp-kubevirt/k8sapp_kubevirt/.gitignore
new file mode 100644
index 0000000..78c457c
--- /dev/null
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/.gitignore
@@ -0,0 +1,35 @@
+# Compiled files
+*.py[co]
+*.a
+*.o
+*.so
+
+# Sphinx
+_build
+doc/source/api/
+
+# Packages/installer info
+*.egg
+*.egg-info
+dist
+build
+eggs
+parts
+var
+sdist
+develop-eggs
+.installed.cfg
+
+# Other
+*.DS_Store
+.stestr
+.testrepository
+.tox
+.venv
+.*.swp
+.coverage
+bandit.xml
+cover
+AUTHORS
+ChangeLog
+*.sqlite
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/.stestr.conf b/python3-k8sapp-kubevirt/k8sapp_kubevirt/.stestr.conf
new file mode 100644
index 0000000..91b6436
--- /dev/null
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/.stestr.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+test_path=./k8sapp_kubevirt/tests
+top_dir=./k8sapp_kubevirt
+#parallel_class=True
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/__init__.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/__init__.py
index 604df0a..e69de29 100644
--- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/__init__.py
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/__init__.py
@@ -1,8 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# All Rights Reserved.
-#
-
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/__init__.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/__init__.py
index 604df0a..e69de29 100644
--- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/__init__.py
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/__init__.py
@@ -1,8 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# All Rights Reserved.
-#
-
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/constants.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/constants.py
index 26b66e3..2db8b0e 100644
--- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/constants.py
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/common/constants.py
@@ -1,25 +1,42 @@ -# -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # # All Rights Reserved. # +""" Kubevirt application predefined constants """ -HELM_APP_KUBEVIRT = 'kubevirt' +HELM_APP_KUBEVIRT = 'kubevirt-app' HELM_APP_KUBEVIRT_CR = 'kubevirt.kubevirt.io/kubevirt' HELM_APP_KUBEVIRT_CRD = 'kubevirts.kubevirt.io' HELM_RELEASE_KUBEVIRT = 'kubevirt' HELM_CHART_KUBEVIRT = 'kubevirt' +HELM_CHART_CDI = 'cdi' +HELM_CHART_COMPONENT_LABEL = 'app.starlingx.io/component' +HELM_CHART_COMPONENT_APPLICATION = 'application' +HELM_CHART_COMPONENT_PLATFORM = 'platform' HELM_NS_KUBEVIRT = 'kubevirt' +HELM_RELEASE_NS = 'kube-system' +HELM_RELEASE_TOOL_KIT_GROUP = 'helm.toolkit.fluxcd.io' +HELM_RELEASE_TOOL_KIT_VERSION = 'v2beta1' +HELM_RELEASE_TOOL_KIT_PLURAL = 'helmreleases' HELM_APP_CDI = 'cdi' HELM_APP_CDI_CR = 'cdi.cdi.kubevirt.io/cdi' HELM_APP_CDI_CRD = 'cdis.cdi.kubevirt.io' HELM_NS_CDI = 'cdi' -HELM_APP_CDI_UPLOAD_API_V1_ALPHA_1 = 'v1alpha1.upload.cdi.kubevirt.io' -HELM_APP_CDI_UPLOAD_API_V1_BETA_1 = 'v1beta1.upload.cdi.kubevirt.io' HELM_VIRTCTL_DIR = '/var/opt/kubevirt/' -HELM_VIRTCTL_FILE_NAME = 'virtctl-v0.53.1-linux-amd64' +HELM_VIRTCTL_FILE_NAME = 'virtctl-v0.59.0-linux-amd64' +HELM_VIRTCTL_LINK_NAME = 'virtctl' HELM_VIRTCTL_PATH = HELM_VIRTCTL_DIR + HELM_VIRTCTL_FILE_NAME +HELM_VIRTCTL_LINK_PATH = HELM_VIRTCTL_DIR + HELM_VIRTCTL_LINK_NAME + +CDI_CERTIFICATE_ROTATE_CA_DURATION = '720h' +CDI_CERTIFICATE_ROTATE_CA_RENEW_BEFORE = '360h' +CDI_CERTIFICATE_ROTATE_SERVER_DURATION = '720h' +CDI_CERTIFICATE_ROTATE_SERVER_RENEW_BEFORE = '360h' +KUBEVIRT_CERTIFICATE_ROTATE_CA_DURATION = '720h' +KUBEVIRT_CERTIFICATE_ROTATE_CA_RENEW_BEFORE = '360h' +KUBEVIRT_CERTIFICATE_ROTATE_SERVER_DURATION = '720h' +KUBEVIRT_CERTIFICATE_ROTATE_SERVER_RENEW_BEFORE = '360h' 
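Review bot: The eight `*_CERTIFICATE_ROTATE_*` constants added at the end of this hunk carry no comment on their format or on why these lifetimes were chosen. They set every CA and server certificate to `'720h'` with renewal `'360h'` before expiry, i.e. 30 days and 15 days, and the CA and server values are identical. If that is intentional it is worth stating, since certificate lifetime is a security setting operators will want to audit. Suggested comment above the block: `# Default certificate rotation values (hour-based duration strings): 30-day validity, renewed 15 days before expiry; overridable through the Helm overrides.`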
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/__init__.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/__init__.py index 0c6559b..e69de29 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/__init__.py +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/__init__.py @@ -1,5 +0,0 @@ -# Copyright (c) 2022 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# - diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/kubevirt.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/kubevirt.py index d89ad66..abc5870 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/kubevirt.py +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/helm/kubevirt.py @@ -1,16 +1,23 @@ -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # -from k8sapp_kubevirt.common import constants as app_constants + +""" +This module provides functionality related to KubeVirt Helm charts and deployment. +""" + +from oslo_log import log as logging from sysinv.common import exception from sysinv.common import utils -from sysinv.helm import base -from oslo_log import log as logging from sysinv.db import api as dbapi +from sysinv.helm import base + +from k8sapp_kubevirt.common import constants as app_constants LOG = logging.getLogger(__name__) + class KubeVirtHelm(base.FluxCDBaseHelm): """Class to encapsulate helm operations for the kubevirt chart""" 
@@ -18,31 +25,64 @@ class KubeVirtHelm(base.FluxCDBaseHelm): HELM_RELEASE = app_constants.HELM_RELEASE_KUBEVIRT SERVICE_NAME = 'kubevirt' - SUPPORTED_NAMESPACES = base.BaseHelm.SUPPORTED_NAMESPACES + \ [app_constants.HELM_NS_KUBEVIRT] + [app_constants.HELM_NS_CDI] SUPPORTED_APP_NAMESPACES = { app_constants.HELM_APP_KUBEVIRT: - base.BaseHelm.SUPPORTED_NAMESPACES + [app_constants.HELM_NS_KUBEVIRT] + [app_constants.HELM_NS_CDI], + base.BaseHelm.SUPPORTED_NAMESPACES + [ + app_constants.HELM_NS_KUBEVIRT] + [app_constants.HELM_NS_CDI], } def get_namespaces(self): + """Returns the supported namespaces for this application.""" return self.SUPPORTED_NAMESPACES def get_overrides(self, namespace=None): + """Returns application overrides for the given namespace parameter. + + :param namespace: The namespace for which overrides are requested (optional). + :return: Application overrides. + """ overrides = { - app_constants.HELM_NS_KUBEVIRT: { + app_constants.HELM_CHART_KUBEVIRT: { 'featureGates': ['Snapshot'], 'useEmulation': utils.is_virtual(), - 'replicas': '1' if utils.is_single_controller(dbapi.get_instance()) else '2' + 'replicas': '1' if utils.is_single_controller(dbapi.get_instance()) else '2', + app_constants.HELM_CHART_COMPONENT_LABEL: + app_constants.HELM_CHART_COMPONENT_PLATFORM, + 'certificateRotate': { + 'ca': { + 'duration': app_constants.KUBEVIRT_CERTIFICATE_ROTATE_CA_DURATION, + 'renewBefore': app_constants.KUBEVIRT_CERTIFICATE_ROTATE_CA_RENEW_BEFORE, + }, + 'server': { + 'duration': app_constants.KUBEVIRT_CERTIFICATE_ROTATE_SERVER_DURATION, + 'renewBefore': + app_constants.KUBEVIRT_CERTIFICATE_ROTATE_SERVER_RENEW_BEFORE, + } + } + }, + app_constants.HELM_CHART_CDI: { + 'featureGates': ['HonorWaitForFirstConsumer'], + 'replicas': '1' if utils.is_single_controller(dbapi.get_instance()) else '2', + app_constants.HELM_CHART_COMPONENT_LABEL: + app_constants.HELM_CHART_COMPONENT_PLATFORM, + 'certificateRotate': { + 'ca': { + 'duration': 
app_constants.CDI_CERTIFICATE_ROTATE_CA_DURATION, + 'renewBefore': app_constants.CDI_CERTIFICATE_ROTATE_CA_RENEW_BEFORE, + }, + 'server': { + 'duration': app_constants.CDI_CERTIFICATE_ROTATE_SERVER_DURATION, + 'renewBefore': app_constants.CDI_CERTIFICATE_ROTATE_SERVER_RENEW_BEFORE, + } + } } } - if namespace in self.SUPPORTED_NAMESPACES: - return overrides[namespace] - elif namespace: - raise exception.InvalidHelmNamespace(chart=self.CHART, - namespace=namespace) - else: - return overrides + if namespace: + if namespace in self.SUPPORTED_NAMESPACES: + return overrides[namespace] + raise exception.InvalidHelmNamespace(chart=self.CHART, namespace=namespace) + return overrides diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/__init__.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/__init__.py index 604df0a..e69de29 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/__init__.py +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/__init__.py @@ -1,8 +0,0 @@ -# -# Copyright (c) 2022 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# -# All Rights Reserved. -# - diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/lifecycle_kubevirt.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/lifecycle_kubevirt.py index 730c3eb..d9e4594 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/lifecycle_kubevirt.py +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/lifecycle/lifecycle_kubevirt.py @@ -1,5 +1,5 @@ # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2022-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # 
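Review bot: In `get_overrides`, the `overrides` dict is now keyed by the chart constants (`HELM_CHART_KUBEVIRT`, `HELM_CHART_CDI`) but is still indexed by `namespace` after a membership test against `self.SUPPORTED_NAMESPACES`. The lookup works only because the chart and namespace constants hold the same strings (`'kubevirt'`, `'cdi'`). Any namespace contributed by `base.BaseHelm.SUPPORTED_NAMESPACES` would pass the guard and then raise `KeyError` rather than `InvalidHelmNamespace`. Test against the dict itself, `if namespace in overrides: return overrides[namespace]`, or key the dict by `HELM_NS_KUBEVIRT` and `HELM_NS_CDI`. The class body begins outside this hunk.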
@@ -9,20 +9,29 @@ """ System inventory App lifecycle operator.""" import os +import yaml -from k8sapp_kubevirt.common import constants as app_constants +from kubernetes import client from oslo_log import log as logging from sysinv.common import constants from sysinv.common import exception from sysinv.common import kubernetes from sysinv.common import utils as cutils from sysinv.helm import lifecycle_base as base -from sysinv.helm.lifecycle_constants import LifecycleConstants +from k8sapp_kubevirt.common import constants as app_constants LOG = logging.getLogger(__name__) + class KubeVirtAppLifecycleOperator(base.AppLifecycleOperator): + """Custom KubeVirt-specific AppLifecycleOperator class. + + This class is derived from the base AppLifecycleOperator and provides + KubeVirt-specific lifecycle actions for applications. + + :param base.AppLifecycleOperator: The base class to inherit from. + """ def app_lifecycle_actions(self, context, conductor_obj, app_op, app, hook_info): """Perform lifecycle actions for an operation 
@@ -33,72 +42,239 @@ class KubeVirtAppLifecycleOperator(base.AppLifecycleOperator): :param hook_info: LifecycleHookInfo object """ - if hook_info.lifecycle_type == constants.APP_LIFECYCLE_TYPE_OPERATION: - if hook_info.operation == constants.APP_REMOVE_OP: - if hook_info.relative_timing == constants.APP_LIFECYCLE_TIMING_PRE: - return self.pre_remove(app) - elif hook_info.relative_timing == constants.APP_LIFECYCLE_TIMING_POST: - return self.post_remove(app) - super(KubeVirtAppLifecycleOperator, self).app_lifecycle_actions( - context, conductor_obj, app_op, app, hook_info - ) + # Define a dictionary to map values to lifecycle functions + action_map = { + (constants.APP_LIFECYCLE_TYPE_FLUXCD_REQUEST, constants.APP_APPLY_OP, + constants.APP_LIFECYCLE_TIMING_PRE): self.pre_apply, + (constants.APP_LIFECYCLE_TYPE_FLUXCD_REQUEST, constants.APP_APPLY_OP, + constants.APP_LIFECYCLE_TIMING_POST): lambda: self.post_apply(app_op, app), + (constants.APP_LIFECYCLE_TYPE_OPERATION, constants.APP_REMOVE_OP, + constants.APP_LIFECYCLE_TIMING_PRE): lambda: self.pre_remove(app), + (constants.APP_LIFECYCLE_TYPE_OPERATION, constants.APP_REMOVE_OP, + constants.APP_LIFECYCLE_TIMING_POST): lambda: self.post_remove(app) + } + + # Get the appropriate lifecylce function from the dictionary based on the values + action_function = action_map.get((hook_info.lifecycle_type, hook_info.operation, + hook_info.relative_timing)) + + if action_function is not None: + action_function() + + super().app_lifecycle_actions(context, conductor_obj, app_op, app, hook_info) + + def pre_apply(self): + """Prepare KubeVirt namespaces for Helm management. + + Patches CDI and KubeVirt namespaces with labels and annotations for Helm + before applying the KubeVirt application. 
+ """ + + LOG.debug(f"Executing pre_apply for {app_constants.HELM_APP_KUBEVIRT} app") + + # Create a Kubernetes client object + client_v1 = client.CoreV1Api() + + patches = [{"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}}, + {"metadata": {"annotations": {"meta.helm.sh/release-name": + app_constants.HELM_APP_KUBEVIRT}}}, + {"metadata": {"annotations": {"meta.helm.sh/release-namespace": + app_constants.HELM_RELEASE_NS}}}] + + for patch in patches: + client_v1.patch_namespace(name=app_constants.HELM_NS_KUBEVIRT, body=patch) + client_v1.patch_namespace(name=app_constants.HELM_NS_CDI, body=patch) + + LOG.debug(f"Patched namespaces {app_constants.HELM_NS_KUBEVIRT} \ + and {app_constants.HELM_NS_CDI}") + + def post_apply(self, app_op, app): + """Perform post-apply actions for the KubeVirt application. """ + + LOG.debug(f"Executing post_apply for {app_constants.HELM_APP_KUBEVIRT} app") + + self.update_namespace_override(app_op, app, app_constants.HELM_NS_KUBEVIRT) + self.update_namespace_override(app_op, app, app_constants.HELM_NS_CDI) + + def update_namespace_override(self, app_op, app, namespace): + """Update the namespace override based on Helm chart user overrides. + + This method updates the namespace label based on user overrides specified + in the Helm chart. It ensures that the namespace label is either 'platform' + or 'application' and may restart pods when the label changes. + + :param app_op: The AppOperator instance. + :param app: The Application object. + :param namespace: The namespace to update. 
+ """ + + dbapi_instance = app_op._dbapi + db_app_id = dbapi_instance.kube_app_get(app.name).id + + # chart overrides + chart_overrides = self._get_helm_user_overrides( + dbapi_instance, + db_app_id, + namespace) + + override_label = {} + client_core = app_op._kube._get_kubernetesclient_core() + + # Namespaces variables + read_namespace = client_core.read_namespace(namespace) + + # Old namespace variable + old_namespace_label = read_namespace.metadata.labels.get( + app_constants.HELM_CHART_COMPONENT_LABEL, None) + + if app_constants.HELM_CHART_COMPONENT_LABEL in chart_overrides: + # User Override variables + dict_chart_overrides = yaml.safe_load(chart_overrides) + override_label = dict_chart_overrides.get(app_constants.HELM_CHART_COMPONENT_LABEL) + + if override_label == app_constants.HELM_CHART_COMPONENT_APPLICATION: + read_namespace.metadata.labels.update({app_constants.HELM_CHART_COMPONENT_LABEL: + app_constants.HELM_CHART_COMPONENT_APPLICATION}) + app_op._kube.kube_patch_namespace(namespace, read_namespace) + elif override_label == app_constants.HELM_CHART_COMPONENT_PLATFORM: + read_namespace.metadata.labels.update({app_constants.HELM_CHART_COMPONENT_LABEL: + app_constants.HELM_CHART_COMPONENT_PLATFORM}) + app_op._kube.kube_patch_namespace(namespace, read_namespace) + elif not override_label: + read_namespace.metadata.labels.update({app_constants.HELM_CHART_COMPONENT_LABEL: + app_constants.HELM_CHART_COMPONENT_PLATFORM}) + app_op._kube.kube_patch_namespace(namespace, read_namespace) + else: + LOG.warning(f'WARNING: Namespace label {override_label} not supported') + + namespace_label = read_namespace.metadata.labels.get( + app_constants.HELM_CHART_COMPONENT_LABEL) + if old_namespace_label != namespace_label: + self._delete_pods(app_op, client_core, namespace) + + def _get_helm_user_overrides(self, dbapi_instance, db_app_id, namespace): + """Retrieve Helm user overrides for the specified namespace. 
+ + This method attempts to retrieve Helm user overrides for the given namespace + from the database. If no overrides are found, it creates them and returns an + empty string. + + :param dbapi_instance: The database API instance. + :param db_app_id: The application ID in the database. + :param namespace: The namespace for which Helm user overrides are needed. + :return: Helm user overrides as a string. + """ + try: + overrides = dbapi_instance.helm_override_get( + app_id=db_app_id, + name=app_constants.HELM_APP_KUBEVIRT, + namespace=namespace, + ) + except exception.HelmOverrideNotFound: + values = { + "name": app_constants.HELM_APP_KUBEVIRT, + "namespace": namespace, + "db_app_id": db_app_id, + } + overrides = dbapi_instance.helm_override_create(values=values) + return overrides.user_overrides or "" + + def _delete_pods(self, app_op, client_core, namespace): + """Delete pods in the specified namespace to force restart on label change. + + This method lists pods in the given namespace and deletes them with a grace period + of 0 seconds, effectively forcing a restart when there is a label change on the namespace. + + :param app_op: The AppOperator object. + :param client_core: The Kubernetes CoreV1Api client. + :param namespace: The namespace in which pods should be deleted. + """ + + # pod list + system_pods = client_core.list_namespaced_pod(namespace) + + # On namespace label change delete pods to force restart + for pod in system_pods.items: + app_op._kube.kube_delete_pod( + name=pod.metadata.name, + namespace=namespace, + grace_periods_seconds=0 + ) def pre_remove(self, app): - # Due to ordering of deletes, to prevent the namespace finalizer from waiting indefinitely, - # we need to ensure that the kubevirt and cdi custom resource. + """Pre application removal tasks. 
- LOG.debug( - "Executing pre_remove for {} app".format(app_constants.HELM_APP_KUBEVIRT) - ) - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete', app_constants.HELM_APP_CDI_CR, '-n', app_constants.HELM_NS_CDI] - stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) + Due to the ordering of deletes, to prevent the namespace finalizer from + waiting indefinitely, we need to ensure that the kubevirt and cdi custom + resources are deleted, and the finalizer removed from the + helmreleases.helm.toolkit.fluxcd.io resource, in the kubevirt namespace. - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete', app_constants.HELM_APP_KUBEVIRT_CR, '-n', app_constants.HELM_NS_KUBEVIRT] + :param app: The application object. + """ + + LOG.debug(f"Executing pre_remove for {app_constants.HELM_APP_KUBEVIRT} app") + + cmd = [ + 'kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, + 'delete', app_constants.HELM_APP_CDI_CR, '-n', app_constants.HELM_NS_CDI + ] stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) + LOG.debug(f"{app.name} app: cmd={cmd} stdout={stdout} stderr={stderr}") + + cmd = [ + 'kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, + 'delete', app_constants.HELM_APP_KUBEVIRT_CR, '-n', app_constants.HELM_NS_KUBEVIRT + ] + stdout, stderr = cutils.trycmd(*cmd) + LOG.debug(f"{app.name} app: cmd={cmd} stdout={stdout} stderr={stderr}") def post_remove(self, app): - LOG.debug( - "Executing post_remove for {} app".format(app_constants.HELM_APP_KUBEVIRT) - ) + """Execute post-remove actions for the applications - # Due to ordering of deletes, to prevent the namespace finalizer from waiting indefinitely, - # we need to ensure we delete 2 APIs - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete', 'apiservices.apiregistration.k8s.io', 
app_constants.HELM_APP_CDI_UPLOAD_API_V1_ALPHA_1] - stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) - - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete', 'apiservices.apiregistration.k8s.io', app_constants.HELM_APP_CDI_UPLOAD_API_V1_BETA_1] - stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) - - # Helm doesn't delete CRDs. To clean up after application-remove, we need to explicitly delete the CRDs. - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete','crd', app_constants.HELM_APP_CDI_CRD] - stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) + This method is responsible for performing cleanup actions after an + application has been removed. It includes deleting Custom Resource Definitions + (CRDs), removing symbolic links and binaries, and cleaning up directories. - cmd = ['kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, - 'delete','crd', app_constants.HELM_APP_KUBEVIRT_CRD] + :param app: The application object. + """ + + LOG.debug(f"Executing post_remove for {app_constants.HELM_APP_KUBEVIRT} app") + + # Helm doesn't delete CRDs. To clean up after application-remove, we need to explicitly + # delete the CRDs. + cmd = [ + 'kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, + 'delete', 'crd', app_constants.HELM_APP_CDI_CRD + ] stdout, stderr = cutils.trycmd(*cmd) - LOG.debug("{} app: cmd={} stdout={} stderr={}".format(app.name, cmd, stdout, stderr)) + + # CDI and KubeVirt CRDs are independent of each other; the CRD for CDI can be + # safely deleted even if deleting the KubeVirt CRD fails above. 
+ cmd = [ + 'kubectl', '--kubeconfig', kubernetes.KUBERNETES_ADMIN_CONF, + 'delete', 'crd', app_constants.HELM_APP_KUBEVIRT_CRD + ] + stdout, stderr = cutils.trycmd(*cmd) + LOG.debug(f"{app.name} app: cmd={cmd} stdout={stdout} stderr={stderr}") + + # Remove virtctl sym link + if os.path.exists(app_constants.HELM_VIRTCTL_LINK_PATH): + os.remove(app_constants.HELM_VIRTCTL_LINK_PATH) + else: + LOG.warning(f"Failed to delete {app_constants.HELM_VIRTCTL_LINK_PATH}") # Remove virtctl binary if os.path.exists(app_constants.HELM_VIRTCTL_PATH): - os.remove(app_constants.HELM_VIRTCTL_PATH) + os.remove(app_constants.HELM_VIRTCTL_PATH) else: - LOG.warning("Failed to delete {}".format(app_constants.HELM_VIRTCTL_PATH)) + LOG.warning(f"Failed to delete {app_constants.HELM_VIRTCTL_PATH}") # Remove /var/opt/kubevirt if it is empty - dir = os.listdir(app_constants.HELM_VIRTCTL_DIR) - if len(dir) == 0: - os.rmdir(app_constants.HELM_VIRTCTL_DIR) - LOG.debug("Deleted directory {}".format(app_constants.HELM_VIRTCTL_DIR)) + directory = os.listdir(app_constants.HELM_VIRTCTL_DIR) + if len(directory) == 0: + os.rmdir(app_constants.HELM_VIRTCTL_DIR) + LOG.debug(f"Deleted directory {app_constants.HELM_VIRTCTL_DIR}") else: - LOG.warning("Directory {} is not empty - will not be deleted.".format(app_constants.HELM_VIRTCTL_DIR)) + LOG.info(f"Directory {app_constants.HELM_VIRTCTL_DIR} is not empty \ + - will not be deleted.") diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/__init__.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_kubevirt.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_kubevirt.py new file mode 100644 index 0000000..9bb5307 --- /dev/null +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_kubevirt.py 
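Review bot: In `update_namespace_override`, the user-supplied override text is screened with a substring test (`HELM_CHART_COMPONENT_LABEL in chart_overrides`) and the result of `yaml.safe_load` is then used as a dict with no type check. If the overrides parse to something other than a mapping, such as a list or scalar that merely contains the label text, `dict_chart_overrides.get(...)` raises `AttributeError` inside the post-apply hook. Parse first and guard: `parsed = yaml.safe_load(chart_overrides) or {}` followed by `override_label = parsed.get(app_constants.HELM_CHART_COMPONENT_LABEL) if isinstance(parsed, dict) else None`. In `post_remove`, the output of the first `cutils.trycmd` (the CDI CRD delete) is overwritten before it is logged, and the comment between the two commands names the CRDs in the opposite order to the code. The `pre_remove` docstring also describes removing a finalizer from the helmreleases resource, which no visible line does.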
@@ -0,0 +1,34 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +"""Module for application testing.""" + +from sysinv.db import api as dbapi +from sysinv.tests.db import base as dbbase +from sysinv.tests.db import utils as dbutils +from sysinv.tests.helm import base + +from k8sapp_kubevirt.tests import test_plugins + + +class KubevirtTestCase(test_plugins.K8SAppKubevirtAppMixin, + base.HelmTestCaseMixin): + """Base Test Case Class.""" + + def setUp(self): + """Common Test Case Setup.""" + super().setUp() + self.app = dbutils.create_test_app(name='kubevirt') + self.dbapi = dbapi.get_instance() + + +# pylint: disable=too-many-ancestors +class KubevirtTestCaseDummy(KubevirtTestCase, + dbbase.ProvisionedControllerHostTestCase): + """Dummy Test Case Class""" + + def test_dummy(self): + """Dummy Test Case.""" + # without a test zuul will fail diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_plugins.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_plugins.py new file mode 100644 index 0000000..ff28c60 --- /dev/null +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/k8sapp_kubevirt/tests/test_plugins.py 
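Review bot: `setUp` creates the test app with the literal `name='kubevirt'`, while the constants.py hunk in this patch changes `HELM_APP_KUBEVIRT` to `'kubevirt-app'` and `K8SAppKubevirtAppMixin` in test_plugins.py uses that constant for `app_name`. Use `dbutils.create_test_app(name=self.app_name)` so the fixture follows the constant. `test_dummy` here and `test_stub` in test_plugins.py assert nothing, so the new tox jobs pass without exercising `get_overrides` or the lifecycle hooks. A first real test could check that `get_overrides()` returns both the `kubevirt` and `cdi` keys.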
@@ -0,0 +1,53 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+"""Module provides high-level plugin test framework."""
+
+from sysinv.tests.db import base as dbbase
+
+from k8sapp_kubevirt.common import constants as app_constants
+
+
+# pylint: disable=useless-object-inheritance
+class K8SAppKubevirtAppMixin(object):
+ """Class for specific plugin testcases."""
+
+ app_name = app_constants.HELM_APP_KUBEVIRT
+ path_name = app_name + '.tgz'
+
+ # pylint: disable=invalid-name,useless-parent-delegation
+ def setUp(self):
+ """Setup test cases."""
+ super().setUp()
+
+ def test_stub(self):
+ """Test Case Stub."""
+ # Replace this with a real unit test.
+
+
+# Test Configuration:
+# - Controller
+# - IPv6
+# - Ceph Storage
+# - kubevirt app
+
+# pylint: disable=too-many-ancestors
+class K8sAppKubevirtControllerTestCase(K8SAppKubevirtAppMixin,
+ dbbase.BaseIPv6Mixin,
+ dbbase.BaseCephStorageBackendMixin,
+ dbbase.ControllerHostTestCase):
+ """Class to test IPv6 Standard w/Ceph."""
+
+
+# Test Configuration:
+# - AIO
+# - IPv4
+# - Ceph Storage
+# - kubevirt app
+# pylint: disable=too-many-ancestors
+class K8SAppKubevirtAIOTestCase(K8SAppKubevirtAppMixin,
+ dbbase.BaseCephStorageBackendMixin,
+ dbbase.AIOSimplexHostTestCase):
+ """Class to test IPv4 AIO w/Ceph."""
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/pylint.rc b/python3-k8sapp-kubevirt/k8sapp_kubevirt/pylint.rc
index 4fbc73c..50e4946 100644
--- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/pylint.rc
+++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/pylint.rc
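Review bot: The `setUp` override in `K8SAppKubevirtAppMixin` only calls `super().setUp()` and is kept lint-clean with `# pylint: disable=invalid-name,useless-parent-delegation`; deleting the method leaves the MRO lookup unchanged and removes the need for the pragma. In the same way `class K8SAppKubevirtAppMixin(object):` can be written `class K8SAppKubevirtAppMixin:` instead of suppressing `useless-object-inheritance`, since this commit drops the Python 2 classifiers in setup.cfg. The class names also mix two spellings, `K8sAppKubevirtControllerTestCase` against `K8SAppKubevirtAppMixin` and `K8SAppKubevirtAIOTestCase`; one spelling throughout would make them easier to find.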
@@ -1,320 +1,631 @@ -[MASTER] -# Specify a configuration file. -rcfile=pylint.rc +[MAIN] + +# Analyse import fallback blocks. This can be used to support both Python 2 and +# 3 compatible code, which means that the block might have code that exists +# only in one or another interpreter, leading to false positives when analysed. +analyse-fallback-blocks=no + +# Clear in-memory caches upon conclusion of linting. Useful if running pylint +# in a server-like mode. +clear-cache-post-run=no + +# Load and enable all available extensions. Use --list-extensions to see a list +# all available extensions. +#enable-all-extensions= + +# In error mode, messages with a category besides ERROR or FATAL are +# suppressed, and no reports are done by default. Error mode is compatible with +# disabling specific errors. +#errors-only= + +# Always return a 0 (non-error) status code, even if lint errors are found. +# This is primarily useful in continuous integration scripts. +#exit-zero= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. +extension-pkg-allow-list= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. (This is an alternative name to extension-pkg-allow-list +# for backward compatibility.) +extension-pkg-whitelist= + +# Return non-zero exit code if any of these messages/categories are detected, +# even if score is above --fail-under value. Syntax same as enable. Messages +# specified are enabled, while categories only check already-enabled messages. +fail-on= + +# Specify a score threshold under which the program will exit with error. +fail-under=10 + +# Interpret the stdin as a python script, whose filename needs to be passed as +# the module_or_package argument. 
+#from-stdin= + +# Files or directories to be skipped. They should be base names, not paths. +ignore=CVS + +# Add files or directories matching the regular expressions patterns to the +# ignore-list. The regex matches against paths and can be in Posix or Windows +# format. Because '\\' represents the directory delimiter on Windows systems, +# it can't be used as an escape character. +ignore-paths= + +# Files or directories matching the regular expression patterns are skipped. +# The regex matches against base names, not paths. The default value ignores +# Emacs file locks +ignore-patterns=^\.# + +# List of module names for which member attributes should not be checked +# (useful for modules/projects where namespaces are manipulated during runtime +# and thus existing member attributes cannot be deduced by static analysis). It +# supports qualified module names, as well as Unix pattern matching. +ignored-modules= # Python code to execute, usually for sys.path manipulation such as # pygtk.require(). #init-hook= -# Add files or directories to the blacklist. Should be base names, not paths. -ignore=tests +# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the +# number of processors available to use, and will cap the count on Windows to +# avoid hangs. +jobs=1 + +# Control the amount of potential inferred values when inferring a single +# object. This can help the performance when dealing with large functions or +# complex, nested conditions. +limit-inference-results=100 + +# List of plugins (as comma separated values of python module names) to load, +# usually to register additional checkers. +load-plugins= # Pickle collected data for later comparisons. persistent=yes -# List of plugins (as comma separated values of python modules names) to load, -# usually to register additional checkers. -load-plugins= +# Minimum Python version to use for version dependent checks. Will default to +# the version used to run pylint. 
+py-version=3.9 -# Use multiple processes to speed up Pylint. -jobs=4 +# Discover python modules and packages in the file system subtree. +recursive=no + +# Add paths to the list of the source roots. Supports globbing patterns. The +# source root is an absolute path or a path relative to the current working +# directory used to determine a package namespace for modules located under the +# source root. +source-roots= + +# When enabled, pylint would attempt to guess common misconfiguration and emit +# user-friendly hints instead of false-positive error messages. +suggestion-mode=yes # Allow loading of arbitrary C extensions. Extensions are imported into the # active Python interpreter and may run arbitrary code. unsafe-load-any-extension=no -# A comma-separated list of package or module names from where C extensions may -# be loaded. Extensions are loading into the active Python interpreter and may -# run arbitrary code -extension-pkg-whitelist=lxml.etree,greenlet - - - -[MESSAGES CONTROL] -# Enable the message, report, category or checker with the given id(s). You can -# either give multiple identifier separated by comma (,) or put this option -# multiple time. 
-# -# Python3 checker: -# -# E1601: print-statement -# E1602: parameter-unpacking -# E1603: unpacking-in-except -# E1604: old-raise-syntax -# E1605: backtick -# E1606: long-suffix -# E1607: old-ne-operator -# E1608: old-octal-literal -# E1609: import-star-module-level -# E1610: non-ascii-bytes-literal -# E1611: invalid-unicode-literal -# W1601: apply-builtin -# W1602: basestring-builtin -# W1603: buffer-builtin -# W1604: cmp-builtin -# W1605: coerce-builtin -# W1606: execfile-builtin -# W1607: file-builtin -# W1608: long-builtin -# W1609: raw_input-builtin -# W1610: reduce-builtin -# W1611: standarderror-builtin -# W1612: unicode-builtin -# W1613: xrange-builtin -# W1614: coerce-method -# W1615: delslice-method -# W1616: getslice-method -# W1617: setslice-method -# W1618: no-absolute-import -# W1619: old-division -# W1620: dict-iter-method -# W1621: dict-view-method -# W1622: next-method-called -# W1623: metaclass-assignment -# W1624: indexing-exception -# W1625: raising-string -# W1626: reload-builtin -# W1627: oct-method -# W1628: hex-method -# W1629: nonzero-method -# W1630: cmp-method -# W1632: input-builtin -# W1633: round-builtin -# W1634: intern-builtin -# W1635: unichr-builtin -# W1636: map-builtin-not-iterating -# W1637: zip-builtin-not-iterating -# W1638: range-builtin-not-iterating -# W1639: filter-builtin-not-iterating -# W1640: using-cmp-argument -# W1641: eq-without-hash -# W1642: div-method -# W1643: idiv-method -# W1644: rdiv-method -# W1645: exception-message-attribute -# W1646: invalid-str-codec -# W1647: sys-max-int -# W1648: bad-python3-import -# W1649: deprecated-string-function -# W1650: deprecated-str-translate-call -# W1651: deprecated-itertools-function -# W1652: deprecated-types-field -# W1653: next-method-defined -# W1654: dict-items-not-iterating -# W1655: dict-keys-not-iterating -# W1656: dict-values-not-iterating -# W1657: deprecated-operator-function -# W1658: deprecated-urllib-function -# W1659: xreadlines-attribute -# W1660: 
deprecated-sys-function -# W1661: exception-escape -# W1662: comprehension-escape -enable=E1603,E1609,E1610,E1602,E1606,E1608,E1607,E1605,E1604,E1601,E1611,W1652, - W1651,W1649,W1657,W1660,W1658,W1659,W1623,W1622,W1620,W1621,W1645,W1641, - W1624,W1648,W1625,W1611,W1662,W1661,W1650,W1640,W1630,W1614,W1615,W1642, - W1616,W1628,W1643,W1629,W1627,W1644,W1617,W1601,W1602,W1603,W1604,W1605, - W1654,W1655,W1656,W1619,W1606,W1607,W1639,W1632,W1634,W1608,W1636, - W1653,W1646,W1638,W1609,W1610,W1626,W1633,W1647,W1635,W1612,W1613,W1637 - - -# Disable the message, report, category or checker with the given id(s). You -# can either give multiple identifier separated by comma (,) or put this option -# multiple time (only on the command line, not in the configuration file where -# it should appear only once). -# See "Messages Control" section of -# https://pylint.readthedocs.io/en/latest/user_guide -# We are disabling (C)onvention -# We are disabling (R)efactor -# W1618: no-absolute-import -disable=C, R, W1618 - -[REPORTS] -# Set the output format. Available formats are text, parseable, colorized, msvs -# (visual studio) and html -output-format=text - -# Put messages in a separate file for each module / package specified on the -# command line instead of printing them on stdout. Reports (if any) will be -# written in a file name "pylint_global.[txt|html]". -files-output=no - -# Tells whether to display a full report or only the messages -reports=yes - -# Python expression which should return a note less than 10 (10 is the highest -# note). You have access to the variables errors warning, statement which -# respectively contain the number of errors / warnings messages and the total -# number of statements analyzed. This is used by the global evaluation report -# (RP0004). -evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) - - -[SIMILARITIES] -# Minimum lines number of a similarity. 
-min-similarity-lines=4 - -# Ignore comments when computing similarities. -ignore-comments=yes - -# Ignore docstrings when computing similarities. -ignore-docstrings=yes - - -[FORMAT] -# Maximum number of characters on a single line. -max-line-length=85 - -# Maximum number of lines in a module -max-module-lines=1000 - -# String used as indentation unit. This is usually 4 spaces or "\t" (1 tab). -indent-string=' ' - - -[TYPECHECK] -# Tells whether missing members accessed in mixin class should be ignored. A -# mixin class is detected if its name ends with "mixin" (case insensitive). -ignore-mixin-members=yes - -# List of module names for which member attributes should not be checked -# (useful for modules/projects where namespaces are manipulated during runtime -# and thus existing member attributes cannot be deduced by static analysis -ignored-modules=distutils,eventlet.green.subprocess,six,six.moves - -# List of classes names for which member attributes should not be checked -# (useful for classes with attributes dynamically set). -# pylint is confused by sqlalchemy Table, as well as sqlalchemy Enum types -# ie: (unprovisioned, identity) -# LookupDict in requests library confuses pylint -ignored-classes=SQLObject, optparse.Values, thread._local, _thread._local, - Table, unprovisioned, identity, LookupDict - -# List of members which are set dynamically and missed by pylint inference -# system, and so shouldn't trigger E0201 when accessed. Python regular -# expressions are accepted. -generated-members=REQUEST,acl_users,aq_parent +# In verbose mode, extra non-checker-related info will be displayed. +#verbose= [BASIC] -# List of builtins function names that should not be used, separated by a comma -bad-functions=map,filter,apply,input -# Regular expression which should only match correct module names -module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ +# Naming style matching correct argument names. 
+argument-naming-style=snake_case -# Regular expression which should only match correct module level names -const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ +# Regular expression matching correct argument names. Overrides argument- +# naming-style. If left empty, argument names will be checked with the set +# naming style. +#argument-rgx= -# Regular expression which should only match correct class names -class-rgx=[A-Z_][a-zA-Z0-9]+$ +# Naming style matching correct attribute names. +attr-naming-style=snake_case -# Regular expression which should only match correct function names -function-rgx=[a-z_][a-z0-9_]{2,30}$ +# Regular expression matching correct attribute names. Overrides attr-naming- +# style. If left empty, attribute names will be checked with the set naming +# style. +#attr-rgx= -# Regular expression which should only match correct method names -method-rgx=[a-z_][a-z0-9_]{2,30}$ +# Bad variable names which should always be refused, separated by a comma. +bad-names=foo, + bar, + baz, + toto, + tutu, + tata -# Regular expression which should only match correct instance attribute names -attr-rgx=[a-z_][a-z0-9_]{2,30}$ +# Bad variable names regexes, separated by a comma. If names match any regex, +# they will always be refused +bad-names-rgxs= -# Regular expression which should only match correct argument names -argument-rgx=[a-z_][a-z0-9_]{2,30}$ +# Naming style matching correct class attribute names. +class-attribute-naming-style=any -# Regular expression which should only match correct variable names -variable-rgx=[a-z_][a-z0-9_]{2,30}$ +# Regular expression matching correct class attribute names. Overrides class- +# attribute-naming-style. If left empty, class attribute names will be checked +# with the set naming style. +#class-attribute-rgx= -# Regular expression which should only match correct list comprehension / -# generator expression variable names -inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ +# Naming style matching correct class constant names. 
+class-const-naming-style=UPPER_CASE -# Good variable names which should always be accepted, separated by a comma -good-names=i,j,k,ex,Run,_ +# Regular expression matching correct class constant names. Overrides class- +# const-naming-style. If left empty, class constant names will be checked with +# the set naming style. +#class-const-rgx= -# Bad variable names which should always be refused, separated by a comma -bad-names=foo,bar,baz,toto,tutu,tata +# Naming style matching correct class names. +class-naming-style=PascalCase -# Regular expression which should only match functions or classes name which do -# not require a docstring -no-docstring-rgx=__.*__ +# Regular expression matching correct class names. Overrides class-naming- +# style. If left empty, class names will be checked with the set naming style. +#class-rgx= +# Naming style matching correct constant names. +const-naming-style=UPPER_CASE -[MISCELLANEOUS] -# List of note tags to take in consideration, separated by a comma. -notes=FIXME,XXX,TODO +# Regular expression matching correct constant names. Overrides const-naming- +# style. If left empty, constant names will be checked with the set naming +# style. +#const-rgx= +# Minimum line length for functions/classes that require docstrings, shorter +# ones are exempt. +docstring-min-length=-1 -[VARIABLES] -# Tells whether we should check for unused import in __init__ files. -init-import=no +# Naming style matching correct function names. +function-naming-style=snake_case -# A regular expression matching the beginning of the name of dummy variables -# (i.e. not used). -dummy-variables-rgx=_|dummy +# Regular expression matching correct function names. Overrides function- +# naming-style. If left empty, function names will be checked with the set +# naming style. +#function-rgx= -# List of additional names supposed to be defined in builtins. Remember that -# you should avoid to define new builtins when possible. 
-additional-builtins= +# Good variable names which should always be accepted, separated by a comma. +good-names=i, + j, + k, + ex, + Run, + _ +# Good variable names regexes, separated by a comma. If names match any regex, +# they will always be accepted +good-names-rgxs= -[IMPORTS] -# Deprecated modules which should not be used, separated by a comma -deprecated-modules=regsub,string,TERMIOS,Bastion,rexec +# Include a hint for the correct naming format with invalid-name. +include-naming-hint=no -# Create a graph of every (i.e. internal and external) dependencies in the -# given file (report RP0402 must not be disabled) -import-graph= +# Naming style matching correct inline iteration names. +inlinevar-naming-style=any -# Create a graph of external dependencies in the given file (report RP0402 must -# not be disabled) -ext-import-graph= +# Regular expression matching correct inline iteration names. Overrides +# inlinevar-naming-style. If left empty, inline iteration names will be checked +# with the set naming style. +#inlinevar-rgx= -# Create a graph of internal dependencies in the given file (report RP0402 must -# not be disabled) -int-import-graph= +# Naming style matching correct method names. +method-naming-style=snake_case +# Regular expression matching correct method names. Overrides method-naming- +# style. If left empty, method names will be checked with the set naming style. +#method-rgx= -[DESIGN] -# Maximum number of arguments for function / method -max-args=5 +# Naming style matching correct module names. +module-naming-style=snake_case -# Argument names that match this expression will be ignored. Default to name -# with leading underscore -ignored-argument-names=_.* +# Regular expression matching correct module names. Overrides module-naming- +# style. If left empty, module names will be checked with the set naming style. 
+#module-rgx= -# Maximum number of locals for function / method body -max-locals=15 +# Colon-delimited sets of names that determine each other's naming style when +# the name regexes allow several styles. +name-group= -# Maximum number of return / yield for function / method body -max-returns=6 +# Regular expression which should only match function or class names that do +# not require a docstring. +no-docstring-rgx=^_ -# Maximum number of branch for function / method body -max-branchs=12 +# List of decorators that produce properties, such as abc.abstractproperty. Add +# to this list to register other decorators that produce valid properties. +# These decorators are taken in consideration only for invalid-name. +property-classes=abc.abstractproperty -# Maximum number of statements in function / method body -max-statements=50 +# Regular expression matching correct type alias names. If left empty, type +# alias names will be checked with the set naming style. +#typealias-rgx= -# Maximum number of parents for a class (see R0901). -max-parents=7 +# Regular expression matching correct type variable names. If left empty, type +# variable names will be checked with the set naming style. +#typevar-rgx= -# Maximum number of attributes for a class (see R0902). -max-attributes=7 +# Naming style matching correct variable names. +variable-naming-style=snake_case -# Minimum number of public methods for a class (see R0903). -min-public-methods=2 - -# Maximum number of public methods for a class (see R0904). -max-public-methods=20 +# Regular expression matching correct variable names. Overrides variable- +# naming-style. If left empty, variable names will be checked with the set +# naming style. +#variable-rgx= [CLASSES] + +# Warn about protected attribute access inside special methods +check-protected-access-in-special-methods=no + # List of method names used to declare (i.e. assign) instance attributes. 
-defining-attr-methods=__init__,__new__,setUp +defining-attr-methods=__init__, + __new__, + setUp, + asyncSetUp, + __post_init__ + +# List of member names, which should be excluded from the protected access +# warning. +exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit # List of valid names for the first argument in a class method. valid-classmethod-first-arg=cls +# List of valid names for the first argument in a metaclass class method. +valid-metaclass-classmethod-first-arg=mcs + + +[DESIGN] + +# List of regular expressions of class ancestor names to ignore when counting +# public methods (see R0903) +exclude-too-few-public-methods= + +# List of qualified class names to ignore when counting class parents (see +# R0901) +ignored-parents= + +# Maximum number of arguments for function / method. +max-args=5 + +# Maximum number of attributes for a class (see R0902). +max-attributes=7 + +# Maximum number of boolean expressions in an if statement (see R0916). +max-bool-expr=5 + +# Maximum number of branch for function / method body. +max-branches=12 + +# Maximum number of locals for function / method body. +max-locals=15 + +# Maximum number of parents for a class (see R0901). +max-parents=7 + +# Maximum number of public methods for a class (see R0904). +max-public-methods=20 + +# Maximum number of return / yield for function / method body. +max-returns=6 + +# Maximum number of statements in function / method body. +max-statements=50 + +# Minimum number of public methods for a class (see R0903). +min-public-methods=2 + [EXCEPTIONS] -# Exceptions that will emit a warning when being caught. Defaults to -# "Exception" -overgeneral-exceptions=Exception + +# Exceptions that will emit a warning when caught. +overgeneral-exceptions=builtins.BaseException,builtins.Exception + + +[FORMAT] + +# Expected format of line ending, e.g. empty (any line ending), LF or CRLF. +expected-line-ending-format= + +# Regexp for a line that is allowed to be longer than the limit. 
+ignore-long-lines=^\s*(# )??$ + +# Number of spaces of indent required inside a hanging or continued line. +indent-after-paren=4 + +# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 +# tab). +indent-string=' ' + +# Maximum number of characters on a single line. +max-line-length=100 + +# Maximum number of lines in a module. +max-module-lines=1000 + +# Allow the body of a class to be on the same line as the declaration if body +# contains single statement. +single-line-class-stmt=no + +# Allow the body of an if to be on the same line as the test if there is no +# else. +single-line-if-stmt=no + + +[IMPORTS] + +# List of modules that can be imported at any level, not just the top level +# one. +allow-any-import-level= + +# Allow explicit reexports by alias from a package __init__. +allow-reexport-from-package=no + +# Allow wildcard imports from modules that define __all__. +allow-wildcard-with-all=no + +# Deprecated modules which should not be used, separated by a comma. +deprecated-modules= + +# Output a graph (.gv or any supported image format) of external dependencies +# to the given file (report RP0402 must not be disabled). +ext-import-graph= + +# Output a graph (.gv or any supported image format) of all (i.e. internal and +# external) dependencies to the given file (report RP0402 must not be +# disabled). +import-graph= + +# Output a graph (.gv or any supported image format) of internal dependencies +# to the given file (report RP0402 must not be disabled). +int-import-graph= + +# Force import order to recognize a module as part of the standard +# compatibility libraries. +known-standard-library= + +# Force import order to recognize a module as part of a third party library. +known-third-party=enchant + +# Couples of modules and preferred modules, separated by a comma. +preferred-modules= + + +[LOGGING] + +# The type of string formatting that logging methods do. `old` means using % +# formatting, `new` is for `{}` formatting. 
+logging-format-style=old + +# Logging modules to check that the string format arguments are in logging +# function parameter format. +logging-modules=logging + + +[MESSAGES CONTROL] + +# Only show warnings with the listed confidence levels. Leave empty to show +# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, +# UNDEFINED. +confidence=HIGH, + CONTROL_FLOW, + INFERENCE, + INFERENCE_FAILURE, + UNDEFINED + +# Disable the message, report, category or checker with the given id(s). You +# can either give multiple identifiers separated by comma (,) or put this +# option multiple times (only on the command line, not in the configuration +# file where it should appear only once). You can also use "--disable=all" to +# disable everything first and then re-enable specific checks. For example, if +# you want to run only the similarities checker, you can use "--disable=all +# --enable=similarities". If you want to run only the classes checker, but have +# no Warning level messages displayed, use "--disable=all --enable=classes +# --disable=W". +disable=raw-checker-failed, + bad-inline-option, + locally-disabled, + file-ignored, + suppressed-message, + useless-suppression, + deprecated-pragma, + use-symbolic-message-instead, + R0913, E0401, W0212 +# Enable the message, report, category or checker with the given id(s). You can +# either give multiple identifier separated by comma (,) or put this option +# multiple time (only on the command line, not in the configuration file where +# it should appear only once). See also the "--disable" option for examples. +enable=c-extension-no-member, C0301 + + +[METHOD_ARGS] + +# List of qualified names (i.e., library.method) which require a timeout +# parameter e.g. 
'requests.api.get,requests.api.post' +timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request + + +[MISCELLANEOUS] + +# List of note tags to take in consideration, separated by a comma. +notes=FIXME, + XXX, + TODO + +# Regular expression of note tags to take in consideration. +notes-rgx= + + +[REFACTORING] + +# Maximum number of nested blocks for function / method body +max-nested-blocks=5 + +# Complete name of functions that never returns. When checking for +# inconsistent-return-statements if a never returning function is called then +# it will be considered as an explicit return statement and no message will be +# printed. +never-returning-functions=sys.exit,argparse.parse_error + + +[REPORTS] + +# Python expression which should return a score less than or equal to 10. You +# have access to the variables 'fatal', 'error', 'warning', 'refactor', +# 'convention', and 'info' which contain the number of messages in each +# category, as well as 'statement' which is the total number of statements +# analyzed. This score is used by the global evaluation report (RP0004). +evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)) + +# Template used to display messages. This is a python new-style format string +# used to format the message information. See doc for all details. +msg-template= + +# Set the output format. Available formats are text, parseable, colorized, json +# and msvs (visual studio). You can also give a reporter class, e.g. +# mypackage.mymodule.MyReporterClass. +#output-format= + +# Tells whether to display a full report or only the messages. +reports=no + +# Activate the evaluation score. 
+score=yes + + +[SIMILARITIES] + +# Comments are removed from the similarity computation +ignore-comments=yes + +# Docstrings are removed from the similarity computation +ignore-docstrings=yes + +# Imports are removed from the similarity computation +ignore-imports=yes + +# Signatures are removed from the similarity computation +ignore-signatures=yes + +# Minimum lines number of a similarity. +min-similarity-lines=4 + + +[SPELLING] + +# Limits count of emitted suggestions for spelling mistakes. +max-spelling-suggestions=4 + +# Spelling dictionary name. No available dictionaries : You need to install +# both the python package and the system dependency for enchant to work.. +spelling-dict= + +# List of comma separated words that should be considered directives if they +# appear at the beginning of a comment and should not be checked. +spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: + +# List of comma separated words that should not be checked. +spelling-ignore-words= + +# A path to a file that contains the private dictionary; one word per line. +spelling-private-dict-file= + +# Tells whether to store unknown words to the private dictionary (see the +# --spelling-private-dict-file option) instead of raising a message. +spelling-store-unknown-words=no + + +[STRING] + +# This flag controls whether inconsistent-quotes generates a warning when the +# character used as a quote delimiter is used inconsistently within a module. +check-quote-consistency=no + +# This flag controls whether the implicit-str-concat should generate a warning +# on implicit string concatenation in sequences defined over several lines. +check-str-concat-over-line-jumps=no + + +[TYPECHECK] + +# List of decorators that produce context managers, such as +# contextlib.contextmanager. Add to this list to register other decorators that +# produce valid context managers. 
+contextmanager-decorators=contextlib.contextmanager + +# List of members which are set dynamically and missed by pylint inference +# system, and so shouldn't trigger E1101 when accessed. Python regular +# expressions are accepted. +generated-members= + +# Tells whether to warn about missing members when the owner of the attribute +# is inferred to be None. +ignore-none=yes + +# This flag controls whether pylint should warn about no-member and similar +# checks whenever an opaque object is returned when inferring. The inference +# can return multiple potential results while evaluating a Python object, but +# some branches might not be evaluated, which results in partial inference. In +# that case, it might be useful to still emit no-member and other checks for +# the rest of the inferred objects. +ignore-on-opaque-inference=yes + +# List of symbolic message names to ignore for Mixin members. +ignored-checks-for-mixins=no-member, + not-async-context-manager, + not-context-manager, + attribute-defined-outside-init + +# List of class names for which member attributes should not be checked (useful +# for classes with dynamically set attributes). This supports the use of +# qualified names. +ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace + +# Show a hint with possible names when a member name was not found. The aspect +# of finding the hint is based on edit distance. +missing-member-hint=yes + +# The minimum edit distance a name should have in order to be considered a +# similar match for a missing member name. +missing-member-hint-distance=1 + +# The total number of similar names that should be taken in consideration when +# showing a hint for a missing member. +missing-member-max-choices=1 + +# Regex pattern to define which classes are considered mixins. +mixin-class-rgx=.*[Mm]ixin + +# List of decorators that change the signature of a decorated function. 
+signature-mutators= + + +[VARIABLES] + +# List of additional names supposed to be defined in builtins. Remember that +# you should avoid defining new builtins when possible. +additional-builtins= + +# Tells whether unused global variables should be treated as a violation. +allow-global-unused-variables=yes + +# List of names allowed to shadow builtins +allowed-redefined-builtins= + +# List of strings which can identify a callback function by name. A callback +# name must start or end with one of those strings. +callbacks=cb_, + _cb + +# A regular expression matching the name of dummy variables (i.e. expected to +# not be used). +dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ + +# Argument names that match this expression will be ignored. +ignored-argument-names=_.*|^ignored_|^unused_ + +# Tells whether we should check for unused import in __init__ files. +init-import=no + +# List of qualified module names which can have objects that can redefine +# builtins. +redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/requirements.txt b/python3-k8sapp-kubevirt/k8sapp_kubevirt/requirements.txt index 5bc15a1..45ac3bd 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/requirements.txt +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/requirements.txt @@ -1,2 +1,2 @@ -pbr>=0.5 -PyYAML==3.10 +pbr>=5.1.3 +PyYAML==6.0.0 diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.cfg b/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.cfg index d72338b..c345e14 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.cfg +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.cfg 
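Review bot: The `disable=` list in `[MESSAGES CONTROL]` ends with `R0913, E0401, W0212` as bare numeric ids with no explanation, which turns off import-error and protected-access for the whole package. With import-error disabled globally, a misspelled or missing module import passes the lint gate and is only found at runtime. If the reason is that sysinv is not importable in the lint environment (an assumption, the page does not say), a comment above the list such as `# import-error: sysinv is not installed in the pylint env` would record that. The entries would also be clearer as symbolic names, `too-many-arguments, import-error, protected-access`, or as inline suppressions on the lines that need them.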
@@ -8,10 +8,8 @@ classifier = License :: OSI Approved :: Apache Software License Operating System :: POSIX :: Linux Programming Language :: Python - Programming Language :: Python :: 2 - Programming Language :: Python :: 2.7 Programming Language :: Python :: 3 - Programming Language :: Python :: 3.6 + Programming Language :: Python :: 3.9 [files] packages = diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.py b/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.py index 32bcc7d..355a970 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.py +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/setup.py @@ -1,9 +1,11 @@ # -# copyright (c) 2022 Wind River Systems, Inc. +# copyright (c) 2022-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # import setuptools + + setuptools.setup( setup_requires=['pbr>=2.0.0'], pbr=True) diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/test-requirements.txt b/python3-k8sapp-kubevirt/k8sapp_kubevirt/test-requirements.txt index 352a10f..a140bcc 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/test-requirements.txt +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/test-requirements.txt @@ -1,23 +1,20 @@ # The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -pycodestyle<2.6.0 # MIT License hacking>=1.1.0,<=2.0.0 # Apache-2.0 +astroid +bandit<1.7.2;python_version>="3.0" coverage>=3.6 -discover fixtures>=3.0.0 # Apache-2.0/BSD mock>=2.0.0 # BSD -passlib>=1.7.0 -psycopg2-binary -python-barbicanclient>=4.5.2 # Apache-2.0 -python-subunit>=1.4.0 +python-subunit>=0.0.18 requests-mock>=0.6.0 # Apache-2.0 +sphinx +oslosphinx oslotest>=3.2.0 # Apache-2.0 stestr>=1.0.0 # Apache-2.0 testrepository>=0.0.18 testtools!=1.2.0,>=0.9.36 -pytest -pyudev -migrate -python-ldap>=3.1.0 -markupsafe +isort<5;python_version>="3.0" +pylint +pycryptodomex 
diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini b/python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini index 5ca4f4e..1a2af7c 100644 --- a/python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/tox.ini @@ -1,28 +1,32 @@ [tox] -envlist = pylint -minversion = 2.3 +envlist = flake8,py39,pylint,bandit,yamllint +minversion = 2.9 +skipsdist = True # tox does not work if the path to the workdir is too long, so move it to /tmp -toxworkdir = /tmp/{env:USER}_k8sapp_kubevirt +toxworkdir = /tmp/{env:USER}_k8skubvirt +stxdir = {toxinidir}/../../.. distshare={toxworkdir}/.tox/distshare [testenv] -sitepackages = False +basepython = python3.9 +usedevelop = True -# these need to be separated by a newline.... allowlist_externals = bash find install_command = pip install -v -v -v \ + -c{toxinidir}/upper-constraints.txt \ -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/starlingx/root/raw/branch/master/build-tools/requirements/debian/upper-constraints.txt} \ {opts} {packages} -commands = - find . -type f -name "*.pyc" -delete - +# Note the hash seed is set to 0 until can be tested with a +# random hash seed successfully. setenv = VIRTUAL_ENV={envdir} PYTHONHASHSEED=0 + PIP_RESOLVER_DEBUG=0 PYTHONDONTWRITEBYTECODE=1 + OS_TEST_PATH=./k8sapp_kubevirt/tests LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=C 
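Review bot: The renamed `toxworkdir = /tmp/{env:USER}_k8skubvirt` keeps every virtualenv for this package in a predictable directory directly under world-writable /tmp, so on a shared build or CI host another local account can pre-create that path and influence what tox later installs into and runs from it. A per-user location avoids this, for example `toxworkdir = {homedir}/.cache/tox_k8sapp_kubevirt`, provided the path-length limit mentioned in the comment above still leaves room. The new directory name also drops the `e` of kubevirt, which looks unintended.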
@@ -32,12 +36,106 @@ setenv = VIRTUAL_ENV={envdir} deps = -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt + -e{[tox]stxdir}/config/sysinv/sysinv/sysinv + -e{[tox]stxdir}/config/tsconfig/tsconfig + -e{[tox]stxdir}/fault/fm-api/source + -e{[tox]stxdir}/fault/python-fmclient/fmclient + -e{[tox]stxdir}/utilities/ceph/python-cephclient/python-cephclient + -e{[tox]stxdir}/update/sw-patch/cgcs-patch + +commands = + find . -type f -name "*.pyc" -delete + +[flake8] +exclude = build,dist,tools,.eggs +max-line-length=100 + +[testenv:flake8] +deps = -r{toxinidir}/test-requirements.txt +commands = + flake8 {posargs} . + +[testenv:py39] +commands = + {[testenv]commands} + stestr run {posargs} + stestr slowest + +[testenv:pep8] +deps = {[testenv:flake8]deps} +commands = {[testenv:flake8]commands} + +[testenv:venv] +commands = {posargs} + +[bandit] +# The following bandit tests are being skipped: +# B101: Test for use of assert +# B103: Test for setting permissive file permissions +# B104: Test for binding to all interfaces +# B105: Test for use of hard-coded password strings +# B108: Test for insecure usage of tmp file/directory +# B110: Try, Except, Pass detected. +# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function. +# B307: Blacklisted call to eval. 
+# B310: Audit url open for permitted schemes +# B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes +# B314: Blacklisted calls to xml.etree.ElementTree +# B318: Blacklisted calls to xml.dom.minidom +# B320: Blacklisted calls to lxml.etree +# B404: Import of subprocess module +# B405: import xml.etree +# B408: import xml.minidom +# B410: import lxml +# B506: Test for use of yaml load +# B602: Test for use of popen with shell equals true +# B603: Test for use of subprocess without shell equals true +# B604: Test for any function with shell equals true +# B605: Test for starting a process with a shell +# B607: Test for starting a process with a partial path +# B608: Possible SQL injection vector through string-based query +# +# Note: 'skips' entry cannot be split across multiple lines +# +#skips = B101,B103,B104,B105,B108,B110,B303,B307,B310,B311,B314,B318,B320,B404,B405,B408,B410,B506,B602,B603,B604,B605,B607,B608 +#exclude = tests + +[testenv:bandit] +deps = -r{toxinidir}/test-requirements.txt +commands = bandit --ini tox.ini -n 5 -r k8sapp_kubevirt [testenv:pylint] -basepython = python3 -sitepackages = False - -deps = {[testenv]deps} - pylint commands = pylint {posargs} k8sapp_kubevirt --rcfile=./pylint.rc + +[testenv:yamllint] +deps = yamllint +commands = bash -c "find ./ -iname '*.yaml' -type f -not -name 'metadata.yaml' -print0 | xargs -0 cat | sed 's/\s*\{\{.*\}\}//' | yamllint -d relaxed -f parsable - ;[ $? 
-eq 0 ] && exit 0 || exit 1" + +[stestr] +test_path = ./k8sapp_kubevirt + +[testenv:cover] +# not sure is passenv is still needed +passenv = CURL_CA_BUNDLE +deps = {[testenv]deps} +setenv = {[testenv]setenv} + PYTHON=coverage run --parallel-mode + +commands = + {[testenv]commands} + coverage erase + stestr run {posargs} + coverage combine + coverage html -d cover + coverage xml -o cover/coverage.xml + coverage report + +[testenv:pip-missing-reqs] +# do not install test-requirements as that will pollute the virtualenv for +# determining missing packages +# this also means that pip-missing-reqs must be installed separately, outside +# of the requirements.txt files +deps = pip_missing_reqs + -rrequirements.txt +commands=pip-missing-reqs -d k8sapp_kubevirt diff --git a/python3-k8sapp-kubevirt/k8sapp_kubevirt/upper-constraints.txt b/python3-k8sapp-kubevirt/k8sapp_kubevirt/upper-constraints.txt new file mode 100644 index 0000000..9c30188 --- /dev/null +++ b/python3-k8sapp-kubevirt/k8sapp_kubevirt/upper-constraints.txt @@ -0,0 +1 @@ +# Override upstream constraints based on StarlingX load diff --git a/stx-kubevirt-app-helm/docker/Dockerfile b/stx-kubevirt-app-helm/docker/Dockerfile index af50c78..75a54f0 100644 --- a/stx-kubevirt-app-helm/docker/Dockerfile +++ b/stx-kubevirt-app-helm/docker/Dockerfile @@ -6,5 +6,5 @@ # All Rights Reserved. # FROM alpine:3.16.2 -ADD https://github.com/kubevirt/kubevirt/releases/download/v0.53.1/virtctl-v0.53.1-linux-amd64 . -RUN chmod a+rwx ./virtctl-v0.53.1-linux-amd64 +ADD https://github.com/kubevirt/kubevirt/releases/download/v0.59.0/virtctl-v0.59.0-linux-amd64 . +RUN chmod a+rwx ./virtctl-v0.59.0-linux-amd64 diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/helmrepository.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/helmrepository.yaml index 6984fe8..d394062 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/helmrepository.yaml 
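Review bot: The `[bandit]` section opens with "The following bandit tests are being skipped" and lists 24 test IDs, but both `#skips = ...` and `#exclude = tests` are commented out, so as written `bandit --ini tox.ini -n 5 -r k8sapp_kubevirt` skips nothing. That is the safer configuration, but the stale header misleads the next maintainer and makes it easy to re-enable a blanket skip that would include B307 (eval), B506 (yaml load) and B602 (shell equals true). I would replace the header and list with `# No bandit tests are skipped; add an ID to 'skips' only with a per-ID justification.` and delete the commented-out `skips` line. This hunk starts inside the `[testenv]` section, whose beginning lies outside it.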
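Review bot: The bumped `ADD https://github.com/kubevirt/kubevirt/releases/download/v0.59.0/virtctl-v0.59.0-linux-amd64 .` fetches an executable at build time with no integrity check, and `RUN chmod a+rwx` leaves that binary writable by every user in the image. Pin the asset to a digest recorded in this repository, e.g. `ADD --checksum=sha256:<SHA256_OF_RELEASE_ASSET> https://github.com/kubevirt/kubevirt/releases/download/v0.59.0/virtctl-v0.59.0-linux-amd64 .` (this needs a BuildKit-based build; otherwise verify with `sha256sum -c` in a `RUN` step), and tighten the mode to `RUN chmod 0755 ./virtctl-v0.59.0-linux-amd64`. The digest shown is a placeholder; the real value has to come from the KubeVirt release.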
+++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/helmrepository.yaml @@ -8,6 +8,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: HelmRepository metadata: name: stx-platform + namespace: kube-system spec: url: http://192.168.206.1:8080/helm_charts/stx-platform interval: 1m diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/kustomization.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/kustomization.yaml index 1629676..184380e 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/kustomization.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/kustomization.yaml @@ -6,4 +6,3 @@ --- resources: - helmrepository.yaml - - namespace.yaml diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/namespace.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/namespace.yaml deleted file mode 100644 index a607027..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/base/namespace.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright (c) 2022 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kubevirt - labels: - app.kubernetes.io/managed-by: Helm - annotations: - meta.helm.sh/release-name: kubevirt-app - meta.helm.sh/release-namespace: kubevirt diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/helmrelease.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/helmrelease.yaml index 6c3c347..0af4e91 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/helmrelease.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/helmrelease.yaml 
@@ -8,6 +8,7 @@ apiVersion: "helm.toolkit.fluxcd.io/v2beta1" kind: HelmRelease metadata: name: kubevirt-app + namespace: kubevirt labels: chart_group: starlingx-kubevirt-charts spec: @@ -19,6 +20,7 @@ spec: sourceRef: kind: HelmRepository name: stx-platform + namespace: kube-system interval: 1m timeout: 30m test: diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/kustomization.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/kustomization.yaml index 4a0eea6..205fbf5 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/kustomization.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kubevirt-app/kustomization.yaml @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 # --- -namespace: kubevirt +namespace: kube-system resources: - helmrelease.yaml secretGenerator: diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kustomization.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kustomization.yaml index 204f577..1e65dca 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kustomization.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/fluxcd-manifests/kustomization.yaml @@ -1,11 +1,11 @@ -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kubevirt +namespace: kube-system resources: - base - kubevirt-app diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/cdi-crd.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/cdi-crd.yaml index dff67af..1fca356 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/cdi-crd.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/cdi-crd.yaml 
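Review bot: The `namespace: kubevirt` added under `metadata` of the HelmRelease disagrees with `namespace: kube-system` now set in both kustomization.yaml hunks that follow. As far as I know, kustomize's `namespace` field rewrites the namespace of every namespaced resource it emits, so the HelmRelease and the `secretGenerator` output would be created in kube-system and the explicit `kubevirt` value would never take effect. If kube-system is intended, drop the `metadata.namespace` line; if the release object should live in kubevirt, the overlays must not set `namespace`. Either way, a comment above the kustomization's `namespace:` line, such as `# HelmRelease and generated Secret are created in this namespace`, would let access to that Secret be reviewed against the right namespace.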
@@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -20,7 +20,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.3 name: cdis.cdi.kubevirt.io spec: group: cdi.kubevirt.io 
@@ -98,2129 +98,15 @@ spec: enum: - copy - snapshot - type: string - config: - description: CDIConfig at CDI level - properties: - featureGates: - description: FeatureGates are a list of specific enabled feature - gates - items: - type: string - type: array - filesystemOverhead: - description: FilesystemOverhead describes the space reserved for - overhead when using Filesystem volumes. A value is between 0 - and 1, if not defined it is 0.055 (5.5% overhead) - properties: - global: - description: Global is how much space of a Filesystem volume - should be reserved for overhead. This value is used unless - overridden by a more specific value (per storageClass) - pattern: ^(0(?:\.\d{1,3})?|1)$ - type: string - storageClass: - additionalProperties: - description: 'Percent is a string that can only be a value - between [0,1) (Note: we actually rely on reconcile to - reject invalid values)' - pattern: ^(0(?:\.\d{1,3})?|1)$ - type: string - description: StorageClass specifies how much space of a Filesystem - volume should be reserved for safety. The keys are the storageClass - and the values are the overhead. This value overrides the - global value - type: object - type: object - importProxy: - description: ImportProxy contains importer pod proxy configuration. - properties: - HTTPProxy: - description: HTTPProxy is the URL http://:@: - of the import proxy for HTTP requests. Empty means unset - and will not result in the import pod env var. - type: string - HTTPSProxy: - description: HTTPSProxy is the URL https://:@: - of the import proxy for HTTPS requests. Empty means unset - and will not result in the import pod env var. - type: string - noProxy: - description: NoProxy is a comma-separated list of hostnames - and/or CIDRs for which the proxy should not be used. Empty - means unset and will not result in the import pod env var. 
- type: string - trustedCAProxy: - description: "TrustedCAProxy is the name of a ConfigMap in - the cdi namespace that contains a user-provided trusted - certificate authority (CA) bundle. The TrustedCAProxy field - is consumed by the import controller that is resposible - for coping it to a config map named trusted-ca-proxy-bundle-cm - in the cdi namespace. Here is an example of the ConfigMap - (in yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - trusted-ca-proxy-bundle-cm namespace: cdi data: ca.pem: - | -----BEGIN CERTIFICATE----- ... - ... -----END CERTIFICATE-----" - type: string - type: object - insecureRegistries: - description: InsecureRegistries is a list of TLS disabled registries - items: - type: string - type: array - podResourceRequirements: - description: ResourceRequirements describes the compute resource - requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - preallocation: - description: Preallocation controls whether storage for DataVolumes - should be allocated in advance. - type: boolean - scratchSpaceStorageClass: - description: 'Override the storage class to used for scratch space - during transfer operations. The scratch space storage class - is determined in the following order: 1. value of scratchSpaceStorageClass, - if that doesn''t exist, use the default storage class, if there - is no default storage class, use the storage class of the DataVolume, - if no storage class specified, use no storage class for scratch - space' - type: string - uploadProxyURLOverride: - description: Override the URL used when uploading to a DataVolume - type: string - type: object - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull a container - image - enum: - - Always - - IfNotPresent - - Never - type: string - infra: - description: Rules on which nodes CDI infrastructure pods will be - scheduled - properties: - affinity: - description: affinity enables pod affinity/anti-affinity placement - expanding the types of constraints that can be expressed with - nodeSelector. affinity is going to be applied to the relevant - kind of pods in parallel with nodeSelector See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. 
for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. 
When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. 
The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. 
If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'nodeSelector is the node selector applied to the - relevant kind of pods It specifies a map of key-value pairs: - for the pod to be eligible to run on a node, the node must have - each of the indicated key-value pairs as labels (it can have - additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' - type: object - tolerations: - description: tolerations is a list of tolerations applied to the - relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for more info. 
These are additional tolerations other than default - ones. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - uninstallStrategy: - description: CDIUninstallStrategy defines the state to leave CDI on - uninstall - enum: - - RemoveWorkloads - - BlockUninstallIfWorkloadsExist - type: string - workload: - description: Restrict on which nodes CDI workload pods will be scheduled - properties: - affinity: - description: affinity enables pod affinity/anti-affinity placement - expanding the types of constraints that can be expressed with - nodeSelector. 
affinity is going to be applied to the relevant - kind of pods in parallel with nodeSelector See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. 
If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. 
due to an update), the system - may or may not try to eventually evict the pod from - its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. 
- If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. 
- properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. 
for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". 
The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. 
- The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'nodeSelector is the node selector applied to the - relevant kind of pods It specifies a map of key-value pairs: - for the pod to be eligible to run on a node, the node must have - each of the indicated key-value pairs as labels (it can have - additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' - type: object - tolerations: - description: tolerations is a list of tolerations applied to the - relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - for more info. These are additional tolerations other than default - ones. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - status: - description: CDIStatus defines the status of the installation - properties: - conditions: - description: A list of current conditions of the resource - items: - description: Condition represents the state of the operator's reconciliation - functionality. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: ConditionType is the state of the operator's reconciliation - functionality. - type: string - required: - - status - - type - type: object - type: array - observedVersion: - description: The observed version of the resource - type: string - operatorVersion: - description: The version of the resource as defined by the operator - type: string - phase: - description: Phase is the current phase of the deployment - type: string - targetVersion: - description: The desired version of the resource - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.phase - name: Phase - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: CDI is the CDI Operator CRD - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CDISpec defines our specification for the CDI installation - properties: - certConfig: - description: certificate configuration - properties: - ca: - description: CA configuration CA certs are kept in the CA bundle - as long as they are valid - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the - Certificate. - type: string - renewBefore: - description: The amount of time before the currently issued - certificate's `notAfter` time that we will begin to attempt - to renew the certificate. - type: string - type: object - server: - description: Server configuration Certs are rotated and discarded - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the - Certificate. - type: string - renewBefore: - description: The amount of time before the currently issued - certificate's `notAfter` time that we will begin to attempt - to renew the certificate. - type: string - type: object - type: object - cloneStrategyOverride: - description: 'Clone strategy override: should we use a host-assisted - copy even if snapshots are available?' - enum: - - copy - - snapshot + - csi-clone type: string config: description: CDIConfig at CDI level properties: dataVolumeTTLSeconds: description: DataVolumeTTLSeconds is the time in seconds after - DataVolume completion it can be garbage collected. + DataVolume completion it can be garbage collected. Disabled + by default. format: int32 type: integer featureGates: 
@@ -2253,6 +139,19 @@ spec: global value type: object type: object + imagePullSecrets: + description: The imagePullSecrets used to pull the container images + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array importProxy: description: ImportProxy contains importer pod proxy configuration. properties: @@ -2274,12 +173,12 @@ spec: trustedCAProxy: description: "TrustedCAProxy is the name of a ConfigMap in the cdi namespace that contains a user-provided trusted - certificate authority (CA) bundle. The TrustedCAProxy field - is consumed by the import controller that is resposible - for coping it to a config map named trusted-ca-proxy-bundle-cm - in the cdi namespace. Here is an example of the ConfigMap - (in yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - trusted-ca-proxy-bundle-cm namespace: cdi data: ca.pem: + certificate authority (CA) bundle. The TrustedCAProxy ConfigMap + is consumed by the DataImportCron controller for creating + cronjobs, and by the import controller referring a copy + of the ConfigMap in the import namespace. Here is an example + of the ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: my-ca-proxy-cm namespace: cdi data: ca.pem: | -----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE-----" type: string 
@@ -2293,6 +192,27 @@ spec: description: ResourceRequirements describes the compute resource requirements. properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2745,9 +665,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -2805,7 +723,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -2910,9 +828,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -2968,7 +884,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -3073,9 +989,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -3133,7 +1047,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -3238,9 +1152,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -3296,7 +1208,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array 
@@ -3691,9 +1603,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -3751,7 +1661,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -3856,9 +1766,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -3914,7 +1822,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -4019,9 +1927,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list 
@@ -4079,7 +1985,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -4184,9 +2090,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label 
@@ -4242,7 +2146,2242 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to the + relevant kind of pods It specifies a map of key-value pairs: + for the pod to be eligible to run on a node, the node must have + each of the indicated key-value pairs as labels (it can have + additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied to the + relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than default + ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. 
If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + status: + description: CDIStatus defines the status of the installation + properties: + conditions: + description: A list of current conditions of the resource + items: + description: Condition represents the state of the operator's reconciliation + functionality. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + description: ConditionType is the state of the operator's reconciliation + functionality. 
+ type: string + required: + - status + - type + type: object + type: array + observedVersion: + description: The observed version of the resource + type: string + operatorVersion: + description: The version of the resource as defined by the operator + type: string + phase: + description: Phase is the current phase of the deployment + type: string + targetVersion: + description: The desired version of the resource + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: CDI is the CDI Operator CRD + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CDISpec defines our specification for the CDI installation + properties: + certConfig: + description: certificate configuration + properties: + ca: + description: CA configuration CA certs are kept in the CA bundle + as long as they are valid + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the + Certificate. 
+ type: string + renewBefore: + description: The amount of time before the currently issued + certificate's `notAfter` time that we will begin to attempt + to renew the certificate. + type: string + type: object + server: + description: Server configuration Certs are rotated and discarded + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the + Certificate. + type: string + renewBefore: + description: The amount of time before the currently issued + certificate's `notAfter` time that we will begin to attempt + to renew the certificate. + type: string + type: object + type: object + cloneStrategyOverride: + description: 'Clone strategy override: should we use a host-assisted + copy even if snapshots are available?' + enum: + - copy + - snapshot + - csi-clone + type: string + config: + description: CDIConfig at CDI level + properties: + dataVolumeTTLSeconds: + description: DataVolumeTTLSeconds is the time in seconds after + DataVolume completion it can be garbage collected. Disabled + by default. + format: int32 + type: integer + featureGates: + description: FeatureGates are a list of specific enabled feature + gates + items: + type: string + type: array + filesystemOverhead: + description: FilesystemOverhead describes the space reserved for + overhead when using Filesystem volumes. A value is between 0 + and 1, if not defined it is 0.055 (5.5% overhead) + properties: + global: + description: Global is how much space of a Filesystem volume + should be reserved for overhead. 
This value is used unless + overridden by a more specific value (per storageClass) + pattern: ^(0(?:\.\d{1,3})?|1)$ + type: string + storageClass: + additionalProperties: + description: 'Percent is a string that can only be a value + between [0,1) (Note: we actually rely on reconcile to + reject invalid values)' + pattern: ^(0(?:\.\d{1,3})?|1)$ + type: string + description: StorageClass specifies how much space of a Filesystem + volume should be reserved for safety. The keys are the storageClass + and the values are the overhead. This value overrides the + global value + type: object + type: object + imagePullSecrets: + description: The imagePullSecrets used to pull the container images + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + importProxy: + description: ImportProxy contains importer pod proxy configuration. + properties: + HTTPProxy: + description: HTTPProxy is the URL http://:@: + of the import proxy for HTTP requests. Empty means unset + and will not result in the import pod env var. + type: string + HTTPSProxy: + description: HTTPSProxy is the URL https://:@: + of the import proxy for HTTPS requests. Empty means unset + and will not result in the import pod env var. + type: string + noProxy: + description: NoProxy is a comma-separated list of hostnames + and/or CIDRs for which the proxy should not be used. Empty + means unset and will not result in the import pod env var. + type: string + trustedCAProxy: + description: "TrustedCAProxy is the name of a ConfigMap in + the cdi namespace that contains a user-provided trusted + certificate authority (CA) bundle. 
The TrustedCAProxy ConfigMap + is consumed by the DataImportCron controller for creating + cronjobs, and by the import controller referring a copy + of the ConfigMap in the import namespace. Here is an example + of the ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: my-ca-proxy-cm namespace: cdi data: ca.pem: + | -----BEGIN CERTIFICATE----- ... + ... -----END CERTIFICATE-----" + type: string + type: object + insecureRegistries: + description: InsecureRegistries is a list of TLS disabled registries + items: + type: string + type: array + podResourceRequirements: + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + preallocation: + description: Preallocation controls whether storage for DataVolumes + should be allocated in advance. + type: boolean + scratchSpaceStorageClass: + description: 'Override the storage class to used for scratch space + during transfer operations. The scratch space storage class + is determined in the following order: 1. value of scratchSpaceStorageClass, + if that doesn''t exist, use the default storage class, if there + is no default storage class, use the storage class of the DataVolume, + if no storage class specified, use no storage class for scratch + space' + type: string + tlsSecurityProfile: + description: TLSSecurityProfile is used by operators to apply + cluster-wide TLS security settings to operands. + properties: + custom: + description: "custom is a user-defined TLS security profile. + Be extremely careful using a custom profile as invalid configurations + can be catastrophic. An example custom profile looks like + this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 + minTLSVersion: TLSv1.1" + nullable: true + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. 
Operators + may remove entries their operands do not support. For + example, to use DES-CBC3-SHA (yaml): \n ciphers: - + DES-CBC3-SHA" + items: + type: string + type: array + minTLSVersion: + description: "minTLSVersion is used to specify the minimal + version of the TLS protocol that is negotiated during + the TLS handshake. For example, to use TLS versions + 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n + NOTE: currently the highest minTLSVersion allowed is + VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: "intermediate is a TLS security profile based + on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + minTLSVersion: TLSv1.2" + nullable: true + type: object + modern: + description: "modern is a TLS security profile based on: \n + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported." 
+ nullable: true + type: object + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - + ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 + - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA + - DES-CBC3-SHA minTLSVersion: TLSv1.0" + nullable: true + type: object + type: + description: "type is one of Old, Intermediate, Modern or + Custom. Custom provides the ability to specify individual + TLS security profile parameters. Old, Intermediate and Modern + are TLS security profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over + time as new ciphers are developed and existing ciphers are + found to be insecure. Depending on precisely which ciphers + are available to a process, the list may be reduced. \n + Note that the Modern profile is currently not supported + because it is not yet well adopted by common software libraries." 
+ enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + uploadProxyURLOverride: + description: Override the URL used when uploading to a DataVolume + type: string + type: object + imagePullPolicy: + description: PullPolicy describes a policy for if/when to pull a container + image + enum: + - Always + - IfNotPresent + - Never + type: string + infra: + description: Rules on which nodes CDI infrastructure pods will be + scheduled + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed with + nodeSelector. affinity is going to be applied to the relevant + kind of pods in parallel with nodeSelector See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. 
+ properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. 
for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. 
avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. 
This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to the + relevant kind of pods It specifies a map of key-value pairs: + for the pod to be eligible to run on a node, the node must have + each of the indicated key-value pairs as labels (it can have + additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied to the + relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than default + ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. 
Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + priorityClass: + description: PriorityClass of the CDI control plane + type: string + uninstallStrategy: + description: CDIUninstallStrategy defines the state to leave CDI on + uninstall + enum: + - RemoveWorkloads + - BlockUninstallIfWorkloadsExist + type: string + workload: + description: Restrict on which nodes CDI workload pods will be scheduled + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed with + nodeSelector. affinity is going to be applied to the relevant + kind of pods in parallel with nodeSelector See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. 
for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". items: type: string type: array diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/crd.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/crd.yaml index bf0baaa..fce087c 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/crd.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/crds/crd.yaml @@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # 
@@ -183,6 +183,15 @@ spec: description: DeveloperConfiguration holds developer options properties: cpuAllocationRatio: + description: 'For each requested virtual CPU, CPUAllocationRatio + defines how much physical CPU to request per VMI from the + hosting node. The value is in fraction of a CPU thread (or + core on non-hyperthreaded nodes). For example, a value of + 1 means 1 physical CPU thread per VMI CPU thread. A value + of 100 would be 1% of a physical thread allocated for each + requested VMI thread. This option has no effect on VMIs + that request dedicated CPUs. More information at: https://kubevirt.io/user-guide/operations/node_overcommit/#node-cpu-allocation-ratio + Defaults to 10' type: integer diskVerification: description: DiskVerification holds container disks verification @@ -198,6 +207,8 @@ spec: - memoryLimit type: object featureGates: + description: FeatureGates is the list of experimental features + to enable. Defaults to none items: type: string type: array @@ -223,6 +234,13 @@ spec: type: integer type: object memoryOvercommit: + description: MemoryOvercommit is the percentage of memory + we want to give VMIs compared to the amount given to its + parent pod (virt-launcher). For example, a value of 102 + means the VMI will "see" 2% more memory than its parent + pod. Values under 100 are effectively "undercommits". Overcommits + can lead to memory exhaustion, which in turn can lead to + crashes. Use carefully. Defaults to 100 type: integer minimumClusterTSCFrequency: description: Allow overriding the automatically determined 
@@ -231,18 +249,26 @@ spec: format: int64 type: integer minimumReservePVCBytes: + description: MinimumReservePVCBytes is the amount of space, + in bytes, to leave unused on disks. Defaults to 131072 (128KiB) format: int64 type: integer nodeSelectors: additionalProperties: type: string + description: NodeSelectors allows restricting VMI creation + to nodes that match a set of labels. Defaults to none type: object pvcTolerateLessSpaceUpToPercent: + description: LessPVCSpaceToleration determines how much smaller, + in percentage, disk PVCs are allowed to be compared to the + requested size (to account for various overheads). Defaults + to 10 type: integer useEmulation: description: UseEmulation can be set to true to allow fallback to software emulation in case hardware-assisted emulation - is not available. + is not available. Defaults to false type: boolean type: object emulatedMachines: @@ -296,7 +322,13 @@ spec: description: MediatedDevicesConfiguration holds information about MDEV types to be defined, if available properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. items: type: string type: array @@ -307,7 +339,13 @@ spec: about MDEV types to be defined in a specifc node that matches the NodeSelector field. properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. items: type: string type: array @@ -321,7 +359,6 @@ spec: on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object required: - - mediatedDevicesTypes - nodeSelector type: object type: array 
@@ -331,37 +368,80 @@ spec: format: int32 type: integer migrations: - description: MigrationConfiguration holds migration options + description: MigrationConfiguration holds migration options. Can + be overridden for specific groups of VMs though migration policies. + Visit https://kubevirt.io/user-guide/operations/migration_policies/ + for more information. properties: allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false type: boolean allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false type: boolean bandwidthPerMigration: anyOf: - type: integer - type: string + description: BandwidthPerMigration limits the amount of network + bandwith live migrations are allowed to use. The value is + in quantity per second. Defaults to 0 (no limit) pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 format: int64 type: integer disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false type: boolean network: + description: Network is the name of the CNI network to use + for live migrations. 
By default, migrations go through the + pod network. type: string nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' type: string parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 format: int32 type: integer parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. Defaults to 2 format: int32 type: integer progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 format: int64 type: integer unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. Defaults to false type: boolean type: object minCPUModel: @@ -431,6 +511,25 @@ spec: type: array x-kubernetes-list-type: atomic type: object + seccompConfiguration: + description: SeccompConfiguration holds Seccomp configuration + for Kubevirt components + properties: + virtualMachineInstanceProfile: + description: VirtualMachineInstanceProfile defines what profile + should be used with virt-launcher. Defaults to none + properties: + customProfile: + description: CustomProfile allows to request arbitrary + profile for virt-launcher + properties: + localhostProfile: + type: string + runtimeDefaultProfile: + type: boolean + type: object + type: object + type: object selinuxLauncherType: type: string smbios: 
@@ -451,6 +550,28 @@ spec: items: type: string type: array + tlsConfiguration: + description: TLSConfiguration holds TLS options + properties: + ciphers: + items: + type: string + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: "MinTLSVersion is a way to specify the minimum + protocol version that is acceptable for TLS connections. + Protocol versions are based on the following most common + TLS configurations: \n https://ssl-config.mozilla.org/ + \n Note that SSLv3.0 is not a supported protocol version + due to well known vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object virtualMachineInstancesPerNode: type: integer webhookConfiguration: @@ -529,6 +650,20 @@ spec: imagePullPolicy: description: The ImagePullPolicy to use. type: string + imagePullSecrets: + description: The imagePullSecrets to pull the container images from + Defaults to none + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + x-kubernetes-list-type: atomic imageRegistry: description: The image registry to pull the container images from Defaults to the same registry the operator's container image is 
@@ -1537,6 +1672,11 @@ spec: components. Useful if KubeVirt is included as part of a product. If ProductVersion is not specified, KubeVirt's version will be used. type: string + serviceMonitorNamespace: + description: The namespace the service monitor will be deployed When + ServiceMonitorNamespace is set, then we'll install the service monitor + object in that namespace otherwise we will use the monitoring namespace. + type: string uninstallStrategy: description: Specifies if kubevirt can be deleted if workloads are still present. This is mainly a precaution to avoid accidental data @@ -2795,6 +2935,15 @@ spec: description: DeveloperConfiguration holds developer options properties: cpuAllocationRatio: + description: 'For each requested virtual CPU, CPUAllocationRatio + defines how much physical CPU to request per VMI from the + hosting node. The value is in fraction of a CPU thread (or + core on non-hyperthreaded nodes). For example, a value of + 1 means 1 physical CPU thread per VMI CPU thread. A value + of 100 would be 1% of a physical thread allocated for each + requested VMI thread. This option has no effect on VMIs + that request dedicated CPUs. More information at: https://kubevirt.io/user-guide/operations/node_overcommit/#node-cpu-allocation-ratio + Defaults to 10' type: integer diskVerification: description: DiskVerification holds container disks verification @@ -2810,6 +2959,8 @@ spec: - memoryLimit type: object featureGates: + description: FeatureGates is the list of experimental features + to enable. Defaults to none items: type: string type: array 
@@ -2835,6 +2986,13 @@ spec: type: integer type: object memoryOvercommit: + description: MemoryOvercommit is the percentage of memory + we want to give VMIs compared to the amount given to its + parent pod (virt-launcher). For example, a value of 102 + means the VMI will "see" 2% more memory than its parent + pod. Values under 100 are effectively "undercommits". Overcommits + can lead to memory exhaustion, which in turn can lead to + crashes. Use carefully. Defaults to 100 type: integer minimumClusterTSCFrequency: description: Allow overriding the automatically determined @@ -2843,18 +3001,26 @@ spec: format: int64 type: integer minimumReservePVCBytes: + description: MinimumReservePVCBytes is the amount of space, + in bytes, to leave unused on disks. Defaults to 131072 (128KiB) format: int64 type: integer nodeSelectors: additionalProperties: type: string + description: NodeSelectors allows restricting VMI creation + to nodes that match a set of labels. Defaults to none type: object pvcTolerateLessSpaceUpToPercent: + description: LessPVCSpaceToleration determines how much smaller, + in percentage, disk PVCs are allowed to be compared to the + requested size (to account for various overheads). Defaults + to 10 type: integer useEmulation: description: UseEmulation can be set to true to allow fallback to software emulation in case hardware-assisted emulation - is not available. + is not available. Defaults to false type: boolean type: object emulatedMachines: @@ -2908,7 +3074,13 @@ spec: description: MediatedDevicesConfiguration holds information about MDEV types to be defined, if available properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. items: type: string type: array 
@@ -2919,7 +3091,13 @@ spec: about MDEV types to be defined in a specifc node that matches the NodeSelector field. properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. items: type: string type: array @@ -2933,7 +3111,6 @@ spec: on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object required: - - mediatedDevicesTypes - nodeSelector type: object type: array 
@@ -2943,37 +3120,80 @@ spec: format: int32 type: integer migrations: - description: MigrationConfiguration holds migration options + description: MigrationConfiguration holds migration options. Can + be overridden for specific groups of VMs though migration policies. + Visit https://kubevirt.io/user-guide/operations/migration_policies/ + for more information. properties: allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false type: boolean allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false type: boolean bandwidthPerMigration: anyOf: - type: integer - type: string + description: BandwidthPerMigration limits the amount of network + bandwith live migrations are allowed to use. The value is + in quantity per second. Defaults to 0 (no limit) pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 format: int64 type: integer disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false type: boolean network: + description: Network is the name of the CNI network to use + for live migrations. 
By default, migrations go through the + pod network. type: string nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' type: string parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 format: int32 type: integer parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. Defaults to 2 format: int32 type: integer progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 format: int64 type: integer unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. Defaults to false type: boolean type: object minCPUModel: 
@@ -3063,6 +3283,28 @@ spec: items: type: string type: array + tlsConfiguration: + description: TLSConfiguration holds TLS options + properties: + ciphers: + items: + type: string + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: "MinTLSVersion is a way to specify the minimum + protocol version that is acceptable for TLS connections. + Protocol versions are based on the following most common + TLS configurations: \n https://ssl-config.mozilla.org/ + \n Note that SSLv3.0 is not a supported protocol version + due to well known vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object virtualMachineInstancesPerNode: type: integer webhookConfiguration: @@ -3141,6 +3383,20 @@ spec: imagePullPolicy: description: The ImagePullPolicy to use. type: string + imagePullSecrets: + description: The imagePullSecrets to pull the container images from + Defaults to none + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + x-kubernetes-list-type: atomic imageRegistry: description: The image registry to pull the container images from Defaults to the same registry the operator's container image is 
@@ -4149,6 +4405,11 @@ spec: components. Useful if KubeVirt is included as part of a product. If ProductVersion is not specified, KubeVirt's version will be used. type: string + serviceMonitorNamespace: + description: The namespace the service monitor will be deployed When + ServiceMonitorNamespace is set, then we'll install the service monitor + object in that namespace otherwise we will use the monitoring namespace. + type: string uninstallStrategy: description: Specifies if kubevirt can be deleted if workloads are still present. This is mainly a precaution to avoid accidental data @@ -5259,4 +5520,3 @@ spec: storage: true subresources: status: {} - diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-clusterrole.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-clusterrole.yaml index a586a80..b252043 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-clusterrole.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-clusterrole.yaml @@ -54,6 +54,7 @@ rules: - apiextensions.k8s.io resources: - customresourcedefinitions + - customresourcedefinitions/status verbs: - '*' - apiGroups: @@ -102,6 +103,12 @@ rules: - namespaces verbs: - get +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get - apiGroups: - cdi.kubevirt.io resources: @@ -140,7 +147,6 @@ rules: resources: - persistentvolumes - persistentvolumeclaims - - volumesnapshots verbs: - get - list @@ -148,12 +154,13 @@ rules: - create - update - delete + - deletecollection + - patch - apiGroups: - "" resources: - persistentvolumeclaims/finalizers - pods/finalizers - - volumesnapshots/finalizers verbs: - update - apiGroups: @@ -173,6 +180,7 @@ rules: - configmaps verbs: - get + - create - apiGroups: - storage.k8s.io resources: 
@@ -246,6 +254,12 @@ rules: verbs: - list - watch +- apiGroups: + - kubevirt.io + resources: + - virtualmachines/finalizers + verbs: + - update - apiGroups: - "" resources: diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-configmap.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-configmap.yaml deleted file mode 100644 index 6905713..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-configmap.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Copyright (c) 2022 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - operator.cdi.kubevirt.io: "" - name: cdi-operator-leader-election-helper - namespace: cdi diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-deployment.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-deployment.yaml index 9a71edf..72c3862 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-deployment.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-deployment.yaml 
@@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -26,7 +26,7 @@ metadata: name: cdi-operator namespace: cdi spec: - replicas: 1 + replicas: {{ .Values.cdi.replicas }} selector: matchLabels: name: cdi-operator 
@@ -44,42 +44,44 @@ spec: - name: DEPLOY_CLUSTER_RESOURCES value: "true" - name: OPERATOR_VERSION - value: v1.54.0 + value: {{ .Values.cdi.cdiVersion }} - name: CONTROLLER_IMAGE - value: {{ .Values.images.tags.cdiControlerImage }} + value: {{ .Values.cdi.images.tags.cdiControlerImage }} - name: IMPORTER_IMAGE - value: {{ .Values.images.tags.cdiImporterImage }} + value: {{ .Values.cdi.images.tags.cdiImporterImage }} - name: CLONER_IMAGE - value: {{ .Values.images.tags.cdiClonerImage }} + value: {{ .Values.cdi.images.tags.cdiClonerImage }} - name: APISERVER_IMAGE - value: {{ .Values.images.tags.cdiApiServerImage }} + value: {{ .Values.cdi.images.tags.cdiApiServerImage }} - name: UPLOAD_SERVER_IMAGE - value: {{ .Values.images.tags.cdiUploadServerImage }} + value: {{ .Values.cdi.images.tags.cdiUploadServerImage }} - name: UPLOAD_PROXY_IMAGE - value: {{ .Values.images.tags.cdiUploadProxyImage }} + value: {{ .Values.cdi.images.tags.cdiUploadProxyImage }} - name: VERBOSITY value: "1" - name: PULL_POLICY value: IfNotPresent - name: MONITORING_NAMESPACE - image: {{ .Values.images.tags.cdiOperatorImage }} + image: {{ .Values.cdi.images.tags.cdiOperatorImage }} imagePullPolicy: IfNotPresent name: cdi-operator ports: - - containerPort: {{ .Values.containerPorts.cdiMetricsPort }} + - containerPort: {{ .Values.cdi.containerPorts.metricsPort }} name: metrics protocol: TCP resources: requests: - memory: {{ .Values.resources.requests.memory }} + memory: {{ .Values.cdi.resources.requests.memory }} + imagePullSecrets: + - name: {{ .Values.cdi.imagePullSecrets }} +{{- if .Values.cdi.nodeSelector }} + nodeSelector: +{{ .Values.cdi.nodeSelector | toYaml | trim | indent 8 }} +{{- end }} securityContext: runAsNonRoot: true serviceAccountName: cdi-operator -{{- with .Values.tolerations }} +{{- with .Values.cdi.tolerations }} tolerations: {{ toYaml . | indent 6 }} {{- end }} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ .Values.nodeSelector | toYaml | trim | indent 8 }} -{{- end }} 
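Review bot: The `imagePullSecrets:` entry added in `@@ -44,42 +44,44 @@` is rendered unconditionally, unlike the `nodeSelector` block right after it, so an unset or empty `.Values.cdi.imagePullSecrets` produces a `- name:` item with no value, which the API server is likely to reject. Wrap the two lines in `{{- if .Values.cdi.imagePullSecrets }}` … `{{- end }}` and render the name as `- name: {{ .Values.cdi.imagePullSecrets | quote }}`. The template assumes the value is a single secret name; if overrides may supply a list, it needs a `range` instead. The pod spec these lines belong to starts above the hunk, so their indentation should be checked against the full file.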
diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-namespace.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-namespace.yaml index d662d08..4611669 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-namespace.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-namespace.yaml @@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -21,8 +21,6 @@ kind: Namespace metadata: labels: cdi.kubevirt.io: "" - app.kubernetes.io/managed-by: Helm + app.starlingx.io/component: {{ .Values.cdi.componentType }} name: cdi annotations: - meta.helm.sh/release-name: kubevirt-cdi-app - meta.helm.sh/release-namespace: cdi diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding.yaml index 46ca0db..f0071ce 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding.yaml @@ -33,3 +33,17 @@ subjects: - kind: ServiceAccount name: cdi-operator namespace: cdi +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cdi-registry-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubevirt-registry-cr +subjects: +- kind: ServiceAccount + name: cdi-operator + namespace: cdi 
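Review bot: The label value in `app.starlingx.io/component: {{ .Values.cdi.componentType }}` (hunk `@@ -21,8 +21,6 @@`) is emitted unquoted, so an override such as `true` or a bare number renders as a non-string and the Namespace only fails at apply time. Render it as `{{ .Values.cdi.componentType | quote }}`. Whether the value is limited to the allowed component types is not visible in this template and presumably happens in the plugin. The hunk also removes both entries under `annotations:` but keeps the key, leaving an empty mapping that can be deleted.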
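Review bot: The `cdi-registry-rolebinding` added in `@@ -33,3 +33,17 @@` binds the `cdi-operator` service account to `kubevirt-registry-cr` inside `kube-system`, and that ClusterRole (appended to `clusterrole.yaml` in this commit) allows create, get, list, watch, patch and delete on every `secrets` object. The binding is carried over from the deleted `cdi-rolebinding2.yaml`, but it still lets the CDI operator read and modify all secrets in `kube-system`, which is more than handling an image-pull secret needs. If only the registry secret is required, bind a dedicated Role whose read and write verbs carry `resourceNames: ["<registry-secret-name>"]` (placeholder; the real name is not on this page), keeping `create` as a separate rule because it cannot be limited by name. A comment on the binding should state why CDI needs access to `kube-system` at all.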
diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding2.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding2.yaml deleted file mode 100644 index d60c025..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-rolebinding2.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Copyright (c) 202 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cdi-registry-rolebinding - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubevirt-registry-cr -subjects: -- kind: ServiceAccount - name: cdi-operator - namespace: cdi diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-serviceaccount.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-serviceaccount.yaml index b264fb6..93a47b2 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-serviceaccount.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi-serviceaccount.yaml @@ -23,5 +23,3 @@ metadata: operator.cdi.kubevirt.io: "" name: cdi-operator namespace: cdi -imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} 
diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi.yaml index 9e55664..e16059c 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/cdi.yaml @@ -21,15 +21,25 @@ kind: CDI metadata: name: cdi spec: + certConfig: + ca: + duration: {{ .Values.cdi.certificateRotate.ca.duration }} + renewBefore: {{ .Values.cdi.certificateRotate.ca.renewBefore }} + server: + duration: {{ .Values.cdi.certificateRotate.server.duration }} + renewBefore: {{ .Values.cdi.certificateRotate.server.renewBefore }} + config: + imagePullSecrets: + - name: {{ .Values.cdi.imagePullSecrets }} + featureGates: {{ .Values.cdi.featureGates }} imagePullPolicy: IfNotPresent infra: - nodeSelector: - kubernetes.io/os: linux tolerations: - key: CriticalAddonsOnly operator: Exists workload: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ .Values.nodeSelector | toYaml | trim | indent 8 }} -{{- end }} + {{- if .Values.cdi.nodeSelector }} + nodeSelector: + {{- .Values.cdi.nodeSelector | toYaml | trim | nindent 6 }} + {{- end }} + diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole.yaml index fbedb82..5f5c90a 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole.yaml @@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 202 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # 
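Review bot: `featureGates: {{ .Values.cdi.featureGates }}` in `@@ -21,15 +21,25 @@` prints the value with Go's default formatting, so a list of two gates renders as `[A B]`, which YAML reads as the single string `A B` rather than two entries. Use `featureGates: {{ .Values.cdi.featureGates | toJson }}` instead. The `imagePullSecrets` item under `config:` is also rendered unconditionally; guarding it with `{{- if .Values.cdi.imagePullSecrets }}` avoids an empty `- name:` entry when no secret is configured. The hunk also drops the `kubernetes.io/os: linux` selector from `infra`, which deserves a line in the commit message if it is intentional.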
@@ -185,19 +185,6 @@ rules: - delete - update - patch -- apiGroups: - - subresources.kubevirt.io - resources: - - virtualmachineinstances/pause - - virtualmachineinstances/unpause - - virtualmachineinstances/addvolume - - virtualmachineinstances/removevolume - - virtualmachineinstances/freeze - - virtualmachineinstances/unfreeze - - virtualmachineinstances/softreboot - verbs: - - update - - get - apiGroups: - "" resources: @@ -207,6 +194,22 @@ rules: - list - watch - patch +- apiGroups: + - flavor.kubevirt.io + resources: + - virtualmachineflavors + - virtualmachineclusterflavors + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection - apiGroups: - "" resources: @@ -227,6 +230,12 @@ rules: - watch - patch - update +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get - apiGroups: - kubevirt.io resources: @@ -286,6 +295,7 @@ rules: resources: - virtualmachinesnapshots - virtualmachinerestores + - virtualmachinesnapshotcontents verbs: - get - list @@ -294,16 +304,20 @@ rules: - cdi.kubevirt.io resources: - datasources + - datavolumes verbs: - get - list - watch - apiGroups: - - flavor.kubevirt.io + - instancetype.kubevirt.io resources: - - virtualmachineflavors - - virtualmachineclusterflavors + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences verbs: + - get - list - watch - apiGroups: @@ -314,6 +328,14 @@ rules: - get - list - watch +- apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - create + - list + - get - apiGroups: - "" resources: @@ -322,6 +344,15 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - patch - apiGroups: - policy resources: @@ -339,6 +370,7 @@ rules: - pods - configmaps - endpoints + - services verbs: - get - list 
@@ -346,6 +378,7 @@ rules: - delete - update - create + - patch - apiGroups: - "" resources: @@ -354,6 +387,12 @@ rules: - update - create - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create - apiGroups: - "" resources: @@ -397,6 +436,8 @@ rules: - list - create - delete + - get + - update - apiGroups: - "" resources: @@ -415,11 +456,19 @@ rules: - '*' verbs: - '*' +- apiGroups: + - export.kubevirt.io + resources: + - '*' + verbs: + - '*' - apiGroups: - pool.kubevirt.io resources: - virtualmachinepools - virtualmachinepools/finalizers + - virtualmachinepools/status + - virtualmachinepools/scale verbs: - watch - list @@ -500,11 +549,14 @@ rules: - list - watch - apiGroups: - - flavor.kubevirt.io + - instancetype.kubevirt.io resources: - - virtualmachineflavors - - virtualmachineclusterflavors + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences verbs: + - get - list - watch - apiGroups: @@ -515,12 +567,49 @@ rules: - get - list - watch +- apiGroups: + - clone.kubevirt.io + resources: + - virtualmachineclones + - virtualmachineclones/status + - virtualmachineclones/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete - apiGroups: - "" resources: - namespaces verbs: - get +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - list + - get + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - get + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - list + - get + - watch - apiGroups: - kubevirt.io resources: 
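Review bot: The rule added in `@@ -515,12 +567,49 @@` grants `list`, `get` and `watch` on `secrets` with no `resourceNames`, which, when the role is bound through a ClusterRoleBinding, is read access to every secret in the cluster; `@@ -354,6 +387,12 @@` adds `create` on `secrets` and `@@ -415,11 +456,19 @@` adds `'*'` verbs on all `export.kubevirt.io` resources. The role names lie outside these hunks, so which component receives each grant cannot be told from here. If the rules are copied from the upstream KubeVirt v0.59.0 manifests, record that above each one, e.g. `# from upstream KubeVirt v0.59.0 RBAC: cluster-wide secret read`, so the grants can be diffed on the next version bump and stand out in an RBAC audit.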
@@ -585,10 +674,36 @@ rules: - get - list - watch +- apiGroups: + - export.kubevirt.io + resources: + - virtualmachineexports + verbs: + - get + - list + - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - list + - watch +- apiGroups: + - "" + resourceNames: + - kubevirt-export-ca + resources: + - configmaps + verbs: + - get + - list + - watch - apiGroups: - subresources.kubevirt.io resources: - version + - guestfs verbs: - get - list @@ -597,6 +712,8 @@ rules: resources: - virtualmachineinstances/console - virtualmachineinstances/vnc + - virtualmachineinstances/vnc/screenshot + - virtualmachineinstances/portforward - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist @@ -614,6 +731,13 @@ rules: - virtualmachineinstances/softreboot verbs: - update +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/expand-spec + - virtualmachines/portforward + verbs: + - get - apiGroups: - subresources.kubevirt.io resources: @@ -622,6 +746,14 @@ rules: - virtualmachines/restart - virtualmachines/addvolume - virtualmachines/removevolume + - virtualmachines/migrate + - virtualmachines/memorydump + verbs: + - update +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec verbs: - update - apiGroups: @@ -657,10 +789,12 @@ rules: - watch - deletecollection - apiGroups: - - flavor.kubevirt.io + - instancetype.kubevirt.io resources: - - virtualmachineflavors - - virtualmachineclusterflavors + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences verbs: - get - delete @@ -696,6 +830,7 @@ rules: resources: - virtualmachineinstances/console - virtualmachineinstances/vnc + - virtualmachineinstances/vnc/screenshot - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist 
@@ -711,16 +846,31 @@ rules: - virtualmachineinstances/freeze - virtualmachineinstances/unfreeze - virtualmachineinstances/softreboot + - virtualmachineinstances/portforward verbs: - update +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/expand-spec + verbs: + - get - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/start - virtualmachines/stop - virtualmachines/restart - - virtualmachines/addvolume | + - virtualmachines/addvolume - virtualmachines/removevolume + - virtualmachines/migrate + - virtualmachines/memorydump + verbs: + - update +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec verbs: - update - apiGroups: @@ -754,10 +904,12 @@ rules: - list - watch - apiGroups: - - flavor.kubevirt.io + - instancetype.kubevirt.io resources: - - virtualmachineflavors - - virtualmachineclusterflavors + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences verbs: - get - delete @@ -796,11 +948,18 @@ rules: - apiGroups: - subresources.kubevirt.io resources: + - virtualmachines/expand-spec - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist verbs: - get +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec + verbs: + - update - apiGroups: - kubevirt.io resources: @@ -824,10 +983,12 @@ rules: - list - watch - apiGroups: - - flavor.kubevirt.io + - instancetype.kubevirt.io resources: - - virtualmachineflavors - - virtualmachineclusterflavors + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences verbs: - get - list 
@@ -860,4 +1021,45 @@ rules: - subjectaccessreviews verbs: - create - +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubevirt.io:operator + labels: + operator.kubevirt.io: "" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + kubevirt.io: "" + name: kubevirt-registry-cr + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - watch + - patch + - delete diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole2.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole2.yaml deleted file mode 100644 index 4109ef4..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole2.yaml +++ /dev/null 
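Review bot: The `kubevirt-registry-cr` ClusterRole moved into this file keeps `namespace: kube-system` in its metadata, which has no effect on a cluster-scoped object, and its single rule covers every Secret with `create`/`get`/`list`/`watch`/`patch`/`delete`. The scope is limited only by the `kubevirt-registry-rolebinding` RoleBinding that this commit adds to rolebinding.yaml, so the `kubevirt-operator` service account can read and delete any Secret in `kube-system`. If the role exists only to manage the registry pull secret (inferred from its name, not shown here), a namespaced `Role` with `resourceNames` on `get`/`patch`/`delete` would be narrower; `create` cannot be limited by `resourceNames` and should be dropped if unused. At minimum, remove the `namespace:` line and add a comment such as `# bound via RoleBinding in kube-system only; grants access to all Secrets in that namespace`.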
@@ -1,39 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Copyright (c) 202 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubevirt.io:operator - labels: - operator.kubevirt.io: "" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - kubevirt.io - resources: - - kubevirts - verbs: - - get - - delete - - create - - update - - patch - - list - - watch - - deletecollection diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole3.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole3.yaml deleted file mode 100644 index 8a739e3..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/clusterrole3.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations the License. - -# -# Copyright (c) 2022 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - kubevirt.io: "" - name: kubevirt-registry-cr - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - watch - - patch - - delete diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/deployment.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/deployment.yaml index 37bde1f..2785aa7 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/deployment.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/deployment.yaml @@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 202 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -24,7 +24,7 @@ metadata: name: virt-operator namespace: kubevirt spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.kubevirt.replicas }} selector: matchLabels: kubevirt.io: virt-operator 
@@ -51,39 +51,49 @@ spec: topologyKey: kubernetes.io/hostname weight: 1 containers: - - command: - - virt-operator + - args: - --port - "8443" - -v - "2" + command: + - virt-operator env: - - name: OPERATOR_IMAGE - value: {{ .Values.images.tags.virtOperatorImage }} + - name: VIRT_OPERATOR_IMAGE + value: {{ .Values.kubevirt.images.tags.virtOperatorImage }} - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: {{ .Values.images.tags.virtOperatorImage }} + - name: KUBEVIRT_VERSION + value: {{ .Values.kubevirt.kubeVirtVersion }} + image: {{ .Values.kubevirt.images.tags.virtOperatorImage }} imagePullPolicy: IfNotPresent name: virt-operator ports: - - containerPort: {{ .Values.containerPorts.metricsPort }} + - containerPort: {{ .Values.kubevirt.containerPorts.metricsPort }} name: metrics protocol: TCP - - containerPort: {{ .Values.containerPorts.webhooksPort }} + - containerPort: {{ .Values.kubevirt.containerPorts.webhooksPort }} name: webhooks protocol: TCP readinessProbe: httpGet: path: /metrics - port: {{ .Values.containerPorts.readinessProbePort }} + port: {{ .Values.kubevirt.containerPorts.readinessProbePort }} scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 10 resources: requests: - memory: {{ .Values.resources.requests.memory }} + memory: {{ .Values.kubevirt.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /etc/virt-operator/certificates name: kubevirt-operator-certs 
@@ -92,23 +102,27 @@ spec: name: profile-data initContainers: - name: virtctl-init-container - image: {{ .Values.images.tags.virtCtlImage }} + image: {{ .Values.kubevirt.images.tags.virtCtlImage }} imagePullPolicy: IfNotPresent volumeMounts: - name: controller-dir mountPath: /var/opt/ - command: ['sh', '-c', "mkdir -p /var/opt/kubevirt/; mv /virtctl-v* /var/opt/kubevirt; chmod 755 /var/opt/kubevirt;"] + command: ['sh', '-c', "mkdir -p /var/opt/kubevirt/; mv /virtctl-v* /var/opt/kubevirt; chmod 755 /var/opt/kubevirt; cp -s /var/opt/kubevirt/virtctl-v* /var/opt/kubevirt/virtctl"] + imagePullSecrets: + - name: {{ .Values.kubevirt.imagePullSecrets }} priorityClassName: kubevirt-cluster-critical securityContext: runAsNonRoot: false + seccompProfile: + type: RuntimeDefault serviceAccountName: kubevirt-operator -{{- with .Values.tolerations }} +{{- with .Values.kubevirt.tolerations }} tolerations: {{ toYaml . | indent 6 }} {{- end }} -{{- if .Values.nodeSelector }} +{{- if .Values.kubevirt.nodeSelector }} nodeSelector: -{{ .Values.nodeSelector | toYaml | trim | indent 8 }} +{{ .Values.kubevirt.nodeSelector | toYaml | trim | indent 8 }} {{- end }} volumes: - name: kubevirt-operator-certs diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/kubevirt.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/kubevirt.yaml index 42a0975..8cbde31 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/kubevirt.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/kubevirt.yaml 
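Review bot: The `virtctl-init-container` command chains its steps with `;`, so a failed `mv` or `cp -s` still lets the container exit 0 and the pod start without a usable `/var/opt/kubevirt/virtctl` link. `cp -s` without `-f` will not replace an existing link. If `controller-dir` survives an upgrade (its volume definition is outside this hunk), the `virtctl-v*` glob can match more than one file, leaving the link stale or missing. Consider starting the script with `set -e` and creating the link with `ln -sfn` against the one file that was just moved. This container also lacks the `allowPrivilegeEscalation: false` / `capabilities: drop: [ALL]` block the commit adds to `virt-operator`, while the pod keeps `runAsNonRoot: false`; if the copy works without extra capabilities, the same block belongs here.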
@@ -22,13 +22,22 @@ metadata: name: kubevirt namespace: kubevirt spec: - certificateRotateStrategy: {} + certificateRotateStrategy: + selfSigned: + ca: + duration: {{ .Values.kubevirt.certificateRotate.ca.duration }} + renewBefore: {{ .Values.kubevirt.certificateRotate.ca.renewBefore }} + server: + duration: {{ .Values.kubevirt.certificateRotate.server.duration }} + renewBefore: {{ .Values.kubevirt.certificateRotate.server.renewBefore }} configuration: developerConfiguration: - featureGates: {{ .Values.featureGates }} - useEmulation: {{ .Values.useEmulation }} + featureGates: {{ .Values.kubevirt.featureGates }} + useEmulation: {{ .Values.kubevirt.useEmulation }} customizeComponents: {} imagePullPolicy: IfNotPresent + imagePullSecrets: + - name: {{ .Values.kubevirt.imagePullSecrets }} infra: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.kubevirt.replicas }} workloadUpdateStrategy: {} diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/namespace.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/namespace.yaml index f9a7b14..b2f4a86 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/namespace.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/namespace.yaml @@ -11,7 +11,7 @@ # limitations under the License. # -# Copyright (c) 202 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -21,10 +21,7 @@ kind: Namespace metadata: labels: kubevirt.io: "" - app.kubernetes.io/managed-by: Helm + pod-security.kubernetes.io/enforce: "privileged" + app.starlingx.io/component: {{ .Values.kubevirt.componentType }} annotations: - meta.helm.sh/release-name: kubevirt-app - meta.helm.sh/release-namespace: kubevirt name: kubevirt -spec: - finalizers: 
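Review bot: `featureGates: {{ .Values.kubevirt.featureGates }}` prints a list in Go's format, so two gates render as `[A B]`, which YAML reads as one string and not two entries. As far as the values.yaml hunk in this commit shows, the new `kubevirt:` block defines neither `featureGates` nor `useEmulation`, so without an override both lines render empty. Serialising and defaulting the values, e.g. `featureGates: {{ .Values.kubevirt.featureGates | default list | toJson }}` and `useEmulation: {{ .Values.kubevirt.useEmulation | default false }}`, keeps the rendered CR well-formed. The four `certificateRotate` values are also passed through unchecked; a comment in values.yaml stating that `renewBefore` must be shorter than `duration` would help whoever overrides them.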
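Review bot: The new label `pod-security.kubernetes.io/enforce: "privileged"` turns off Pod Security Admission enforcement for every pod in the `kubevirt` namespace, not only the components that need host access, and the template does not say why. I would add a comment naming the workload that requires it, and keep visibility with `pod-security.kubernetes.io/audit: "baseline"` and `pod-security.kubernetes.io/warn: "baseline"`, so that other pods landing in this namespace are at least reported. `app.starlingx.io/component: {{ .Values.kubevirt.componentType }}` is rendered unquoted and unchecked; if the "invalid type shouldn't apply the label" behaviour from the test plan is enforced elsewhere (presumably in the plugin), a short comment pointing there would avoid relying on the template for it.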
diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/role.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/role.yaml index ace769e..938b546 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/role.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/role.yaml @@ -46,3 +46,20 @@ rules: - watch - patch - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - create + - get + - list + - watch + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding.yaml index aae0689..0d37f09 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding.yaml @@ -31,3 +31,17 @@ subjects: - kind: ServiceAccount name: kubevirt-operator namespace: kubevirt +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubevirt-registry-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubevirt-registry-cr +subjects: +- kind: ServiceAccount + name: kubevirt-operator + namespace: kubevirt diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding2.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding2.yaml deleted file mode 100644 index ecc2488..0000000 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/rolebinding2.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Copyright (c) 202 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kubevirt-registry-rolebinding - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubevirt-registry-cr -subjects: -- kind: ServiceAccount - name: kubevirt-operator - namespace: kubevirt diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/serviceaccount.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/serviceaccount.yaml index 27fd07f..f00b3d4 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/serviceaccount.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/templates/serviceaccount.yaml @@ -23,5 +23,3 @@ metadata: kubevirt.io: "" name: kubevirt-operator namespace: kubevirt -imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} diff --git a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/values.yaml b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/values.yaml index 3501cd3..f07aa7d 100644 --- a/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/values.yaml +++ b/stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/values.yaml 
@@ -1,4 +1,4 @@ -# Copyright (c) 2022 Wind River Systems, Inc. +# Copyright (c) 2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # 
@@ -7,44 +7,87 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. --- -replicas: 1 -images: - tags: - virtCtlImage: docker.io/starlingx/stx-kubevirt-app:stx.8.0-v0.53.1 - virtOperatorImage: quay.io/kubevirt/virt-operator:v0.53.1 - virtControllerImage: quay.io/kubevirt/virt-controller:v0.53.1 - virtLauncherImage: quay.io/kubevirt/virt-launcher:v0.53.1 - virtHandlerImage: quay.io/kubevirt/virt-handler:v0.53.1 - virtApiImage: quay.io/kubevirt/virt-api:v0.53.1 - cdiOperatorImage: quay.io/kubevirt/cdi-operator:v1.54.0 - cdiControlerImage: quay.io/kubevirt/cdi-controller:v1.54.0 - cdiImporterImage: quay.io/kubevirt/cdi-importer:v1.54.0 - cdiClonerImage: quay.io/kubevirt/cdi-cloner:v1.54.0 - cdiApiServerImage: quay.io/kubevirt/cdi-apiserver:v1.54.0 - cdiUploadServerImage: quay.io/kubevirt/cdi-uploadserver:v1.54.0 - cdiUploadProxyImage: quay.io/kubevirt/cdi-uploadproxy:v1.54.0 +# KubeVirt configuration +kubevirt: + kubeVirtVersion: v0.59.0 + replicas: 1 + componentType: "platform" + certificateRotate: + ca: + duration: 720h + renewBefore: 360h + server: + duration: 720h + renewBefore: 360h + images: + tags: + virtCtlImage: docker.io/starlingx/stx-kubevirt-app:stx.8.0-v0.59.0 + virtOperatorImage: quay.io/kubevirt/virt-operator:v0.59.0 + virtControllerImage: quay.io/kubevirt/virt-controller:v0.59.0 + virtLauncherImage: quay.io/kubevirt/virt-launcher:v0.59.0 + virtHandlerImage: quay.io/kubevirt/virt-handler:v0.59.0 + virtApiImage: quay.io/kubevirt/virt-api:v0.59.0 + imagePullSecrets: default-registry-key + resources: + requests: + memory: 400Mi + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + containerPorts: + metricsPort: 8443 + webhooksPort: 8444 + readinessProbePort: 8443 
-imagePullSecrets: default-registry-key - -resources: - requests: - memory: 150Mi - -nodeSelector: { node-role.kubernetes.io/control-plane: "" } - -tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - -containerPorts: - metricsPort: 8443 - webhooksPort: 8444 - readinessProbePort: 8443 - cdiMetricsPort: 8080 +# CDI (Containerized Data Importer) configuration +cdi: + cdiVersion: v1.57.0 + replicas: 1 + componentType: "platform" + certificateRotate: + ca: + duration: 720h + renewBefore: 360h + server: + duration: 720h + renewBefore: 360h + featureGates: + - HonorWaitForFirstConsumer + images: + tags: + cdiOperatorImage: quay.io/kubevirt/cdi-operator:v1.57.0 + cdiControlerImage: quay.io/kubevirt/cdi-controller:v1.57.0 + cdiImporterImage: quay.io/kubevirt/cdi-importer:v1.57.0 + cdiClonerImage: quay.io/kubevirt/cdi-cloner:v1.57.0 + cdiApiServerImage: quay.io/kubevirt/cdi-apiserver:v1.57.0 + cdiUploadServerImage: quay.io/kubevirt/cdi-uploadserver:v1.57.0 + cdiUploadProxyImage: quay.io/kubevirt/cdi-uploadproxy:v1.57.0 + imagePullSecrets: default-registry-key + resources: + requests: + memory: 400Mi + nodeSelector: + node-role.kubernetes.io/control-plane: "" + kubernetes.io/os: linux + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + containerPorts: + metricsPort: 8080 + webhooksPort: 8444 + readinessProbePort: 8443 diff --git a/test-requirements.txt b/test-requirements.txt index 9339379..fa7c694 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
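Review bot: Every image under `kubevirt.images.tags` and `cdi.images.tags` is referenced by a mutable tag (`quay.io/kubevirt/virt-operator:v0.59.0`, `docker.io/starlingx/stx-kubevirt-app:stx.8.0-v0.59.0`, and so on), and the templates use `imagePullPolicy: IfNotPresent`. A re-pushed tag would therefore be picked up on any node that has not cached the image, and different nodes could run different content. Pinning by digest, e.g. `quay.io/kubevirt/virt-operator:v0.59.0@sha256:<digest-placeholder>`, fixes the content that was tested. If digests are impractical for the mirrored registry, a comment above `images:` saying that the tags are expected to be immutable in the mirror would at least record the assumption.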
@@ -1,4 +1,3 @@ # hacking pulls in flake8 -hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 +hacking>=1.1.0,<=2.0.0 # Apache-2.0 bashate >= 0.2 -yamllint>=0.5.2 diff --git a/tox.ini b/tox.ini index a188335..2d33788 100644 --- a/tox.ini +++ b/tox.ini @@ -1,15 +1,13 @@ [tox] envlist = linters -minversion = 2.3 +minversion = 2.9 skipsdist = True sitepackages=False -toxhelmdir = {toxinidir}/helm-charts-rendered [testenv] -stxdir = {toxinidir} -kubevirtdir = {[testenv]stxdir}/ -helmdir = {[testenv]kubevirtdir}stx-kubevirt-app-helm/stx-kubevirt-app-helm/helm-charts/kubevirt-app/ -install_command = pip install -U {opts} {packages} +install_command = pip install -U \ + {opts} {packages} \ + -c{env:TOX_CONSTRAINTS_FILE:https://opendev.org/starlingx/root/raw/branch/master/build-tools/requirements/debian/upper-constraints.txt} setenv = VIRTUAL_ENV={envdir} OS_STDOUT_CAPTURE=1 @@ -21,6 +19,9 @@ deps = -r{toxinidir}/test-requirements.txt allowlist_externals = bash +passenv = + XDG_CACHE_HOME + [testenv:bashate] # Treat all E* codes as Errors rather than warnings using: -e 'E*' 
@@ -31,18 +32,25 @@ commands = -not -name \*~ \ -not -name \*.md \ -name \*.sh \ - -print0 | xargs -r -n 1 -0 bashate -v\ + -print0 | xargs -r -n 1 -0 bashate -v \ -e 'E*'" [testenv:linters] commands = {[testenv:bashate]commands} - {[testenv:yamllint]commands} -[testenv:yamllint] -basepython=python3 -commands = bash -c "find ./ -iname '*.yaml' -type f -not -name 'metadata.yaml' -print0 | xargs -0 cat | sed 's/\s*\{\{.*\}\}//' | yamllint -d relaxed -f parsable - ;[ $? -eq 0 ] && exit 0 || exit 1" +[testenv:flake8] +basepython = python3 +description = Dummy environment to allow flake8 to be run in subdir tox + +[testenv:py39] +basepython = python3 +description = Dummy environment to allow pylint to be run in subdir tox [testenv:pylint] basepython = python3 description = Dummy environment to allow pylint to be run in subdir tox + +[testenv:bandit] +basepython = python3 +description = Dummy environment to allow bandit to be run in subdir tox