fix uploading vm images using virtctl (#422)

Upstream fix: kubevirt/containerized-data-importer#3461 Signed-off-by: Andrei Kvapil <[email protected]>  ## Summary by CodeRabbit - **New Features** - Introduced a new version (`v1beta1`) for the CDI operator alongside the existing version, enhancing configuration options. - Expanded `spec` section with detailed descriptions for various configurations including data volume management and TLS security profiles. - Added a new Ingress resource for the `cdi-uploadproxy` service, improving traffic routing capabilities. - Introduced new configuration parameters for dynamic upload proxy URL management. - **Improvements** - Updated permissions for the CDI operator to manage additional resources, improving its data handling capabilities. - Refined deployment configuration with updated container image references and environment variables for better operational control. - Enhanced network policy definitions by adding specific rules for new services while maintaining existing policies.  --------- Signed-off-by: Andrei Kvapil <[email protected]>
aenix-io · Oct 16, 2024 · 4812874 · 4812874
1 parent ced8e5b
commit 4812874
Show file tree

Hide file tree

Showing 14 changed files with 104 additions and 41 deletions.
diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.4.0
+version: 1.5.0
diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -159,6 +159,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-cdi-upload-proxy
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
   name: allow-to-ingress
   namespace: {{ include "tenant.name" . }}

diff --git a/packages/apps/versions_map b/packages/apps/versions_map
@@ -75,7 +75,8 @@ tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
-tenant 1.4.0 HEAD
+tenant 1.4.0 94c688f7
+tenant 1.5.0 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 HEAD
 vpn 0.1.0 f642698

diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml
@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.2.0
+version: 1.3.0
diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md
@@ -11,4 +11,5 @@
 | `whitelist`      | List of client networks                                           | `[]`    |
 | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
 | `dashboard`      | Should ingress serve Cozystack service dashboard                  | `false` |
+| `cdiUploadProxy` | Should ingress serve CDI upload proxy                             | `false` |
 
diff --git a/packages/extra/ingress/templates/cdi-uploadproxy.yaml b/packages/extra/ingress/templates/cdi-uploadproxy.yaml
@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{- if .Values.cdiUploadProxy }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if eq $issuerType "cloudflare" }} 
+    {{- else }}
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    {{- end }}
+  name: cdi-uploadproxy-{{ .Release.Namespace }}
+  namespace: cozy-kubevirt-cdi
+spec:
+  ingressClassName: {{ .Release.Namespace }}
+  rules:
+  - host: cdi-uploadproxy.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: cdi-uploadproxy
+            port:
+              number: 443
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cdi-uploadproxy.{{ $host }}
+    secretName: cdi-uploadproxy-{{ .Release.Namespace }}-tls
+{{- end }}
diff --git a/packages/extra/ingress/templates/dashboard.yaml b/packages/extra/ingress/templates/dashboard.yaml
@@ -1,36 +1,36 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}  
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}  
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 
-{{- if .Values.dashboard }}  
-apiVersion: networking.k8s.io/v1  
-kind: Ingress  
-metadata:  
-  annotations:  
-    cert-manager.io/cluster-issuer: letsencrypt-prod  
+{{- if .Values.dashboard }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
     {{- if eq $issuerType "cloudflare" }} 
-    {{- else }}  
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}  
-    {{- end }}  
-  name: dashboard-{{ .Release.Namespace }}  
-  namespace: cozy-dashboard  
-spec:  
-  ingressClassName: {{ .Release.Namespace }}  
-  rules:  
-  - host: dashboard.{{ $host }}  
-    http:  
-      paths:  
-      - backend:  
-          service:  
-            name: dashboard  
-            port:  
-              number: 80  
-        path: /  
-        pathType: Prefix  
-  tls:  
-  - hosts:  
-    - dashboard.{{ $host }}  
-    secretName: dashboard-{{ .Release.Namespace }}-tls  
+    {{- else }}
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    {{- end }}
+  name: dashboard-{{ .Release.Namespace }}
+  namespace: cozy-dashboard
+spec:
+  ingressClassName: {{ .Release.Namespace }}
+  rules:
+  - host: dashboard.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: dashboard
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - dashboard.{{ $host }}
+    secretName: dashboard-{{ .Release.Namespace }}-tls
 {{- end }}
diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json
@@ -30,6 +30,11 @@
             "type": "boolean",
             "description": "Should ingress serve Cozystack service dashboard",
             "default": false
+        },
+        "cdiUploadProxy": {
+            "type": "boolean",
+            "description": "Should ingress serve CDI upload proxy",
+            "default": false
         }
     }
 }
diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml
@@ -27,3 +27,6 @@ clouflareProxy: false
 
 ## @param dashboard Should ingress serve Cozystack service dashboard
 dashboard: false
+
+## @param cdiUploadProxy Should ingress serve CDI upload proxy
+cdiUploadProxy: false
diff --git a/packages/extra/monitoring/templates/alerta/alerta.yaml b/packages/extra/monitoring/templates/alerta/alerta.yaml
@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -36,7 +36,7 @@ data:
         'endpoint'    : "/api",
         'provider'    : "basic"
       })
-      .constant('colors', {});    
+      .constant('colors', {});  
 ---
 apiVersion: v1
 kind: Service

diff --git a/packages/extra/monitoring/templates/grafana/grafana.yaml b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
 
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -94,7 +94,7 @@ spec:
     metadata:
       annotations:
         {{- if ne $issuerType "cloudflare" }}
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"  
+        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
         {{- end }}
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:

diff --git a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
@@ -5718,7 +5718,7 @@ spec:
         - name: APISERVER_IMAGE
           value: quay.io/kubevirt/cdi-apiserver:v1.60.2
         - name: UPLOAD_SERVER_IMAGE
-          value: quay.io/kubevirt/cdi-uploadserver:v1.60.2
+          value: ghcr.io/aenix-io/cozystack/cdi/cdi-uploadserver:v1.60.2-fix@sha256:2c0cfae427861521a204d020e2981fdb23c8b32b66261c03b2a2cdcd7089ac64
         - name: UPLOAD_PROXY_IMAGE
           value: quay.io/kubevirt/cdi-uploadproxy:v1.60.2
         - name: VERBOSITY
@@ -5753,4 +5753,4 @@ spec:
       tolerations:
       - key: CriticalAddonsOnly
         operator: Exists
----
+---
diff --git a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
@@ -4,6 +4,9 @@ metadata:
   name: cdi
 spec:
   config:
+    {{- with .Values.uploadProxyURL }}
+    uploadProxyURLOverride: {{ quote . }}
+    {{- end }}
     featureGates:
     - HonorWaitForFirstConsumer
     - ExpandDisks

diff --git a/packages/system/kubevirt-cdi/values.yaml b/packages/system/kubevirt-cdi/values.yaml
@@ -0,0 +1 @@
+uploadProxyURL: ""