From 4812874389c3b5a880a641b26189021da5b36f1e Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 16 Oct 2024 18:37:13 +0200 Subject: [PATCH] fix uploading vm images using virtctl (#422) Upstream fix: https://github.com/kubevirt/containerized-data-importer/pull/3461 Signed-off-by: Andrei Kvapil ## Summary by CodeRabbit - **New Features** - Introduced a new version (`v1beta1`) for the CDI operator alongside the existing version, enhancing configuration options. - Expanded `spec` section with detailed descriptions for various configurations including data volume management and TLS security profiles. - Added a new Ingress resource for the `cdi-uploadproxy` service, improving traffic routing capabilities. - Introduced new configuration parameters for dynamic upload proxy URL management. - **Improvements** - Updated permissions for the CDI operator to manage additional resources, improving its data handling capabilities. - Refined deployment configuration with updated container image references and environment variables for better operational control. - Enhanced network policy definitions by adding specific rules for new services while maintaining existing policies. --------- 
Signed-off-by: Andrei Kvapil
---
 packages/apps/tenant/Chart.yaml | 2 +-
 .../apps/tenant/templates/networkpolicy.yaml | 12 ++++
 packages/apps/versions_map | 3 +-
 packages/extra/ingress/Chart.yaml | 2 +-
 packages/extra/ingress/README.md | 1 +
 .../ingress/templates/cdi-uploadproxy.yaml | 37 +++++++++++
 .../extra/ingress/templates/dashboard.yaml | 64 +++++++++----------
 packages/extra/ingress/values.schema.json | 5 ++
 packages/extra/ingress/values.yaml | 3 +
 .../monitoring/templates/alerta/alerta.yaml | 4 +-
 .../monitoring/templates/grafana/grafana.yaml | 4 +-
 .../templates/cdi-operator.yaml | 4 +-
 .../system/kubevirt-cdi/templates/cdi-cr.yaml | 3 +
 packages/system/kubevirt-cdi/values.yaml | 1 +
 14 files changed, 104 insertions(+), 41 deletions(-)
 create mode 100644 packages/extra/ingress/templates/cdi-uploadproxy.yaml
 create mode 100644 packages/system/kubevirt-cdi/values.yaml

diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml
index baefc0e2..25f68994 100644
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.4.0
+version: 1.5.0
diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml
index 6521bf61..aa8ed3ea 100644
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -159,6 +159,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+ name: allow-to-cdi-upload-proxy
+ namespace: {{ include "tenant.name" . }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
 name: allow-to-ingress
 namespace: {{ include "tenant.name" . }}
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 48e69ab4..27fbc47c 100644
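Review bot: The new `allow-to-cdi-upload-proxy` policy is wider than its name says: `endpointSelector: {}` attaches it to every pod in the tenant namespace, and the egress rule matches every endpoint in `cozy-kubevirt-cdi` (operator, apiserver, importer pods, not only the upload proxy) on any port. If, as the file name suggests, only the tenant's ingress-controller pods need this path, select those pods in `endpointSelector`, add the label CDI places on the upload-proxy pods to `matchLabels`, and add a `toPorts` rule for the proxy's HTTPS port so the policy states the intended reachability and nothing more. The `allow-to-ingress` document that follows continues past the end of the hunk.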
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -75,7 +75,8 @@ tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
-tenant 1.4.0 HEAD
+tenant 1.4.0 94c688f7
+tenant 1.5.0 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 HEAD
 vpn 0.1.0 f642698
diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml
index 664a41c5..f0ff843f 100644
--- a/packages/extra/ingress/Chart.yaml
+++ b/packages/extra/ingress/Chart.yaml
@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.2.0
+version: 1.3.0
diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md
index 0d00844c..73aec882 100644
--- a/packages/extra/ingress/README.md
+++ b/packages/extra/ingress/README.md
@@ -11,4 +11,5 @@
 | `whitelist` | List of client networks | `[]` |
 | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
 | `dashboard` | Should ingress serve Cozystack service dashboard | `false` |
+| `cdiUploadProxy` | Should ingress serve CDI upload proxy | `false` |
diff --git a/packages/extra/ingress/templates/cdi-uploadproxy.yaml b/packages/extra/ingress/templates/cdi-uploadproxy.yaml
new file mode 100644
index 00000000..e82e0d26
--- /dev/null
+++ b/packages/extra/ingress/templates/cdi-uploadproxy.yaml
@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{- if .Values.cdiUploadProxy }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ {{- if eq $issuerType "cloudflare" }}
+ {{- else }}
+ acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+ {{- end }}
+ name: cdi-uploadproxy-{{ .Release.Namespace }}
+ namespace: cozy-kubevirt-cdi
+spec:
+ ingressClassName: {{ .Release.Namespace }}
+ rules:
+ - host: cdi-uploadproxy.{{ $host }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: cdi-uploadproxy
+ port:
+ number: 443
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - cdi-uploadproxy.{{ $host }}
+ secretName: cdi-uploadproxy-{{ .Release.Namespace }}-tls
+{{- end }}
diff --git a/packages/extra/ingress/templates/dashboard.yaml b/packages/extra/ingress/templates/dashboard.yaml
index 106f2e6a..63b59e02 100644
--- a/packages/extra/ingress/templates/dashboard.yaml
+++ b/packages/extra/ingress/templates/dashboard.yaml
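Review bot: The Ingress sets `backend-protocol: HTTPS` but no request-body or timeout annotations, and ingress-nginx's default `proxy-body-size` limit (1m) is far below a VM disk image, so uploads routed through this host would be rejected with 413 unless the controller's global config already lifts it, which is not visible here. Add `nginx.ingress.kubernetes.io/proxy-body-size: "0"` to the annotations and consider raising `nginx.ingress.kubernetes.io/proxy-read-timeout` and `proxy-send-timeout` for multi-gigabyte transfers. ingress-nginx does not verify the upstream certificate by default, so the HTTPS hop to `cdi-uploadproxy` is unauthenticated on the nginx side unless `nginx.ingress.kubernetes.io/proxy-ssl-verify` and a CA secret are configured; if that is accepted, say so in a comment. The empty `{{- if eq $issuerType "cloudflare" }}` branch reads more plainly as the `{{- if ne $issuerType "cloudflare" }}` form grafana.yaml in this same commit uses.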
@@ -1,36 +1,36 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-{{- if .Values.dashboard }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
+{{- if .Values.dashboard }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
 {{- if eq $issuerType "cloudflare" }}
- {{- else }}
- acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
- {{- end }}
- name: dashboard-{{ .Release.Namespace }}
- namespace: cozy-dashboard
-spec:
- ingressClassName: {{ .Release.Namespace }}
- rules:
- - host: dashboard.{{ $host }}
- http:
- paths:
- - backend:
- service:
- name: dashboard
- port:
- number: 80
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - dashboard.{{ $host }}
- secretName: dashboard-{{ .Release.Namespace }}-tls
+ {{- else }}
+ acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+ {{- end }}
+ name: dashboard-{{ .Release.Namespace }}
+ namespace: cozy-dashboard
+spec:
+ ingressClassName: {{ .Release.Namespace }}
+ rules:
+ - host: dashboard.{{ $host }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: dashboard
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - dashboard.{{ $host }}
+ secretName: dashboard-{{ .Release.Namespace }}-tls
 {{- end }}
diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json
index e669d70e..7fcefe68 100644
--- a/packages/extra/ingress/values.schema.json
+++ b/packages/extra/ingress/values.schema.json
@@ -30,6 +30,11 @@
 "type": "boolean",
 "description": "Should ingress serve Cozystack service dashboard",
 "default": false
+ },
+ "cdiUploadProxy": {
+ "type": "boolean",
+ "description": "Should ingress serve CDI upload proxy",
+ "default": false
 }
 }
 }
\ No newline at end of file
diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml
index b05d6bb5..947808ae 100644
--- a/packages/extra/ingress/values.yaml
+++ b/packages/extra/ingress/values.yaml
@@ -27,3 +27,6 @@ clouflareProxy: false
 ## @param dashboard Should ingress serve Cozystack service dashboard
 dashboard: false
+
+## @param cdiUploadProxy Should ingress serve CDI upload proxy
+cdiUploadProxy: false
diff --git a/packages/extra/monitoring/templates/alerta/alerta.yaml b/packages/extra/monitoring/templates/alerta/alerta.yaml
index 30aa2493..87d408f5 100644
--- a/packages/extra/monitoring/templates/alerta/alerta.yaml
+++ b/packages/extra/monitoring/templates/alerta/alerta.yaml
@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -36,7 +36,7 @@ data:
 'endpoint' : "/api",
 'provider' : "basic"
 })
- .constant('colors', {});
+ .constant('colors', {});
 ---
 apiVersion: v1
 kind: Service
diff --git a/packages/extra/monitoring/templates/grafana/grafana.yaml b/packages/extra/monitoring/templates/grafana/grafana.yaml
index bce84d13..c86b0483 100644
--- a/packages/extra/monitoring/templates/grafana/grafana.yaml
+++ b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -1,4 +1,4 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
@@ -94,7 +94,7 @@ spec:
 metadata:
 annotations:
 {{- if ne $issuerType "cloudflare" }}
- acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+ acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
 {{- end }}
 cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
diff --git a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
index 2698b895..585a5741 100644
--- a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
+++ b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
@@ -5718,7 +5718,7 @@ spec:
 - name: APISERVER_IMAGE
 value: quay.io/kubevirt/cdi-apiserver:v1.60.2
 - name: UPLOAD_SERVER_IMAGE
- value: quay.io/kubevirt/cdi-uploadserver:v1.60.2
+ value: ghcr.io/aenix-io/cozystack/cdi/cdi-uploadserver:v1.60.2-fix@sha256:2c0cfae427861521a204d020e2981fdb23c8b32b66261c03b2a2cdcd7089ac64
 - name: UPLOAD_PROXY_IMAGE
 value: quay.io/kubevirt/cdi-uploadproxy:v1.60.2
 - name: VERBOSITY
@@ -5753,4 +5753,4 @@ spec:
 tolerations:
 - key: CriticalAddonsOnly
 operator: Exists
----
\ No newline at end of file
+---
diff --git a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
index 3e1f683a..af905af2 100644
--- a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
+++ b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml
@@ -4,6 +4,9 @@ metadata:
 name: cdi
 spec:
 config:
+ {{- with .Values.uploadProxyURL }}
+ uploadProxyURLOverride: {{ quote . }}
+ {{- end }}
 featureGates:
 - HonorWaitForFirstConsumer
 - ExpandDisks
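Review bot: The replacement `UPLOAD_SERVER_IMAGE` is a digest-pinned fork under `ghcr.io/aenix-io/cozystack`, but nothing in the template records why it departs from the `quay.io/kubevirt` images around it or when it can be dropped; the commit message points at the upstream pull request, and that belongs next to the value: `# Fork carrying the upstream fix from containerized-data-importer PR 3461; revert to quay.io/kubevirt/cdi-uploadserver once a CDI release includes it`. The neighbouring `APISERVER_IMAGE` and `UPLOAD_PROXY_IMAGE` stay tag-only, so the env block now mixes digest-pinned and mutable references; pinning those by digest as well would make the supply-chain posture consistent. The container spec these env entries belong to begins well outside the hunk.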
diff --git a/packages/system/kubevirt-cdi/values.yaml b/packages/system/kubevirt-cdi/values.yaml
new file mode 100644
index 00000000..bd9e604a
--- /dev/null
+++ b/packages/system/kubevirt-cdi/values.yaml
@@ -0,0 +1 @@
+uploadProxyURL: ""
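Review bot: The new `uploadProxyURL` key has no description, unlike the ingress chart's values.yaml in this same commit, which documents each key with a `## @param` line; since cdi-cr.yaml renders the value into the cluster-wide CDI CR as `uploadProxyURLOverride`, a reader should also be told it is a single cluster-global URL rather than a per-tenant setting. Add above the key: `## @param uploadProxyURL External https URL of the CDI upload proxy, applied cluster-wide via uploadProxyURLOverride; leave empty to keep CDI's default`. If this chart has a values.schema.json, an entry mirroring the type and default would match the pattern the ingress chart follows.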