Sync from SUSE:SLFO:Main kubevirt revision 490d0c417316d785bfe9527003c933ea

2024-08-06 14:04:59 +02:00 · 2024-08-06 14:04:59 +02:00 · 894818cd47
commit 894818cd47
parent c439df7abc
8 changed files with 517 additions and 40 deletions
--- a/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+++ b/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
@ -0,0 +1,455 @@
 From 5b86f015a18b4f01ed5dd475509a7bd6ccd1dc67 Mon Sep 17 00:00:00 2001
 From: Jed Lejosne <jed@redhat.com>
 Date: Mon, 10 Jun 2024 11:34:23 -0400
 Subject: [PATCH] Collect component Role rules under operator Role instead of
 ClusterRole
 Signed-off-by: Jed Lejosne <jed@redhat.com>
 ---
 manifests/generated/operator-csv.yaml.in      | 124 +++++++++---------
 .../rbac-operator.authorization.k8s.yaml.in   | 124 +++++++++---------
 .../resource/generate/rbac/operator.go        |  35 +++--
 .../resource/generate/rbac/operator_test.go   |  18 +++
 4 files changed, 169 insertions(+), 132 deletions(-)
 diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
 index b50caafad..e70bb676b 100644
 --- a/manifests/generated/operator-csv.yaml.in
 +++ b/manifests/generated/operator-csv.yaml.in
@@ -464,14 +464,6 @@ spec:
           - create
           - list
           - get
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - ""
           resources:
@@ -721,42 +713,6 @@ spec:
           verbs:
           - list
           - watch
 -        - apiGroups:
 -          - route.openshift.io
 -          resources:
 -          - routes
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - secrets
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - networking.k8s.io
 -          resources:
 -          - ingresses
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - coordination.k8s.io
 -          resources:
 -          - leases
 -          verbs:
 -          - get
 -          - list
 -          - watch
 -          - delete
 -          - update
 -          - create
 -          - patch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -813,14 +769,6 @@ spec:
           - get
           - list
           - watch
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - export.kubevirt.io
           resources:
@@ -836,16 +784,6 @@ spec:
           verbs:
           - list
           - watch
 -        - apiGroups:
 -          - ""
 -          resourceNames:
 -          - kubevirt-export-ca
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -1445,6 +1383,68 @@ spec:
           - update
           - create
           - patch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +        - apiGroups:
 +          - route.openshift.io
 +          resources:
 +          - routes
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - secrets
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - networking.k8s.io
 +          resources:
 +          - ingresses
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - coordination.k8s.io
 +          resources:
 +          - leases
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +          - delete
 +          - update
 +          - create
 +          - patch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +        - apiGroups:
 +          - ""
 +          resourceNames:
 +          - kubevirt-export-ca
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
         serviceAccountName: kubevirt-operator
     strategy: deployment
   installModes:
 diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
 index e8146bb1b..c0e76e8e6 100644
 --- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
 +++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -75,6 +75,68 @@ rules:
   - update
   - create
   - patch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +- apiGroups:
 +  - route.openshift.io
 +  resources:
 +  - routes
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - secrets
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - networking.k8s.io
 +  resources:
 +  - ingresses
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - coordination.k8s.io
 +  resources:
 +  - leases
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +  - delete
 +  - update
 +  - create
 +  - patch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +- apiGroups:
 +  - ""
 +  resourceNames:
 +  - kubevirt-export-ca
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -404,14 +466,6 @@ rules:
   - create
   - list
   - get
 -- apiGroups:
 -  - ""
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - ""
   resources:
@@ -661,42 +715,6 @@ rules:
   verbs:
   - list
   - watch
 -- apiGroups:
 -  - route.openshift.io
 -  resources:
 -  - routes
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - ""
 -  resources:
 -  - secrets
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - networking.k8s.io
 -  resources:
 -  - ingresses
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - coordination.k8s.io
 -  resources:
 -  - leases
 -  verbs:
 -  - get
 -  - list
 -  - watch
 -  - delete
 -  - update
 -  - create
 -  - patch
 - apiGroups:
   - kubevirt.io
   resources:
@@ -753,14 +771,6 @@ rules:
   - get
   - list
   - watch
 -- apiGroups:
 -  - ""
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - export.kubevirt.io
   resources:
@@ -776,16 +786,6 @@ rules:
   verbs:
   - list
   - watch
 -- apiGroups:
 -  - ""
 -  resourceNames:
 -  - kubevirt-export-ca
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - kubevirt.io
   resources:
 diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
 index 365fb0600..b90a5fae8 100644
 --- a/pkg/virt-operator/resource/generate/rbac/operator.go
 +++ b/pkg/virt-operator/resource/generate/rbac/operator.go
@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
 	}
 	// now append all rules needed by KubeVirt's components
 -	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
 +	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...)
 	return operatorRole
 }
 -func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 -
 +func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule {
 	var rules []rbacv1.PolicyRule
 -	// namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles
 +	// namespace doesn't matter, we are only interested in the rules of ClusterRoles
 	all := GetAllApiServer("")
 	all = append(all, GetAllController("")...)
 	all = append(all, GetAllHandler("")...)
@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 		case *rbacv1.ClusterRole:
 			role, _ := resource.(*rbacv1.ClusterRole)
 			rules = append(rules, role.Rules...)
 -		case *rbacv1.Role:
 -			role, _ := resource.(*rbacv1.Role)
 -			rules = append(rules, role.Rules...)
 		}
 	}
@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 	return rules
 }
 +func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 +	var rules []rbacv1.PolicyRule
 +
 +	// namespace doesn't matter, we are only interested in the rules
 +	all := GetAllApiServer("")
 +	all = append(all, GetAllController("")...)
 +	all = append(all, GetAllHandler("")...)
 +	all = append(all, GetAllExportProxy("")...)
 +	all = append(all, GetAllCluster()...)
 +
 +	for _, resource := range all {
 +		switch resource.(type) {
 +		case *rbacv1.Role:
 +			role, _ := resource.(*rbacv1.Role)
 +			rules = append(rules, role.Rules...)
 +		}
 +	}
 +
 +	return rules
 +}
 +
 func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		TypeMeta: metav1.TypeMeta{
@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
 // NewOperatorRole creates a Role object for kubevirt-operator.
 func NewOperatorRole(namespace string) *rbacv1.Role {
 -	return &rbacv1.Role{
 +	operatorRole := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: VersionNamev1,
 			Kind:       "Role",
@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
 			},
 		},
 	}
 +	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
 +	return operatorRole
 }
 func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
 diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
 index 51bd479cc..22c7d30c0 100644
 --- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
 +++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
@@ -67,6 +67,11 @@ var _ = Describe("RBAC", func() {
 			Expect(clusterRoleBinding.Subjects[0].Namespace).To(BeEquivalentTo(expectedNamespace))
 		})
 +		It("doesn't have critical cluster-wide permissions", func() {
 +			clusterRole := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole)
 +			Expect(clusterRole).ToNot(BeNil())
 +			expectExactRuleDoesntExists(clusterRole.Rules, "", "secrets", "get", "list", "watch")
 +		})
 	})
 	Context("GetKubevirtComponentsServiceAccounts", func() {
@@ -96,3 +101,16 @@ func getFirstItemOfType(items []interface{}, tp reflect.Type) interface{} {
 	}
 	return nil
 }
 +
 +func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) {
 +	for _, rule := range rules {
 +		if contains(rule.APIGroups, apiGroup) &&
 +			contains(rule.Resources, resource) {
 +			for _, verb := range verbs {
 +				if contains(rule.Verbs, verb) {
 +					Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs))
 +				}
 +			}
 +		}
 +	}
 +}
 -- 
 2.45.2
--- a/0001-tests-Adapt-VM-phase-expectation.patch
+++ b/0001-tests-Adapt-VM-phase-expectation.patch
@ -1,29 +0,0 @@
 From aa6647c263408bdf0518d74da2d4c37d3bb42de0 Mon Sep 17 00:00:00 2001
 From: Vasiliy Ulyanov <vulyanov@suse.de>
 Date: Wed, 13 Dec 2023 08:10:37 +0100
 Subject: [PATCH] tests: Adapt VM phase expectation
 When CDI uses volume populators with malformed DataVolume, the VM
 initially transitions to Scheduling phase.
 Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
 ---
 tests/storage/datavolume.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tests/storage/datavolume.go b/tests/storage/datavolume.go
 index 46677257d..9d86d0eac 100644
 --- a/tests/storage/datavolume.go
 +++ b/tests/storage/datavolume.go
@@ -536,7 +536,7 @@ var _ = SIGDescribe("DataVolume Integration", func() {
 				vm, err = virtClient.VirtualMachine(vm.Namespace).Create(context.Background(), vm)
 				Expect(err).ToNot(HaveOccurred())
 -				Eventually(ThisVMIWith(vm.Namespace, vm.Name), 100).Should(BeInPhase(v1.Pending))
 +				Eventually(ThisVMIWith(vm.Namespace, vm.Name), 100).Should(Or(BeInPhase(v1.Pending), BeInPhase(v1.Scheduling)))
 				By("Creating a service which makes the registry reachable")
 				_, err = virtClient.CoreV1().Services(vm.Namespace).Create(context.Background(), &k8sv1.Service{
 -- 
 2.43.0
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 <services>
  <service name="tar_scm" mode="manual">
    <param name="filename">kubevirt</param>
-    <param name="revision">v1.1.1</param>
+    <param name="revision">v1.2.2</param>
    <param name="scm">git</param>
    <param name="submodules">disable</param>
    <param name="url">https://github.com/kubevirt/kubevirt</param>
--- a/disks-images-provider.yaml
+++ b/disks-images-provider.yaml
@ -22,7 +22,7 @@ spec:
      serviceAccountName: kubevirt-testing
      containers:
        - name: target
-          image: quay.io/kubevirt/disks-images-provider:v1.1.1
+          image: quay.io/kubevirt/disks-images-provider:v1.2.2
          imagePullPolicy: Always
          lifecycle:
            preStop:
--- a/kubevirt-1.1.1.tar.gz
+++ b/kubevirt-1.1.1.tar.gz
--- a/kubevirt-1.2.2.tar.gz
+++ b/kubevirt-1.2.2.tar.gz
--- a/kubevirt.changes
+++ b/kubevirt.changes
@ -1,3 +1,46 @@
 -------------------------------------------------------------------
 Wed Jul 31 06:57:29 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Use the images based on SLE15 SP6 BCI: 1.2.2-150600.5.6.1
 -------------------------------------------------------------------
 Mon Jul  8 07:13:03 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Update to version 1.2.2
  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.2
  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.1
  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.0
 - Drop patches
  0001-tests-Adapt-VM-phase-expectation.patch
  0002-Update-tls-error-string-in-migration-test.patch
  0003-tests-Expect-PendingPopulation-phase.patch
  0004-Improve-the-handling-of-ordinal-pod-interface-name-for-upgrade.patch
  0005-Collect-component-Role-rules-under-operator-Role-ins.patch
 - Add patch
  0001-Collect-component-Role-rules-under-operator-Role-ins.patch
 - Pack configuration files for libvirt
 -------------------------------------------------------------------
 Thu Jun 20 13:48:18 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Collect component Role rules under operator Role instead of
  ClusterRole (bsc#1223965, CVE-2024-33394)
  0005-Collect-component-Role-rules-under-operator-Role-ins.patch
 -------------------------------------------------------------------
 Fri Apr 12 05:51:30 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Improve the OrdinalPodInterfaceName mechanism (bsc#1222699)
  0004-Improve-the-handling-of-ordinal-pod-interface-name-for-upgrade.patch
 -------------------------------------------------------------------
 Wed Apr  3 11:55:41 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Fix test of secure migration with TLS (bsc#1221431)
  0002-Update-tls-error-string-in-migration-test.patch
 - Fix volume phase condition in migration test (bsc#1221430)
  0003-tests-Expect-PendingPopulation-phase.patch
 -------------------------------------------------------------------
 Mon Feb 12 08:48:49 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
--- a/kubevirt.spec
+++ b/kubevirt.spec
@ -30,7 +30,7 @@
 %endif
 Name:           kubevirt
-Version:        1.1.1
+Version:        1.2.2
 Release:        0
 Summary:        Container native virtualization
 License:        Apache-2.0
@ -41,13 +41,13 @@ Source1:        kubevirt_containers_meta
 Source2:        kubevirt_containers_meta.service
 Source3:        %{url}/releases/download/v%{version}/disks-images-provider.yaml
 Source100:      %{name}-rpmlintrc
-Patch1:         0001-tests-Adapt-VM-phase-expectation.patch
+Patch1:         0001-Collect-component-Role-rules-under-operator-Role-ins.patch
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
 BuildRequires:  rsync
 BuildRequires:  sed
-BuildRequires:  golang(API) >= 1.19
+BuildRequires:  golang(API) >= 1.21
 BuildRequires:  pkgconfig(libvirt)
 ExclusiveArch:  %{_exclusive_arch}
@ -247,10 +247,10 @@ build_tests="true" \
    cmd/virtctl \
    %{nil}
-# Note: the generated manifests will point to the images based on SLE15 SP5 BCI.
+# Note: the generated manifests will point to the images based on SLE15 SP6 BCI.
 env \
-DOCKER_PREFIX=registry.suse.com/suse/sles/15.5 \
+DOCKER_PREFIX=registry.suse.com/suse/sles/15.6 \
-DOCKER_TAG=1.1.1-150500.8.9.1 \
+DOCKER_TAG=1.2.2-150600.5.6.1 \
 KUBEVIRT_NO_BAZEL=true \
 ./hack/build-manifests.sh
@ -285,6 +285,11 @@ install -p -m 0644 cmd/virt-handler/virt_launcher.cil %{buildroot}%{_datadir}/ku
 mkdir -p %{buildroot}%{_datadir}/kube-virt/pr-helper
 install -p -m 0644 cmd/pr-helper/multipath.conf %{buildroot}%{_datadir}/kube-virt/pr-helper/
 # Configuration files for libvirt
 mkdir -p %{buildroot}%{_datadir}/kube-virt/virt-launcher
 install -p -m 0644 cmd/virt-launcher/virtqemud.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher
 install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher
 # Install release manifests
 mkdir -p %{buildroot}%{_datadir}/kube-virt/manifests/release
 install -m 0644 _out/manifests/release/kubevirt-operator.yaml %{buildroot}%{_datadir}/kube-virt/manifests/release/
@ -345,12 +350,15 @@ install -m 0644 %{S:2} %{buildroot}%{_prefix}/lib/obs/service
 %files virt-launcher
 %license LICENSE
 %doc README.md
 %dir %{_datadir}/kube-virt
 %dir %{_datadir}/kube-virt/virt-launcher
 %{_bindir}/virt-launcher
 %{_bindir}/virt-launcher-monitor
 %{_bindir}/virt-freezer
 %{_bindir}/virt-probe
 %{_bindir}/virt-tail
 %{_bindir}/node-labeller.sh
 %{_datadir}/kube-virt/virt-launcher
 %files virt-operator
 %license LICENSE