diff --git a/0001-Collect-component-Role-rules-under-operator-Role-ins.patch b/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
deleted file mode 100644
index 01f6017..0000000
--- a/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+++ /dev/null
@@ -1,455 +0,0 @@ -From 5b86f015a18b4f01ed5dd475509a7bd6ccd1dc67 Mon Sep 17 00:00:00 2001 -From: Jed Lejosne -Date: Mon, 10 Jun 2024 11:34:23 -0400 -Subject: [PATCH] Collect component Role rules under operator Role instead of - ClusterRole - -Signed-off-by: Jed Lejosne ---- - manifests/generated/operator-csv.yaml.in | 124 +++++++++--------- - .../rbac-operator.authorization.k8s.yaml.in | 124 +++++++++--------- - .../resource/generate/rbac/operator.go | 35 +++-- - .../resource/generate/rbac/operator_test.go | 18 +++ - 4 files changed, 169 insertions(+), 132 deletions(-) - -diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in -index b50caafad..e70bb676b 100644 ---- a/manifests/generated/operator-csv.yaml.in -+++ b/manifests/generated/operator-csv.yaml.in -@@ -464,14 +464,6 @@ spec: - - create - - list - - get -- - apiGroups: -- - "" -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - "" - resources: -@@ -721,42 +713,6 @@ spec: - verbs: - - list - - watch -- - apiGroups: -- - route.openshift.io -- resources: -- - routes -- verbs: -- - list -- - get -- - watch -- - apiGroups: -- - "" -- resources: -- - secrets -- verbs: -- - list -- - get -- - watch -- - apiGroups: -- - networking.k8s.io -- resources: -- - ingresses -- verbs: -- - list -- - get -- - watch -- - apiGroups: -- - coordination.k8s.io -- resources: -- - leases -- verbs: -- - get -- - list -- - watch -- - delete -- - update -- - create -- - patch - - apiGroups: - - kubevirt.io - resources: -@@ -813,14 +769,6 @@ spec: - - get - - list - - watch -- - apiGroups: -- - "" -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - export.kubevirt.io - resources: -@@ -836,16 +784,6 @@ spec: - verbs: - - list - - watch -- - apiGroups: -- - "" -- resourceNames: -- - kubevirt-export-ca -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - kubevirt.io - resources: -@@ -1445,6 
+1383,68 @@ spec: - - update - - create - - patch -+ - apiGroups: -+ - "" -+ resources: -+ - configmaps -+ verbs: -+ - get -+ - list -+ - watch -+ - apiGroups: -+ - route.openshift.io -+ resources: -+ - routes -+ verbs: -+ - list -+ - get -+ - watch -+ - apiGroups: -+ - "" -+ resources: -+ - secrets -+ verbs: -+ - list -+ - get -+ - watch -+ - apiGroups: -+ - networking.k8s.io -+ resources: -+ - ingresses -+ verbs: -+ - list -+ - get -+ - watch -+ - apiGroups: -+ - coordination.k8s.io -+ resources: -+ - leases -+ verbs: -+ - get -+ - list -+ - watch -+ - delete -+ - update -+ - create -+ - patch -+ - apiGroups: -+ - "" -+ resources: -+ - configmaps -+ verbs: -+ - get -+ - list -+ - watch -+ - apiGroups: -+ - "" -+ resourceNames: -+ - kubevirt-export-ca -+ resources: -+ - configmaps -+ verbs: -+ - get -+ - list -+ - watch - serviceAccountName: kubevirt-operator - strategy: deployment - installModes: -diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in -index e8146bb1b..c0e76e8e6 100644 ---- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in -+++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in -@@ -75,6 +75,68 @@ rules: - - update - - create - - patch -+- apiGroups: -+ - "" -+ resources: -+ - configmaps -+ verbs: -+ - get -+ - list -+ - watch -+- apiGroups: -+ - route.openshift.io -+ resources: -+ - routes -+ verbs: -+ - list -+ - get -+ - watch -+- apiGroups: -+ - "" -+ resources: -+ - secrets -+ verbs: -+ - list -+ - get -+ - watch -+- apiGroups: -+ - networking.k8s.io -+ resources: -+ - ingresses -+ verbs: -+ - list -+ - get -+ - watch -+- apiGroups: -+ - coordination.k8s.io -+ resources: -+ - leases -+ verbs: -+ - get -+ - list -+ - watch -+ - delete -+ - update -+ - create -+ - patch -+- apiGroups: -+ - "" -+ resources: -+ - configmaps -+ verbs: -+ - get -+ - list -+ - watch -+- apiGroups: -+ - "" -+ resourceNames: -+ - kubevirt-export-ca -+ resources: -+ 
- configmaps -+ verbs: -+ - get -+ - list -+ - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding -@@ -404,14 +466,6 @@ rules: - - create - - list - - get --- apiGroups: -- - "" -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - "" - resources: -@@ -661,42 +715,6 @@ rules: - verbs: - - list - - watch --- apiGroups: -- - route.openshift.io -- resources: -- - routes -- verbs: -- - list -- - get -- - watch --- apiGroups: -- - "" -- resources: -- - secrets -- verbs: -- - list -- - get -- - watch --- apiGroups: -- - networking.k8s.io -- resources: -- - ingresses -- verbs: -- - list -- - get -- - watch --- apiGroups: -- - coordination.k8s.io -- resources: -- - leases -- verbs: -- - get -- - list -- - watch -- - delete -- - update -- - create -- - patch - - apiGroups: - - kubevirt.io - resources: -@@ -753,14 +771,6 @@ rules: - - get - - list - - watch --- apiGroups: -- - "" -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - export.kubevirt.io - resources: -@@ -776,16 +786,6 @@ rules: - verbs: - - list - - watch --- apiGroups: -- - "" -- resourceNames: -- - kubevirt-export-ca -- resources: -- - configmaps -- verbs: -- - get -- - list -- - watch - - apiGroups: - - kubevirt.io - resources: -diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go -index 365fb0600..b90a5fae8 100644 ---- a/pkg/virt-operator/resource/generate/rbac/operator.go -+++ b/pkg/virt-operator/resource/generate/rbac/operator.go -@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole { - } - - // now append all rules needed by KubeVirt's components -- operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...) -+ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...) 
- return operatorRole - } - --func getKubeVirtComponentsRules() []rbacv1.PolicyRule { -- -+func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule { - var rules []rbacv1.PolicyRule - -- // namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles -+ // namespace doesn't matter, we are only interested in the rules of ClusterRoles - all := GetAllApiServer("") - all = append(all, GetAllController("")...) - all = append(all, GetAllHandler("")...) -@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule { - case *rbacv1.ClusterRole: - role, _ := resource.(*rbacv1.ClusterRole) - rules = append(rules, role.Rules...) -- case *rbacv1.Role: -- role, _ := resource.(*rbacv1.Role) -- rules = append(rules, role.Rules...) - } - } - -@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule { - return rules - } - -+func getKubeVirtComponentsRules() []rbacv1.PolicyRule { -+ var rules []rbacv1.PolicyRule -+ -+ // namespace doesn't matter, we are only interested in the rules -+ all := GetAllApiServer("") -+ all = append(all, GetAllController("")...) -+ all = append(all, GetAllHandler("")...) -+ all = append(all, GetAllExportProxy("")...) -+ all = append(all, GetAllCluster()...) -+ -+ for _, resource := range all { -+ switch resource.(type) { -+ case *rbacv1.Role: -+ role, _ := resource.(*rbacv1.Role) -+ rules = append(rules, role.Rules...) -+ } -+ } -+ -+ return rules -+} -+ - func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { - return &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{ -@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding { - - // NewOperatorRole creates a Role object for kubevirt-operator. 
- func NewOperatorRole(namespace string) *rbacv1.Role { -- return &rbacv1.Role{ -+ operatorRole := &rbacv1.Role{ - TypeMeta: metav1.TypeMeta{ - APIVersion: VersionNamev1, - Kind: "Role", -@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role { - }, - }, - } -+ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...) -+ return operatorRole - } - - func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool { -diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go -index 51bd479cc..22c7d30c0 100644 ---- a/pkg/virt-operator/resource/generate/rbac/operator_test.go -+++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go -@@ -67,6 +67,11 @@ var _ = Describe("RBAC", func() { - Expect(clusterRoleBinding.Subjects[0].Namespace).To(BeEquivalentTo(expectedNamespace)) - }) - -+ It("doesn't have critical cluster-wide permissions", func() { -+ clusterRole := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole) -+ Expect(clusterRole).ToNot(BeNil()) -+ expectExactRuleDoesntExists(clusterRole.Rules, "", "secrets", "get", "list", "watch") -+ }) - }) - - Context("GetKubevirtComponentsServiceAccounts", func() { -@@ -96,3 +101,16 @@ func getFirstItemOfType(items []interface{}, tp reflect.Type) interface{} { - } - return nil - } -+ -+func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) { -+ for _, rule := range rules { -+ if contains(rule.APIGroups, apiGroup) && -+ contains(rule.Resources, resource) { -+ for _, verb := range verbs { -+ if contains(rule.Verbs, verb) { -+ Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs)) -+ } -+ } -+ } -+ } -+} --- -2.45.2 - 
diff --git a/0001-Consider-the-new-DV-reason-ImagePullFailed.patch b/0001-Consider-the-new-DV-reason-ImagePullFailed.patch
new file mode 100644
index 0000000..b712d5f
--- /dev/null
+++ b/0001-Consider-the-new-DV-reason-ImagePullFailed.patch
@@ -0,0 +1,30 @@
+From 0e1608be9df30a3765d3c17ca01d7c5bfa542edd Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov
+Date: Thu, 22 Aug 2024 09:27:33 +0200
+Subject: [PATCH] Consider the new DV reason ImagePullFailed
+
+CDI v1.60.1 introduces a new reason ImagePullFailed for the DataVolume
+Running condition. Take it into account to properly update the printable
+status of a VM and to report the error.
+
+Signed-off-by: Vasiliy Ulyanov
+---
+ pkg/storage/types/dv.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/storage/types/dv.go b/pkg/storage/types/dv.go
+index d90011815..a96984dc4 100644
+--- a/pkg/storage/types/dv.go
++++ b/pkg/storage/types/dv.go
+@@ -184,7 +184,7 @@ func HasDataVolumeErrors(namespace string, volumes []virtv1.Volume, dataVolumeSt
+ dvRunningCond := NewDataVolumeConditionManager().GetCondition(dv, cdiv1.DataVolumeRunning)
+ if dvRunningCond != nil &&
+ dvRunningCond.Status == v1.ConditionFalse &&
+- dvRunningCond.Reason == "Error" {
++ (dvRunningCond.Reason == "Error" || dvRunningCond.Reason == "ImagePullFailed") {
+ return fmt.Errorf("DataVolume %s importer has stopped running due to an error: %v",
+ volume.DataVolume.Name, dvRunningCond.Message)
+ }
+--
+2.46.0
+
diff --git a/0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch b/0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
new file mode 100644
index 0000000..52acf87
--- /dev/null
+++ b/0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
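Review bot: The condition in the patched `HasDataVolumeErrors` compares `dvRunningCond.Reason` against two bare string literals, so a rename or typo on either side would silently stop the error from being reported. The commit message explains where the new value comes from, but the code does not; a comment above the changed line such as `// "ImagePullFailed" is set by CDI >= v1.60.1 on the Running condition when the importer cannot pull the image` would keep that context next to the check. If the CDI API package exports names for these reasons, using them instead of literals would be preferable; that cannot be confirmed from the visible lines. The function starts and ends outside the hunk.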
@@ -0,0 +1,44 @@
+From 96bd87f47a1f0ba7c0079e8665f94d7cd38f3038 Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov
+Date: Mon, 26 Aug 2024 08:18:52 +0200
+Subject: [PATCH] tests: Set FSGroup to ensure proper permissions
+
+This fixes 'Permission Denied' error with some storage providers.
+
+Signed-off-by: Vasiliy Ulyanov
+---
+ tests/storage/migration.go | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tests/storage/migration.go b/tests/storage/migration.go
+index c6911848b..bb17cfdde 100644
+--- a/tests/storage/migration.go
++++ b/tests/storage/migration.go
+@@ -459,16 +459,20 @@ func createSmallImageForDestinationMigration(vm *virtv1.VirtualMachine, name, si
+ },
+ },
+ }
++ podSecurityContext := k8sv1.PodSecurityContext{
++ FSGroup: pointer.P(int64(util.NonRootUID)),
++ }
+ pod := k8sv1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "create-img-",
+ Namespace: vmi.Namespace,
+ },
+ Spec: k8sv1.PodSpec{
+- RestartPolicy: k8sv1.RestartPolicyNever,
+- Volumes: []k8sv1.Volume{volume},
+- Containers: []k8sv1.Container{cont},
+- Affinity: &affinity,
++ RestartPolicy: k8sv1.RestartPolicyNever,
++ Volumes: []k8sv1.Volume{volume},
++ Containers: []k8sv1.Container{cont},
++ Affinity: &affinity,
++ SecurityContext: &podSecurityContext,
+ },
+ }
+ p, err := virtCli.CoreV1().Pods(vmi.Namespace).Create(context.Background(), &pod, metav1.CreateOptions{})
+--
+2.46.0
+
diff --git a/_service b/_service
index fdcc23a..8ba08cb 100644
--- a/_service
+++ b/_service
@@ -1,7 +1,7 @@ kubevirt - v1.2.2 + v1.3.1 git disable https://github.com/kubevirt/kubevirt
diff --git a/disks-images-provider.yaml b/disks-images-provider.yaml
index c8c6bf6..99c98b6 100644
--- a/disks-images-provider.yaml
+++ b/disks-images-provider.yaml
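Review bot: `FSGroup: pointer.P(int64(util.NonRootUID))` in the patched `createSmallImageForDestinationMigration` reuses a UID constant as a group ID with no explanation, which reads like a mistake to anyone who does not know that the two numeric values are meant to coincide. A comment on the new variable would make the intent explicit, for example `// fsGroup matches the non-root user the container runs as, so the mounted volume is group-writable for it`. The new pod security context sets only `FSGroup`; whether the container actually runs as that non-root user is decided by `cont`, which is defined outside the hunk, so the comment should be confirmed against that definition. The function starts and ends outside the hunk.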
@@ -22,8 +22,11 @@ spec:
 serviceAccountName: kubevirt-testing
 containers:
 - name: target
- image: quay.io/kubevirt/disks-images-provider:v1.2.2
+ image: quay.io/kubevirt/disks-images-provider:v1.3.1
 imagePullPolicy: Always
+ env:
+ - name: NUM_TEST_IMAGE_REPLICAS
+ value: "6"
 lifecycle:
 preStop:
 exec:
diff --git a/kubevirt-1.2.2.tar.gz b/kubevirt-1.2.2.tar.gz
deleted file mode 100644
index 2ed304c..0000000
--- a/kubevirt-1.2.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:899afbef0d4dac04d0b6607c2aff9f92ae843830d0864935cfed41819d5da36b
-size 17111049
diff --git a/kubevirt-1.3.1.tar.gz b/kubevirt-1.3.1.tar.gz
new file mode 100644
index 0000000..357eb01
--- /dev/null
+++ b/kubevirt-1.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08ac9f81e6aa6072b1899618ddefce7305a5079c59560ba8a4fd7e681b76ec98
+size 17944610
diff --git a/kubevirt.changes b/kubevirt.changes
index abbcaf2..d5c101f 100644
--- a/kubevirt.changes
+++ b/kubevirt.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Sep 6 05:49:19 UTC 2024 - Vasily Ulyanov
+
+- Update to version 1.3.1
+ Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.3.1
+ Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.3.0
+- Drop upstreamed patch
+ 0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+- Fix DV error report via VM printable status
+ 0001-Consider-the-new-DV-reason-ImagePullFailed.patch
+- Fix permission error in storage migration tests
+ 0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
+- Add registry path for SLE15 SP7
+- Bump to the latest tag 1.3.1-150600.5.9.1
+
 -------------------------------------------------------------------
 Wed Jul 31 06:57:29 UTC 2024 - Vasily Ulyanov
diff --git a/kubevirt.spec b/kubevirt.spec
index d7aede0..d5ba734 100644
--- a/kubevirt.spec
+++ b/kubevirt.spec
@@ -30,7 +30,7 @@
 %endif
 Name: kubevirt
-Version: 1.2.2
+Version: 1.3.1
 Release: 0
 Summary: Container native virtualization
 License: Apache-2.0
@@ -41,13 +41,14 @@ Source1: kubevirt_containers_meta
 Source2: kubevirt_containers_meta.service
 Source3: %{url}/releases/download/v%{version}/disks-images-provider.yaml
 Source100: %{name}-rpmlintrc
-Patch1: 0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+Patch1: 0001-Consider-the-new-DV-reason-ImagePullFailed.patch
+Patch2: 0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
 BuildRequires: glibc-devel-static
 BuildRequires: golang-packaging
 BuildRequires: pkgconfig
 BuildRequires: rsync
 BuildRequires: sed
-BuildRequires: golang(API) >= 1.21
+BuildRequires: golang(API) >= 1.22
 BuildRequires: pkgconfig(libvirt)
 ExclusiveArch: %{_exclusive_arch}
@@ -186,6 +187,11 @@ case "${distro}" in
 labelprefix=com.suse.kubevirt
 registry=registry.suse.com
 ;;
+150700:0)
+ tagprefix=suse/sles/15.7
+ labelprefix=com.suse.kubevirt
+ registry=registry.suse.com
+ ;;
 *:1)
 tagprefix=kubevirt
 labelprefix=org.opensuse.kubevirt
@@ -250,7 +256,7 @@ build_tests="true" \
 # Note: the generated manifests will point to the images based on SLE15 SP6 BCI.
 env \
 DOCKER_PREFIX=registry.suse.com/suse/sles/15.6 \
-DOCKER_TAG=1.2.2-150600.5.6.1 \
+DOCKER_TAG=1.3.1-150600.5.9.1 \
 KUBEVIRT_NO_BAZEL=true \
 ./hack/build-manifests.sh
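Review bot: The hard-coded `DOCKER_TAG=1.3.1-150600.5.9.1` in the last hunk repeats the package version and has to be edited by hand on every update, so it can drift from `Version:`. Writing it as `DOCKER_TAG=%{version}-150600.5.9.1 \` would keep at least the version part in sync. The same hunk leaves `DOCKER_PREFIX` at `suse/sles/15.6` while the third hunk adds a `150700:0)` case with `tagprefix=suse/sles/15.7`, so as far as the visible lines show a build for SP7 would still generate manifests that reference the SP6 images. The existing `# Note:` comment covers SP6 only; it should say whether this is also intended for SP7. The surrounding script lies outside the hunks.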