Sync from SUSE:SLFO:Main kubevirt revision 7d535ccb162d51a3641d2895638dc6bb

2024-09-06 15:27:44 +02:00 · 2024-09-06 15:27:44 +02:00 · bf235ddff0
commit bf235ddff0
parent 894818cd47
9 changed files with 107 additions and 464 deletions
--- a/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+++ b/0001-Collect-component-Role-rules-under-operator-Role-ins.patch
@ -1,455 +0,0 @@
 From 5b86f015a18b4f01ed5dd475509a7bd6ccd1dc67 Mon Sep 17 00:00:00 2001
 From: Jed Lejosne <jed@redhat.com>
 Date: Mon, 10 Jun 2024 11:34:23 -0400
 Subject: [PATCH] Collect component Role rules under operator Role instead of
 ClusterRole
 Signed-off-by: Jed Lejosne <jed@redhat.com>
 ---
 manifests/generated/operator-csv.yaml.in      | 124 +++++++++---------
 .../rbac-operator.authorization.k8s.yaml.in   | 124 +++++++++---------
 .../resource/generate/rbac/operator.go        |  35 +++--
 .../resource/generate/rbac/operator_test.go   |  18 +++
 4 files changed, 169 insertions(+), 132 deletions(-)
 diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
 index b50caafad..e70bb676b 100644
 --- a/manifests/generated/operator-csv.yaml.in
 +++ b/manifests/generated/operator-csv.yaml.in
@@ -464,14 +464,6 @@ spec:
           - create
           - list
           - get
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - ""
           resources:
@@ -721,42 +713,6 @@ spec:
           verbs:
           - list
           - watch
 -        - apiGroups:
 -          - route.openshift.io
 -          resources:
 -          - routes
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - secrets
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - networking.k8s.io
 -          resources:
 -          - ingresses
 -          verbs:
 -          - list
 -          - get
 -          - watch
 -        - apiGroups:
 -          - coordination.k8s.io
 -          resources:
 -          - leases
 -          verbs:
 -          - get
 -          - list
 -          - watch
 -          - delete
 -          - update
 -          - create
 -          - patch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -813,14 +769,6 @@ spec:
           - get
           - list
           - watch
 -        - apiGroups:
 -          - ""
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - export.kubevirt.io
           resources:
@@ -836,16 +784,6 @@ spec:
           verbs:
           - list
           - watch
 -        - apiGroups:
 -          - ""
 -          resourceNames:
 -          - kubevirt-export-ca
 -          resources:
 -          - configmaps
 -          verbs:
 -          - get
 -          - list
 -          - watch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -1445,6 +1383,68 @@ spec:
           - update
           - create
           - patch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +        - apiGroups:
 +          - route.openshift.io
 +          resources:
 +          - routes
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - secrets
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - networking.k8s.io
 +          resources:
 +          - ingresses
 +          verbs:
 +          - list
 +          - get
 +          - watch
 +        - apiGroups:
 +          - coordination.k8s.io
 +          resources:
 +          - leases
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +          - delete
 +          - update
 +          - create
 +          - patch
 +        - apiGroups:
 +          - ""
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
 +        - apiGroups:
 +          - ""
 +          resourceNames:
 +          - kubevirt-export-ca
 +          resources:
 +          - configmaps
 +          verbs:
 +          - get
 +          - list
 +          - watch
         serviceAccountName: kubevirt-operator
     strategy: deployment
   installModes:
 diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
 index e8146bb1b..c0e76e8e6 100644
 --- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
 +++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -75,6 +75,68 @@ rules:
   - update
   - create
   - patch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +- apiGroups:
 +  - route.openshift.io
 +  resources:
 +  - routes
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - secrets
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - networking.k8s.io
 +  resources:
 +  - ingresses
 +  verbs:
 +  - list
 +  - get
 +  - watch
 +- apiGroups:
 +  - coordination.k8s.io
 +  resources:
 +  - leases
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +  - delete
 +  - update
 +  - create
 +  - patch
 +- apiGroups:
 +  - ""
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 +- apiGroups:
 +  - ""
 +  resourceNames:
 +  - kubevirt-export-ca
 +  resources:
 +  - configmaps
 +  verbs:
 +  - get
 +  - list
 +  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -404,14 +466,6 @@ rules:
   - create
   - list
   - get
 -- apiGroups:
 -  - ""
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - ""
   resources:
@@ -661,42 +715,6 @@ rules:
   verbs:
   - list
   - watch
 -- apiGroups:
 -  - route.openshift.io
 -  resources:
 -  - routes
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - ""
 -  resources:
 -  - secrets
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - networking.k8s.io
 -  resources:
 -  - ingresses
 -  verbs:
 -  - list
 -  - get
 -  - watch
 -- apiGroups:
 -  - coordination.k8s.io
 -  resources:
 -  - leases
 -  verbs:
 -  - get
 -  - list
 -  - watch
 -  - delete
 -  - update
 -  - create
 -  - patch
 - apiGroups:
   - kubevirt.io
   resources:
@@ -753,14 +771,6 @@ rules:
   - get
   - list
   - watch
 -- apiGroups:
 -  - ""
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - export.kubevirt.io
   resources:
@@ -776,16 +786,6 @@ rules:
   verbs:
   - list
   - watch
 -- apiGroups:
 -  - ""
 -  resourceNames:
 -  - kubevirt-export-ca
 -  resources:
 -  - configmaps
 -  verbs:
 -  - get
 -  - list
 -  - watch
 - apiGroups:
   - kubevirt.io
   resources:
 diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
 index 365fb0600..b90a5fae8 100644
 --- a/pkg/virt-operator/resource/generate/rbac/operator.go
 +++ b/pkg/virt-operator/resource/generate/rbac/operator.go
@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
 	}
 	// now append all rules needed by KubeVirt's components
 -	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
 +	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...)
 	return operatorRole
 }
 -func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 -
 +func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule {
 	var rules []rbacv1.PolicyRule
 -	// namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles
 +	// namespace doesn't matter, we are only interested in the rules of ClusterRoles
 	all := GetAllApiServer("")
 	all = append(all, GetAllController("")...)
 	all = append(all, GetAllHandler("")...)
@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 		case *rbacv1.ClusterRole:
 			role, _ := resource.(*rbacv1.ClusterRole)
 			rules = append(rules, role.Rules...)
 -		case *rbacv1.Role:
 -			role, _ := resource.(*rbacv1.Role)
 -			rules = append(rules, role.Rules...)
 		}
 	}
@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 	return rules
 }
 +func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 +	var rules []rbacv1.PolicyRule
 +
 +	// namespace doesn't matter, we are only interested in the rules
 +	all := GetAllApiServer("")
 +	all = append(all, GetAllController("")...)
 +	all = append(all, GetAllHandler("")...)
 +	all = append(all, GetAllExportProxy("")...)
 +	all = append(all, GetAllCluster()...)
 +
 +	for _, resource := range all {
 +		switch resource.(type) {
 +		case *rbacv1.Role:
 +			role, _ := resource.(*rbacv1.Role)
 +			rules = append(rules, role.Rules...)
 +		}
 +	}
 +
 +	return rules
 +}
 +
 func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		TypeMeta: metav1.TypeMeta{
@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
 // NewOperatorRole creates a Role object for kubevirt-operator.
 func NewOperatorRole(namespace string) *rbacv1.Role {
 -	return &rbacv1.Role{
 +	operatorRole := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: VersionNamev1,
 			Kind:       "Role",
@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
 			},
 		},
 	}
 +	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
 +	return operatorRole
 }
 func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
 diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
 index 51bd479cc..22c7d30c0 100644
 --- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
 +++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
@@ -67,6 +67,11 @@ var _ = Describe("RBAC", func() {
 			Expect(clusterRoleBinding.Subjects[0].Namespace).To(BeEquivalentTo(expectedNamespace))
 		})
 +		It("doesn't have critical cluster-wide permissions", func() {
 +			clusterRole := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole)
 +			Expect(clusterRole).ToNot(BeNil())
 +			expectExactRuleDoesntExists(clusterRole.Rules, "", "secrets", "get", "list", "watch")
 +		})
 	})
 	Context("GetKubevirtComponentsServiceAccounts", func() {
@@ -96,3 +101,16 @@ func getFirstItemOfType(items []interface{}, tp reflect.Type) interface{} {
 	}
 	return nil
 }
 +
 +func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) {
 +	for _, rule := range rules {
 +		if contains(rule.APIGroups, apiGroup) &&
 +			contains(rule.Resources, resource) {
 +			for _, verb := range verbs {
 +				if contains(rule.Verbs, verb) {
 +					Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs))
 +				}
 +			}
 +		}
 +	}
 +}
 -- 
 2.45.2
--- a/0001-Consider-the-new-DV-reason-ImagePullFailed.patch
+++ b/0001-Consider-the-new-DV-reason-ImagePullFailed.patch
@ -0,0 +1,30 @@
 From 0e1608be9df30a3765d3c17ca01d7c5bfa542edd Mon Sep 17 00:00:00 2001
 From: Vasiliy Ulyanov <vulyanov@suse.de>
 Date: Thu, 22 Aug 2024 09:27:33 +0200
 Subject: [PATCH] Consider the new DV reason ImagePullFailed
 CDI v1.60.1 introduces a new reason ImagePullFailed for the DataVolume
 Running condition. Take it into account to properly update the printable
 status of a VM and to report the error.
 Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
 ---
 pkg/storage/types/dv.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/pkg/storage/types/dv.go b/pkg/storage/types/dv.go
 index d90011815..a96984dc4 100644
 --- a/pkg/storage/types/dv.go
 +++ b/pkg/storage/types/dv.go
@@ -184,7 +184,7 @@ func HasDataVolumeErrors(namespace string, volumes []virtv1.Volume, dataVolumeSt
 		dvRunningCond := NewDataVolumeConditionManager().GetCondition(dv, cdiv1.DataVolumeRunning)
 		if dvRunningCond != nil &&
 			dvRunningCond.Status == v1.ConditionFalse &&
 -			dvRunningCond.Reason == "Error" {
 +			(dvRunningCond.Reason == "Error" || dvRunningCond.Reason == "ImagePullFailed") {
 			return fmt.Errorf("DataVolume %s importer has stopped running due to an error: %v",
 				volume.DataVolume.Name, dvRunningCond.Message)
 		}
 -- 
 2.46.0
--- a/0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
+++ b/0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
@ -0,0 +1,44 @@
 From 96bd87f47a1f0ba7c0079e8665f94d7cd38f3038 Mon Sep 17 00:00:00 2001
 From: Vasiliy Ulyanov <vulyanov@suse.de>
 Date: Mon, 26 Aug 2024 08:18:52 +0200
 Subject: [PATCH] tests: Set FSGroup to ensure proper permissions
 This fixes 'Permission Denied' error with some storage providers.
 Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
 ---
 tests/storage/migration.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 diff --git a/tests/storage/migration.go b/tests/storage/migration.go
 index c6911848b..bb17cfdde 100644
 --- a/tests/storage/migration.go
 +++ b/tests/storage/migration.go
@@ -459,16 +459,20 @@ func createSmallImageForDestinationMigration(vm *virtv1.VirtualMachine, name, si
 			},
 		},
 	}
 +	podSecurityContext := k8sv1.PodSecurityContext{
 +		FSGroup: pointer.P(int64(util.NonRootUID)),
 +	}
 	pod := k8sv1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "create-img-",
 			Namespace:    vmi.Namespace,
 		},
 		Spec: k8sv1.PodSpec{
 -			RestartPolicy: k8sv1.RestartPolicyNever,
 -			Volumes:       []k8sv1.Volume{volume},
 -			Containers:    []k8sv1.Container{cont},
 -			Affinity:      &affinity,
 +			RestartPolicy:   k8sv1.RestartPolicyNever,
 +			Volumes:         []k8sv1.Volume{volume},
 +			Containers:      []k8sv1.Container{cont},
 +			Affinity:        &affinity,
 +			SecurityContext: &podSecurityContext,
 		},
 	}
 	p, err := virtCli.CoreV1().Pods(vmi.Namespace).Create(context.Background(), &pod, metav1.CreateOptions{})
 -- 
 2.46.0
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 <services>
  <service name="tar_scm" mode="manual">
    <param name="filename">kubevirt</param>
-    <param name="revision">v1.2.2</param>
+    <param name="revision">v1.3.1</param>
    <param name="scm">git</param>
    <param name="submodules">disable</param>
    <param name="url">https://github.com/kubevirt/kubevirt</param>
--- a/disks-images-provider.yaml
+++ b/disks-images-provider.yaml
@ -22,8 +22,11 @@ spec:
      serviceAccountName: kubevirt-testing
      containers:
        - name: target
-          image: quay.io/kubevirt/disks-images-provider:v1.2.2
+          image: quay.io/kubevirt/disks-images-provider:v1.3.1
          imagePullPolicy: Always
          env:
          - name: NUM_TEST_IMAGE_REPLICAS
            value: "6"
          lifecycle:
            preStop:
              exec:
--- a/kubevirt-1.2.2.tar.gz
+++ b/kubevirt-1.2.2.tar.gz
--- a/kubevirt-1.3.1.tar.gz
+++ b/kubevirt-1.3.1.tar.gz
--- a/kubevirt.changes
+++ b/kubevirt.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Fri Sep  6 05:49:19 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 - Update to version 1.3.1
  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.3.1
  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.3.0
 - Drop upstreamed patch
  0001-Collect-component-Role-rules-under-operator-Role-ins.patch
 - Fix DV error report via VM printable status
  0001-Consider-the-new-DV-reason-ImagePullFailed.patch
 - Fix permission error in storage migration tests
  0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
 - Add registry path for SLE15 SP7
 - Bump to the latest tag 1.3.1-150600.5.9.1
 -------------------------------------------------------------------
 Wed Jul 31 06:57:29 UTC 2024 - Vasily Ulyanov <vasily.ulyanov@suse.com>
--- a/kubevirt.spec
+++ b/kubevirt.spec
@ -30,7 +30,7 @@
 %endif
 Name:           kubevirt
-Version:        1.2.2
+Version:        1.3.1
 Release:        0
 Summary:        Container native virtualization
 License:        Apache-2.0
@ -41,13 +41,14 @@ Source1:        kubevirt_containers_meta
 Source2:        kubevirt_containers_meta.service
 Source3:        %{url}/releases/download/v%{version}/disks-images-provider.yaml
 Source100:      %{name}-rpmlintrc
-Patch1:         0001-Collect-component-Role-rules-under-operator-Role-ins.patch
+Patch1:         0001-Consider-the-new-DV-reason-ImagePullFailed.patch
 Patch2:         0002-tests-Set-FSGroup-to-ensure-proper-permissions.patch
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
 BuildRequires:  rsync
 BuildRequires:  sed
-BuildRequires:  golang(API) >= 1.21
+BuildRequires:  golang(API) >= 1.22
 BuildRequires:  pkgconfig(libvirt)
 ExclusiveArch:  %{_exclusive_arch}
@ -186,6 +187,11 @@ case "${distro}" in
    labelprefix=com.suse.kubevirt
    registry=registry.suse.com
    ;;
 150700:0)
    tagprefix=suse/sles/15.7
    labelprefix=com.suse.kubevirt
    registry=registry.suse.com
    ;;
 *:1)
    tagprefix=kubevirt
    labelprefix=org.opensuse.kubevirt
@ -250,7 +256,7 @@ build_tests="true" \
 # Note: the generated manifests will point to the images based on SLE15 SP6 BCI.
 env \
 DOCKER_PREFIX=registry.suse.com/suse/sles/15.6 \
-DOCKER_TAG=1.2.2-150600.5.6.1 \
+DOCKER_TAG=1.3.1-150600.5.9.1 \
 KUBEVIRT_NO_BAZEL=true \
 ./hack/build-manifests.sh