Accepting request 1098517 from home:vulyanov:branches:Virtualization

- Update to version 1.0.0 Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.0.0 - Drop upstreamed patches 0001-Vulnerability-fix-limit-operator-secrets-permission.patch - Add registry path for SLE15 SP6 OBS-URL: https://build.opensuse.org/request/show/1098517 OBS-URL: https://build.opensuse.org/package/show/Virtualization/kubevirt?expand=0&rev=119
2023-07-13 11:46:03 +00:00 · 2023-07-13 11:46:03 +00:00 · 5df5caf551
commit 5df5caf551
parent 564c604e1f
8 changed files with 40 additions and 813 deletions
--- a/0001-Fix-qemu-system-lookup.patch
+++ b/0001-Fix-qemu-system-lookup.patch
--- a/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
+++ b/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
@ -1,805 +0,0 @@
-From b53906b1295910964ba4b3b1b5a2d3668307f79c Mon Sep 17 00:00:00 2001
-From: Kyle Lane <kylelane@google.com>
-Date: Fri, 3 Feb 2023 00:49:59 +0000
-Subject: [PATCH] [Vulnerability fix] limit operator secrets permission
-
-Also change structure to hold service account names in resource/generate/components due to circular dependancy.
-
-Change-Id: I01c2619a9705b3c3f144d1d8567687df011d00fa
-Signed-off-by: Kyle Lane kylelane@google.com
---
- manifests/generated/operator-csv.yaml.in      |  9 +++++
- .../rbac-operator.authorization.k8s.yaml.in   |  9 +++++
- pkg/virt-api/webhooks/BUILD.bazel             |  2 +-
- .../mutating-webhook/mutators/BUILD.bazel     |  2 +-
- .../mutators/vmi-mutator_test.go              |  4 +-
- pkg/virt-api/webhooks/utils.go                |  8 ++--
- .../validating-webhook/admitters/BUILD.bazel  |  2 +-
- .../admitters/vmi-create-admitter_test.go     |  9 ++---
- .../admitters/vmi-update-admitter_test.go     | 10 ++---
- .../resource/generate/components/BUILD.bazel  |  2 +-
- .../generate/components/daemonsets.go         |  3 +-
- .../generate/components/deployments.go        |  7 ++--
- .../components/serviceaccountnames.go         |  9 +++++
- .../resource/generate/rbac/BUILD.bazel        |  2 +
- .../resource/generate/rbac/apiserver.go       | 24 ++++++------
- .../resource/generate/rbac/controller.go      | 22 +++++------
- .../resource/generate/rbac/handler.go         | 22 +++++------
- .../resource/generate/rbac/operator.go        | 37 ++++++++++++-------
- .../resource/generate/rbac/operator_test.go   | 10 +++--
- 19 files changed, 116 insertions(+), 77 deletions(-)
- create mode 100644 pkg/virt-operator/resource/generate/components/serviceaccountnames.go
-
-diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
-index 8c84822e0..53d2c30e5 100644
--- a/manifests/generated/operator-csv.yaml.in
-+++ b/manifests/generated/operator-csv.yaml.in
-@@ -1275,6 +1275,15 @@ spec:
-       - rules:
-         - apiGroups:
-           - ""
-+          resourceNames:
-+          - kubevirt-ca
-+          - kubevirt-export-ca
-+          - kubevirt-virt-handler-certs
-+          - kubevirt-virt-handler-server-certs
-+          - kubevirt-operator-certs
-+          - kubevirt-virt-api-certs
-+          - kubevirt-controller-certs
-+          - kubevirt-exportproxy-certs
-           resources:
-           - secrets
-           verbs:
-diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
-index 71605ecda..254a1a977 100644
--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
-+++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
-@@ -17,6 +17,15 @@ metadata:
- rules:
- - apiGroups:
-   - ""
-+  resourceNames:
-+  - kubevirt-ca
-+  - kubevirt-export-ca
-+  - kubevirt-virt-handler-certs
-+  - kubevirt-virt-handler-server-certs
-+  - kubevirt-operator-certs
-+  - kubevirt-virt-api-certs
-+  - kubevirt-controller-certs
-+  - kubevirt-exportproxy-certs
-   resources:
-   - secrets
-   verbs:
-diff --git a/pkg/virt-api/webhooks/BUILD.bazel b/pkg/virt-api/webhooks/BUILD.bazel
-index abe364190..1ea095692 100644
--- a/pkg/virt-api/webhooks/BUILD.bazel
-+++ b/pkg/virt-api/webhooks/BUILD.bazel
-@@ -15,7 +15,7 @@ go_library(
-         "//pkg/util:go_default_library",
-         "//pkg/virt-config:go_default_library",
-         "//pkg/virt-handler/node-labeller/util:go_default_library",
-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
-+        "//pkg/virt-operator/resource/generate/components:go_default_library",
-         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
-         "//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library",
-         "//staging/src/kubevirt.io/client-go/log:go_default_library",
-diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
-index e956bf21e..5e03b0d9d 100644
--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
-+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
-@@ -55,7 +55,7 @@ go_test(
-         "//pkg/virt-api/webhooks:go_default_library",
-         "//pkg/virt-config:go_default_library",
-         "//pkg/virt-handler/node-labeller/util:go_default_library",
-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
-+        "//pkg/virt-operator/resource/generate/components:go_default_library",
-         "//staging/src/kubevirt.io/api/clone:go_default_library",
-         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
-         "//staging/src/kubevirt.io/api/core:go_default_library",
-diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
-index 025bf368a..f156eca9a 100644
--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
-+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
-@@ -46,10 +46,10 @@ import (
- 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
- 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
- 	nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- )
- 
-var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", rbac.ControllerServiceAccountName)
-+var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", components.ControllerServiceAccountName)
- 
- var _ = Describe("VirtualMachineInstance Mutator", func() {
- 	var vmi *v1.VirtualMachineInstance
-diff --git a/pkg/virt-api/webhooks/utils.go b/pkg/virt-api/webhooks/utils.go
-index 816a6beb3..653d41012 100644
--- a/pkg/virt-api/webhooks/utils.go
-+++ b/pkg/virt-api/webhooks/utils.go
-@@ -29,7 +29,7 @@ import (
- 	poolv1 "kubevirt.io/api/pool/v1alpha1"
- 	"kubevirt.io/client-go/log"
- 
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- 
- 	v1 "kubevirt.io/api/core/v1"
- 	clientutil "kubevirt.io/client-go/util"
-@@ -89,9 +89,9 @@ func IsKubeVirtServiceAccount(serviceAccount string) bool {
- 	}
- 
- 	prefix := fmt.Sprintf("system:serviceaccount:%s", ns)
-	return serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ApiServiceAccountName) ||
-		serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.HandlerServiceAccountName) ||
-		serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ControllerServiceAccountName)
-+	return serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ApiServiceAccountName) ||
-+		serviceAccount == fmt.Sprintf("%s:%s", prefix, components.HandlerServiceAccountName) ||
-+		serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ControllerServiceAccountName)
- }
- 
- func IsARM64() bool {
-diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
-index 03a74eb2f..65da66d1c 100644
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
-+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
-@@ -99,7 +99,7 @@ go_test(
-         "//pkg/virt-api/webhooks:go_default_library",
-         "//pkg/virt-config:go_default_library",
-         "//pkg/virt-handler/node-labeller/util:go_default_library",
-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
-+        "//pkg/virt-operator/resource/generate/components:go_default_library",
-         "//staging/src/kubevirt.io/api/clone:go_default_library",
-         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
-         "//staging/src/kubevirt.io/api/core:go_default_library",
-diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
-index 685ddf5fc..51dda99f5 100644
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
-+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
-@@ -27,8 +27,6 @@ import (
- 
- 	"kubevirt.io/client-go/api"
- 
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
-
- 	. "github.com/onsi/ginkgo/v2"
- 	. "github.com/onsi/gomega"
- 	admissionv1 "k8s.io/api/admission/v1"
-@@ -49,6 +47,7 @@ import (
- 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
- 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
- 	nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- )
- 
- var _ = Describe("Validating VMICreate Admitter", func() {
-@@ -424,17 +423,17 @@ var _ = Describe("Validating VMICreate Admitter", func() {
- 			},
- 			Entry("Create restricted label by API",
- 				map[string]string{v1.NodeNameLabel: "someValue"},
-				rbac.ApiServiceAccountName,
-+				components.ApiServiceAccountName,
- 				true,
- 			),
- 			Entry("Create restricted label by Handler",
- 				map[string]string{v1.NodeNameLabel: "someValue"},
-				rbac.HandlerServiceAccountName,
-+				components.HandlerServiceAccountName,
- 				true,
- 			),
- 			Entry("Create restricted label by Controller",
- 				map[string]string{v1.NodeNameLabel: "someValue"},
-				rbac.ControllerServiceAccountName,
-+				components.ControllerServiceAccountName,
- 				true,
- 			),
- 			Entry("Create restricted label by non kubevirt user",
-diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
-index 83a9d0390..a9f7af477 100644
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
-+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
-@@ -39,7 +39,7 @@ import (
- 	"kubevirt.io/kubevirt/pkg/testutils"
- 	webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks"
- 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- )
- 
- var _ = Describe("Validating VMIUpdate Admitter", func() {
-@@ -190,17 +190,17 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
- 		Entry("Update by API",
- 			map[string]string{v1.NodeNameLabel: "someValue"},
- 			map[string]string{v1.NodeNameLabel: "someNewValue"},
-			rbac.ApiServiceAccountName,
-+			components.ApiServiceAccountName,
- 		),
- 		Entry("Update by Handler",
- 			map[string]string{v1.NodeNameLabel: "someValue"},
- 			map[string]string{v1.NodeNameLabel: "someNewValue"},
-			rbac.HandlerServiceAccountName,
-+			components.HandlerServiceAccountName,
- 		),
- 		Entry("Update by Controller",
- 			map[string]string{v1.NodeNameLabel: "someValue"},
- 			map[string]string{v1.NodeNameLabel: "someNewValue"},
-			rbac.ControllerServiceAccountName,
-+			components.ControllerServiceAccountName,
- 		),
- 	)
- 
-@@ -560,7 +560,7 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
- 		resp := vmiUpdateAdmitter.Admit(ar)
- 		Expect(resp.Allowed).To(expected)
- 	},
-		Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+rbac.ApiServiceAccountName, BeTrue()),
-+		Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+components.ApiServiceAccountName, BeTrue()),
- 		Entry("Should reject regular user", "system:serviceaccount:someNamespace:someUser", BeFalse()),
- 	)
- })
-diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel
-index 583b63a04..22e1524c3 100644
--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel
-+++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel
-@@ -11,6 +11,7 @@ go_library(
-         "routes.go",
-         "scc.go",
-         "secrets.go",
-+        "serviceaccountnames.go",
-         "validations_generated.go",
-         "webhooks.go",
-     ],
-@@ -21,7 +22,6 @@ go_library(
-         "//pkg/certificates/triple:go_default_library",
-         "//pkg/certificates/triple/cert:go_default_library",
-         "//pkg/virt-config:go_default_library",
-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
-         "//pkg/virt-operator/util:go_default_library",
-         "//staging/src/kubevirt.io/api/clone:go_default_library",
-         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
-diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
-index 7524f7487..4717e4bec 100644
--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
-+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
-@@ -13,7 +13,6 @@ import (
- 	virtv1 "kubevirt.io/api/core/v1"
- 
- 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
- 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
- )
- 
-@@ -81,7 +80,7 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
- 	}
- 
- 	pod := &daemonset.Spec.Template.Spec
-	pod.ServiceAccountName = rbac.HandlerServiceAccountName
-+	pod.ServiceAccountName = HandlerServiceAccountName
- 	pod.HostPID = true
- 
- 	// nodelabeller currently only support x86
-diff --git a/pkg/virt-operator/resource/generate/components/deployments.go b/pkg/virt-operator/resource/generate/components/deployments.go
-index 9d5666def..8a900e7f0 100644
--- a/pkg/virt-operator/resource/generate/components/deployments.go
-+++ b/pkg/virt-operator/resource/generate/components/deployments.go
-@@ -35,7 +35,6 @@ import (
- 
- 	virtv1 "kubevirt.io/api/core/v1"
- 
-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
- 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
- )
- 
-@@ -326,7 +325,7 @@ func NewApiServerDeployment(namespace, repository, imagePrefix, version, product
- 	attachProfileVolume(&deployment.Spec.Template.Spec)
- 
- 	pod := &deployment.Spec.Template.Spec
-	pod.ServiceAccountName = rbac.ApiServiceAccountName
-+	pod.ServiceAccountName = ApiServiceAccountName
- 	pod.SecurityContext = &corev1.PodSecurityContext{
- 		RunAsNonRoot:   boolPtr(true),
- 		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
-@@ -407,7 +406,7 @@ func NewControllerDeployment(namespace, repository, imagePrefix, controllerVersi
- 	}
- 
- 	pod := &deployment.Spec.Template.Spec
-	pod.ServiceAccountName = rbac.ControllerServiceAccountName
-+	pod.ServiceAccountName = ControllerServiceAccountName
- 	pod.SecurityContext = &corev1.PodSecurityContext{
- 		RunAsNonRoot:   boolPtr(true),
- 		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
-@@ -645,7 +644,7 @@ func NewExportProxyDeployment(namespace, repository, imagePrefix, version, produ
- 	attachProfileVolume(&deployment.Spec.Template.Spec)
- 
- 	pod := &deployment.Spec.Template.Spec
-	pod.ServiceAccountName = rbac.ExportProxyServiceAccountName
-+	pod.ServiceAccountName = ExportProxyServiceAccountName
- 	pod.SecurityContext = &corev1.PodSecurityContext{
- 		RunAsNonRoot: boolPtr(true),
- 	}
-diff --git a/pkg/virt-operator/resource/generate/components/serviceaccountnames.go b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
-new file mode 100644
-index 000000000..0948629bb
--- /dev/null
-+++ b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
-@@ -0,0 +1,9 @@
-+package components
-+
-+const (
-+	ApiServiceAccountName         = "kubevirt-apiserver"
-+	ControllerServiceAccountName  = "kubevirt-controller"
-+	ExportProxyServiceAccountName = "kubevirt-exportproxy"
-+	HandlerServiceAccountName     = "kubevirt-handler"
-+	OperatorServiceAccountName    = "kubevirt-operator"
-+)
-diff --git a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
-index fb3952f7b..8de09055f 100644
--- a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
-+++ b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
-@@ -14,6 +14,7 @@ go_library(
-     importpath = "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac",
-     visibility = ["//visibility:public"],
-     deps = [
-+        "//pkg/virt-operator/resource/generate/components:go_default_library",
-         "//staging/src/kubevirt.io/api/clone:go_default_library",
-         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
-         "//staging/src/kubevirt.io/api/instancetype:go_default_library",
-@@ -33,6 +34,7 @@ go_test(
-     ],
-     embed = [":go_default_library"],
-     deps = [
-+        "//pkg/virt-operator/resource/generate/components:go_default_library",
-         "//staging/src/kubevirt.io/client-go/testutils:go_default_library",
-         "//vendor/github.com/onsi/ginkgo/v2:go_default_library",
-         "//vendor/github.com/onsi/gomega:go_default_library",
-diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go
-index 7263471a6..932f7391e 100644
--- a/pkg/virt-operator/resource/generate/rbac/apiserver.go
-+++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go
-@@ -26,6 +26,8 @@ import (
- 
- 	"kubevirt.io/api/instancetype"
- 
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
-+
- 	virtv1 "kubevirt.io/api/core/v1"
- 	"kubevirt.io/api/migrations"
- )
-@@ -36,8 +38,6 @@ const (
- 	GroupName     = "kubevirt.io"
- )
- 
-const ApiServiceAccountName = "kubevirt-apiserver"
-
- func GetAllApiServer(namespace string) []runtime.Object {
- 	return []runtime.Object{
- 		newApiServerServiceAccount(namespace),
-@@ -57,7 +57,7 @@ func newApiServerServiceAccount(namespace string) *corev1.ServiceAccount {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      ApiServiceAccountName,
-+			Name:      components.ApiServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -72,7 +72,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole {
- 			Kind:       "ClusterRole",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: ApiServiceAccountName,
-+			Name: components.ApiServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -267,7 +267,7 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
- 			Kind:       "ClusterRoleBinding",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: ApiServiceAccountName,
-+			Name: components.ApiServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -275,13 +275,13 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: VersionName,
- 			Kind:     "ClusterRole",
-			Name:     ApiServiceAccountName,
-+			Name:     components.ApiServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      ApiServiceAccountName,
-+				Name:      components.ApiServiceAccountName,
- 			},
- 		},
- 	}
-@@ -308,7 +308,7 @@ func newApiServerAuthDelegatorClusterRoleBinding(namespace string) *rbacv1.Clust
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      ApiServiceAccountName,
-+				Name:      components.ApiServiceAccountName,
- 			},
- 		},
- 	}
-@@ -322,7 +322,7 @@ func newApiServerRole(namespace string) *rbacv1.Role {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      ApiServiceAccountName,
-+			Name:      components.ApiServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -351,7 +351,7 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      ApiServiceAccountName,
-+			Name:      components.ApiServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -359,13 +359,13 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: VersionName,
- 			Kind:     "Role",
-			Name:     ApiServiceAccountName,
-+			Name:     components.ApiServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      ApiServiceAccountName,
-+				Name:      components.ApiServiceAccountName,
- 			},
- 		},
- 	}
-diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go
-index 2adb51225..9542a24fe 100644
--- a/pkg/virt-operator/resource/generate/rbac/controller.go
-+++ b/pkg/virt-operator/resource/generate/rbac/controller.go
-@@ -26,14 +26,14 @@ import (
- 
- 	"kubevirt.io/api/clone"
- 
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
-+
- 	"kubevirt.io/api/instancetype"
- 
- 	virtv1 "kubevirt.io/api/core/v1"
- 	"kubevirt.io/api/migrations"
- )
- 
-const ControllerServiceAccountName = "kubevirt-controller"
-
- func GetAllController(namespace string) []runtime.Object {
- 	return []runtime.Object{
- 		newControllerServiceAccount(namespace),
-@@ -52,7 +52,7 @@ func newControllerServiceAccount(namespace string) *corev1.ServiceAccount {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      ControllerServiceAccountName,
-+			Name:      components.ControllerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -67,7 +67,7 @@ func newControllerRole(namespace string) *rbacv1.Role {
- 			Kind:       "Role",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name:      ControllerServiceAccountName,
-+			Name:      components.ControllerServiceAccountName,
- 			Namespace: namespace,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
-@@ -124,7 +124,7 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 			Kind:       "RoleBinding",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name:      ControllerServiceAccountName,
-+			Name:      components.ControllerServiceAccountName,
- 			Namespace: namespace,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
-@@ -133,13 +133,13 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: VersionName,
- 			Kind:     "Role",
-			Name:     ControllerServiceAccountName,
-+			Name:     components.ControllerServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      ControllerServiceAccountName,
-+				Name:      components.ControllerServiceAccountName,
- 			},
- 		},
- 	}
-@@ -152,7 +152,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole {
- 			Kind:       "ClusterRole",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: ControllerServiceAccountName,
-+			Name: components.ControllerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -515,7 +515,7 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
- 			Kind:       "ClusterRoleBinding",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: ControllerServiceAccountName,
-+			Name: components.ControllerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -523,13 +523,13 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: "rbac.authorization.k8s.io",
- 			Kind:     "ClusterRole",
-			Name:     ControllerServiceAccountName,
-+			Name:     components.ControllerServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      ControllerServiceAccountName,
-+				Name:      components.ControllerServiceAccountName,
- 			},
- 		},
- 	}
-diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go
-index c47adc28a..e55a4044e 100644
--- a/pkg/virt-operator/resource/generate/rbac/handler.go
-+++ b/pkg/virt-operator/resource/generate/rbac/handler.go
-@@ -27,9 +27,9 @@ import (
- 
- 	virtv1 "kubevirt.io/api/core/v1"
- 	"kubevirt.io/api/migrations"
-)
- 
-const HandlerServiceAccountName = "kubevirt-handler"
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
-+)
- 
- func GetAllHandler(namespace string) []runtime.Object {
- 	return []runtime.Object{
-@@ -49,7 +49,7 @@ func newHandlerServiceAccount(namespace string) *corev1.ServiceAccount {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      HandlerServiceAccountName,
-+			Name:      components.HandlerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -64,7 +64,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole {
- 			Kind:       "ClusterRole",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: HandlerServiceAccountName,
-+			Name: components.HandlerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -167,7 +167,7 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
- 			Kind:       "ClusterRoleBinding",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: HandlerServiceAccountName,
-+			Name: components.HandlerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -175,13 +175,13 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: "rbac.authorization.k8s.io",
- 			Kind:     "ClusterRole",
-			Name:     HandlerServiceAccountName,
-+			Name:     components.HandlerServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      HandlerServiceAccountName,
-+				Name:      components.HandlerServiceAccountName,
- 			},
- 		},
- 	}
-@@ -195,7 +195,7 @@ func newHandlerRole(namespace string) *rbacv1.Role {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      HandlerServiceAccountName,
-+			Name:      components.HandlerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -224,7 +224,7 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      HandlerServiceAccountName,
-+			Name:      components.HandlerServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -232,13 +232,13 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: "rbac.authorization.k8s.io",
- 			Kind:     "Role",
-			Name:     HandlerServiceAccountName,
-+			Name:     components.HandlerServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      HandlerServiceAccountName,
-+				Name:      components.HandlerServiceAccountName,
- 			},
- 		},
- 	}
-diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
-index 29ec8c85a..f15dfa554 100644
--- a/pkg/virt-operator/resource/generate/rbac/operator.go
-+++ b/pkg/virt-operator/resource/generate/rbac/operator.go
-@@ -26,6 +26,8 @@ import (
- 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- 
- 	virtv1 "kubevirt.io/api/core/v1"
-+
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- )
- 
- const (
-@@ -33,7 +35,6 @@ const (
- 	GroupNameRoute    = "route.openshift.io"
- 	serviceAccountFmt = "%s:%s:%s"
- )
-const OperatorServiceAccountName = "kubevirt-operator"
- 
- // Used for manifest generation only, not by the operator itself
- func GetAllOperator(namespace string) []interface{} {
-@@ -54,7 +55,7 @@ func newOperatorServiceAccount(namespace string) *corev1.ServiceAccount {
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
- 			Namespace: namespace,
-			Name:      OperatorServiceAccountName,
-+			Name:      components.OperatorServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -74,7 +75,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
- 			Kind:       "ClusterRole",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: OperatorServiceAccountName,
-+			Name: components.OperatorServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -396,7 +397,7 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
- 			Kind:       "ClusterRoleBinding",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name: OperatorServiceAccountName,
-+			Name: components.OperatorServiceAccountName,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
- 			},
-@@ -404,13 +405,13 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: VersionName,
- 			Kind:     "ClusterRole",
-			Name:     OperatorServiceAccountName,
-+			Name:     components.OperatorServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      OperatorServiceAccountName,
-+				Name:      components.OperatorServiceAccountName,
- 			},
- 		},
- 	}
-@@ -432,13 +433,13 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
- 		RoleRef: rbacv1.RoleRef{
- 			APIGroup: VersionName,
- 			Kind:     "Role",
-			Name:     OperatorServiceAccountName,
-+			Name:     components.OperatorServiceAccountName,
- 		},
- 		Subjects: []rbacv1.Subject{
- 			{
- 				Kind:      "ServiceAccount",
- 				Namespace: namespace,
-				Name:      OperatorServiceAccountName,
-+				Name:      components.OperatorServiceAccountName,
- 			},
- 		},
- 	}
-@@ -452,7 +453,7 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
- 			Kind:       "Role",
- 		},
- 		ObjectMeta: metav1.ObjectMeta{
-			Name:      OperatorServiceAccountName,
-+			Name:      components.OperatorServiceAccountName,
- 			Namespace: namespace,
- 			Labels: map[string]string{
- 				virtv1.AppLabel: "",
-@@ -466,6 +467,16 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
- 				Resources: []string{
- 					"secrets",
- 				},
-+				ResourceNames: []string{
-+					components.KubeVirtCASecretName,
-+					components.KubeVirtExportCASecretName,
-+					components.VirtHandlerCertSecretName,
-+					components.VirtHandlerServerCertSecretName,
-+					components.VirtOperatorCertSecretName,
-+					components.VirtApiCertSecretName,
-+					components.VirtControllerCertSecretName,
-+					components.VirtExportProxyCertSecretName,
-+				},
- 				Verbs: []string{
- 					"create",
- 					"get",
-@@ -526,10 +537,10 @@ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
- 	usermap := make(map[string]bool)
- 
- 	prefix := "system:serviceaccount"
-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, HandlerServiceAccountName)] = true
-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ApiServiceAccountName)] = true
-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ControllerServiceAccountName)] = true
-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, OperatorServiceAccountName)] = true
-+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.HandlerServiceAccountName)] = true
-+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ApiServiceAccountName)] = true
-+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ControllerServiceAccountName)] = true
-+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.OperatorServiceAccountName)] = true
- 
- 	return usermap
- }
-diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
-index 701a8c4f5..51bd479cc 100644
--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
-+++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
-@@ -26,6 +26,8 @@ import (
- 	. "github.com/onsi/gomega"
- 	v1 "k8s.io/api/core/v1"
- 	rbacv1 "k8s.io/api/rbac/v1"
-+
-+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
- )
- 
- var _ = Describe("RBAC", func() {
-@@ -75,10 +77,10 @@ var _ = Describe("RBAC", func() {
- 			func(name string) {
- 				Expect(serviceAccounts).To(HaveKey(MatchRegexp(fmt.Sprintf(".*%s.*", name))))
- 			},
-			Entry("for Handler", HandlerServiceAccountName),
-			Entry("for Api", ApiServiceAccountName),
-			Entry("for Controller", ControllerServiceAccountName),
-			Entry("for Operator", OperatorServiceAccountName),
-+			Entry("for Handler", components.HandlerServiceAccountName),
-+			Entry("for Api", components.ApiServiceAccountName),
-+			Entry("for Controller", components.ControllerServiceAccountName),
-+			Entry("for Operator", components.OperatorServiceAccountName),
- 		)
- 
- 	})
-- 
-2.39.2
-
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 <services>
  <service name="tar_scm" mode="disabled">
    <param name="filename">kubevirt</param>
-    <param name="revision">v0.59.2</param>
+    <param name="revision">v1.0.0</param>
    <param name="scm">git</param>
    <param name="submodules">disable</param>
    <param name="url">https://github.com/kubevirt/kubevirt</param>
--- a/disks-images-provider.yaml
+++ b/disks-images-provider.yaml
@ -22,7 +22,7 @@ spec:
      serviceAccountName: kubevirt-testing
      containers:
        - name: target
-          image: quay.io/kubevirt/disks-images-provider:v0.59.2
+          image: quay.io/kubevirt/disks-images-provider:v1.0.0
          imagePullPolicy: Always
          lifecycle:
            preStop:
--- a/kubevirt-0.59.2.tar.gz
+++ b/kubevirt-0.59.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:153d9ad1963a53d57b73880d1e2153fa5e2b4d70a2df560c10bb590c5f498ffb
-size 14813378
--- a/kubevirt-1.0.0.tar.gz
+++ b/kubevirt-1.0.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af2e9ec3e7422b7a3fa769080d66db3faba49aaf25b41a04e451fc5171018952
+size 15289113
--- a/kubevirt.changes
+++ b/kubevirt.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jul 12 07:54:37 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>
+
+- Update to version 1.0.0
+  Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.0.0
+- Drop upstreamed patches
+  0001-Vulnerability-fix-limit-operator-secrets-permission.patch
+- Add registry path for SLE15 SP6
+
 -------------------------------------------------------------------
 Mon Jul 10 11:19:52 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>

--- a/kubevirt.spec
+++ b/kubevirt.spec
@ -17,7 +17,7 @@


 Name:           kubevirt
-Version:        0.59.2
+Version:        1.0.0
 Release:        0
 Summary:        Container native virtualization
 License:        Apache-2.0
@ -28,8 +28,7 @@ Source1:        kubevirt_containers_meta
 Source2:        kubevirt_containers_meta.service
 Source3:        %{url}/releases/download/v%{version}/disks-images-provider.yaml
 Source100:      %{name}-rpmlintrc
-Patch0:         0001-Vulnerability-fix-limit-operator-secrets-permission.patch
-Patch1:         0002-Fix-qemu-system-lookup.patch
+Patch1:         0001-Fix-qemu-system-lookup.patch
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
@ -107,6 +106,14 @@ Group:          System/Packages
 %description    virt-operator
 The virt-opertor package provides an operator for kubevirt CRD

+%package        pr-helper-conf
+Summary:        Configuration files for persistent reservation helper
+Group:          System/Packages
+
+%description    pr-helper-conf
+The pr-helper-conf package provides configuration files for persistent
+reservation helper
+
 %package        manifests
 Summary:        YAML manifests used to install kubevirt
 Group:          System/Packages
@ -173,6 +180,11 @@ case "${distro}" in
    labelprefix=com.suse.kubevirt
    registry=registry.suse.com
    ;;
+150600:0)
+    tagprefix=suse/sles/15.6
+    labelprefix=com.suse.kubevirt
+    registry=registry.suse.com
+    ;;
 *:1)
    tagprefix=kubevirt
    labelprefix=org.opensuse.kubevirt
@ -255,6 +267,10 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v
 # virt-launcher SELinux policy needs to land in virt-handler container
 install -p -m 0644 cmd/virt-handler/virt_launcher.cil %{buildroot}%{_datadir}/kube-virt/virt-handler/

+# Persistent reservation helper configuration files
+mkdir -p %{buildroot}%{_datadir}/kube-virt/pr-helper
+install -p -m 0644 cmd/pr-helper/multipath.conf %{buildroot}%{_datadir}/kube-virt/pr-helper/
+
 # Install release manifests
 mkdir -p %{buildroot}%{_datadir}/kube-virt/manifests/release
 install -m 0644 _out/manifests/release/kubevirt-operator.yaml %{buildroot}%{_datadir}/kube-virt/manifests/release/
@ -326,6 +342,13 @@ install -m 0644 %{S:2} %{buildroot}%{_prefix}/lib/obs/service
 %doc README.md
 %{_bindir}/virt-operator

+%files pr-helper-conf
+%license LICENSE
+%doc README.md
+%dir %{_datadir}/kube-virt
+%dir %{_datadir}/kube-virt/pr-helper
+%{_datadir}/kube-virt/pr-helper
+
 %files manifests
 %license LICENSE
 %doc README.md