Accepting request 846541 from home:jfehlig:branches:Virtualization

- spec: Generate the registry path for kubevirt-operator.yaml at build time. Prjconf macro 'registry_path' can be used to override registry path to the KubeVirt container images - spec: Add kubevirt-psp-caasp.yaml, a PSP based on CaaSP privileged PSP, to the manifests subpackage - spec: Don't add component name to DOCKER_PREFIX passed to build-manifests.sh OBS-URL: https://build.opensuse.org/request/show/846541 OBS-URL: https://build.opensuse.org/package/show/Virtualization/kubevirt?expand=0&rev=17
2020-11-06 21:27:48 +00:00 · 2020-11-06 21:27:48 +00:00 · dcabda7174
commit dcabda7174
parent f45410d4b5
3 changed files with 145 additions and 1 deletions
--- a/kubevirt-psp-caasp.yaml
+++ b/kubevirt-psp-caasp.yaml
@ -0,0 +1,91 @@
+#
+# A KubeVirt PSP for CaaSP-based Kubernetes clusters that makes use of the
+# CaaSP privileged PSP.
+#
+# After the KubeVirt operator has sucessfully deployed the KubeVirt service,
+# this PSP can be deployed to the cluster, giving virt-operator and
+# virt-handler access to cluster operations necessary for virtual machine
+# management.
+#
+# kubectl apply -f /usr/share/kube-virt/manifests/release/kubevirt-psp-caasp.yaml
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubevirt-controller-caasp
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - suse.caasp.psp.privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubevirt-handler-caasp
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - suse.caasp.psp.privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubevirt-controller-caasp
+roleRef:
+  kind: ClusterRole
+  name: kubevirt-controller-caasp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: kubevirt-controller
+  namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubevirt-handler-caasp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubevirt-handler-caasp
+subjects:
+- kind: ServiceAccount
+  name: kubevirt-handler
+  namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubevirt-controller-caasp
+roleRef:
+  kind: Role
+  name: kubevirt-controller-caasp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: kubevirt-controller
+  namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubevirt-handler-caasp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubevirt-handler-caasp
+subjects:
+- kind: ServiceAccount
+  name: kubevirt-handler
+  namespace: kubevirt
+
--- a/kubevirt.changes
+++ b/kubevirt.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Nov  6 19:40:12 UTC 2020 - James Fehlig <jfehlig@suse.com>
+
+- spec: Generate the registry path for kubevirt-operator.yaml at
+  build time. Prjconf macro 'registry_path' can be used to
+  override registry path to the KubeVirt container images
+- spec: Add kubevirt-psp-caasp.yaml, a PSP based on CaaSP
+  privileged PSP, to the manifests subpackage
+- spec: Don't add component name to DOCKER_PREFIX passed to
+  build-manifests.sh
+
 -------------------------------------------------------------------
 Sat Oct 31 17:34:55 UTC 2020 - Jan Zerebecki <jzerebecki@suse.com>

--- a/kubevirt.spec
+++ b/kubevirt.spec
@ -24,6 +24,7 @@ License:        Apache-2.0
 Group:          System/Packages
 URL:            https://github.com/kubevirt/kubevirt
 Source0:        %{name}-%{version}.tar.gz
+Source1:        kubevirt-psp-caasp.yaml
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
@ -98,6 +99,41 @@ kubernetes installation with kubectl apply.
 %autosetup -p1

 %build
+# Hackery to determine which registry path to use in kubevirt-operator.yaml
+# when building the manifests
+#
+# The 'registry_path' macro can be used to define an explicit path in the
+# project config, e.g.
+#
+# Macros:
+# %registry_path registry.opensuse.org/Virtualization/container
+# :Macros
+#
+# 'registry_path' can also be defined when building locally, e.g.
+#
+# osc build --define='registry_path registry.opensuse.org/foo/bar/baz' ...
+#
+# If 'registry_path' is not specified, the standard publish location for SLE and
+# openSUSE-based containers is used.
+#
+# TODO:
+# 1. Determine "standard publish location" for SLE and openSUSE variants
+# 2. Support Leap when 1 is done
+#
+%if "%{?registry_path}" == ""
+distro='%{?sle_version}:%{is_opensuse}'
+case "${distro}" in
+    150200:0)
+	reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.2' ;;
+    150300:0)
+	reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.3' ;;
+    *)
+	reg_path='registry.opensuse.org/virtualization/container/opensuse/tumbleweed' ;;
+esac
+%else
+reg_path='%{registry_path}'
+%endif
+
 mkdir -p go/src/kubevirt.io go/pkg
 ln -s ../../../ go/src/kubevirt.io/kubevirt
 export GOPATH=${PWD}/go
@ -120,7 +156,8 @@ KUBEVIRT_GIT_TREE_STATE="clean" \
 	cmd/virt-operator \
 	tools/csv-generator \
 	%{nil}
-env DOCKER_PREFIX=registry.opensuse.org/opensuse/tumbleweed/virt-operator DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2
+
+env DOCKER_PREFIX=$reg_path DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2

 %install
 mkdir -p %{buildroot}%{_bindir}
@ -137,6 +174,11 @@ install -p -m 0755 _out/cmd/csv-generator/csv-generator %{buildroot}%{_bindir}/

 mkdir -p %{buildroot}%{_datadir}/kube-virt
 cp -r _out/manifests %{buildroot}%{_datadir}/kube-virt/
+# TODO:
+# Create a proper Pod Security Policy (PSP) for KubeVirt. For now, add one
+# that uses the CaaSP privileged PSP. It can be used with CaaSP-based
+# Kubernetes clusters.
+install -m 644 %{S:1} %{buildroot}/%{_datadir}/kube-virt/manifests/release/

 %files virtctl
 %license LICENSE