From dcabda7174abc1f9ae94e40c62e3f4d8ee1a899589bb8a84893b08c79a763a65 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Fri, 6 Nov 2020 21:27:48 +0000
Subject: [PATCH] Accepting request 846541 from home:jfehlig:branches:Virtualization

- spec: Generate the registry path for kubevirt-operator.yaml at build time. Prjconf macro 'registry_path' can be used to override registry path to the KubeVirt container images
- spec: Add kubevirt-psp-caasp.yaml, a PSP based on CaaSP privileged PSP, to the manifests subpackage
- spec: Don't add component name to DOCKER_PREFIX passed to build-manifests.sh
OBS-URL: https://build.opensuse.org/request/show/846541
OBS-URL: https://build.opensuse.org/package/show/Virtualization/kubevirt?expand=0&rev=17
---
 kubevirt-psp-caasp.yaml | 91 +++++++++++++++++++++++++++++++++++++++++
 kubevirt.changes | 11 +++++
 kubevirt.spec | 44 +++++++++++++++++++-
 3 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 kubevirt-psp-caasp.yaml
diff --git a/kubevirt-psp-caasp.yaml b/kubevirt-psp-caasp.yaml
new file mode 100644
index 0000000..c69653a
--- /dev/null
+++ b/kubevirt-psp-caasp.yaml
@@ -0,0 +1,91 @@
+#
+# A KubeVirt PSP for CaaSP-based Kubernetes clusters that makes use of the
+# CaaSP privileged PSP.
+#
+# After the KubeVirt operator has sucessfully deployed the KubeVirt service,
+# this PSP can be deployed to the cluster, giving virt-operator and
+# virt-handler access to cluster operations necessary for virtual machine
+# management.
+#
+# kubectl apply -f /usr/share/kube-virt/manifests/release/kubevirt-psp-caasp.yaml
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubevirt-controller-caasp
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - suse.caasp.psp.privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubevirt-handler-caasp
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - suse.caasp.psp.privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubevirt-controller-caasp
+roleRef:
+ kind: ClusterRole
+ name: kubevirt-controller-caasp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: kubevirt-controller
+ namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubevirt-handler-caasp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubevirt-handler-caasp
+subjects:
+- kind: ServiceAccount
+ name: kubevirt-handler
+ namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubevirt-controller-caasp
+roleRef:
+ kind: Role
+ name: kubevirt-controller-caasp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: kubevirt-controller
+ namespace: kubevirt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubevirt-handler-caasp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubevirt-handler-caasp
+subjects:
+- kind: ServiceAccount
+ name: kubevirt-handler
+ namespace: kubevirt
+
diff --git a/kubevirt.changes b/kubevirt.changes
index f78953d..6a1e305 100644
--- a/kubevirt.changes
+++ b/kubevirt.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Nov 6 19:40:12 UTC 2020 - James Fehlig
+
+- spec: Generate the registry path for kubevirt-operator.yaml at
+ build time. Prjconf macro 'registry_path' can be used to
+ override registry path to the KubeVirt container images
+- spec: Add kubevirt-psp-caasp.yaml, a PSP based on CaaSP
+ privileged PSP, to the manifests subpackage
+- spec: Don't add component name to DOCKER_PREFIX passed to
+ build-manifests.sh
+
 -------------------------------------------------------------------
 Sat Oct 31 17:34:55 UTC 2020 - Jan Zerebecki
 
diff --git a/kubevirt.spec b/kubevirt.spec
index b68d925..131c878 100644
--- a/kubevirt.spec
+++ b/kubevirt.spec
@@ -24,6 +24,7 @@ License: Apache-2.0
 Group: System/Packages
 URL: https://github.com/kubevirt/kubevirt
 Source0: %{name}-%{version}.tar.gz
+Source1: kubevirt-psp-caasp.yaml
 BuildRequires: glibc-devel-static
 BuildRequires: golang-packaging
 BuildRequires: pkgconfig
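Review bot: The two RoleBinding objects at the end of the new file reference `kind: Role` named kubevirt-controller-caasp and kubevirt-handler-caasp, but the file only defines ClusterRoles with those names, and neither RoleBinding sets `metadata.namespace`, so `kubectl apply` creates them in whatever namespace the caller's current context selects rather than in kubevirt and they grant nothing unless a Role of that name happens to exist there. The ClusterRoleBindings earlier in the file already grant `use` of suse.caasp.psp.privileged cluster-wide to both service accounts, so the RoleBindings look redundant; if the intent is instead to scope the grant to the kubevirt namespace, drop the ClusterRoleBindings and give each RoleBinding `namespace: kubevirt` under metadata and `kind: ClusterRole` in roleRef. The header comment describes the file as "a KubeVirt PSP", but it is RBAC that grants use of the CaaSP privileged PSP; stating that plainly, e.g. `# Grants the kubevirt-controller and kubevirt-handler service accounts use of the CaaSP privileged PSP (no PodSecurityPolicy is defined here).`, tells a cluster admin what scope they are handing out, and `sucessfully` is misspelled.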
@@ -98,6 +99,41 @@ kubernetes installation with kubectl apply.
 %autosetup -p1
 
 %build
+# Hackery to determine which registry path to use in kubevirt-operator.yaml
+# when building the manifests
+#
+# The 'registry_path' macro can be used to define an explicit path in the
+# project config, e.g.
+#
+# Macros:
+# %registry_path registry.opensuse.org/Virtualization/container
+# :Macros
+#
+# 'registry_path' can also be defined when building locally, e.g.
+#
+# osc build --define='registry_path registry.opensuse.org/foo/bar/baz' ...
+#
+# If 'registry_path' is not specified, the standard publish location for SLE and
+# openSUSE-based containers is used.
+#
+# TODO:
+# 1. Determine "standard publish location" for SLE and openSUSE variants
+# 2. Support Leap when 1 is done
+#
+%if "%{?registry_path}" == ""
+distro='%{?sle_version}:%{is_opensuse}'
+case "${distro}" in
+ 150200:0)
+ reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.2' ;;
+ 150300:0)
+ reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.3' ;;
+ *)
+ reg_path='registry.opensuse.org/virtualization/container/opensuse/tumbleweed' ;;
+esac
+%else
+reg_path='%{registry_path}'
+%endif
+
 mkdir -p go/src/kubevirt.io go/pkg
 ln -s ../../../ go/src/kubevirt.io/kubevirt
 export GOPATH=${PWD}/go
@@ -120,7 +156,8 @@ KUBEVIRT_GIT_TREE_STATE="clean" \
 cmd/virt-operator \
 tools/csv-generator \
 %{nil}
-env DOCKER_PREFIX=registry.opensuse.org/opensuse/tumbleweed/virt-operator DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2
+
+env DOCKER_PREFIX=$reg_path DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2
 
 %install
 mkdir -p %{buildroot}%{_bindir}
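Review bot: `distro='%{?sle_version}:%{is_opensuse}'` uses the unconditional macro form for is_opensuse while the sle_version half uses `%{?...}`; when is_opensuse is undefined rpm leaves the `%{is_opensuse}` text in place, so the case statement silently falls through to the Tumbleweed default rather than matching a SLE row. For consistency and to make the fallthrough deliberate, write `distro='%{?sle_version}:%{?is_opensuse}'`. In the %else branch, `reg_path='%{registry_path}'` splices a prjconf or `osc build --define` value into a single-quoted shell string, so a value containing a single quote breaks the %build script; this is a build-time knob rather than untrusted input, but a one-line comment saying the value must not contain quotes would save the next person a confusing build failure. The %build section continues outside this hunk.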
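Review bot: `env DOCKER_PREFIX=$reg_path` leaves reg_path unquoted in an argument to env, where (unlike a plain shell assignment) it is subject to word splitting and pathname expansion; because the value can come from the user-supplied registry_path macro, quote it: `env DOCKER_PREFIX="$reg_path" DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2`. The new line also depends on reg_path having been set by the %if/%else block earlier in %build, which lies outside this hunk, so a short comment such as `# reg_path is chosen above from registry_path or the distro default` would help a reader of the spec.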
@@ -137,6 +174,11 @@ install -p -m 0755 _out/cmd/csv-generator/csv-generator %{buildroot}%{_bindir}/
 mkdir -p %{buildroot}%{_datadir}/kube-virt
 cp -r _out/manifests %{buildroot}%{_datadir}/kube-virt/
+# TODO:
+# Create a proper Pod Security Policy (PSP) for KubeVirt. For now, add one
+# that uses the CaaSP privileged PSP. It can be used with CaaSP-based
+# Kubernetes clusters.
+install -m 644 %{S:1} %{buildroot}/%{_datadir}/kube-virt/manifests/release/
 
 %files virtctl
 %license LICENSE