.obs/workflows.yml

@@ -210,3 +210,7 @@ staging_build:
       source_package: kiwi-builder-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kubevirt-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging

kubevirt-chart/Chart.yaml

@@ -0,0 +1,9 @@
+#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:302.0.0_up0.4.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%sriov-crd-chart:302.0.0_up0.4.0
+apiVersion: v2
+appVersion: 1.3.1
+description: A Helm chart for KubeVirt
+icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
+name: kubevirt
+type: application
+version: 302.0.0+up0.4.0

kubevirt-chart/_service

@@ -0,0 +1,8 @@
+<services>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Chart.yaml</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+  </service>
+</services>

kubevirt-chart/app-readme.md

@@ -0,0 +1 @@
+KubeVirt is a virtual machine management add-on for Kubernetes. The aim is to provide a common ground for virtualization solutions on top of Kubernetes.

kubevirt-chart/templates/NOTES.txt

@@ -0,0 +1,2 @@
+Verify that all KubeVirt components are installed correctly:
+  kubectl get all -n {{ .Release.Namespace }}

kubevirt-chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubevirt.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubevirt.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubevirt.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubevirt.labels" -}}
+helm.sh/chart: {{ include "kubevirt.chart" . }}
+{{ include "kubevirt.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubevirt.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubevirt.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubevirt.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kubevirt.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

kubevirt-chart/templates/_hooks.tpl

@@ -0,0 +1,47 @@
+{{/* Hook annotations */}}
+{{- define "kubevirt.hook.annotations" -}}
+  annotations:
+    "helm.sh/hook": {{ .hookType }}
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": {{ .hookWeight | quote }}
+{{- end -}}
+
+{{/* Namespace modifying hook annotations */}}
+{{- define "kubevirt.namespaceHook.annotations" -}}
+{{ template "kubevirt.hook.annotations" merge (dict "hookType" "pre-install") . }}
+{{- end -}}
+
+{{/* CRD upgrading hook annotations */}}
+{{- define "kubevirt.crdUpgradeHook.annotations" -}}
+{{ template "kubevirt.hook.annotations" merge (dict "hookType" "pre-upgrade") . }}
+{{- end -}}
+
+{{/* Custom resource uninstalling hook annotations */}}
+{{- define "kubevirt.crUninstallHook.annotations" -}}
+{{ template "kubevirt.hook.annotations" merge (dict "hookType" "pre-delete") . }}
+{{- end -}}
+
+{{/* CRD uninstalling hook annotations */}}
+{{- define "kubevirt.crdUninstallHook.annotations" -}}
+{{ template "kubevirt.hook.annotations" merge (dict "hookType" "post-delete") . }}
+{{- end -}}
+
+{{/* Namespace modifying hook name */}}
+{{- define "kubevirt.namespaceHook.name" -}}
+{{ include "kubevirt.fullname" . }}-namespace-modify
+{{- end }}
+
+{{/* CRD upgrading hook name */}}
+{{- define "kubevirt.crdUpgradeHook.name" -}}
+{{ include "kubevirt.fullname" . }}-crd-upgrade
+{{- end }}
+
+{{/* Custom resource uninstalling hook name */}}
+{{- define "kubevirt.crUninstallHook.name" -}}
+{{ include "kubevirt.fullname" . }}-uninstall
+{{- end }}
+
+{{/* CRD uninstalling hook name */}}
+{{- define "kubevirt.crdUninstallHook.name" -}}
+{{ include "kubevirt.fullname" . }}-crd-uninstall
+{{- end }}

kubevirt-chart/templates/crd-uninstall-hooks.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crdUninstallHook.name" . }}
+  {{ template "kubevirt.crdUninstallHook.annotations" (dict "hookWeight" 1) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kubevirt.crdUninstallHook.name" . }}
+  {{ template "kubevirt.crdUninstallHook.annotations" (dict "hookWeight" 1) }}
+rules:
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    resourceNames:
+      - "kubevirts.kubevirt.io"
+    verbs: [ "delete" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kubevirt.crdUninstallHook.name" . }}
+  {{ template "kubevirt.crdUninstallHook.annotations" (dict "hookWeight" 2) }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "kubevirt.crdUninstallHook.name" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "kubevirt.crdUninstallHook.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crdUninstallHook.name" . }}
+  {{ template "kubevirt.crdUninstallHook.annotations" (dict "hookWeight" 3) }}
+spec:
+  template:
+    metadata:
+      name: {{ template "kubevirt.crdUninstallHook.name" . }}
+    spec:
+      serviceAccountName: {{ template "kubevirt.crdUninstallHook.name" . }}
+      restartPolicy: {{ .Values.hookRestartPolicy }}
+      containers:
+        - name: {{ template "kubevirt.crdUninstallHook.name" . }}
+          image: {{ .Values.hookImage }}
+          args:
+            - delete
+            - customresourcedefinitions
+            - kubevirts.kubevirt.io
+          securityContext:
+            {{- toYaml .Values.hookSecurityContext | nindent 12 }}

kubevirt-chart/templates/crd-upgrade-hooks.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: kubevirt-crd-manifest
+  {{ template "kubevirt.crdUpgradeHook.annotations" (dict "hookWeight" 1) }}
+data:
+  crd: |-
+    {{ $.Files.Get "crds/kubevirt.yaml" | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+  {{ template "kubevirt.crdUpgradeHook.annotations" (dict "hookWeight" 2) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+  {{ template "kubevirt.crdUpgradeHook.annotations" (dict "hookWeight" 2) }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    resourceNames:
+      - "kubevirt-crd-manifest"
+    verbs: [ "get" ]
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    resourceNames:
+      - "kubevirts.kubevirt.io"
+    verbs: [ "get", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+  {{ template "kubevirt.crdUpgradeHook.annotations" (dict "hookWeight" 3) }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+  {{ template "kubevirt.crdUpgradeHook.annotations" (dict "hookWeight" 4) }}
+spec:
+  template:
+    metadata:
+      name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+    spec:
+      serviceAccountName: {{ template "kubevirt.crdUpgradeHook.name" . }}
+      restartPolicy: {{ .Values.hookRestartPolicy }}
+      containers:
+        - name: {{ template "kubevirt.crdUpgradeHook.name" . }}
+          securityContext:
+            {{- toYaml .Values.hookSecurityContext | nindent 12 }}
+          image: {{ .Values.hookImage }}
+          args:
+            - apply
+            - -f
+            - /etc/manifests/crd.yaml
+          volumeMounts:
+            - name: crd-volume
+              mountPath: /etc/manifests
+      volumes:
+        - name: crd-volume
+          configMap:
+            name: kubevirt-crd-manifest
+            items:
+              - key: crd
+                path: crd.yaml

kubevirt-chart/templates/kubevirt-uninstall-hooks.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crUninstallHook.name" . }}
+  {{ template "kubevirt.crUninstallHook.annotations" (dict "hookWeight" 1) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crUninstallHook.name" . }}
+  {{ template "kubevirt.crUninstallHook.annotations" (dict "hookWeight" 1) }}
+rules:
+  - apiGroups: [ "kubevirt.io" ]
+    resources: [ "kubevirts" ]
+    resourceNames:
+      - "kubevirt"
+    verbs: [ "get", "list", "delete" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments", "daemonsets" ]
+    verbs: [ "get", "list" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crUninstallHook.name" . }}
+  {{ template "kubevirt.crUninstallHook.annotations" (dict "hookWeight" 2) }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "kubevirt.crUninstallHook.name" . }}
+roleRef:
+  kind: Role
+  name: {{ template "kubevirt.crUninstallHook.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.crUninstallHook.name" . }}
+  {{ template "kubevirt.crUninstallHook.annotations" (dict "hookWeight" 3) }}
+spec:
+  template:
+    metadata:
+      name: {{ template "kubevirt.crUninstallHook.name" . }}
+    spec:
+      serviceAccountName: {{ template "kubevirt.crUninstallHook.name" . }}
+      restartPolicy: {{ .Values.hookRestartPolicy }}
+      containers:
+        - name: {{ template "kubevirt.crUninstallHook.name" . }}
+          image: {{ .Values.hookImage }}
+          securityContext:
+            {{- toYaml .Values.hookSecurityContext | nindent 12 }}
+          args:
+            - delete
+            - kubevirt
+            - kubevirt
+        - name: {{ template "kubevirt.crUninstallHook.name" . }}-cleanup
+          image: {{ .Values.hookImage }}
+          securityContext:
+            {{- toYaml .Values.hookSecurityContext | nindent 12 }}
+          args:
+            - wait
+            - --for=delete
+            - deployments/virt-api
+            - deployments/virt-controller
+            - daemonsets/virt-handler
+            - --timeout=60s

kubevirt-chart/templates/kubevirt.yaml

@@ -0,0 +1,32 @@
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+metadata:
+  name: kubevirt
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- with .Values.kubevirt.configuration }}
+  configuration:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.kubevirt.customizeComponents }}
+  customizeComponents:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  imagePullPolicy: {{ .Values.kubevirt.imagePullPolicy }}
+  {{- with .Values.kubevirt.infra }}
+  infra:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if .Values.kubevirt.uninstallStrategy }}
+  uninstallStrategy: {{ .Values.kubevirt.uninstallStrategy }}
+  {{- end }}
+  {{- with .Values.kubevirt.workloadUpdateStrategy }}
+  workloadUpdateStrategy:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if .Values.kubevirt.monitorNamespace }}
+  monitorNamespace: {{ .Values.kubevirt.monitorNamespace }}
+  {{- end }}
+  {{- if .Values.kubevirt.monitorAccount }}
+  monitorAccount: {{ .Values.kubevirt.monitorAccount }}
+  {{- end }}

kubevirt-chart/templates/namespace-hooks.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.namespaceHook.name" . }}
+  {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 1) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kubevirt.namespaceHook.name" . }}
+  {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 1) }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    resourceNames:
+      - {{ .Release.Namespace | quote }}
+    verbs: [ "get", "patch" ]
+  - apiGroups: [ "management.cattle.io" ] # Rancher
+    resources: [ "projects" ]
+    verbs: [ "updatepsa" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kubevirt.namespaceHook.name" . }}
+  {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 2) }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "kubevirt.namespaceHook.name" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "kubevirt.namespaceHook.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "kubevirt.namespaceHook.name" . }}
+  {{ template "kubevirt.namespaceHook.annotations" (dict "hookWeight" 3) }}
+spec:
+  template:
+    metadata:
+      name: {{ template "kubevirt.namespaceHook.name" . }}
+    spec:
+      serviceAccountName: {{ template "kubevirt.namespaceHook.name" . }}
+      restartPolicy: {{ .Values.hookRestartPolicy }}
+      containers:
+        - name: {{ template "kubevirt.namespaceHook.name" . }}
+          securityContext:
+            {{- toYaml .Values.hookSecurityContext | nindent 12 }}
+          image: {{ .Values.hookImage }}
+          args:
+            - label
+            - namespace
+            - {{ .Release.Namespace }}
+            - kubevirt.io=
+            - pod-security.kubernetes.io/enforce=privileged

kubevirt-chart/values.yaml

@@ -0,0 +1,34 @@
+operator:
+  image: registry.suse.com/suse/sles/15.6/virt-operator
+  version: 1.3.1-150600.5.9.1
+  pullPolicy: IfNotPresent
+
+kubevirt:
+  # Holds kubevirt configurations. Same as the virt-configMap.
+  configuration: {}
+  customizeComponents: {}
+  # The ImagePullPolicy to use.
+  imagePullPolicy: IfNotPresent
+  # Selectors and tolerations that should apply to KubeVirt infrastructure components.
+  infra: {}
+  # Specifies if KubeVirt can be deleted if workloads are still present.
+  # This is mainly a precaution to avoid accidental data loss.
+  uninstallStrategy: ""
+  # WorkloadUpdateStrategy defines at the cluster level how to handle automated workload updates.
+  workloadUpdateStrategy: {}
+  # Optionally enable ServiceMonitor for prometheus, see
+  # https://kubevirt.io/user-guide/user_workloads/component_monitoring/
+  monitorAccount: ""
+  monitorNamespace: ""
+
+hookImage: rancher/kubectl:v1.30.2
+hookRestartPolicy: OnFailure
+hookSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL