From e05e20ad22594720be3f511c8d8603220fa14400 Mon Sep 17 00:00:00 2001 From: Yaroslav Borbat Date: Tue, 31 Mar 2026 17:28:50 +0300 Subject: [PATCH 1/2] bump Signed-off-by: Yaroslav Borbat --- build/components/versions.yml | 2 +- images/virt-artifact/werf.inc.yaml | 1 + templates/_hostnetwork_ports.tpl | 47 +++++++ .../_customize_patch_helpers.tpl | 2 +- templates/kube-api-rewriter/_settings.tpl | 6 +- .../kube-api-rewriter/_sidecar_helpers.tpl | 54 ++++++-- .../cm-kubeconfig-local.yaml | 12 ++ templates/kubevirt/kubevirt.yaml | 116 +++++++++--------- .../kubevirt/virt-operator/deployment.yaml | 25 ++-- templates/virtualization-dra/daemonset.yaml | 11 +- templates/vm-route-forge/daemonset.yaml | 12 +- templates/vm-route-forge/service.yaml | 2 +- 12 files changed, 185 insertions(+), 105 deletions(-) create mode 100644 templates/_hostnetwork_ports.tpl diff --git a/build/components/versions.yml b/build/components/versions.yml index 438feffc2b..dafbd966d7 100644 --- a/build/components/versions.yml +++ b/build/components/versions.yml @@ -3,7 +3,7 @@ firmware: libvirt: v10.9.0 edk2: stable202411 core: - 3p-kubevirt: v1.6.2-v12n.20 + 3p-kubevirt: feat/virt-handler-to-hostnetwork # v1.6.2-v12n.20 3p-containerized-data-importer: v1.60.3-v12n.17 distribution: 2.8.3 package: diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml index f30560fba6..e7ca35c2b4 100644 --- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -9,6 +9,7 @@ image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact final: false fromImage: builder/src +fromCacheVersion: "012" # TODO: DELETE ME secrets: - id: SOURCE_REPO value: {{ $.SOURCE_REPO }} diff --git a/templates/_hostnetwork_ports.tpl b/templates/_hostnetwork_ports.tpl new file mode 100644 index 0000000000..874183edfb --- /dev/null +++ b/templates/_hostnetwork_ports.tpl 
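Review bot: `3p-kubevirt: feat/virt-handler-to-hostnetwork # v1.6.2-v12n.20` pins the core component to a mutable branch name instead of an immutable tag or commit, so the src-artifact build is no longer reproducible and whatever lands on that branch later is picked up silently. Until a tagged release exists, pin the exact commit the branch resolves to today, `3p-kubevirt: <commit-sha-placeholder> # feat/virt-handler-to-hostnetwork, supersedes v1.6.2-v12n.20`, so the built artifact stays attributable and verifiable. The commit title `bump` and the trailing old-version comment read as a temporary dev pin; if so it should not merge in this form.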
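Review bot: `fromCacheVersion: "012" # TODO: DELETE ME` is a hand-bumped cache buster the author has already marked for removal, and it should be dropped before merge rather than travel with the branch. If the intent is to invalidate the source cache because the `3p-kubevirt` ref moved, deriving `fromCacheVersion` from that ref is more durable than a counter, but either way a line that says `DELETE ME` must not land.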
@@ -0,0 +1,47 @@ +{{- /* +Port constants for DaemonSets running with hostNetwork: true. + +All three DaemonSets — virt-handler, vm-route-forge, virtualization-dra — +run with hostNetwork, so every bound port is exposed on the node's network +interfaces. Ports below are chosen outside the KubeVirt live-migration range +(4135-4199) and must not overlap with other well-known services on cluster nodes. + +Port map: + + virt-handler (kube-api-rewriter runs as its sidecar): + 4135-4199 virt-handler: live-migration tunnels (KubeVirt migration range). + 4100 virt-handler: healthz and Prometheus metrics (--port flag), kube-rbac-proxy implemented natively. + 4101 virt-handler: Console server port (--console-server-port flag). + 4102 kube-api-rewriter sidecar: Prometheus metrics (MONITORING_BIND_ADDRESS), bound to pod IP. + liveness and readiness probes (/proxy/healthz, /proxy/readyz). + 4103 kube-api-rewriter sidecar: pprof (PPROF_BIND_ADDRESS), bound to pod IP, debug mode only. + 4104 kube-api-rewriter sidecar: Kubernetes API proxy (CLIENT_PROXY_PORT), + virt-handler connects here instead of the real API server. + + vm-route-forge: + 4105 vm-route-forge: liveness and readiness probes (HEALTH_PROBE_BIND_ADDRESS). + 4106 vm-route-forge: pprof (PPROF_BIND_ADDRESS), debug mode only. + + virtualization-dra: + 4107 virtualization-dra: gRPC liveness and readiness probes. + 4280 virtualization-dra: USB/IP daemon (--usbipd-port flag). 
+*/ -}} + +{{- /* virt-handler */ -}} +{{- define "virt_handler.migration_port_first" -}}4135{{- end -}} +{{- define "virt_handler.migration_port_last" -}}4199{{- end -}} + +{{- define "virt_handler.port" -}}4100{{- end -}} +{{- define "virt_handler.console_server_port" -}}4101{{- end -}} +{{- define "virt_handler.rewriter_healthz_port" -}}4102{{- end -}} +{{- define "virt_handler.rewriter_monitoring_port" -}}4102{{- end -}} +{{- define "virt_handler.rewriter_pprof_port" -}}4103{{- end -}} +{{- define "virt_handler.rewriter_proxy_port" -}}4104{{- end -}} + +{{- /* vm-route-forge */ -}} +{{- define "vm_route_forge.health_port" -}}4105{{- end -}} +{{- define "vm_route_forge.pprof_port" -}}4106{{- end -}} + +{{- /* virtualization-dra */ -}} +{{- define "virtualization_dra.health_port" -}}4107{{- end -}} +{{- define "virtualization_dra.usbipd_port" -}}4280{{- end -}} diff --git a/templates/kube-api-rewriter/_customize_patch_helpers.tpl b/templates/kube-api-rewriter/_customize_patch_helpers.tpl index 72b1d18bbd..ad361d8d3e 100644 --- a/templates/kube-api-rewriter/_customize_patch_helpers.tpl +++ b/templates/kube-api-rewriter/_customize_patch_helpers.tpl @@ -30,7 +30,7 @@ spec: {{- include "kube_api_rewriter.sidecar_container" (tuple $ctx $settings) | nindent 6 }} - name: {{ $mainContainerName }} env: - {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }} + {{- include "kube_api_rewriter.kubeconfig_env" (tuple $ctx $settings) | nindent 8 }} volumeMounts: {{- include "kube_api_rewriter.kubeconfig_volume_mount" . | nindent 8 }} {{- end -}} diff --git a/templates/kube-api-rewriter/_settings.tpl b/templates/kube-api-rewriter/_settings.tpl index 8f54135195..f9703033a3 100644 --- a/templates/kube-api-rewriter/_settings.tpl +++ b/templates/kube-api-rewriter/_settings.tpl 
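Review bot: `virt_handler.rewriter_healthz_port` and `virt_handler.rewriter_monitoring_port` are two defines carrying the same literal `4102`; the header comment explains that the probes share the metrics listener, but nothing keeps the two values in step if one is edited. Define one in terms of the other, `{{- define "virt_handler.rewriter_healthz_port" -}}{{ include "virt_handler.rewriter_monitoring_port" . }}{{- end -}}`, or drop the alias and use the monitoring define for the probes. The port map states a bind address for 4102 and 4103 but not for 4104 (`CLIENT_PROXY_PORT`); since every listener in a hostNetwork pod is exposed on the node's interfaces, the 4104 entry should say whether the API proxy binds to loopback only, as it is the one endpoint that forwards requests to the Kubernetes API. The phrase `kube-rbac-proxy implemented natively` on the 4100 entry is unclear; name what actually protects that listener (for example TLS with client-certificate authentication, if that is what virt-handler does).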
@@ -7,13 +7,11 @@ {{- define "kube_api_rewriter.pprof_port" -}}8129{{- end -}} +{{- define "kube_api_rewriter.client_proxy_port" -}}23915{{- end -}} + {{- define "kube_api_rewriter.env" -}} - name: LOG_LEVEL value: {{ include "moduleLogLevel" . }} -{{- if eq (include "moduleLogLevel" .) "debug" }} -- name: PPROF_BIND_ADDRESS - value: ":{{ include "kube_api_rewriter.pprof_port" . }}" -{{- end }} {{- end -}} {{- define "kube_api_rewriter.resources" -}} diff --git a/templates/kube-api-rewriter/_sidecar_helpers.tpl b/templates/kube-api-rewriter/_sidecar_helpers.tpl index 2ae379c146..5a49a6f41f 100644 --- a/templates/kube-api-rewriter/_sidecar_helpers.tpl +++ b/templates/kube-api-rewriter/_sidecar_helpers.tpl @@ -91,8 +91,15 @@ spec: {{- define "kube_api_rewriter.kubeconfig_env" -}} +{{- $settings := dict -}} +{{- if (kindIs "slice" .) -}} +{{- if ge (len .) 2 -}} +{{- $settings = index . 1 -}} +{{- end -}} +{{- end -}} +{{- $kubeconfigFilename := $settings.kubeconfigFilename | default "kube-api-rewriter.kubeconfig" -}} - name: KUBECONFIG - value: /kubeconfig.local/kube-api-rewriter.kubeconfig + value: /kubeconfig.local/{{ $kubeconfigFilename }} {{- end }} {{- define "kube_api_rewriter.kubeconfig_volume" -}} 
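Review bot: In `kube_api_rewriter.kubeconfig_env`, `$settings = index . 1` assigns whatever the caller placed in slot 1; if that slot holds nil (a caller that built the tuple without a settings dict) the next line's `$settings.kubeconfigFilename` fails with a nil-pointer evaluation error instead of falling back to the default filename. Guard the assignment with `{{- $settings = index . 1 | default dict -}}` so the two-element and nil cases both reach the `default "kube-api-rewriter.kubeconfig"` path. The helper now accepts either a bare context or a `(tuple $ctx $settings)` list, which deserves a one-line comment above the define, since the sibling `kube_api_rewriter.kubeconfig_volume_mount` in `_customize_patch_helpers.tpl` is still called with the bare context.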
@@ -142,6 +149,15 @@ spec: {{- end -}} {{- end -}} {{- $isWebhook := hasKey $settings "WEBHOOK_ADDRESS" -}} + {{- $injectPodIP := $settings.injectPodIP | default false -}} + {{- $healthzPort := $settings.healthzPort | default 8082 -}} + {{- $healthzPath := $settings.healthzPath | default "/proxy/healthz" -}} + {{- $readyzPath := $settings.readyzPath | default "/proxy/readyz" -}} + {{- $clientProxyPort := $settings.clientProxyPort | default (include "kube_api_rewriter.client_proxy_port" $ctx | int) -}} + {{- $monitoringBindAddress := $settings.monitoringBindAddress | default "127.0.0.1:9090" -}} + {{- $pprofBindAddress := $settings.pprofBindAddress | default (printf ":%s" (include "kube_api_rewriter.pprof_port" $ctx)) -}} + {{- $pprofPort := last (splitList ":" $pprofBindAddress) | int -}} + {{- $probeScheme := $settings.probeScheme | default "HTTPS" -}} - name: {{ include "kube_api_rewriter.sidecar_name" $ctx }} image: {{ include "kube_api_rewriter.image" $ctx }} imagePullPolicy: IfNotPresent @@ -154,8 +170,20 @@ spec: - name: WEBHOOK_KEY_FILE value: "{{ $settings.WEBHOOK_KEY_FILE }}" {{- end }} + {{- if $injectPodIP }} + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- end }} + - name: CLIENT_PROXY_PORT + value: "{{ $clientProxyPort }}" - name: MONITORING_BIND_ADDRESS - value: "127.0.0.1:9090" + value: "{{ $monitoringBindAddress }}" + {{- if eq (include "moduleLogLevel" $ctx) "debug" }} + - name: PPROF_BIND_ADDRESS + value: "{{ $pprofBindAddress }}" + {{- end }} {{- include "kube_api_rewriter.env" $ctx | nindent 4 }} resources: requests: 
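Review bot: The new sidecar defaults `healthzPort 8082`, `probeScheme "HTTPS"` and `/proxy/healthz` / `/proxy/readyz` are the values the kube-rbac-proxy sidecar used to serve, yet every caller touched by this patch (virt-controller, virt-api, virt-handler, virt-operator) overrides them with `9090` / `HTTP` / `/healthz`, and the kube-rbac-proxy containers are removed from those pods. Any caller still relying on the defaults would get probes against a port nothing listens on; unless a remaining caller outside this patch (the kubevirt.yaml comment also names virt-exportproxy) still ships kube-rbac-proxy, make the rewriter's own endpoint the default — `$healthzPort := $settings.healthzPort | default 9090`, `$healthzPath := $settings.healthzPath | default "/healthz"`, `$probeScheme := $settings.probeScheme | default "HTTP"` — and keep overrides only where a caller differs. `kube_api_rewriter.sidecar_container` starts before this hunk.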
@@ -173,15 +201,15 @@ spec: type: RuntimeDefault livenessProbe: httpGet: - path: /proxy/healthz - port: 8082 - scheme: HTTPS + path: {{ $healthzPath }} + port: {{ $healthzPort }} + scheme: {{ $probeScheme }} initialDelaySeconds: 10 readinessProbe: httpGet: - path: /proxy/readyz - port: 8082 - scheme: HTTPS + path: {{ $readyzPath }} + port: {{ $healthzPort }} + scheme: {{ $probeScheme }} initialDelaySeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File @@ -191,9 +219,13 @@ spec: {{- end }} ports: {{- if eq (include "moduleLogLevel" $ctx) "debug" }} - {{- include "kube_api_rewriter.pprof_container_port" . | nindent 4 }} + - containerPort: {{ $pprofPort }} + name: pprof + protocol: TCP {{- end }} - {{- if $isWebhook -}} - {{- include "kube_api_rewriter.webhook_container_port" .| nindent 4 }} + {{- if $isWebhook }} + - containerPort: {{ include "kube_api_rewriter.webhook_port" $ctx }} + name: {{ include "kube_api_rewriter.webhook_port_name" $ctx }} + protocol: TCP {{- end -}} {{- end -}} diff --git a/templates/kube-api-rewriter/cm-kubeconfig-local.yaml b/templates/kube-api-rewriter/cm-kubeconfig-local.yaml index 966a348e5b..21d7a6b481 100644 --- a/templates/kube-api-rewriter/cm-kubeconfig-local.yaml +++ b/templates/kube-api-rewriter/cm-kubeconfig-local.yaml @@ -18,3 +18,15 @@ data: cluster: kube-api-rewriter name: kube-api-rewriter current-context: kube-api-rewriter + virt-handler-kube-api-rewriter.kubeconfig: | + apiVersion: v1 + kind: Config + clusters: + - cluster: + server: http://127.0.0.1:{{ include "virt_handler.rewriter_proxy_port" . }} + name: kube-api-rewriter + contexts: + - context: + cluster: kube-api-rewriter + name: kube-api-rewriter + current-context: kube-api-rewriter diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index 47c8ed8b67..1ecb249d82 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml 
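Review bot: The new `virt-handler-kube-api-rewriter.kubeconfig` points at `http://127.0.0.1:{{ include "virt_handler.rewriter_proxy_port" . }}` with no credentials, the same loopback-only trust model as the existing entry — but the virt-handler DaemonSet is switched to `hostNetwork: true` in kubevirt.yaml, so `127.0.0.1` there is the node's loopback, shared with every other hostNetwork pod and host process on that node. Whatever the rewriter proxy does with an incoming request (presumably it attaches the pod's own service-account credentials when forwarding, since the kubeconfig carries none) becomes reachable by anything able to open a local TCP connection on the node, a wider audience than the pod's own network namespace was. If the auth middleware referenced by the second patch's `go.mod` replace is meant to close this gap, say so in a comment on this entry; otherwise a Unix socket mounted only into the two containers, or a per-request credential check on the proxy, would restore the previous boundary.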
@@ -75,22 +75,6 @@ spec: virtualMachineOptions: disableSerialConsoleLog: {} customizeComponents: - flags: - {{- if ne "delve/virt-api" ($delve | dig "debug" "component" "") }} - api: - metrics-listen: 127.0.0.1 - metrics-port: "8080" - {{- end }} - {{- if ne "delve/virt-controller" ($delve | dig "debug" "component" "") }} - controller: - metrics-listen: 127.0.0.1 - metrics-port: "8080" - {{- end }} - {{- if ne "delve/virt-handler" ($delve | dig "debug" "component" "") }} - handler: - metrics-listen: 127.0.0.1 - metrics-port: "8080" - {{- end }} patches: # Add node placement settings for virt-api, virt-controller, virt-operator, virt-handler. - resourceType: Deployment @@ -113,6 +97,10 @@ spec: resourceName: virt-handler patch: '[{"op":"replace","path":"/spec/template/spec/tolerations","value":{{ $tolerationsAnyNode }}}]' type: json + - resourceType: DaemonSet + resourceName: virt-handler + patch: '[{"op":"replace","path":"/spec/template/spec/hostNetwork","value":true}]' + type: json {{- if and $delve (hasKey $delve "debug") }} # Debug {{- if eq $delve.debug.component "delve/virt-api" }} 
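Review bot: The new `hostNetwork` patch uses `"op":"replace"` on `/spec/template/spec/hostNetwork`; RFC 6902 `replace` fails when the target path does not exist, and a `false` bool is normally omitted from a serialized PodSpec, so whether this applies depends on virt-operator's DaemonSet template carrying the key explicitly. `"op":"add"` is valid in both cases (it overwrites an existing member and creates a missing one), so `patch: '[{"op":"add","path":"/spec/template/spec/hostNetwork","value":true}]'` is the safer form. The first hunk also removes the `metrics-listen: 127.0.0.1` / `metrics-port: "8080"` flags for api, controller and handler; if the image defaults bind the metrics listener more widely than loopback, that widening happens here and deserves a comment saying where the metrics endpoint is authenticated now that the kube-rbac-proxy sidecars are dropped later in this file.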
@@ -176,9 +164,16 @@ spec: {{- end }} # Add kube-api-rewriter sidecar containers to virt-controller, virt-api, virt-handler and virt-exportproxy. + {{- $virtControllerRewriterSettings := dict }} + {{- $_ := set $virtControllerRewriterSettings "healthzPath" "/healthz" }} + {{- $_ := set $virtControllerRewriterSettings "readyzPath" "/readyz" }} + {{- $_ := set $virtControllerRewriterSettings "healthzPort" 9090 }} + {{- $_ := set $virtControllerRewriterSettings "probeScheme" "HTTP" }} + {{- $_ := set $virtControllerRewriterSettings "injectPodIP" true }} + {{- $_ := set $virtControllerRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }} - resourceName: virt-controller resourceType: Deployment - patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-controller") }} + patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-controller" $virtControllerRewriterSettings) }} type: strategic {{- $virtApiRewriterSettings := dict }} 
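Review bot: `monitoringBindAddress "$(POD_IP):9090"` moves the rewriter's metrics listener from `127.0.0.1:9090`, which was only reachable through the kube-rbac-proxy sidecar's authenticated `/proxy/metrics` upstream, to the pod IP, while the kube-rbac-proxy container is removed from virt-controller, virt-api and virt-handler in the next hunk and from virt-operator in `virt-operator/deployment.yaml`; unless the rewriter now authenticates scrapes itself (the second patch's `go.mod` points at a `feat/auth-rbac-middleware` branch, which hints this is in flight), `/metrics`, `/healthz` and `/readyz` become reachable from any pod on the cluster network, and on the hostNetwork virt-handler from anything on the node network. State in a comment next to these settings what protects the listener now, or keep the bind on loopback until that middleware is in place. The same six `set` lines are repeated verbatim for virt-api below and for virt-operator; a small define such as `kube_api_rewriter.pod_ip_probe_settings` returning that dict would keep the copies from drifting.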
@@ -187,53 +182,30 @@ spec: {{- $_ := set $virtApiRewriterSettings "WEBHOOK_KEY_FILE" "/etc/virt-api/certificates/tls.key" }} {{- $_ := set $virtApiRewriterSettings "webhookCertsVolumeName" "kubevirt-virt-api-certs" }} {{- $_ := set $virtApiRewriterSettings "webhookCertsMountPath" "/etc/virt-api/certificates" }} + {{- $_ := set $virtApiRewriterSettings "healthzPath" "/healthz" }} + {{- $_ := set $virtApiRewriterSettings "readyzPath" "/readyz" }} + {{- $_ := set $virtApiRewriterSettings "healthzPort" 9090 }} + {{- $_ := set $virtApiRewriterSettings "probeScheme" "HTTP" }} + {{- $_ := set $virtApiRewriterSettings "injectPodIP" true }} + {{- $_ := set $virtApiRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }} - resourceName: virt-api resourceType: Deployment patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-api" $virtApiRewriterSettings) }} type: strategic + {{- $virtHandlerRewriterSettings := dict }} + {{- $_ := set $virtHandlerRewriterSettings "injectPodIP" true }} + {{- $_ := set $virtHandlerRewriterSettings "healthzPath" "/healthz" }} + {{- $_ := set $virtHandlerRewriterSettings "readyzPath" "/readyz" }} + {{- $_ := set $virtHandlerRewriterSettings "healthzPort" (include "virt_handler.rewriter_healthz_port" . | int) }} + {{- $_ := set $virtHandlerRewriterSettings "probeScheme" "HTTP" }} + {{- $_ := set $virtHandlerRewriterSettings "clientProxyPort" (include "virt_handler.rewriter_proxy_port" . 
| int) }} + {{- $_ := set $virtHandlerRewriterSettings "kubeconfigFilename" "virt-handler-kube-api-rewriter.kubeconfig" }} + {{- $_ := set $virtHandlerRewriterSettings "monitoringBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_monitoring_port" .)) }} + {{- $_ := set $virtHandlerRewriterSettings "pprofBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_pprof_port" .)) }} - resourceName: virt-handler resourceType: DaemonSet - patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler") }} - type: strategic - - # Add kube-api-rewriter sidecar containers to virt-controller, virt-api, virt-handler. - {{- $kubeRbacProxySettings := dict }} - {{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }} - {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }} - {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-controller") - (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter") - ) }} - - resourceName: virt-controller - resourceType: Deployment - patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . 
$kubeRbacProxySettings) }} - type: strategic - - {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }} - {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-api") - (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter") - ) }} - - resourceName: virt-api - resourceType: Deployment - patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }} - type: strategic - - {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }} - {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "resource" "daemonsets" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "resource" "daemonsets" "name" "virt-handler") - (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "resource" "daemonsets" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "resource" "daemonsets" "name" "kube-api-rewriter") - ) }} - - resourceName: virt-handler - resourceType: DaemonSet - patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }} + patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler" $virtHandlerRewriterSettings) }} type: strategic # Add rewriter proxy container port to Services used by webhook configurations. 
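Review bot: `kubeconfigFilename "virt-handler-kube-api-rewriter.kubeconfig"` must match the key added to the ConfigMap in `cm-kubeconfig-local.yaml`; both are free-form strings, so a typo on either side only surfaces as virt-handler failing to find its kubeconfig at runtime. Put the filename in one define (e.g. `virt_handler.rewriter_kubeconfig_filename`, next to the port constants in `_hostnetwork_ports.tpl`) and `include` it in both places. The virt-handler call uses `(list . "virt-handler" $virtHandlerRewriterSettings)` while the virt-controller and virt-api entries above use `tuple`; they are equivalent in Helm, but pick one form for the three calls.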
@@ -330,10 +302,10 @@ spec: resourceName: virt-handler patch: {{ include "pod_spec_priority_class_name_patch" $priorityClassName }} type: strategic - # Patch service for https-metrics + # Patch service to target the main virt-handler port - resourceType: Service resourceName: kubevirt-prometheus-metrics - patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "https-metrics"}]' + patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "virt-handler"}]' type: json # Additional environment variables for virt-controller. 
@@ -356,6 +328,32 @@ env: patch: '{"spec":{"template":{"metadata":{"labels":{"security.deckhouse.io/security-policy-exception": "virt-handler-ds"}}}}}' type: strategic + # Expose virt-handler ports: health API (--port) and console server (--console-server-port). + - resourceName: virt-handler + resourceType: DaemonSet + patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","ports":[{"containerPort":{{ include "virt_handler.port" . | int }},"name":"virt-handler","protocol":"TCP"},{"containerPort":{{ include "virt_handler.console_server_port" . | int }},"name":"console","protocol":"TCP"}]}]}}}}' + type: strategic + + # Rewrite virt-api args, replacing the default ports baked into the image. + # This is required because customizeComponents.flags only appends flags and cannot replace existing ones. + - resourceName: virt-api + resourceType: Deployment + patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-api","args":["--port","8443","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--subresources-only","-v","2"]}]}}}}' + type: strategic + + # Rewrite virt-handler args with hostNetwork ports, replacing the default ports baked into the image. + # This is required because customizeComponents.flags only appends flags and cannot replace existing ones. + - resourceName: virt-handler + resourceType: DaemonSet + patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","args":["--port","{{ include "virt_handler.port" . }}","--hostname-override","$(NODE_NAME)","--pod-ip-address","$(MY_POD_IP)","--max-metric-requests","3","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--migration-port-range-enabled","true","--migration-port-range-first","{{ include "virt_handler.migration_port_first" . }}","--migration-port-range-last","{{ include "virt_handler.migration_port_last" . 
}}","--graceful-shutdown-seconds","315","-v","2"]}]}}}}' + type: strategic + + # Override virt-handler liveness and readiness probes to use the new host-network port. + - resourceName: virt-handler + resourceType: DaemonSet + patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","livenessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":45,"successThreshold":1,"timeoutSeconds":10},"readinessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":20,"successThreshold":1,"timeoutSeconds":10}}]}}}}' + type: strategic + # Change host path for directory with capabilities xml files. We have custom qemu with different # machine types thus it conflicts with the original kubevirt. - resourceName: virt-handler diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml index 833ef6ccf3..cb96481b25 100644 --- a/templates/kubevirt/virt-operator/deployment.yaml +++ b/templates/kubevirt/virt-operator/deployment.yaml @@ -33,7 +33,6 @@ spec: resourcePolicy: containerPolicies: {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }} - {{- include "kube_rbac_proxy.vpa_container_policy" . | nindent 4 }} - containerName: virt-operator minAllowed: {{- include "virt_operator_resources" . | nindent 8 }} 
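Review bot: The `args` patches for virt-handler and virt-api replace the whole argument list, so every flag unrelated to the port change (`--max-metric-requests 3`, `--graceful-shutdown-seconds 315`, `--subresources-only`, `-v 2`) is now frozen in this template and will silently drift from what a future KubeVirt image ships as defaults; the comment explains why a full replace is needed, but it should also record where the lists came from, `# args copied from kubevirt <version-placeholder>; re-sync on every 3p-kubevirt bump`, so the next bump knows to diff them. The virt-api patch sets `--console-server-port` to `virt_handler.console_server_port`, which couples virt-api to the handler's constant; a one-line comment saying virt-api needs it to reach the handler's console server (if that is the reason) would stop a reader from taking it for a copy-paste slip. The new liveness and readiness probes use `scheme: HTTPS` on `virt_handler.port` with no `host`, so on hostNetwork the kubelet connects to the node IP; that only works if the `--port` listener binds all interfaces rather than loopback, which the port map does not state and is worth confirming.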
@@ -95,26 +94,18 @@ spec: {{- $_ := set $rewriterSettings "WEBHOOK_KEY_FILE" "/etc/virt-operator/certificates/tls.key" }} {{- $_ := set $rewriterSettings "webhookCertsVolumeName" "kubevirt-operator-certs" }} {{- $_ := set $rewriterSettings "webhookCertsMountPath" "/etc/virt-operator/certificates" }} + {{- $_ := set $rewriterSettings "healthzPath" "/healthz" }} + {{- $_ := set $rewriterSettings "readyzPath" "/readyz" }} + {{- $_ := set $rewriterSettings "healthzPort" 9090 }} + {{- $_ := set $rewriterSettings "probeScheme" "HTTP" }} + {{- $_ := set $rewriterSettings "injectPodIP" true }} + {{- $_ := set $rewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }} {{- include "kube_api_rewriter.sidecar_container" (tuple . $rewriterSettings) | nindent 6 }} - {{- $kubeRbacProxySettings := dict }} - {{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }} - {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }} - {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-operator") - (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter") - ) }} - {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }} - name: virt-operator {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }} args: - --port - "8443" - - --metrics-listen - - 127.0.0.1 - - --metrics-port - - "8080" - -v - "2" command: 
@@ -136,13 +127,13 @@ spec: httpGet: path: /healthz port: 8443 - scheme: HTTP + scheme: HTTPS initialDelaySeconds: 10 livenessProbe: httpGet: path: /healthz port: 8443 - scheme: HTTP + scheme: HTTPS initialDelaySeconds: 10 resources: requests: diff --git a/templates/virtualization-dra/daemonset.yaml b/templates/virtualization-dra/daemonset.yaml index 16b04b81f0..871c2845f8 100644 --- a/templates/virtualization-dra/daemonset.yaml +++ b/templates/virtualization-dra/daemonset.yaml @@ -167,7 +167,8 @@ spec: args: - {{ include "virtualization-dra.featureGates" . }} {{/* https://github.com/deckhouse/deckhouse/pull/18139 */}} - - --usbipd-port=4280 + - --usbipd-port={{ include "virtualization_dra.usbipd_port" . }} + - --healthz-port={{ include "virtualization_dra.health_port" . }} {{- if eq (include "moduleLogLevel" .) "debug" }} - --log-level=debug - --log-debug-verbosity=10 @@ -189,23 +190,23 @@ spec: {{- include "virtualization-dra_resources" . | nindent 14 }} {{- end }} ports: - - containerPort: 4280 + - containerPort: {{ include "virtualization_dra.usbipd_port" . }} name: usbipd protocol: TCP - - containerPort: 51515 + - containerPort: {{ include "virtualization_dra.health_port" . }} name: health protocol: TCP {{- include "delvePorts" (list $delve "delve/virtualization-dra") | nindent 12 }} {{- if ne "delve/virtualization-dra" ($delve | dig "debug" "component" "") }} readinessProbe: grpc: - port: 51515 + port: {{ include "virtualization_dra.health_port" . }} service: liveness failureThreshold: 3 periodSeconds: 10 livenessProbe: grpc: - port: 51515 + port: {{ include "virtualization_dra.health_port" . }} service: liveness failureThreshold: 3 periodSeconds: 10 diff --git a/templates/vm-route-forge/daemonset.yaml b/templates/vm-route-forge/daemonset.yaml index e0816552e8..62b08cbc13 100644 --- a/templates/vm-route-forge/daemonset.yaml +++ b/templates/vm-route-forge/daemonset.yaml 
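Review bot: `--healthz-port={{ include "virtualization_dra.health_port" . }}` is a new flag for the virtualization-dra binary, but the patch does not touch `images/virtualization-dra`, so whether the current image accepts `--healthz-port` (and whether its old default was the `51515` being replaced) cannot be verified from this diff; an unknown flag makes the DaemonSet crash-loop rather than fail at render time. Confirm the flag exists in the built image, and since this DaemonSet runs with hostNetwork according to `_hostnetwork_ports.tpl`, also record in the ports file which interface the gRPC health listener binds to, as the flag only carries a port.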
@@ -122,10 +122,10 @@ spec: {{- end }} {{- if eq (include "moduleLogLevel" .) "debug" }} - name: PPROF_BIND_ADDRESS - value: ":8119" + value: ":{{ include "vm_route_forge.pprof_port" . }}" {{- end }} - name: HEALTH_PROBE_BIND_ADDRESS - value: "127.0.0.1:8118" + value: "127.0.0.1:{{ include "vm_route_forge.health_port" . }}" resources: requests: {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 14 }} @@ -133,10 +133,10 @@ spec: {{- include "vm-route-forge_resources" . | nindent 14 }} {{- end }} ports: - - containerPort: 8119 + - containerPort: {{ include "vm_route_forge.pprof_port" . }} name: pprof protocol: TCP - - containerPort: 8118 + - containerPort: {{ include "vm_route_forge.health_port" . }} name: health protocol: TCP {{- include "delvePorts" (list $delve "delve/vm-route-forge") | nindent 12 }} @@ -145,7 +145,7 @@ spec: httpGet: host: localhost path: /readyz - port: 8118 + port: {{ include "vm_route_forge.health_port" . }} scheme: HTTP initialDelaySeconds: 5 failureThreshold: 2 @@ -154,7 +154,7 @@ spec: httpGet: host: localhost path: /healthz - port: 8118 + port: {{ include "vm_route_forge.health_port" . }} scheme: HTTP periodSeconds: 1 failureThreshold: 3 diff --git a/templates/vm-route-forge/service.yaml b/templates/vm-route-forge/service.yaml index e04086d5a0..df5a67f28b 100644 --- a/templates/vm-route-forge/service.yaml +++ b/templates/vm-route-forge/service.yaml @@ -9,7 +9,7 @@ metadata: spec: ports: - name: pprof - port: 8119 + port: {{ include "vm_route_forge.pprof_port" . }} protocol: TCP targetPort: pprof selector: From 63c832b19e21ce06c60874fa953384b56e4d3e37 Mon Sep 17 00:00:00 2001 From: Yaroslav Borbat Date: Fri, 3 Apr 2026 12:55:07 +0300 Subject: [PATCH 2/2] rbac 
Signed-off-by: Yaroslav Borbat --- images/kube-api-rewriter/go.mod | 11 +++ images/kube-api-rewriter/go.sum | 16 +-- .../kube-api-rewriter/_sidecar_helpers.tpl | 97 +------------------ templates/kubevirt/kubevirt.yaml | 3 + .../kubevirt/virt-operator/deployment.yaml | 1 + 5 files changed, 27 insertions(+), 101 deletions(-) diff --git a/images/kube-api-rewriter/go.mod b/images/kube-api-rewriter/go.mod index c4df163665..590de026cb 100644 --- a/images/kube-api-rewriter/go.mod +++ b/images/kube-api-rewriter/go.mod @@ -11,12 +11,17 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.12.2 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-openapi/jsonpointer v0.21.1 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/swag v0.23.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/google/gnostic-models v0.6.9 // indirect + github.com/google/go-cmp v0.7.0 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/josephburnett/jd v1.9.2 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -25,6 +30,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.23.0 // indirect github.com/prometheus/client_model v0.6.2 // indirect github.com/prometheus/common v0.65.0 // indirect 
@@ -43,13 +49,16 @@ require (
 golang.org/x/text v0.27.0 // indirect
 golang.org/x/time v0.12.0 // indirect
 google.golang.org/protobuf v1.36.6 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/api v0.33.3 // indirect
 k8s.io/apimachinery v0.33.3 // indirect
+ k8s.io/apiserver v0.33.3 // indirect
 k8s.io/client-go v0.33.3 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 sigs.k8s.io/controller-runtime v0.21.0 // indirect
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
@@ -64,3 +73,5 @@ replace (
 golang.org/x/net => golang.org/x/net v0.40.0 // CVE-2025-22870, CVE-2025-22872
 golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0 // CVE-2025-22868
 )
+
+replace github.com/deckhouse/kube-api-rewriter => github.com/yaroslavborbat/kube-api-rewriter v0.0.0-20260402203155-ce012e9b14c8 // feat/auth-rbac-middleware
diff --git a/images/kube-api-rewriter/go.sum b/images/kube-api-rewriter/go.sum
index 5a6965736f..d23e00ca11 100644
--- a/images/kube-api-rewriter/go.sum
+++ b/images/kube-api-rewriter/go.sum
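Review bot: `replace github.com/deckhouse/kube-api-rewriter => github.com/yaroslavborbat/kube-api-rewriter v0.0.0-20260402203155-ce012e9b14c8` redirects the module to a personal fork at an untagged pseudo-version; the build now trusts code outside the organization, and the `// feat/auth-rbac-middleware` comment says it is a feature branch, not a release. That is acceptable for a draft but should be replaced by a tagged `github.com/deckhouse/kube-api-rewriter` release before merge, with this `replace` line and the fork's `go.sum` entries dropped. The patch also moves `k8s.io/kube-openapi` to an older pseudo-version than the one removed from `go.sum` (`20250318` vs `20250710`) and `gnostic-models` from `v0.7.0` to `v0.6.9`; if those downgrades come from the fork's `go.mod` rather than a deliberate choice, note that, since they will flip back once the replace is removed.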
@@ -6,8 +6,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckhouse/kube-api-rewriter v0.1.2 h1:FQiVAbj73Sm5MmTvuA73wFM8mHQkJlq9oDlHLNw2Yy8= -github.com/deckhouse/kube-api-rewriter v0.1.2/go.mod h1:tZFw2byvVh4C0D/RxAAgp2x929yTUv9+sN2zZy59hNE= github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= @@ -30,8 +28,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= -github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 
@@ -104,6 +102,8 @@ github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yaroslavborbat/kube-api-rewriter v0.0.0-20260402203155-ce012e9b14c8 h1:2sMKqgWgX9O80bAfJHmgw81EIBpfw4PxUH1uf6vU/d0= +github.com/yaroslavborbat/kube-api-rewriter v0.0.0-20260402203155-ce012e9b14c8/go.mod h1:6xreNakzKpoQ6btk+tViQ1F3QFRksDR7vHGNysoIymQ= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 
@@ -190,12 +190,14 @@ k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8= k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE= k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA= k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= +k8s.io/apiserver v0.33.3 h1:Wv0hGc+QFdMJB4ZSiHrCgN3zL3QRatu56+rpccKC3J4= +k8s.io/apiserver v0.33.3/go.mod h1:05632ifFEe6TxwjdAIrwINHWE2hLwyADFk5mBsQa15E= k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA= k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= 
@@ -207,8 +209,6 @@ sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
 sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/templates/kube-api-rewriter/_sidecar_helpers.tpl b/templates/kube-api-rewriter/_sidecar_helpers.tpl
index 5a49a6f41f..59013d0c1e 100644
--- a/templates/kube-api-rewriter/_sidecar_helpers.tpl
+++ b/templates/kube-api-rewriter/_sidecar_helpers.tpl
@@ -1,95 +1,7 @@ -{{- /* Helpers to add kube-api-rewriter sidecar container to a pod. - -To connect to kube-api-rewriter main controller should has KUBECONFIG env, -volumeMount with kubeconfig, and Pod should has volume with kubeconfig ConfigMap. - -These settings are provided by helpers: - -- kube_api_rewriter.kubeconfig_env defines KUBECONFIG env with file from the - mounted ConfigMap. -- kube_api_rewriter.kubeconfig_volume_mount defines volumeMount for kubeconfig ConfigMap. -- kube_api_rewriter.kubeconfig_volume defines volume with kubeconfig ConfigMap. - -Kube-api-rewriter sidecar should be the first container in the Pod, to -main controller not fail on start. - -Kube-api-rewriter sidecar works in 2 modes: without webhook or with webhook rewriting. - -Sidecar without webhook is the simplest one: - -spec: - template: - spec: - containers: - {{ include "kube_api_rewriter.sidecar_container" . | nindent 8 }} - - name: main-controller - ... - env: - {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 12 }} - ... - volumeMounts: - {{- include "kube_api_rewriter.kubeconfig_volume_mount" . | nindent 12 }} - ... - volumes: - {{- include "kube_api_rewriter.kubeconfig_volume" | nindent 8 }} - ... - - -Webhook mode requires additional settings: - -- WEBHOOK_ADDRESS - address of the webhook in the main controller -- WEBHOOK_CERT_FILE - path to the webhook certificate file. -- WEBHOOK_KEY_FILE - path to the webhook key file. -- webhookCertsVolumeName - name of the Pod volume with webhook certificates. -- webhookCertsMountPath - path to mount the webhook certificates. - -The assumption here is that main controller has a webhook server and -certificates are already mounted in the Pod, so kube-api-rewriter -can use certificates from that volume to impersonate the webhook server. 
- -Example of adding kube-api-rewriter to the Deployment: - -spec: - template: - spec: - containers: - {{- $rewriterSettings := dict }} - {{- $_ := set $rewriterSettings "WEBHOOK_ADDRESS" "https://127.0.0.1:6443" }} - {{- $_ := set $rewriterSettings "WEBHOOK_CERT_FILE" "/etc/webhook-certificates/tls.crt" }} - {{- $_ := set $rewriterSettings "WEBHOOK_KEY_FILE" "/etc/webhook-certificates/tls.key" }} - {{- $_ := set $rewriterSettings "webhookCertsVolumeName" "webhook-certs" }} - {{- $_ := set $rewriterSettings "webhookCertsMountPath" "/etc/webhook-certificates" }} - {{- include "kube_api_rewriter.sidecar_container" (tuple . $rewriterSettings) | nindent 6 }} - - name: main-controller - ... - env: - {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 12 }} - ... - ports: - - containerPort: 6443 # Goes to the WEBHOOK_ADDRESS - name: webhooks - protocol: TCP - volumeMounts: - {{- include "kube_api_rewriter.kubeconfig_volume_mount" . | nindent 12 }} - - name: webhook-certs - mountPath: /etc/webhook-certificates # Goes to the webhookCertsMountPath - readOnly: true - ... - volumes: - {{- include "kube_api_rewriter.kubeconfig_volume" | nindent 8 }} - - name: webhook-certs # Name of the existing volume goes to the webhookCertsVolumeName. - secret: - optional: true - secretName: webhook-certs - ... - - */ -}} - {{- define "kube_api_rewriter.image" -}} {{- include "helm_lib_module_image" (list . "kubeApiRewriter") | toJson -}} {{- end -}} - {{- define "kube_api_rewriter.kubeconfig_env" -}} {{- $settings := dict -}} {{- if (kindIs "slice" .) -}} @@ -114,7 +26,6 @@ spec: mountPath: /kubeconfig.local {{- end }} - {{- define "kube_api_rewriter.webhook_volume_mount" -}} {{- $volumeName := index . 0 -}} {{- $mountPath := index . 1 -}} 
@@ -129,16 +40,12 @@ spec: protocol: TCP {{- end }} -{{- /* Container port for the pprof server */ -}} {{- define "kube_api_rewriter.pprof_container_port" -}} - containerPort: {{ include "kube_api_rewriter.pprof_port" . }} name: pprof protocol: TCP {{- end }} -{{- /* Sidecar container spec with kube-api-rewriter */ -}} -{{- /* Usage without the webhook proxy: {{ include kube_api_rewriter.sidecar_container . }} */ -}} -{{- /* Usage with the webhook: {{ include kube_api_rewriter.sidecar_container (tuple . $webhookSettings) }} */ -}} {{- define "kube_api_rewriter.sidecar_container" -}} {{- $ctx := . -}} {{- $settings := dict -}} @@ -180,6 +87,10 @@ spec: value: "{{ $clientProxyPort }}" - name: MONITORING_BIND_ADDRESS value: "{{ $monitoringBindAddress }}" + {{- if $settings.monitoringAuth }} + - name: MONITORING_AUTH + value: {{ $settings.monitoringAuth | toJson | quote }} + {{- end }} {{- if eq (include "moduleLogLevel" $ctx) "debug" }} - name: PPROF_BIND_ADDRESS value: "{{ $pprofBindAddress }}" diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index 1ecb249d82..16b68ee343 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml @@ -171,6 +171,7 @@ spec: {{- $_ := set $virtControllerRewriterSettings "probeScheme" "HTTP" }} {{- $_ := set $virtControllerRewriterSettings "injectPodIP" true }} {{- $_ := set $virtControllerRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }} + {{- $_ := set $virtControllerRewriterSettings "monitoringAuth" (dict "group" "apps" "version" "v1" "resource" "deployments" "namespace" (printf "d8-%s" .Chart.Name) "name" "virt-controller" "subresource" "prometheus-metrics") }} - resourceName: virt-controller resourceType: Deployment patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-controller" $virtControllerRewriterSettings) }} 
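Review bot: The new `MONITORING_AUTH` entry is emitted only inside `{{- if $settings.monitoringAuth }}`, so a caller that leaves `monitoringAuth` unset keeps a metrics listener with no authorization and nothing in the rendered manifest records that this was a deliberate choice; the define `kube_api_rewriter.sidecar_container` (which starts and ends outside this hunk) should say so at its top, e.g. `{{- /* monitoringAuth: resource attributes used to authorize metrics scrapes; when unset the sidecar serves metrics without authorization. */ -}}`. The value is rendered as `{{ $settings.monitoringAuth | toJson | quote }}` while every neighbouring env entry uses the `value: "{{ $x }}"` form; `quote` escapes the embedded double quotes of the JSON, so the YAML is valid, but a short comment such as `# JSON document consumed by the sidecar` would spare the next reader that check. Whether the sidecar also authenticates the scraper before evaluating these attributes cannot be told from this hunk.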
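Review bot: The `monitoringAuth` dict is built inline here and repeated almost verbatim for virt-api and virt-handler in the next two hunks and for virt-operator in `templates/kubevirt/virt-operator/deployment.yaml`, differing only in `resource` and `name`, so the namespace and the `prometheus-metrics` subresource are spelled out four times; a helper such as `{{- define "kube_api_rewriter.monitoring_auth" -}}` taking `(tuple . "deployments" "virt-controller")` and returning the dict would keep them in one place. If these attributes drive a SubjectAccessReview on scrape (inferred from the kube-rbac-proxy-like `resource`/`subresource` shape, not visible here), the scraping ServiceAccount needs `get` on `deployments/prometheus-metrics` and `daemonsets/prometheus-metrics` in the `(printf "d8-%s" .Chart.Name)` namespace; no RBAC change appears in this diff, so metrics collection would fail closed until that binding is added or confirmed to exist already.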
@@ -188,6 +189,7 @@ spec:
 {{- $_ := set $virtApiRewriterSettings "probeScheme" "HTTP" }}
 {{- $_ := set $virtApiRewriterSettings "injectPodIP" true }}
 {{- $_ := set $virtApiRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }}
+ {{- $_ := set $virtApiRewriterSettings "monitoringAuth" (dict "group" "apps" "version" "v1" "resource" "deployments" "namespace" (printf "d8-%s" .Chart.Name) "name" "virt-api" "subresource" "prometheus-metrics") }}
 - resourceName: virt-api
 resourceType: Deployment
 patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-api" $virtApiRewriterSettings) }}
@@ -203,6 +205,7 @@ spec:
 {{- $_ := set $virtHandlerRewriterSettings "kubeconfigFilename" "virt-handler-kube-api-rewriter.kubeconfig" }}
 {{- $_ := set $virtHandlerRewriterSettings "monitoringBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_monitoring_port" .)) }}
 {{- $_ := set $virtHandlerRewriterSettings "pprofBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_pprof_port" .)) }}
+ {{- $_ := set $virtHandlerRewriterSettings "monitoringAuth" (dict "group" "apps" "version" "v1" "resource" "daemonsets" "namespace" (printf "d8-%s" .Chart.Name) "name" "virt-handler" "subresource" "prometheus-metrics") }}
 - resourceName: virt-handler
 resourceType: DaemonSet
 patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler" $virtHandlerRewriterSettings) }}
diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml
index cb96481b25..2afa4e3c7d 100644
--- a/templates/kubevirt/virt-operator/deployment.yaml
+++ b/templates/kubevirt/virt-operator/deployment.yaml
@@ -100,6 +100,7 @@ spec:
 {{- $_ := set $rewriterSettings "probeScheme" "HTTP" }}
 {{- $_ := set $rewriterSettings "injectPodIP" true }}
 {{- $_ := set $rewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }}
+ {{- $_ := set $rewriterSettings "monitoringAuth" (dict "group" "apps" "version" "v1" "resource" "deployments" "namespace" (printf "d8-%s" .Chart.Name) "name" "virt-operator" "subresource" "prometheus-metrics") }}
 {{- include "kube_api_rewriter.sidecar_container" (tuple . $rewriterSettings) | nindent 6 }}
 - name: virt-operator
 {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}