2 changes: 1 addition & 1 deletion build/components/versions.yml
Expand Up @@ -3,7 +3,7 @@ firmware:
libvirt: v10.9.0
edk2: stable202411
core:
3p-kubevirt: v1.6.2-v12n.20
3p-kubevirt: feat/virt-handler-to-hostnetwork # v1.6.2-v12n.20
3p-containerized-data-importer: v1.60.3-v12n.17
distribution: 2.8.3
package:
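Review bot: `3p-kubevirt` now points at the branch name `feat/virt-handler-to-hostnetwork` instead of an immutable tag, so the fork this chart is built against can change underneath any later rebuild, and the previous `v1.6.2-v12n.20` survives only as a trailing comment. If this is meant to merge, the value should be pinned back to a tag or commit SHA once that branch lands, e.g. `3p-kubevirt: <merged-tag-placeholder>`. The two `3p-kubevirt:` lines are shown without `+`/`-` markers, so which one is new is inferred from the comment on the second.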
1 change: 1 addition & 0 deletions images/virt-artifact/werf.inc.yaml
Expand Up @@ -9,6 +9,7 @@
image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
final: false
fromImage: builder/src
fromCacheVersion: "012" # TODO: DELETE ME
secrets:
- id: SOURCE_REPO
value: {{ $.SOURCE_REPO }}
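Review bot: The added `fromCacheVersion: "012" # TODO: DELETE ME` is a cache-busting knob left in the build definition of the `src-artifact` image, and the TODO itself says it should not be merged. Drop the line before merge, or if a cache bump is actually intended, replace the TODO with the reason, e.g. `fromCacheVersion: "012" # bump to invalidate src-artifact cache after <reason-placeholder>`. Quoting the value as a string is correct here, since an unquoted `012` would be read as an octal integer by YAML 1.1 loaders.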
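--- /dev/null
+++ b/templates/_hostnetwork_ports.tpl
@@ -0,0 +1,47 @@
+{{- /*
+Port constants for DaemonSets running with hostNetwork: true.
+
+All three DaemonSets — virt-handler, vm-route-forge, virtualization-dra —
+run with hostNetwork, so every bound port is exposed on the node's network
+interfaces. Ports below are chosen outside the KubeVirt live-migration range
+(4135-4199) and must not overlap with other well-known services on cluster nodes.
+
+Port map:
+
+virt-handler (kube-api-rewriter runs as its sidecar):
+4135-4199 virt-handler: live-migration tunnels (KubeVirt migration range).
+4100 virt-handler: healthz and Prometheus metrics (--port flag), kube-rbac-proxy implemented natively.
+4101 virt-handler: Console server port (--console-server-port flag).
+4102 kube-api-rewriter sidecar: Prometheus metrics (MONITORING_BIND_ADDRESS), bound to pod IP.
+liveness and readiness probes (/proxy/healthz, /proxy/readyz).
+4103 kube-api-rewriter sidecar: pprof (PPROF_BIND_ADDRESS), bound to pod IP, debug mode only.
+4104 kube-api-rewriter sidecar: Kubernetes API proxy (CLIENT_PROXY_PORT),
+virt-handler connects here instead of the real API server.
+
+vm-route-forge:
+4105 vm-route-forge: liveness and readiness probes (HEALTH_PROBE_BIND_ADDRESS).
+4106 vm-route-forge: pprof (PPROF_BIND_ADDRESS), debug mode only.
+
+virtualization-dra:
+4107 virtualization-dra: gRPC liveness and readiness probes.
+4280 virtualization-dra: USB/IP daemon (--usbipd-port flag).
+*/ -}}
+
+{{- /* virt-handler */ -}}
+{{- define "virt_handler.migration_port_first" -}}4135{{- end -}}
+{{- define "virt_handler.migration_port_last" -}}4199{{- end -}}
+
+{{- define "virt_handler.port" -}}4100{{- end -}}
+{{- define "virt_handler.console_server_port" -}}4101{{- end -}}
+{{- define "virt_handler.rewriter_healthz_port" -}}4102{{- end -}}
+{{- define "virt_handler.rewriter_monitoring_port" -}}4102{{- end -}}
+{{- define "virt_handler.rewriter_pprof_port" -}}4103{{- end -}}
+{{- define "virt_handler.rewriter_proxy_port" -}}4104{{- end -}}
+
+{{- /* vm-route-forge */ -}}
+{{- define "vm_route_forge.health_port" -}}4105{{- end -}}
+{{- define "vm_route_forge.pprof_port" -}}4106{{- end -}}
+
+{{- /* virtualization-dra */ -}}
+{{- define "virtualization_dra.health_port" -}}4107{{- end -}}
+{{- define "virtualization_dra.usbipd_port" -}}4280{{- end -}}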
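Review bot: The header comment describes ports 4102 and 4103 as "bound to pod IP", but on a `hostNetwork: true` DaemonSet the pod IP is the node IP and loopback is the node's loopback, so every listener in this map is reachable from the node's network namespace, including other hostNetwork pods, and NetworkPolicy is generally not enforced for hostNetwork pods. I would extend the opening paragraph with a sentence such as `Because of hostNetwork, "bound to pod IP" means bound to the node IP: these listeners are reachable by any process or hostNetwork pod on the node and are not covered by NetworkPolicy, so each one must either authenticate callers or be debug-only.` The map also says 4104 is the API proxy virt-handler connects to; whether that proxy binds loopback only or all interfaces is not visible in this file, and it is the port whose exposure matters most, so the comment should record the bind address once confirmed.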
2 changes: 1 addition & 1 deletion templates/kube-api-rewriter/_customize_patch_helpers.tpl
Expand Up @@ -30,7 +30,7 @@ spec:
{{- include "kube_api_rewriter.sidecar_container" (tuple $ctx $settings) | nindent 6 }}
- name: {{ $mainContainerName }}
env:
{{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }}
{{- include "kube_api_rewriter.kubeconfig_env" (tuple $ctx $settings) | nindent 8 }}
volumeMounts:
{{- include "kube_api_rewriter.kubeconfig_volume_mount" . | nindent 8 }}
{{- end -}}
6 changes: 2 additions & 4 deletions templates/kube-api-rewriter/_settings.tpl
Expand Up @@ -7,13 +7,11 @@

{{- define "kube_api_rewriter.pprof_port" -}}8129{{- end -}}

{{- define "kube_api_rewriter.client_proxy_port" -}}23915{{- end -}}

{{- define "kube_api_rewriter.env" -}}
- name: LOG_LEVEL
value: {{ include "moduleLogLevel" . }}
{{- if eq (include "moduleLogLevel" .) "debug" }}
- name: PPROF_BIND_ADDRESS
value: ":{{ include "kube_api_rewriter.pprof_port" . }}"
{{- end }}
{{- end -}}

{{- define "kube_api_rewriter.resources" -}}
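Review bot: Removing the `PPROF_BIND_ADDRESS` block from `kube_api_rewriter.env` changes the contract of that helper for any template that includes it directly rather than through `kube_api_rewriter.sidecar_container`; the sidecar helper now emits the variable itself, but any other consumer (none visible in this diff) would lose pprof in debug mode without a trace. Worth a one-line comment on the define, e.g. `{{- /* Common env only; PPROF_BIND_ADDRESS is emitted by kube_api_rewriter.sidecar_container so per-sidecar overrides apply. */ -}}`, plus a grep for other `kube_api_rewriter.env` call sites before merge.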
54 changes: 43 additions & 11 deletions templates/kube-api-rewriter/_sidecar_helpers.tpl
Expand Up @@ -91,8 +91,15 @@ spec:


{{- define "kube_api_rewriter.kubeconfig_env" -}}
{{- $settings := dict -}}
{{- if (kindIs "slice" .) -}}
{{- if ge (len .) 2 -}}
{{- $settings = index . 1 -}}
{{- end -}}
{{- end -}}
{{- $kubeconfigFilename := $settings.kubeconfigFilename | default "kube-api-rewriter.kubeconfig" -}}
- name: KUBECONFIG
value: /kubeconfig.local/kube-api-rewriter.kubeconfig
value: /kubeconfig.local/{{ $kubeconfigFilename }}
{{- end }}

{{- define "kube_api_rewriter.kubeconfig_volume" -}}
Expand Down Expand Up @@ -142,6 +149,15 @@ spec:
{{- end -}}
{{- end -}}
{{- $isWebhook := hasKey $settings "WEBHOOK_ADDRESS" -}}
{{- $injectPodIP := $settings.injectPodIP | default false -}}
{{- $healthzPort := $settings.healthzPort | default 8082 -}}
{{- $healthzPath := $settings.healthzPath | default "/proxy/healthz" -}}
{{- $readyzPath := $settings.readyzPath | default "/proxy/readyz" -}}
{{- $clientProxyPort := $settings.clientProxyPort | default (include "kube_api_rewriter.client_proxy_port" $ctx | int) -}}
{{- $monitoringBindAddress := $settings.monitoringBindAddress | default "127.0.0.1:9090" -}}
{{- $pprofBindAddress := $settings.pprofBindAddress | default (printf ":%s" (include "kube_api_rewriter.pprof_port" $ctx)) -}}
{{- $pprofPort := last (splitList ":" $pprofBindAddress) | int -}}
{{- $probeScheme := $settings.probeScheme | default "HTTPS" -}}
- name: {{ include "kube_api_rewriter.sidecar_name" $ctx }}
image: {{ include "kube_api_rewriter.image" $ctx }}
imagePullPolicy: IfNotPresent
Expand All @@ -154,8 +170,20 @@ spec:
- name: WEBHOOK_KEY_FILE
value: "{{ $settings.WEBHOOK_KEY_FILE }}"
{{- end }}
{{- if $injectPodIP }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- end }}
- name: CLIENT_PROXY_PORT
value: "{{ $clientProxyPort }}"
- name: MONITORING_BIND_ADDRESS
value: "127.0.0.1:9090"
value: "{{ $monitoringBindAddress }}"
{{- if eq (include "moduleLogLevel" $ctx) "debug" }}
- name: PPROF_BIND_ADDRESS
value: "{{ $pprofBindAddress }}"
{{- end }}
{{- include "kube_api_rewriter.env" $ctx | nindent 4 }}
resources:
requests:
Expand All @@ -173,15 +201,15 @@ spec:
type: RuntimeDefault
livenessProbe:
httpGet:
path: /proxy/healthz
port: 8082
scheme: HTTPS
path: {{ $healthzPath }}
port: {{ $healthzPort }}
scheme: {{ $probeScheme }}
initialDelaySeconds: 10
readinessProbe:
httpGet:
path: /proxy/readyz
port: 8082
scheme: HTTPS
path: {{ $readyzPath }}
port: {{ $healthzPort }}
scheme: {{ $probeScheme }}
initialDelaySeconds: 10
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
Expand All @@ -191,9 +219,13 @@ spec:
{{- end }}
ports:
{{- if eq (include "moduleLogLevel" $ctx) "debug" }}
{{- include "kube_api_rewriter.pprof_container_port" . | nindent 4 }}
- containerPort: {{ $pprofPort }}
name: pprof
protocol: TCP
{{- end }}
{{- if $isWebhook -}}
{{- include "kube_api_rewriter.webhook_container_port" .| nindent 4 }}
{{- if $isWebhook }}
- containerPort: {{ include "kube_api_rewriter.webhook_port" $ctx }}
name: {{ include "kube_api_rewriter.webhook_port_name" $ctx }}
protocol: TCP
{{- end -}}
{{- end -}}
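Review bot: `CLIENT_PROXY_PORT` is now templated from settings, but the helper says nothing about where the rewriter's proxy listens, and that is the security-relevant detail: the new kubeconfig in `cm-kubeconfig-local.yaml` points virt-handler at `http://127.0.0.1:<rewriter_proxy_port>` with no client credentials, and the DaemonSet patch in `kubevirt.yaml` sets `hostNetwork: true`, so that loopback is the node's loopback and any process or hostNetwork pod on the node that reaches the port can talk to the API server with whatever identity the rewriter attaches. If the proxy binds loopback only that narrows callers to the node; if it binds `0.0.0.0` it is node-network-wide — neither is visible here, so please confirm and record it next to the `CLIENT_PROXY_PORT` env entry, e.g. `# Local API proxy with no caller auth; on hostNetwork pods loopback is node-wide, so it must stay loopback-bound (TODO confirm rewriter bind address)`. Separately, `$pprofPort := last (splitList ":" $pprofBindAddress) | int` yields 0 for an address without a port and would render `containerPort: 0`; wrapping it in `required` would fail at template time instead.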
12 changes: 12 additions & 0 deletions templates/kube-api-rewriter/cm-kubeconfig-local.yaml
Expand Up @@ -18,3 +18,15 @@ data:
cluster: kube-api-rewriter
name: kube-api-rewriter
current-context: kube-api-rewriter
virt-handler-kube-api-rewriter.kubeconfig: |
apiVersion: v1
kind: Config
clusters:
- cluster:
server: http://127.0.0.1:{{ include "virt_handler.rewriter_proxy_port" . }}
name: kube-api-rewriter
contexts:
- context:
cluster: kube-api-rewriter
name: kube-api-rewriter
current-context: kube-api-rewriter
116 changes: 57 additions & 59 deletions templates/kubevirt/kubevirt.yaml
Expand Up @@ -75,22 +75,6 @@ spec:
virtualMachineOptions:
disableSerialConsoleLog: {}
customizeComponents:
flags:
{{- if ne "delve/virt-api" ($delve | dig "debug" "component" "<missing>") }}
api:
metrics-listen: 127.0.0.1
metrics-port: "8080"
{{- end }}
{{- if ne "delve/virt-controller" ($delve | dig "debug" "component" "<missing>") }}
controller:
metrics-listen: 127.0.0.1
metrics-port: "8080"
{{- end }}
{{- if ne "delve/virt-handler" ($delve | dig "debug" "component" "<missing>") }}
handler:
metrics-listen: 127.0.0.1
metrics-port: "8080"
{{- end }}
patches:
# Add node placement settings for virt-api, virt-controller, virt-operator, virt-handler.
- resourceType: Deployment
Expand All @@ -113,6 +97,10 @@ spec:
resourceName: virt-handler
patch: '[{"op":"replace","path":"/spec/template/spec/tolerations","value":{{ $tolerationsAnyNode }}}]'
type: json
- resourceType: DaemonSet
resourceName: virt-handler
patch: '[{"op":"replace","path":"/spec/template/spec/hostNetwork","value":true}]'
type: json
{{- if and $delve (hasKey $delve "debug") }}
# Debug
{{- if eq $delve.debug.component "delve/virt-api" }}
Expand Down Expand Up @@ -176,9 +164,16 @@ spec:
{{- end }}

# Add kube-api-rewriter sidecar containers to virt-controller, virt-api, virt-handler and virt-exportproxy.
{{- $virtControllerRewriterSettings := dict }}
{{- $_ := set $virtControllerRewriterSettings "healthzPath" "/healthz" }}
{{- $_ := set $virtControllerRewriterSettings "readyzPath" "/readyz" }}
{{- $_ := set $virtControllerRewriterSettings "healthzPort" 9090 }}
{{- $_ := set $virtControllerRewriterSettings "probeScheme" "HTTP" }}
{{- $_ := set $virtControllerRewriterSettings "injectPodIP" true }}
{{- $_ := set $virtControllerRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }}
- resourceName: virt-controller
resourceType: Deployment
patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-controller") }}
patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-controller" $virtControllerRewriterSettings) }}
type: strategic

{{- $virtApiRewriterSettings := dict }}
Expand All @@ -187,53 +182,30 @@ spec:
{{- $_ := set $virtApiRewriterSettings "WEBHOOK_KEY_FILE" "/etc/virt-api/certificates/tls.key" }}
{{- $_ := set $virtApiRewriterSettings "webhookCertsVolumeName" "kubevirt-virt-api-certs" }}
{{- $_ := set $virtApiRewriterSettings "webhookCertsMountPath" "/etc/virt-api/certificates" }}
{{- $_ := set $virtApiRewriterSettings "healthzPath" "/healthz" }}
{{- $_ := set $virtApiRewriterSettings "readyzPath" "/readyz" }}
{{- $_ := set $virtApiRewriterSettings "healthzPort" 9090 }}
{{- $_ := set $virtApiRewriterSettings "probeScheme" "HTTP" }}
{{- $_ := set $virtApiRewriterSettings "injectPodIP" true }}
{{- $_ := set $virtApiRewriterSettings "monitoringBindAddress" "$(POD_IP):9090" }}
- resourceName: virt-api
resourceType: Deployment
patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "virt-api" $virtApiRewriterSettings) }}
type: strategic

{{- $virtHandlerRewriterSettings := dict }}
{{- $_ := set $virtHandlerRewriterSettings "injectPodIP" true }}
{{- $_ := set $virtHandlerRewriterSettings "healthzPath" "/healthz" }}
{{- $_ := set $virtHandlerRewriterSettings "readyzPath" "/readyz" }}
{{- $_ := set $virtHandlerRewriterSettings "healthzPort" (include "virt_handler.rewriter_healthz_port" . | int) }}
{{- $_ := set $virtHandlerRewriterSettings "probeScheme" "HTTP" }}
{{- $_ := set $virtHandlerRewriterSettings "clientProxyPort" (include "virt_handler.rewriter_proxy_port" . | int) }}
{{- $_ := set $virtHandlerRewriterSettings "kubeconfigFilename" "virt-handler-kube-api-rewriter.kubeconfig" }}
{{- $_ := set $virtHandlerRewriterSettings "monitoringBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_monitoring_port" .)) }}
{{- $_ := set $virtHandlerRewriterSettings "pprofBindAddress" (printf "$(POD_IP):%s" (include "virt_handler.rewriter_pprof_port" .)) }}
- resourceName: virt-handler
resourceType: DaemonSet
patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler") }}
type: strategic

# Add kube-api-rewriter sidecar containers to virt-controller, virt-api, virt-handler.
{{- $kubeRbacProxySettings := dict }}
{{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }}
{{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }}
{{- $_ := set $kubeRbacProxySettings "upstreams" (list
(dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-controller")
(dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter")
) }}
- resourceName: virt-controller
resourceType: Deployment
patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
type: strategic

{{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }}
{{- $_ := set $kubeRbacProxySettings "upstreams" (list
(dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-api")
(dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter")
) }}
- resourceName: virt-api
resourceType: Deployment
patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
type: strategic

{{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }}
{{- $_ := set $kubeRbacProxySettings "upstreams" (list
(dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "resource" "daemonsets" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "resource" "daemonsets" "name" "virt-handler")
(dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "resource" "daemonsets" "name" "kube-api-rewriter")
(dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "resource" "daemonsets" "name" "kube-api-rewriter")
) }}
- resourceName: virt-handler
resourceType: DaemonSet
patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler" $virtHandlerRewriterSettings) }}
type: strategic

# Add rewriter proxy container port to Services used by webhook configurations.
Expand Down Expand Up @@ -330,10 +302,10 @@ spec:
resourceName: virt-handler
patch: {{ include "pod_spec_priority_class_name_patch" $priorityClassName }}
type: strategic
# Patch service for https-metrics
# Patch service to target the main virt-handler port
- resourceType: Service
resourceName: kubevirt-prometheus-metrics
patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "https-metrics"}]'
patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "virt-handler"}]'
type: json

# Additional environment variables for virt-controller.
Expand All @@ -356,6 +328,32 @@ env:
patch: '{"spec":{"template":{"metadata":{"labels":{"security.deckhouse.io/security-policy-exception": "virt-handler-ds"}}}}}'
type: strategic

# Expose virt-handler ports: health API (--port) and console server (--console-server-port).
- resourceName: virt-handler
resourceType: DaemonSet
patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","ports":[{"containerPort":{{ include "virt_handler.port" . | int }},"name":"virt-handler","protocol":"TCP"},{"containerPort":{{ include "virt_handler.console_server_port" . | int }},"name":"console","protocol":"TCP"}]}]}}}}'
type: strategic

# Rewrite virt-api args, replacing the default ports baked into the image.
# This is required because customizeComponents.flags only appends flags and cannot replace existing ones.
- resourceName: virt-api
resourceType: Deployment
patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-api","args":["--port","8443","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--subresources-only","-v","2"]}]}}}}'
type: strategic

# Rewrite virt-handler args with hostNetwork ports, replacing the default ports baked into the image.
# This is required because customizeComponents.flags only appends flags and cannot replace existing ones.
- resourceName: virt-handler
resourceType: DaemonSet
patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","args":["--port","{{ include "virt_handler.port" . }}","--hostname-override","$(NODE_NAME)","--pod-ip-address","$(MY_POD_IP)","--max-metric-requests","3","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--migration-port-range-enabled","true","--migration-port-range-first","{{ include "virt_handler.migration_port_first" . }}","--migration-port-range-last","{{ include "virt_handler.migration_port_last" . }}","--graceful-shutdown-seconds","315","-v","2"]}]}}}}'
type: strategic

# Override virt-handler liveness and readiness probes to use the new host-network port.
- resourceName: virt-handler
resourceType: DaemonSet
patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","livenessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":45,"successThreshold":1,"timeoutSeconds":10},"readinessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":20,"successThreshold":1,"timeoutSeconds":10}}]}}}}'
type: strategic

# Change host path for directory with capabilities xml files. We have custom qemu with different
# machine types thus it conflicts with the original kubevirt.
- resourceName: virt-handler
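Review bot: With the kube-rbac-proxy sidecar patches for virt-controller, virt-api and virt-handler removed and `metrics-listen: 127.0.0.1` no longer forced, the rewriter's metrics move from `127.0.0.1:9090` behind kube-rbac-proxy to `$(POD_IP):9090` (virt-controller, virt-api) and `$(POD_IP):<rewriter_monitoring_port>` on the node network (virt-handler), and the probes switch to plain HTTP `/healthz`/`/readyz`; unless kube-api-rewriter authenticates scrapes itself — not visible in this diff, and the port map only claims native kube-rbac-proxy behaviour for virt-handler's own `--port` — `/metrics` (and pprof in debug mode) becomes reachable unauthenticated from the pod network and, for virt-handler, from every node. Please state in the comment above the `$virtControllerRewriterSettings` block what now protects those endpoints, or keep kube-rbac-proxy in front of the non-hostNetwork components. In the `hostNetwork` JSON patch only `hostNetwork` is set; if any container in the virt-handler pod resolves cluster service names, `dnsPolicy` must change too, e.g. `patch: '[{"op":"replace","path":"/spec/template/spec/hostNetwork","value":true},{"op":"add","path":"/spec/template/spec/dnsPolicy","value":"ClusterFirstWithHostNet"}]'`. The full-args patches for virt-api and virt-handler replace the image's baked-in argument lists, so a future `3p-kubevirt` bump that changes default args is silently overridden here; a comment naming the fork version these lists mirror would make that visible.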