From 05152505e5d2d0b7473ef8177b846b6e643aa59a Mon Sep 17 00:00:00 2001 From: Andrej Krejcir Date: Fri, 30 Aug 2024 16:51:11 +0200 Subject: [PATCH] API: Use new token generation SSP API and remove feature gate The token generation API was stabilized in the SSP, and feature gate was removed: https://github.com/kubevirt/ssp-operator/pull/1018 This commit removes the same feature gate from HCO, and adds a new field in the .spec to enable this feature. Signed-off-by: Andrej Krejcir --- api/v1beta1/hyperconverged_types.go | 10 +++++-- api/v1beta1/zz_generated.deepcopy.go | 5 ++++ api/v1beta1/zz_generated.defaults.go | 8 ++--- api/v1beta1/zz_generated.openapi.go | 11 +++++-- assets/upgradePatches.json | 30 +++++++++++++++++++ .../hco.kubevirt.io_hyperconvergeds.yaml | 10 ++++++- .../hyperconverged_controller_test.go | 11 +++---- controllers/operands/ssp.go | 6 ++-- controllers/operands/ssp_test.go | 7 +++-- deploy/crds/hco00.crd.yaml | 10 ++++++- deploy/hco.cr.yaml | 1 + .../1.14.0/manifests/hco00.crd.yaml | 10 ++++++- .../1.13.0/manifests/hco00.crd.yaml | 9 +++++- .../1.14.0/manifests/hco00.crd.yaml | 10 ++++++- docs/api.md | 3 +- docs/cluster-configuration.md | 12 ++------ tests/func-tests/defaults_test.go | 2 -- 17 files changed, 120 insertions(+), 35 deletions(-) diff --git a/api/v1beta1/hyperconverged_types.go b/api/v1beta1/hyperconverged_types.go index 117dce2a1a..917a560e00 100644 --- a/api/v1beta1/hyperconverged_types.go +++ b/api/v1beta1/hyperconverged_types.go 
@@ -188,6 +188,12 @@ type HyperConvergedSpec struct { // Deprecated: This field is ignored. TektonTasksNamespace *string `json:"tektonTasksNamespace,omitempty"` + // EnableTokenGenerationApi enables the API service for generating + // time limited tokens to access VNC of a VM. + // +optional + // +default=true + EnableTokenGenerationApi *bool `json:"enableTokenGenerationApi,omitempty"` + // KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS // +optional KubeSecondaryDNSNameServerIP *string `json:"kubeSecondaryDNSNameServerIP,omitempty"` @@ -429,8 +435,8 @@ type HyperConvergedFeatureGates struct { // deploy VM console proxy resources in SSP operator // +optional - // +kubebuilder:default=false - // +default=false + // +kubebuilder:deprecatedversion:warning="deployTektonTaskResources feature gate ignored" + // Deprecated: This field is ignored. DeployVMConsoleProxy *bool `json:"deployVmConsoleProxy,omitempty"` // Deploy KubeSecondaryDNS by CNAO diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index e6e0ab7050..982d503a52 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -486,6 +486,11 @@ func (in *HyperConvergedSpec) DeepCopyInto(out *HyperConvergedSpec) { *out = new(string) **out = **in } + if in.EnableTokenGenerationApi != nil { + in, out := &in.EnableTokenGenerationApi, &out.EnableTokenGenerationApi + *out = new(bool) + **out = **in + } if in.KubeSecondaryDNSNameServerIP != nil { in, out := &in.KubeSecondaryDNSNameServerIP, &out.KubeSecondaryDNSNameServerIP *out = new(string) diff --git a/api/v1beta1/zz_generated.defaults.go b/api/v1beta1/zz_generated.defaults.go index 8c96ac2826..f7acc000ee 100644 --- a/api/v1beta1/zz_generated.defaults.go +++ b/api/v1beta1/zz_generated.defaults.go 
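Review bot: The deprecation marker added on DeployVMConsoleProxy names the wrong field — `// +kubebuilder:deprecatedversion:warning="deployTektonTaskResources feature gate ignored"` should read `deployVmConsoleProxy feature gate ignored`; if it was copied from the DeployTektonTaskResources marker that one is worth checking too, and since none of the regenerated CRD copies in this commit show any output from it, its effect on a field (rather than a CRD version) is doubtful. The new EnableTokenGenerationApi field carries only `+default=true`, while the gate it replaces carried both `+kubebuilder:default=false` and `+default=false` (see the removed lines); adding `// +kubebuilder:default=true` keeps the two generators in step and would presumably fill the blank default column the field gets in docs/api.md. The field comment is the only user-facing statement of what this switch does, so it should also spell out the consequence of the default, e.g. `// Defaults to true, so the token service is deployed unless explicitly disabled.` Go spelling of the initialism would be EnableTokenGenerationAPI; the JSON tag can stay as is, but the Go name is hard to change once released. HyperConvergedSpec and HyperConvergedFeatureGates both extend beyond the hunks.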
@@ -56,10 +56,6 @@ func SetObjectDefaults_HyperConverged(in *HyperConverged) { var ptrVar1 bool = false in.Spec.FeatureGates.DeployTektonTaskResources = &ptrVar1 } - if in.Spec.FeatureGates.DeployVMConsoleProxy == nil { - var ptrVar1 bool = false - in.Spec.FeatureGates.DeployVMConsoleProxy = &ptrVar1 - } if in.Spec.FeatureGates.DeployKubeSecondaryDNS == nil { var ptrVar1 bool = false in.Spec.FeatureGates.DeployKubeSecondaryDNS = &ptrVar1 @@ -167,6 +163,10 @@ func SetObjectDefaults_HyperConverged(in *HyperConverged) { if in.Spec.UninstallStrategy == "" { in.Spec.UninstallStrategy = "BlockUninstallIfWorkloadsExist" } + if in.Spec.EnableTokenGenerationApi == nil { + var ptrVar1 bool = true + in.Spec.EnableTokenGenerationApi = &ptrVar1 + } if in.Spec.VirtualMachineOptions == nil { if err := json.Unmarshal([]byte(`{"disableFreePageReporting": false, "disableSerialConsoleLog": true}`), &in.Spec.VirtualMachineOptions); err != nil { panic(err) diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go index 034205e6ee..701b6b22f9 100644 --- a/api/v1beta1/zz_generated.openapi.go +++ b/api/v1beta1/zz_generated.openapi.go @@ -265,8 +265,7 @@ func schema_kubevirt_hyperconverged_cluster_operator_api_v1beta1_HyperConvergedF }, "deployVmConsoleProxy": { SchemaProps: spec.SchemaProps{ - Description: "deploy VM console proxy resources in SSP operator", - Default: false, + Description: "deploy VM console proxy resources in SSP operator Deprecated: This field is ignored.", Type: []string{"boolean"}, Format: "", }, 
@@ -584,6 +583,14 @@ func schema_kubevirt_hyperconverged_cluster_operator_api_v1beta1_HyperConvergedS Format: "", }, }, + "enableTokenGenerationApi": { + SchemaProps: spec.SchemaProps{ + Description: "EnableTokenGenerationApi enables the API service for generating time limited tokens to access VNC of a VM.", + Default: true, + Type: []string{"boolean"}, + Format: "", + }, + }, "kubeSecondaryDNSNameServerIP": { SchemaProps: spec.SchemaProps{ Description: "KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS", diff --git a/assets/upgradePatches.json b/assets/upgradePatches.json index 280c23265c..13c447b014 100644 --- a/assets/upgradePatches.json +++ b/assets/upgradePatches.json @@ -40,6 +40,36 @@ "jsonPatchApplyOptions": { "allowMissingPathOnRemove": true } + }, + { + "semverRange": "<1.14.0", + "jsonPatch": [ + { + "op": "test", + "path": "/spec/featureGates/deployVmConsoleProxy", + "value": true + }, + { + "op": "move", + "from": "/spec/featureGates/deployVmConsoleProxy", + "path": "/spec/enableTokenGenerationApi" + } + ] + }, + { + "semverRange": "<1.14.0", + "jsonPatch": [ + { + "op": "test", + "path": "/spec/featureGates/deployVmConsoleProxy", + "value": false + }, + { + "op": "move", + "from": "/spec/featureGates/deployVmConsoleProxy", + "path": "/spec/enableTokenGenerationApi" + } + ] } ], "objectsToBeRemoved": [ diff --git a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml index 1764e9b257..d78592c86c 100644 --- a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml +++ b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml 
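Review bot: The two new upgradePatches entries are identical apart from the `test` value, so the `test` op apparently only exists to skip the `move` when `/spec/featureGates/deployVmConsoleProxy` is absent (presumably a failed test drops that patch without failing the upgrade); that intent is recorded nowhere, and since JSON has no comments it belongs in the commit message or the file's README. A stored HCO that has no `deployVmConsoleProxy` value fails both tests, ends up without `enableTokenGenerationApi`, and then receives the new `default: true` — the token-issuing service is switched on during the upgrade for such clusters, while clusters with a stored `false` stay disabled. If that split is intended it should be stated explicitly, because it is a behaviour change for existing clusters rather than a pure rename.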
@@ -1022,6 +1022,12 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + default: true + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1094,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/controllers/hyperconverged/hyperconverged_controller_test.go b/controllers/hyperconverged/hyperconverged_controller_test.go index 1b37fdb7cf..52e709bf62 100644 --- a/controllers/hyperconverged/hyperconverged_controller_test.go +++ b/controllers/hyperconverged/hyperconverged_controller_test.go @@ -1352,6 +1352,10 @@ var _ = Describe("HyperconvergedController", func() { verComp.Minor-- oldVersion = verComp.String() + // These need to be defined before calling getBasicDeployment() + _ = os.Setenv("VIRTIOWIN_CONTAINER", commontestutils.VirtioWinImage) + _ = os.Setenv("OPERATOR_NAMESPACE", namespace) + // this is used for version label and the tests below // assumes there is no change in labels. Therefore, it should be // set before getBasicDeployment so that the existing resource can 
@@ -1362,9 +1366,6 @@ var _ = Describe("HyperconvergedController", func() { origConditions = expected.hco.Status.Conditions okConds = expected.hco.Status.Conditions - _ = os.Setenv("VIRTIOWIN_CONTAINER", commontestutils.VirtioWinImage) - _ = os.Setenv("OPERATOR_NAMESPACE", namespace) - expected.kv.Status.ObservedKubeVirtVersion = newComponentVersion _ = os.Setenv(hcoutil.KubevirtVersionEnvV, newComponentVersion) @@ -1382,7 +1383,7 @@ var _ = Describe("HyperconvergedController", func() { expected.hco.Status.Conditions = origConditions }) - It("Should update OperatorCondition Upgradeable to False", func() { + FIt("Should update OperatorCondition Upgradeable to False", func() { _ = commontestutils.GetScheme() // ensure the scheme is loaded so this test can be focused // old HCO Version is set @@ -1421,7 +1422,7 @@ var _ = Describe("HyperconvergedController", func() { expected.hco.Status.Conditions = okConds }) - It("detect upgrade existing HCO Version", func() { + FIt("detect upgrade existing HCO Version", func() { // old HCO Version is set UpdateVersion(&expected.hco.Status, hcoVersionName, oldVersion) diff --git a/controllers/operands/ssp.go b/controllers/operands/ssp.go index 824680301b..24ca501f34 100644 --- a/controllers/operands/ssp.go +++ b/controllers/operands/ssp.go @@ -157,8 +157,10 @@ func NewSSP(hc *hcov1beta1.HyperConverged, opts ...string) (*sspv1beta2.SSP, []h FeatureGates: &sspv1beta2.FeatureGates{}, } - if hc.Spec.FeatureGates.DeployVMConsoleProxy != nil { - spec.FeatureGates.DeployVmConsoleProxy = *hc.Spec.FeatureGates.DeployVMConsoleProxy + if hc.Spec.EnableTokenGenerationApi != nil { + spec.TokenGenerationService = &sspv1beta2.TokenGenerationService{ + Enabled: *hc.Spec.EnableTokenGenerationApi, + } } // Disable common-instancetypes deployment by SSP from 4.16, now handled by virt-operator diff --git a/controllers/operands/ssp_test.go b/controllers/operands/ssp_test.go index 6bb1ececbd..8b7ec870a9 100644 --- a/controllers/operands/ssp_test.go 
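Review bot: The two `It` → `FIt` edits in hyperconverged_controller_test.go focus those specs, so a Ginkgo run of this package skips every other spec and a focused suite is typically reported as a failure in CI; together with the comment `// ensure the scheme is loaded so this test can be focused` they read as debugging leftovers and should go back to `It("Should update OperatorCondition Upgradeable to False", func() {` and `It("detect upgrade existing HCO Version", func() {`. The Describe block these hunks sit in starts and ends outside the hunks.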
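Review bot: In NewSSP, when `hc.Spec.EnableTokenGenerationApi` is nil the new branch leaves `spec.TokenGenerationService` nil, which presumably hands the decision to SSP's own default rather than HCO's; since zz_generated.defaults.go sets the field to true, that path is only reached for objects that bypass defaulting, and a comment such as `// nil leaves TokenGenerationService unset; SSP applies its own default` would make the intent explicit. The matching ssp_test.go hunk only exercises `ptr.To(true)`; a case with `ptr.To(false)` asserting `Enabled` is false, and one with the field nil asserting `TokenGenerationService` is nil, would pin the disable path that the upgrade patch relies on. NewSSP's body continues outside the hunk.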
+++ b/controllers/operands/ssp_test.go @@ -189,14 +189,15 @@ var _ = Describe("SSP Operands", func() { Expect(foundResource.Labels).To(HaveKeyWithValue(userLabelKey, userLabelValue)) }) - It("should create ssp with deployVmConsoleProxy feature gate enabled", func() { + It("should create ssp with TokenGenerationService enabled", func() { hco := commontestutils.NewHco() - hco.Spec.FeatureGates.DeployVMConsoleProxy = ptr.To(true) + hco.Spec.EnableTokenGenerationApi = ptr.To(true) expectedResource, _, err := NewSSP(hco) Expect(err).ToNot(HaveOccurred()) - Expect(expectedResource.Spec.FeatureGates.DeployVmConsoleProxy).To(BeTrue()) + Expect(expectedResource.Spec.TokenGenerationService).ToNot(BeNil()) + Expect(expectedResource.Spec.TokenGenerationService.Enabled).To(BeTrue()) }) It("should create with deployCommonInstancetypes feature gate disabled", func() { diff --git a/deploy/crds/hco00.crd.yaml b/deploy/crds/hco00.crd.yaml index 1764e9b257..d78592c86c 100644 --- a/deploy/crds/hco00.crd.yaml +++ b/deploy/crds/hco00.crd.yaml @@ -1022,6 +1022,12 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + default: true + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1094,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/deploy/hco.cr.yaml b/deploy/hco.cr.yaml index 7d65787138..5ba4c3aae4 100644 
--- a/deploy/hco.cr.yaml +++ b/deploy/hco.cr.yaml @@ -11,6 +11,7 @@ spec: server: duration: 24h0m0s renewBefore: 12h0m0s + enableTokenGenerationApi: true featureGates: alignCPUs: false autoResourceLimits: false diff --git a/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml b/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml index 1764e9b257..d78592c86c 100644 --- a/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml +++ b/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml @@ -1022,6 +1022,12 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + default: true + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1094,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml index 1764e9b257..1e217e1314 100644 --- a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml +++ b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml 
@@ -1022,6 +1022,11 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1094,7 +1099,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml index 1764e9b257..d78592c86c 100644 --- a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml +++ b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml @@ -1022,6 +1022,12 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + default: true + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be 
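Review bot: This 1.13.0 bundle copy of hco00.crd.yaml adds `enableTokenGenerationApi` without `default: true`, whereas the other three copies in the commit (config/crd/bases, deploy/crds, both 1.14.0 bundles) include it; the hunk headers confirm the one-line difference (`+1022,11` and `+1099` here versus `+1022,12` and `+1100` elsewhere). If leaving the default out of an already-released 1.13.0 manifest is deliberate, a sentence in the commit message would save the next reader the comparison; otherwise the manifest should be regenerated so all copies agree.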
@@ -1094,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/docs/api.md b/docs/api.md index f8b2558e43..18244649ab 100644 --- a/docs/api.md +++ b/docs/api.md @@ -157,7 +157,7 @@ HyperConvergedFeatureGates is a set of optional feature gates to enable or disab | withHostPassthroughCPU | Allow migrating a virtual machine with CPU host-passthrough mode. This should be enabled only when the Cluster is homogeneous from CPU HW perspective doc here | *bool | false | false | | enableCommonBootImageImport | Opt-in to automatic delivery/updates of the common data import cron templates. There are two sources for the data import cron templates: hard coded list of common templates, and custom templates that can be added to the dataImportCronTemplates field. This feature gates only control the common templates. It is possible to use custom templates by adding them to the dataImportCronTemplates field. | *bool | true | false | | deployTektonTaskResources | deploy resources (kubevirt tekton tasks and example pipelines) in SSP operator Deprecated: This field is ignored. | *bool | false | false | -| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator | *bool | false | false | +| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator Deprecated: This field is ignored. | *bool | false | false | | deployKubeSecondaryDNS | Deploy KubeSecondaryDNS by CNAO | *bool | false | false | | deployKubevirtIpamController | Deploy KubevirtIpamController by CNAO. Allows having persistent IPs for Kubevirt user defined networks. | *bool | false | false | | nonRoot | Enables rootless virt-launcher.\n\nDeprecated: please use the root FG. | *bool | true | false | 
@@ -224,6 +224,7 @@ HyperConvergedSpec defines the desired state of HyperConverged | tlsSecurityProfile | TLSSecurityProfile specifies the settings for TLS connections to be propagated to all kubevirt-hyperconverged components. If unset, the hyperconverged cluster operator will consume the value set on the APIServer CR on OCP/OKD or Intermediate if on vanilla k8s. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available MinTLSVersions is VersionTLS12. | *openshiftconfigv1.TLSSecurityProfile | | false | | tektonPipelinesNamespace | TektonPipelinesNamespace defines namespace in which example pipelines will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string | | false | | tektonTasksNamespace | TektonTasksNamespace defines namespace in which tekton tasks will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string | | false | +| enableTokenGenerationApi | EnableTokenGenerationApi enables the API service for generating time limited tokens to access VNC of a VM. | *bool | | false | | kubeSecondaryDNSNameServerIP | KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS | *string | | false | | evictionStrategy | EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be migrated instead of shut-off in case of a node drain. If the VirtualMachineInstance specific field is set it overrides the cluster level one. Allowed values: - `None` no eviction strategy at cluster level. - `LiveMigrate` migrate the VM on eviction; a not live migratable VM with no specific strategy will block the drain of the node util manually evicted. - `LiveMigrateIfPossible` migrate the VM on eviction if live migration is possible, otherwise directly evict. - `External` block the drain, track eviction and notify an external controller. 
Defaults to LiveMigrate with multiple worker nodes, None on single worker clusters. | *v1.EvictionStrategy | | false | | vmStateStorageClass | VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. The storage class must support RWX in filesystem mode. | *string | | false | diff --git a/docs/cluster-configuration.md b/docs/cluster-configuration.md index 696ead1f75..9dfb4fd5fa 100644 --- a/docs/cluster-configuration.md +++ b/docs/cluster-configuration.md @@ -162,15 +162,6 @@ the [dataImportCronTemplates field](#configure-custom-golden-images), even if th **Default**: `true` -### deployVmConsoleProxy Feature Gate -Set the `deployVmConsoleProxy` feature gate to true to allow SSP operator to deploy its resources. SSP operator will -deploy a proxy that provides an access to the VNC console of a KubeVirt Virtual Machine (VM). - -**Note**: Once `deployVmConsoleProxy` is set to true, SSP operator will not delete deployed resources if `deployVmConsoleProxy` is -reverted back to false. - -**Default**: `false` - ### deployKubeSecondaryDNS Feature Gate Set the `deployKubeSecondaryDNS` feature gate to true to allow deploying KubeSecondaryDNS by CNAO. For additional information, see here: [KubeSecondaryDNS](https://github.com/kubevirt/kubesecondarydns) @@ -768,6 +759,9 @@ spec: ``` In case the namespace is unspecified, the operator namespace will serve as the default value. +## Enable token generation API +Deploys a service that provides API to generate tokens for time limited VNC access of a VM. + ## Enable eventual launcher updates by default us the HyperConverged `spec.workloadUpdateStrategy` object to define how to handle automated workload updates at the cluster level. diff --git a/tests/func-tests/defaults_test.go b/tests/func-tests/defaults_test.go index a3d467be2c..d0a73d5d9d 100644 --- a/tests/func-tests/defaults_test.go +++ b/tests/func-tests/defaults_test.go 
@@ -70,7 +70,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 DeployKubeSecondaryDNS: ptr.To(false),
 DeployKubevirtIpamController: ptr.To(false),
 DeployTektonTaskResources: ptr.To(false),
- DeployVMConsoleProxy: ptr.To(false),
 DisableMDevConfiguration: ptr.To(false),
 EnableCommonBootImageImport: ptr.To(true),
 PersistentReservation: ptr.To(false),
@@ -98,7 +97,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 Entry("when removing /spec/featureGates/deployKubeSecondaryDNS", "/spec/featureGates/deployKubeSecondaryDNS"),
 Entry("when removing /spec/featureGates/deployKubevirtIpamController", "/spec/featureGates/deployKubevirtIpamController"),
 Entry("when removing /spec/featureGates/deployTektonTaskResources", "/spec/featureGates/deployTektonTaskResources"),
- Entry("when removing /spec/featureGates/deployVmConsoleProxy", "/spec/featureGates/deployVmConsoleProxy"),
 Entry("when removing /spec/featureGates/disableMDevConfiguration", "/spec/featureGates/disableMDevConfiguration"),
 Entry("when removing /spec/featureGates/enableCommonBootImageImport", "/spec/featureGates/enableCommonBootImageImport"),
 Entry("when removing /spec/featureGates/persistentReservation", "/spec/featureGates/persistentReservation"),
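Review bot: defaults_test.go only loses the two deployVmConsoleProxy expectations (the diffstat shows `2 --` with no insertions), so nothing in the functional tests now asserts the default of the field that replaces the gate; the expected spec — presumably built in the same Describe, outside these hunks — should gain `EnableTokenGenerationApi: ptr.To(true)` and the removal table an `Entry("when removing /spec/enableTokenGenerationApi", "/spec/enableTokenGenerationApi")`. Without that, a regression in the `+default=true` marker, which decides whether a token-issuing service is deployed cluster-wide, would pass unnoticed. The Describe block containing these hunks starts and ends outside them.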