From 25eac4980b7ddacd8ac38b6225fa224143dde121 Mon Sep 17 00:00:00 2001
From: Andrej Krejcir
Date: Fri, 30 Aug 2024 16:51:11 +0200
Subject: [PATCH] API: Use new token generation SSP API and remove feature gate

The token generation API was stabilized in the SSP, and feature gate was removed:
https://github.com/kubevirt/ssp-operator/pull/1018

This commit removes the same feature gate from HCO, and adds a new field in the .spec to enable this feature.

Signed-off-by: Andrej Krejcir
---
 api/v1beta1/hyperconverged_types.go                |  7 +++++++
 api/v1beta1/zz_generated.deepcopy.go               |  5 +++++
 api/v1beta1/zz_generated.defaults.go               |  4 ++++
 api/v1beta1/zz_generated.openapi.go                | 10 +++++++++-
 .../crd/bases/hco.kubevirt.io_hyperconvergeds.yaml |  9 ++++++++-
 controllers/operands/ssp.go                        |  6 ++++--
 controllers/operands/ssp_test.go                   |  7 ++++---
 deploy/crds/hco00.crd.yaml                         |  9 ++++++++-
 deploy/hco.cr.yaml                                 |  1 +
 .../1.13.0/manifests/hco00.crd.yaml                |  9 ++++++++-
 .../1.13.0/manifests/hco00.crd.yaml                |  9 ++++++++-
 docs/api.md                                        |  3 ++-
 docs/cluster-configuration.md                      | 12 +++--------
 tests/func-tests/defaults_test.go                  |  2 --
 14 files changed, 71 insertions(+), 22 deletions(-)

diff --git a/api/v1beta1/hyperconverged_types.go b/api/v1beta1/hyperconverged_types.go
index 117dce2a1a..9fc2b079a3 100644
--- a/api/v1beta1/hyperconverged_types.go
+++ b/api/v1beta1/hyperconverged_types.go
@@ -188,6 +188,12 @@ type HyperConvergedSpec struct {
 	// Deprecated: This field is ignored.
 	TektonTasksNamespace *string `json:"tektonTasksNamespace,omitempty"`
 
+	// EnableTokenGenerationApi enables the API service for generating
+	// time limited tokens to access VNC of a VM.
+	// +optional
+	// +default=true
+	EnableTokenGenerationApi *bool `json:"enableTokenGenerationApi,omitempty"`
+
 	// KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS
 	// +optional
 	KubeSecondaryDNSNameServerIP *string `json:"kubeSecondaryDNSNameServerIP,omitempty"`
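Review bot: The new field carries `// +default=true` but no `// +kubebuilder:default=true`, so unlike the sibling `DeployVMConsoleProxy` (which has both markers) the generated CRD entry for `enableTokenGenerationApi` has no `default:`, and a HyperConverged CR that omits the field is stored with it unset; the `true` default then lives only in the openapi schema and in `SetObjectDefaults_HyperConverged`, and nothing in this commit shows that defaulter running before `NewSSP` reads the field. Because this flag switches on a service that mints VNC access tokens, the default should be deliberate and enforced in one place: either add `// +kubebuilder:default=true` beside `// +default=true`, or make the service opt-in with `// +default=false` and say so in the doc comment. Either way the doc comment should state what an unset value means, e.g. `// When unset, the token generation service is enabled.` (adjusted to the chosen default). As a style point, Go initialism convention would name the field `EnableTokenGenerationAPI` while keeping the `enableTokenGenerationApi` JSON tag. The HyperConvergedSpec struct continues outside this hunk.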
@@ -431,6 +437,7 @@ type HyperConvergedFeatureGates struct {
 	// +optional
 	// +kubebuilder:default=false
 	// +default=false
+	// Deprecated: This field is ignored.
 	DeployVMConsoleProxy *bool `json:"deployVmConsoleProxy,omitempty"`
 
 	// Deploy KubeSecondaryDNS by CNAO
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index e6e0ab7050..982d503a52 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -486,6 +486,11 @@ func (in *HyperConvergedSpec) DeepCopyInto(out *HyperConvergedSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EnableTokenGenerationApi != nil {
+		in, out := &in.EnableTokenGenerationApi, &out.EnableTokenGenerationApi
+		*out = new(bool)
+		**out = **in
+	}
 	if in.KubeSecondaryDNSNameServerIP != nil {
 		in, out := &in.KubeSecondaryDNSNameServerIP, &out.KubeSecondaryDNSNameServerIP
 		*out = new(string)
diff --git a/api/v1beta1/zz_generated.defaults.go b/api/v1beta1/zz_generated.defaults.go
index 8c96ac2826..1dc4661ebd 100644
--- a/api/v1beta1/zz_generated.defaults.go
+++ b/api/v1beta1/zz_generated.defaults.go
@@ -167,6 +167,10 @@ func SetObjectDefaults_HyperConverged(in *HyperConverged) {
 	if in.Spec.UninstallStrategy == "" {
 		in.Spec.UninstallStrategy = "BlockUninstallIfWorkloadsExist"
 	}
+	if in.Spec.EnableTokenGenerationApi == nil {
+		var ptrVar1 bool = true
+		in.Spec.EnableTokenGenerationApi = &ptrVar1
+	}
 	if in.Spec.VirtualMachineOptions == nil {
 		if err := json.Unmarshal([]byte(`{"disableFreePageReporting": false, "disableSerialConsoleLog": true}`), &in.Spec.VirtualMachineOptions); err != nil {
 			panic(err)
diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go
index 034205e6ee..563baef574 100644
--- a/api/v1beta1/zz_generated.openapi.go
+++ b/api/v1beta1/zz_generated.openapi.go
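Review bot: The deprecation note on `DeployVMConsoleProxy` says the field is ignored but not what replaces it, so an operator who had `deployVmConsoleProxy: true` in their CR gets no pointer to the new spec field; suggest `// Deprecated: This field is ignored. Use spec.enableTokenGenerationApi instead.`. It is also worth stating in the same comment that the replacement defaults to enabled, because this gate defaulted to `false` (the markers two lines up) and its value no longer decides whether the VNC token service is deployed after an upgrade. The HyperConvergedFeatureGates struct continues outside this hunk.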
@@ -265,7 +265,7 @@ func schema_kubevirt_hyperconverged_cluster_operator_api_v1beta1_HyperConvergedF }, "deployVmConsoleProxy": { SchemaProps: spec.SchemaProps{ - Description: "deploy VM console proxy resources in SSP operator", + Description: "deploy VM console proxy resources in SSP operator Deprecated: This field is ignored.", Default: false, Type: []string{"boolean"}, Format: "", @@ -584,6 +584,14 @@ func schema_kubevirt_hyperconverged_cluster_operator_api_v1beta1_HyperConvergedS Format: "", }, }, + "enableTokenGenerationApi": { + SchemaProps: spec.SchemaProps{ + Description: "EnableTokenGenerationApi enables the API service for generating time limited tokens to access VNC of a VM.", + Default: true, + Type: []string{"boolean"}, + Format: "", + }, + }, "kubeSecondaryDNSNameServerIP": { SchemaProps: spec.SchemaProps{ Description: "KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS", diff --git a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml index 25fdb055aa..1954ccca56 100644 --- a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml +++ b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml @@ -1023,6 +1023,11 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be 
@@ -1095,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/controllers/operands/ssp.go b/controllers/operands/ssp.go index 824680301b..24ca501f34 100644 --- a/controllers/operands/ssp.go +++ b/controllers/operands/ssp.go @@ -157,8 +157,10 @@ func NewSSP(hc *hcov1beta1.HyperConverged, opts ...string) (*sspv1beta2.SSP, []h FeatureGates: &sspv1beta2.FeatureGates{}, } - if hc.Spec.FeatureGates.DeployVMConsoleProxy != nil { - spec.FeatureGates.DeployVmConsoleProxy = *hc.Spec.FeatureGates.DeployVMConsoleProxy + if hc.Spec.EnableTokenGenerationApi != nil { + spec.TokenGenerationService = &sspv1beta2.TokenGenerationService{ + Enabled: *hc.Spec.EnableTokenGenerationApi, + } } // Disable common-instancetypes deployment by SSP from 4.16, now handled by virt-operator diff --git a/controllers/operands/ssp_test.go b/controllers/operands/ssp_test.go index 6bb1ececbd..8b7ec870a9 100644 --- a/controllers/operands/ssp_test.go +++ b/controllers/operands/ssp_test.go 
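Review bot: Combined with the new `true` default, this branch changes behaviour on upgrade: a cluster where `deployVmConsoleProxy` was left at its old default of `false` now gets `EnableTokenGenerationApi == true`, and `NewSSP` asks SSP to run the token generation service, so an API that issues VNC access tokens is switched on without an explicit opt-in; if that is intended it belongs in the release notes and in the docs section this commit adds. When the field is nil (the generated CRD carries no `default:` for it) `spec.TokenGenerationService` is left unset and the outcome depends on how SSP treats a missing block, which nothing here documents; making the desired state explicit in the SSP CR avoids that, e.g. `spec.TokenGenerationService = &sspv1beta2.TokenGenerationService{Enabled: ptr.Deref(hc.Spec.EnableTokenGenerationApi, true)}` (if `k8s.io/utils/ptr` is importable here; the test file already uses it). The removed docs said the old gate's resources were not torn down when it was reverted to false, and whether `Enabled: false` now removes the service is stated nowhere in this commit, which is exactly what an operator disabling the feature for security reasons will want to know — please document it on the field. `NewSSP` starts and ends outside this hunk.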
@@ -189,14 +189,15 @@ var _ = Describe("SSP Operands", func() { Expect(foundResource.Labels).To(HaveKeyWithValue(userLabelKey, userLabelValue)) }) - It("should create ssp with deployVmConsoleProxy feature gate enabled", func() { + It("should create ssp with TokenGenerationService enabled", func() { hco := commontestutils.NewHco() - hco.Spec.FeatureGates.DeployVMConsoleProxy = ptr.To(true) + hco.Spec.EnableTokenGenerationApi = ptr.To(true) expectedResource, _, err := NewSSP(hco) Expect(err).ToNot(HaveOccurred()) - Expect(expectedResource.Spec.FeatureGates.DeployVmConsoleProxy).To(BeTrue()) + Expect(expectedResource.Spec.TokenGenerationService).ToNot(BeNil()) + Expect(expectedResource.Spec.TokenGenerationService.Enabled).To(BeTrue()) }) It("should create with deployCommonInstancetypes feature gate disabled", func() { diff --git a/deploy/crds/hco00.crd.yaml b/deploy/crds/hco00.crd.yaml index 25fdb055aa..1954ccca56 100644 --- a/deploy/crds/hco00.crd.yaml +++ b/deploy/crds/hco00.crd.yaml @@ -1023,6 +1023,11 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1095,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/deploy/hco.cr.yaml b/deploy/hco.cr.yaml index 7d65787138..5ba4c3aae4 100644 --- a/deploy/hco.cr.yaml +++ b/deploy/hco.cr.yaml 
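Review bot: The test only exercises `EnableTokenGenerationApi = true`; the `false` and nil paths of `NewSSP`, which are the ones an operator disabling the VNC token service relies on, are unasserted. Add a case asserting that `false` yields `TokenGenerationService.Enabled == false` and one asserting that a nil field leaves `Spec.TokenGenerationService` nil (the behaviour of the code as written), so a later change to the default or to the nil handling is caught; the nil case sets the field explicitly in case `commontestutils.NewHco()` populates it. The Describe block continues outside this hunk.

```go
It("should create ssp with TokenGenerationService disabled", func() {
	hco := commontestutils.NewHco()
	hco.Spec.EnableTokenGenerationApi = ptr.To(false)

	expectedResource, _, err := NewSSP(hco)
	Expect(err).ToNot(HaveOccurred())
	Expect(expectedResource.Spec.TokenGenerationService).ToNot(BeNil())
	Expect(expectedResource.Spec.TokenGenerationService.Enabled).To(BeFalse())
})

It("should not set TokenGenerationService when the field is unset", func() {
	hco := commontestutils.NewHco()
	hco.Spec.EnableTokenGenerationApi = nil

	expectedResource, _, err := NewSSP(hco)
	Expect(err).ToNot(HaveOccurred())
	Expect(expectedResource.Spec.TokenGenerationService).To(BeNil())
})
```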
@@ -11,6 +11,7 @@ spec: server: duration: 24h0m0s renewBefore: 12h0m0s + enableTokenGenerationApi: true featureGates: alignCPUs: false autoResourceLimits: false diff --git a/deploy/index-image/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml b/deploy/index-image/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml index 25fdb055aa..1954ccca56 100644 --- a/deploy/index-image/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml +++ b/deploy/index-image/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml @@ -1023,6 +1023,11 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1095,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml index 25fdb055aa..1954ccca56 100644 --- a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml +++ b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml 
@@ -1023,6 +1023,11 @@ spec: Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till the next restart/live-migration when they are eventually going to consume the new default RuntimeClass. type: string + enableTokenGenerationApi: + description: |- + EnableTokenGenerationApi enables the API service for generating + time limited tokens to access VNC of a VM. + type: boolean evictionStrategy: description: |- EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be @@ -1095,7 +1100,9 @@ spec: type: boolean deployVmConsoleProxy: default: false - description: deploy VM console proxy resources in SSP operator + description: |- + deploy VM console proxy resources in SSP operator + Deprecated: This field is ignored. type: boolean disableMDevConfiguration: default: false diff --git a/docs/api.md b/docs/api.md index f8b2558e43..18244649ab 100644 --- a/docs/api.md +++ b/docs/api.md 
@@ -157,7 +157,7 @@ HyperConvergedFeatureGates is a set of optional feature gates to enable or disab | withHostPassthroughCPU | Allow migrating a virtual machine with CPU host-passthrough mode. This should be enabled only when the Cluster is homogeneous from CPU HW perspective doc here | *bool | false | false | | enableCommonBootImageImport | Opt-in to automatic delivery/updates of the common data import cron templates. There are two sources for the data import cron templates: hard coded list of common templates, and custom templates that can be added to the dataImportCronTemplates field. This feature gates only control the common templates. It is possible to use custom templates by adding them to the dataImportCronTemplates field. | *bool | true | false | | deployTektonTaskResources | deploy resources (kubevirt tekton tasks and example pipelines) in SSP operator Deprecated: This field is ignored. | *bool | false | false | -| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator | *bool | false | false | +| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator Deprecated: This field is ignored. | *bool | false | false | | deployKubeSecondaryDNS | Deploy KubeSecondaryDNS by CNAO | *bool | false | false | | deployKubevirtIpamController | Deploy KubevirtIpamController by CNAO. Allows having persistent IPs for Kubevirt user defined networks. | *bool | false | false | | nonRoot | Enables rootless virt-launcher.\n\nDeprecated: please use the root FG. | *bool | true | false | 
@@ -224,6 +224,7 @@ HyperConvergedSpec defines the desired state of HyperConverged | tlsSecurityProfile | TLSSecurityProfile specifies the settings for TLS connections to be propagated to all kubevirt-hyperconverged components. If unset, the hyperconverged cluster operator will consume the value set on the APIServer CR on OCP/OKD or Intermediate if on vanilla k8s. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available MinTLSVersions is VersionTLS12. | *openshiftconfigv1.TLSSecurityProfile | | false | | tektonPipelinesNamespace | TektonPipelinesNamespace defines namespace in which example pipelines will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string | | false | | tektonTasksNamespace | TektonTasksNamespace defines namespace in which tekton tasks will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string | | false | +| enableTokenGenerationApi | EnableTokenGenerationApi enables the API service for generating time limited tokens to access VNC of a VM. | *bool | | false | | kubeSecondaryDNSNameServerIP | KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS | *string | | false | | evictionStrategy | EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be migrated instead of shut-off in case of a node drain. If the VirtualMachineInstance specific field is set it overrides the cluster level one. Allowed values: - `None` no eviction strategy at cluster level. - `LiveMigrate` migrate the VM on eviction; a not live migratable VM with no specific strategy will block the drain of the node util manually evicted. - `LiveMigrateIfPossible` migrate the VM on eviction if live migration is possible, otherwise directly evict. - `External` block the drain, track eviction and notify an external controller. 
Defaults to LiveMigrate with multiple worker nodes, None on single worker clusters. | *v1.EvictionStrategy | | false | | vmStateStorageClass | VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. The storage class must support RWX in filesystem mode. | *string | | false | diff --git a/docs/cluster-configuration.md b/docs/cluster-configuration.md index 696ead1f75..9dfb4fd5fa 100644 --- a/docs/cluster-configuration.md +++ b/docs/cluster-configuration.md @@ -162,15 +162,6 @@ the [dataImportCronTemplates field](#configure-custom-golden-images), even if th **Default**: `true` -### deployVmConsoleProxy Feature Gate -Set the `deployVmConsoleProxy` feature gate to true to allow SSP operator to deploy its resources. SSP operator will -deploy a proxy that provides an access to the VNC console of a KubeVirt Virtual Machine (VM). - -**Note**: Once `deployVmConsoleProxy` is set to true, SSP operator will not delete deployed resources if `deployVmConsoleProxy` is -reverted back to false. - -**Default**: `false` - ### deployKubeSecondaryDNS Feature Gate Set the `deployKubeSecondaryDNS` feature gate to true to allow deploying KubeSecondaryDNS by CNAO. For additional information, see here: [KubeSecondaryDNS](https://github.com/kubevirt/kubesecondarydns) @@ -768,6 +759,9 @@ spec: ``` In case the namespace is unspecified, the operator namespace will serve as the default value. +## Enable token generation API +Deploys a service that provides API to generate tokens for time limited VNC access of a VM. + ## Enable eventual launcher updates by default us the HyperConverged `spec.workloadUpdateStrategy` object to define how to handle automated workload updates at the cluster level. diff --git a/tests/func-tests/defaults_test.go b/tests/func-tests/defaults_test.go index a3d467be2c..d0a73d5d9d 100644 --- a/tests/func-tests/defaults_test.go +++ b/tests/func-tests/defaults_test.go 
@@ -70,7 +70,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 			DeployKubeSecondaryDNS: ptr.To(false),
 			DeployKubevirtIpamController: ptr.To(false),
 			DeployTektonTaskResources: ptr.To(false),
-			DeployVMConsoleProxy: ptr.To(false),
 			DisableMDevConfiguration: ptr.To(false),
 			EnableCommonBootImageImport: ptr.To(true),
 			PersistentReservation: ptr.To(false),
@@ -98,7 +97,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 		Entry("when removing /spec/featureGates/deployKubeSecondaryDNS", "/spec/featureGates/deployKubeSecondaryDNS"),
 		Entry("when removing /spec/featureGates/deployKubevirtIpamController", "/spec/featureGates/deployKubevirtIpamController"),
 		Entry("when removing /spec/featureGates/deployTektonTaskResources", "/spec/featureGates/deployTektonTaskResources"),
-		Entry("when removing /spec/featureGates/deployVmConsoleProxy", "/spec/featureGates/deployVmConsoleProxy"),
 		Entry("when removing /spec/featureGates/disableMDevConfiguration", "/spec/featureGates/disableMDevConfiguration"),
 		Entry("when removing /spec/featureGates/enableCommonBootImageImport", "/spec/featureGates/enableCommonBootImageImport"),
 		Entry("when removing /spec/featureGates/persistentReservation", "/spec/featureGates/persistentReservation"),
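Review bot: These hunks drop the `DeployVMConsoleProxy` expectation and its removal Entry but add nothing for the field that replaces it, so the functional defaults test no longer checks that an unset `enableTokenGenerationApi` comes back as `true`; that is precisely the check that would expose the mismatch between the Go marker `+default=true` and the generated CRD entry, which carries no `default:`. Add `Entry("when removing /spec/enableTokenGenerationApi", "/spec/enableTokenGenerationApi"),` to the table, and the matching `EnableTokenGenerationApi: ptr.To(true),` expectation on the spec-level expected object, which sits outside this hunk (the visible literal is the FeatureGates sub-struct). If the CRD default is deliberately absent, this test is where that decision would be pinned instead. The Describe block starts and continues outside these hunks.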