API: Use new token generation SSP API and remove feature gate

The token generation API was stabilized in the SSP, and feature gate was removed: kubevirt/ssp-operator#1018 This commit removes the same feature gate from HCO, and adds a new field in the .spec to enable this feature. Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
kubevirt · Sep 10, 2024 · 7dc0c86 · 7dc0c86
1 parent 6303a55
commit 7dc0c86
Show file tree

Hide file tree

Showing 17 changed files with 118 additions and 38 deletions.
diff --git a/api/v1beta1/hyperconverged_types.go b/api/v1beta1/hyperconverged_types.go
@@ -188,6 +188,12 @@ type HyperConvergedSpec struct {
 	// Deprecated: This field is ignored.
 	TektonTasksNamespace *string `json:"tektonTasksNamespace,omitempty"`
 
+	// EnableTokenGenerationApi enables the API service for generating
+	// time limited tokens to access VNC of a VM.
+	// +optional
+	// +default=true
+	EnableTokenGenerationApi *bool `json:"enableTokenGenerationApi,omitempty"`
+
 	// KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS
 	// +optional
 	KubeSecondaryDNSNameServerIP *string `json:"kubeSecondaryDNSNameServerIP,omitempty"`
@@ -429,8 +435,8 @@ type HyperConvergedFeatureGates struct {
 
 	// deploy VM console proxy resources in SSP operator
 	// +optional
-	// +kubebuilder:default=false
-	// +default=false
+	// +kubebuilder:deprecatedversion:warning="deployTektonTaskResources feature gate ignored"
+	// Deprecated: This field is ignored.
 	DeployVMConsoleProxy *bool `json:"deployVmConsoleProxy,omitempty"`
 
 	// Deploy KubeSecondaryDNS by CNAO

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/api/v1beta1/zz_generated.defaults.go b/api/v1beta1/zz_generated.defaults.go
diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go
diff --git a/assets/upgradePatches.json b/assets/upgradePatches.json
@@ -40,6 +40,36 @@
       "jsonPatchApplyOptions": {
         "allowMissingPathOnRemove": true
       }
+    },
+    {
+      "semverRange": "<1.14.0",
+      "jsonPatch": [
+        {
+          "op": "test",
+          "path": "/spec/featureGates/deployVmConsoleProxy",
+          "value": true
+        },
+        {
+          "op": "move",
+          "from": "/spec/featureGates/deployVmConsoleProxy",
+          "path": "/spec/enableTokenGenerationApi"
+        }
+      ]
+    },
+    {
+      "semverRange": "<1.14.0",
+      "jsonPatch": [
+        {
+          "op": "test",
+          "path": "/spec/featureGates/deployVmConsoleProxy",
+          "value": false
+        },
+        {
+          "op": "move",
+          "from": "/spec/featureGates/deployVmConsoleProxy",
+          "path": "/spec/enableTokenGenerationApi"
+        }
+      ]
     }
   ],
   "objectsToBeRemoved": [

diff --git a/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml b/config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml
@@ -1022,6 +1022,12 @@ spec:
                   Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till
                   the next restart/live-migration when they are eventually going to consume the new default RuntimeClass.
                 type: string
+              enableTokenGenerationApi:
+                default: true
+                description: |-
+                  EnableTokenGenerationApi enables the API service for generating
+                  time limited tokens to access VNC of a VM.
+                type: boolean
               evictionStrategy:
                 description: |-
                   EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be
@@ -1093,8 +1099,9 @@ spec:
                       Deprecated: This field is ignored.
                     type: boolean
                   deployVmConsoleProxy:
-                    default: false
-                    description: deploy VM console proxy resources in SSP operator
+                    description: |-
+                      deploy VM console proxy resources in SSP operator
+                      Deprecated: This field is ignored.
                     type: boolean
                   disableMDevConfiguration:
                     default: false

diff --git a/controllers/hyperconverged/hyperconverged_controller_test.go b/controllers/hyperconverged/hyperconverged_controller_test.go
@@ -1352,6 +1352,10 @@ var _ = Describe("HyperconvergedController", func() {
 				verComp.Minor--
 				oldVersion = verComp.String()
 
+				// These need to be defined before calling getBasicDeployment()
+				_ = os.Setenv("VIRTIOWIN_CONTAINER", commontestutils.VirtioWinImage)
+				_ = os.Setenv("OPERATOR_NAMESPACE", namespace)
+
 				// this is used for version label and the tests below
 				// assumes there is no change in labels. Therefore, it should be
 				// set before getBasicDeployment so that the existing resource can
@@ -1362,9 +1366,6 @@ var _ = Describe("HyperconvergedController", func() {
 				origConditions = expected.hco.Status.Conditions
 				okConds = expected.hco.Status.Conditions
 
-				_ = os.Setenv("VIRTIOWIN_CONTAINER", commontestutils.VirtioWinImage)
-				_ = os.Setenv("OPERATOR_NAMESPACE", namespace)
-
 				expected.kv.Status.ObservedKubeVirtVersion = newComponentVersion
 				_ = os.Setenv(hcoutil.KubevirtVersionEnvV, newComponentVersion)
 

diff --git a/controllers/operands/ssp.go b/controllers/operands/ssp.go
@@ -157,8 +157,10 @@ func NewSSP(hc *hcov1beta1.HyperConverged, opts ...string) (*sspv1beta2.SSP, []h
 		FeatureGates:       &sspv1beta2.FeatureGates{},
 	}
 
-	if hc.Spec.FeatureGates.DeployVMConsoleProxy != nil {
-		spec.FeatureGates.DeployVmConsoleProxy = *hc.Spec.FeatureGates.DeployVMConsoleProxy
+	if hc.Spec.EnableTokenGenerationApi != nil {
+		spec.TokenGenerationService = &sspv1beta2.TokenGenerationService{
+			Enabled: *hc.Spec.EnableTokenGenerationApi,
+		}
 	}
 
 	// Disable common-instancetypes deployment by SSP from 4.16, now handled by virt-operator

diff --git a/controllers/operands/ssp_test.go b/controllers/operands/ssp_test.go
@@ -189,14 +189,15 @@ var _ = Describe("SSP Operands", func() {
 			Expect(foundResource.Labels).To(HaveKeyWithValue(userLabelKey, userLabelValue))
 		})
 
-		It("should create ssp with deployVmConsoleProxy feature gate enabled", func() {
+		It("should create ssp with TokenGenerationService enabled", func() {
 			hco := commontestutils.NewHco()
-			hco.Spec.FeatureGates.DeployVMConsoleProxy = ptr.To(true)
+			hco.Spec.EnableTokenGenerationApi = ptr.To(true)
 
 			expectedResource, _, err := NewSSP(hco)
 			Expect(err).ToNot(HaveOccurred())
 
-			Expect(expectedResource.Spec.FeatureGates.DeployVmConsoleProxy).To(BeTrue())
+			Expect(expectedResource.Spec.TokenGenerationService).ToNot(BeNil())
+			Expect(expectedResource.Spec.TokenGenerationService.Enabled).To(BeTrue())
 		})
 
 		It("should create with deployCommonInstancetypes feature gate disabled", func() {

diff --git a/deploy/crds/hco00.crd.yaml b/deploy/crds/hco00.crd.yaml
@@ -1022,6 +1022,12 @@ spec:
                   Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till
                   the next restart/live-migration when they are eventually going to consume the new default RuntimeClass.
                 type: string
+              enableTokenGenerationApi:
+                default: true
+                description: |-
+                  EnableTokenGenerationApi enables the API service for generating
+                  time limited tokens to access VNC of a VM.
+                type: boolean
               evictionStrategy:
                 description: |-
                   EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be
@@ -1093,8 +1099,9 @@ spec:
                       Deprecated: This field is ignored.
                     type: boolean
                   deployVmConsoleProxy:
-                    default: false
-                    description: deploy VM console proxy resources in SSP operator
+                    description: |-
+                      deploy VM console proxy resources in SSP operator
+                      Deprecated: This field is ignored.
                     type: boolean
                   disableMDevConfiguration:
                     default: false

diff --git a/deploy/hco.cr.yaml b/deploy/hco.cr.yaml
@@ -11,13 +11,13 @@ spec:
     server:
       duration: 24h0m0s
       renewBefore: 12h0m0s
+  enableTokenGenerationApi: true
   featureGates:
     alignCPUs: false
     autoResourceLimits: false
     deployKubeSecondaryDNS: false
     deployKubevirtIpamController: false
     deployTektonTaskResources: false
-    deployVmConsoleProxy: false
     disableMDevConfiguration: false
     downwardMetrics: false
     enableApplicationAwareQuota: false

diff --git a/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml b/deploy/index-image/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml
@@ -1022,6 +1022,12 @@ spec:
                   Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till
                   the next restart/live-migration when they are eventually going to consume the new default RuntimeClass.
                 type: string
+              enableTokenGenerationApi:
+                default: true
+                description: |-
+                  EnableTokenGenerationApi enables the API service for generating
+                  time limited tokens to access VNC of a VM.
+                type: boolean
               evictionStrategy:
                 description: |-
                   EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be
@@ -1093,8 +1099,9 @@ spec:
                       Deprecated: This field is ignored.
                     type: boolean
                   deployVmConsoleProxy:
-                    default: false
-                    description: deploy VM console proxy resources in SSP operator
+                    description: |-
+                      deploy VM console proxy resources in SSP operator
+                      Deprecated: This field is ignored.
                     type: boolean
                   disableMDevConfiguration:
                     default: false

diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.13.0/manifests/hco00.crd.yaml
@@ -1022,6 +1022,11 @@ spec:
                   Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till
                   the next restart/live-migration when they are eventually going to consume the new default RuntimeClass.
                 type: string
+              enableTokenGenerationApi:
+                description: |-
+                  EnableTokenGenerationApi enables the API service for generating
+                  time limited tokens to access VNC of a VM.
+                type: boolean
               evictionStrategy:
                 description: |-
                   EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be
@@ -1094,7 +1099,9 @@ spec:
                     type: boolean
                   deployVmConsoleProxy:
                     default: false
-                    description: deploy VM console proxy resources in SSP operator
+                    description: |-
+                      deploy VM console proxy resources in SSP operator
+                      Deprecated: This field is ignored.
                     type: boolean
                   disableMDevConfiguration:
                     default: false

diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.14.0/manifests/hco00.crd.yaml
@@ -1022,6 +1022,12 @@ spec:
                   Default RuntimeClass can be changed when kubevirt is running, existing VMIs are not impacted till
                   the next restart/live-migration when they are eventually going to consume the new default RuntimeClass.
                 type: string
+              enableTokenGenerationApi:
+                default: true
+                description: |-
+                  EnableTokenGenerationApi enables the API service for generating
+                  time limited tokens to access VNC of a VM.
+                type: boolean
               evictionStrategy:
                 description: |-
                   EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be
@@ -1093,8 +1099,9 @@ spec:
                       Deprecated: This field is ignored.
                     type: boolean
                   deployVmConsoleProxy:
-                    default: false
-                    description: deploy VM console proxy resources in SSP operator
+                    description: |-
+                      deploy VM console proxy resources in SSP operator
+                      Deprecated: This field is ignored.
                     type: boolean
                   disableMDevConfiguration:
                     default: false

diff --git a/docs/api.md b/docs/api.md
@@ -157,7 +157,7 @@ HyperConvergedFeatureGates is a set of optional feature gates to enable or disab
 | withHostPassthroughCPU | Allow migrating a virtual machine with CPU host-passthrough mode. This should be enabled only when the Cluster is homogeneous from CPU HW perspective doc here | *bool | false | false |
 | enableCommonBootImageImport | Opt-in to automatic delivery/updates of the common data import cron templates. There are two sources for the data import cron templates: hard coded list of common templates, and custom templates that can be added to the dataImportCronTemplates field. This feature gates only control the common templates. It is possible to use custom templates by adding them to the dataImportCronTemplates field. | *bool | true | false |
 | deployTektonTaskResources | deploy resources (kubevirt tekton tasks and example pipelines) in SSP operator Deprecated: This field is ignored. | *bool | false | false |
-| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator | *bool | false | false |
+| deployVmConsoleProxy | deploy VM console proxy resources in SSP operator Deprecated: This field is ignored. | *bool |  | false |
 | deployKubeSecondaryDNS | Deploy KubeSecondaryDNS by CNAO | *bool | false | false |
 | deployKubevirtIpamController | Deploy KubevirtIpamController by CNAO. Allows having persistent IPs for Kubevirt user defined networks. | *bool | false | false |
 | nonRoot | Enables rootless virt-launcher.\n\nDeprecated: please use the root FG. | *bool | true | false |
@@ -224,6 +224,7 @@ HyperConvergedSpec defines the desired state of HyperConverged
 | tlsSecurityProfile | TLSSecurityProfile specifies the settings for TLS connections to be propagated to all kubevirt-hyperconverged components. If unset, the hyperconverged cluster operator will consume the value set on the APIServer CR on OCP/OKD or Intermediate if on vanilla k8s. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available MinTLSVersions is VersionTLS12. | *openshiftconfigv1.TLSSecurityProfile |  | false |
 | tektonPipelinesNamespace | TektonPipelinesNamespace defines namespace in which example pipelines will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string |  | false |
 | tektonTasksNamespace | TektonTasksNamespace defines namespace in which tekton tasks will be deployed. If unset, then the default value is the operator namespace. Deprecated: This field is ignored. | *string |  | false |
+| enableTokenGenerationApi | EnableTokenGenerationApi enables the API service for generating time limited tokens to access VNC of a VM. | *bool |  | false |
 | kubeSecondaryDNSNameServerIP | KubeSecondaryDNSNameServerIP defines name server IP used by KubeSecondaryDNS | *string |  | false |
 | evictionStrategy | EvictionStrategy defines at the cluster level if the VirtualMachineInstance should be migrated instead of shut-off in case of a node drain. If the VirtualMachineInstance specific field is set it overrides the cluster level one. Allowed values: - `None` no eviction strategy at cluster level. - `LiveMigrate` migrate the VM on eviction; a not live migratable VM with no specific strategy will block the drain of the node util manually evicted. - `LiveMigrateIfPossible` migrate the VM on eviction if live migration is possible, otherwise directly evict. - `External` block the drain, track eviction and notify an external controller. Defaults to LiveMigrate with multiple worker nodes, None on single worker clusters. | *v1.EvictionStrategy |  | false |
 | vmStateStorageClass | VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. The storage class must support RWX in filesystem mode. | *string |  | false |

diff --git a/docs/cluster-configuration.md b/docs/cluster-configuration.md
@@ -162,15 +162,6 @@ the [dataImportCronTemplates field](#configure-custom-golden-images), even if th
 
 **Default**: `true`
 
-### deployVmConsoleProxy Feature Gate
-Set the `deployVmConsoleProxy` feature gate to true to allow SSP operator to deploy its resources. SSP operator will 
-deploy a proxy that provides an access to the VNC console of a KubeVirt Virtual Machine (VM).
-
-**Note**: Once `deployVmConsoleProxy` is set to true, SSP operator will not delete deployed resources if `deployVmConsoleProxy` is 
-reverted back to false.
-
-**Default**: `false`
-
 ### deployKubeSecondaryDNS Feature Gate
 Set the `deployKubeSecondaryDNS` feature gate to true to allow deploying KubeSecondaryDNS by CNAO.
 For additional information, see here: [KubeSecondaryDNS](https://github.com/kubevirt/kubesecondarydns)
@@ -768,6 +759,9 @@ spec:
 ```
 In case the namespace is unspecified, the operator namespace will serve as the default value.
 
+## Enable token generation API
+Deploys a service that provides API to generate tokens for time limited VNC access of a VM.
+
 ## Enable eventual launcher updates by default
 us the HyperConverged `spec.workloadUpdateStrategy` object to define how to handle automated workload updates at the cluster
 level.

diff --git a/tests/func-tests/defaults_test.go b/tests/func-tests/defaults_test.go
@@ -70,7 +70,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 			DeployKubeSecondaryDNS:           ptr.To(false),
 			DeployKubevirtIpamController:     ptr.To(false),
 			DeployTektonTaskResources:        ptr.To(false),
-			DeployVMConsoleProxy:             ptr.To(false),
 			DisableMDevConfiguration:         ptr.To(false),
 			EnableCommonBootImageImport:      ptr.To(true),
 			PersistentReservation:            ptr.To(false),
@@ -98,7 +97,6 @@ var _ = Describe("Check Default values", Label("defaults"), Serial, func() {
 			Entry("when removing /spec/featureGates/deployKubeSecondaryDNS", "/spec/featureGates/deployKubeSecondaryDNS"),
 			Entry("when removing /spec/featureGates/deployKubevirtIpamController", "/spec/featureGates/deployKubevirtIpamController"),
 			Entry("when removing /spec/featureGates/deployTektonTaskResources", "/spec/featureGates/deployTektonTaskResources"),
-			Entry("when removing /spec/featureGates/deployVmConsoleProxy", "/spec/featureGates/deployVmConsoleProxy"),
 			Entry("when removing /spec/featureGates/disableMDevConfiguration", "/spec/featureGates/disableMDevConfiguration"),
 			Entry("when removing /spec/featureGates/enableCommonBootImageImport", "/spec/featureGates/enableCommonBootImageImport"),
 			Entry("when removing /spec/featureGates/persistentReservation", "/spec/featureGates/persistentReservation"),