From a99aa8015594cbfd9d46bbc8313f72321a95cc1f Mon Sep 17 00:00:00 2001
From: Todd Malsbary
Date: Fri, 4 Jun 2021 14:24:56 -0700
Subject: Add kubevirt and cdi addon helm charts
Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary
Change-Id: I6ba134140f0aca6717c656ffa35c6576426a8b98
---
.../helm/kubevirt-operator/templates/_helpers.tpl | 70 +++
.../kubevirt-operator/templates/clusterrole.yaml | 668 +++++++++++++++++++++
.../templates/clusterrolebinding.yaml | 15 +
.../kubevirt-operator/templates/deployment.yaml | 86 +++
.../kubevirt-operator/templates/priorityclass.yaml | 7 +
.../helm/kubevirt-operator/templates/role.yaml | 30 +
.../kubevirt-operator/templates/rolebinding.yaml | 15 +
.../templates/serviceaccount.yaml | 11 +
8 files changed, 902 insertions(+)
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/_helpers.tpl
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/clusterrole.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/clusterrolebinding.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/deployment.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/priorityclass.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/role.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/rolebinding.yaml
create mode 100644 kud/deployment_infra/helm/kubevirt-operator/templates/serviceaccount.yaml
(limited to 'kud/deployment_infra/helm/kubevirt-operator/templates')
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/_helpers.tpl b/kud/deployment_infra/helm/kubevirt-operator/templates/_helpers.tpl
new file mode 100644
index 00000000..369224de
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/_helpers.tpl
@@ -0,0 +1,70 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubevirt-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubevirt-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubevirt-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubevirt-operator.labels" -}}
+helm.sh/chart: {{ include "kubevirt-operator.chart" . }}
+{{ include "kubevirt-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubevirt-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubevirt-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubevirt-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "kubevirt-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the priority class to use
+*/}}
+{{- define "kubevirt-operator.priorityClassName" -}}
+{{ default (include "kubevirt-operator.fullname" .) .Values.priorityClass.name }}
+{{- end -}}
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrole.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrole.yaml
new file mode 100644
index 00000000..ae8faf3b
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrole.yaml
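Review bot: The `else` branch of `kubevirt-operator.serviceAccountName` falls back to the namespace's `default` service account when `serviceAccount.create` is false and no name is given, and clusterrolebinding.yaml and rolebinding.yaml in this commit bind the `kubevirt-operator` ClusterRole and Role to whatever this helper returns. In that configuration every pod in the release namespace that does not name its own service account would inherit the operator's cluster-wide permissions. I would make the render fail instead of defaulting: `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`.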
@@ -0,0 +1,668 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubevirt.io:operator
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ operator.kubevirt.io: ""
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups:
+ - kubevirt.io
+ resources:
+ - kubevirts
+ verbs:
+ - get
+ - delete
+ - create
+ - update
+ - patch
+ - list
+ - watch
+ - deletecollection
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubevirt-operator
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: ""
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - kubevirts
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ - endpoints
+ - pods/exec
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - patch
+ - delete
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - kubevirt-handler
+ - kubevirt-controller
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - update
+ - patch
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - update
+ - patch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ - prometheusrules
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - update
+ - patch
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachines/start
+ - virtualmachines/stop
+ - virtualmachines/restart
+ verbs:
+ - put
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - delete
+ - patch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachines
+ - virtualmachineinstances
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachines/status
+ verbs:
+ - patch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachineinstancemigrations
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachineinstancepresets
+ verbs:
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - limitranges
+ verbs:
+ - watch
+ - list
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - kubevirts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - snapshot.kubevirt.io
+ resources:
+ - virtualmachinesnapshots
+ - virtualmachinerestores
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - update
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - update
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods/eviction
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - snapshot.kubevirt.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachineinstances/addvolume
+ - virtualmachineinstances/removevolume
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - cdi.kubevirt.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshotclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachineinstances
+ verbs:
+ - update
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - patch
+ - list
+ - watch
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - kubevirts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - version
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachineinstances/console
+ - virtualmachineinstances/vnc
+ verbs:
+ - get
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachineinstances/pause
+ - virtualmachineinstances/unpause
+ - virtualmachineinstances/addvolume
+ - virtualmachineinstances/removevolume
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachines/start
+ - virtualmachines/stop
+ - virtualmachines/restart
+ verbs:
+ - update
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachines
+ - virtualmachineinstances
+ - virtualmachineinstancepresets
+ - virtualmachineinstancereplicasets
+ - virtualmachineinstancemigrations
+ verbs:
+ - get
+ - delete
+ - create
+ - update
+ - patch
+ - list
+ - watch
+ - deletecollection
+- apiGroups:
+ - snapshot.kubevirt.io
+ resources:
+ - virtualmachinesnapshots
+ - virtualmachinesnapshotcontents
+ - virtualmachinerestores
+ verbs:
+ - get
+ - delete
+ - create
+ - update
+ - patch
+ - list
+ - watch
+ - deletecollection
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachineinstances/console
+ - virtualmachineinstances/vnc
+ verbs:
+ - get
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachineinstances/pause
+ - virtualmachineinstances/unpause
+ - virtualmachineinstances/addvolume
+ - virtualmachineinstances/removevolume
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - subresources.kubevirt.io
+ resources:
+ - virtualmachines/start
+ - virtualmachines/stop
+ - virtualmachines/restart
+ verbs:
+ - update
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachines
+ - virtualmachineinstances
+ - virtualmachineinstancepresets
+ - virtualmachineinstancereplicasets
+ - virtualmachineinstancemigrations
+ verbs:
+ - get
+ - delete
+ - create
+ - update
+ - patch
+ - list
+ - watch
+- apiGroups:
+ - snapshot.kubevirt.io
+ resources:
+ - virtualmachinesnapshots
+ - virtualmachinesnapshotcontents
+ - virtualmachinerestores
+ verbs:
+ - get
+ - delete
+ - create
+ - update
+ - patch
+ - list
+ - watch
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - kubevirts
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - kubevirt.io
+ resources:
+ - virtualmachines
+ - virtualmachineinstances
+ - virtualmachineinstancepresets
+ - virtualmachineinstancereplicasets
+ - virtualmachineinstancemigrations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - snapshot.kubevirt.io
+ resources:
+ - virtualmachinesnapshots
+ - virtualmachinesnapshotcontents
+ - virtualmachinerestores
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrolebinding.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..a1e5a642
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/clusterrolebinding.yaml
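Review bot: The `kubevirt-operator` ClusterRole carries no comment saying where its rule list comes from, yet it grants cluster-wide `create`/`get`/`update` on `secrets`, write verbs on `pods/exec`, full write access to `clusterroles`/`clusterrolebindings` and the webhook configurations, `patch` on the `privileged` SCC, and `'*'` on `kubevirt.io`, `snapshot.kubevirt.io` and `cdi.kubevirt.io`. Taken together that puts the bound service account close to cluster-admin, so I would record the provenance at the top of the file, e.g. `# Rules copied from the upstream virt-operator manifest, version <KUBEVIRT_VERSION>; do not edit by hand` (presumably this is the upstream list; please confirm), so later syncs can be diffed against a known source. Operationally, the release namespace should be limited to the operator, and API audit logging should cover this account's reads of `secrets` and its RBAC writes. Several rules are repeated verbatim (for example `configmaps` with `get`/`list`/`watch`) and the `kubevirts` rule lists `patch` twice; that is harmless to the API server but makes the effective grant harder to audit.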
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubevirt-operator
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: ""
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubevirt-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kubevirt-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/deployment.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/deployment.yaml
new file mode 100644
index 00000000..1cd64725
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "kubevirt-operator.fullname" . }}
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: virt-operator
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ {{- include "kubevirt-operator.selectorLabels" . | nindent 6 }}
+ kubevirt.io: virt-operator
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ labels:
+ {{- include "kubevirt-operator.selectorLabels" . | nindent 8 }}
+ kubevirt.io: virt-operator
+ prometheus.kubevirt.io: ""
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "kubevirt-operator.serviceAccountName" . }}
+ containers:
+ - name: virt-operator
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - virt-operator
+ - --port
+ - "8443"
+ - -v
+ - "2"
+ env:
+ - name: OPERATOR_IMAGE
+ value: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.annotations['olm.targetNamespaces']
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
+ - containerPort: 8444
+ name: webhooks
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: 8443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: /etc/virt-operator/certificates
+ name: kubevirt-operator-certs
+ readOnly: true
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ priorityClassName: {{ include "kubevirt-operator.priorityClassName" . }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ volumes:
+ - name: kubevirt-operator-certs
+ secret:
+ optional: true
+ secretName: kubevirt-operator-certs
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/priorityclass.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/priorityclass.yaml
new file mode 100644
index 00000000..c3e533dd
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/priorityclass.yaml
@@ -0,0 +1,7 @@
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: {{ include "kubevirt-operator.priorityClassName" . }}
+value: 1000000000
+globalDefault: false
+description: "This priority class should be used for core kubevirt components only."
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/role.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/role.yaml
new file mode 100644
index 00000000..42aa2d75
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kubevirt-operator
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: ""
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - patch
+ - delete
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/rolebinding.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/rolebinding.yaml
new file mode 100644
index 00000000..89489f9a
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/rolebinding.yaml
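Review bot: In deployment.yaml the `virt-operator` container sets no `securityContext` of its own, and the pod-level block is whatever `.Values.securityContext` holds (values.yaml is not part of this view), so a default install may run a workload whose service account has cluster-wide RBAC with the runtime's default privileges. If the operator runs with it, I would add to the container `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` and default the pod-level value to `runAsNonRoot: true`. The `OPERATOR_IMAGE` value is also left unquoted while `image:` earlier in the same container quotes the identical expression; writing `value: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` keeps the two consistent and guards against a tag that YAML would retype.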
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubevirt-operator-rolebinding
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: ""
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubevirt-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kubevirt-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/kud/deployment_infra/helm/kubevirt-operator/templates/serviceaccount.yaml b/kud/deployment_infra/helm/kubevirt-operator/templates/serviceaccount.yaml
new file mode 100644
index 00000000..99703a03
--- /dev/null
+++ b/kud/deployment_infra/helm/kubevirt-operator/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kubevirt-operator.serviceAccountName" . }}
+ labels:
+ {{- include "kubevirt-operator.labels" . | nindent 4 }}
+ kubevirt.io: ""
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
--
cgit 1.2.3-korg
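Review bot: serviceaccount.yaml renders the ServiceAccount unconditionally, although the `kubevirt-operator.serviceAccountName` helper in _helpers.tpl branches on `.Values.serviceAccount.create`. With `create: false` the chart would still emit an account named after `serviceAccount.name`, or `default` when none is set, which can collide with or take ownership of an account that already exists in the namespace and that the operator's bindings then point to. I would wrap the whole manifest in `{{- if .Values.serviceAccount.create }}` and `{{- end }}` so the flag actually controls creation.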