charts/libvirt/values.yaml

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for libvirt.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
release_group: null

labels:
  agent:
    libvirt:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled

images:
  tags:
    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_focal
    libvirt_exporter: vexxhost/libvirtd-exporter:latest
    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508'
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/library/docker:17.07.0
    kubectl: docker.io/bitnami/kubectl:latest
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

network:
  # provide what type of network wiring will be used
  # possible options: openvswitch, linuxbridge, sriov
  backend:
    - openvswitch

endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      libvirt:
        username: libvirt
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  libvirt_exporter:
    port:
      metrics:
        default: 9474

network_policy:
  libvirt:
    ingress:
      - {}
    egress:
      - {}

ceph_client:
  configmap: ceph-etc
  user_secret_name: pvc-ceph-client-key

# Issuers for TLS certificates
issuers:
  # Issuer to issue a certificate for libvirt api when listen_tls is enabled
  libvirt:
    kind: ClusterIssuer
    name: ca-clusterissuer
  # Issuer to issue a certificate for vencrypt
  vencrypt:
    kind: ClusterIssuer
    name: ca-clusterissuer

conf:
  ceph:
    enabled: true
    admin_keyring: null
    cinder:
      user: "cinder"
      keyring: null
      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
      # Cinder Ceph backend that is not configured by the k8s cluter
      external_ceph:
        enabled: false
        user: null
        secret_uuid: null
        user_secret_name: null
  libvirt:
    listen_tcp: "1"
    listen_tls: "0"
    auth_tcp: "none"
    ca_file: "/etc/pki/CA/cacert.pem"
    cert_file: "/etc/pki/libvirt/servercert.pem"
    key_file: "/etc/pki/libvirt/private/serverkey.pem"
    auth_unix_rw: "none"
    listen_addr: 127.0.0.1
    log_level: "3"
    log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
  qemu:
    vnc_tls: "0"
    vnc_tls_x509_verify: "0"
    stdio_handler: "file"
    user: "nova"
    group: "kvm"
    default_tls_x509_cert_dir: /etc/pki/qemu
  kubernetes:
    cgroup: "kubepods.slice"

pod:
  probes:
    libvirt:
      libvirt:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 5
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 5
  security_context:
    libvirt:
      pod:
        runAsUser: 0
      container:
        ceph_admin_keyring_placement:
          readOnlyRootFilesystem: false
        ceph_keyring_placement:
          readOnlyRootFilesystem: false
        libvirt:
          privileged: true
          readOnlyRootFilesystem: false
        libvirt_exporter:
          privileged: true
  sidecars:
    libvirt_exporter: false

  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    libvirt:
      enabled: false
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
  dns_policy: "ClusterFirstWithHostNet"
  mounts:
    libvirt:
      init_container: null
      libvirt:
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        libvirt:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
  resources:
    enabled: false
    libvirt:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    libvirt_exporter:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - libvirt-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    targeted:
      ovn:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: ovn
                component: ovn-controller
      openvswitch:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
      sriov:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-sriov-agent
  static:
    libvirt:
      services: null
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

scripts:
  # Script is included here (vs in bin/) to allow overriding.
  cert_init_sh: |
    #!/bin/bash
    set -x

    # Script to create certs for each libvirt pod based on pod IP (by default).

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: ${POD_NAME}-${TYPE}
      namespace: ${POD_NAMESPACE}
      ownerReferences:
        - apiVersion: v1
          kind: Pod
          name: ${POD_NAME}
          uid: ${POD_UID}
    spec:
      secretName: ${POD_NAME}-${TYPE}
      commonName: ${POD_IP}
      usages:
      - client auth
      - server auth
      dnsNames:
      - ${HOSTNAME}
      ipAddresses:
      - ${POD_IP}
      issuerRef:
        kind: ${ISSUER_KIND}
        name: ${ISSUER_NAME}
    EOF

    kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
      certificate/${POD_NAME}-${TYPE}

    # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
    #               is deleted, so we should add an owner reference to the secret
    #               to ensure that it is cleaned up when the pod is deleted.
    kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
      --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'

    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
    kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt

manifests:
  configmap_bin: true
  configmap_etc: true
  daemonset_libvirt: true
  job_image_repo_sync: true
  network_policy: false
  role_cert_manager: false
  secret_registry: true

secrets:
  oci_image_registry:
    libvirt: libvirt-oci-image-registry-key
  tls:
    server: libvirt-tls-server
    client: libvirt-tls-client
...