charts/libvirt/templates/daemonset-libvirt.yaml

{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

{{- define "libvirtReadinessProbeTemplate" }}
exec:
  command:
    - bash
    - -c
    - /usr/bin/virsh list
{{- end }}
{{- define "libvirtLivenessProbeTemplate" }}
exec:
  command:
    - bash
    - -c
    - /usr/bin/virsh list
{{- end }}

{{- define "libvirt.daemonset" }}
{{- $daemonset := index . 0 }}
{{- $configMapName := index . 1 }}
{{- $serviceAccountName := index . 2 }}
{{- $envAll := index . 3 }}
{{- with $envAll }}

{{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
{{- $mounts_libvirt_init := .Values.pod.mounts.libvirt.init_container }}

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: libvirt
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  selector:
    matchLabels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
  template:
    metadata:
      labels:
{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
        kubectl.kubernetes.io/default-container: libvirt
{{- dict "envAll" $envAll "podName" "libvirt-libvirt-default" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
{{ dict "envAll" $envAll "application" "libvirt" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }}
{{ if $envAll.Values.pod.tolerations.libvirt.enabled }}
{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
      dnsPolicy: {{ .Values.pod.dns_policy }}
      initContainers:
{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
{{- if .Values.conf.ceph.enabled }}
        {{- if empty .Values.conf.ceph.cinder.keyring }}
        - name: ceph-admin-keyring-placement
{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/ceph-admin-keyring.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: etcceph
              mountPath: /etc/ceph
            - name: libvirt-bin
              mountPath: /tmp/ceph-admin-keyring.sh
              subPath: ceph-admin-keyring.sh
              readOnly: true
            {{- if empty .Values.conf.ceph.admin_keyring }}
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
            {{ end }}
        {{ end }}
        - name: ceph-keyring-placement
{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: CEPH_CINDER_USER
              value: "{{ .Values.conf.ceph.cinder.user }}"
            {{- if .Values.conf.ceph.cinder.keyring }}
            - name: CEPH_CINDER_KEYRING
              value: "{{ .Values.conf.ceph.cinder.keyring }}"
            {{ end }}
            - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
              value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
          command:
            - /tmp/ceph-keyring.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: etcceph
              mountPath: /etc/ceph
            - name: libvirt-bin
              mountPath: /tmp/ceph-keyring.sh
              subPath: ceph-keyring.sh
              readOnly: true
            - name: ceph-etc
              mountPath: /etc/ceph/ceph.conf.template
              subPath: ceph.conf
              readOnly: true
{{- end }}
      containers:
        - name: tls-sidecar
{{ tuple $envAll "libvirt_tls_sidecar" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.libvirt_tls_sidecar | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_tls_sidecar" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: API_ISSUER_KIND
              value: {{ .Values.issuers.libvirt.kind }}
            - name: API_ISSUER_NAME
              value: {{ .Values.issuers.libvirt.name }}
            - name: VNC_ISSUER_KIND
              value: {{ .Values.issuers.vencrypt.kind }}
            - name: VNC_ISSUER_NAME
              value: {{ .Values.issuers.vencrypt.name }}
            - name: POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
            - name: etc-pki-qemu
              mountPath: /etc/pki/qemu
            - name: etc-pki-ca
              mountPath: /etc/pki/CA
            - name: etc-pki-libvirt
              mountPath: /etc/pki/libvirt
            - name: etc-pki-libvirt-vnc
              mountPath: /etc/pki/libvirt-vnc
        - name: libvirt
{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.libvirt | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
          {{- if .Values.conf.ceph.enabled }}
            - name: CEPH_CINDER_USER
              value: "{{ .Values.conf.ceph.cinder.user }}"
            {{- if .Values.conf.ceph.cinder.keyring }}
            - name: CEPH_CINDER_KEYRING
              value: "{{ .Values.conf.ceph.cinder.keyring }}"
            {{ end }}
            - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
              value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
          {{ end }}
          {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
            - name: EXTERNAL_CEPH_CINDER_USER
              value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
            - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
              value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
            {{ end }}
{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "readiness" "probeTemplate" (include "libvirtReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "liveness" "probeTemplate" (include "libvirtLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
          command:
            - /tmp/libvirt.sh
          lifecycle:
            postStart:
              exec:
                command:
                  - /tmp/wait-for-libvirt.sh
            preStop:
              exec:
                command:
                  - bash
                  - -c
                  - |-
                    kill $(cat /var/run/libvirtd.pid)
          volumeMounts:
            - name: etc-pki-qemu
              mountPath: /etc/pki/qemu
            - name: etc-pki-ca
              mountPath: /etc/pki/CA
            - name: etc-pki-libvirt
              mountPath: /etc/pki/libvirt
            - name: etc-pki-libvirt-vnc
              mountPath: /etc/pki/libvirt-vnc
            - name: pod-tmp
              mountPath: /tmp
            - name: libvirt-bin
              mountPath: /tmp/libvirt.sh
              subPath: libvirt.sh
              readOnly: true
            - name: libvirt-bin
              mountPath: /tmp/wait-for-libvirt.sh
              subPath: wait-for-libvirt.sh
              readOnly: true
            - name: libvirt-etc
              mountPath: /etc/libvirt/libvirtd.conf
              subPath: libvirtd.conf
              readOnly: true
            - name: libvirt-etc
              mountPath: /etc/libvirt/qemu.conf
              subPath: qemu.conf
              readOnly: true
            - name: etc-libvirt-qemu
              mountPath: /etc/libvirt/qemu
            - mountPath: /lib/modules
              name: libmodules
              readOnly: true
            - name: var-lib-libvirt
              mountPath: /var/lib/libvirt
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: Bidirectional
              {{- end }}
            - name: var-lib-nova
              mountPath: /var/lib/nova
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: Bidirectional
              {{- end }}
            - name: run
              mountPath: /run
            - name: dev
              mountPath: /dev
            - name: cgroup
              mountPath: /sys/fs/cgroup
            - name: logs
              mountPath: /var/log/libvirt
            - name: machine-id
              mountPath: /etc/machine-id
              readOnly: true
            {{- if .Values.conf.ceph.enabled }}
            - name: etcceph
              mountPath: /etc/ceph
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: Bidirectional
              {{- end }}
            {{- if empty .Values.conf.ceph.cinder.keyring }}
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
            {{- end }}
            {{- end }}
            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
            - name: external-ceph-keyring
              mountPath: /tmp/external-ceph-client-keyring
              subPath: key
              readOnly: true
            {{- end }}
{{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
        {{- if .Values.pod.sidecars.libvirt_exporter }}
        - name: libvirt-exporter
{{ tuple $envAll "libvirt_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.libvirt_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          args:
            - "--libvirt.nova"
          ports:
            - name: metrics
              protocol: TCP
              containerPort: {{ tuple "libvirt_exporter" "direct" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          livenessProbe:
            httpGet:
              path: /
              port: metrics
          readinessProbe:
            httpGet:
              path: /
              port: metrics
          volumeMounts:
            - name: run
              mountPath: /run
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: Bidirectional
              {{- end }}
        {{- end }}
      volumes:
        - name: etc-pki-qemu
          hostPath:
            path: /etc/pki/qemu
        - name: etc-pki-ca
          emptyDir: {}
        - name: etc-pki-libvirt
          emptyDir: {}
        - name: etc-pki-libvirt-vnc
          hostPath:
            path: /etc/pki/libvirt-vnc
        - name: pod-tmp
          emptyDir: {}
        - name: libvirt-bin
          configMap:
            name: libvirt-bin
            defaultMode: 0555
        - name: libvirt-etc
          secret:
            secretName: {{ $configMapName }}
            defaultMode: 0444
        {{- if .Values.conf.ceph.enabled }}
        - name: etcceph
          hostPath:
            path: /var/lib/openstack-helm/compute/libvirt
        - name: ceph-etc
          configMap:
            name: {{ .Values.ceph_client.configmap }}
            defaultMode: 0444
        {{- if empty .Values.conf.ceph.cinder.keyring }}
        - name: ceph-keyring
          secret:
            secretName: {{ .Values.ceph_client.user_secret_name }}
        {{ end }}
        {{ end }}
        {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
        - name: external-ceph-keyring
          secret:
            secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
        {{ end }}
        - name: libmodules
          hostPath:
            path: /lib/modules
        - name: var-lib-libvirt
          hostPath:
            path: /var/lib/libvirt
        - name: var-lib-nova
          hostPath:
            path: /var/lib/nova
        - name: run
          hostPath:
            path: /run
        - name: dev
          hostPath:
            path: /dev
        - name: logs
          hostPath:
            path: /var/log/libvirt
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: machine-id
          hostPath:
            path: /etc/machine-id
        - name: etc-libvirt-qemu
          hostPath:
            path: /etc/libvirt/qemu
{{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
{{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}

{{- if .Values.manifests.daemonset_libvirt }}

{{- $envAll := . }}
{{- $daemonset := "libvirt" }}
{{- $configMapName := "libvirt-etc" }}
{{- $serviceAccountName := "libvirt" }}

{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "libvirt" -}}
{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}

{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "libvirt.daemonset" | toString | fromYaml }}
{{- $configmap_yaml := "libvirt.configmap.etc" }}
{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}

{{- end }}