feat(module): add migration disable tls annotation support

images/hooks/pkg/hooks/migration-config/hook.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 
 	"k8s.io/utils/ptr"
 
@@ -36,16 +37,19 @@ const (
 	completionTimeoutPerGiBAnnotation           = "virtualization.deckhouse.io/completion-timeout-per-gib"
 	parallelOutboundMigrationsPerNodeAnnotation = "virtualization.deckhouse.io/parallel-outbound-migrations-per-node"
 	progressTimeoutAnnotation                   = "virtualization.deckhouse.io/progress-timeout"
+	disableTLSAnnotation                        = "virtualization.deckhouse.io/disable-tls"
 
 	bandwidthPerMigrationValuesPath             = "virtualization.internal.virtConfig.bandwidthPerMigration"
 	completionTimeoutPerGiBValuesPath           = "virtualization.internal.virtConfig.completionTimeoutPerGiB"
 	parallelOutboundMigrationsPerNodeValuesPath = "virtualization.internal.virtConfig.parallelOutboundMigrationsPerNode"
 	progressTimeoutValuesPath                   = "virtualization.internal.virtConfig.progressTimeout"
+	disableTLSValuesPath                        = "virtualization.internal.virtConfig.disableTLS"
 
 	defaultBandwidthPerMigration             = "640Mi"
 	defaultCompletionTimeoutPerGiB           = 800
 	defaultParallelOutboundMigrationsPerNode = 1
 	defaultProgressTimeout                   = 150
+	defaultDisableTLS                        = false
 )
 
 // migrationParams defines migration parameters configurable via ModuleConfig annotations.
@@ -72,6 +76,11 @@ var migrationParams = []migrationParam{
 		valuesPath:   progressTimeoutValuesPath,
 		defaultValue: defaultProgressTimeout,
 	},
+	{
+		annotation:   disableTLSAnnotation,
+		valuesPath:   disableTLSValuesPath,
+		defaultValue: defaultDisableTLS,
+	},
 }
 
 type migrationParam struct {
@@ -87,6 +96,12 @@ func (p migrationParam) resolve(annos map[string]string) (any, error) {
 	}
 
 	switch p.defaultValue.(type) {
+	case bool:
+		v, err := strconv.ParseBool(strings.ToLower(val))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %q annotation: %w", p.annotation, err)
+		}
+		return v, nil
 	case int:
 		v, err := strconv.Atoi(val)
 		if err != nil {
@@ -102,6 +117,8 @@ func (p migrationParam) resolve(annos map[string]string) (any, error) {
 
 func (p migrationParam) getCurrent(input *pkg.HookInput) any {
 	switch p.defaultValue.(type) {
+	case bool:
+		return input.Values.Get(p.valuesPath).Bool()
 	case int:
 		return int(input.Values.Get(p.valuesPath).Int())
 	case string:

images/hooks/pkg/hooks/migration-config/hook_test.go

@@ -84,6 +84,7 @@ var _ = Describe("MigrationConfig", func() {
 			completionTimeoutPerGiBAnnotation:           "1200",
 			parallelOutboundMigrationsPerNodeAnnotation: "5",
 			progressTimeoutAnnotation:                   "300",
+			disableTLSAnnotation:                        "true",
 		}))
 
 		values.GetMock.Set(func(path string) gjson.Result {
@@ -96,6 +97,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})
@@ -111,6 +114,7 @@ var _ = Describe("MigrationConfig", func() {
 		Expect(setValues).To(HaveKeyWithValue(completionTimeoutPerGiBValuesPath, 1200))
 		Expect(setValues).To(HaveKeyWithValue(parallelOutboundMigrationsPerNodeValuesPath, 5))
 		Expect(setValues).To(HaveKeyWithValue(progressTimeoutValuesPath, 300))
+		Expect(setValues).To(HaveKeyWithValue(disableTLSValuesPath, true))
 	})
 
 	It("Should set defaults when no annotations present", func() {
@@ -126,6 +130,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: 9999}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: 9999}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.True}
 			}
 			return gjson.Result{}
 		})
@@ -141,6 +147,7 @@ var _ = Describe("MigrationConfig", func() {
 		Expect(setValues).To(HaveKeyWithValue(completionTimeoutPerGiBValuesPath, defaultCompletionTimeoutPerGiB))
 		Expect(setValues).To(HaveKeyWithValue(parallelOutboundMigrationsPerNodeValuesPath, defaultParallelOutboundMigrationsPerNode))
 		Expect(setValues).To(HaveKeyWithValue(progressTimeoutValuesPath, defaultProgressTimeout))
+		Expect(setValues).To(HaveKeyWithValue(disableTLSValuesPath, defaultDisableTLS))
 	})
 
 	It("Should not set values when current matches target", func() {
@@ -149,6 +156,7 @@ var _ = Describe("MigrationConfig", func() {
 			completionTimeoutPerGiBAnnotation:           "800",
 			parallelOutboundMigrationsPerNodeAnnotation: "1",
 			progressTimeoutAnnotation:                   "150",
+			disableTLSAnnotation:                        "false",
 		}))
 
 		values.GetMock.Set(func(path string) gjson.Result {
@@ -161,6 +169,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})
@@ -175,6 +185,8 @@ var _ = Describe("MigrationConfig", func() {
 
 		values.GetMock.Set(func(path string) gjson.Result {
 			switch path {
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			case bandwidthPerMigrationValuesPath:
 				return gjson.Result{Type: gjson.String, Str: defaultBandwidthPerMigration}
 			default:
@@ -189,6 +201,35 @@ var _ = Describe("MigrationConfig", func() {
 		))))
 	})
 
+	It("Should fail on invalid boolean annotation", func() {
+		setSnapshots(newSnapshot(map[string]string{
+			disableTLSAnnotation: "not-a-bool",
+		}))
+
+		values.GetMock.Set(func(path string) gjson.Result {
+			switch path {
+			case bandwidthPerMigrationValuesPath:
+				return gjson.Result{Type: gjson.String, Str: defaultBandwidthPerMigration}
+			case completionTimeoutPerGiBValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultCompletionTimeoutPerGiB}
+			case parallelOutboundMigrationsPerNodeValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
+			case progressTimeoutValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
+			default:
+				return gjson.Result{}
+			}
+		})
+
+		err := reconcile(context.Background(), newInput())
+		Expect(err).To(MatchError(ContainSubstring(fmt.Sprintf(
+			"failed to parse %q annotation:",
+			disableTLSAnnotation,
+		))))
+	})
+
 	It("Should set only one param from annotation and defaults for the rest", func() {
 		setSnapshots(newSnapshot(map[string]string{
 			parallelOutboundMigrationsPerNodeAnnotation: "5",
@@ -204,6 +245,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})

images/virtualization-artifact/pkg/controller/livemigration/internal/dynamic_settings_handler_test.go

@@ -108,6 +108,26 @@ var _ = Describe("TestDynamicSettingsHandler", func() {
 
 			Expect(kvvmi.Status.MigrationState.MigrationConfiguration).ShouldNot(BeNil(), "Should set migrationConfiguration")
 		})
+
+		It("Should propagate DisableTLS from KubeVirt config", func() {
+			vm := newVM()
+			kvvmi := newKVVMI()
+			kvvmi.Status.MigrationState = &virtv1.VirtualMachineInstanceMigrationState{}
+
+			kvConfig := newKVConfig()
+			kvConfig.Spec.Configuration.MigrationConfiguration = &virtv1.MigrationConfiguration{
+				DisableTLS: ptr.To(true),
+			}
+
+			fakeClient := setupEnvironment(kvvmi, vm, kvConfig)
+			h := NewDynamicSettingsHandler(fakeClient)
+			_, err := h.Handle(ctx, kvvmi)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(kvvmi.Status.MigrationState.MigrationConfiguration).ShouldNot(BeNil(), "Should set migrationConfiguration")
+			Expect(kvvmi.Status.MigrationState.MigrationConfiguration.DisableTLS).ShouldNot(BeNil(), "Should propagate DisableTLS")
+			Expect(*kvvmi.Status.MigrationState.MigrationConfiguration.DisableTLS).To(BeTrue())
+		})
 	})
 
 	When("Observe KVVMI with completed migration", func() {

images/virtualization-artifact/pkg/livemigration/migration_configuration.go

@@ -63,6 +63,10 @@ func NewMigrationConfiguration(allowAutoConverge bool, kvconfig virtv1.KubeVirt)
 	progressTimeout := MigrationProgressTimeout
 	completionTimeoutPerGiB := MigrationCompletionTimeoutPerGiB
 	defaultUnsafeMigrationOverride := DefaultUnsafeMigrationOverride
+	disableTLS := false
+	if kvconfig.Spec.Configuration.MigrationConfiguration != nil && kvconfig.Spec.Configuration.MigrationConfiguration.DisableTLS != nil {
+		disableTLS = *kvconfig.Spec.Configuration.MigrationConfiguration.DisableTLS
+	}
 	allowPostCopy := MigrationAllowPostCopy
 	allowWorkloadDisruption := MigrationAllowWorkloadDisruption
 
@@ -77,7 +81,7 @@ func NewMigrationConfiguration(allowAutoConverge bool, kvconfig virtv1.KubeVirt)
 		AllowAutoConverge:                 &allowAutoConverge,
 		AllowPostCopy:                     &allowPostCopy,
 		AllowWorkloadDisruption:           &allowWorkloadDisruption,
-		DisableTLS:                        nil,
+		DisableTLS:                        &disableTLS,
 		Network:                           nil,
 		MatchSELinuxLevelOnMigration:      nil,
 	}

openapi/values.yaml

@@ -141,6 +141,8 @@ properties:
             type: integer
           progressTimeout:
             type: integer
+          disableTLS:
+            type: boolean
       moduleConfig:
         type: object
         additionalProperties: true

templates/kubevirt/_kubevirt_helpers.tpl

@@ -102,9 +102,14 @@ spec:
 {{- .Values.virtualization.internal | dig "virtConfig" "progressTimeout" 150 -}}
 {{- end -}}
 
+{{- define "kubevirt.disable_tls" -}}
+{{- .Values.virtualization.internal | dig "virtConfig" "disableTLS" false -}}
+{{- end -}}
+
 {{- define "kubevirt.migrations" -}}
 bandwidthPerMigration: {{ include "kubevirt.bandwidth_per_migration" . }}
 completionTimeoutPerGiB: {{ include "kubevirt.completion_timeout_per_gib" . }}
+disableTLS: {{ include "kubevirt.disable_tls" . }}
 parallelMigrationsPerCluster: {{ include "kubevirt.parallel_migrations_per_cluster" . }}
 parallelOutboundMigrationsPerNode: {{ include "kubevirt.parallel_outbound_migrations_per_node" . }}
 progressTimeout: {{ include "kubevirt.progress_timeout" . }}

tools/kubeconform/fixtures/module-values.yaml

@@ -402,6 +402,7 @@ virtualization:
       phase: Deployed
       bandwidthPerMigration: 640Mi
       completionTimeoutPerGiB: 800
+      disableTLS: false
       parallelMigrationsPerCluster: 2
       parallelOutboundMigrationsPerNode: 10
       progressTimeout: 150