Merge 426ed47 into 9d5c6f3

BUILD.bazel

@@ -55,6 +55,7 @@ container_bundle(
         "$(container_prefix)/cdi-uploadserver:$(container_tag)": "//cmd/cdi-uploadserver:cdi-uploadserver-image",
         # test images
         "$(container_prefix)/cdi-func-test-bad-webserver:$(container_tag)": "//tools/cdi-func-test-bad-webserver:cdi-func-test-bad-webserver-image",
+        "$(container_prefix)/cdi-func-test-proxy:$(container_tag)": "//tools/cdi-func-test-proxy:cdi-func-test-proxy-image",
         "$(container_prefix)/cdi-func-test-file-host-init:$(container_tag)": "//tools/cdi-func-test-file-host-init:cdi-func-test-file-host-init-image",
         "$(container_prefix)/cdi-func-test-file-host-http:$(container_tag)": "//tools/cdi-func-test-file-host-init:cdi-func-test-file-host-http-image",
         "$(container_prefix)/cdi-func-test-registry-init:$(container_tag)": "//tools/cdi-func-test-registry-init:cdi-func-test-registry-init-image",

api/openapi-spec/swagger.json

@@ -3442,6 +3442,10 @@
       "description": "FilesystemOverhead describes the space reserved for overhead when using Filesystem volumes. A value is between 0 and 1, if not defined it is 0.055 (5.5% overhead)",
       "$ref": "#/definitions/v1beta1.FilesystemOverhead"
      },
+     "importProxy": {
+      "description": "ImportProxy contains importer pod proxy configuration.",
+      "$ref": "#/definitions/v1beta1.ImportProxy"
+     },
      "podResourceRequirements": {
       "description": "ResourceRequirements describes the compute resource requirements.",
       "$ref": "#/definitions/v1.ResourceRequirements"
@@ -3472,6 +3476,10 @@
       "description": "FilesystemOverhead describes the space reserved for overhead when using Filesystem volumes. A percentage value is between 0 and 1",
       "$ref": "#/definitions/v1beta1.FilesystemOverhead"
      },
+     "importProxy": {
+      "description": "ImportProxy contains importer pod proxy configuration.",
+      "$ref": "#/definitions/v1beta1.ImportProxy"
+     },
      "preallocation": {
       "description": "Preallocation controls whether storage for DataVolumes should be allocated in advance.",
       "type": "boolean"
@@ -3935,6 +3943,28 @@
      }
     }
    },
+   "v1beta1.ImportProxy": {
+    "description": "ImportProxy provides the information on how to configure the importer pod proxy.",
+    "type": "object",
+    "properties": {
+     "HTTPProxy": {
+      "description": "HTTPProxy is the URL http://\u003cusername\u003e:\u003cpswd\u003e@\u003cip\u003e:\u003cport\u003e of the import proxy for HTTP requests.  Empty means unset and will not result in the import pod env var. If username and pswd is given in the URL, the CDIConfig controller will crete a secret trusted-ca-proxy-bundle-crt with both the accessKeyId and secretKey keys. Here is an example of the Secret (in yaml):\n\napiVersion: v1 kind: Secret metadata: name: trusted-ca-proxy-bundle-crt labels:\n  app: containerized-data-importer\ntype: Opaque data:\n  accessKeyId: \"\"  # \u003coptional: your key or user name, base64 encoded\u003e\n\t secretKey:    \"\" # \u003coptional: your secret or password, base64 encoded\u003e",
+      "type": "string"
+     },
+     "HTTPSProxy": {
+      "description": "HTTPSProxy is the URL https://\u003cusername\u003e:\u003cpswd\u003e@\u003cip\u003e:\u003cport\u003e of the import proxy for HTTPS requests.  Empty means unset and will not result in the import pod env var. If username and pswd is given in the URL, the CDIConfig controller will crete a secret trusted-ca-proxy-bundle-crt with both the accessKeyId and secretKey keys.",
+      "type": "string"
+     },
+     "noProxy": {
+      "description": "NoProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used. Empty means unset and will not result in the import pod env var.",
+      "type": "string"
+     },
+     "trustedCAProxy": {
+      "description": "TrustedCAProxy is the name of a ConfigMap in the cdi namespace that contains a user-provided trusted certificate authority (CA) bundle. The TrustedCAProxy field is consumed by the import controller that is resposible for coping it to a config map named trusted-ca-proxy-bundle-cm in the cdi namespace. Here is an example of the ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n  name: trusted-ca-proxy-bundle-cm\n  namespace: cdi\ndata:\n  ca.pem: |\n    -----BEGIN CERTIFICATE-----\n\t   ... \u003cbase64 encoded cert\u003e ...\n\t   -----END CERTIFICATE-----",
+      "type": "string"
+     }
+    }
+   },
    "v1beta1.UploadTokenRequest": {
     "description": "UploadTokenRequest is the CR used to initiate a CDI upload",
     "type": "object",

cluster-sync/sync-os-ci.sh

@@ -95,6 +95,7 @@ configure_storage
 _kubectl apply -f "./_out/manifests/bad-webserver.yaml"
 _kubectl apply -f "./_out/manifests/file-host.yaml"
 _kubectl apply -f "./_out/manifests/registry-host.yaml"
+_kubectl apply -f "./_out/manifests/test-proxy.yaml"
 # Imageio test service:
 _kubectl apply -f "./_out/manifests/imageio.yaml"
 # vCenter (VDDK) test service:

cluster-sync/sync.sh

@@ -118,6 +118,7 @@ if [ "${KUBEVIRT_PROVIDER}" != "external" ] && [ "${CDI_SYNC}" == "test-infra" ]
   _kubectl apply -f "./_out/manifests/bad-webserver.yaml"
   _kubectl apply -f "./_out/manifests/file-host.yaml"
   _kubectl apply -f "./_out/manifests/registry-host.yaml"
+  _kubectl apply -f "./_out/manifests/test-proxy.yaml"
   # Imageio test service:
   _kubectl apply -f "./_out/manifests/imageio.yaml"
   # vCenter (VDDK) test service:

cmd/cdi-operator/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
         "//pkg/apis/core/v1beta1:go_default_library",
         "//pkg/operator/controller:go_default_library",
         "//pkg/util:go_default_library",
+        "//vendor/github.com/openshift/api/config/v1:go_default_library",
         "//vendor/github.com/openshift/api/route/v1:go_default_library",
         "//vendor/github.com/openshift/api/security/v1:go_default_library",
         "//vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:go_default_library",

cmd/cdi-operator/operator.go

@@ -22,6 +22,7 @@ import (
 	"os"
 	"runtime"
 
+	ocpconfigv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	secv1 "github.com/openshift/api/security/v1"
 	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -105,6 +106,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := ocpconfigv1.Install(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
 	// Setup the controller
 	if err := controller.Add(mgr); err != nil {
 		log.Error(err, "")

doc/cdi-config.md

@@ -16,7 +16,7 @@ CDI configuration in specified by administrators in the `spec.config` of the `CD
 | global                   | "0.055"       | The amount to reserve for a Filesystem volume unless a per-storageClass value is chosen.                                                                                                                                     |
 | storageClass             | nil           | A value of `local: "0.6"` is understood to mean that the overhead for the local storageClass is 0.6.                                                                                                                         |
 | preallocation            | nil           | Preallocation setting to use unless a per-dataVolume value is set                                                                                                                                                            |
-
+| ImportProxy              | nil           | updated when a CDIConfig is updated or when Cluster Wide-Proxy (Openshift) is updated. If `ImportProxy` is set, importer pod URL will be ignored and `ImportProxy.HTTPSProxy` or `ImportProxy.HTTPProxy` will be updated with the user defined URL. HTTPS has priority. If `ImportProxy.NoProxy` is set, the proxy URL will be ignored if it contains any of the listed hostnames and/or CIDRs. If `ImportProxy.HTTPSProxy` is set, the `ImportProxy.TrustedCAProxy` must be provided. |
 ### Example
 
 ```bash

hack/README.md

@@ -248,6 +248,7 @@ not supported, then you can use the following example to run Functional Tests.
    Run servers
    ```
    # ./cluster-up/kubectl.sh apply -f ./_out/manifests/bad-webserver.yaml
+   # ./cluster-up/kubectl.sh apply -f ./_out/manifests/test-proxy.yaml
    # ./cluster-up/kubectl.sh apply -f ./_out/manifests/file-host.yaml
    # ./cluster-up/kubectl.sh apply -f ./_out/manifests/registry-host.yaml
    # ./cluster-up/kubectl.sh apply -f ./_out/manifests/imageio.yaml

hack/build/config.sh

@@ -25,12 +25,13 @@ FUNC_TEST_REGISTRY="cdi-func-test-registry"
 FUNC_TEST_REGISTRY_POPULATE="cdi-func-test-registry-populate"
 FUNC_TEST_REGISTRY_INIT="cdi-func-test-registry-init"
 FUNC_TEST_BAD_WEBSERVER="cdi-func-test-bad-webserver"
+FUNC_TEST_PROXY="cdi-func-test-proxy"
 # update this whenever builder Dockerfile is updated
 BUILDER_TAG=${BUILDER_TAG:-0.0.10}
 BUILDER_IMAGE=${BUILDER_IMAGE:-kubevirt/kubevirt-cdi-bazel-builder@sha256:13de53f8b31aed4b1b66ac9533ab27d29e0dde8d70eba28908673085d9b0fe39
 }
 
-BINARIES="cmd/${OPERATOR} cmd/${CONTROLLER} cmd/${IMPORTER} cmd/${CLONER} cmd/${APISERVER} cmd/${UPLOADPROXY} cmd/${UPLOADSERVER} cmd/${OPERATOR} tools/${FUNC_TEST_INIT} tools/${FUNC_TEST_REGISTRY_INIT} tools/${FUNC_TEST_BAD_WEBSERVER}"
+BINARIES="cmd/${OPERATOR} cmd/${CONTROLLER} cmd/${IMPORTER} cmd/${CLONER} cmd/${APISERVER} cmd/${UPLOADPROXY} cmd/${UPLOADSERVER} cmd/${OPERATOR} tools/${FUNC_TEST_INIT} tools/${FUNC_TEST_REGISTRY_INIT} tools/${FUNC_TEST_BAD_WEBSERVER} tools/${FUNC_TEST_PROXY}"
 CDI_PKGS="cmd/ pkg/ test/"
 
 OPERATOR_MAIN="cmd/${OPERATOR}"
@@ -41,7 +42,7 @@ APISERVER_MAIN="cmd/${APISERVER}"
 UPLOADPROXY_MAIN="cmd/${UPLOADPROXY}"
 UPLOADSERVER_MAIN="cmd/${UPLOADSERVER}"
 
-DOCKER_IMAGES="cmd/${OPERATOR} cmd/${CONTROLLER} cmd/${IMPORTER} cmd/${CLONER} cmd/${APISERVER} cmd/${UPLOADPROXY} cmd/${UPLOADSERVER} cmd/${OPERATOR} tools/${FUNC_TEST_INIT} tools/${FUNC_TEST_HTTP} tools/${FUNC_TEST_REGISTRY} tools/${FUNC_TEST_REGISTRY_POPULATE} tools/${FUNC_TEST_REGISTRY_INIT} tools/${FUNC_TEST_BAD_WEBSERVER}"
+DOCKER_IMAGES="cmd/${OPERATOR} cmd/${CONTROLLER} cmd/${IMPORTER} cmd/${CLONER} cmd/${APISERVER} cmd/${UPLOADPROXY} cmd/${UPLOADSERVER} cmd/${OPERATOR} tools/${FUNC_TEST_INIT} tools/${FUNC_TEST_HTTP} tools/${FUNC_TEST_REGISTRY} tools/${FUNC_TEST_REGISTRY_POPULATE} tools/${FUNC_TEST_REGISTRY_INIT} tools/${FUNC_TEST_BAD_WEBSERVER} tools/${FUNC_TEST_PROXY}"
 DOCKER_PREFIX=${DOCKER_PREFIX:-kubevirt}
 CONTROLLER_IMAGE_NAME=${CONTROLLER_IMAGE_NAME:-cdi-controller}
 IMPORTER_IMAGE_NAME=${IMPORTER_IMAGE_NAME:-cdi-importer}

manifests/templates/test-proxy.yaml.in

@@ -0,0 +1,64 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cdi-test-proxy
+  namespace: {{ .Namespace }}
+  labels:
+    cdi.kubevirt.io/testing: ""
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: cdi-test-proxy
+  template:
+    metadata:
+      labels:
+        name: cdi-test-proxy
+        cdi.kubevirt.io/testing: ""
+    spec:
+      serviceAccountName: cdi-sa
+      containers:
+      - name: http
+        image: {{ .DockerRepo }}/cdi-func-test-proxy:{{ .DockerTag }}
+        imagePullPolicy: {{ .PullPolicy }}
+        command: ["/app/tools/cdi-func-test-proxy/cdi-func-test-proxy-image.binary"]
+        env:
+        - name: CDI_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        ports:
+        - name: http-no-auth
+          containerPort: 8080
+        - name: http-auth
+          containerPort: 8081
+        - name: https-no-auth
+          containerPort: 443
+        - name: https-auth
+          containerPort: 8443
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cdi-test-proxy
+  namespace: {{ .Namespace }}
+  labels:
+    cdi.kubevirt.io/testing: ""
+spec:
+  selector:
+      name: cdi-test-proxy
+  type: NodePort
+  ports:
+  - name: http-no-auth
+    port: 8080
+    targetPort: 8080
+  - name: http-auth
+    port: 8081
+    targetPort: 8081
+  - name: https-no-auth
+    port: 443
+    targetPort: 443
+  - name: https-auth
+    port: 8443
+    targetPort: 8443