Hello community, here is the log from the commit of package kubevirt for openSUSE:Factory checked in at 2020-11-06 23:45:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kubevirt (Old) and /work/SRC/openSUSE:Factory/.kubevirt.new.11331 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubevirt" Fri Nov 6 23:45:43 2020 rev:5 rq:846542 version:0.34.0 Changes: --------
--- /work/SRC/openSUSE:Factory/kubevirt/kubevirt.changes 2020-11-03 15:16:31.980038157 +0100
+++ /work/SRC/openSUSE:Factory/.kubevirt.new.11331/kubevirt.changes 2020-11-06 23:46:42.867077454 +0100
@@ -1,0 +2,11 @@
+Fri Nov 6 19:40:12 UTC 2020 - James Fehlig <[email protected]>
+
+- spec: Generate the registry path for kubevirt-operator.yaml at
+ build time. Prjconf macro 'registry_path' can be used to
+ override registry path to the KubeVirt container images
+- spec: Add kubevirt-psp-caasp.yaml, a PSP based on CaaSP
+ privileged PSP, to the manifests subpackage
+- spec: Don't add component name to DOCKER_PREFIX passed to
+ build-manifests.sh
+
+-------------------------------------------------------------------
New: ---- kubevirt-psp-caasp.yaml ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubevirt.spec ++++++
--- /var/tmp/diff_new_pack.jXH8eF/_old 2020-11-06 23:46:43.471076293 +0100
+++ /var/tmp/diff_new_pack.jXH8eF/_new 2020-11-06 23:46:43.475076285 +0100
@@ -24,6 +24,7 @@
 Group: System/Packages
 URL: https://github.com/kubevirt/kubevirt
 Source0: %{name}-%{version}.tar.gz
+Source1: kubevirt-psp-caasp.yaml
 BuildRequires: glibc-devel-static
 BuildRequires: golang-packaging
 BuildRequires: pkgconfig
@@ -98,6 +99,41 @@
 %autosetup -p1
 %build
+# Hackery to determine which registry path to use in kubevirt-operator.yaml
+# when building the manifests
+#
+# The 'registry_path' macro can be used to define an explicit path in the
+# project config, e.g.
+#
+# Macros:
+# %registry_path registry.opensuse.org/Virtualization/container
+# :Macros
+#
+# 'registry_path' can also be defined when building locally, e.g.
+#
+# osc build --define='registry_path registry.opensuse.org/foo/bar/baz' ...
+#
+# If 'registry_path' is not specified, the standard publish location for SLE and
+# openSUSE-based containers is used.
+#
+# TODO:
+# 1. Determine "standard publish location" for SLE and openSUSE variants
+# 2. Support Leap when 1 is done
+#
+%if "%{?registry_path}" == ""
+distro='%{?sle_version}:%{is_opensuse}'
+case "${distro}" in
+ 150200:0)
+ reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.2' ;;
+ 150300:0)
+ reg_path='registry.suse.de/suse/containers/sle-server/15/containers/suse/sles/15.3' ;;
+ *)
+ reg_path='registry.opensuse.org/virtualization/container/opensuse/tumbleweed' ;;
+esac
+%else
+reg_path='%{registry_path}'
+%endif
+
 mkdir -p go/src/kubevirt.io go/pkg
 ln -s ../../../ go/src/kubevirt.io/kubevirt
 export GOPATH=${PWD}/go
@@ -120,7 +156,8 @@
 cmd/virt-operator \
 tools/csv-generator \
 %{nil}
-env DOCKER_PREFIX=registry.opensuse.org/opensuse/tumbleweed/virt-operator DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2
+
+env DOCKER_PREFIX=$reg_path DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2
 %install
 mkdir -p %{buildroot}%{_bindir}
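Review bot: The `*)` arm of the `case "${distro}"` block sends every build that is not one of the two listed SLE service packs to the Tumbleweed registry path, so a Leap or later SLE build silently produces an operator manifest that pulls its images from a registry nobody chose for that distribution. Because those images end up running as virt-operator and virt-handler, an unrecognised distro should stop the build rather than guess: give Tumbleweed its own explicit arm and make the default `*) echo "no registry path known for ${distro}; define registry_path" >&2; exit 1 ;;`. The `distro=` line also uses `%{is_opensuse}` without the `?`, so on a target where that macro is undefined the literal macro text lands in the string; `%{?is_opensuse}` matches how `sle_version` is read on the same line.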
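Review bot: `$reg_path` is expanded unquoted on the new `env` line, and in the `%else` branch of the previous hunk its value is the `registry_path` macro text copied verbatim. A value containing whitespace would be word-split, and `env` would treat the extra words as further variable assignments or as the command to run instead of `./hack/build-manifests.sh`. Quote the expansion, `env DOCKER_PREFIX="${reg_path}" DOCKER_TAG=%{version} ./hack/build-manifests.sh --skipj2`, and consider rejecting a `registry_path` that contains anything other than registry-path characters before it is used.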
@@ -137,6 +174,11 @@
 mkdir -p %{buildroot}%{_datadir}/kube-virt
 cp -r _out/manifests %{buildroot}%{_datadir}/kube-virt/
+# TODO:
+# Create a proper Pod Security Policy (PSP) for KubeVirt. For now, add one
+# that uses the CaaSP privileged PSP. It can be used with CaaSP-based
+# Kubernetes clusters.
+install -m 644 %{S:1} %{buildroot}/%{_datadir}/kube-virt/manifests/release/
 %files virtctl
 %license LICENSE
++++++ kubevirt-psp-caasp.yaml ++++++
# # A KubeVirt PSP for CaaSP-based Kubernetes clusters that makes use of the # CaaSP privileged PSP. # # After the KubeVirt operator has sucessfully deployed the KubeVirt service, # this PSP can be deployed to the cluster, giving virt-operator and # virt-handler access to cluster operations necessary for virtual machine # management. # # kubectl apply -f /usr/share/kube-virt/manifests/release/kubevirt-psp-caasp.yaml # apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kubevirt-controller-caasp rules: - apiGroups: - policy resources: - podsecuritypolicies verbs: - use resourceNames: - suse.caasp.psp.privileged --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kubevirt-handler-caasp rules: - apiGroups: - policy resources: - podsecuritypolicies verbs: - use resourceNames: - suse.caasp.psp.privileged --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubevirt-controller-caasp roleRef: kind: ClusterRole name: kubevirt-controller-caasp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: kubevirt-controller namespace: kubevirt --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubevirt-handler-caasp roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubevirt-handler-caasp subjects: - kind: ServiceAccount name: kubevirt-handler namespace: kubevirt --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubevirt-controller-caasp roleRef: kind: Role
name: kubevirt-controller-caasp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: kubevirt-controller namespace: kubevirt --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubevirt-handler-caasp roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubevirt-handler-caasp subjects: - kind: ServiceAccount name: kubevirt-handler namespace: kubevirt
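Review bot: The two `RoleBinding` objects at the end of kubevirt-psp-caasp.yaml reference `kind: Role` named `kubevirt-controller-caasp` and `kubevirt-handler-caasp`, but the file defines only `ClusterRole` objects with those names, so as written these bindings point at roles that do not exist and grant nothing. They also carry no `metadata.namespace`, so they are created in whatever namespace the `kubectl apply` context happens to select. Both service accounts live in `kubevirt`, so a namespaced binding is enough to grant `use` on `suse.caasp.psp.privileged`: set `kind: ClusterRole` in each `roleRef`, add `namespace: kubevirt` under `metadata`, and then drop the two `ClusterRoleBinding` objects so the privileged PSP is not granted cluster-wide. The header comment names virt-operator, while the subjects actually bound are `kubevirt-controller` and `kubevirt-handler`; it should list the accounts that receive the PSP.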
