Create new migrations/v1alpha1 group version for migration policies

- Adjust functests and move rbac permissions from virt-handler to virt-controller
- Refactor - Use migration's ResourceMigrationPolicies and GroupName
    These strings were duplicated in a lot of places in the code.
    Also delete left-over debug logs
- Add selectors to MigrationPolicy
- Move api from client-go to align with PR kubevirt#6802
- Change MigrationPolicy CRD scope to Cluster instead of Namespace
- Adjust tests to not fail (although some of them don't make
sense ATM)
- Migration policy admitter test is currently commented out

Signed-off-by: Itamar Holder <[email protected]>

hack/generate.sh

@@ -15,8 +15,9 @@ swagger-doc -in ${KUBEVIRT_DIR}/staging/src/kubevirt.io/api/core/v1/schema.go
 swagger-doc -in ${KUBEVIRT_DIR}/staging/src/kubevirt.io/api/snapshot/v1alpha1/types.go
 swagger-doc -in ${KUBEVIRT_DIR}/staging/src/kubevirt.io/api/flavor/v1alpha1/types.go
 swagger-doc -in ${KUBEVIRT_DIR}/staging/src/kubevirt.io/api/pool/v1alpha1/types.go
+swagger-doc -in ${KUBEVIRT_DIR}/staging/src/kubevirt.io/api/migrations/v1alpha1/types.go
 
-deepcopy-gen --input-dirs kubevirt.io/api/snapshot/v1alpha1,kubevirt.io/api/flavor/v1alpha1,kubevirt.io/api/pool/v1alpha1,kubevirt.io/api/core/v1 \
+deepcopy-gen --input-dirs kubevirt.io/api/snapshot/v1alpha1,kubevirt.io/api/flavor/v1alpha1,kubevirt.io/api/pool/v1alpha1,kubevirt.io/api/migrations/v1alpha1,kubevirt.io/api/core/v1 \
     --bounding-dirs kubevirt.io/api \
     --go-header-file ${KUBEVIRT_DIR}/hack/boilerplate/boilerplate.go.txt
 
@@ -25,7 +26,7 @@ defaulter-gen --input-dirs kubevirt.io/api/core/v1 \
     --output-package kubevirt.io/api/core/v1 \
     --go-header-file ${KUBEVIRT_DIR}/hack/boilerplate/boilerplate.go.txt
 
-openapi-gen --input-dirs kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1,k8s.io/apimachinery/pkg/util/intstr,k8s.io/apimachinery/pkg/api/resource,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/api/core/v1,k8s.io/apimachinery/pkg/apis/meta/v1,kubevirt.io/api/core/v1,kubevirt.io/api/snapshot/v1alpha1,kubevirt.io/api/flavor/v1alpha1,kubevirt.io/api/pool/v1alpha1 \
+openapi-gen --input-dirs kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1,k8s.io/apimachinery/pkg/util/intstr,k8s.io/apimachinery/pkg/api/resource,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/api/core/v1,k8s.io/apimachinery/pkg/apis/meta/v1,kubevirt.io/api/core/v1,kubevirt.io/api/snapshot/v1alpha1,kubevirt.io/api/flavor/v1alpha1,kubevirt.io/api/pool/v1alpha1,kubevirt.io/api/migrations/v1alpha1 \
     --output-base ${KUBEVIRT_DIR}/staging/src \
     --output-package kubevirt.io/client-go/api/ \
     --go-header-file ${KUBEVIRT_DIR}/hack/boilerplate/boilerplate.go.txt >${KUBEVIRT_DIR}/api/api-rule-violations.list
@@ -41,7 +42,7 @@ fi
 
 client-gen --clientset-name versioned \
     --input-base kubevirt.io/api \
-    --input snapshot/v1alpha1,flavor/v1alpha1,pool/v1alpha1 \
+    --input snapshot/v1alpha1,flavor/v1alpha1,pool/v1alpha1,migrations/v1alpha1 \
     --output-base ${KUBEVIRT_DIR}/staging/src \
     --output-package ${CLIENT_GEN_BASE}/kubevirt/clientset \
     --go-header-file ${KUBEVIRT_DIR}/hack/boilerplate/boilerplate.go.txt
@@ -96,6 +97,9 @@ deepcopy-gen --input-dirs ./pkg/virt-launcher/virtwrap/api \
     #include pool
     GOFLAGS= controller-gen crd paths=../api/pool/v1alpha1/
 
+    #include migrations
+    GOFLAGS= controller-gen crd paths=../api/migrations/v1alpha1/
+
     #remove some weird stuff from controller-gen
     cd config/crd
     for file in *; do

manifests/generated/operator-csv.yaml.in

@@ -443,7 +443,7 @@ spec:
           - list
           - watch
         - apiGroups:
-          - kubevirt.io
+          - migrations.kubevirt.io
           resources:
           - migrationpolicies
           verbs:
@@ -642,6 +642,20 @@ spec:
           verbs:
           - list
           - watch
+        - apiGroups:
+          - migrations.kubevirt.io
+          resources:
+          - migrationpolicies
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - namespaces
+          verbs:
+          - get
         - apiGroups:
           - kubevirt.io
           resources:
@@ -691,19 +705,13 @@ spec:
           - list
           - watch
         - apiGroups:
-          - kubevirt.io
+          - migrations.kubevirt.io
           resources:
           - migrationpolicies
           verbs:
           - get
           - list
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
-          - get
         - apiGroups:
           - ""
           resources:
@@ -808,6 +816,14 @@ spec:
           - list
           - watch
           - deletecollection
+        - apiGroups:
+          - migrations.kubevirt.io
+          resources:
+          - migrationpolicies
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - subresources.kubevirt.io
           resources:
@@ -900,6 +916,14 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - migrations.kubevirt.io
+          resources:
+          - migrationpolicies
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - subresources.kubevirt.io
           resources:
@@ -947,6 +971,14 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - migrations.kubevirt.io
+          resources:
+          - migrationpolicies
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - authentication.k8s.io
           resources:

manifests/generated/rbac-operator.authorization.k8s.yaml.in

@@ -345,7 +345,7 @@ rules:
   - list
   - watch
 - apiGroups:
-  - kubevirt.io
+  - migrations.kubevirt.io
   resources:
   - migrationpolicies
   verbs:
@@ -544,6 +544,20 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - migrations.kubevirt.io
+  resources:
+  - migrationpolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
 - apiGroups:
   - kubevirt.io
   resources:
@@ -593,19 +607,13 @@ rules:
   - list
   - watch
 - apiGroups:
-  - kubevirt.io
+  - migrations.kubevirt.io
   resources:
   - migrationpolicies
   verbs:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -710,6 +718,14 @@ rules:
   - list
   - watch
   - deletecollection
+- apiGroups:
+  - migrations.kubevirt.io
+  resources:
+  - migrationpolicies
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - subresources.kubevirt.io
   resources:
@@ -802,6 +818,14 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - migrations.kubevirt.io
+  resources:
+  - migrationpolicies
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - subresources.kubevirt.io
   resources:
@@ -849,6 +873,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - migrations.kubevirt.io
+  resources:
+  - migrationpolicies
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - authentication.k8s.io
   resources:

pkg/virt-api/rest/BUILD.bazel

@@ -25,6 +25,8 @@ go_library(
         "//pkg/virt-config:go_default_library",
         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
         "//staging/src/kubevirt.io/api/flavor/v1alpha1:go_default_library",
+        "//staging/src/kubevirt.io/api/migrations:go_default_library",
+        "//staging/src/kubevirt.io/api/migrations/v1alpha1:go_default_library",
         "//staging/src/kubevirt.io/api/snapshot/v1alpha1:go_default_library",
         "//staging/src/kubevirt.io/client-go/kubecli:go_default_library",
         "//staging/src/kubevirt.io/client-go/log:go_default_library",

pkg/virt-api/rest/definitions.go

@@ -25,6 +25,10 @@ import (
 	"reflect"
 	"strings"
 
+	"kubevirt.io/api/migrations"
+
+	migrationsv1 "kubevirt.io/api/migrations/v1alpha1"
+
 	restful "github.com/emicklei/go-restful"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -42,6 +46,7 @@ func ComposeAPIDefinitions() []*restful.WebService {
 		kubevirtApiServiceDefinitions,
 		snapshotApiServiceDefinitions,
 		flavorApiServiceDefinitions,
+		migrationPoliciesApiServiceDefinitions,
 	} {
 		result = append(result, f()...)
 	}
@@ -131,6 +136,26 @@ func snapshotApiServiceDefinitions() []*restful.WebService {
 	return []*restful.WebService{ws, ws2}
 }
 
+func migrationPoliciesApiServiceDefinitions() []*restful.WebService {
+	mpGVR := migrationsv1.SchemeGroupVersion.WithResource(migrations.ResourceMigrationPolicies)
+
+	ws, err := GroupVersionProxyBase(schema.GroupVersion{Group: migrationsv1.SchemeGroupVersion.Group, Version: migrationsv1.SchemeGroupVersion.Version})
+	if err != nil {
+		panic(err)
+	}
+
+	ws, err = GenericClusterResourceProxy(ws, mpGVR, &migrationsv1.MigrationPolicy{}, migrationsv1.MigrationPolicyKind.Kind, &migrationsv1.MigrationPolicyList{})
+	if err != nil {
+		panic(err)
+	}
+
+	ws2, err := ResourceProxyAutodiscovery(mpGVR)
+	if err != nil {
+		panic(err)
+	}
+	return []*restful.WebService{ws, ws2}
+}
+
 func flavorApiServiceDefinitions() []*restful.WebService {
 	flavorGVR := flavorv1alpha1.SchemeGroupVersion.WithResource("virtualmachineflavors")
 	clusterFlavorGVR := flavorv1alpha1.SchemeGroupVersion.WithResource("virtualmachineclusterflavors")

pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel

@@ -35,6 +35,8 @@ go_library(
         "//staging/src/kubevirt.io/api/core:go_default_library",
         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
         "//staging/src/kubevirt.io/api/flavor/v1alpha1:go_default_library",
+        "//staging/src/kubevirt.io/api/migrations:go_default_library",
+        "//staging/src/kubevirt.io/api/migrations/v1alpha1:go_default_library",
         "//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library",
         "//staging/src/kubevirt.io/api/snapshot/v1alpha1:go_default_library",
         "//staging/src/kubevirt.io/client-go/kubecli:go_default_library",

pkg/virt-api/webhooks/validating-webhook/admitters/migrationpolicy-admitter.go

@@ -23,13 +23,13 @@ import (
 	"encoding/json"
 	"fmt"
 
-	v12 "kubevirt.io/client-go/apis/core/v1"
+	"kubevirt.io/api/migrations"
+
+	migrationsv1 "kubevirt.io/api/migrations/v1alpha1"
 
 	admissionv1 "k8s.io/api/admission/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	v1 "kubevirt.io/client-go/api/v1"
 	"kubevirt.io/client-go/kubecli"
 	webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks"
 )
@@ -48,12 +48,12 @@ func NewMigrationPolicyAdmitter(client kubecli.KubevirtClient) *MigrationPolicyA
 
 // Admit validates an AdmissionReview
 func (admitter *MigrationPolicyAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
-	if ar.Request.Resource.Group != v1.MigrationPolicyKind.Group ||
-		ar.Request.Resource.Resource != "migrationpolicies" {
+	if ar.Request.Resource.Group != migrationsv1.MigrationPolicyKind.Group ||
+		ar.Request.Resource.Resource != migrations.ResourceMigrationPolicies {
 		return webhookutils.ToAdmissionResponseError(fmt.Errorf("unexpected resource %+v", ar.Request.Resource))
 	}
 
-	policy := &v12.MigrationPolicy{}
+	policy := &migrationsv1.MigrationPolicy{}
 	err := json.Unmarshal(ar.Request.Object.Raw, policy)
 	if err != nil {
 		return webhookutils.ToAdmissionResponseError(err)
@@ -63,28 +63,7 @@ func (admitter *MigrationPolicyAdmitter) Admit(ar *admissionv1.AdmissionReview)
 
 	switch ar.Request.Operation {
 	case admissionv1.Create:
-		policies, err := admitter.Client.MigrationPolicy(ar.Request.Namespace).List(&metav1.ListOptions{})
-
-		if errors.IsNotFound(err) {
-			// That's perfectly fine
-		} else if err != nil {
-			return webhookutils.ToAdmissionResponseError(err)
-		}
-
-		if policiesFound := len(policies.Items); policiesFound > 0 {
-			const errMessage = "%s namespace already has a policy named %s defined; number of policies per namespace must be at most 1"
-			return webhookutils.ToAdmissionResponseError(fmt.Errorf(errMessage, ar.Request.Namespace, policies.Items[0].Name))
-		}
-
-		for _, existingPolicy := range policies.Items {
-			if existingPolicy.Name != ar.Request.Name {
-				const errMessage = "a migration policy (named %s) creation is denied since another migration policy (named %s) " +
-					"already exists in this namespace (%s). Please remove existing policy to add the current one, or update " +
-					"the existing policy"
-				return webhookutils.ToAdmissionResponseError(fmt.Errorf(errMessage, ar.Request.Name, existingPolicy.Name,
-					ar.Request.Namespace))
-			}
-		}
+		break
 
 	case admissionv1.Update:
 		break