Merge branch 'main' of https://git.kvant.cloud/phoenix-oss/tenant-demo

.gitattributes

@@ -0,0 +1,3 @@
+*.sh	text eol=lf
+*.yml	text eol=lf
+*.yaml	text eol=lf

.gitignore

@@ -0,0 +1,33 @@
+# Eclipse
+.project
+.classpath
+.settings/
+bin/
+
+# IntelliJ
+.idea
+*.ipr
+*.iml
+*.iws
+
+# NetBeans
+nb-configuration.xml
+
+# Visual Studio Code
+.vscode
+.factorypath
+
+# OSX
+.DS_Store
+
+# Vim
+*.swp
+*.swo
+
+# patch
+*.orig
+*.rej
+
+# Local environment
+.env
+

container/debug/alpine.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine-test
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  containers:
+    - name: alpine
+      image: alpine:latest
+      command: ["/bin/sh"]
+      args: ["-c", "while true; do sleep 3600; done"]
+      stdin: true
+      tty: true
+  restartPolicy: Never

container/debug2/alpine.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine-test2
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  containers:
+    - name: alpine2
+      image: alpine:latest
+      command: ["/bin/sh"]
+      args: ["-c", "while true; do sleep 3600; done"]
+      stdin: true
+      tty: true
+  restartPolicy: Never

container/ks-debug.yaml

@@ -1,13 +1,13 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app dv
+  name: &app debug
   namespace: ${TENANT_NAMESPACE}
 spec:
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./templates/windowsserver/dv
+  path: ./container/debug
   prune: true
   sourceRef:
     kind: GitRepository

echo-server/app/helmrelease.yaml

@@ -1,103 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app echo-server
-spec:
-  serviceAccountName: ${TECHNICAL_ACCOUNT}
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.2.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: ${TENANT_NAMESPACE}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  values:
-    controllers:
-      echo-server:
-        replicas: 2
-        strategy: RollingUpdate
-        containers:
-          app:
-            image:
-              repository: ghcr.io/mendhak/http-https-echo
-              tag: 33
-            env:
-              HTTP_PORT: &port 8080
-              LOG_WITHOUT_NEWLINE: true
-              LOG_IGNORE_PATH: /healthz
-              PROMETHEUS_ENABLED: true
-            probes:
-              liveness: &probes
-                enabled: true
-                custom: true
-                spec:
-                  httpGet:
-                    path: /healthz
-                    port: *port
-                  initialDelaySeconds: 0
-                  periodSeconds: 10
-                  timeoutSeconds: 1
-                  failureThreshold: 3
-              readiness: *probes
-            securityContext:
-              allowPrivilegeEscalation: false
-              readOnlyRootFilesystem: true
-              capabilities: { drop: ["ALL"] }
-              seccompProfile:
-                type: RuntimeDefault
-            resources:
-              requests:
-                cpu: 10m
-                memory: 64Mi
-              limits:
-                memory: 64Mi
-                cpu: 100m
-    defaultPodOptions:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile: { type: RuntimeDefault }
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: *app
-    service:
-      app:
-        controller: echo-server
-        ports:
-          http:
-            port: *port
-    serviceMonitor:
-      app:
-        serviceName: echo-server
-        endpoints:
-          - port: http
-            scheme: http
-            path: /metrics
-            interval: 1m
-            scrapeTimeout: 10s
-    ingress:
-      app:
-        className: external
-        hosts:
-          - host: "{{ .Release.Name }}-${TENANT_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-

firewall-s3/ks-vm.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app fortigate-s3
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./firewall-s3/vm/ksd
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fortigate-lb
+  namespace: ${TENANT_NAMESPACE}
+  labels:
+    app.kubernetes.io/component: fortigate-lb
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+    - port: 4500
+      name: ipsec-nat
+      targetPort: 4500
+      protocol: UDP
+    - port: 500
+      name: key-management
+      targetPort: 500
+      protocol: UDP
+    #- port: 22
+    #  name: ssh
+    #  targetPort: 22
+    #  protocol: TCP
+    - port: 443
+      name: https
+      targetPort: 443
+      protocol: TCP
+  selector:
+    kubevirt.io/domain: fortigate-ksd

firewall-s3/vm/ksd/network-definitions/lan.yaml

@@ -0,0 +1,20 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: lan-net
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "type": "bridge",
+    "bridge": "br-lan",
+    "ipam": {
+      "type": "static",
+      "addresses": [
+        {
+          "address": "172.168.100.0/24",
+          "gateway": "172.168.100.1"
+        }
+      ]
+    }
+  }'

firewall-s3/vm/ksd/network-definitions/mgmt.yaml

@@ -0,0 +1,20 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: mgmt-net
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "type": "bridge",
+    "bridge": "br-mgmt",
+    "ipam": {
+      "type": "static",
+      "addresses": [
+        {
+          "address": "192.168.10.0/24",
+          "gateway": "192.168.10.1"
+        }
+      ]
+    }
+  }'

firewall-s3/vm/ksd/vm/fortigate.yaml

@@ -0,0 +1,77 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: fortigate-ksd
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: fortigate-rootdisk-ksd
+      spec:
+        source:
+          http:
+            url: "https://glacier-1.kvant.cloud/ocp-virt-images/sources/fortios_7_6_3.qcow2"
+            #secretRef: s3-virt-credentials
+        storage:
+          resources:
+            requests:
+              storage: 30Gi
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: fortigate-ksd
+    spec:
+      domain:
+        cpu:
+          cores: 1
+        memory:
+          guest: 2Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi:
+              secureBoot: false
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: wan
+              masquerade: {}
+              ports:
+              - port: 4500
+              - port: 443
+              - port: 22
+              - port: 500
+            - name: mgmt
+              bridge: {}
+            - name: lan
+              bridge: {}
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk
+        resources:
+          requests:
+            memory: 2Gi
+            cpu: 1
+          limits:
+            memory: 2Gi
+            cpu: 1
+      networks:
+        - name: wan
+          pod: {}
+        - name: mgmt
+          multus:
+            networkName: ${TENANT_NAMESPACE}/mgmt-net
+        - name: lan
+          multus:
+            networkName: ${TENANT_NAMESPACE}/lan-net
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk
+          dataVolume:
+            name: fortigate-rootdisk-ksd

firewall-s3/vm/ksd/vm/strongswan.yaml

@@ -0,0 +1,73 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: strongswan
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  running: true
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: strongswan
+    spec:
+      domain:
+        cpu:
+          cores: 2
+        resources:
+          requests:
+            memory: 2Gi
+            cpu: 1
+          limits:
+            memory: 2Gi
+            cpu: 2
+        memory:
+          guest: 2Gi
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          disks:
+            - name: containerdisk
+              disk:
+                bus: virtio
+            - name: cloudinitdisk
+              disk:
+                bus: virtio
+          interfaces:
+            - name: wan
+              masquerade: {}
+              ports:
+                - port: 4500
+                - port: 443
+                - port: 22
+                - port: 500
+            - name: mgmt
+              bridge: {}
+            - name: lan
+              bridge: {}
+      networks:
+        - name: wan
+          pod: {}
+        - name: mgmt
+          multus:
+            networkName: ${TENANT_NAMESPACE}/mgmt-net
+        - name: lan
+          multus:
+            networkName: ${TENANT_NAMESPACE}/lan-net
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: containerdisk
+          containerDisk:
+            image: quay.io/containerdisks/ubuntu:22.04
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              #cloud-config
+              users:
+                - name: testuser
+                  groups: [sudo]
+                  sudo: "ALL=(ALL) NOPASSWD:ALL"
+                  lock_passwd: false
+                  passwd: "$6$oMZf5uou7t0.oAJ1$825Te06yt7JZwHSSj4MGQMjpd87LflANQpajCwIVPASkKZdOJo4L2bAEDDuK.jtu.fsRNc9bZAsYefmoqdN8O1"
+              chpasswd:
+                expire: false
+              ssh_pwauth: true

kustomization.yaml

@@ -3,10 +3,22 @@ kind: Kustomization
 resources:
   - vars/ks.yaml
   - repos/ks.yaml
-  - echo-server/ks.yaml
+  - network/ks-lb.yaml
+  - firewall-s3/ks-vm.yaml
+  - windows-vm-standard/ks-vm.yaml
+  - windows-vm-standard/ks-pvc.yaml
+  - windows-vm-standard-dev/ks-vm.yaml
+  - windows-vm-standard-dev/ks-pvc.yaml
   - ubuntu-vm-1/ks.yaml
   - ubuntu-vm-2/ks.yaml
+  - ubuntu-vm-3-john/ks.yaml
+  - container/ks-debug.yaml
   - templates/image-server/ks-nginx.yaml
   - templates/image-server/ks-pvc.yaml
-  - templates/windowsserver/ks-dv.yaml
+  - templates/image-server/ks-route.yaml
   - templates/windowsserver/ks-flavor.yaml
+  - templates/windowsserver-rh/ks-flavor.yaml
+  - postgres/ks.yaml
+# - windows-vm-standard-john/ks-vm.yaml
+# - windows-vm-standard-john/ks-pvc.yaml
+# - windows-vm-standard-john/windows-lb.yaml

network/ks-lb.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app lb
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./network/loadbalancers
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

network/loadbalancers/fortigate-lb.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fortigate-lb
+  namespace: ${TENANT_NAMESPACE}
+  labels:
+    app.kubernetes.io/component: fortigate-lb
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 4500
+      name: ipsec-nat
+      targetPort: 4500
+      protocol: UDP
+    - port: 500
+      name: key-management
+      targetPort: 500
+      protocol: UDP
+    - port: 22
+      name: ssh
+      targetPort: 22
+      protocol: TCP
+    - port: 443
+      name: https
+      targetPort: 443
+      protocol: TCP
+  selector:
+    kubevirt.io/domain: fortigate-s3

network/loadbalancers/windows-lb.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: windows-lb
+  namespace: ${TENANT_NAMESPACE}
+  labels:
+    app.kubernetes.io/component: windows-lb
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      name: http
+      targetPort: 8080
+      protocol: TCP
+    - port: 443
+      name: https
+      targetPort: 443
+      protocol: TCP
+    - port: 65022
+      name: ssh
+      targetPort: 22
+      protocol: TCP
+    - port: 3389
+      name: rdp
+      targetPort: 3389
+      protocol: TCP
+  selector:
+    kubevirt.io/domain: windows-vm-standard

postgres/app/helmrelease.yaml

@@ -0,0 +1,122 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgres
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  serviceAccountName: ${TECHNICAL_ACCOUNT}
+  interval: 30m
+  chart:
+    spec:
+      chart: cluster
+      version: 0.3.1
+      sourceRef:
+        kind: HelmRepository
+        name: cloudnative-pg
+        namespace: ${TENANT_NAMESPACE}
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    # check the complete configuration options at
+    # https://raw.githubusercontent.com/cloudnative-pg/charts/refs/tags/cluster-v0.3.1/charts/cluster/values.yaml
+    type: postgresql
+    mode: standalone
+    version:
+      postgresql: "17.5"
+    cluster:
+      instances: 3
+      storage:
+        size: 10Gi
+        # default storage class on ai-2 cluster, on basel or staging you
+        # should use 'ocs-storagecluster-ceph-rbd' instead
+        storageClass: ibm-spectrum-scale-fileset
+      walStorage:
+        # It's not mandatory to split WAL from the main data volume. 
+        # However, doing so helps to avoid issues with the main data volume 
+        # in cases where WAL exporting to the backup server experiences
+        # issues. For example, in scenarios where there's network congestion
+        # or even failures, the WAL may end up accumulating too much data
+        # to the point where the volume fills up, blocking the cluster from
+        # operating properly.
+        enabled: true 
+        size: 10Gi
+        storageClass: ibm-spectrum-scale-fileset
+      resources:
+        requests:
+          cpu: "500m"
+          memory: 1Gi
+        limits:
+          cpu: "1"
+          memory: 1Gi
+      enableSuperuserAccess: true
+      superuserSecret: postgres-superuser
+      affinity:
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+      postgresql:
+        parameters:
+          shared_buffers: 256MB
+          max_connections: "400"
+      initdb:
+        database: app
+        owner: app
+        options: []
+        encoding: UTF8
+    backups:
+      # As indicated by the 'enabled' flag, backups are disabled on
+      # this deployment. But the remaining of the block serves as an
+      # example of how to configure this cluster to export backups to
+      # a S3 bucket hosted on a MinIO server.
+      # 
+      # For more information, refer to the helm chart's values.yaml 
+      # or the official documentation at 
+      # https://cloudnative-pg.io/documentation/1.26/backup/
+      enabled: false
+      endpointURL: https://glacier-1.kvant.cloud
+      provider: s3
+      s3:
+        bucket: phoenix-openshift-backups
+        path: /demo-postgres
+        # Ideally, you will never commit credentials in plain text;
+        # these values are here just for illustration. For a way to
+        # properly load them from kubernetes' secrets, refer to the
+        # commented-ou section 'valuesFrom' placed right below
+        accessKey: your-access-key
+        secretKey: your-secret-key
+      secret:
+        create: true
+      wal:
+        # If exporting to MinIO S3, you may have to disable encryption.
+        # This is how you achieve it
+        encryption: ""
+      data:
+        encryption: ""
+      scheduledBackups:
+        # You can give it any name and change the scheduled time to what
+        # fits your strategy. This serves as an example of how to configure
+        # the cluster to export a daily backup to the S3 bucket using
+        # barman object storage. You can also back up volumes instead.
+        # Check the backup documentation to find more information on
+        # which option suits you best.
+        - name: daily-minio
+          schedule: "@daily"
+          backupOwnerReference: self
+          method: barmanObjectStore
+      retentionPolicy: "180d" # It is mandatory to match this value with the bucket's retention period
+#  valuesFrom:
+#    - kind: Secret
+#      name: postgres-backup-s3 # name of the pre-existing secret that holds the key pair
+#      valuesKey: ACCESS_KEY_ID # name of the key inside the secret that holds the access key value
+#      targetPath: backups.s3.accessKey # path of the configuration that will be assigned the access key value
+#      optional: false
+#    - kind: Secret
+#      name: postgres-backup-s3 # name of the pre-existing secret that holds the key pair
+#      valuesKey: ACCESS_SECRET_KEY # name of the key inside the secret that holds the secret key value
+#      targetPath: backups.s3.secretKey # path of the configuration that will be assigned the secret key value
+#      optional: false

postgres/ks.yaml

@@ -3,18 +3,21 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app echo-server
+  name: &app postgres
   namespace: ${TENANT_NAMESPACE}
 spec:
+  targetNamespace: ${TENANT_NAMESPACE}
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./echo-server/app
+  path: ./postgres/app
   prune: true
   sourceRef:
     kind: GitRepository
     name: tenant-repos
-  wait: false
-  interval: 30m
+  wait: true
+  interval: 10m
   retryInterval: 1m
   timeout: 5m
+  dependsOn:
+    - name: vars

repos/helm/bitnami.yaml

@@ -5,5 +5,5 @@ metadata:
   namespace: ${TENANT_NAMESPACE}
 spec:
   type: oci
-  interval: 5m
+  interval: 60m
   url: oci://registry-1.docker.io/bitnamicharts

repos/helm/cloudnative-pg.yaml

@@ -3,10 +3,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: bjw-s
-  namespace: ${TENANT_NAMESPACE}-ns
+  name: cloudnative-pg
+  namespace: ${TENANT_NAMESPACE}
 spec:
-  type: oci
-  interval: 5m
-  url: oci://ghcr.io/bjw-s/helm
-
+  interval: 5m0s
+  url: https://cloudnative-pg.github.io/charts

templates/image-server/ks-pvc.yaml

@@ -15,4 +15,5 @@ spec:
   wait: false
   interval: 30m
   retryInterval: 1m
+  targetNamespace: ${TENANT_NAMESPACE}
   timeout: 5m

templates/image-server/ks-route.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app route
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./templates/image-server/route
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

templates/image-server/nginx/helmrelease.yaml

@@ -1,15 +1,15 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: nginx
   namespace: ${TENANT_NAMESPACE}
 spec:
   serviceAccountName: ${TECHNICAL_ACCOUNT}
-  interval: 5m
+  interval: 10m
   chart:
     spec:
       chart: nginx
-      version: 20.0.0
+      version: 19.1.1
       sourceRef:
         kind: HelmRepository
         name: bitnami
@@ -17,19 +17,14 @@ spec:
   values:
     service:
       type: ClusterIP
-      ports:
-        http: 80
-        https: 443
     ingress:
       enabled: true
-      hostname: nginx.${TENANT_DOMAIN}.apps.ai-2.kvant.cloud
-      tls:
-        - hosts:
-            - nginx.${TENANT_DOMAIN}.apps.ai-2.kvant.cloud
+      hostname: nginx.${TENANT_DOMAIN}
+      ingressClassName: external
     extraVolumes:
       - name: ${TENANT_NAMESPACE}-image-storage
         persistentVolumeClaim:
           claimName: ${TENANT_NAMESPACE}-image-storage
     extraVolumeMounts:
       - name: ${TENANT_NAMESPACE}-image-storage
-        mountPath: /usr/share/nginx/html
+        mountPath: /app

templates/image-server/pvc/image-storage.yaml

@@ -2,11 +2,11 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: ${TENANT_NAMESPACE}-image-storage
-  namespace: ${TENANT_NAMESPACE}
+  annotations:
+    helm.sh/resource-policy: keep
 spec:
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 120Gi
-  storageClassName: ocs-storagecluster-ceph-rbd

templates/image-server/route/http.yaml

@@ -0,0 +1,14 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: nginx
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  to:
+    kind: Service
+    name: nginx
+  port:
+    targetPort: 8080
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Allow

templates/windowsserver-rh/flavor/small.yaml

@@ -0,0 +1,87 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: windows-server-2022-small-redhat
+  namespace: '${TENANT_NAMESPACE}'
+  labels:
+    template.kubevirt.io/type: 'vm'
+    os.template.kubevirt.io/win2k22: 'true'
+    workload.template.kubevirt.io/server: 'true'
+  annotations:
+    name.os.template.kubevirt.io/win2k22: Windows Server 2022
+    description: Windows Server 2022 VM
+    openshift.io/display-name: Windows Server 2022
+    iconClass: icon-windows
+objects:
+  - apiVersion: kubevirt.io/v1
+    kind: VirtualMachine
+    metadata:
+      name: windows-server-2022-small-redhat
+      annotations:
+        description: Windows Server 2022 VM example
+      labels:
+        app: windows-server-2022-small-redhat
+        vm.kubevirt.io/template: 'windows-server-2022-template'
+        os.template.kubevirt.io/win2k22: 'true'
+    spec:
+      running: false
+      template:
+        metadata:
+          annotations:
+            vm.kubevirt.io/flavor: small
+            vm.kubevirt.io/os: win2k22
+            vm.kubevirt.io/workload: server
+          labels:
+            kubevirt.io/domain: windows-server-2022-small-redhat
+            kubevirt.io/size: small
+        spec:
+          domain:
+            cpu:
+              cores: 1
+              sockets: 1
+              threads: 1
+            devices:
+              disks:
+                - disk:
+                    bus: virtio
+                  name: rootdisk
+              interfaces:
+                - masquerade: {}
+                  model: virtio
+                  name: default
+              networkInterfaceMultiqueue: true
+              rng: {}
+            features:
+              acpi: {}
+              smm:
+                enabled: true
+            firmware:
+              bootloader:
+                efi: {}
+            memory:
+              guest: 4Gi
+          hostname: windows-server-2022-small-redhat
+          networks:
+            - name: default
+              pod: {}
+          terminationGracePeriodSeconds: 180
+          volumes:
+            - name: rootdisk
+              dataVolume:
+                name: windows-server-2022-small-redhat-dv
+  - apiVersion: cdi.kubevirt.io/v1beta1
+    kind: DataVolume
+    metadata:
+      name: windows-server-2022-small-redhat-dv
+      namespace: '${TENANT_NAMESPACE}'
+    spec:
+      source:
+        http:
+          url: http://nginx.demo.svc.cluster.local:8080/windows-server-2022-uefi-ns.qcow2
+      pvc:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 120Gi
+        storageClassName: ibm-spectrum-scale-fileset

templates/windowsserver-rh/ks-flavor.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app flavor-rh
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./templates/windowsserver-rh/flavor
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

templates/windowsserver/dv/windows-1-dv.yaml

@@ -1,15 +0,0 @@
-apiVersion: cdi.kubevirt.io/v1beta1
-kind: DataVolume
-metadata:
-  name: windows-server-datavolume
-  namespace: ${TENANT_NAMESPACE}
-spec:
-  source:
-    http:
-      url: "http://nginx.${TENANT_DOMAIN}.apps.ai-2.kvant.cloud/windows-server-2022.qcow2"
-  pvc:
-    accessModes:
-      - ReadWriteOnce
-    resources:
-      requests:
-        storage: 120Gi

templates/windowsserver/flavor/small.yaml

@@ -2,49 +2,94 @@ apiVersion: template.openshift.io/v1
 kind: Template
 metadata:
   name: windows-server-2022-small
-  namespace: ${TENANT_NAMESPACE}
+  namespace: '${TENANT_NAMESPACE}'
+  labels:
+    template.kubevirt.io/type: 'vm'
+    os.template.kubevirt.io/win2k22: 'true'
+    workload.template.kubevirt.io/server: 'true'
   annotations:
-    openshift.io/display-name: "Windows Server 2022 VM"
-    openshift.io/documentation-url: "https://docs.microsoft.com/en-us/windows-server/"
-    description: "Template for deploying a Windows Server 2022 Virtual Machine on OpenShift with KubeVirt."
-    tags: virtualmachine,windows,server,2022
+    name.os.template.kubevirt.io/win2k22: Windows Server 2022
+    description: Windows Server 2022 VM template (Small)
+    openshift.io/display-name: Windows Server 2022
+    iconClass: icon-windows
 objects:
   - apiVersion: kubevirt.io/v1
     kind: VirtualMachine
     metadata:
-      name: ${VM_NAME}
-      namespace: ${TENANT_NAMESPACE}
+      name: windows-server-demo
+      annotations:
+        description: Windows Server 2022 VM Demo
       labels:
-        app: windows-server
+        app: windows-server-demo
+        vm.kubevirt.io/template: 'windows-server-2022-template'
+        os.template.kubevirt.io/win2k22: 'true'
     spec:
       running: false
       template:
         metadata:
+          annotations:
+            vm.kubevirt.io/flavor: small
+            vm.kubevirt.io/os: win2k22
+            vm.kubevirt.io/workload: server
           labels:
-            kubevirt.io/domain: ${VM_NAME}
+            kubevirt.io/domain: windows-server-demo
+            kubevirt.io/size: small
         spec:
           domain:
             cpu:
-              cores: 4
+              cores: 2
+              sockets: 1
+              threads: 1
             devices:
               disks:
-                - name: rootdisk
-                  disk:
+                - disk:
                     bus: virtio
+                  name: rootdisk
+              interfaces:
+                - masquerade: {}
+                  model: virtio
+                  name: default
+              networkInterfaceMultiqueue: true
+              rng: {}
+            features:
+              acpi: {}
+              smm:
+                enabled: true
+            firmware:
+              bootloader:
+                efi: {}
             memory:
-              guest: 8Gi
+              guest: 4Gi
+          hostname: windows-server-demo
           networks:
             - name: default
               pod: {}
+          terminationGracePeriodSeconds: 180
           volumes:
             - name: rootdisk
-              persistentVolumeClaim:
-                claimName: windows-server-datavolume
+              dataVolume:
+                name: windows-server-datavolume-small
+  - apiVersion: cdi.kubevirt.io/v1beta1
+    kind: DataVolume
+    metadata:
+      name: windows-server-datavolume-small
+      namespace: '${TENANT_NAMESPACE}'
+    spec:
+      source:
+        http:
+          url: http://nginx.demo.pub.ai-2.kvant.cloud.apps.ai-2.kvant.cloud/win2022.qcow2
+      pvc:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: '${PVC_SIZE}'
 parameters:
-  - name: windows_server_2022_small
-    description: Name of the Virtual Machine
+  #- name: IMAGE_URL
+  # description: Public or internal HTTP(S) URL to a sysprepped Windows .qcow2 image
+  #  required: true
+  #  value: https://nginx.demo.pub.ai-2.kvant.cloud.apps.ai-2.kvant.cloud/win2022.qcow2
+  - name: PVC_SIZE
+    description: Size of the root disk PVC
     required: true
-  - name: NAMESPACE
-    description: Namespace where to deploy
-    required: true
-    value: ${TENANT_NAMESPACE}
+    value: 120Gi

ubuntu-vm-1/ubuntu/ubuntu-vm.yaml

@@ -38,11 +38,13 @@ spec:
           cloudInitNoCloud:
             userData: |
               #cloud-config
-              hostname: ubuntu-vm-1
-              ssh_pwauth: True
               users:
-                - name: ubuntu
-                  ssh-authorized-keys:
-                    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqlhZW/pPLK8zENt3o6tgl0QVinhGAF1sHvajqq3UvI ubuntu
-                  sudo: ['ALL=(ALL) NOPASSWD:ALL']
-                  shell: /bin/bash
+                - name: testuser
+                groups: [sudo]
+                sudo: "ALL=(ALL) NOPASSWD:ALL"
+                lock_passwd: false
+                passwd: "$6$oMZf5uou7t0.oAJ1$825Te06yt7JZwHSSj4MGQMjpd87LflANQpajCwIVPASkKZdOJo4L2bAEDDuK.jtu.fsRNc9bZAsYefmoqdN8O1"
+
+                chpasswd: 
+                expire: false
+                ssh_pwauth: true

ubuntu-vm-3 john/ks.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app ubuntu-vm-2
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./ubuntu-vm-2/ubuntu
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

ubuntu-vm-3 john/ubuntu/ubuntu-vm.yaml

@@ -0,0 +1,48 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: ubuntu-vm-3-
+  namespace: kubevirt-vms
+spec:
+  running: true
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: ubuntu-vm-2
+    spec:
+      domain:
+        cpu:
+          cores: 2
+        devices:
+          disks:
+            - disk:
+                bus: virtio
+              name: containerdisk
+            - disk:
+                bus: virtio
+              name: cloudinitdisk
+        resources:
+          requests:
+            memory: 2Gi
+            cpu: 1
+          limits:
+            memory: 2Gi
+            cpu: 2
+        memory:
+          guest: 2Gi
+      volumes:
+        - name: containerdisk
+          containerDisk:
+            image: quay.io/containerdisks/ubuntu:22.04
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              #cloud-config
+              hostname: ubuntu-vm-2
+              ssh_pwauth: True
+              users:
+                - name: ubuntu
+                  ssh-authorized-keys:
+                    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqlhZW/pPLK8zENt3o6tgl0QVinhGAF1sHvajqq3UvI ubuntu
+                  sudo: ['ALL=(ALL) NOPASSWD:ALL']
+                  shell: /bin/bash

vars/demo/s3-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-virt-credentials
+  namespace: ${TENANT_NAMESPACE}
+type: Opaque
+data:
+  accessKeyId: WWozQTdUdHgzbjNOa3NsS2VodzM=
+  secretKey: SUZJRWtSbnJnWDRPcnlNWmtSSjlheG41UlpnSTZhMjBvVW82Tm1lRA==

windows-vm-standard-dev/ks-pvc.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-pvc-dev
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard-dev/pvc
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard-dev/ks-vm.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-vm-standard-dev
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard-dev/vm
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard-dev/pvc/datadisk.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: windows-vm-datadisk-dev
+spec:
+  storageClassName: ibm-spectrum-scale-fileset
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Gi

windows-vm-standard-dev/vm/server.yaml

@@ -0,0 +1,83 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: windows-vm-standard-dev
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: windows-rootdisk-dev
+      spec:
+        source:
+          http:
+            url: "https://glacier-1.kvant.cloud/ocp-virt-images/sources/windows-server-2022-uefi-ns.qcow2"
+        storage:
+          resources:
+            requests:
+              storage: 80Gi
+        sourceRef:
+          kind: DataSource
+          name: win2k22
+          namespace: kubevirt-os-images
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: windows-vm-standard-dev
+    spec:
+      domain:
+        cpu:
+          cores: 4
+        memory:
+          guest: 8Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi:
+              secureBoot: true
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: default
+              masquerade: {}
+              ports:
+              - port: 8080
+              - port: 443
+              - port: 22
+              - port: 3389
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk-dev
+            - disk:
+                bus: sata
+              name: datadisk-dev
+           # - disk:
+           #     bus: scsi
+           #   name: cloudinitdisk
+        resources:
+          requests:
+            memory: 8Gi
+            cpu: 4
+          limits:
+            memory: 8Gi
+            cpu: 4
+      networks:
+        - name: default
+          pod: {}
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk-dev
+          dataVolume:
+            name: windows-rootdisk-dev
+        - name: datadisk-dev
+          persistentVolumeClaim:
+            claimName: windows-vm-datadisk-dev
+        #- name: cloudinitdisk
+        #  cloudInitNoCloud:
+        #    secretRef:
+        #      name: windows-cloud-init

windows-vm-standard-john/ks-pvc.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-pvc-john
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard-john/pvc
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard-john/ks-vm.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-vm-standard-john
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard-john/vm
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard-john/pvc/datadisk.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: windows-vm-datadisk-john
+spec:
+  storageClassName: ibm-spectrum-scale-fileset
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 200Gi

windows-vm-standard-john/vm/server.yaml

@@ -0,0 +1,82 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: windows-vm-standard-john
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: windows-rootdisk-john
+      spec:
+        source:
+          http:
+            url: http://nginx.demo.svc.cluster.local:80/windows-server-2022-uefi-ns.qcow2
+        storage:
+          resources:
+            requests:
+              storage: 80Gi
+#        sourceRef:
+#          kind: DataSource
+#          name: win2k22
+#          namespace: openshift-virtualization-os-images
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: windows-vm-standard-john
+    spec:
+      domain:
+        cpu:
+          cores: 4
+        memory:
+          guest: 8Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi: {}
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: default
+              masquerade: {}
+              ports:
+              - port: 8080
+              - port: 443
+              - port: 22
+              - port: 3389
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk-john
+            - disk:
+                bus: sata
+              name: datadisk-john
+           # - disk:
+           #     bus: scsi
+           #   name: cloudinitdisk
+        resources:
+          requests:
+            memory: 8Gi
+            cpu: 4
+          limits:
+            memory: 8Gi
+            cpu: 4
+      networks:
+        - name: default
+          pod: {}
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk-john
+          dataVolume:
+            name: windows-rootdisk-john
+        - name: datadisk-john
+          persistentVolumeClaim:
+            claimName: windows-vm-datadisk-john
+        #- name: cloudinitdisk
+        #  cloudInitNoCloud:
+        #    secretRef:
+        #      name: windows-cloud-init

windows-vm-standard-john/windows-lb.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: windows-lb-john
+  namespace: ${TENANT_NAMESPACE}
+  labels:
+    app.kubernetes.io/component: windows-lb-john
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      name: http
+      targetPort: 8080
+      protocol: TCP
+    - port: 443
+      name: https
+      targetPort: 443
+      protocol: TCP
+    - port: 65022
+      name: ssh
+      targetPort: 22
+      protocol: TCP
+    - port: 3389
+      name: rdp
+      targetPort: 3389
+      protocol: TCP
+  selector:
+    kubevirt.io/domain: windows-vm-standard-john

windows-vm-standard/ks-pvc.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-pvc
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard/pvc
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard/ks-vm.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windows-vm-standard
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./windows-vm-standard/vm
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

windows-vm-standard/pvc/datadisk.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: windows-vm-datadisk
+spec:
+  storageClassName: ibm-spectrum-scale-fileset
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 200Gi

windows-vm-standard/vm/server.yaml

@@ -0,0 +1,82 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: windows-vm-standard
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: windows-rootdisk
+      spec:
+        source:
+          http:
+            url: http://nginx.demo.svc.cluster.local:8080/windows-server-2022-uefi-ns.qcow2
+        storage:
+          resources:
+            requests:
+              storage: 80Gi
+        sourceRef:
+          kind: DataSource
+          name: win2k22
+          namespace: kubevirt-os-images
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: windows-vm-standard
+    spec:
+      domain:
+        cpu:
+          cores: 4
+        memory:
+          guest: 8Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi: {}
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: default
+              masquerade: {}
+              ports:
+              - port: 8080
+              - port: 443
+              - port: 22
+              - port: 3389
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk
+            - disk:
+                bus: sata
+              name: datadisk
+           # - disk:
+           #     bus: scsi
+           #   name: cloudinitdisk
+        resources:
+          requests:
+            memory: 8Gi
+            cpu: 4
+          limits:
+            memory: 8Gi
+            cpu: 4
+      networks:
+        - name: default
+          pod: {}
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk
+          dataVolume:
+            name: windows-rootdisk
+        - name: datadisk
+          persistentVolumeClaim:
+            claimName: windows-vm-datadisk
+        #- name: cloudinitdisk
+        #  cloudInitNoCloud:
+        #    secretRef:
+        #      name: windows-cloud-init