From 1c36fe3a0a90d037a0772021af5dbfecb89a93a5 Mon Sep 17 00:00:00 2001 From: Andrew Stoltz Date: Tue, 26 May 2026 11:24:34 -0500 Subject: [PATCH] ci1: expose WinRM/RDP/SSH ports on masquerade interface for Phase 2 bootstrap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Phase 1 VM has been Running for 9 days but Phase 2 (Puppet bootstrap + runner registration) was deferred because the operator-interactive virtctl-vnc path was the only way in. The masquerade interface listed no exposed ports, so virtctl ssh and kubectl port-forward both hit 'no route to host' — qemu user-mode NAT does not forward inbound by default. Adding 5985 (WinRM HTTP) lets a kubectl port-forward + PowerShell remoting path drive runner registration entirely from outside the VM. 3389 + 22 are reserved for desktop access via Guacamole or virtctl ssh once OpenSSH Server is installed. Co-Authored-By: Claude Opus 4.7 (1M context) --- apps/kubevirt-vms/ci1.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apps/kubevirt-vms/ci1.yaml b/apps/kubevirt-vms/ci1.yaml index 5708ab5..87c381c 100644 --- a/apps/kubevirt-vms/ci1.yaml +++ b/apps/kubevirt-vms/ci1.yaml @@ -77,9 +77,23 @@ spec: interfaces: # Pod-network fallback for CI runner outbound traffic. Switch to # prod-vlan57 once the bridge/NAD lane is ready for L2 access. + # + # Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP + # (5985) for PowerShell remoting from kubectl port-forward, RDP + # (3389) for full desktop via virtctl/Guacamole, SSH (22) for + # OpenSSH-Server-based future automation. Outbound CI runner + # traffic does not need any of these — they exist so the operator + # can install + register the GitHub Actions runner inside the VM. - name: default masquerade: {} model: virtio + ports: + - name: winrm-http + port: 5985 + - name: rdp + port: 3389 + - name: ssh + port: 22 machine: type: q35 networks:
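Review bot: the new `ports:` block on the `masquerade` interface makes 5985, 3389 and 22 reachable on the virt-launcher pod IP from anywhere in the pod network, not only through `kubectl port-forward` as the comment above it suggests; and 5985 is plaintext WinRM HTTP, so the PowerShell remoting session used for runner registration (and any credentials it carries) crosses the cluster network unencrypted. Suggest pairing this change with a NetworkPolicy that restricts ingress to the VM's pod, and either using WinRM over HTTPS (5986) or limiting 5985 to the bootstrap window. Since the comment states these ports exist only so the operator can install and register the runner, consider adding a TODO (or a follow-up commit reference) to drop 3389/22, which currently have no listening service behind them, and lock down WinRM once Phase 2 is complete. Finally, the rationale that an empty `ports` list blocks all inbound traffic is worth re-checking against the KubeVirt masquerade documentation before it is relied on for the access model, since the guest firewall is another common cause of the 'no route to host' symptom.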