ci1: expose WinRM/RDP/SSH ports on masquerade interface for Phase 2 bootstrap

The Phase 1 VM has been Running for 9 days but Phase 2 (Puppet bootstrap + runner registration) was deferred because the operator-interactive virtctl-vnc path was the only way in. The masquerade interface listed no exposed ports, so virtctl ssh and kubectl port-forward both hit 'no route to host' — qemu user-mode NAT does not forward inbound by default. Adding 5985 (WinRM HTTP) lets a kubectl port-forward + PowerShell remoting path drive runner registration entirely from outside the VM. 3389 + 22 are reserved for desktop access via Guacamole or virtctl ssh once OpenSSH Server is installed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 11:24:34 -05:00
parent 2b420ce8a4
commit 1c36fe3a0a
1 changed files with 14 additions and 0 deletions
--- a/apps/kubevirt-vms/ci1.yaml
+++ b/apps/kubevirt-vms/ci1.yaml
@@ -77,9 +77,23 @@ spec:
          interfaces:
            # Pod-network fallback for CI runner outbound traffic. Switch to
            # prod-vlan57 once the bridge/NAD lane is ready for L2 access.
+            #
+            # Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP
+            # (5985) for PowerShell remoting from kubectl port-forward, RDP
+            # (3389) for full desktop via virtctl/Guacamole, SSH (22) for
+            # OpenSSH-Server-based future automation. Outbound CI runner
+            # traffic does not need any of these — they exist so the operator
+            # can install + register the GitHub Actions runner inside the VM.
            - name: default
              masquerade: {}
              model: virtio
+              ports:
+                - name: winrm-http
+                  port: 5985
+                - name: rdp
+                  port: 3389
+                - name: ssh
+                  port: 22
        machine:
          type: q35
      networks: