diff --git a/apps/kubevirt-vms/ci1.yaml b/apps/kubevirt-vms/ci1.yaml
index a0ff135..86bd856 100644
--- a/apps/kubevirt-vms/ci1.yaml
+++ b/apps/kubevirt-vms/ci1.yaml
@@ -6,14 +6,21 @@
 # `bluejay-ws-sandbox-1` runner placeholder. Andrew explicitly does NOT want
 # BLUEJAY-WS registered as a runner (workstation has personal/operator state).
 #
-# Status (2026-05-08): STAGED ONLY — DO NOT APPLY without operator review.
-# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
+# Status (2026-05-08): LIVE — Phase 1 prereqs satisfied:
+# * Multus CNI v4.2.2 thick-plugin DaemonSet running on all 3 RKE2 nodes
+# (apps/multus/multus.yaml; ApplicationSet `infra-multus` Synced/Healthy)
+# * CDI v1.65.0 operator + CR Deployed (apps/cdi/; ApplicationSet
+# `infra-cdi` Synced/Healthy; uploadproxy reachable via kubectl port-forward)
+# * Windows Server 2025 ISO uploaded via CDI virtctl image-upload to
+# PVC windows-server-2025-iso (7.7 GiB → 10Gi PVC, Bound, Upload Complete)
+# * Local Administrator password generated, stored in 1Password vault
+# IAmWorkin (qaphopopkryhbg353ukzhhuqoq) item id h3ix4mgfk65gmkcmvh6ly3d3hu
+# * NetworkAttachmentDefinition prod-vlan57 registered (apps/kubevirt-vms/
+# prod-vlan57-nad.yaml). VM still uses pod-network masquerade until Phase 1.5
+# host bridge work lands (Puppet br-prod + enp86s0.57); switching is a
+# one-line YAML edit + git push.
 #
-# Prerequisites that MUST be satisfied first:
-# 1. Windows Server 2025 ISO populated into the `windows-server-2025-iso` PVC
-# (operator interactive step — Microsoft Evaluation Center download).
-# 2. Either Multus + PROD VLAN NAD (preferred) OR pod-network only (this YAML).
-# 3. KubeVirt CR feature gates: none required for non-persistent vTPM.
+# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
 #
 # Network choice in this draft: **pod-network fallback** (Calico default).
 # Outbound-only is fine for the Updater Sandbox E2E runner workload (the runner 
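Review bot: The new status block records the 1Password vault ID and item ID for the local Administrator credential (the `IAmWorkin (…) item id …` line), which tells anyone with read access to the repo exactly where the secret is kept. Those identifiers are not the secret itself, but a reader of the manifest does not need them; I would shorten the bullet to `#   * Local Administrator password generated and stored in the team password manager (reference kept in the operator runbook)`. The unchanged heading just below still reads `Network choice in this draft`, which no longer fits a block marked LIVE.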
@@ -42,21 +49,31 @@ metadata: pod-security.kubernetes.io/enforce: privileged --- -# ISO PVC — operator must populate this before applying the VM manifest. -# Population paths (see plan doc "Phase 1 readiness gate", section 2): -# Path A — manual upload via helper pod + kubectl cp -# Path B — install CDI, then DataVolume HTTP import +# ISO PVC — populated via CDI virtctl image-upload (CDI is now installed). +# Population workflow (LIVE 2026-05-08): +# 1. virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml image-upload pvc \ +# windows-server-2025-iso -n kubevirt-vms \ +# --image-path "$env:USERPROFILE\Downloads\en-us_windows_server_2025_updated_march_2026_x64_dvd_8e06425a.iso" \ +# --size 10Gi --storage-class longhorn --access-mode ReadWriteOnce \ +# --uploadproxy-url https://cdi-uploadproxy.cdi.svc:443 --insecure +# (--uploadproxy-url uses port-forward in practice: see plan doc Phase 1.5.) +# +# Note: CDI's PVC creation hooks add cdi.kubevirt.io/storage.* annotations +# automatically. The ISO source file is 7.7GB → request 10Gi for headroom. apiVersion: v1 kind: PersistentVolumeClaim metadata: name: windows-server-2025-iso namespace: kubevirt-vms + labels: + app: ci-runner + flowercore.io/managed-by: bluejay-infra spec: accessModes: - ReadWriteOnce # Bump to ReadOnlyMany after population for multi-VM use resources: requests: - storage: 6Gi + storage: 10Gi # Bumped from 6Gi (Server 2025 ISO is 7.7GB) storageClassName: longhorn --- @@ -220,10 +237,16 @@ data: - - UABMAEEAQwBFAEgATwBMAEQARQBSAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA== + + bAA3AGsANABOAHcAcgBMAG4AeQBTAHUAYgBBAHQAaQBzAFUAcAB6AEMAWQAhADkAYQBCAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA== false</PlainText> </AdministratorPassword> </UserAccounts> 
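Review bot: The documented upload command passes `--insecure`, which turns off TLS verification of the CDI upload proxy, and nothing in the workflow checks the ISO before it becomes the install source for the runner VM. Because this comment is the procedure people will copy, it should state when the flag is acceptable and add an integrity step, e.g. `# --insecure is tolerated only over the local kubectl port-forward; otherwise trust the CDI upload-proxy CA.` and `# Before uploading, compare the ISO's SHA-256 (Get-FileHash) with the publisher's value: <EXPECTED_SHA256>`. The `--uploadproxy-url https://cdi-uploadproxy.cdi.svc:443` value also conflicts with the following line, which says a port-forward is used in practice; recording the URL actually used would remove the guesswork.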
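Review bot: The value under `AdministratorPassword` changes from the placeholder to what appears to be the live local Administrator credential, committed under a `data:` key (the XML markup of this hunk looks stripped on the page, and the kind of the enclosing object is outside the hunk). With `PlainText` set to `false` the unattend format only base64-encodes the password, so anyone who can read the repo, its history or the rendered object can recover it. I would keep the placeholder in git, rotate the password that was pushed, and supply the answer file from a Kubernetes Secret populated outside the repo, since KubeVirt's sysprep volume accepts a `secret` source as well as a `configMap`. A Secret is still only base64 at rest, so read access to it should be limited by RBAC to what the VM workload in this namespace needs.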
@@ -260,7 +283,7 @@ metadata:
 role: github-actions-runner
 flowercore.io/managed-by: bluejay-infra
 spec:
- running: false # Set to true after operator approves + ISO loaded
+ running: true # LIVE — ISO uploaded 2026-05-08, password in 1P
 template:
 metadata:
 labels:
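Review bot: `running: true` uses the field KubeVirt has deprecated in favour of `runStrategy`; on a current release I would write `runStrategy: Always  # LIVE — ISO uploaded 2026-05-08` (the two fields are mutually exclusive, and the KubeVirt version in use is not shown here). The trailing comment `password in 1P` is also incomplete, because the same commit carries the encoded password in the answer-file hunk at `@@ -220`, so it should not suggest the secret lives only in the vault. If this path is synced automatically, as the ApplicationSet references in the header comment suggest, merging is what boots the VM, so any credential rotation should land before this flag flips. The `spec` block continues outside the hunk.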