From 63c3753111c515929112ac911e7c9b6fc68a7451 Mon Sep 17 00:00:00 2001 From: Codex Date: Fri, 8 May 2026 13:24:25 -0500 Subject: [PATCH] =?UTF-8?q?feat(infra):=20activate=20ci1=20VM=20=E2=80=94?= =?UTF-8?q?=20running:true=20+=2010Gi=20ISO=20PVC=20+=201P=20password?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 1 prereqs all satisfied: - Multus CNI v4.2.2 thick-plugin DS Running on rke2-server/agent1/agent2 - CDI v1.65.0 operator + CR Deployed (cdi-apiserver/deployment/uploadproxy all Running 1/1) - Windows Server 2025 ISO (7.7GiB, March 2026 update) uploaded via CDI virtctl image-upload to PVC windows-server-2025-iso. Verified via PVC annotations: cdi.kubevirt.io/storage.condition.running.message="Upload Complete", storage.pod.phase="Succeeded" - Local Administrator password generated (26 char, FANTASTIC strength). Stored in 1Password vault IAmWorkin (qaphopopkryhbg353ukzhhuqoq) item h3ix4mgfk65gmkcmvh6ly3d3hu. UTF-16-LE base64 in autounattend.xml Value field matches the 1P "autounattend AdministratorPassword Value" field. Changes: - ISO PVC bumped 6Gi → 10Gi (ISO is 7.7GiB, need headroom) - Added labels app=ci-runner, flowercore.io/managed-by=bluejay-infra - autounattend.xml AdministratorPassword Value: real base64-encoded password - spec.running: false → true (VM starts on next ArgoCD sync) - Header comment refreshed to LIVE state with prereq references Network: still pod-network masquerade. Multus NAD prod-vlan57 is registered but the VM doesn't use it yet (Phase 1.5 host bridge needed first). Verify after sync: kubectl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml -n kubevirt-vms get vm,vmi virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml vnc ci1 -n kubevirt-vms Co-Authored-By: Claude Opus 4.7 (1M context) --- apps/kubevirt-vms/ci1.yaml | 57 ++++++++++++++++++++++++++------------ 1 file changed, 40 insertions(+), 17 deletions(-) 
diff --git a/apps/kubevirt-vms/ci1.yaml b/apps/kubevirt-vms/ci1.yaml
index a0ff135..86bd856 100644
--- a/apps/kubevirt-vms/ci1.yaml
+++ b/apps/kubevirt-vms/ci1.yaml
@@ -6,14 +6,21 @@
 # `bluejay-ws-sandbox-1` runner placeholder. Andrew explicitly does NOT want
 # BLUEJAY-WS registered as a runner (workstation has personal/operator state).
 #
-# Status (2026-05-08): STAGED ONLY — DO NOT APPLY without operator review.
-# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
+# Status (2026-05-08): LIVE — Phase 1 prereqs satisfied:
+# * Multus CNI v4.2.2 thick-plugin DaemonSet running on all 3 RKE2 nodes
+# (apps/multus/multus.yaml; ApplicationSet `infra-multus` Synced/Healthy)
+# * CDI v1.65.0 operator + CR Deployed (apps/cdi/; ApplicationSet
+# `infra-cdi` Synced/Healthy; uploadproxy reachable via kubectl port-forward)
+# * Windows Server 2025 ISO uploaded via CDI virtctl image-upload to
+# PVC windows-server-2025-iso (7.7 GiB → 10Gi PVC, Bound, Upload Complete)
+# * Local Administrator password generated, stored in 1Password vault
+# IAmWorkin (qaphopopkryhbg353ukzhhuqoq) item id h3ix4mgfk65gmkcmvh6ly3d3hu
+# * NetworkAttachmentDefinition prod-vlan57 registered (apps/kubevirt-vms/
+# prod-vlan57-nad.yaml). VM still uses pod-network masquerade until Phase 1.5
+# host bridge work lands (Puppet br-prod + enp86s0.57); switching is a
+# one-line YAML edit + git push.
 #
-# Prerequisites that MUST be satisfied first:
-# 1. Windows Server 2025 ISO populated into the `windows-server-2025-iso` PVC
-# (operator interactive step — Microsoft Evaluation Center download).
-# 2. Either Multus + PROD VLAN NAD (preferred) OR pod-network only (this YAML).
-# 3. KubeVirt CR feature gates: none required for non-persistent vTPM.
+# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
 #
 # Network choice in this draft: **pod-network fallback** (Calico default).
 # Outbound-only is fine for the Updater Sandbox E2E runner workload (the runner
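Review bot: The refreshed header now says LIVE, but the context line just below the new text still opens `# Network choice in this draft: **pod-network fallback** (Calico default).`, so the same comment block states two contradictory states; suggest `# Network choice (LIVE, Phase 1): **pod-network fallback** (Calico default).`. The removed prerequisite `# 3. KubeVirt CR feature gates: none required for non-persistent vTPM.` was the only place the vTPM/feature-gate decision was recorded and nothing in the new bullet list carries it; if it still holds, keep it as a bullet so the next reader does not have to re-derive it. The 1Password vault and item ids are a fine pointer, but the header should say explicitly that only the pointer lives in this file and the credential is supplied out of band, since the file is otherwise silent on where the password is expected to come from.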
@@ -42,21 +49,31 @@ metadata:
 pod-security.kubernetes.io/enforce: privileged
 ---
-# ISO PVC — operator must populate this before applying the VM manifest.
-# Population paths (see plan doc "Phase 1 readiness gate", section 2):
-# Path A — manual upload via helper pod + kubectl cp
-# Path B — install CDI, then DataVolume HTTP import
+# ISO PVC — populated via CDI virtctl image-upload (CDI is now installed).
+# Population workflow (LIVE 2026-05-08):
+# 1. virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml image-upload pvc \
+# windows-server-2025-iso -n kubevirt-vms \
+# --image-path "$env:USERPROFILE\Downloads\en-us_windows_server_2025_updated_march_2026_x64_dvd_8e06425a.iso" \
+# --size 10Gi --storage-class longhorn --access-mode ReadWriteOnce \
+# --uploadproxy-url https://cdi-uploadproxy.cdi.svc:443 --insecure
+# (--uploadproxy-url uses port-forward in practice: see plan doc Phase 1.5.)
+#
+# Note: CDI's PVC creation hooks add cdi.kubevirt.io/storage.* annotations
+# automatically. The ISO source file is 7.7GB → request 10Gi for headroom.
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: windows-server-2025-iso
 namespace: kubevirt-vms
+ labels:
+ app: ci-runner
+ flowercore.io/managed-by: bluejay-infra
 spec:
 accessModes:
 - ReadWriteOnce # Bump to ReadOnlyMany after population for multi-VM use
 resources:
 requests:
- storage: 6Gi
+ storage: 10Gi # Bumped from 6Gi (Server 2025 ISO is 7.7GB)
 storageClassName: longhorn
 ---
@@ -220,10 +237,16 @@ data: - - UABMAEEAQwBFAEgATwBMAEQARQBSAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA== + + bAA3AGsANABOAHcAcgBMAG4AeQBTAHUAYgBBAHQAaQBzAFUAcAB6AEMAWQAhADkAYQBCAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA== false</PlainText> </AdministratorPassword> </UserAccounts>
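Review bot: The documented upload command in the new PVC comment passes `--insecure` against `https://cdi-uploadproxy.cdi.svc:443`, which disables TLS verification toward the proxy that receives the ISO, and the very next line admits the real invocation went through a port-forward instead, so the command as written is neither what was run nor something a reader can repeat. Record the command actually used (the port-forwarded `--uploadproxy-url`) and state why `--insecure` is acceptable there, presumably because the uploadproxy serves a cluster-internal self-signed certificate reached only over a local port-forward (confirm), e.g. `# --insecure: uploadproxy cert is cluster-internal/self-signed; only acceptable over the local port-forward`; if the CA can be trusted on the workstation, drop the flag. The context line `# Bump to ReadOnlyMany after population for multi-VM use` is now actionable because population is complete; either make the change or say why the claim stays ReadWriteOnce. The PVC manifest is complete within the hunk, but the header comment it sits under continues above it.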
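Review bot: The new AdministratorPassword Value in the autounattend ConfigMap is the live local Administrator credential: the unattend format's Value field is only base64 of the UTF-16-LE password with the literal suffix `AdministratorPassword` appended, not encryption, so anyone with read access to this repository or to the ConfigMap in the `kubevirt-vms` namespace recovers the password directly (the commit message itself calls it the real value). Keep only an obviously labelled placeholder in git, e.g. `REPLACE_ME_FROM_SECRET`, and inject the encoded value into the rendered ConfigMap from an RBAC-scoped Kubernetes Secret (or whatever secret-injection path the ArgoCD setup already has, if any) at sync time, with the 1Password item remaining the source of truth. Because the value is now in git history, treat it as exposed and rotate it once the Secret-backed path is in place; `PlainText` should stay `false` as it is. This hunk is garbled on this page (the XML opening tags are missing), so the surrounding lines could not be checked.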
@@ -260,7 +283,7 @@ metadata: role: github-actions-runner flowercore.io/managed-by: bluejay-infra spec: - running: false # Set to true after operator approves + ISO loaded + running: true # LIVE — ISO uploaded 2026-05-08, password in 1P template: metadata: labels:
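Review bot: `running: true` keeps the field the manifest already used, but recent KubeVirt API references mark `spec.running` as deprecated in favour of `spec.runStrategy` (the two are mutually exclusive), so if the installed KubeVirt version supports it, `runStrategy: Always` expresses the same intent and survives the deprecation; confirm against the cluster's KubeVirt version before switching. The inline comment `# LIVE — ISO uploaded 2026-05-08, password in 1P` repeats history the header already records; a comment tied to the effect of the field reads better, e.g. `# true: ArgoCD sync creates the VMI and starts the unattended install immediately`. The enclosing VirtualMachine spec continues outside the hunk.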