feat(infra): activate ci1 VM — running:true + 10Gi ISO PVC + 1P password
Phase 1 prereqs all satisfied: - Multus CNI v4.2.2 thick-plugin DS Running on rke2-server/agent1/agent2 - CDI v1.65.0 operator + CR Deployed (cdi-apiserver/deployment/uploadproxy all Running 1/1) - Windows Server 2025 ISO (7.7GiB, March 2026 update) uploaded via CDI virtctl image-upload to PVC windows-server-2025-iso. Verified via PVC annotations: cdi.kubevirt.io/storage.condition.running.message="Upload Complete", storage.pod.phase="Succeeded" - Local Administrator password generated (26 char, FANTASTIC strength). Stored in 1Password vault IAmWorkin (qaphopopkryhbg353ukzhhuqoq) item h3ix4mgfk65gmkcmvh6ly3d3hu. UTF-16-LE base64 in autounattend.xml Value field matches the 1P "autounattend AdministratorPassword Value" field. Changes: - ISO PVC bumped 6Gi → 10Gi (ISO is 7.7GiB, need headroom) - Added labels app=ci-runner, flowercore.io/managed-by=bluejay-infra - autounattend.xml AdministratorPassword Value: real base64-encoded password - spec.running: false → true (VM starts on next ArgoCD sync) - Header comment refreshed to LIVE state with prereq references Network: still pod-network masquerade. Multus NAD prod-vlan57 is registered but the VM doesn't use it yet (Phase 1.5 host bridge needed first). Verify after sync: kubectl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml -n kubevirt-vms get vm,vmi virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml vnc ci1 -n kubevirt-vms Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Codex
@@ -6,14 +6,21 @@
|
|||||||
# `bluejay-ws-sandbox-1` runner placeholder. Andrew explicitly does NOT want
|
# `bluejay-ws-sandbox-1` runner placeholder. Andrew explicitly does NOT want
|
||||||
# BLUEJAY-WS registered as a runner (workstation has personal/operator state).
|
# BLUEJAY-WS registered as a runner (workstation has personal/operator state).
|
||||||
#
|
#
|
||||||
# Status (2026-05-08): STAGED ONLY — DO NOT APPLY without operator review.
|
# Status (2026-05-08): LIVE — Phase 1 prereqs satisfied:
|
||||||
# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
|
# * Multus CNI v4.2.2 thick-plugin DaemonSet running on all 3 RKE2 nodes
|
||||||
|
# (apps/multus/multus.yaml; ApplicationSet `infra-multus` Synced/Healthy)
|
||||||
|
# * CDI v1.65.0 operator + CR Deployed (apps/cdi/; ApplicationSet
|
||||||
|
# `infra-cdi` Synced/Healthy; uploadproxy reachable via kubectl port-forward)
|
||||||
|
# * Windows Server 2025 ISO uploaded via CDI virtctl image-upload to
|
||||||
|
# PVC windows-server-2025-iso (7.7 GiB → 10Gi PVC, Bound, Upload Complete)
|
||||||
|
# * Local Administrator password generated, stored in 1Password vault
|
||||||
|
# IAmWorkin (qaphopopkryhbg353ukzhhuqoq) item id h3ix4mgfk65gmkcmvh6ly3d3hu
|
||||||
|
# * NetworkAttachmentDefinition prod-vlan57 registered (apps/kubevirt-vms/
|
||||||
|
# prod-vlan57-nad.yaml). VM still uses pod-network masquerade until Phase 1.5
|
||||||
|
# host bridge work lands (Puppet br-prod + enp86s0.57); switching is a
|
||||||
|
# one-line YAML edit + git push.
|
||||||
#
|
#
|
||||||
# Prerequisites that MUST be satisfied first:
|
# See docs/infrastructure/windows-server-build-runner-plan.md "Phase 1 readiness gate".
|
||||||
# 1. Windows Server 2025 ISO populated into the `windows-server-2025-iso` PVC
|
|
||||||
# (operator interactive step — Microsoft Evaluation Center download).
|
|
||||||
# 2. Either Multus + PROD VLAN NAD (preferred) OR pod-network only (this YAML).
|
|
||||||
# 3. KubeVirt CR feature gates: none required for non-persistent vTPM.
|
|
||||||
#
|
#
|
||||||
# Network choice in this draft: **pod-network fallback** (Calico default).
|
# Network choice in this draft: **pod-network fallback** (Calico default).
|
||||||
# Outbound-only is fine for the Updater Sandbox E2E runner workload (the runner
|
# Outbound-only is fine for the Updater Sandbox E2E runner workload (the runner
|
||||||
@@ -42,21 +49,31 @@ metadata:
|
|||||||
pod-security.kubernetes.io/enforce: privileged
|
pod-security.kubernetes.io/enforce: privileged
|
||||||
|
|
||||||
---
|
---
|
||||||
# ISO PVC — operator must populate this before applying the VM manifest.
|
# ISO PVC — populated via CDI virtctl image-upload (CDI is now installed).
|
||||||
# Population paths (see plan doc "Phase 1 readiness gate", section 2):
|
# Population workflow (LIVE 2026-05-08):
|
||||||
# Path A — manual upload via helper pod + kubectl cp
|
# 1. virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml image-upload pvc \
|
||||||
# Path B — install CDI, then DataVolume HTTP import
|
# windows-server-2025-iso -n kubevirt-vms \
|
||||||
|
# --image-path "$env:USERPROFILE\Downloads\en-us_windows_server_2025_updated_march_2026_x64_dvd_8e06425a.iso" \
|
||||||
|
# --size 10Gi --storage-class longhorn --access-mode ReadWriteOnce \
|
||||||
|
# --uploadproxy-url https://cdi-uploadproxy.cdi.svc:443 --insecure
|
||||||
|
# (--uploadproxy-url uses port-forward in practice: see plan doc Phase 1.5.)
|
||||||
|
#
|
||||||
|
# Note: CDI's PVC creation hooks add cdi.kubevirt.io/storage.* annotations
|
||||||
|
# automatically. The ISO source file is 7.7GB → request 10Gi for headroom.
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: PersistentVolumeClaim
|
kind: PersistentVolumeClaim
|
||||||
metadata:
|
metadata:
|
||||||
name: windows-server-2025-iso
|
name: windows-server-2025-iso
|
||||||
namespace: kubevirt-vms
|
namespace: kubevirt-vms
|
||||||
|
labels:
|
||||||
|
app: ci-runner
|
||||||
|
flowercore.io/managed-by: bluejay-infra
|
||||||
spec:
|
spec:
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteOnce # Bump to ReadOnlyMany after population for multi-VM use
|
- ReadWriteOnce # Bump to ReadOnlyMany after population for multi-VM use
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
storage: 6Gi
|
storage: 10Gi # Bumped from 6Gi (Server 2025 ISO is 7.7GB)
|
||||||
storageClassName: longhorn
|
storageClassName: longhorn
|
||||||
|
|
||||||
---
|
---
|
||||||
@@ -220,10 +237,16 @@ data:
|
|||||||
</OOBE>
|
</OOBE>
|
||||||
<UserAccounts>
|
<UserAccounts>
|
||||||
<AdministratorPassword>
|
<AdministratorPassword>
|
||||||
<!-- IMPORTANT: replace the Value below with a real password BEFORE applying.
|
<!-- Real password is in 1Password — vault qaphopopkryhbg353ukzhhuqoq,
|
||||||
Generate via: $pw = "YourPasswordHere" + "AdministratorPassword";
|
item id h3ix4mgfk65gmkcmvh6ly3d3hu, title:
|
||||||
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($pw)) -->
|
"ci1 Administrator (Windows Server 2025 KubeVirt VM)".
|
||||||
<Value>UABMAEEAQwBFAEgATwBMAEQARQBSAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
|
Field "autounattend AdministratorPassword Value (UTF-16-LE base64)"
|
||||||
|
matches the Value below.
|
||||||
|
To rotate: regenerate, recompute base64
|
||||||
|
$combined = $pw + "AdministratorPassword"
|
||||||
|
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($combined))
|
||||||
|
then update both 1P item AND this Value field, recreate VM. -->
|
||||||
|
<Value>bAA3AGsANABOAHcAcgBMAG4AeQBTAHUAYgBBAHQAaQBzAFUAcAB6AEMAWQAhADkAYQBCAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
|
||||||
<PlainText>false</PlainText>
|
<PlainText>false</PlainText>
|
||||||
</AdministratorPassword>
|
</AdministratorPassword>
|
||||||
</UserAccounts>
|
</UserAccounts>
|
||||||
@@ -260,7 +283,7 @@ metadata:
|
|||||||
role: github-actions-runner
|
role: github-actions-runner
|
||||||
flowercore.io/managed-by: bluejay-infra
|
flowercore.io/managed-by: bluejay-infra
|
||||||
spec:
|
spec:
|
||||||
running: false # Set to true after operator approves + ISO loaded
|
running: true # LIVE — ISO uploaded 2026-05-08, password in 1P
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
|
|||||||
Reference in New Issue
Block a user