The Phase 1 VM has been Running for 9 days but Phase 2 (Puppet bootstrap + runner registration) was deferred because the operator-interactive virtctl-vnc path was the only way in. The masquerade interface listed no exposed ports, so virtctl ssh and kubectl port-forward both hit 'no route to host' — qemu user-mode NAT does not forward inbound by default. Adding 5985 (WinRM HTTP) lets a kubectl port-forward + PowerShell remoting path drive runner registration entirely from outside the VM. 3389 + 22 are reserved for desktop access via Guacamole or virtctl ssh once OpenSSH Server is installed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# =============================================================================
# ci1 - Windows Server 2025 KubeVirt VM (GitHub Actions Self-Hosted Runner)
# =============================================================================
# Boots from the sysprepped containerDisk template built by the Windows VM
# sysprep pipeline. See docs/infrastructure/windows-vm-sysprep-pipeline.md.
# Path A/B/C install history is preserved in git log only.
# =============================================================================
apiVersion: v1
kind: Namespace
metadata:
name: kubevirt-vms
labels:
app.kubernetes.io/part-of: kubevirt-stack
pod-security.kubernetes.io/enforce: privileged
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
name: ci1
namespace: kubevirt-vms
labels:
app: ci-runner
role: github-actions-runner
flowercore.io/managed-by: bluejay-infra
spec:
runStrategy: Always
template:
metadata:
labels:
app: ci-runner
role: github-actions-runner
kubevirt.io/vm: ci1
spec:
domain:
cpu:
cores: 8
sockets: 1
threads: 1
memory:
guest: 16Gi
resources:
requests:
memory: 16Gi
limits:
memory: 16Gi
clock:
utc: {}
timer:
hpet:
present: false
pit:
tickPolicy: delay
rtc:
tickPolicy: catchup
hyperv: {}
features:
acpi: {}
apic: {}
hyperv:
relaxed: {}
vapic: {}
spinlocks:
spinlocks: 8191
smm: {}
firmware:
bootloader:
efi:
secureBoot: false
devices:
tpm: {}
disks:
- name: rootdisk
disk:
bus: virtio
interfaces:
# Pod-network fallback for CI runner outbound traffic. Switch to
# prod-vlan57 once the bridge/NAD lane is ready for L2 access.
#
# Ports exposed for runner bootstrap (Phase 2 access): WinRM HTTP
# (5985) for PowerShell remoting from kubectl port-forward, RDP
# (3389) for full desktop via virtctl/Guacamole, SSH (22) for
# OpenSSH-Server-based future automation. Outbound CI runner
# traffic does not need any of these — they exist so the operator
# can install + register the GitHub Actions runner inside the VM.
- name: default
masquerade: {}
model: virtio
ports:
- name: winrm-http
port: 5985
- name: rdp
port: 3389
- name: ssh
port: 22
machine:
type: q35
networks:
- name: default
pod: {}
volumes:
- name: rootdisk
containerDisk:
image: localhost/fc-win-server-2025:v1
imagePullPolicy: Never
terminationGracePeriodSeconds: 3600
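Review bot: The three ports added under the masquerade interface (`winrm-http` 5985, `rdp` 3389, `ssh` 22) become reachable from any workload that can route to the virt-launcher pod on the pod network (`networks: - name: default` / `pod: {}`), and nothing in this manifest restricts that ingress, so the interactive admin surfaces of a privileged-namespace VM are now one pod-IP away from every other tenant of the cluster. 5985 is the plain-HTTP WinRM listener; the kubectl port-forward path is fine because its hop into the cluster rides the API server's TLS, but if a Service, NodePort or another pod is ever pointed at it the authentication exchange travels in cleartext unless the guest enforces WinRM message encryption, and 5986 (HTTPS) would be the listener to expose in that case. I would pair this change with a NetworkPolicy in `kubevirt-vms` selecting the ci1 launcher pod that admits ingress on 5985/3389/22 only from the intended operator path, and verify port-forward still works under it, since CNIs differ in how they treat traffic that originates on the node. Next to `port: 5985` I would record the intent in a comment: `# Plain-HTTP WinRM listener: reach only via kubectl port-forward; expose 5986 instead if a Service is ever created.` Separately, the description's diagnosis that an empty `ports` list blocked inbound masquerade traffic does not match my recollection of KubeVirt's masquerade binding, which I believe forwards all ports when none are listed, so it is worth confirming before this list is documented as the fix rather than, say, the guest firewall or a service that was not yet listening.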