Merge remote-tracking branch 'upstream/main'

.github/workflows/e2e.yaml

@@ -21,7 +21,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  IMAGE_NAME: ghcr.io/${{ github.repository }}-ci:PR${{ github.event.number }}
+  REPOSITORY_NAME: ghcr.io/${{ github.repository }}-ci
+  TAG_NAME: PR${{ github.event.number }}
   VCLUSTER_SUFFIX: vcluster
   VCLUSTER_NAME: vcluster
   VCLUSTER_NAMESPACE: vcluster
@@ -53,8 +54,8 @@ jobs:
         run: |
           set -x
           TELEMETRY_PRIVATE_KEY="" goreleaser build --single-target --snapshot --id vcluster --clean --output ./vcluster
-          docker build -t ${{ env.IMAGE_NAME }} -f Dockerfile.release --build-arg TARGETARCH=amd64 --build-arg TARGETOS=linux .
-          docker save -o vcluster_syncer ${{ env.IMAGE_NAME }}
+          docker build -t "${{ env.REPOSITORY_NAME }}:${{ env.TAG_NAME }}" -f Dockerfile.release --build-arg TARGETARCH=amd64 --build-arg TARGETOS=linux .
+          docker save -o vcluster_syncer "${{ env.REPOSITORY_NAME }}:${{ env.TAG_NAME }}"
       - name: Upload syncer image to artifact
         uses: actions/upload-artifact@v4
         with:
@@ -139,6 +140,7 @@ jobs:
           name: e2e-binaries
           path: ./test/*/*.test
           retention-days: 7
+
   download-latest-cli:
     name: Execute test suites
     runs-on: ubuntu-latest
@@ -153,7 +155,6 @@ jobs:
           path: ./vcluster-current
           retention-days: 7
 
-
   upgrade-test:
     name: test if we can upgrade from older version
     needs:
@@ -192,6 +193,7 @@ jobs:
         with:
           name: vcluster
           path: vcluster-dev
+
       - name: Download current cli
         uses: actions/download-artifact@v4
         with:
@@ -201,6 +203,7 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: vcluster_syncer
+
       - name: install sed
         run: |
           sudo apt-get install -y sed
@@ -217,22 +220,24 @@ jobs:
           --distro=${{ matrix.distribution }}
 
           kubectl wait --for=condition=ready pod -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} --timeout=300s
+
       - name: upgrade with the dev cli
         run: |
           chmod +x ./vcluster-dev/vcluster
           set -x
 
-          sed -i "s|REPLACE_IMAGE_NAME|${{ env.IMAGE_NAME }}|g" test/commonValues.yaml
+          sed -i "s|REPLACE_REPOSITORY_NAME|${{ env.REPOSITORY_NAME }}|g" test/commonValues.yaml
+          sed -i "s|REPLACE_TAG_NAME|${{ env.TAG_NAME }}|g" test/commonValues.yaml
 
           ./vcluster-dev/vcluster create vcluster --distro=${{ matrix.distribution }} \
           --connect=false \
           --upgrade \
+          --local-chart-dir ./chart \
           -f ./test/commonValues.yaml
 
           sleep 20
           kubectl wait --for=condition=ready pod -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} --timeout=300s
 
-
   e2e-tests:
     name: Execute test suites
     needs:
@@ -340,7 +345,8 @@ jobs:
 
           sudo apt-get install -y sed
 
-          sed -i "s|REPLACE_IMAGE_NAME|${{ env.IMAGE_NAME }}|g" ${{ matrix.test-suite-path }}/../commonValues.yaml
+          sed -i "s|REPLACE_REPOSITORY_NAME|${{ env.REPOSITORY_NAME }}|g" ${{ matrix.test-suite-path }}/../commonValues.yaml
+          sed -i "s|REPLACE_TAG_NAME|${{ env.TAG_NAME }}|g" ${{ matrix.test-suite-path }}/../commonValues.yaml
 
           kind load image-archive vcluster_syncer
 
@@ -351,7 +357,7 @@ jobs:
           --debug \
           --connect=false \
           --distro=${{ matrix.distribution }} \
-          --local-chart-dir ./charts/${{ matrix.distribution }} \
+          --local-chart-dir ./chart \
           -f ./test/commonValues.yaml \
           $haValues \
           -f ${{ matrix.test-suite-path }}/values.yaml \

.github/workflows/lint.yaml

@@ -25,7 +25,7 @@ jobs:
         with:
           go-version-file: ./go.mod
           cache: false
-      - name: Generate Embedded Helm Charts
+      - name: Generate Embedded Helm Chart
         run: |
           go generate ./...
       - name: Run golangci-lint

.github/workflows/unit-tests.yaml

@@ -29,10 +29,7 @@ jobs:
           helm plugin install https://github.com/helm-unittest/helm-unittest
       - name: Run Helm Unit Tests
         run: |
-          helm unittest charts/eks -d
-          helm unittest charts/k3s -d
-          helm unittest charts/k0s -d
-          helm unittest charts/k8s -d
+          helm unittest chart
 
   go-unit-test:
     name: Execute all go tests

.golangci.yml

@@ -31,7 +31,6 @@ linters:
     - revive
     - staticcheck
     - stylecheck
-    - tagalign
     - typecheck
     - unconvert
     - unused

Dockerfile

@@ -26,6 +26,7 @@ COPY vendor/ vendor/
 COPY cmd/vcluster cmd/vcluster
 COPY cmd/vclusterctl cmd/vclusterctl
 COPY pkg/ pkg/
+COPY config/ config/
 
 ENV GO111MODULE on
 ENV DEBUG true

Justfile

@@ -91,7 +91,8 @@ e2e distribution="k3s" path="./test/e2e" multinamespace="false": create-kind &&
 
   cp test/commonValues.yaml dist/commonValues.yaml
 
-  sed -i.bak "s|REPLACE_IMAGE_NAME|vcluster:e2e-latest|g" dist/commonValues.yaml
+  sed -i.bak "s|REPLACE_REPOSITORY_NAME|vcluster|g" dist/commonValues.yaml
+  sed -i.bak "s|REPLACE_TAG_NAME|e2e-latest|g" dist/commonValues.yaml
   rm dist/commonValues.yaml.bak
 
   sed -i.bak "s|kind-control-plane|vcluster-control-plane|g" dist/commonValues.yaml

chart/templates/_init-containers.tpl

@@ -52,7 +52,7 @@
   resources:
 {{ toYaml .Values.controlPlane.distro.eks.resources | indent 4 }}
 {{- end }}
-{{- if .Values.controlPlane.virtualScheduler.enabled }}
+{{- if .Values.controlPlane.advanced.virtualScheduler.enabled }}
 - name: kube-scheduler-manager
   image: "{{ .Values.controlPlane.advanced.defaultImageRegistry }}{{ .Values.controlPlane.distro.eks.scheduler.image.repository }}:{{ .Values.controlPlane.distro.eks.scheduler.image.tag }}"
   volumeMounts:
@@ -136,7 +136,7 @@
   resources:
 {{ toYaml .Values.controlPlane.distro.k8s.resources | indent 4 }}
 {{- end }}
-{{- if .Values.controlPlane.virtualScheduler.enabled }}
+{{- if .Values.controlPlane.advanced.virtualScheduler.enabled }}
 - name: kube-scheduler-manager
   image: "{{ .Values.controlPlane.advanced.defaultImageRegistry }}{{ .Values.controlPlane.distro.k8s.scheduler.image.repository }}:{{ .Values.controlPlane.distro.k8s.scheduler.image.tag }}"
   volumeMounts:
@@ -256,8 +256,10 @@
   command: ["sh"]
   args: ["-c", "cp -r /plugin /plugins/{{ $key }}"]
   {{- end }}
+  {{- if $container.securityContext }}
   securityContext:
 {{ toYaml $container.securityContext | indent 4 }}
+  {{- end }}
   {{- if $container.volumeMounts }}
   volumeMounts:
 {{ toYaml $container.volumeMounts | indent 4 }}

chart/templates/_persistence.tpl

@@ -1,22 +1,18 @@
+{{/*
+  ControlPlane Kind
+*/}}
+{{- define "vcluster.kind" -}}
+{{ if include "vcluster.persistence.volumeClaim.enabled" . }}StatefulSet{{ else }}Deployment{{ end }}
+{{- end -}}
+
 {{/*
   StatefulSet Persistence Options
 */}}
 {{- define "vcluster.persistence" -}}
-{{- if and .Values.controlPlane.backingStore.embeddedEtcd.enabled (include "vcluster.externalEtcd.enabled" .) -}}
-{{- fail "embeddedEtcd and externalEtcd cannot be enabled at the same time together" }}
-{{- end -}}
 {{- if .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates }}
-{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
-persistentVolumeClaimRetentionPolicy:
-  whenDeleted: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.retentionPolicy }}
-{{- end }}
 volumeClaimTemplates:
 {{ toYaml .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates | indent 2 }}
 {{- else if include "vcluster.persistence.volumeClaim.enabled" . }}
-{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
-persistentVolumeClaimRetentionPolicy:
-  whenDeleted: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.retentionPolicy }}
-{{- end }}
 volumeClaimTemplates:
 - metadata:
     name: data
@@ -35,7 +31,9 @@ volumeClaimTemplates:
   is persistence enabled?
 */}}
 {{- define "vcluster.persistence.volumeClaim.enabled" -}}
-{{- if and (not .Values.controlPlane.statefulSet.persistence.volumeClaim.disabled) (not (include "vcluster.externalEtcd.enabled" .)) -}}
+{{- if .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates -}}
+{{- true -}}
+{{- else if and (not .Values.controlPlane.statefulSet.persistence.volumeClaim.disabled) (not (include "vcluster.externalEtcd.enabled" .)) -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}

chart/templates/_rbac.tpl

@@ -22,9 +22,10 @@
     .Values.sync.toHost.persistentVolumes.enabled
     .Values.sync.toHost.priorityClasses.enabled
     .Values.sync.toHost.volumeSnapshots.enabled
+    .Values.controlPlane.advanced.virtualScheduler.enabled
     .Values.sync.fromHost.ingressClasses.enabled
     .Values.sync.fromHost.storageClasses.enabled
-    .Values.sync.fromHost.nodes.real.enabled
+    .Values.sync.fromHost.nodes.enabled
     .Values.observability.metrics.proxy.nodes.enabled
     .Values.experimental.multiNamespaceMode.enabled
     .Values.networking.resolveServices -}}

chart/templates/clusterrole.yaml

@@ -21,7 +21,7 @@ rules:
     resources: ["features", "virtualclusters"]
     verbs: ["get", "list", "watch"]
   {{- end }}
-  {{- if or .Values.pro .Values.sync.fromHost.nodes.real.enabled }}
+  {{- if or .Values.pro .Values.sync.fromHost.nodes.enabled }}
   - apiGroups: [""]
     resources: ["pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy"]
     verbs: ["get", "watch", "list"]
@@ -31,14 +31,14 @@ rules:
     resources: [ "pods"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if and .Values.sync.fromHost.nodes.real.enabled .Values.sync.fromHost.nodes.real.syncLabelsTaints }}
+  {{- if and .Values.sync.fromHost.nodes.enabled .Values.sync.fromHost.nodes.syncLabelsTaints }}
   - apiGroups: [""]
     resources: ["nodes", "nodes/status"]
     verbs: ["update", "patch"]
   {{- end }}
-  {{- if .Values.controlPlane.virtualScheduler.enabled }}
+  {{- if .Values.controlPlane.advanced.virtualScheduler.enabled }}
   - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses","csinodes","csidrivers","csistoragecapacities"]
+    resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"]
     verbs: ["get", "watch", "list"]
   {{- end }}
   {{- if .Values.sync.toHost.persistentVolumes.enabled }}

chart/templates/coredns-configmap.yaml

@@ -142,14 +142,14 @@ data:
           k8s-app: kube-dns
       template:
         metadata:
-          {{- if .Values.controlPlane.coredns.deployment.podAnnotations }}
+          {{- if .Values.controlPlane.coredns.deployment.pods.annotations }}
           annotations:
-{{ toYaml .Values.controlPlane.coredns.deployment.podAnnotations | indent 12 }}
+{{ toYaml .Values.controlPlane.coredns.deployment.pods.annotations | indent 12 }}
           {{- end }}
           labels:
             k8s-app: kube-dns
-          {{- if .Values.controlPlane.coredns.deployment.podLabels }}
-{{ toYaml .Values.controlPlane.coredns.deployment.podLabels | indent 12 }}
+          {{- if .Values.controlPlane.coredns.deployment.pods.labels }}
+{{ toYaml .Values.controlPlane.coredns.deployment.pods.labels | indent 12 }}
           {{- end }}
         spec:
           priorityClassName: "system-cluster-critical"

chart/templates/etcd-headless-service.yaml

@@ -1,5 +1,6 @@
 {{- if not .Values.experimental.isolatedControlPlane.headless }}
 {{- if or (include "vcluster.externalEtcd.enabled" .) (include "vcluster.externalEtcd.migrate" .) }}
+{{- if .Values.controlPlane.backingStore.externalEtcd.headlessService.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -32,3 +33,4 @@ spec:
     release: "{{ .Release.Name }}"
 {{- end }}
 {{- end }}
+{{- end }}

chart/templates/etcd-service.yaml

@@ -1,5 +1,6 @@
 {{- if not .Values.experimental.isolatedControlPlane.headless }}
 {{- if or (include "vcluster.externalEtcd.enabled" .) (include "vcluster.externalEtcd.migrate" .) }}
+{{- if .Values.controlPlane.backingStore.externalEtcd.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -31,3 +32,4 @@ spec:
     release: {{ .Release.Name }}
 {{- end }}
 {{- end }}
+{{- end }}

chart/templates/etcd-statefulset.yaml

@@ -1,5 +1,6 @@
 {{- if not .Values.experimental.isolatedControlPlane.headless }}
 {{- if or (include "vcluster.externalEtcd.enabled" .) (include "vcluster.externalEtcd.migrate" .) }}
+{{- if .Values.controlPlane.backingStore.externalEtcd.statefulSet.enabled }}
 {{- $externalEtcd := .Values.controlPlane.backingStore.externalEtcd.statefulSet }}
 apiVersion: apps/v1
 kind: StatefulSet
@@ -208,3 +209,4 @@ spec:
         {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}

chart/templates/headless-service.yaml

@@ -1,4 +1,5 @@
 {{- if not .Values.experimental.isolatedControlPlane.headless }}
+{{- if eq (include "vcluster.kind" .) "StatefulSet" }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -39,3 +40,4 @@ spec:
     app: vcluster
     release: "{{ .Release.Name }}"
 {{- end }}
+{{- end }}

chart/templates/networkpolicy.yaml

@@ -43,15 +43,15 @@ spec:
     # Allows outgoing connections to the internet or
     # other vcluster workloads
     - to:
-        - podSelector:
-            matchLabels:
-              vcluster.loft.sh/managed-by: {{ .Release.Name }}
-        - ipBlock:
-            cidr: {{ .Values.policies.networkPolicy.outgoingConnections.ipBlock.cidr }}
-            except:
-              {{- range .Values.policies.networkPolicy.outgoingConnections.ipBlock.except }}
-              - {{ . }}
-              {{- end }}
+      - podSelector:
+          matchLabels:
+            vcluster.loft.sh/managed-by: {{ .Release.Name }}
+      - ipBlock:
+          cidr: {{ .Values.policies.networkPolicy.outgoingConnections.ipBlock.cidr }}
+          except:
+            {{- range .Values.policies.networkPolicy.outgoingConnections.ipBlock.except }}
+            - {{ . }}
+            {{- end }}
   policyTypes:
     - Egress
 ---

chart/templates/service.yaml

@@ -28,13 +28,15 @@ spec:
       {{- end }}
       nodePort: {{ .Values.controlPlane.service.httpsNodePort }}
       protocol: TCP
+   {{- if or .Values.networking.advanced.proxyKubelets.byHostname .Values.networking.advanced.proxyKubelets.byIP }}
     - name: kubelet
       port: 10250
       {{- if not .Values.experimental.isolatedControlPlane.headless }}
       targetPort: 8443
       {{- end }}
       nodePort: {{ .Values.controlPlane.service.kubeletNodePort }}
       protocol: TCP
+    {{- end }}
   {{- end }}
   {{- if and (not .Values.controlPlane.service.spec.selector) (not .Values.experimental.isolatedControlPlane.headless) }}
   selector: