Initial plan

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

roles/kubespray_defaults/defaults/main/main.yml

@@ -218,6 +218,21 @@ kube_network_plugin_multus: false
 # This enables to deploy cilium alongside another CNI to replace kube-proxy.
 cilium_deploy_additionally: false
 
+# Identity allocation mode selects how identities are shared between cilium
+# nodes by setting how they are stored. The options are "crd" or "kvstore".
+# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
+#   These can be queried with:
+#     `kubectl get ciliumid`
+# - "kvstore" stores identities in an etcd kvstore.
+# - In order to support External Workloads, "crd" is required
+#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
+# - KVStore operations are only required when cilium-operator is running with any of the below options:
+#   - --synchronize-k8s-services
+#   - --synchronize-k8s-nodes
+#   - --identity-allocation-mode=kvstore
+#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
+cilium_identity_allocation_mode: crd
+
 # Determines if calico_rr group exists
 peer_with_calico_rr: "{{ 'calico_rr' in groups and groups['calico_rr'] | length > 0 }}"
 

roles/network_plugin/cilium/defaults/main.yml

@@ -14,21 +14,6 @@ cilium_l2announcements: false
 # Cilium agent health port
 cilium_agent_health_port: "9879"
 
-# Identity allocation mode selects how identities are shared between cilium
-# nodes by setting how they are stored. The options are "crd" or "kvstore".
-# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
-#   These can be queried with:
-#     `kubectl get ciliumid`
-# - "kvstore" stores identities in an etcd kvstore.
-# - In order to support External Workloads, "crd" is required
-#   - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
-# - KVStore operations are only required when cilium-operator is running with any of the below options:
-#   - --synchronize-k8s-services
-#   - --synchronize-k8s-nodes
-#   - --identity-allocation-mode=kvstore
-#   - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
-cilium_identity_allocation_mode: crd
-
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
 kube_etcd_cacert_file: ca.pem

roles/network_plugin/cilium/templates/values.yaml.j2

@@ -62,8 +62,8 @@ cni:
 
 autoDirectNodeRoutes: {{ cilium_auto_direct_node_routes | to_json }}
 
-ipv4NativeRoutingCIDR: {{ cilium_native_routing_cidr }}
+ipv4NativeRoutingCIDR: "{{ cilium_native_routing_cidr }}"
-ipv6NativeRoutingCIDR: {{ cilium_native_routing_cidr_ipv6 }}
+ipv6NativeRoutingCIDR: "{{ cilium_native_routing_cidr_ipv6 }}"
 
 encryption:
   enabled: {{ cilium_encryption_enabled | to_json }}

test-infra/image-builder/README.md

@@ -0,0 +1,57 @@
+# KubeVirt Image Builder
+
+Build and push KubeVirt VM disk images to quay.io for Kubespray CI testing.
+
+## How It Works
+
+The Ansible playbook downloads upstream cloud images, converts them to qcow2, resizes (+8G), wraps each in a Docker image based on `kubevirt/registry-disk-v1alpha`, and pushes to `quay.io/kubespray/vm-<os-name>:<tag>`.
+
+## Prerequisites
+
+- Docker, `qemu-img`, Ansible
+- Push access to [quay.io/kubespray](https://quay.io/organization/kubespray) (robot account `kubespray+buildvmimages`)
+
+## Image Definitions
+
+All OS images are defined in [`roles/kubevirt-images/defaults/main.yml`](roles/kubevirt-images/defaults/main.yml).
+
+Each entry specifies:
+
+| Field | Description |
+|-------|-------------|
+| `filename` | Downloaded file name |
+| `url` | Upstream cloud image URL |
+| `checksum` | Checksum for download verification |
+| `converted` | `true` if the source is already qcow2, `false` if conversion is needed |
+| `tag` | Docker image tag (usually `latest`) |
+
+## Usage
+
+### Build and push all images
+
+```bash
+cd test-infra/image-builder/
+make docker_password=<quay-robot-token>
+```
+
+### Add a new OS image
+
+1. Add a new entry to `roles/kubevirt-images/defaults/main.yml`:
+
+   ```yaml
+   new-os-name:
+     filename: cloud-image-file.qcow2
+     url: https://example.com/cloud-image-file.qcow2
+     checksum: sha256:<hash>
+     converted: true
+     tag: "latest"
+   ```
+
+2. Build and push the image:
+
+   ```bash
+   make docker_password=<quay-robot-token>
+   ```
+
+3. Submit a PR with the `defaults/main.yml` change so CI can use the new image.
+   See [#12379](https://github.com/kubernetes-sigs/kubespray/pull/12379) for an example.

tests/cloud_playbooks/roles/packet-ci/vars/main.yml

@@ -50,6 +50,8 @@ cloudinit_config: |
       partition: 'none'
   mounts:
     - ['/dev/disk/by-id/virtio-2825A83CBDC8A32D5E', '/tmp/releases']
+  runcmd:
+    - chmod 777 /tmp/releases
 
 ignition_config:
   ignition:
@@ -68,3 +70,9 @@ ignition_config:
         format: ext4
         path: /tmp/releases
         wipeFilesystem: true
+    directories:
+      - path: /tmp/releases
+        # ignition require a integer, so using the octal notation is easier
+        # than noting it in decimal form
+        # yamllint disable-line rule:octal-values
+        mode: 0777