Kubevirt Part 2
After installing KubeVirt and poring over the documentation, it seemed apparent that I was going to need to get the CDI operator installed as well. This operator was created to allow newly created PVCs to be populated with data before use. I needed it to get a live ISO of Solaris loaded into a PVC so it could be mounted as the virtual CD-ROM drive of my VM.
Setup
Installation via Terraform was again not terrible, but without a Helm chart I had to fall back to the kustomization/kubernetes_manifest pattern.
Operator Mutating CRDs
For the CDI operator, however, this standard pattern had a bit of a wrinkle. At the time of writing, using v0.62.0, the CRDs distributed with this version contained two API versions, v1beta1 and v1alpha1. By itself that is pretty standard; two versions coexisting is normal. What was odd, though, is that when the operator started up it edited the CRD in situ to strip out the v1alpha1 version! I have never seen an operator do this before. Needless to say this creates a conflict in Terraform, as it will just try to add the version back on every apply. So I had to add a facility to strip versions out of a CRD before it is applied, so that everything matches up.
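As an added example of that "strip versions before apply" step (this is illustration code written for this post, not the Terraform facility the author built or anything shipped by CDI), here is a small Python function that removes named API versions from a CRD manifest and refuses the edit when it would leave the CRD invalid or orphan stored objects. The sample CRD is a constructed, minimal DataVolume-shaped CRD with the two versions described above; the real CDI CRD carries schemas and more fields.

```python
import copy

# Constructed minimal CRD shaped like the one described in the post: two served
# API versions, with v1beta1 as the storage version. Not the CRD CDI ships.
SAMPLE_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "datavolumes.cdi.kubevirt.io"},
    "spec": {
        "group": "cdi.kubevirt.io",
        "names": {"kind": "DataVolume", "plural": "datavolumes"},
        "scope": "Namespaced",
        "versions": [
            {"name": "v1beta1", "served": True, "storage": True},
            {"name": "v1alpha1", "served": True, "storage": False},
        ],
    },
}


def strip_crd_versions(crd: dict, drop: set) -> dict:
    """Return a copy of `crd` with the API versions named in `drop` removed.

    Refuses to produce a CRD the API server would reject or that would orphan
    stored objects: at least one version must remain, exactly one remaining
    version must carry storage: true, and a version still listed in
    status.storedVersions cannot be dropped.
    """
    if crd.get("kind") != "CustomResourceDefinition":
        raise ValueError("not a CustomResourceDefinition manifest")

    versions = crd.get("spec", {}).get("versions", [])
    kept = [v for v in versions if v["name"] not in drop]
    if not kept:
        raise ValueError("refusing to drop every version of the CRD")
    if sum(1 for v in kept if v.get("storage")) != 1:
        raise ValueError(
            "remaining versions must include exactly one storage version; "
            "promote another version to storage before dropping this one"
        )

    # If objects are still persisted in a version we are about to drop, the
    # API server would no longer be able to decode them. Refuse in that case.
    stored = set(crd.get("status", {}).get("storedVersions", []))
    still_stored = sorted(stored & set(drop))
    if still_stored:
        raise ValueError(
            f"versions still in status.storedVersions cannot be dropped: {still_stored}"
        )

    out = copy.deepcopy(crd)
    out["spec"]["versions"] = [copy.deepcopy(v) for v in kept]
    return out


def version_names(crd: dict) -> list:
    """Names of the API versions a CRD manifest declares, in order."""
    return [v["name"] for v in crd.get("spec", {}).get("versions", [])]


if __name__ == "__main__":
    trimmed = strip_crd_versions(SAMPLE_CRD, {"v1alpha1"})
    print("before:", version_names(SAMPLE_CRD))
    print("after: ", version_names(trimmed))
```

Running this over the manifest before handing it to kubernetes_manifest gives Terraform the same shape of CRD the operator will leave behind, so the plan stays clean. The checks matter: dropping the storage version, or a version that live objects are still stored in, is exactly the kind of edit an operator might get away with at runtime but a declarative apply should never make silently.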
Certificates
Once it was installed and I was reading the docs on how to use it, it became apparent that I would have to expose the uploadproxy service outside the cluster in order to upload my target ISO. The operator manages self-signed certs for this endpoint, which is fine but redundant on my cluster, since I have a service mesh to handle TLS. Unfortunately this behaviour can't be disabled. Moreover, the certificate signing process is all hardcoded, so it's not possible to have this cert signed by a well-known authority. That would be important in order to expose the service with my preferred method, an HTTPRoute object, as the Gateway API implementation will need to be able to trust this certificate. The CDI operator does store the CA it uses in a Secret in the namespace, but unfortunately its format was incompatible with the Gateway API's BackendTLSPolicy, which can only use a ConfigMap with a key of ca.crt. There was an issue to make the certificate signing process more configurable, and someone posted a workaround: add a patch specification to the operator so the certs can be provided by alternative means. This meant I could use cert-manager to get a cluster-trusted cert served by uploadproxy, whose CA would then be available to the Gateway API.
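As an added example of the Secret-to-ConfigMap step the BackendTLSPolicy forces (illustration code for this post, not part of CDI, cert-manager or the Gateway API), the function below copies only the CA certificate out of a TLS Secret into a ConfigMap keyed ca.crt. It assumes the Secret uses the layout cert-manager writes (tls.crt, tls.key, ca.crt); the Secret contents are constructed placeholders, not real key material. The security point is the filter: a ConfigMap is not a secret, so anything other than CERTIFICATE blocks must never be copied across, and a private-key block under the chosen source key aborts the conversion.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must match. The label is captured so
# private-key blocks can be distinguished from certificates.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S
)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample Secret laid out the way cert-manager writes one
# (tls.crt, tls.key, ca.crt). The PEM bodies are placeholders, not real keys.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "cdi-uploadproxy-tls", "namespace": "cdi"},
    "type": "kubernetes.io/tls",
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nCAPLACEHOLDER\n-----END CERTIFICATE-----\n"),
    },
}


def ca_configmap_from_secret(secret: dict, name: str, source_key: str = "ca.crt") -> dict:
    """Build a ConfigMap carrying only the CA certificate(s) from `secret`.

    BackendTLSPolicy reads its trust anchors from a ConfigMap with a ca.crt
    key. ConfigMaps are not secret, so only CERTIFICATE blocks are copied and
    any private-key block under `source_key` aborts the conversion.
    """
    data = secret.get("data", {})
    if source_key not in data:
        raise KeyError(f"secret has no {source_key!r} key")
    pem = base64.b64decode(data[source_key]).decode("ascii")

    certs = []
    for m in PEM_BLOCK.finditer(pem):
        label = m.group(1)
        if "PRIVATE KEY" in label:
            raise ValueError(
                f"{source_key!r} contains a private key; refusing to copy it into a ConfigMap"
            )
        if label == "CERTIFICATE":
            certs.append(m.group(0))
    if not certs:
        raise ValueError(f"no CERTIFICATE blocks found under {source_key!r}")

    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": secret["metadata"]["namespace"]},
        "data": {"ca.crt": "\n".join(certs) + "\n"},
    }


if __name__ == "__main__":
    cm = ca_configmap_from_secret(SAMPLE_SECRET, "cdi-uploadproxy-ca")
    print(cm["data"]["ca.crt"])
```

The resulting ConfigMap is what a BackendTLSPolicy can reference as its CA source. Keep the ConfigMap in the same namespace as the Secret it was derived from, and regenerate it whenever cert-manager rotates the CA, otherwise the gateway will start rejecting the uploadproxy backend as untrusted.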
Usage
Figuring out how to use the CDI operator was also a bit of a learning curve. Creating the initial DataVolume is intuitive enough, but creating the access token to upload to it was something I was so far unfamiliar with: using kubectl apply to post what looks like a regular Kubernetes resource but is actually an ephemeral resource being posted to an APIService. Once I got that sorted out, the ISO was uploaded to its new DataVolume home.