impl

yaroslavborbat · yaroslavborbat · commit b6d569da0bbf · 2026-04-02T12:23:37.000+03:00
Signed-off-by: Yaroslav Borbat &lt;yaroslav.borbat@flant.com&gt;
diff --git a/templates/_hostnetwork_ports.tpl b/templates/_hostnetwork_ports.tpl
@@ -10,40 +10,38 @@ Port map:
 
   virt-handler (kube-api-rewriter runs as its sidecar):
   4135-4199  virt-handler: live-migration tunnels (KubeVirt migration range).
-  4100       virt-handler: Healthz port (--port flag).
+  4100       virt-handler: healthz and Prometheus metrics (--port flag), kube-rbac-proxy implemented natively.
   4101       virt-handler: Console server port (--console-server-port flag).
-  4102       virt-handler: Prometheus metrics (--metrics-port flag).
-  4103       kube-api-rewriter sidecar: Prometheus metrics (MONITORING_BIND_ADDRESS), bound to pod IP.
+  4102       kube-api-rewriter sidecar: Prometheus metrics (MONITORING_BIND_ADDRESS), bound to pod IP.
              liveness and readiness probes (/proxy/healthz, /proxy/readyz).
-  4104       kube-api-rewriter sidecar: pprof (PPROF_BIND_ADDRESS), bound to pod IP, debug mode only.
-  4105       kube-api-rewriter sidecar: Kubernetes API proxy (CLIENT_PROXY_PORT),
+  4103       kube-api-rewriter sidecar: pprof (PPROF_BIND_ADDRESS), bound to pod IP, debug mode only.
+  4104       kube-api-rewriter sidecar: Kubernetes API proxy (CLIENT_PROXY_PORT),
              virt-handler connects here instead of the real API server.
 
   vm-route-forge:
-  4106       vm-route-forge: liveness and readiness probes (HEALTH_PROBE_BIND_ADDRESS).
-  4107       vm-route-forge: pprof (PPROF_BIND_ADDRESS), debug mode only.
+  4105       vm-route-forge: liveness and readiness probes (HEALTH_PROBE_BIND_ADDRESS).
+  4106       vm-route-forge: pprof (PPROF_BIND_ADDRESS), debug mode only.
 
   virtualization-dra:
-  4108       virtualization-dra: gRPC liveness and readiness probes.
+  4107       virtualization-dra: gRPC liveness and readiness probes.
   4280       virtualization-dra: USB/IP daemon (--usbipd-port flag).
 */ -}}
 
 {{- /* virt-handler */ -}}
-{{- define "virt_handler.migration_port_first" -}}4100{{- end -}}
-{{- define "virt_handler.migration_port_last" -}}4148{{- end -}}
+{{- define "virt_handler.migration_port_first" -}}4135{{- end -}}
+{{- define "virt_handler.migration_port_last" -}}4199{{- end -}}
 
 {{- define "virt_handler.port" -}}4100{{- end -}}
 {{- define "virt_handler.console_server_port" -}}4101{{- end -}}
-{{- define "virt_handler.metrics_port" -}}4102{{- end -}}
-{{- define "virt_handler.rewriter_healthz_port" -}}4103{{- end -}}
-{{- define "virt_handler.rewriter_monitoring_port" -}}4103{{- end -}}
-{{- define "virt_handler.rewriter_pprof_port" -}}4104{{- end -}}
-{{- define "virt_handler.rewriter_proxy_port" -}}4105{{- end -}}
+{{- define "virt_handler.rewriter_healthz_port" -}}4102{{- end -}}
+{{- define "virt_handler.rewriter_monitoring_port" -}}4102{{- end -}}
+{{- define "virt_handler.rewriter_pprof_port" -}}4103{{- end -}}
+{{- define "virt_handler.rewriter_proxy_port" -}}4104{{- end -}}
 
 {{- /* vm-route-forge */ -}}
-{{- define "vm_route_forge.health_port" -}}4106{{- end -}}
-{{- define "vm_route_forge.pprof_port" -}}4157{{- end -}}
+{{- define "vm_route_forge.health_port" -}}4105{{- end -}}
+{{- define "vm_route_forge.pprof_port" -}}4106{{- end -}}
 
 {{- /* virtualization-dra */ -}}
-{{- define "virtualization_dra.health_port" -}}4108{{- end -}}
+{{- define "virtualization_dra.health_port" -}}4107{{- end -}}
 {{- define "virtualization_dra.usbipd_port" -}}4280{{- end -}}
diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml
@@ -75,21 +75,6 @@ spec:
     virtualMachineOptions:
       disableSerialConsoleLog: {}
   customizeComponents:
-    flags:
-      {{- if ne "delve/virt-api" ($delve | dig "debug" "component" "<missing>") }}
-      api:
-        metrics-listen: 127.0.0.1
-        metrics-port: "8080"
-      {{- end }}
-      {{- if ne "delve/virt-controller" ($delve | dig "debug" "component" "<missing>") }}
-      controller:
-        metrics-listen: 127.0.0.1
-        metrics-port: "8080"
-      {{- end }}
-      {{- if ne "delve/virt-handler" ($delve | dig "debug" "component" "<missing>") }}
-      handler:
-        metrics-port: {{ include "virt_handler.metrics_port" . | quote }}
-      {{- end }}
     patches:
     # Add node placement settings for virt-api, virt-controller, virt-operator, virt-handler.
     - resourceType: Deployment
@@ -210,33 +195,6 @@ spec:
       patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (list . "virt-handler" $virtHandlerRewriterSettings) }}
       type: strategic
 
-    # Add kube-api-rewriter sidecar containers to virt-controller, virt-api, virt-handler.
-    {{- $kubeRbacProxySettings := dict }}
-    {{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }}
-    {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }}
-    {{- $_ := set $kubeRbacProxySettings "upstreams" (list
-        (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter")
-        (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-controller")
-        (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter")
-        (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter")
-    ) }}
-    - resourceName: virt-controller
-      resourceType: Deployment
-      patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
-      type: strategic
-
-    {{- $_ := set $kubeRbacProxySettings "ignorePaths" "/proxy/healthz,/proxy/readyz" }}
-    {{- $_ := set $kubeRbacProxySettings "upstreams" (list
-        (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter")
-        (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-api")
-        (dict "upstream" "http://127.0.0.1:9090/healthz" "path" "/proxy/healthz" "name" "kube-api-rewriter")
-        (dict "upstream" "http://127.0.0.1:9090/readyz" "path" "/proxy/readyz" "name" "kube-api-rewriter")
-    ) }}
-    - resourceName: virt-api
-      resourceType: Deployment
-      patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
-      type: strategic
-
     # Add rewriter proxy container port to Services used by webhook configurations.
     # First need to set name for existing port to make strategic patch works later.
     - resourceName: virt-api
@@ -331,10 +289,10 @@ spec:
       resourceName: virt-handler
       patch: {{ include "pod_spec_priority_class_name_patch" $priorityClassName }}
       type: strategic
-    # Patch service for https-metrics
+    # Patch service to target the main virt-handler port
     - resourceType: Service
       resourceName: kubevirt-prometheus-metrics
-      patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "https-metrics"}]'
+      patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "virt-handler"}]'
       type: json
 
 # Additional environment variables for virt-controller.
@@ -357,11 +315,10 @@ env:
       patch: '{"spec":{"template":{"metadata":{"labels":{"security.deckhouse.io/security-policy-exception": "virt-handler-ds"}}}}}'
       type: strategic
 
-    # Expose virt-handler ports: health API (--port), console server (--console-server-port),
-    # and HTTPS metrics so kubevirt-prometheus-metrics Service can resolve targetPort: https-metrics.
+    # Expose virt-handler ports: health API (--port) and console server (--console-server-port).
     - resourceName: virt-handler
       resourceType: DaemonSet
-      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","ports":[{"containerPort":{{ include "virt_handler.port" . | int }},"name":"virt-handler","protocol":"TCP"},{"containerPort":{{ include "virt_handler.console_server_port" . | int }},"name":"console","protocol":"TCP"},{"containerPort":{{ include "virt_handler.metrics_port" . | int }},"name":"https-metrics","protocol":"TCP"}]}]}}}}'
+      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","ports":[{"containerPort":{{ include "virt_handler.port" . | int }},"name":"virt-handler","protocol":"TCP"},{"containerPort":{{ include "virt_handler.console_server_port" . | int }},"name":"console","protocol":"TCP"}]}]}}}}'
       type: strategic
 
     # Rewrite virt-api args, replacing the default ports baked into the image.
@@ -375,13 +332,13 @@ env:
     # This is required because customizeComponents.flags only appends flags and cannot replace existing ones.
     - resourceName: virt-handler
       resourceType: DaemonSet
-      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","args":["--port","{{ include "virt_handler.port" . }}","--hostname-override","$(NODE_NAME)","--pod-ip-address","$(MY_POD_IP)","--max-metric-requests","3","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--metrics-port","{{ include "virt_handler.metrics_port" . }}","--migration-port-range-enabled","true","--migration-port-range-first","{{ include "virt_handler.migration_port_first" . }}","--migration-port-range-last","{{ include "virt_handler.migration_port_last" . }}","--graceful-shutdown-seconds","315","-v","2"]}]}}}}'
+      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","args":["--port","{{ include "virt_handler.port" . }}","--hostname-override","$(NODE_NAME)","--pod-ip-address","$(MY_POD_IP)","--max-metric-requests","3","--console-server-port","{{ include "virt_handler.console_server_port" . }}","--migration-port-range-enabled","true","--migration-port-range-first","{{ include "virt_handler.migration_port_first" . }}","--migration-port-range-last","{{ include "virt_handler.migration_port_last" . }}","--graceful-shutdown-seconds","315","-v","2"]}]}}}}'
       type: strategic
 
     # Override virt-handler liveness and readiness probes to use the new host-network port.
     - resourceName: virt-handler
       resourceType: DaemonSet
-      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","livenessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTP"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":45,"successThreshold":1,"timeoutSeconds":10},"readinessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTP"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":20,"successThreshold":1,"timeoutSeconds":10}}]}}}}'
+      patch: '{"spec":{"template":{"spec":{"containers":[{"name":"virt-handler","livenessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":45,"successThreshold":1,"timeoutSeconds":10},"readinessProbe":{"httpGet":{"path":"/healthz","port":{{ include "virt_handler.port" . | int }},"scheme":"HTTPS"},"failureThreshold":3,"initialDelaySeconds":15,"periodSeconds":20,"successThreshold":1,"timeoutSeconds":10}}]}}}}'
       type: strategic
 
     # Change host path for directory with capabilities xml files. We have custom qemu with different
