From 224578196fe7841f128e7339a9211b450c7cd469 Mon Sep 17 00:00:00 2001 From: Oleg Pykhalov Date: Tue, 24 Oct 2023 16:59:00 +0300 Subject: [PATCH] infrastructure: base: containerized-data-importer: Update to 1.57.0. --- .../containerized-data-importer/cdi-cr.yaml | 4 +- .../cdi-operator.yaml | 331 +++++++++++++----- 2 files changed, 237 insertions(+), 98 deletions(-) diff --git a/infrastructure/base/containerized-data-importer/cdi-cr.yaml b/infrastructure/base/containerized-data-importer/cdi-cr.yaml index 921af7972..6c9863fa7 100644 --- a/infrastructure/base/containerized-data-importer/cdi-cr.yaml +++ b/infrastructure/base/containerized-data-importer/cdi-cr.yaml @@ -2,8 +2,10 @@ apiVersion: cdi.kubevirt.io/v1beta1 kind: CDI metadata: name: cdi - namespace: cdi spec: + config: + featureGates: + - HonorWaitForFirstConsumer imagePullPolicy: IfNotPresent infra: nodeSelector: diff --git a/infrastructure/base/containerized-data-importer/cdi-operator.yaml b/infrastructure/base/containerized-data-importer/cdi-operator.yaml index 5fcba436c..08aafd740 100644 --- a/infrastructure/base/containerized-data-importer/cdi-operator.yaml +++ b/infrastructure/base/containerized-data-importer/cdi-operator.yaml @@ -9,7 +9,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 + controller-gen.kubebuilder.io/version: v0.11.3 name: cdis.cdi.kubevirt.io spec: group: cdi.kubevirt.io @@ -87,10 +87,17 @@ spec: enum: - copy - snapshot + - csi-clone type: string config: description: CDIConfig at CDI level properties: + dataVolumeTTLSeconds: + description: DataVolumeTTLSeconds is the time in seconds after + DataVolume completion it can be garbage collected. Disabled + by default. + format: int32 + type: integer featureGates: description: FeatureGates are a list of specific enabled feature gates @@ -121,6 +128,19 @@ spec: global value type: object type: object + imagePullSecrets: + description: The imagePullSecrets used to pull the container images + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array importProxy: description: ImportProxy contains importer pod proxy configuration. properties: @@ -142,12 +162,12 @@ spec: trustedCAProxy: description: "TrustedCAProxy is the name of a ConfigMap in the cdi namespace that contains a user-provided trusted - certificate authority (CA) bundle. The TrustedCAProxy field - is consumed by the import controller that is resposible - for coping it to a config map named trusted-ca-proxy-bundle-cm - in the cdi namespace. Here is an example of the ConfigMap - (in yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - trusted-ca-proxy-bundle-cm namespace: cdi data: ca.pem: + certificate authority (CA) bundle. The TrustedCAProxy ConfigMap + is consumed by the DataImportCron controller for creating + cronjobs, and by the import controller referring a copy + of the ConfigMap in the import namespace. Here is an example + of the ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: my-ca-proxy-cm namespace: cdi data: ca.pem: | -----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE-----" type: string @@ -161,6 +181,27 @@ spec: description: ResourceRequirements describes the compute resource requirements. properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -197,6 +238,97 @@ spec: if no storage class specified, use no storage class for scratch space' type: string + tlsSecurityProfile: + description: TLSSecurityProfile is used by operators to apply + cluster-wide TLS security settings to operands. + properties: + custom: + description: "custom is a user-defined TLS security profile. + Be extremely careful using a custom profile as invalid configurations + can be catastrophic. An example custom profile looks like + this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 + minTLSVersion: TLSv1.1" + nullable: true + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators + may remove entries their operands do not support. For + example, to use DES-CBC3-SHA (yaml): \n ciphers: - + DES-CBC3-SHA" + items: + type: string + type: array + minTLSVersion: + description: "minTLSVersion is used to specify the minimal + version of the TLS protocol that is negotiated during + the TLS handshake. For example, to use TLS versions + 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n + NOTE: currently the highest minTLSVersion allowed is + VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: "intermediate is a TLS security profile based + on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + minTLSVersion: TLSv1.2" + nullable: true + type: object + modern: + description: "modern is a TLS security profile based on: \n + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported." + nullable: true + type: object + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - + ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 + - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA + - DES-CBC3-SHA minTLSVersion: TLSv1.0" + nullable: true + type: object + type: + description: "type is one of Old, Intermediate, Modern or + Custom. Custom provides the ability to specify individual + TLS security profile parameters. Old, Intermediate and Modern + are TLS security profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over + time as new ciphers are developed and existing ciphers are + found to be insecure. Depending on precisely which ciphers + are available to a process, the list may be reduced. \n + Note that the Modern profile is currently not supported + because it is not yet well adopted by common software libraries." + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object uploadProxyURLOverride: description: Override the URL used when uploading to a DataVolume type: string @@ -522,9 +654,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -582,7 +712,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -687,9 +817,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -745,7 +873,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -850,9 +978,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -910,7 +1036,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -1015,9 +1141,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -1073,7 +1197,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -1146,6 +1270,9 @@ spec: type: object type: array type: object + priorityClass: + description: PriorityClass of the CDI control plane + type: string uninstallStrategy: description: CDIUninstallStrategy defines the state to leave CDI on uninstall @@ -1465,9 +1592,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -1525,7 +1650,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -1630,9 +1755,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -1688,7 +1811,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -1793,9 +1916,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -1853,7 +1974,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -1958,9 +2079,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -2016,7 +2135,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -2203,14 +2322,15 @@ spec: enum: - copy - snapshot + - csi-clone type: string config: description: CDIConfig at CDI level properties: dataVolumeTTLSeconds: description: DataVolumeTTLSeconds is the time in seconds after - DataVolume completion it can be garbage collected. The default - is 0 sec. To disable GC use -1. + DataVolume completion it can be garbage collected. Disabled + by default. format: int32 type: integer featureGates: @@ -2243,6 +2363,19 @@ spec: global value type: object type: object + imagePullSecrets: + description: The imagePullSecrets used to pull the container images + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array importProxy: description: ImportProxy contains importer pod proxy configuration. properties: @@ -2264,12 +2397,12 @@ spec: trustedCAProxy: description: "TrustedCAProxy is the name of a ConfigMap in the cdi namespace that contains a user-provided trusted - certificate authority (CA) bundle. The TrustedCAProxy field - is consumed by the import controller that is resposible - for coping it to a config map named trusted-ca-proxy-bundle-cm - in the cdi namespace. Here is an example of the ConfigMap - (in yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - trusted-ca-proxy-bundle-cm namespace: cdi data: ca.pem: + certificate authority (CA) bundle. The TrustedCAProxy ConfigMap + is consumed by the DataImportCron controller for creating + cronjobs, and by the import controller referring a copy + of the ConfigMap in the import namespace. Here is an example + of the ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: my-ca-proxy-cm namespace: cdi data: ca.pem: | -----BEGIN CERTIFICATE----- ... ... -----END CERTIFICATE-----" type: string @@ -2283,6 +2416,27 @@ spec: description: ResourceRequirements describes the compute resource requirements. properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2735,9 +2889,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -2795,7 +2947,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -2900,9 +3052,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -2958,7 +3108,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -3063,9 +3213,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -3123,7 +3271,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -3228,9 +3376,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -3286,7 +3432,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -3681,9 +3827,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -3741,7 +3885,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -3846,9 +3990,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -3904,7 +4046,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -4009,9 +4151,7 @@ spec: this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list @@ -4069,7 +4209,7 @@ spec: listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -4174,9 +4314,7 @@ spec: field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label @@ -4232,7 +4370,7 @@ spec: term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" + and null namespaceSelector means "this pod's namespace". items: type: string type: array @@ -4394,6 +4532,7 @@ rules: - apiextensions.k8s.io resources: - customresourcedefinitions + - customresourcedefinitions/status verbs: - '*' - apiGroups: @@ -4442,6 +4581,12 @@ rules: - namespaces verbs: - get +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get - apiGroups: - cdi.kubevirt.io resources: @@ -4480,7 +4625,6 @@ rules: resources: - persistentvolumes - persistentvolumeclaims - - volumesnapshots verbs: - get - list @@ -4489,12 +4633,12 @@ rules: - update - delete - deletecollection + - patch - apiGroups: - "" resources: - persistentvolumeclaims/finalizers - pods/finalizers - - volumesnapshots/finalizers verbs: - update - apiGroups: @@ -4514,6 +4658,7 @@ rules: - configmaps verbs: - get + - create - apiGroups: - storage.k8s.io resources: @@ -4746,25 +4891,25 @@ spec: - name: DEPLOY_CLUSTER_RESOURCES value: "true" - name: OPERATOR_VERSION - value: v1.55.2 + value: v1.57.0 - name: CONTROLLER_IMAGE - value: quay.io/kubevirt/cdi-controller:v1.55.2 + value: quay.io/kubevirt/cdi-controller:v1.57.0 - name: IMPORTER_IMAGE - value: quay.io/kubevirt/cdi-importer:v1.55.2 + value: quay.io/kubevirt/cdi-importer:v1.57.0 - name: CLONER_IMAGE - value: quay.io/kubevirt/cdi-cloner:v1.55.2 + value: quay.io/kubevirt/cdi-cloner:v1.57.0 - name: APISERVER_IMAGE - value: quay.io/kubevirt/cdi-apiserver:v1.55.2 + value: quay.io/kubevirt/cdi-apiserver:v1.57.0 - name: UPLOAD_SERVER_IMAGE - value: quay.io/kubevirt/cdi-uploadserver:v1.55.2 + value: quay.io/kubevirt/cdi-uploadserver:v1.57.0 - name: UPLOAD_PROXY_IMAGE - value: quay.io/kubevirt/cdi-uploadproxy:v1.55.2 + value: quay.io/kubevirt/cdi-uploadproxy:v1.57.0 - name: VERBOSITY value: "1" - name: PULL_POLICY value: IfNotPresent - name: MONITORING_NAMESPACE - image: quay.io/kubevirt/cdi-operator:v1.55.2 + image: quay.io/kubevirt/cdi-operator:v1.57.0 imagePullPolicy: IfNotPresent name: cdi-operator ports: @@ -4791,11 +4936,3 @@ spec: tolerations: - key: CriticalAddonsOnly operator: Exists ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - operator.cdi.kubevirt.io: "" - name: cdi-operator-leader-election-helper - namespace: cdi