feat(module): add migration disable tls annotation support (#2198)

danilrwx · web-flow · commit a98ea434792a · 2026-04-10T11:18:23.000+02:00
Add support for enabling and disabling KubeVirt live migration TLS via a temporary annotation on ModuleConfig/virtualization.

The change introduces parsing of the virtualization.deckhouse.io/disable-tls annotation in the module hook, stores the effective value in internal module values, passes it to the rendered KubeVirt migration configuration, and propagates it to the migration configuration injected into KVVMI status.

---------

Signed-off-by: Daniil Antoshin &lt;daniil.antoshin@flant.com&gt;
diff --git a/images/hooks/pkg/hooks/migration-config/hook.go b/images/hooks/pkg/hooks/migration-config/hook.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 
 	"k8s.io/utils/ptr"
 
@@ -36,16 +37,19 @@ const (
 	completionTimeoutPerGiBAnnotation           = "virtualization.deckhouse.io/completion-timeout-per-gib"
 	parallelOutboundMigrationsPerNodeAnnotation = "virtualization.deckhouse.io/parallel-outbound-migrations-per-node"
 	progressTimeoutAnnotation                   = "virtualization.deckhouse.io/progress-timeout"
+	disableTLSAnnotation                        = "virtualization.deckhouse.io/disable-tls"
 
 	bandwidthPerMigrationValuesPath             = "virtualization.internal.virtConfig.bandwidthPerMigration"
 	completionTimeoutPerGiBValuesPath           = "virtualization.internal.virtConfig.completionTimeoutPerGiB"
 	parallelOutboundMigrationsPerNodeValuesPath = "virtualization.internal.virtConfig.parallelOutboundMigrationsPerNode"
 	progressTimeoutValuesPath                   = "virtualization.internal.virtConfig.progressTimeout"
+	disableTLSValuesPath                        = "virtualization.internal.virtConfig.disableTLS"
 
 	defaultBandwidthPerMigration             = "640Mi"
 	defaultCompletionTimeoutPerGiB           = 800
 	defaultParallelOutboundMigrationsPerNode = 1
 	defaultProgressTimeout                   = 150
+	defaultDisableTLS                        = false
 )
 
 // migrationParams defines migration parameters configurable via ModuleConfig annotations.
@@ -72,6 +76,11 @@ var migrationParams = []migrationParam{
 		valuesPath:   progressTimeoutValuesPath,
 		defaultValue: defaultProgressTimeout,
 	},
+	{
+		annotation:   disableTLSAnnotation,
+		valuesPath:   disableTLSValuesPath,
+		defaultValue: defaultDisableTLS,
+	},
 }
 
 type migrationParam struct {
@@ -87,6 +96,12 @@ func (p migrationParam) resolve(annos map[string]string) (any, error) {
 	}
 
 	switch p.defaultValue.(type) {
+	case bool:
+		v, err := strconv.ParseBool(strings.ToLower(val))
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %q annotation: %w", p.annotation, err)
+		}
+		return v, nil
 	case int:
 		v, err := strconv.Atoi(val)
 		if err != nil {
@@ -102,6 +117,8 @@ func (p migrationParam) resolve(annos map[string]string) (any, error) {
 
 func (p migrationParam) getCurrent(input *pkg.HookInput) any {
 	switch p.defaultValue.(type) {
+	case bool:
+		return input.Values.Get(p.valuesPath).Bool()
 	case int:
 		return int(input.Values.Get(p.valuesPath).Int())
 	case string:
diff --git a/images/hooks/pkg/hooks/migration-config/hook_test.go b/images/hooks/pkg/hooks/migration-config/hook_test.go
@@ -84,6 +84,7 @@ var _ = Describe("MigrationConfig", func() {
 			completionTimeoutPerGiBAnnotation:           "1200",
 			parallelOutboundMigrationsPerNodeAnnotation: "5",
 			progressTimeoutAnnotation:                   "300",
+			disableTLSAnnotation:                        "true",
 		}))
 
 		values.GetMock.Set(func(path string) gjson.Result {
@@ -96,6 +97,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})
@@ -111,6 +114,7 @@ var _ = Describe("MigrationConfig", func() {
 		Expect(setValues).To(HaveKeyWithValue(completionTimeoutPerGiBValuesPath, 1200))
 		Expect(setValues).To(HaveKeyWithValue(parallelOutboundMigrationsPerNodeValuesPath, 5))
 		Expect(setValues).To(HaveKeyWithValue(progressTimeoutValuesPath, 300))
+		Expect(setValues).To(HaveKeyWithValue(disableTLSValuesPath, true))
 	})
 
 	It("Should set defaults when no annotations present", func() {
@@ -126,6 +130,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: 9999}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: 9999}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.True}
 			}
 			return gjson.Result{}
 		})
@@ -141,6 +147,7 @@ var _ = Describe("MigrationConfig", func() {
 		Expect(setValues).To(HaveKeyWithValue(completionTimeoutPerGiBValuesPath, defaultCompletionTimeoutPerGiB))
 		Expect(setValues).To(HaveKeyWithValue(parallelOutboundMigrationsPerNodeValuesPath, defaultParallelOutboundMigrationsPerNode))
 		Expect(setValues).To(HaveKeyWithValue(progressTimeoutValuesPath, defaultProgressTimeout))
+		Expect(setValues).To(HaveKeyWithValue(disableTLSValuesPath, defaultDisableTLS))
 	})
 
 	It("Should not set values when current matches target", func() {
@@ -149,6 +156,7 @@ var _ = Describe("MigrationConfig", func() {
 			completionTimeoutPerGiBAnnotation:           "800",
 			parallelOutboundMigrationsPerNodeAnnotation: "1",
 			progressTimeoutAnnotation:                   "150",
+			disableTLSAnnotation:                        "false",
 		}))
 
 		values.GetMock.Set(func(path string) gjson.Result {
@@ -161,6 +169,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})
@@ -175,6 +185,8 @@ var _ = Describe("MigrationConfig", func() {
 
 		values.GetMock.Set(func(path string) gjson.Result {
 			switch path {
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			case bandwidthPerMigrationValuesPath:
 				return gjson.Result{Type: gjson.String, Str: defaultBandwidthPerMigration}
 			default:
@@ -189,6 +201,35 @@ var _ = Describe("MigrationConfig", func() {
 		))))
 	})
 
+	It("Should fail on invalid boolean annotation", func() {
+		setSnapshots(newSnapshot(map[string]string{
+			disableTLSAnnotation: "not-a-bool",
+		}))
+
+		values.GetMock.Set(func(path string) gjson.Result {
+			switch path {
+			case bandwidthPerMigrationValuesPath:
+				return gjson.Result{Type: gjson.String, Str: defaultBandwidthPerMigration}
+			case completionTimeoutPerGiBValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultCompletionTimeoutPerGiB}
+			case parallelOutboundMigrationsPerNodeValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
+			case progressTimeoutValuesPath:
+				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
+			default:
+				return gjson.Result{}
+			}
+		})
+
+		err := reconcile(context.Background(), newInput())
+		Expect(err).To(MatchError(ContainSubstring(fmt.Sprintf(
+			"failed to parse %q annotation:",
+			disableTLSAnnotation,
+		))))
+	})
+
 	It("Should set only one param from annotation and defaults for the rest", func() {
 		setSnapshots(newSnapshot(map[string]string{
 			parallelOutboundMigrationsPerNodeAnnotation: "5",
@@ -204,6 +245,8 @@ var _ = Describe("MigrationConfig", func() {
 				return gjson.Result{Type: gjson.Number, Num: defaultParallelOutboundMigrationsPerNode}
 			case progressTimeoutValuesPath:
 				return gjson.Result{Type: gjson.Number, Num: defaultProgressTimeout}
+			case disableTLSValuesPath:
+				return gjson.Result{Type: gjson.False}
 			}
 			return gjson.Result{}
 		})
diff --git a/images/virtualization-artifact/pkg/controller/livemigration/internal/dynamic_settings_handler_test.go b/images/virtualization-artifact/pkg/controller/livemigration/internal/dynamic_settings_handler_test.go
@@ -108,6 +108,26 @@ var _ = Describe("TestDynamicSettingsHandler", func() {
 
 			Expect(kvvmi.Status.MigrationState.MigrationConfiguration).ShouldNot(BeNil(), "Should set migrationConfiguration")
 		})
+
+		It("Should propagate DisableTLS from KubeVirt config", func() {
+			vm := newVM()
+			kvvmi := newKVVMI()
+			kvvmi.Status.MigrationState = &virtv1.VirtualMachineInstanceMigrationState{}
+
+			kvConfig := newKVConfig()
+			kvConfig.Spec.Configuration.MigrationConfiguration = &virtv1.MigrationConfiguration{
+				DisableTLS: ptr.To(true),
+			}
+
+			fakeClient := setupEnvironment(kvvmi, vm, kvConfig)
+			h := NewDynamicSettingsHandler(fakeClient)
+			_, err := h.Handle(ctx, kvvmi)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(kvvmi.Status.MigrationState.MigrationConfiguration).ShouldNot(BeNil(), "Should set migrationConfiguration")
+			Expect(kvvmi.Status.MigrationState.MigrationConfiguration.DisableTLS).ShouldNot(BeNil(), "Should propagate DisableTLS")
+			Expect(*kvvmi.Status.MigrationState.MigrationConfiguration.DisableTLS).To(BeTrue())
+		})
 	})
 
 	When("Observe KVVMI with completed migration", func() {
diff --git a/images/virtualization-artifact/pkg/livemigration/migration_configuration.go b/images/virtualization-artifact/pkg/livemigration/migration_configuration.go
@@ -63,6 +63,10 @@ func NewMigrationConfiguration(allowAutoConverge bool, kvconfig virtv1.KubeVirt)
 	progressTimeout := MigrationProgressTimeout
 	completionTimeoutPerGiB := MigrationCompletionTimeoutPerGiB
 	defaultUnsafeMigrationOverride := DefaultUnsafeMigrationOverride
+	disableTLS := false
+	if kvconfig.Spec.Configuration.MigrationConfiguration != nil && kvconfig.Spec.Configuration.MigrationConfiguration.DisableTLS != nil {
+		disableTLS = *kvconfig.Spec.Configuration.MigrationConfiguration.DisableTLS
+	}
 	allowPostCopy := MigrationAllowPostCopy
 	allowWorkloadDisruption := MigrationAllowWorkloadDisruption
 
@@ -77,7 +81,7 @@ func NewMigrationConfiguration(allowAutoConverge bool, kvconfig virtv1.KubeVirt)
 		AllowAutoConverge:                 &allowAutoConverge,
 		AllowPostCopy:                     &allowPostCopy,
 		AllowWorkloadDisruption:           &allowWorkloadDisruption,
-		DisableTLS:                        nil,
+		DisableTLS:                        &disableTLS,
 		Network:                           nil,
 		MatchSELinuxLevelOnMigration:      nil,
 	}
diff --git a/openapi/values.yaml b/openapi/values.yaml
@@ -141,6 +141,8 @@ properties:
             type: integer
           progressTimeout:
             type: integer
+          disableTLS:
+            type: boolean
       moduleConfig:
         type: object
         additionalProperties: true
diff --git a/templates/kubevirt/_kubevirt_helpers.tpl b/templates/kubevirt/_kubevirt_helpers.tpl
@@ -102,9 +102,14 @@ spec:
 {{- .Values.virtualization.internal | dig "virtConfig" "progressTimeout" 150 -}}
 {{- end -}}
 
+{{- define "kubevirt.disable_tls" -}}
+{{- .Values.virtualization.internal | dig "virtConfig" "disableTLS" false -}}
+{{- end -}}
+
 {{- define "kubevirt.migrations" -}}
 bandwidthPerMigration: {{ include "kubevirt.bandwidth_per_migration" . }}
 completionTimeoutPerGiB: {{ include "kubevirt.completion_timeout_per_gib" . }}
+disableTLS: {{ include "kubevirt.disable_tls" . }}
 parallelMigrationsPerCluster: {{ include "kubevirt.parallel_migrations_per_cluster" . }}
 parallelOutboundMigrationsPerNode: {{ include "kubevirt.parallel_outbound_migrations_per_node" . }}
 progressTimeout: {{ include "kubevirt.progress_timeout" . }}
diff --git a/tools/kubeconform/fixtures/module-values.yaml b/tools/kubeconform/fixtures/module-values.yaml
@@ -403,6 +403,7 @@ virtualization:
       phase: Deployed
       bandwidthPerMigration: 640Mi
       completionTimeoutPerGiB: 800
+      disableTLS: false
       parallelMigrationsPerCluster: 2
       parallelOutboundMigrationsPerNode: 10
       progressTimeout: 150
