dotfiles/infrastructure/base/kubevirt-tekton-tasks/kubevirt-tekton-tasks-kubernetes.yaml

---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: cleanup-vm-task
    vmNamespace.params.task.kubevirt.io/type: namespace
    secretName.params.task.kubevirt.io/type: execute-in-vm-secret
    script.params.task.kubevirt.io/type: script
    delete.params.task.kubevirt.io/type: boolean
    stop.params.task.kubevirt.io/type: boolean
    timeout.params.task.kubevirt.io/type: duration
  labels:
    task.kubevirt.io/type: cleanup-vm
    task.kubevirt.io/category: execute-in-vm
  name: cleanup-vm
spec:
  params:
    - description: Name of a VM to execute the action in.
      name: vmName
      type: string
    - description: Namespace of a VM to execute the action in. (defaults to active namespace)
      name: vmNamespace
      type: string
      default: ""
    - description: Stops the VM after executing the commands when set to true.
      name: stop
      type: string
      default: "true"
    - description: Deletes the VM after executing the commands when set to true.
      name: delete
      type: string
      default: "false"
    - description: Timeout for the command/script (includes potential VM start). The VM will be stopped or deleted accordingly once the timout expires. Should be in a 3h2m1s format.
      name: timeout
      type: string
      default: "30m"
    - description: Secret to use when connecting to a VM.
      name: secretName
      type: string
      default: "__empty__"
    - description: Command to execute in a VM.
      name: command
      type: array
      default: []
    - description: Arguments of a command.
      name: args
      type: array
      default: []
    - description: Script to execute in a VM.
      name: script
      type: string
      default: ""
  steps:
    - name: execute-in-vm
      image: "quay.io/kubevirt/tekton-task-execute-in-vm:v0.13.2"
      command:
        - entrypoint
      args:
        - '--stop'
        - $(params.stop)
        - '--delete'
        - $(params.delete)
        - '--timeout'
        - $(params.timeout)
        - '--'
        - $(params.command)
        - $(params.args)
      env:
        - name: VM_NAME
          value: $(params.vmName)
        - name: VM_NAMESPACE
          value: $(params.vmNamespace)
        - name: EXECUTE_SCRIPT
          value: $(params.script)
        - name: CONNECTION_SECRET_NAME
          value: $(params.secretName)
      volumeMounts:
        - mountPath: /data/connectionsecret/
          name: connectionsecret
          readOnly: true
  volumes:
    - name: connectionsecret
      secret:
        secretName: $(params.secretName)
        optional: true

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cleanup-vm-task
rules:
  - verbs:
      - get
      - list
      - watch
      - delete
    apiGroups:
      - kubevirt.io
    resources:
      - virtualmachines
      - virtualmachineinstances
  - verbs:
      - update
    apiGroups:
      - subresources.kubevirt.io
    resources:
      - virtualmachines/start
      - virtualmachines/stop
      - virtualmachines/restart

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cleanup-vm-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cleanup-vm-task
roleRef:
  kind: ClusterRole
  name: cleanup-vm-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cleanup-vm-task
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: create-vm-from-manifest-task
    manifest.params.task.kubevirt.io/type: resource-yaml
    manifest.params.task.kubevirt.io/kind: VirtualMachine
    manifest.params.task.kubevirt.io/apiVersion: kubevirt.io/v1
    namespace.params.task.kubevirt.io/type: namespace
    dataVolumes.params.task.kubevirt.io/kind: DataVolume
    dataVolumes.params.task.kubevirt.io/apiVersion: cdi.kubevirt.io/v1beta1
    ownDataVolumes.params.task.kubevirt.io/kind: DataVolume
    ownDataVolumes.params.task.kubevirt.io/apiVersion: cdi.kubevirt.io/v1beta1
    persistentVolumeClaims.params.task.kubevirt.io/kind: PersistentVolumeClaim
    persistentVolumeClaims.params.task.kubevirt.io/apiVersion: v1
    ownPersistentVolumeClaims.params.task.kubevirt.io/kind: PersistentVolumeClaim
    ownPersistentVolumeClaims.params.task.kubevirt.io/apiVersion: v1
    startVM.params.task.kubevirt.io/type: boolean
  labels:
    task.kubevirt.io/type: create-vm-from-manifest
    task.kubevirt.io/category: create-vm
  name: create-vm-from-manifest
spec:
  params:
    - name: manifest
      description: YAML manifest of a VirtualMachine resource to be created.
      type: string
    - name: namespace
      description: Namespace where to create the VM. (defaults to manifest namespace or active namespace)
      default: ""
      type: string
    - name: startVM
      description: Set to true or false to start / not start vm after creation. In case of runStrategy is set to Always, startVM flag is ignored.
      default: ""
      type: string
    - name: runStrategy
      description: Set runStrategy to VM. If runStrategy is set, vm.spec.running attribute is set to nil.
      default: ""
      type: string
    - name: dataVolumes
      description: Add DVs to VM Volumes. Replaces a particular volume if in VOLUME_NAME:DV_NAME format. Eg. ["rootdisk:my-dv", "my-dv2"]
      default: []
      type: array
    - name: ownDataVolumes
      description: Add DVs to VM Volumes and add VM to DV ownerReferences. These DataVolumes will be deleted once the created VM gets deleted. Replaces a particular volume if in VOLUME_NAME:DV_NAME format. Eg. ["rootdisk:my-dv", "my-dv2"]
      default: []
      type: array
    - name: persistentVolumeClaims
      description: Add PVCs to VM Volumes. Replaces a particular volume if in VOLUME_NAME:PVC_NAME format. Eg. ["rootdisk:my-pvc", "my-pvc2"]
      default: []
      type: array
    - name: ownPersistentVolumeClaims
      description: Add PVCs to VM Volumes and add VM to PVC ownerReferences. These PVCs will be deleted once the created VM gets deleted. Replaces a particular volume if in VOLUME_NAME:PVC_NAME format. Eg. ["rootdisk:my-pvc", "my-pvc2"]
      default: []
      type: array
  results:
    - name: name
      description: The name of a VM that was created.
    - name: namespace
      description: The namespace of a VM that was created.
  steps:
    - name: createvm
      image: "quay.io/kubevirt/tekton-task-create-vm:v0.13.2"
      command:
        - create-vm
      args:
        - "--output=yaml"
        - '--dvs'
        - $(params.dataVolumes)
        - '--own-dvs'
        - $(params.ownDataVolumes)
        - '--pvcs'
        - $(params.persistentVolumeClaims)
        - '--own-pvcs'
        - $(params.ownPersistentVolumeClaims)
      env:
        - name: VM_MANIFEST
          value: $(params.manifest)
        - name: VM_NAMESPACE
          value: $(params.namespace)
        - name: START_VM
          value: $(params.startVM)
        - name: RUN_STRATEGY
          value: $(params.runStrategy)

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: create-vm-from-manifest-task
rules:
  - verbs:
      - get
      - list
      - watch
      - create
      - update
    apiGroups:
      - kubevirt.io
    resources:
      - virtualmachines
      - virtualmachineinstances
  - verbs:
      - 'update'
    apiGroups:
      - subresources.kubevirt.io
    resources:
      - virtualmachines/start
  - verbs:
      - '*'
    apiGroups:
      - kubevirt.io
    resources:
      - virtualmachines/finalizers
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - persistentvolumeclaims
  - verbs:
      - '*'
    apiGroups:
      - cdi.kubevirt.io
    resources:
      - datavolumes

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: create-vm-from-manifest-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: create-vm-from-manifest-task
roleRef:
  kind: ClusterRole
  name: create-vm-from-manifest-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: create-vm-from-manifest-task
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    pvc.params.task.kubevirt.io/kind: PersistentVolumeClaim
    pvc.params.task.kubevirt.io/apiVersion: v1
    customizeCommands.params.task.kubevirt.io/type: script
    verbose.params.task.kubevirt.io/type: boolean
  labels:
    task.kubevirt.io/type: disk-virt-customize
    task.kubevirt.io/category: disk-virt-customize
  name: disk-virt-customize
spec:
  params:
    - name: pvc
      description: PersistentVolumeClaim to run the the virt-customize script in. PVC should be in the same namespace as taskrun/pipelinerun.
      type: string
    - name: customizeCommands
      description: virt-customize commands in "--commands-from-file" format.
      type: string
      default: ""
    - name: verbose
      description: Enable verbose mode and tracing of libguestfs API calls.
      type: string
      default: 'false'
    - name: additionalOptions
      description: Additional options to pass to virt-customize.
      type: string
      default: ""
  steps:
    - name: run-virt-customize
      image: "quay.io/kubevirt/tekton-task-disk-virt-customize:v0.13.2"
      command:
        - entrypoint
      args:
        - '--verbose'
        - $(params.verbose)
      env:
        - name: CUSTOMIZE_COMMANDS
          value: $(params.customizeCommands)
        - name: ADDITIONAL_VIRT_CUSTOMIZE_OPTIONS
          value: $(params.additionalOptions)
        - name: LIBGUESTFS_BACKEND
          value: direct
      resources:
        limits:
          devices.kubevirt.io/kvm: '1'
          devices.kubevirt.io/tun: '1'
          devices.kubevirt.io/vhost-net: '1'
        requests:
          devices.kubevirt.io/kvm: '1'
          devices.kubevirt.io/tun: '1'
          devices.kubevirt.io/vhost-net: '1'
      volumeMounts:
        - mountPath: /mnt/appliance/
          name: guestfsappliance
        - mountPath: /mnt/targetpvc/
          name: targetpvc
  volumes:
    - name: guestfsappliance
      emptyDir: {}
    - name: targetpvc
      persistentVolumeClaim:
        claimName: $(params.pvc)
  workspaces:
    - name: data01
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data01
    - name: data02
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data02
    - name: data03
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data03
    - name: data04
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data04
    - name: data05
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data05
    - name: data06
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data06
    - name: data07
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data07
    - name: data08
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data08
    - name: data09
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data09
    - name: data10
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data10
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    pvc.params.task.kubevirt.io/kind: PersistentVolumeClaim
    pvc.params.task.kubevirt.io/apiVersion: v1
    sysprepCommands.params.task.kubevirt.io/type: script
    verbose.params.task.kubevirt.io/type: boolean
  labels:
    task.kubevirt.io/type: disk-virt-sysprep
    task.kubevirt.io/category: disk-virt-sysprep
  name: disk-virt-sysprep
spec:
  params:
    - name: pvc
      description: PersistentVolumeClaim to run the the virt-sysprep script in. PVC should be in the same namespace as taskrun/pipelinerun.
      type: string
    - name: sysprepCommands
      description: virt-sysprep commands in "--commands-from-file" format.
      type: string
      default: ""
    - name: verbose
      description: Enable verbose mode and tracing of libguestfs API calls.
      type: string
      default: 'false'
    - name: additionalOptions
      description: Additional options to pass to virt-sysprep.
      type: string
      default: ""
  steps:
    - name: run-virt-sysprep
      image: "quay.io/kubevirt/tekton-task-disk-virt-sysprep:v0.13.2"
      command:
        - entrypoint
      args:
        - '--verbose'
        - $(params.verbose)
      env:
        - name: SYSPREP_COMMANDS
          value: $(params.sysprepCommands)
        - name: ADDITIONAL_VIRT_SYSPREP_OPTIONS
          value: $(params.additionalOptions)
        - name: LIBGUESTFS_BACKEND
          value: direct
      resources:
        limits:
          devices.kubevirt.io/kvm: '1'
          devices.kubevirt.io/tun: '1'
          devices.kubevirt.io/vhost-net: '1'
        requests:
          devices.kubevirt.io/kvm: '1'
          devices.kubevirt.io/tun: '1'
          devices.kubevirt.io/vhost-net: '1'
      volumeMounts:
        - mountPath: /mnt/appliance/
          name: guestfsappliance
        - mountPath: /mnt/targetpvc/
          name: targetpvc
  volumes:
    - name: guestfsappliance
      emptyDir: {}
    - name: targetpvc
      persistentVolumeClaim:
        claimName: $(params.pvc)
  workspaces:
    - name: data01
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data01
    - name: data02
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data02
    - name: data03
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data03
    - name: data04
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data04
    - name: data05
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data05
    - name: data06
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data06
    - name: data07
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data07
    - name: data08
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data08
    - name: data09
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data09
    - name: data10
      description: |
        An optional workspace that may contain files or secrets to be
        used during the virt-customize run.
      optional: true
      mountPath: /data10
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: execute-in-vm-task
    vmNamespace.params.task.kubevirt.io/type: namespace
    secretName.params.task.kubevirt.io/type: execute-in-vm-secret
    script.params.task.kubevirt.io/type: script
  labels:
    task.kubevirt.io/type: execute-in-vm
    task.kubevirt.io/category: execute-in-vm
  name: execute-in-vm
spec:
  params:
    - description: Name of a VM to execute the action in.
      name: vmName
      type: string
    - description: Namespace of a VM to execute the action in. (defaults to active namespace)
      name: vmNamespace
      type: string
      default: ""
    - description: Secret to use when connecting to a VM.
      name: secretName
      type: string
      default: "__empty__"
    - description: Command to execute in a VM.
      name: command
      type: array
      default: []
    - description: Arguments of a command.
      name: args
      type: array
      default: []
    - description: Script to execute in a VM.
      name: script
      type: string
      default: ""
  steps:
    - name: execute-in-vm
      image: "quay.io/kubevirt/tekton-task-execute-in-vm:v0.13.2"
      command:
        - entrypoint
      args:
        - '--'
        - $(params.command)
        - $(params.args)
      env:
        - name: VM_NAME
          value: $(params.vmName)
        - name: VM_NAMESPACE
          value: $(params.vmNamespace)
        - name: EXECUTE_SCRIPT
          value: $(params.script)
        - name: CONNECTION_SECRET_NAME
          value: $(params.secretName)
      volumeMounts:
        - mountPath: /data/connectionsecret/
          name: connectionsecret
          readOnly: true
  volumes:
    - name: connectionsecret
      secret:
        secretName: $(params.secretName)
        optional: true

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: execute-in-vm-task
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - kubevirt.io
    resources:
      - virtualmachines
      - virtualmachineinstances
  - verbs:
      - update
    apiGroups:
      - subresources.kubevirt.io
    resources:
      - virtualmachines/start
      - virtualmachines/stop
      - virtualmachines/restart

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: execute-in-vm-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: execute-in-vm-task
roleRef:
  kind: ClusterRole
  name: execute-in-vm-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: execute-in-vm-task
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: generate-ssh-keys-task
    publicKeySecretName.params.task.kubevirt.io/kind: Secret
    publicKeySecretName.params.task.kubevirt.io/apiVersion: v1
    publicKeySecretNamespace.params.task.kubevirt.io/type: namespace
    privateKeySecretName.params.task.kubevirt.io/kind: Secret
    privateKeySecretName.params.task.kubevirt.io/apiVersion: v1
    privateKeySecretNamespace.params.task.kubevirt.io/type: namespace
    privateKeyConnectionOptions.params.task.kubevirt.io/type: private-key-options-array
  labels:
    task.kubevirt.io/type: generate-ssh-keys
    task.kubevirt.io/category: generate-ssh-keys
  name: generate-ssh-keys
spec:
  params:
    - name: publicKeySecretName
      description: Name of a new or existing secret to append the generated public key to. The name will be generated and new secret created if not specified.
      default: ""
      type: string
    - name: publicKeySecretNamespace
      description: Namespace of publicKeySecretName. (defaults to active namespace)
      default: ""
      type: string
    - name: privateKeySecretName
      description: Name of a new secret to add the generated private key to. The name will be generated if not specified. The secret uses format of execute-in-vm task.
      default: ""
      type: string
    - name: privateKeySecretNamespace
      description: Namespace of privateKeySecretName. (defaults to active namespace)
      default: ""
      type: string
    - name: privateKeyConnectionOptions
      description: Additional options to use in SSH client. Please see execute-in-vm task SSH section for more details. Eg ["host-public-key:ssh-rsa AAAAB...", "additional-ssh-options:-p 8022"].
      default: []
      type: array
    - name: additionalSSHKeygenOptions
      description: Additional options to pass to the ssh-keygen command.
      default: ""
      type: string
  results:
    - name: publicKeySecretName
      description: The name of a public key secret.
    - name: publicKeySecretNamespace
      description: The namespace of a public key secret.
    - name: privateKeySecretName
      description: The name of a private key secret.
    - name: privateKeySecretNamespace
      description: The namespace of a private key secret.
  steps:
    - name: generate-ssh-keys
      image: "quay.io/kubevirt/tekton-task-generate-ssh-keys:v0.13.2"
      command:
        - entrypoint
        - '--'
        - $(params.privateKeyConnectionOptions)
      env:
        - name: PUBLIC_KEY_SECRET_NAME
          value: $(params.publicKeySecretName)
        - name: PUBLIC_KEY_SECRET_NAMESPACE
          value: $(params.publicKeySecretNamespace)
        - name: PRIVATE_KEY_SECRET_NAME
          value: $(params.privateKeySecretName)
        - name: PRIVATE_KEY_SECRET_NAMESPACE
          value: $(params.privateKeySecretNamespace)
        - name: ADDITIONAL_SSH_KEYGEN_OPTIONS
          value: $(params.additionalSSHKeygenOptions)

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: generate-ssh-keys-task
rules:
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - secrets

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: generate-ssh-keys-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: generate-ssh-keys-task
roleRef:
  kind: ClusterRole
  name: generate-ssh-keys-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: generate-ssh-keys-task
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: modify-data-object-task
    manifest.params.task.kubevirt.io/type: resource-yaml
    manifest.params.task.kubevirt.io/apiVersion: cdi.kubevirt.io/v1beta1
    waitForSuccess.params.task.kubevirt.io/type: boolean
  labels:
    task.kubevirt.io/type: modify-data-object
    task.kubevirt.io/category: modify-data-object
  name: modify-data-object
spec:
  description: >-
    This task modifies a data object (DataVolume or DataSource). It can optionally wait until CDI imports finish.
  params:
    - name: manifest
      description: YAML manifest of a data object to be created.
      type: string
      default: ''
    - name: namespace
      description: Namespace where to create the data object. (defaults to manifest namespace or active namespace)
      default: ""
      type: string
    - name: waitForSuccess
      description: Set to "true" or "false" if container should wait for Ready condition of the data object.
      default: 'false'
      type: string
    - name: allowReplace
      description: Allow replacing an already existing data object (same combination name/namespace). Allowed values true/false
      type: string
      default: "false"
    - name: deleteObject
      description: Set to `true` or `false` if task should delete the specified DataVolume, DataSource or PersistentVolumeClaim. If set to 'true' the ds/dv/pvc will be deleted and all other parameters are ignored.
      default: 'false'
      type: string
    - name: deleteObjectKind
      description: Kind of the data object to delete. This parameter is used only for Delete operation.
      default: ""
      type: string
    - name: deleteObjectName
      description: Name of the data object to delete. This parameter is used only for Delete operation.
      default: ""
      type: string
  results:
    - name: name
      description: The name of the data object that was created.
    - name: namespace
      description: The namespace of the data object that was created.
  steps:
    - name: modify-data-object
      image: "quay.io/kubevirt/tekton-task-modify-data-object:v0.13.2"
      command:
        - modify-data-object
      args:
        - "--output=yaml"
      env:
        - name: DATA_OBJECT_MANIFEST
          value: $(params.manifest)
        - name: DATA_OBJECT_NAMESPACE
          value: $(params.namespace)
        - name: WAIT_FOR_SUCCESS
          value: $(params.waitForSuccess)
        - name: ALLOW_REPLACE
          value: $(params.allowReplace)
        - name: DELETE_OBJECT
          value: $(params.deleteObject)
        - name: DELETE_OBJECT_KIND
          value: $(params.deleteObjectKind)
        - name: DELETE_OBJECT_NAME
          value: $(params.deleteObjectName)

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: modify-data-object-task
rules:
  - verbs:
      - get
      - create
      - delete
    apiGroups:
      - cdi.kubevirt.io
    resources:
      - datavolumes
      - datasources
  - verbs:
      - create
    apiGroups:
      - ""
    resources:
      - pods
  - verbs:
      - get
      - delete
    apiGroups:
      - ""
    resources:
      - persistentvolumeclaims

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: modify-data-object-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: modify-data-object-task
roleRef:
  kind: ClusterRole
  name: modify-data-object-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: modify-data-object-task
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: modify-windows-iso-file-task
  labels:
    task.kubevirt.io/type: modify-windows-iso-file
    task.kubevirt.io/category: modify-windows-iso-file
  name: modify-windows-iso-file
spec:
  params:
    - name: pvcName
      description: PersistentVolumeClaim which contains windows iso.
      type: string
      default: ""
  steps:
    - name: modify-iso-file
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - "ALL"
      image: "quay.io/kubevirt/tekton-task-disk-virt-customize:v0.13.2"
      script: |
        #!/bin/bash
        set -x

        export LIBGUESTFS_PATH=/usr/local/lib/guestfs/appliance
        export ISO_FILES_PATH="/tmp/extracted-iso-files"
        export EFI_BOOT="${ISO_FILES_PATH}/efi/microsoft/boot"
        export TARGET_IMG_FILE_PATH="tmp/target-pvc/disk.img"

        guestfish -a ${TARGET_IMG_FILE_PATH} -m /dev/sda tar-out / - | tar xvf - -C ${ISO_FILES_PATH} -m --no-overwrite-dir --owner=$(id -u) --group=$(id -g) --no-same-permissions
 
        chmod u+w "${ISO_FILES_PATH}/efi" "${ISO_FILES_PATH}/efi/microsoft" "${ISO_FILES_PATH}/efi/microsoft/boot"
        chmod u+w "${EFI_BOOT}/efisys.bin" "${EFI_BOOT}/cdboot.efi" "${EFI_BOOT}/efisys_noprompt.bin" "${EFI_BOOT}/cdboot_noprompt.efi"

        rm "${EFI_BOOT}/efisys.bin" "${EFI_BOOT}/cdboot.efi"

        mv "${EFI_BOOT}/efisys_noprompt.bin" "${EFI_BOOT}/efisys.bin"
        mv "${EFI_BOOT}/cdboot_noprompt.efi" "${EFI_BOOT}/cdboot.efi"
      env:
        - name: "LIBGUESTFS_BACKEND"
          value: "direct"
        - name: "HOME"
          value: "/usr/local/lib/guestfs/appliance"
      resources:
        limits:
          devices.kubevirt.io/kvm: '1'
        requests:
          devices.kubevirt.io/kvm: '1'
      volumeMounts:
        - mountPath: /tmp/target-pvc/
          name: target-pvc
        - mountPath: /tmp/extracted-iso-files/
          name: extracted-iso-files
    - name: create-iso-file
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - "ALL"
      image: "quay.io/kubevirt/tekton-task-modify-data-object:v0.13.2"
      script: |
        #!/bin/bash
        set -ex
        export ISO_FILES_PATH="/tmp/extracted-iso-files"
        export ISO_FILE_PATH="/tmp/iso-file/disk.iso"

        xorriso -as mkisofs -no-emul-boot \
            -e "efi/microsoft/boot/efisys.bin" \
            -boot-load-size 1 \
            -iso-level 4 \
            -J -l -D -N \
            -joliet-long \
            -relaxed-filenames \
            -V "WINDOWS" \
            -o ${ISO_FILE_PATH} ${ISO_FILES_PATH}
      volumeMounts:
        - mountPath: /tmp/extracted-iso-files/
          name: extracted-iso-files
        - mountPath: /tmp/iso-file/
          name: iso-file
    - name: convert-iso-file
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - "ALL"
      image: "quay.io/kubevirt/tekton-task-disk-virt-customize:v0.13.2"
      script: |
        #!/bin/bash
        set -x
        export ISO_FILE_PATH="/tmp/iso-file/disk.iso"
        export TARGET_IMG_FILE_PATH="/tmp/target-pvc/disk.img"

        rm ${TARGET_IMG_FILE_PATH}
        qemu-img convert -t writeback -p -O raw ${ISO_FILE_PATH} ${TARGET_IMG_FILE_PATH}
      volumeMounts:
        - mountPath: /tmp/target-pvc/
          name: target-pvc
        - mountPath: /tmp/iso-file/
          name: iso-file
  volumes:
    - name: target-pvc
      persistentVolumeClaim:
        claimName: "$(params.pvcName)"
    - name: extracted-iso-files
      emptyDir:
        sizeLimit: 7Gi
    - name: iso-file
      emptyDir:
        sizeLimit: 7Gi
---
apiVersion: tekton.dev/v1beta1
kind: ClusterTask
metadata:
  annotations:
    task.kubevirt.io/associatedServiceAccount: wait-for-vmi-status-task
    vmiNamespace.params.task.kubevirt.io/type: namespace
  labels:
    task.kubevirt.io/type: wait-for-vmi-status
    task.kubevirt.io/category: wait-for-vmi-status
  name: wait-for-vmi-status
spec:
  params:
    - name: vmiName
      description: Name of a VirtualMachineInstance to wait for.
      type: string
    - name: vmiNamespace
      description: Namespace of a VirtualMachineInstance to wait for. (defaults to manifest namespace or active namespace)
      default: ""
      type: string
    - name: successCondition
      default: ""
      description: A label selector expression to decide if the VirtualMachineInstance (VMI) is in a success state. Eg. "status.phase == Succeeded". It is evaluated on each VMI update and will result in this task succeeding if true.
    - name: failureCondition
      default: ""
      description: A label selector expression to decide if the VirtualMachineInstance (VMI) is in a failed state. Eg. "status.phase in (Failed, Unknown)". It is evaluated on each VMI update and will result in this task failing if true.
  steps:
    - name: wait-for-vmi-status
      image: "quay.io/kubevirt/tekton-task-wait-for-vmi-status:v0.13.2"
      command:
        - entrypoint
      env:
        - name: VMI_NAME
          value: $(params.vmiName)
        - name: VMI_NAMESPACE
          value: $(params.vmiNamespace)
        - name: SUCCESS_CONDITION
          value: $(params.successCondition)
        - name: FAILURE_CONDITION
          value: $(params.failureCondition)

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: wait-for-vmi-status-task
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - kubevirt.io
    resources:
      - virtualmachineinstances

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wait-for-vmi-status-task

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wait-for-vmi-status-task
roleRef:
  kind: ClusterRole
  name: wait-for-vmi-status-task
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: wait-for-vmi-status-task