Backport MTV-1354, MTV-1353, MTV-1377 to 2.6.6

pkg/controller/plan/kubevirt.go

@@ -24,6 +24,7 @@ import (
 	"github.com/openshift/library-go/pkg/template/templateprocessing"
 	batch "k8s.io/api/batch/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -1639,6 +1640,30 @@ func (r *KubeVirt) guestConversionPod(vm *plan.VMStatus, vmVolumes []cnv.Volume,
 					Type: core.SeccompProfileTypeRuntimeDefault,
 				},
 			},
+			Affinity: &core.Affinity{
+				PodAntiAffinity: &core.PodAntiAffinity{
+					PreferredDuringSchedulingIgnoredDuringExecution: []core.WeightedPodAffinityTerm{
+						{
+							Weight: 100,
+							PodAffinityTerm: core.PodAffinityTerm{
+								NamespaceSelector: &metav1.LabelSelector{},
+								TopologyKey:       "kubernetes.io/hostname",
+								LabelSelector: &metav1.LabelSelector{
+									MatchExpressions: []metav1.LabelSelectorRequirement{
+										{
+											Key: kApp,
+											Values: []string{
+												"virt-v2v",
+											},
+											Operator: metav1.LabelSelectorOpIn,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			RestartPolicy:  core.RestartPolicyNever,
 			InitContainers: initContainers,
 			Containers: []core.Container{

pkg/controller/plan/migration.go

@@ -1133,7 +1133,7 @@ func (r *Migration) execute(vm *plan.VMStatus) (err error) {
 				return err
 			}
 
-			if pod.Status.Phase != core.PodSucceeded {
+			if pod != nil && pod.Status.Phase != core.PodSucceeded {
 				err := r.kubevirt.UpdateVmByConvertedConfig(vm, pod, step)
 				if err != nil {
 					return err

pkg/controller/provider/web/base/auth.go

@@ -39,70 +39,63 @@ type Auth struct {
 }
 
 // Authenticate token.
-func (r *Auth) Permit(ctx *gin.Context, p *api.Provider) (status int, err error) {
+func (r *Auth) Permit(ctx *gin.Context, p *api.Provider) (int, error) {
 	r.mutex.Lock()
 	ns := ""
 	defer r.mutex.Unlock()
-	status = http.StatusOK
 	if r.cache == nil {
 		r.cache = make(map[string]time.Time)
 	}
 	r.prune()
 	token := r.token(ctx)
 	if token == "" {
-		status = http.StatusUnauthorized
-		return
+		return http.StatusUnauthorized, nil
 	}
 	key := r.key(token, p)
 	if t, found := r.cache[key]; found {
 		if time.Since(t) <= r.TTL {
-			return
+			return http.StatusOK, nil
 		}
 	}
 	if p.ObjectMeta.UID == "" {
 		q := ctx.Request.URL.Query()
 		ns = q.Get(NsParam)
 	}
-	allowed, err := r.permit(token, ns, p)
-	if allowed && err != nil {
+	status, err := r.permit(token, ns, p)
+	if err != nil {
 		log.Error(err, "Authorization failed.")
-		status = http.StatusInternalServerError
-		return
+		return status, err
 	}
-	if allowed {
+	if status == http.StatusOK {
 		r.cache[key] = time.Now()
+		return http.StatusOK, nil
 	} else {
-		status = http.StatusForbidden
 		delete(r.cache, token)
 		log.Info(
 			http.StatusText(status),
 			"token",
 			token)
+		return status, nil
 	}
-
-	return
 }
 
 // Authenticate token.
-func (r *Auth) permit(token string, ns string, p *api.Provider) (allowed bool, err error) {
-	allowed = true
+func (r *Auth) permit(token string, ns string, p *api.Provider) (int, error) {
 	tr := &auth.TokenReview{
 		Spec: auth.TokenReviewSpec{
 			Token: token,
 		},
 	}
 	w, err := r.writer()
 	if err != nil {
-		err = liberr.Wrap(err)
-		return
+		return http.StatusInternalServerError, liberr.Wrap(err)
 	}
 	err = w.Create(context.TODO(), tr)
 	if err != nil {
-		err = liberr.Wrap(err)
-		return
+		return http.StatusInternalServerError, liberr.Wrap(err)
 	}
 	if !tr.Status.Authenticated {
-		return
+		return http.StatusUnauthorized, nil
 	}
 	user := tr.Status.User
 	extra := map[string]auth2.ExtraValue{}
@@ -115,8 +108,7 @@ func (r *Auth) permit(token string, ns string, p *api.Provider) (allowed bool, e
 	// only if they have permissions for list/get 'providers' in the K8s API
 	group, resource, err := api.GetGroupResource(p)
 	if err != nil {
-		err = liberr.Wrap(err)
-		return
+		return http.StatusInternalServerError, liberr.Wrap(err)
 	}
 	var verb, namespace string
 	if p.ObjectMeta.UID != "" {
@@ -143,19 +135,19 @@ func (r *Auth) permit(token string, ns string, p *api.Provider) (allowed bool, e
 	}
 	err = w.Create(context.TODO(), review)
 	if err != nil {
-		err = liberr.Wrap(err)
-		return
+		return http.StatusInternalServerError, liberr.Wrap(err)
 	}
 
-	if allowed = review.Status.Allowed; !allowed {
+	if !review.Status.Allowed {
 		groupResource := &schema.GroupResource{
 			Resource: resource,
 			Group:    group,
 		}
 		err = fmt.Errorf("%s is forbidden: User %q cannot %s resource %q in API group %q in the namespace %q",
 			groupResource, user.Username, verb, resource, group, namespace)
+		return http.StatusForbidden, liberr.Wrap(err)
 	}
-	return
+	return http.StatusOK, nil
 }
 
 // Extract token.