Use hypervisor CRD for filtering (#441)

## Background

For virtual machines spawned on the kvm hypervisor, we want to no longer
use nova and placement as source of truth. Instead, filters should use
the hypervisor crd exposed by the [hypervisor
operator](github.com/cobaltcore-dev/openstack-hypervisor-operator) and
populated by the [node
agent](https://github.com/cobaltcore-dev/kvm-node-agent). This
contribution replaces the implementation of all filters that were
originally ported from nova accordingly. Afterward, we can disable
filters in nova one-by-one, moving the compute placement logic over to
cortex.

> [!TIP]
> You can use the newly added [mirror
tool](93fdcc0)
to mirror hypervisor resources from our compute cluster over to the
local cluster.

## Completion

- [x]
~internal/scheduling/decisions/nova/plugins/filters/filter_compute_capabilities.go~
(REMOVED)
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_capabilities.go
(NEW)
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_correct_az.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_external_customer.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_has_accelerators.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_has_enough_capacity.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_has_requested_traits.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_host_instructions.go
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_maintenance.go
(NEW)
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_packed_virtqueue.go
- [x]
~internal/scheduling/decisions/nova/plugins/filters/filter_project_aggregates.go~
(REMOVED)
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_allowed_projects.go
(NEW)
- [x]
~internal/scheduling/decisions/nova/plugins/filters/filter_disabled.go~
(REMOVED)
- [x]
internal/scheduling/decisions/nova/plugins/filters/filter_status_conditions.go
(NEW)

## Dependencies

> [!NOTE]
> The scope of this PR is to establish a minimum viable scheduling
pipeline with the current state. Extensive refactorings, for example of
the filter for requested traits, are out of scope.

Hypervisor operator PR:
cobaltcore-dev/openstack-hypervisor-operator#217
KVM node agent PR:
cobaltcore-dev/kvm-node-agent#40

Author: PhilippMatthes

api/v1alpha1/step_types.go

@@ -60,18 +60,6 @@ type StepSpec struct {
 	// and decisions made by it.
 	// +kubebuilder:validation:Optional
 	Description string `json:"description,omitempty"`
-
-	// If needed, database credentials for fetching data from the database.
-	// The secret should contain the following keys:
-	// - "username": The database username.
-	// - "password": The database password.
-	// - "host": The database host.
-	// - "port": The database port.
-	// - "database": The database name.
-	// Note: this field will be removed in the future when db access in scheduler
-	// steps is no longer needed.
-	// +kubebuilder:validation:Optional
-	DatabaseSecretRef *corev1.SecretReference `json:"databaseSecretRef"`
 }
 
 const (

api/v1alpha1/zz_generated.deepcopy.go

@@ -59,6 +59,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/pkg/monitoring"
 	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"github.com/cobaltcore-dev/cortex/pkg/task"
+	hv1 "github.com/cobaltcore-dev/openstack-hypervisor-operator/api/v1"
 	"github.com/sapcc/go-bits/httpext"
 	"github.com/sapcc/go-bits/must"
 	corev1 "k8s.io/api/core/v1"
@@ -76,6 +77,7 @@ func init() {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(ironcorev1alpha1.AddToScheme(scheme))
 	utilruntime.Must(corev1.AddToScheme(scheme))
+	utilruntime.Must(hv1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 

cmd/main.go

@@ -55,28 +55,6 @@ spec:
           spec:
             description: spec defines the desired state of Step
             properties:
-              databaseSecretRef:
-                description: |-
-                  If needed, database credentials for fetching data from the database.
-                  The secret should contain the following keys:
-                  - "username": The database username.
-                  - "password": The database password.
-                  - "host": The database host.
-                  - "port": The database port.
-                  - "database": The database name.
-                  Note: this field will be removed in the future when db access in scheduler
-                  steps is no longer needed.
-                properties:
-                  name:
-                    description: name is unique within a namespace to reference a
-                      secret resource.
-                    type: string
-                  namespace:
-                    description: namespace defines the space within which the secret
-                      name must be unique.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               description:
                 description: |-
                   Additional description of the step which helps understand its purpose

config/crd/bases/cortex.cloud_steps.yaml

@@ -55,28 +55,6 @@ spec:
           spec:
             description: spec defines the desired state of Step
             properties:
-              databaseSecretRef:
-                description: |-
-                  If needed, database credentials for fetching data from the database.
-                  The secret should contain the following keys:
-                  - "username": The database username.
-                  - "password": The database password.
-                  - "host": The database host.
-                  - "port": The database port.
-                  - "database": The database name.
-                  Note: this field will be removed in the future when db access in scheduler
-                  steps is no longer needed.
-                properties:
-                  name:
-                    description: name is unique within a namespace to reference a
-                      secret resource.
-                    type: string
-                  namespace:
-                    description: namespace defines the space within which the secret
-                      name must be unique.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               description:
                 description: |-
                   Additional description of the step which helps understand its purpose

config/crd/cortex.cloud_steps.yaml

@@ -61,28 +61,6 @@ spec:
           spec:
             description: spec defines the desired state of Step
             properties:
-              databaseSecretRef:
-                description: |-
-                  If needed, database credentials for fetching data from the database.
-                  The secret should contain the following keys:
-                  - "username": The database username.
-                  - "password": The database password.
-                  - "host": The database host.
-                  - "port": The database port.
-                  - "database": The database name.
-                  Note: this field will be removed in the future when db access in scheduler
-                  steps is no longer needed.
-                properties:
-                  name:
-                    description: name is unique within a namespace to reference a
-                      secret resource.
-                    type: string
-                  namespace:
-                    description: namespace defines the space within which the secret
-                      name must be unique.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               description:
                 description: |-
                   Additional description of the step which helps understand its purpose

dist/chart/templates/crd/cortex.cloud_steps.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.rbac.hypervisor.enable }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: {{ .Values.namePrefix }}-manager-role-hypervisor
+rules:
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kvm.cloud.sap
+  resources:
+  - hypervisors/status
+  verbs:
+  - get
+{{- end -}}

dist/chart/templates/rbac/hypervisor_role.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.hypervisor.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: {{ .Values.namePrefix }}-manager-rolebinding-hypervisor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.namePrefix }}-manager-role-hypervisor
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.namePrefix }}-{{ .Values.controllerManager.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}

dist/chart/templates/rbac/hypervisor_role_binding.yaml

@@ -55,6 +55,10 @@ rbac:
     enable: false
   pods:
     enable: false
+  # Whether hypervisor operator/crd related roles should be deployed.
+  # See: https://github.com/cobaltcore-dev/openstack-hypervisor-operator
+  hypervisor:
+    enable: false
 
 # [CRDs]: To enable the CRDs
 crd:

dist/chart/values.yaml

@@ -3,6 +3,7 @@ module github.com/cobaltcore-dev/cortex
 go 1.25.0
 
 require (
+	github.com/cobaltcore-dev/openstack-hypervisor-operator v0.0.0-20251230105055-37950dd7ff29
 	github.com/go-gorp/gorp v2.2.0+incompatible
 	github.com/gophercloud/gophercloud/v2 v2.9.0
 	github.com/ironcore-dev/ironcore v0.2.4
@@ -20,27 +21,28 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.2 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-migrate/migrate/v4 v4.19.1 // indirect
 	github.com/google/btree v1.1.3 // indirect
@@ -49,7 +51,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -73,21 +75,21 @@ require (
 	github.com/sapcc/go-api-declarations v1.18.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.9 // indirect
-	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
@@ -101,8 +103,8 @@ require (
 	golang.org/x/time v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
-	google.golang.org/grpc v1.75.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -117,6 +119,6 @@ require (
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )