Manifest Reference

Detailed reference for all 12 Kubernetes manifest templates generated by the golden path skeleton.

Manifest Overview

All manifests are Nunjucks templates stored in skeleton/manifests/. They are rendered by the Backstage scaffolder with the parameter values provided in the wizard. Some manifests are conditionally included based on feature toggles.

File                   Kind             API Version                      Condition
virtualmachine.yaml    VirtualMachine   kubevirt.io/v1                   Always
cloudinit-secret.yaml  Secret           v1                               Always
ssh-secret.yaml        Secret           v1                               Always
service.yaml           Service          v1                               Always
route.yaml             Route            route.openshift.io/v1            enableConnectivityLink
gateway.yaml           Gateway          gateway.networking.k8s.io/v1     enableConnectivityLink
httproute.yaml         HTTPRoute        gateway.networking.k8s.io/v1     enableConnectivityLink
authpolicy.yaml        AuthPolicy       kuadrant.io/v1                   enableConnectivityLink && authModel != none
ratelimitpolicy.yaml   RateLimitPolicy  kuadrant.io/v1                   enableConnectivityLink && rateLimitPerMinute > 0 && authModel != apikey
planpolicy.yaml        PlanPolicy       extensions.kuadrant.io/v1alpha1  enableConnectivityLink && authModel == apikey
apiproduct.yaml        APIProduct       devportal.kuadrant.io/v1alpha1   enableConnectivityLink && authModel == apikey
apikey-secret.yaml     Secret           v1                               enableConnectivityLink && authModel == apikey

Core Manifests

virtualmachine.yaml

The primary resource. Defines the KubeVirt VirtualMachine CR with:

The dataVolumeTemplates section provisions the root disk from either a traditional registry image (registry) or a bootc image, both pulled via CDI's registry source with pullMethod: node.

spec:
  runStrategy: Always
  template:
    spec:
      domain:
        cpu:
          cores: 2
          sockets: 1
          threads: 1
        memory:
          guest: 4Gi
        devices:
          disks:
            - name: rootdisk
              disk:
                bus: virtio
            - name: cloudinit
              disk:
                bus: virtio

cloudinit-secret.yaml

Contains the #cloud-config user-data for guest initialization. Configures:

ssh-secret.yaml

Stores the user's SSH public key as a Kubernetes Secret. Referenced by the cloud-init configuration for the cloud-user account.

service.yaml

A ClusterIP Service that selects the VM pod via kubevirt.io/domain: <vmName>. Exposes:

Connectivity Link Manifests

gateway.yaml

Creates an Istio-backed Gateway with a single HTTP listener on port 8080. The annotation networking.istio.io/service-type: ClusterIP ensures the Service in front of the Istio ingress pods is of type ClusterIP, since traffic enters via the OpenShift Route.

httproute.yaml

Defines an HTTPRoute attached to the Gateway. Matches requests by path prefix and forwards them to the VM Service on port 8080.

route.yaml

An OpenShift Route that exposes the Istio gateway service (<vmName>-gateway-istio) externally with TLS edge termination and HTTPS redirect.

authpolicy.yaml

A Kuadrant AuthPolicy targeting the HTTPRoute. Supports two authentication modes:

ratelimitpolicy.yaml

Global rate limiting via Limitador. Enforces a per-minute request limit on the HTTPRoute. Only created when rateLimitPerMinute is greater than 0 and authModel is not apikey (API Key mode uses PlanPolicy instead).

planpolicy.yaml

Tiered rate limiting for the API Key model. Defines three plans (free, basic, pro) with different daily and per-minute limits. Plan selection is based on the secret.kuadrant.io/plan-id annotation on the API Key Secret.

apiproduct.yaml

Registers the VM service as an API Product in the Kuadrant Dev Portal. Configures automatic approval, published status, and links to the Gitea repository for documentation.

apikey-secret.yaml

A demo API Key Secret with the basic plan. The key value is <vmName>-demo-key. Labeled for Authorino discovery:

labels:
  kuadrant.io/apikey: "true"
  authorino.kuadrant.io/managed-by: authorino
  secret.kuadrant.io/plan-id: basic

Conditional Rendering Logic

  All VMs
    │
    ├── virtualmachine.yaml     (always)
    ├── cloudinit-secret.yaml   (always)
    ├── ssh-secret.yaml         (always)
    └── service.yaml            (always)
         │
         └── enableConnectivityLink?
              │
              ├── YES ─┬── gateway.yaml
              │        ├── httproute.yaml
              │        ├── route.yaml
              │        │
              │        └── authModel?
              │             │
              │             ├── "none" ─── ratelimitpolicy.yaml
              │             │              (if rateLimitPerMinute > 0)
              │             │
              │             ├── "oidc" ─── authpolicy.yaml (JWT)
              │             │              ratelimitpolicy.yaml
              │             │              (if rateLimitPerMinute > 0)
              │             │
              │             └── "apikey" ── authpolicy.yaml (API Key)
              │                             planpolicy.yaml
              │                             apiproduct.yaml
              │                             apikey-secret.yaml
              │
              └── NO ──── (no additional manifests)
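
The decision tree above, written as a check that can run against a rendered output directory listing before it is committed. This is an added example, not code from the skeleton: the helper names and parameter defaults are assumptions, while the parameter names and file names are the ones this page uses.

```javascript
// Added example; helper names are hypothetical, parameter names come from the page.
const ALWAYS = ["virtualmachine.yaml", "cloudinit-secret.yaml", "ssh-secret.yaml", "service.yaml"];

// Mirrors the Condition column of the manifest table. Defaults are assumptions.
function expectedManifests({ enableConnectivityLink = false, authModel = "none", rateLimitPerMinute = 0 } = {}) {
  const files = [...ALWAYS];
  if (!enableConnectivityLink) return files;
  files.push("route.yaml", "gateway.yaml", "httproute.yaml");
  if (authModel !== "none") files.push("authpolicy.yaml");
  if (rateLimitPerMinute > 0 && authModel !== "apikey") files.push("ratelimitpolicy.yaml");
  if (authModel === "apikey") files.push("planpolicy.yaml", "apiproduct.yaml", "apikey-secret.yaml");
  return files;
}

// Compares a rendered file listing with the expectation and collects review findings.
function reviewRender(params, renderedFiles) {
  const expected = expectedManifests(params);
  const findings = [];
  if (params.enableConnectivityLink) {
    if (!expected.includes("authpolicy.yaml"))
      findings.push("route.yaml exposes the gateway externally but no AuthPolicy is rendered");
    if (!expected.includes("ratelimitpolicy.yaml") && !expected.includes("planpolicy.yaml"))
      findings.push("neither RateLimitPolicy nor PlanPolicy is rendered, so the skeleton applies no rate limit");
    if (expected.includes("apikey-secret.yaml"))
      findings.push("apikey-secret.yaml holds the demo key <vmName>-demo-key, derived from the VM name");
  }
  return {
    missing: expected.filter((f) => !renderedFiles.includes(f)),
    unexpected: renderedFiles.filter((f) => !expected.includes(f)),
    findings,
  };
}

// Constructed sample: an unauthenticated VM whose render wrongly contains an AuthPolicy.
const sample = reviewRender(
  { enableConnectivityLink: true, authModel: "none", rateLimitPerMinute: 0 },
  [...ALWAYS, "route.yaml", "gateway.yaml", "httproute.yaml", "authpolicy.yaml"]
);
console.log(JSON.stringify(sample, null, 2));
```
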