
feat: add KubeVirt and CDI for VM-based workloads#1496

Draft
devantler wants to merge 1 commit into main from devantler/add-kubevirt

Conversation

@devantler
Contributor

Summary

Adds KubeVirt (v1.8.0) and CDI (v1.65.0) to the platform for running VMs alongside containers. This enables the dev cluster and E2E testing of ksail's Omni provider.

What changed

KubeVirt operator + CR

  • Vendored kubevirt-operator.yaml from v1.8.0 release
  • KubeVirt CR with base configuration (no emulation by default)
  • Namespace kubevirt with privileged pod-security labels

CDI (Containerized Data Importer) operator + CR

  • Vendored cdi-operator.yaml from v1.65.0 release
  • CDI CR with default configuration
  • Namespace cdi with privileged pod-security labels

Provider-specific configuration

  • Docker (local): useEmulation: true patch — QEMU software emulation (no hardware KVM in Docker containers)
  • Hetzner (prod): Talos worker patch to load kvm + kvm_intel kernel modules for native KVM acceleration

Design decisions

  • Vendored manifests instead of Helm charts — KubeVirt has no official Helm chart. The operator manifests are release assets (not in the git tree), so Flux GitRepository sources aren't viable either. Vendoring keeps things simple and compatible with the existing Flux pipeline.
  • Pod-security labels added via kustomize patches on the vendored namespace definitions, matching the platform convention (privileged + enforce-version: latest).
  • Kernel modules only on Hetzner workers — control planes don't run VM workloads, and Docker nodes don't have real KVM.

How to update versions

# KubeVirt
curl -sSL -o k8s/bases/infrastructure/controllers/kubevirt/kubevirt-operator.yaml \
  https://github.com/kubevirt/kubevirt/releases/download/vX.Y.Z/kubevirt-operator.yaml

# CDI
curl -sSL -o k8s/bases/infrastructure/controllers/cdi/cdi-operator.yaml \
  https://github.com/kubevirt/containerized-data-importer/releases/download/vX.Y.Z/cdi-operator.yaml

Validation

  • kubectl kustomize k8s/clusters/local/ — passes
  • kubectl kustomize k8s/clusters/prod/ — passes
  • ✅ Docker provider: KubeVirt CR includes useEmulation: true
  • ✅ Hetzner provider: KubeVirt CR does NOT include useEmulation
  • ✅ Both namespaces have correct pod-security labels
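Added example (not the PR's or the project's own code): the Validation bullets above turned into a script that can gate CI without a cluster. It assumes the overlay has already been rendered to a file (for example `kubectl kustomize k8s/clusters/local/ > local.yaml`), that the KubeVirt CR carries `useEmulation` under `spec.configuration.developerConfiguration`, and uses only POSIX sh, awk and grep; the function names and the embedded sample render are constructed for this example.

```shell
# Added example (not from the PR): its "Validation" bullets as a script over a rendered overlay.
# Print the YAML documents of one kind (optionally also one metadata.name); kustomize separates documents with "---".
doc_of_kind() { # $1=file $2=kind $3=name (optional)
  awk -v want_kind="$2" -v want_name="${3:-}" '
    function flush() { if (k && (want_name == "" || n)) printf "%s", buf; buf = ""; k = n = 0 }
    /^---/ { flush(); next }; { buf = buf $0 "\n" }
    $1 == "kind:" && $2 == want_kind { k = 1 }; $1 == "name:" && $2 == want_name { n = 1 }
    END { flush() }' "$1"
}
# Print the useEmulation value from the KubeVirt CR, or nothing when the key is absent.
kubevirt_emulation_setting() {
  doc_of_kind "$1" KubeVirt | awk '$1 == "useEmulation:" { print $2; exit }'
}
# Succeed only if the namespace carries both labels the platform convention requires.
namespace_is_privileged() { # $1=file $2=namespace
  doc_of_kind "$1" Namespace "$2" | grep -q 'pod-security.kubernetes.io/enforce: privileged' &&
    doc_of_kind "$1" Namespace "$2" | grep -q 'pod-security.kubernetes.io/enforce-version: latest'
}
# Provider expectations: $2 is "true" for the Docker overlay and "" (key absent) for Hetzner.
check_render() { # $1=rendered manifest $2=expected useEmulation value
  rc=0
  [ "$(kubevirt_emulation_setting "$1")" = "$2" ] || { echo "FAIL: useEmulation is '$(kubevirt_emulation_setting "$1")', expected '$2'"; rc=1; }
  for ns in kubevirt cdi; do
    namespace_is_privileged "$1" "$ns" || { echo "FAIL: namespace $ns lacks privileged pod-security labels"; rc=1; }
  done
  return $rc
}
# Constructed sample (hand-written, not real kustomize output) so the script runs stand-alone.
SAMPLE=$(mktemp); cat > "$SAMPLE" <<'EOF'
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
  name: kubevirt
---
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
  name: cdi
---
kind: KubeVirt
spec:
  configuration:
    developerConfiguration:
      useEmulation: true
EOF
check_render "$SAMPLE" true && echo "Docker render OK"
```

Run it against the real render of each overlay with the provider's expected value; any FAIL line is a drift from the PR's stated invariants.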

Deploy KubeVirt (v1.8.0) and CDI (v1.65.0) as vendored operator
manifests in the infrastructure-controllers layer.

- KubeVirt operator + CR in k8s/bases/infrastructure/controllers/kubevirt/
- CDI operator + CR in k8s/bases/infrastructure/controllers/cdi/
- Docker provider: useEmulation: true (QEMU software emulation, no KVM)
- Hetzner workers: kvm + kvm_intel kernel modules via Talos patch
- Pod-security labels added to both namespaces (privileged + enforce-version)

KubeVirt has no official Helm chart, so the operator manifests are
vendored from the GitHub release assets. Update by re-downloading
from the release page and committing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Adds KubeVirt and CDI to the platform GitOps repo so clusters can run VM-based workloads (enabling VM-capable local/dev clusters and E2E testing for ksail’s Omni provider).

Changes:

  • Adds vendored KubeVirt (v1.8.0) and CDI (v1.65.0) operator manifests plus their corresponding CRs under k8s/bases/infrastructure/controllers/.
  • Adds Docker-provider override to enable KubeVirt software emulation (useEmulation: true) for environments without KVM.
  • Adds a Talos worker patch to load KVM kernel modules on Hetzner workers for hardware acceleration.

Reviewed changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| talos/workers/kubevirt.yaml | Loads KVM kernel modules on Talos worker nodes for KubeVirt acceleration on Hetzner. |
| k8s/providers/docker/infrastructure/controllers/kustomization.yaml | Applies a Docker-provider Kustomize patch to the KubeVirt CR. |
| k8s/providers/docker/infrastructure/controllers/kubevirt/patches/kubevirt-cr-patch.yaml | Enables useEmulation: true for KubeVirt on Docker-based clusters. |
| k8s/bases/infrastructure/controllers/kustomization.yaml | Registers CDI and KubeVirt controller components in the shared controllers base. |
| k8s/bases/infrastructure/controllers/kubevirt/kustomization.yaml | Wires KubeVirt operator + CR and patches Pod Security enforce-version label. |
| k8s/bases/infrastructure/controllers/kubevirt/kubevirt-cr.yaml | Adds the base KubeVirt custom resource instance. |
| k8s/bases/infrastructure/controllers/cdi/kustomization.yaml | Wires CDI operator + CR and patches Pod Security enforce/enforce-version labels. |
| k8s/bases/infrastructure/controllers/cdi/cdi-operator.yaml | Vendored CDI operator release manifest (CRDs/RBAC/Deployments, etc.). |
| k8s/bases/infrastructure/controllers/cdi/cdi-cr.yaml | Adds the CDI custom resource instance. |

kind: CDI
metadata:
  name: cdi
  namespace: cdi