From 666de867efef15c53cf31f734347e29d0e0c35ed Mon Sep 17 00:00:00 2001 From: adrianc Date: Thu, 27 Jun 2024 17:43:13 +0300 Subject: [PATCH] Update NFD version to v0.15.4 Signed-off-by: adrianc --- deployment/network-operator/Chart.yaml | 2 +- .../charts/node-feature-discovery/Chart.yaml | 4 +- .../charts/node-feature-discovery/README.md | 2 +- .../crds/nfd-api-crds.yaml | 111 ++++++++++++++---- .../templates/_helpers.tpl | 10 +- .../templates/cert-manager-certs.yaml | 7 +- .../templates/clusterrole.yaml | 30 ++++- .../templates/clusterrolebinding.yaml | 12 +- .../templates/master.yaml | 52 ++++---- .../{topology-gc.yaml => nfd-gc.yaml} | 49 +++++--- .../templates/nfd-master-conf.yaml | 2 + .../templates/nfd-worker-conf.yaml | 2 + .../templates/prometheus.yaml | 26 ++++ .../templates/role.yaml | 3 +- .../templates/rolebinding.yaml | 3 +- .../templates/service.yaml | 2 + .../templates/serviceaccount.yaml | 12 +- .../templates/topologyupdater.yaml | 16 ++- .../templates/worker.yaml | 26 +++- .../charts/node-feature-discovery/values.yaml | 82 ++++++++++--- deployment/network-operator/values.yaml | 21 ++-- hack/templates/values/values.template | 21 ++-- 22 files changed, 362 insertions(+), 133 deletions(-) rename deployment/network-operator/charts/node-feature-discovery/templates/{topology-gc.yaml => nfd-gc.yaml} (50%) create mode 100644 deployment/network-operator/charts/node-feature-discovery/templates/prometheus.yaml diff --git a/deployment/network-operator/Chart.yaml b/deployment/network-operator/Chart.yaml index c755fad9..8263ac95 100644 --- a/deployment/network-operator/Chart.yaml +++ b/deployment/network-operator/Chart.yaml @@ -15,7 +15,7 @@ dependencies: - condition: nfd.enabled name: node-feature-discovery repository: http://kubernetes-sigs.github.io/node-feature-discovery/charts - version: 0.13.2 + version: 0.15.4 - condition: sriovNetworkOperator.enabled name: sriov-network-operator repository: '' 
diff --git a/deployment/network-operator/charts/node-feature-discovery/Chart.yaml b/deployment/network-operator/charts/node-feature-discovery/Chart.yaml index 40bc42c0..a57e62ed 100644 --- a/deployment/network-operator/charts/node-feature-discovery/Chart.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v0.13.2 +appVersion: v0.15.4 description: 'Detects hardware features available on each node in a Kubernetes cluster, and advertises those features using node labels. ' home: https://github.com/kubernetes-sigs/node-feature-discovery @@ -11,4 +11,4 @@ name: node-feature-discovery sources: - https://github.com/kubernetes-sigs/node-feature-discovery type: application -version: 0.13.2 +version: 0.15.4 diff --git a/deployment/network-operator/charts/node-feature-discovery/README.md b/deployment/network-operator/charts/node-feature-discovery/README.md index 628ac6a3..b8b7d90c 100644 --- a/deployment/network-operator/charts/node-feature-discovery/README.md +++ b/deployment/network-operator/charts/node-feature-discovery/README.md @@ -6,5 +6,5 @@ labels. NFD provides flexible configuration and extension points for a wide range of vendor and application specific node labeling needs. See -[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.13/deployment/helm.html) +[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.15/deployment/helm.html) for deployment instructions. diff --git a/deployment/network-operator/charts/node-feature-discovery/crds/nfd-api-crds.yaml b/deployment/network-operator/charts/node-feature-discovery/crds/nfd-api-crds.yaml index 775536f2..4e630416 100644 --- a/deployment/network-operator/charts/node-feature-discovery/crds/nfd-api-crds.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/crds/nfd-api-crds.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: nodefeatures.nfd.k8s-sigs.io spec: group: nfd.k8s-sigs.io @@ -114,8 +113,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.1 name: nodefeaturerules.nfd.k8s-sigs.io spec: group: nfd.k8s-sigs.io @@ -155,6 +153,11 @@ spec: description: Rule defines a rule for node customization such as labeling. properties: + annotations: + additionalProperties: + type: string + description: Annotations to create if the rule matches. + type: object extendedResources: additionalProperties: type: string @@ -187,19 +190,16 @@ spec: in the feature set. properties: feature: + description: Feature is the name of the feature + set to match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression + description: MatchExpression specifies an expression to evaluate against a set of input values. It contains an operator that is applied when matching the input and an array of values that the operator - evaluates the input against. \n NB: CreateMatchExpression - or MustCreateMatchExpression() should be used - for creating new instances. \n NB: Validate() - must be called if Op or Value fields are modified - or if a new instance is created from scratch - without using the helper functions." + evaluates the input against. properties: op: description: Op is the operator to be applied. 
@@ -231,13 +231,46 @@ spec: required: - op type: object - description: MatchExpressionSet contains a set of - MatchExpressions, each of which is evaluated against - a set of input values. + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the + value of the specified elements. + type: object + matchName: + description: MatchName in an expression that is + matched against the name of each element in the + feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. Value + should be empty if the operator is Exists, + DoesNotExist, IsTrue or IsFalse. Value should + contain exactly one element if the operator + is Gt or Lt and exactly two elements if the + operator is GtLt. In other cases Value should + contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array required: 
@@ -253,18 +286,16 @@ spec: are evaluated against each element in the feature set. properties: feature: + description: Feature is the name of the feature set to + match against. type: string matchExpressions: additionalProperties: - description: "MatchExpression specifies an expression + description: MatchExpression specifies an expression to evaluate against a set of input values. It contains an operator that is applied when matching the input and an array of values that the operator evaluates - the input against. \n NB: CreateMatchExpression or - MustCreateMatchExpression() should be used for creating - new instances. \n NB: Validate() must be called if - Op or Value fields are modified or if a new instance - is created from scratch without using the helper functions." + the input against. properties: op: description: Op is the operator to be applied. 
@@ -294,12 +325,44 @@ spec: required: - op type: object - description: MatchExpressionSet contains a set of MatchExpressions, - each of which is evaluated against a set of input values. + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the value + of the specified elements. + type: object + matchName: + description: MatchName in an expression that is matched + against the name of each element in the feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other cases + Value should contain at least one element. + items: + type: string + type: array + required: + - op type: object required: - feature - - matchExpressions type: object type: array name: diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/_helpers.tpl b/deployment/network-operator/charts/node-feature-discovery/templates/_helpers.tpl index 5a0a5c97..928ece78 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/_helpers.tpl +++ b/deployment/network-operator/charts/node-feature-discovery/templates/_helpers.tpl 
@@ -96,12 +96,12 @@ Create the name of the service account which topologyUpdater will use {{- end -}} {{/* -Create the name of the service account which topologyGC will use +Create the name of the service account which nfd-gc will use */}} -{{- define "node-feature-discovery.topologyGC.serviceAccountName" -}} -{{- if .Values.topologyGC.serviceAccount.create -}} - {{ default (printf "%s-topology-gc" (include "node-feature-discovery.fullname" .)) .Values.topologyGC.serviceAccount.name }} +{{- define "node-feature-discovery.gc.serviceAccountName" -}} +{{- if .Values.gc.serviceAccount.create -}} + {{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.topologyGC.serviceAccount.name }} + {{ default "default" .Values.gc.serviceAccount.name }} {{- end -}} {{- end -}} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/cert-manager-certs.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/cert-manager-certs.yaml index ac2e51fc..8af11531 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/cert-manager-certs.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/cert-manager-certs.yaml @@ -1,4 +1,5 @@ {{- if .Values.tls.certManager }} +{{- if .Values.master.enable }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
@@ -17,14 +18,13 @@ spec: # first one is configured for use by the worker; below are for completeness - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local - # localhost needed for grpc_health_probe - - localhost issuerRef: name: nfd-ca-issuer kind: Issuer group: cert-manager.io - +{{- end }} --- +{{- if .Values.worker.enable }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -42,6 +42,7 @@ spec: name: nfd-ca-issuer kind: Issuer group: cert-manager.io +{{- end }} {{- if .Values.topologyUpdater.enable }} --- diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/clusterrole.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/clusterrole.yaml index 84b32644..e652e1df 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/clusterrole.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.rbac.create }} +{{- if and .Values.master.enable .Values.master.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -25,10 +25,25 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - "nfd-master.nfd.kubernetes.io" + verbs: + - get + - update {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
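Review bot: The new `coordination.k8s.io` `leases` rules in templates/clusterrole.yaml sit in a ClusterRole, so the `create` verb (which cannot be narrowed by `resourceNames`) lets the nfd-master service account create Lease objects in every namespace, although leader election presumably only needs one lease in the chart's own namespace. Moving the two rules to a namespaced `Role`/`RoleBinding` in `{{ include "node-feature-discovery.namespace" . }}` would keep the grant to what the feature uses; `get`/`update` are already pinned to `nfd-master.nfd.kubernetes.io`. The rules are also rendered when `enableNodeFeatureApi` is false or `master.replicaCount` is 1, cases in which the args visible in master.yaml never pass `-enable-leader-election`, so they could be wrapped in the same condition. If this chart is vendored unchanged from upstream NFD, the change may belong upstream.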
@@ -65,12 +80,12 @@ rules: - update {{- end }} +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} rules: @@ -94,4 +109,11 @@ rules: verbs: - delete - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + verbs: + - delete + - list {{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/clusterrolebinding.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/clusterrolebinding.yaml index b0a69012..99134a1c 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/clusterrolebinding.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.rbac.create }} +{{- if and .Values.master.enable .Values.master.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -15,8 +15,8 @@ subjects: namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
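Review bot: The added `nodefeatures` `delete`/`list` rule in the `-gc` ClusterRole is rendered whenever the role is, including the case where only `topologyUpdater.enable` is true and `enableNodeFeatureApi` is false. Wrapping the rule in `{{- if .Values.enableNodeFeatureApi }}` and `{{- end }}` would keep the garbage collector's cluster-wide delete right to the object kinds it actually has to clean up in the chosen mode. The rule just above it could be gated on `topologyUpdater.enable` in the same way, but its resource list is outside this hunk, so that part needs checking against the full file.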
@@ -33,20 +33,20 @@ subjects: namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc subjects: - kind: ServiceAccount - name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }} + name: {{ include "node-feature-discovery.gc.serviceAccountName" . }} namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/master.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/master.yaml index 418ac089..53a291e0 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/master.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/master.yaml @@ -1,3 +1,4 @@ +{{- if .Values.master.enable }} apiVersion: apps/v1 kind: Deployment metadata: @@ -6,8 +7,10 @@ metadata: labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} role: master + {{- with .Values.master.deploymentAnnotations }} annotations: - {{- toYaml .Values.master.deploymentAnnotations | nindent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.master.replicaCount }} selector: 
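Review bot: The subject of the `-gc` ClusterRoleBinding now comes from `node-feature-discovery.gc.serviceAccountName`, and that helper (templates/_helpers.tpl in this commit) returns `default` when `gc.serviceAccount.create` is false and no name is set. Because the binding is gated on `gc.rbac.create` and not on the service account, that combination binds the GC ClusterRole, including the new `nodefeatures` delete right, to the namespace's `default` service account, which any pod without an explicit service account runs as. A comment in values.yaml next to `gc.serviceAccount` stating that `name` must be set when `create` is false, or a `required`/`fail` guard in the helper for that case, would avoid the silent fallback. The other service-account helpers in _helpers.tpl appear to follow the same pattern, but only their tails are visible here.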
@@ -19,8 +22,10 @@ spec: labels: {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} role: master + {{- with .Values.master.annotations }} annotations: - {{- toYaml .Values.master.annotations | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -37,35 +42,21 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:{{ .Values.master.port | default "8080" }}" - {{- if .Values.tls.enable }} - - "-tls" - - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" - - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" - {{- end }} + grpc: + port: 8080 initialDelaySeconds: 10 periodSeconds: 10 readinessProbe: - exec: - command: - - "/usr/bin/grpc_health_probe" - - "-addr=:{{ .Values.master.port | default "8080" }}" - {{- if .Values.tls.enable }} - - "-tls" - - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" - - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" - {{- end }} + grpc: + port: 8080 initialDelaySeconds: 5 periodSeconds: 10 failureThreshold: 10 ports: - containerPort: {{ .Values.master.port | default "8080" }} name: grpc + - containerPort: {{ .Values.master.metricsPort | default "8081" }} + name: metrics env: - name: NODE_NAME valueFrom: 
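Review bot: Both new probes in templates/master.yaml use `grpc: port: 8080`, while the container port in the same hunk is still `{{ .Values.master.port | default "8080" }}`, so a non-default `master.port` would leave the probes checking a port nothing listens on; `port: {{ .Values.master.port | default 8080 }}` keeps them aligned (the field needs an integer). The removed `grpc_health_probe` command passed `-tls` and client certificates when `tls.enable` is set, and the built-in Kubernetes gRPC probe has no TLS or client-certificate options, so it is worth confirming that the health service still answers a plaintext probe when `tls.enable` is true. The container spec continues outside this hunk.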
@@ -79,9 +70,11 @@ spec: {{- if .Values.master.instance | empty | not }} - "-instance={{ .Values.master.instance }}" {{- end }} + {{- if not .Values.enableNodeFeatureApi }} - "-port={{ .Values.master.port | default "8080" }}" - {{- if .Values.enableNodeFeatureApi }} - - "-enable-nodefeature-api" + - "-enable-nodefeature-api=false" + {{- else if gt (int .Values.master.replicaCount) 1 }} + - "-enable-leader-election" {{- end }} {{- if .Values.master.extraLabelNs | empty | not }} - "-extra-label-ns={{- join "," .Values.master.extraLabelNs }}" @@ -99,16 +92,23 @@ spec: - "-crd-controller={{ .Values.master.crdController }}" {{- else }} ## By default, disable crd controller for other than the default instances - - "-featurerules-controller={{ .Values.master.instance | empty }}" + - "-crd-controller={{ .Values.master.instance | empty }}" {{- end }} {{- if .Values.master.featureRulesController | kindIs "invalid" | not }} - "-featurerules-controller={{ .Values.master.featureRulesController }}" {{- end }} + {{- if .Values.master.resyncPeriod }} + - "-resync-period={{ .Values.master.resyncPeriod }}" + {{- end }} + {{- if .Values.master.nfdApiParallelism | empty | not }} + - "-nfd-api-parallelism={{ .Values.master.nfdApiParallelism }}" + {{- end }} {{- if .Values.tls.enable }} - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" {{- end }} + - "-metrics={{ .Values.master.metricsPort | default "8081" }}" volumeMounts: {{- if .Values.tls.enable }} - name: nfd-master-cert @@ -130,7 +130,6 @@ spec: items: - key: nfd-master.conf path: nfd-master.conf - {{- with .Values.master.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -143,3 +142,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} 
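Review bot: The `-metrics={{ .Values.master.metricsPort | default "8081" }}` argument is added unconditionally, so nfd-master opens its metrics listener even when `prometheus.enable` is false; templates/worker.yaml and templates/topologyupdater.yaml do the same, and the new PodMonitor scrapes the port with `scheme: http`. Nothing in the visible templates limits who can reach that port, so clusters that do not scrape it still get an extra unauthenticated endpoint on the master and on every worker pod. A short comment in values.yaml next to `metricsPort`, e.g. `# served over plain HTTP regardless of prometheus.enable; restrict access with a NetworkPolicy`, would document this. In topologyupdater.yaml the argument is also the only unquoted entry (`- -metrics=…`), unlike the quoted form used here.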
diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/topology-gc.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-gc.yaml similarity index 50% rename from deployment/network-operator/charts/node-feature-discovery/templates/topology-gc.yaml rename to deployment/network-operator/charts/node-feature-discovery/templates/nfd-gc.yaml index 642fec45..1e0e1232 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/topology-gc.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-gc.yaml 
@@ -1,36 +1,42 @@ -{{- if and .Values.topologyGC.enable .Values.topologyUpdater.enable -}} +{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} - role: topology-gc + role: gc + {{- with .Values.gc.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.topologyGC.replicaCount | default 1 }} + replicas: {{ .Values.gc.replicaCount | default 1 }} selector: matchLabels: {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} - role: topology-gc + role: gc template: metadata: labels: {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} - role: topology-gc + role: gc + {{- with .Values.gc.annotations }} annotations: - {{- toYaml .Values.topologyGC.annotations | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: - serviceAccountName: {{ .Values.topologyGC.serviceAccountName | default "nfd-topology-gc" }} + serviceAccountName: {{ include "node-feature-discovery.gc.serviceAccountName" . }} dnsPolicy: ClusterFirstWithHostNet {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.topologyGC.podSecurityContext | nindent 8 }} + {{- toYaml .Values.gc.podSecurityContext | nindent 8 }} containers: - - name: topology-gc + - name: gc image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: "{{ .Values.image.pullPolicy }}" env: 
@@ -39,25 +45,32 @@ spec: fieldRef: fieldPath: spec.nodeName command: - - "nfd-topology-gc" + - "nfd-gc" args: - {{- if .Values.topologyGC.interval | empty | not }} - - "-gc-interval={{ .Values.topologyGC.interval }}" + {{- if .Values.gc.interval | empty | not }} + - "-gc-interval={{ .Values.gc.interval }}" {{- end }} resources: - {{- toYaml .Values.topologyGC.resources | nindent 12 }} + {{- toYaml .Values.gc.resources | nindent 12 }} securityContext: - {{- toYaml .Values.topologyGC.securityContext | nindent 12 }} + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + ports: + - name: metrics + containerPort: {{ .Values.gc.metricsPort | default "8081"}} - {{- with .Values.topologyGC.nodeSelector }} + {{- with .Values.gc.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.topologyGC.affinity }} + {{- with .Values.gc.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.topologyGC.tolerations }} + {{- with .Values.gc.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/nfd-master-conf.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-master-conf.yaml index c806a8e5..9c6e01cd 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/nfd-master-conf.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-master-conf.yaml @@ -1,3 +1,4 @@ +{{- if .Values.master.enable }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,3 +9,4 @@ metadata: data: nfd-master.conf: |- {{- .Values.master.config | toYaml | nindent 4 }} +{{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/nfd-worker-conf.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-worker-conf.yaml index 61d2a481..a2299dea 100644 
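Review bot: The new `metrics` container port in templates/nfd-gc.yaml is templated from `gc.metricsPort`, but the `args` list in this hunk only ever passes `-gc-interval`, so setting `gc.metricsPort` changes the declared port without changing what `nfd-gc` listens on. If `nfd-gc` accepts the same `-metrics` flag the other components are given in this commit (to be confirmed against the v0.15.4 binary), add `- "-metrics={{ .Values.gc.metricsPort | default "8081" }}"` to `args`. The hard-coded container `securityContext` is a sound restrictive default, but the template no longer reads a container security context from values, so an existing `topologyGC.securityContext` override is silently ignored after the upgrade; that deserves a line in the upgrade notes.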
--- a/deployment/network-operator/charts/node-feature-discovery/templates/nfd-worker-conf.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/nfd-worker-conf.yaml @@ -1,3 +1,4 @@ +{{- if .Values.worker.enable }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,3 +9,4 @@ metadata: data: nfd-worker.conf: |- {{- .Values.worker.config | toYaml | nindent 4 }} +{{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/prometheus.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/prometheus.yaml new file mode 100644 index 00000000..b9f4b464 --- /dev/null +++ b/deployment/network-operator/charts/node-feature-discovery/templates/prometheus.yaml @@ -0,0 +1,26 @@ +{{- if .Values.prometheus.enable }} +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "node-feature-discovery.fullname" . }} + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }} + {{- with .Values.prometheus.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +spec: + podMetricsEndpoints: + - honorLabels: true + interval: 10s + path: /metrics + port: metrics + scheme: http + namespaceSelector: + matchNames: + - {{ include "node-feature-discovery.namespace" . }} + selector: + matchExpressions: + - {key: app.kubernetes.io/instance, operator: In, values: ["{{ .Release.Name }}"]} + - {key: app.kubernetes.io/name, operator: In, values: ["{{ include "node-feature-discovery.name" . }}"]} +{{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/role.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/role.yaml index f63cb8ff..3a872e57 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/role.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/role.yaml 
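Review bot: `honorLabels: true` in the new PodMonitor (templates/prometheus.yaml) makes Prometheus keep label values supplied by the scraped pods when they collide with its own target labels such as `job`, `instance` or `namespace`, so a misbehaving or compromised NFD pod could publish series that appear to come from another target. Unless the upstream dashboards rely on it, `honorLabels: false` is the safer default. The PodMonitor also has no `metadata.namespace`, unlike the Role and RoleBinding that gain `namespace: {{ include "node-feature-discovery.namespace" . }}` in this commit, so with `namespaceOverride` set it would be created in the release namespace while its `namespaceSelector` points at the override namespace.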
@@ -1,8 +1,9 @@ -{{- if .Values.worker.rbac.create }} +{{- if and .Values.worker.enable .Values.worker.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "node-feature-discovery.fullname" . }}-worker + namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} rules: diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/rolebinding.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/rolebinding.yaml index 30a00381..a640d5f8 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/rolebinding.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/rolebinding.yaml @@ -1,8 +1,9 @@ -{{- if .Values.worker.rbac.create }} +{{- if and .Values.worker.enable .Values.worker.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "node-feature-discovery.fullname" . }}-worker + namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} roleRef: diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/service.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/service.yaml index 0d478981..d71d1555 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/service.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if and (not .Values.enableNodeFeatureApi) .Values.master.enable }} apiVersion: v1 kind: Service metadata: @@ -16,3 +17,4 @@ spec: selector: {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }} role: master +{{- end}} 
diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/serviceaccount.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/serviceaccount.yaml index 03211e7c..7da2c877 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/serviceaccount.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if .Values.master.serviceAccount.create -}} +{{- if and .Values.master.enable .Values.master.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -12,8 +12,8 @@ metadata: {{- end }} {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -27,23 +27,23 @@ metadata: {{- end }} {{- end }} +{{- if and .Values.gc.enable .Values.gc.serviceAccount.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.serviceAccount.create .Values.topologyUpdater.enable }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }} + name: {{ include "node-feature-discovery.gc.serviceAccountName" . }} namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} - {{- with .Values.topologyUpdater.serviceAccount.annotations }} + {{- with .Values.gc.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +{{- if and .Values.worker.enable .Values.worker.serviceAccount.create }} --- -{{- if .Values.worker.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/topologyupdater.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/topologyupdater.yaml index cd3fca05..f51c10e6 100644 
--- a/deployment/network-operator/charts/node-feature-discovery/templates/topologyupdater.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/topologyupdater.yaml @@ -7,6 +7,10 @@ metadata: labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} role: topology-updater + {{- with .Values.topologyUpdater.daemonsetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: @@ -17,8 +21,10 @@ spec: labels: {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} role: topology-updater + {{- with .Values.topologyUpdater.annotations }} annotations: - {{- toYaml .Values.topologyUpdater.annotations | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: serviceAccountName: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }} dnsPolicy: ClusterFirstWithHostNet @@ -37,6 +43,10 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: NODE_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.hostIP command: - "nfd-topology-updater" args: @@ -66,6 +76,10 @@ spec: # Disable kubelet state tracking by giving an empty path - "-kubelet-state-dir=" {{- end }} + - -metrics={{ .Values.topologyUpdater.metricsPort | default "8081"}} + ports: + - name: metrics + containerPort: {{ .Values.topologyUpdater.metricsPort | default "8081"}} volumeMounts: {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }} - name: kubelet-config diff --git a/deployment/network-operator/charts/node-feature-discovery/templates/worker.yaml b/deployment/network-operator/charts/node-feature-discovery/templates/worker.yaml index c1240bdc..f49f9bd6 100644 --- a/deployment/network-operator/charts/node-feature-discovery/templates/worker.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/templates/worker.yaml @@ -1,3 +1,4 @@ +{{- if .Values.worker.enable }} apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -6,8 +7,10 @@ metadata: labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} role: worker + {{- with .Values.worker.daemonsetAnnotations }} annotations: - {{- toYaml .Values.worker.daemonsetAnnotations | nindent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: @@ -18,8 +21,10 @@ spec: labels: {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} role: worker + {{- with .Values.worker.annotations }} annotations: - {{- toYaml .Values.worker.annotations | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: dnsPolicy: ClusterFirstWithHostNet {{- with .Values.imagePullSecrets }} @@ -40,20 +45,32 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid resources: {{- toYaml .Values.worker.resources | nindent 12 }} command: - "nfd-worker" args: + {{- if not .Values.enableNodeFeatureApi }} - "-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}" - {{- if .Values.enableNodeFeatureApi }} - - "-enable-nodefeature-api" + - "-enable-nodefeature-api=false" {{- end }} {{- if .Values.tls.enable }} - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" {{- end }} + - "-metrics={{ .Values.worker.metricsPort | default "8081"}}" + ports: + - name: metrics + containerPort: {{ .Values.worker.metricsPort | default "8081"}} volumeMounts: - name: host-boot mountPath: "/host-boot" @@ -142,3 +159,4 @@ spec: {{- with .Values.worker.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} +{{- end }} diff --git a/deployment/network-operator/charts/node-feature-discovery/values.yaml b/deployment/network-operator/charts/node-feature-discovery/values.yaml index d3db4355..d4919bca 100644 
--- a/deployment/network-operator/charts/node-feature-discovery/values.yaml +++ b/deployment/network-operator/charts/node-feature-discovery/values.yaml @@ -10,27 +10,57 @@ nameOverride: "" fullnameOverride: "" namespaceOverride: "" -enableNodeFeatureApi: false +enableNodeFeatureApi: true master: + enable: true config: ### # noPublish: false + # autoDefaultNs: true # extraLabelNs: ["added.ns.io","added.kubernets.io"] # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"] # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"] # enableTaints: false # labelWhiteList: "foo" + # resyncPeriod: "2h" + # klog: + # addDirHeader: false + # alsologtostderr: false + # logBacktraceAt: + # logtostderr: true + # skipHeaders: false + # stderrthreshold: 2 + # v: 0 + # vmodule: + ## NOTE: the following options are not dynamically run-time configurable + ## and require a nfd-master restart to take effect after being changed + # logDir: + # logFile: + # logFileMaxSize: 1800 + # skipLogHeaders: false + # leaderElection: + # leaseDuration: 15s + # # this value has to be lower than leaseDuration and greater than retryPeriod*1.2 + # renewDeadline: 10s + # # this value has to be greater than 0 + # retryPeriod: 2s + # nfdApiParallelism: 10 ### # The TCP port that nfd-master listens for incoming requests. Default: 8080 + # Deprecated this parameter is related to the deprecated gRPC API and will + # be removed with it in a future release port: 8080 + metricsPort: 8081 instance: featureApi: + resyncPeriod: denyLabelNs: [] extraLabelNs: [] resourceLabels: [] enableTaints: false crdController: null featureRulesController: null + nfdApiParallelism: null deploymentAnnotations: {} replicaCount: 1 @@ -104,6 +134,7 @@ master: values: [""] worker: + enable: true config: ### #core: # labelWhiteList: @@ -154,6 +185,7 @@ worker: # - "SSE4" # - "SSE42" # - "SSSE3" + # - "TDX_GUEST" # attributeWhitelist: # kernel: # kconfigFile: "/path/to/kconfig" 
@@ -183,12 +215,12 @@ worker: # - "vendor" # - "device" # local: - # hooksEnabled: true + # hooksEnabled: false # custom: # # The following feature demonstrates the capabilities of the matchFeatures # - name: "my custom rule" # labels: - # my-ng-feature: "true" + # "vendor.io/my-ng-feature": "true" # # matchFeatures implements a logical AND over all matcher terms in the # # list (i.e. all of the terms, or per-feature matchers, must match) # matchFeatures: @@ -259,7 +291,7 @@ worker: # # The following feature demonstrates the capabilities of the matchAny # - name: "my matchAny rule" # labels: - # my-ng-feature-2: "my-value" + # "vendor.io/my-ng-feature-2": "my-value" # # matchAny implements a logical IF over all elements (sub-matchers) in # # the list (i.e. at least one feature matcher must match) # matchAny: @@ -280,10 +312,17 @@ worker: # vendor: {op: In, value: ["8086"]} # class: {op: In, value: ["02"]} # + # - name: "avx wildcard rule" + # labels: + # "my-avx-feature": "true" + # matchFeatures: + # - feature: cpu.cpuid + # matchName: {op: InRegexp, value: ["^AVX512"]} + # # # The following features demonstreate label templating capabilities # - name: "my template rule" # labelsTemplate: | - # {{ range .system.osrelease }}my-system-feature.{{ .Name }}={{ .Value }} + # {{ range .system.osrelease }}vendor.io/my-system-feature.{{ .Name }}={{ .Value }} # {{ end }} # matchFeatures: # - feature: system.osrelease @@ -293,7 +332,7 @@ worker: # # - name: "my template rule 2" # labelsTemplate: | - # {{ range .pci.device }}my-pci-device.{{ .class }}-{{ .device }}=with-cpuid + # {{ range .pci.device }}vendor.io/my-pci-device.{{ .class }}-{{ .device }}=with-cpuid # {{ end }} # matchFeatures: # - feature: pci.device @@ -308,7 +347,7 @@ worker: # # previous labels and vars # - name: "my dummy kernel rule" # labels: - # "my.kernel.feature": "true" + # "vendor.io/my.kernel.feature": "true" # matchFeatures: # - feature: kernel.version # matchExpressions: 
@@ -323,15 +362,23 @@ worker: # # - name: "my rule using backrefs" # labels: - # "my.backref.feature": "true" + # "vendor.io/my.backref.feature": "true" # matchFeatures: # - feature: rule.matched # matchExpressions: - # my.kernel.feature: {op: IsTrue} + # vendor.io/my.kernel.feature: {op: IsTrue} # my.dummy.var: {op: Gt, value: ["0"]} # + # - name: "kconfig template rule" + # labelsTemplate: | + # {{ range .kernel.config }}kconfig-{{ .Name }}={{ .Value }} + # {{ end }} + # matchFeatures: + # - feature: kernel.config + # matchName: {op: In, value: ["SWAP", "X86", "ARM"]} ### + metricsPort: 8081 daemonsetAnnotations: {} podSecurityContext: {} # fsGroup: 2000 @@ -404,6 +451,7 @@ topologyUpdater: rbac: create: true + metricsPort: 8081 kubeletConfigPath: kubeletPodResourcesSockPath: updateInterval: 60s @@ -433,10 +481,11 @@ topologyUpdater: nodeSelector: {} tolerations: [] annotations: {} + daemonsetAnnotations: {} affinity: {} podSetFingerprint: true -topologyGC: +gc: enable: true replicaCount: 1 @@ -450,12 +499,6 @@ topologyGC: interval: 1h podSecurityContext: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: [ "ALL" ] - readOnlyRootFilesystem: true - runAsNonRoot: true resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -469,9 +512,12 @@ topologyGC: # cpu: 100m # memory: 128Mi + metricsPort: 8081 + nodeSelector: {} tolerations: [] annotations: {} + deploymentAnnotations: {} affinity: {} # Optionally use encryption for worker <--> master comms @@ -482,3 +528,7 @@ topologyGC: tls: enable: false certManager: false + +prometheus: + enable: false + labels: {} diff --git a/deployment/network-operator/values.yaml b/deployment/network-operator/values.yaml index 0cc1e23f..513fa442 100644 --- a/deployment/network-operator/values.yaml +++ b/deployment/network-operator/values.yaml 
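Review bot: The `gc` values block loses the container `securityContext` defaults that `topologyGC` carried (`allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) in the `@@ -450,12 +499,6 @@` hunk, and nothing in this values file replaces them. templates/nfd-gc.yaml is changed by the same commit but is not visible here, so please confirm it now sets these four fields on the container itself; if it still reads `.Values.gc.securityContext`, the garbage-collector pod would run without this hardening. If the template does hardcode them, a comment under `podSecurityContext: {}` such as `# container securityContext is fixed in templates/nfd-gc.yaml` would keep a later chart bump from reading as a regression. The `gc:` mapping starts and ends outside this hunk.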
@@ -28,10 +28,23 @@ sriovNetworkOperator: # Node Feature discovery chart related values node-feature-discovery: enableNodeFeatureApi: true + master: + serviceAccount: + name: node-feature-discovery + create: true + config: + extraLabelNs: ["nvidia.com"] + gc: + enable: true + replicaCount: 1 + serviceAccount: + # disable creation to avoid duplicate serviceaccount creation by master spec above + name: node-feature-discovery + create: false worker: serviceAccount: + # disable creation to avoid duplicate serviceaccount creation by master spec above name: node-feature-discovery - # disable creation to avoid duplicate serviceaccount creation by master spec below create: false tolerations: - key: "node-role.kubernetes.io/master" @@ -51,12 +64,6 @@ node-feature-discovery: - "0302" deviceLabelFields: - vendor - master: - serviceAccount: - name: node-feature-discovery - create: true - config: - extraLabelNs: ["nvidia.com"] # SR-IOV Network Operator chart related values sriov-network-operator: diff --git a/hack/templates/values/values.template b/hack/templates/values/values.template index b6d25719..4f0a4405 100644 --- a/hack/templates/values/values.template +++ b/hack/templates/values/values.template @@ -28,10 +28,23 @@ sriovNetworkOperator: # Node Feature discovery chart related values node-feature-discovery: enableNodeFeatureApi: true + master: + serviceAccount: + name: node-feature-discovery + create: true + config: + extraLabelNs: ["nvidia.com"] + gc: + enable: true + replicaCount: 1 + serviceAccount: + # disable creation to avoid duplicate serviceaccount creation by master spec above + name: node-feature-discovery + create: false worker: serviceAccount: + # disable creation to avoid duplicate serviceaccount creation by master spec above name: node-feature-discovery - # disable creation to avoid duplicate serviceaccount creation by master spec below create: false tolerations: - key: "node-role.kubernetes.io/master" 
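Review bot: The new `gc.serviceAccount` block reuses the master's account (`name: node-feature-discovery`, `create: false`), as the worker already does. Assuming the subchart's role bindings attach by service-account name, the garbage collector and the per-node worker pods then run with the combined permissions of all three components. For least privilege I would let the subchart create a dedicated account for gc, replacing the override with `serviceAccount:` / `create: true` and no `name`, unless something else depends on the shared name. The identical block is added in hack/templates/values/values.template (`@@ -28,10 +28,23 @@`) and should change with it. The `node-feature-discovery:` mapping continues outside the hunk.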
@@ -51,12 +64,6 @@ node-feature-discovery: - "0302" deviceLabelFields: - vendor - master: - serviceAccount: - name: node-feature-discovery - create: true - config: - extraLabelNs: ["nvidia.com"] # SR-IOV Network Operator chart related values sriov-network-operator: