release by forward-port sriov 104.1.0+up0.1.0

rancher · Jul 17, 2024 · 23dcc73 · 23dcc73
1 parent 230e8b3
commit 23dcc73
Show file tree

Hide file tree

Showing 46 changed files with 3,566 additions and 0 deletions.
diff --git a/assets/sriov/sriov-104.1.0+up0.1.0.tgz b/assets/sriov/sriov-104.1.0+up0.1.0.tgz
diff --git a/charts/sriov/104.1.0+up0.1.0/.helmignore b/charts/sriov/104.1.0+up0.1.0/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sriov/104.1.0+up0.1.0/Chart.yaml b/charts/sriov/104.1.0+up0.1.0/Chart.yaml
@@ -0,0 +1,36 @@
+annotations:
+  catalog.cattle.io/auto-install: sriov-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/deprecated: "true"
+  catalog.cattle.io/experimental: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.30.0-0'
+  catalog.cattle.io/namespace: cattle-sriov-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux
+  catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+  catalog.cattle.io/release-name: sriov
+  catalog.cattle.io/upstream-version: 1.2.0
+apiVersion: v2
+appVersion: 1.2.0
+dependencies:
+- condition: rancher-nfd.enabled
+  name: rancher-nfd
+  repository: file://./charts/rancher-nfd
+  version: 0.15.4
+deprecated: true
+description: SR-IOV network operator configures and manages SR-IOV networks in the
+  kubernetes cluster
+home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+icon: https://charts.rancher.io/assets/logos/sr-iov.svg
+keywords:
+- sriov
+- Networking
+kubeVersion: '>= 1.16.0-0'
+maintainers:
+- email: charts@rancher.com
+  name: Rancher Labs
+name: sriov
+sources:
+- https://github.com/rancher/charts
+type: application
+version: 104.1.0+up0.1.0
diff --git a/charts/sriov/104.1.0+up0.1.0/README.md b/charts/sriov/104.1.0+up0.1.0/README.md
@@ -0,0 +1,129 @@
+# SR-IOV Network Operator Helm Chart
+
+SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
+the lifecycle of SR-IOV network operator.
+
+## SR-IOV Network Operator
+SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
+
+SR-IOV Network Operator features:
+- Initialize the supported SR-IOV NIC types on selected nodes.
+- Provision/upgrade SR-IOV device plugin executable on selected node.
+- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
+- Manage configuration of SR-IOV device plugin on host.
+- Generate net-att-def CRs for SR-IOV CNI plugin
+- Supports operation in a virtualized Kubernetes deployment
+  - Discovers VFs attached to the Virtual Machine (VM)
+  - Does not require attached of associated PFs
+  - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
+
+## QuickStart
+
+### Prerequisites
+
+- Kubernetes v1.17+
+- Helm v3
+
+### Install Helm
+
+Helm provides an install script to copy helm binary to your system:
+```
+$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+$ chmod 500 get_helm.sh
+$ ./get_helm.sh
+```
+
+For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
+
+### Deploy SR-IOV Network Operator
+
+```
+# Install Operator
+$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
+
+# View deployed resources
+$ kubectl -n sriov-network-operator get pods
+```
+
+In the case that [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security level of 'privileged'
+```
+$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged
+```
+
+## Chart parameters
+
+In order to tailor the deployment of the network operator to your cluster needs
+We have introduced the following Chart parameters.
+
+| Name | Type | Default | description |
+| ---- |------|---------|-------------|
+| `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator image |
+
+### Operator parameters
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.tolerations` | list | `[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]` | Operator's tolerations |
+| `operator.nodeSelector` | object | {} | Operator's node selector |
+| `operator.affinity` | object | `{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}}` | Operator's afffinity configuration |
+| `operator.nameOverride` | string | `` | Operator's resource name override |
+| `operator.fullnameOverride` | string | `` | Operator's resource full name override |
+| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
+| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
+| `operator.clustertype` | string | `kubernetes` | Cluster environment type |
+
+#### Admission Controllers parameters
+
+The admission controllers can be enabled by switching on a single parameter `operator.admissionControllers.enabled`. By
+default, the user needs to pre-create Kubernetes Secrets that match the names provided in
+`operator.admissionControllers.certificates.secretNames`. The secrets should have 3 fields populated with the relevant
+content:
+* `ca.crt` (value needs to be base64 encoded twice)
+* `tls.crt`
+* `tls.key`
+
+Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission
+controllers, which can be found in the table below. In a nutshell, the modes that are supported are:
+* Consume pre-created Certificates managed by cert-manager
+* Generate self signed Certificates managed by cert-manager
+* Specify the content of the certificates as Helm values
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.admissionControllers.enabled` | bool | false | Flag that switches on the admission controllers |
+| `operator.admissionControllers.certificates.secretNames.operator` | string | `operator-webhook-cert` | Secret that stores the certificate for the Operator's admission controller |
+| `operator.admissionControllers.certificates.secretNames.injector` | string | `network-resources-injector-cert` | Secret that stores the certificate for the Network Resources Injector's admission controller  |
+| `operator.admissionControllers.certificates.certManager.enabled` | bool | false | Flag that switches on consumption of certificates managed by cert-manager |
+| `operator.admissionControllers.certificates.certManager.generateSelfSigned` | bool | false | Flag that switches on generation of self signed certificates managed by cert-manager. The secrets in which the certificates are stored will have the names provided in `operator.admissionControllers.certificates.secretNames` |
+| `operator.admissionControllers.certificates.custom.enabled` | bool | false | Flag that switches on consumption of user provided certificates that are part of `operator.admissionControllers.certificates.custom.operator` and `operator.admissionControllers.certificates.custom.injector` objects |
+| `operator.admissionControllers.certificates.custom.operator.caCrt` | string | `` | The CA certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.operator.tlsCrt` | string | `` | The public part of the certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.operator.tlsKey` | string | `` | The private part of the certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.caCrt` | string | `` | The CA certificate to be used by the Network Resources Injector's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.tlsCrt` | string | `` | The public part of the certificate to be used by the Network Resources Injector's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.tlsKey` | string | `` | The private part of the certificate to be used by the Network Resources Injector's admission controller |
+
+### SR-IOV Operator Configuration Parameters
+
+This section contains general parameters that apply to both the operator and daemon componets of SR-IOV Network Operator.
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `sriovOperatorConfig.deploy` | bool | `false` | deploy SriovOperatorConfig custom resource |
+| `sriovOperatorConfig.configDaemonNodeSelector` | map[string]string | `{}` | node slectors for sriov-network-config-daemon |
+| `sriovOperatorConfig.logLevel` | int | `2` | log level for both operator and sriov-network-config-daemon |
+| `sriovOperatorConfig.disableDrain` | bool | `false` | disable node draining when configuring SR-IOV, set to true in case of a single node cluster or any other justifiable reason |
+| `sriovOperatorConfig.configurationMode` | string | `daemon` | sriov-network-config-daemon configuration mode. either `daemon` or `systemd` |
+
+### Images parameters
+
+| Name | description |
+| ---- | ----------- |
+| `images.operator` | Operator controller image |
+| `images.sriovConfigDaemon` | Daemon node agent image |
+| `images.sriovCni` | SR-IOV CNI image |
+| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
+| `images.sriovDevicePlugin` | SR-IOV device plugin image |
+| `images.resourcesInjector` | Resources Injector image |
+| `images.webhook` | Operator Webhook image |
diff --git a/charts/sriov/104.1.0+up0.1.0/app-README.md b/charts/sriov/104.1.0+up0.1.0/app-README.md
@@ -0,0 +1,13 @@
+# Rancher SR-IOV Network Operator
+
+This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
+
+The chart installs the following components:
+
+ - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
+ - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
+
+Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
+
+The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.
+
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: v0.15.4
+description: Detects hardware features available on each node in a Kubernetes cluster,
+  and advertises those features using node labels
+home: https://github.com/kubernetes-sigs/node-feature-discovery
+keywords:
+- feature-discovery
+- feature-detection
+- node-labels
+name: rancher-nfd
+sources:
+- https://github.com/kubernetes-sigs/node-feature-discovery
+type: application
+version: 0.15.4
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md
@@ -0,0 +1,10 @@
+# Node Feature Discovery
+
+Node Feature Discovery (NFD) is a Kubernetes add-on for detecting hardware
+features and system configuration. Detected features are advertised as node
+labels. NFD provides flexible configuration and extension points for a wide
+range of vendor and application specific node labeling needs.
+
+See
+[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.15/deployment/helm.html)
+for deployment instructions.