From 23dcc733fded1f4a549710243d5ba02b8d6cf5e8 Mon Sep 17 00:00:00 2001 
From: nicholasSSUSE Date: Wed, 17 Jul 2024 20:38:06 -0300 Subject: [PATCH] release by forward-port sriov 104.1.0+up0.1.0 --- assets/sriov/sriov-104.1.0+up0.1.0.tgz | Bin 0 -> 23180 bytes charts/sriov/104.1.0+up0.1.0/.helmignore | 23 + charts/sriov/104.1.0+up0.1.0/Chart.yaml | 36 ++ charts/sriov/104.1.0+up0.1.0/README.md | 129 +++++ charts/sriov/104.1.0+up0.1.0/app-README.md | 13 + .../charts/rancher-nfd/.helmignore | 23 + .../charts/rancher-nfd/Chart.yaml | 14 + .../charts/rancher-nfd/README.md | 10 + .../charts/rancher-nfd/crds/nfd-api-crds.yaml | 426 ++++++++++++++ .../charts/rancher-nfd/templates/_helpers.tpl | 107 ++++ .../templates/cert-manager-certs.yaml | 68 +++ .../templates/cert-manager-issuer.yaml | 42 ++ .../rancher-nfd/templates/clusterrole.yaml | 119 ++++ .../templates/clusterrolebinding.yaml | 52 ++ .../charts/rancher-nfd/templates/master.yaml | 145 +++++ .../charts/rancher-nfd/templates/nfd-gc.yaml | 77 +++ .../templates/nfd-master-conf.yaml | 12 + .../templates/nfd-topologyupdater-conf.yaml | 10 + .../templates/nfd-worker-conf.yaml | 12 + .../rancher-nfd/templates/prometheus.yaml | 26 + .../charts/rancher-nfd/templates/role.yaml | 19 + .../rancher-nfd/templates/rolebinding.yaml | 18 + .../charts/rancher-nfd/templates/service.yaml | 20 + .../rancher-nfd/templates/serviceaccount.yaml | 58 ++ .../templates/topologyupdater-crds.yaml | 278 +++++++++ .../templates/topologyupdater.yaml | 156 +++++ .../charts/rancher-nfd/templates/worker.yaml | 162 ++++++ .../charts/rancher-nfd/values.yaml | 534 ++++++++++++++++++ .../sriov/104.1.0+up0.1.0/templates/NOTES.txt | 29 + .../104.1.0+up0.1.0/templates/_helpers.tpl | 85 +++ .../templates/_webhook-certs.tpl | 31 + .../templates/certificate.yaml | 71 +++ .../templates/certmanagercerts.yaml | 41 ++ .../templates/clusterrole.yaml | 111 ++++ .../templates/clusterrolebinding.yaml | 29 + .../104.1.0+up0.1.0/templates/configmap.yaml | 47 ++ .../104.1.0+up0.1.0/templates/operator.yaml | 116 ++++ 
.../sriov/104.1.0+up0.1.0/templates/role.yaml | 132 +++++ .../templates/rolebinding.yaml | 44 ++ .../104.1.0+up0.1.0/templates/secrets.yaml | 20 + .../templates/serviceaccount.yaml | 15 + .../templates/sriovoperatorconfig.yaml | 17 + .../templates/validate-install-crd.yaml | 19 + charts/sriov/104.1.0+up0.1.0/values.yaml | 129 +++++ index.yaml | 40 ++ release.yaml | 1 + 46 files changed, 3566 insertions(+) create mode 100644 assets/sriov/sriov-104.1.0+up0.1.0.tgz create mode 100644 charts/sriov/104.1.0+up0.1.0/.helmignore create mode 100644 charts/sriov/104.1.0+up0.1.0/Chart.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/README.md create mode 100644 charts/sriov/104.1.0+up0.1.0/app-README.md create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml 
create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/values.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/NOTES.txt create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/_helpers.tpl create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/_webhook-certs.tpl create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/certificate.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/certmanagercerts.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/clusterrole.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/configmap.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/operator.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/role.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/rolebinding.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/secrets.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/serviceaccount.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/sriovoperatorconfig.yaml create mode 100644 charts/sriov/104.1.0+up0.1.0/templates/validate-install-crd.yaml create mode 100644 
charts/sriov/104.1.0+up0.1.0/values.yaml 
diff --git a/assets/sriov/sriov-104.1.0+up0.1.0.tgz b/assets/sriov/sriov-104.1.0+up0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c18aac737ca2c10f35409fcc5e45e5633039ca1d GIT binary patch literal 23180 zcmV)_K!3jDc zVQyr3R8em|NM&qo0PMYcf7`aQD7yc>{1jMn*DsG{QV+kfba(c-j_tHQjUTn$wCm*L zxDW|Rs40RaK-pSJ&S$?ryh!j($+DAnn|~xS2@D2R!E zczV5FZ+ClJ{NL;K^8XL|J6r$J-`?Ho4F)^C?ZJQa`h%^l!GD0>Lm-oXV#;9jAH93G zmG9i2>DfK-pP=t-_4v5({TiZZh8eZ% zODXDPksdhzR5%ZuehtnM@)4xS=D4eIDJ>U=ltl>6(pLJ;!0A~q#P9W+`M`o<_&!^} zLm>)06u21Cp=AS?1RiFhfJQtRdkzZV$VZ+9fW*Z3W&sePkWkD>v>1Xh_R+B0b-FH> zHnf{9nV{Em`a90HWwHk!bjw53jc_P2xV*5B&)$Oov0D<|01~1IG7@nl$9NJ)hyoaR zU@X`%ozM1kwal%dF)65fp|V<8=OyA#Z&@yKz>tb6l{DgdD$ z&qg?y+)lcZQPg`|<6&W!W2u424m+yDVpdU#814FGLTHypHYRh2&L`FlTHKPz69kuI zYJ*b=90wDNqx-&$#h+O-hyw<3fFe;D%^>!NK(_q<>6TqGO9tvfz60;zh*~BWQ4&Y4 z9P<(?C{U_T7F&d92w)ic*cD>LO8Km}?ev}AKjN^*|F^!jsC#-!9=ZO{p&ujqPzpf( z`rq$uZx8b8|IS|TY5jkUM@uZe_%q`3KeR3YfDLZYVhB0`@sJ%6A33SKC*PU=i`{(1!uKPc!<{DLJ}BZp@IX zBATyi9WmD{v?-h9LX>#u68Xp#uRndU0D$8$4lr9t;_(9enKuB05gMZ?Lf&B<;b5ZB z#KGiv5|HGz#F5KTRgHJy7U9X14M9J7r@^7XMML8)075rAx(g#jX*!zev)s6*PfCX4 zpzu-3kRkZc>3sZ3c$f0avgm_O2Yghkr54rPgsJmeEey9sUh^Gb{*kAp7NuwOz2fRJw*> z41Fq@S!vx|V@l{oksBd)%C*~+l*atgKkZvIni6tjb08_*aPYfg?~Yb*bXTdZKW6Ii z-zP%niqZx*z%Nr2Xq-2}4Bj9LVu}D6XV6yang>P;@!pnyM@|B&q~B#NWPrj5fe8wD zPmu@a7-nD#HIeb!d|<&X_I=5Q{H1(H#^SdmCN&!M&=?2E18_vNXvsAVs^|00l1bIKW%%B0zEAB7hk{fk#0cf)T>O z1VB#pIhex;bK2{Xa%0NKY*;sL8zw6zZ}<-8AYw!C*?0wj&7U_%-yffXgQJV98Hc}-{1W6 zVYrUwuDjza9+^y4~&BkNc-@4t9@OuRr-2 zULA+zbsfS9zIAOTg6fHnzOf$sIrzvDyPz{AjShqjf%6g<@u5!^pyWF^xJae)2>Ikz zsSp-WwUph0gW(Dbpi)_+U`!&AwHrvYh3!E!BV09+e;W_vd zU^^}hxzHVgXB>@ZUj!mPnE)TnkuQ)K5jIV2Ct|&+Maw6Xcf9ft3?y|hYyyfHU!FKRe0Aar5MNv&UtA^%jAg7dCnFgWCGr>o0GT|W}k#7+myI2{4PqK%F$(%~(4r1j71B;%o~oDi=0DWX^#;CKcn z2>g6;TsE?XWoj0Z00oR%m{$-QS#|+5jb+-*GKG7zKfTVgk5;jkggx=e2>R;4g86D2DJSe98pGIU7ifYhyunm~rGh^{L>D{=C*Ei@1NNc$f{v(V?erS9q3)zPKH?${dJXgdGf?)P){zwO>u 
z|H=OM7|-{J=>rC!6&$6%ATJeGd`lk1fmq+U!ZRkmPj2~NE}6|>;L)LFeJ74nT;>Bi z0G~bq=R%%QIj8!34Se|mCWwKMc+|4q^7Y-5hf2@~IG`+wU15I&Bmh%#%hiRLqN?Mb zO-mS(03-K4u(3XUvH>0g=e;zA>ksODYrklU0bjo8N_;o3E4nCR*V?%7<%@MSg~1J2 zkXVR8b&$#l#|b3Q-8p%{moJWG{jz^?dVKo*-@qmE$AAj!LDrfvg>$ZMqQJ0eaKK7b zQ^&fRB8o~XK|lgzFA$8lSr=8l2nJusi64yxAi>M z-~I;f|0pb>44$!giz)3`FS|-4ORF>JlrNzU zui622T9~WSnKe$Yk>(i+_zYMS2QJv%5aH<)-OoH7Udalfp>|55pp44m?)Vc@MG!%B04|D$oJ&2fsbcc+0+>q z=Fdk9L72nSOJ0`COBy2gg<~C$fpW-^KwKi6F|_;_?=VZGeoQ%@6hMKz!nQ4)^(jI7gabAPoxfB2@3fPH zB^zzeZI${+%7ez>^7*4YU--a^0an~1OZjkw{Pu$^Dy1Ww@0m$-`CGXKfzN#L_PMUz z`9}wIt~<+5FfyBwKq5?ABP@$cjHk$-Idm#@f+5#*ap3x~*VtW0BGg!%DtqWV)u>}| znWD#j;?Tyw!7$7jOA|MxR1Y_*d68n_EMZ>~Au5LaQk4z;MpzD%2U}`tFM2AK7eOddoO5|mW zIr8`vbYS-1kUP4Oj{4DQ1)zMdlh8yMv#u4y>qwciN+}@CVcO}l z)C^W4NxGet0Emw3KRPKsyc7A~k~@CEfk$o=4@# zb@_`5za!I6i7O|aJY`DJ(34!^ke!sNH?axne)?ZQ|2JJh*0c*~wEyky<@EpE-u9FJ z|0s``px-M~61aMInYA2cO-rYQp&^&-6oCO}MMO8HGYQw0BNR%<6^iC4f<9n)hNzsu zo1z5d>W6y+7_m@5<4CR;2m7MUyr&Kc`~@J1kJxuEJt{rV4n^)9v z1MIkgJ9aSXfUVt~7ZTbv2SyPC4xiy24&IX1t4-jM;28s4<}m^~6wg8*j~5+|?2IdS zx0p>y%;cUx^k@_CE-zB-ErW{SHW5$Kpf_6Z-3uNIA28>gXcb`;;$DRy#xv7Q^!^Muz-*wqbed+outT*Xpt#VOJ{Aa zzt-o1-x9%VTnPVkr2p$!3-jy0A-C3c9iUSuP^Fh$7q%D6eH6R=7!YO&yP2kp}t`IK{c&iR9Gm6yk2>^0LJMrs@@0r%2c^g>>J$(RBi5-MlMxuYe24NOPW*9 zm!^6c;W=dJN2IRUM=F@nIq|W(7=nHO7B1+zDBQd`xd*LlfeS@t{rjy)B7f%K^J`1I zr^kE>>%ZJTi{J{6XaCK|f7{vJe!BnhD32)>qY-o+7_%vf@V~`87RNss`6$`rg7_7t zs3qKN#u?R!_eMI8Wj75@&Nd8VZgQyR4 z6ph5o31Xd1(D5-9|KCF9PWg{e|Bw#!qFReKLgE#gc)3jFE}CO;MIsMH`ZtwaRfCeB^7N(WRpgCRKv)nILV~0 zAaMDM9z&1~%;f`a3(l-2QK`zq|9a|9gyQb)oV`vd1^J4J1BN=B%O=ybpd_ zDAiEOqVec=q-7U%2VnXA>)Oez_3gT=#WfyfL$AVG;vlq4jA&U z@pcbg|N86uy?!qZ>GTSM{?4}B$(9=Ie1CoU_I&WlC^#xB*zbLR{p()8$4jSW_Xhd0 zcaxDSyt8ApzPrW$*~u4tHQ3qPO-l9LfAW7|u4&QiuRA+?*ZWr-w1MhBYf*i(fAHh^ zyZzH6qej1>#^urVRa$&JE-Nlcdwsgq>m^<6c{{Jl%5HPe?|AW_GL(C@RSJ1$r*~CH zHA#=bK$qFt^9EpR&-F^mm_xO-=k@B!nFY7<1zmJ~Kt%W+ILE$^u8&^zd-lOkhx>!; zf%q>)`JV&OfA#90jkSOM_5I=gwoz|uiF#&xqgM5d3jLZ2A&hRWk6sP7(pYG(_{32a 
zPUqOe@OtLo?OY#_AV4nr)#jb(?~JxUztrrsWuHPJ-?Cfp# zx333xgB>oC`rBw5^mn~I{*PN)VQ*)r_v(6Z*YEYx8hblE(0|nveDIS`CfL3H19|BB zr+3>sys3iyD$FXwN79(N4|f3c5rocc6xpF>)`s}^q;%G3QpeJ^T24(>+yfKs!P8zO80r` zerf5qF<%6)4^H3ybH}K$%WLeG)#&%G4^I2NUyZ{5+t%FFD?`1nIqkcFNlae__H|rQ64+S8x45|?|u&89AaNa zklxz*y9Iz25(*)M&iwH+xHV!2fbKPaIQc{{?Sc!UnPx@rwsXl>3>b|33(ouugUmW8=gF4YaL(w-UGA}L2s6|qS{f0r$yij4OlH@8mSSt}K=~E6wRZtgR z)o_BB5yDgUNaHbrFJFc=1sR-Vkx=1Tvzc`4x_K#|%*l%R`i~e;ibhVhW=db8a7 z8JdY8lKo!q1RLK_FwdhT3I5Ce)xi(fr~4;Im*@KjM>%jJ_R8DHOf8}x5wVTGtzrI+GlFibma8t>X);NAFnTtF3*0x zI5@hzK0f`QM+aAD7Z22*LLm9Z{uFD}^ylpS=whE^&*x$}@{K|yKg^m&2WO{mkH5b@ z+&?-wd(h!F6CbpkYG#c_zSSN2<><{1XJ2SYrotxf--JcV3@g9KAjMwG!2W zf|AW~Rs~-4|N8vrckiw*j}9)5t}ZKE_?_SYbT&IJ7WUjk``T;6`PpIRq*!13<$XUp zJbIY6xi&78?bE8ZFOJ?F?Oz^UzdyRTJU%XwQ&o zR=q0d2k(BqygItLzWUdB^_(oiO%w8&fLD!^QHI$5;mPqOry&=FR~KjR-W^?BUK@#& zF0T{mE2mM75MK9v<(1G)mbynkH+!{qh0$rce0~o)@IS6k_D}b}Kf1U+I^BQs?&xrx zbST3%bE7sThmKEqUj{tbzdpFQYAXg=dH|I17g$ zh<*RhV|*{YXpvYHJDuEpgXD`yVWj_1HrDh73cQfufTeFjPG!naz~;n{XUO#-o*5P9 z$Sj?>VVP~D`G*r1XZcC`J(qR>h6+SU7rf-uByAXbG$K`bSkxEt4+7MaZ0wMNl;>UGCBfIj{=D#tL^$1SB; zRXZux(?s9BO92rdW&hIG*p?ijl8ZN0xa6+hG>wmsY5Iro$X~@MlQ)d;9Q$a3yy|%)LAoSh=#IH0pe%xk zkj_t9S~+8@$1f+gYi2^dOnBxJ5_vc<`TtoZ?FA>(XG>DJx);V;lmnN@S4HzR&){Md z5%_1Bxy>X0wKcu+r%eA}+r=OCG{t`!?B(zO?Ck7rJ?a0C@uc%nU;Jo2mH&*MHtnx{ zta|p}ray&CE{}3OiOcD=4)-^ta4j{kP5I65KZN(cptSbET77LzXL%*xRE|^| z`h0D<`B!=J>%X!xtkneAbpN+E$glrT`9B})Y06+-l5MPAYV74A?%p$Yp#WA~IP-~T z%w=Pciv`OC?jv-xO_aa;^tdVoOkLOil8H^8o>os${+q_d^(+Go^1rvcwVjXuyVZNT z|M4hKh4jkkcYnf-UQNvRhOT`>o0`WM|HAy|e{0m#LBM^5K$HHr)z6>*?rrTp>3@&% z@R@9+(&eLnrbb`7!aDMtE3fHPo)Dx)-peAelKG~bV3!P>EHyIi$Gn6$O~%Jd{-II) zMXH{w0xMkZDI=z9xEG%mt~OPDm4@W>F3fi~o8Y^-$mRFt%coCicE%xi_ILWM1HQZA z-?QT6)2Gz;C*ug@lgT?YM}DT`WytG-vYLk}@BLu}anM-RENu2w#gRNA9%_V9s3CRN zC-YE&xsPf47kTZ*Qyjl>hHho(;956LJ%W zpgN9jci!)SjuDng+}G`NUc3N3VJ_GZ;^jMWmzT>Z54+6xKoQd)tHacG=l!l&KaSt1 zJH{O_hC1{3Du5IiE>>l9`ZWT)WRRgX!8<3!mjZ810PhPXD}{^D)b-4&yW>VlJO)!J zQuL_SpEGjFA{&Qy4KYLSqsoMfo?8 
zL|S}wl8f)P-824J!~B=>-CRopQio)&Q@Oj4|bm7|3A*N0nQ;~C<-WG z1V|PDw^I~=QH*`Ty&-gO#QidB16*-#RZ&SOpi|`gVB(XJj8A}r$tH-94;h{#5JEOJ z-owDNHb8(TVle^FLvfP~c~WWq+Y1Mr$&Bx!CPxW`C=yxb9m_eqyuM^4Le>U2AhQ_> z!25$s;Ngf`&IGfr_*bHDIir6^UGcAeF`abzKl)EP54tI!5p?;AH^x4q)=P)phSp1G z1aGXD4x91cB*GKx<^Q!dzs$|ctkBHj0oRc-6#9sqdXhn^1?nodk>Vh0Q7PXen9>V9Pow7 zvYN|)Fd}p8Aqrps5Tpxm3l~D9$fa&G+3+EeY)qanS$wVZ@ff)a*GGViH8x5kNzR2F z%i5?!wGura%~8Zf7x?gFJVH@`7@}eU|M+~$SV)K6?oIN6D?J`@MGQBln@R|Md>{hHP(T6|j|O=n z_zHC_8=UhY7leqzNd&zFJsHspgyPaXKzGQE8Q=aFz|=xHI6ZCwLSQ2A#AR&?1~+B# zApw{Y%6Pr+RmN~mP#ZFlZ3G-#P%!3$mq)|0!KGgMp$$oB;0)gFjdB6Z&Qj=j$~mKOHJJ17W;lWpA+A7v1IvtUO!76+Mg-b)kF{nMj)V7 zq%g5`vi(Aw!(8;*@Rk?!+St&`IOHo5LlG53B$20>3}T-|qHn2C<9PBng?{R(r@;xFqn_$?o3;y3VFTucF2KteSq#TPP`(+veK z5*sDuCdGfo6p0BM#&UMTV4>+!wFV0ez-KuZleZ@6m+iLsU*?zmi+8&$)>x+NpE@^a z(HV+#LbkXEn&llS^E#Uy4XHEi90|ioXS0LGW8|{VuyaZ-`O*~osPkpB38X6zQ|!=( z0a^yK7$!}*XVeUpmg}tgFS6r=3O1VZUrJ(8~RIZHPVreVl8af0N2NNHq(9G#ra~S)Z1Kunwb*d~E zW3I-@C5X%GFhWW@F_lmqbVw)*Vg|^SjW5_*@$>)=tOhKqqBZ>H08R_NZqO--eNQfj zTQUw01tAGzU+C(>B*xp1kdNjtV3txtht^B*n~du48+b0JRob%=0wYM#?lwSyOE|vl z7Q5&LucOlX|E7Q6pv7;NwNE+wjw3RY8-Ov15Fcht0_1@i@sOmTG+rlmzb!B$5fa~} za%%LN4>FBsa)BBxBwS4?%iw@ba685BR5OA!&8wY--0F>xPi`G>%()?mnXooWd}PaF ztYBnrTw#Pbi4Ft~$QWzSOzlk7c3QBVnG4!_nQjRw^2b0XJZ@X}GDI#OFVqQu7%;60 zn0&!^RC2E)#NxxQ_O){bdU;)oeK?VXmD5q~{aNKSZqZm{2$zD0%(?>e z`n-soq6#@iB1H3)6}-sbnF~t^+V{d*JJx2guJP+#0e`JAUTA1QySh~MXz4DMgc54a z4(1dm<1BAi%#M5EH&Ju)GRd3Y8dX(QVQS9lHdtqcHV%}?Do$uFg!qtpa$_gtdg=PH zD%<_GJOPDq^1fp$*3Ja~Os5m^8}h}0j90-f6#+2tRsoRCMyZ!CFOhPXI4(Sp^EImq zaz;4V&&*c2W7+qE*nS3!S`tg#CI!t|o-Gl>P}AhY#6&+KC`!@;F4KL0=}@MClz^9(Fzu@7Rq6@o3F7<{3h0k-$XmoT3oCJ zW~5eX%=C3Fr>86+JLmCYywAevLK{E$3&|3j!W)Va>HLHPY11a-bcZa!XiKX=d;tiX zq6qvRQ$B4(V-bS14(oz2n$>i2qXf($s-xAl&HfV5x}_I z0$Ri68K%yK!Z*z~=G51=*R)0* z-*En_tyKs=ZnTp<(Ja<2g!<-ni}JCgrrLF7$frExlhR+?Y2oQv+avvdU>MpD=L6K> z|2Np#%isSSZ0|hz|2@jH0WM(Rasgd=7<`p@r~*udh0)VCp*W;0LU0B?+`OV{NeD$Y z!(ehd>6V{QmU_f2QU3){j(2i*E-{lj3N?@2&dik@GwJxFt&V)(>LFzcU<6E&AEw6Q 
zQ2V5ax~V6Q0bR)K0KjDB6`Eg65d|MkWQMDQ)8qDim07WDH^478rI}jnxxo}qrXWPo zm_#$a7Na{B!Q{jh2Mk4Hs7@tA;!y`=#|zzs(pg68&B^Jy=o`5B@o13rfcKRI{sPPp z446=fpf`tsi#&14$u$qk^^^z!jxG*;WVpvr0U(cW38o|vn2Isb4%QC%nR5O4c1nOp zgttq8UNztQp3|My(VN8|>?!$&lrC!V)Vl@hM83wgib0bf-dpv8+?V zlpBO9qo_`0VQB-BHgsKrBQC7IF5}xVZ9fwRZtUhgtwMS7s;u|QH!7GY*Bb|%ruO=A z?2obZlBdb=izu4M?=;+h|Z%HK2JWLlI;YfC?eE0?QWd+p2weVcD1@RuTr%z6V+|H6si~ zlx5NETn~X7fd?G_%K0zPCf6bW>gWH~-uBL3e*O=3pYDG?$|I8$%H*Rexm3d9T|UWC zfIPc`a{PUy6%tT_ z4<9Yd^bQ(=PRGi-42hSCS7+v}B~RYC>ho4oZa>6BVaBs8>8O=PGEndJwfG^}*w_I7 zdHVLyKH0y#I=ZkA&Q9Ojmsk52SN7qVeR_6fUmTsBy+8Ud5gK3v1mrv(`It_J@_bLd zhA|_`V0=oGM)()8j}QrE`G*f3=y}L<0c6f^V=Q#J&h zF(I9_`9#L*83dML_5=O2Aad@^B#G7m+??>?El zf$j~9po{j|F!Ld;WDEoVfZpIxHb)EaWDPcr5SXG=abuWeRbf7y3kj1D4lk$5eGmAK=&dN4#5Y|*?;%013s!4>d-q2{KW+!jL&a% zODC0#Q5@{kQxfn38G$K2{7gBG`U$pXR4+Z#r8^#$HY;%m1$9ZF0^Avzi}Dkcoe;k> ztr|4uYzw`FdvhQqr3xdWXPERH9+%ZrmIOzYK9*rQxke>SP10u-Q-Recm%SVm*2mCH zSn2d#F0H5}S=-b2$DCl%2&&}knXaa!G_%GlKj7nY@y?iFmKh2^?dC6B;fm#of?P72 zp}-SeVMJMw7CP)xT3=e62$!#OWlVt-K;e(%ViIdf=S~SHnf8>6sr1s~#eGV+Y>GrW z1hLk*NSOpF=NhpwO?{cElqEi9%ttv5g>FhS5TxJ)2bilf4j+&OiGfGJEetZfF{;IZ z>@mx(yLw5&0WSo--(xCD%y<(4auKC4T5PJ-m5Vy*_z*|_0*oSIH!jQpg>>8-W+LvvE0u_QBbUs(O+71@dY_NERY+8C%j9!Sw-iJh+Qd2poufZuojG15 zNmS_;q#`i{<_(Y*&15en+^;pOIHmb3b!R~m(7X(yCEt=4Ld*p8@_q&v-ihi3(u*3| z#De)N8~L<@%Z!Nmr1Uxt3Lm9~fNSweFMoWzONMwg^sQSG-L%_~{c?8kWAld0B~hxx z<~Akzb;X_yP#>Z2IAAE6Lw^W%Q(aN%3YS{set^FJG1E%70hy*4 zhLqlEMK_GGH#9pZsddZwP+a=sdyO!{L|i;2bKVIbx;IIZE=3Z^ScFG0LvQrgq4`xU-yU6@To&KH?e88G-~MoQRebsGe;u5b zygoVkwe;oDuO)>~OUj;~otFZ>IK0?DJuG{Fd303z{_67Jy!ig|`;ta4FON!JmeBt4 z@@T8{?RNRwQV^vut`2{_{{H8q%WUTp-uXpyUBWvzT#ow&E8WORDP{-gbVJCdT}Ha< zwE^$-86lY9B=tKIyo!;|CWRp?>^jC8Cz@FAr|lvVBCpx4Vo>}}=W z^iA4Huwsw+R$TVV!*qFzc@WYFmVYZ@<=@hHB)3r4<+al9x%x33E!+P><7k|JGcJ@F zj~|B~K5?PRR#QT5=#jhykz0JE_o`7=Zqd@UM6I{L6M6Jlr0zYS%q~~&=7ch%Oueaf zCrLTonJp4`S*5`yy+{K_8($-tf!e5F7sSEke;(Ee|I1sxtQ6bpWJDd+4<(R{F#+{G#2uB`U 
z0o#kit9M%m`%8=grK_|v8avC60V5$-Z5J!Fr_Z~uh2s;~R-uQ3N$H?e;vknilA=q@xyABG`}W+bW`dWEA;pocuEaIZ2y`n_Hcwd4ZTBt#8Vc+X7{2;c|j_23L~K z9=euR=Mn@4bu&#jJYS(%56z`*wn(JFyY}E+IU~w2>xC*3lNP)v-T4Sr2QDihetcMl zz!-TXf}Ks!aZ$hsts|R4f-6-kj+e?|QXwS&kKFCszc$lDsG2f=#|o&Z=z;ol`z9cx z_Dp<#O?5w5lq;$F>pj&}d(aW^Y|)c4WtF#4s;3^mP1RJSKR>7O$kuA+3xIWmk zRalugsbwObY)(n7RZ;hYML|2Q(_O*R%V$gW0OH^b&rxJcIQFkii@$+K=;8_?yhQVI zWXmS(tKO^KQV}BL65DX$_fJE(7(cX%(Ta)b}CyobAx3 zPdXreez62!zGNh&{H|&1eEI}LsvGd-%j+Z&icTtQf=}|cEIS12UA>E=L_!oeFH70> z{n5qc@!9G1@u5?xJNLKv`rqHFdR_o$oU|)e^gnE|HN5#j)v?ixVw@w8VKRvrL&}t)9i`4sxx4n#v5A!-&d2S>k|Z z1l=23pDL#3>*Aji&okZNL@X{5j;QR+VZ{61U;pZ0_Brt~Des5qf%Jmm91@{1U3NHCy>*Ny$HtLL z=PDDYhRf=VUIMx?DrNjowxvkus7_qgu?S`?Uf|0Y1=@c2)vnprmQgwk+Fbs!f6kYp zUtjI=|Mo9VII&94|4Te6E4&V6^aF}YeD$6j^IAFPX_m8>m~#vAAN&hzihho)TW%Lcoa1M*bVS|80PM&Pyq&W)ih25<&AtY|(B^ zqb`lyOr|T}G~E>?aSzClAED2co#SQ}3^*{?^Vf;<#Hb2c3>(>0_dwLl3H3 zIt4GVtF!a7cW2-K%l`TNaKFU`oegk<7T~qK&&cPYT5!N?Bf_|5M0o)K-HE)xTJUX% z%TF))NA*PpZiT+D6Je-wFwiQrU{Y~Md78kJ?J4o<6LLd=k8c$FsWLe?H4pWN;DZ~+ zAI*1zA^0E%XH&P=l^dA-q}s<1l@BPP`=A&Lweg^ygTxRNlAmR;wc_{cY!E zCj}*v3m)QV2)c6^b$vYQsxP%({ojb5Ak~2vE&JNFpV2&a_P<$Jpw;r4$7l@?+*sTp~!x&`# zUCu&a#B&DEMW7&&3ML8AgS;1_mbmk`p@RSL4P79nfp9nzQ4Mb~MVm$#9zMob?=D3H zg5g!TW{XKfPeFA^5lM81Fd{R)5sgc0D5DXl;@7^ezxJmx{zIA){CbM~5Jl8s;cB5E z8sfj~^|o^H9|pbc-c$a^M|nPd>b?YXJR1r_!x;OBEkg8q#>wJN(Ga}siY)uxm)6l; zsG~xeRtyz#OO>-#yash=rw}tj_-)86$EvVc!yFm9L6`)kF_31Gy@1brVGUfcyCr_& z*=0N)<2%r?Q(!tpvPAbl8cbl)#yIAZ?~fSzc#M$;U>J&yIMy#nLKo#3Z-aM=f)R2d zmz0#uGRZkW`bE z6I?TImqt*ijAPLGJGK8#J2_~w-DTLW>bGP^X;#xYT{Hv8WN>o7uhI#5NUq1i(bPzw zm#*}}TiYeGk%)^TW%p9^PXLr103gR0g-DnsL>l1W&V4KOWTNij8njhP`1 z@>FOSNHa0OWht>zx1S-RQm2w1Om>yObzGUxVl%-z()mXRbgnzA$S0Y7TE&)Xi?TYE z6L54=N70QT`1FaZ?!v^=&|wFN#u|(3Y-sOPqpF_dmqM_eFJCMehPfM>NhqsNpGvBH z27knaAz%=w6pBjEVUHFPkY=b$WkD|`u-2xRC2_vjb}35AiLjZ7QUp8Y9ZP~yWV)qJ z#;WH;ehto_B&2Cdg0ZKyc^yEhH6dg@C%Z{Lty)n^OFQb=A{7V8YVf>?aOwKxyl7}8 zFbS3wKS_HX^`o;4tR~^K+(4);*3ttZ>$M$-($aMUVaPpMx3k>fyl7~8wb5w-YfYn* 
zHTN$+JUIYu$Em(r%K_6sY-w3uedrpnS#1oL0lJ>S491>4ahD&%iQ9JA3ME^P)WltR zY>G{;HXIFbN=D#oZ%?0|2Yy=Ef6RnvBAMN?Q9&E*KU;hK-JJbru)VeQWdC`LC%-27 znaq2jQq5CV-7jA(+qNw;if|@>9^V12YU8#ESK5(o$z z#$A)ls->6e#dcXJ=hXGXbhp3a^%%^Y=S?LlWwwv9E;90@o#b5`LDMcr?oGn%#n4JEwh>o{QJ*3s|q99 z{Tb?Htc3yrxy=+(a9YbxHRsAjrwi?*Cu@|LI-9k0&{(6Wcj0=4JEjNwiAPjk(x;8B zQMRW*>m;W+DD8#k`j{e--0LB;3uPaxD10wTU;ea_|8gl4;Wt-G2ht$_w|o7({O=F; z_MYVbV?0X!!@#T9;pg5)Bj{>_XKwoQV-o@UEPrXr#(a z5EK80eCscMNtIIk6d^VXO$B3*Q%oca;&Q6A-EkUVF7ra*Uygzb=xIwo^J2R$A(4jz zbI6Kqi<8M*1CkH!3sAo|6!%VQP;mrRGU-Ihd#T70S-x!3 z^Ht|S6~E<7>%pPoP0vz-1v z!hwf_$(qmqb_V@|{b#%Pr2jw0^VRhKH6wU5ov&cDYert;M8hPts_3f|7Y{ibPll$7Z#61cd{t5K$b#m*P z)$Xs!pA&bj99iMuw{|A{+6(%UPYeA|tt6{wg09#9`h&gQy#Ci4Y(M#bJ<8MM-DQe3 z7=|>JV28AGfCaou#Z%{D~kI#79Gr;Kt#JEAKgim0rV^Fw8sK2~Lds3(owq zCJj-dkA+m=0xBh9x6qG;E9(kdf%!bdWQR=M#*lFbb*1TeqKUJs;2F zbbWgTkYrgVoqQ|jMuz+Xyfl4&7C#@)g;VEwL`J!U zi<2mHvu|=4la2NR%rNv1kq;M_$R&YCRZ?lAs>qdG{#9m3c^EWyT4Mpg7-Bz;&{djX zFjIgxo5?$Ar`#qZbQFcI$dH|mWQQZ&$&P_u2zgJJ18zhI$+gk1XhYR7zMx>9?UF2b zdUkkpeY$^glmQ~*kiCs`A}oV)82Mh}cv1KwVp<82C#>G5Iw6C6Tr!)%z{}Rnoa}Wn z%#t}3(ogklO@rQ4&r=vpO5hc>9eoKCd*BB_K(e#AL`Y{) z;SJSpKTELS>{o(86<2l&0Axe9aZq5x5Wg0}yaailB97`r+}UJx8psRKFGE! zNG0T7hD>?=)X2l$JZhq}Ez}P?pszW|-w6&tXR~k@Gy{0Kkt}G0N%Ht+40+*p2%2E; zgyhO7e$sFu^;c2GQui-5w3f!ZeOmcqkS=bwnDd^x}4t?x(swv|}p6w=8 zOD1L(bSX7_it?a0Ho%)C$k!(DFqLtXA`hgkiHjT}ED~T-D1#ws0iY!kT^{3tM7-A! 
zDj9PT`-rYcW7El{9`%aG?mJf&fqO30jEcFj2wYq0AtgBF>fZyCVC?OO_#8&i_mPk3 zta;+{1s8_c4%12{C>8;)h9~o>VLd1?9<;~UN3Xkxx!u&Mr(3=+5zfZ6>q5tkSaB7* zL5mfjaRhJBq6khnfvyIxfL;Zycr!{_D;WY)@hj8(%qHfx~&FF(pSPdgAK#n@W?Bilk`R zi*#(oRgE=OO&LKS)7H#LkgGIUeLm5`{x3r+Jed8zx4qk)oaI*(&fAAq8fgS+0qI6k zWa$N@kq${|B&BPSF3F{l?yhC&T)L#YyFof+AHKgo;dwRZ%sq4F&Aga1_w~76T34sn z-oh$3h<*>77{xPR0h=nnfa=YKJwXo-nsZjg+wezXTpULGn@*Y;o(H3&b8*$ZGHOc2 zuX*5mCoc$cVB)XaYxJe33#3xJfkUfjj%emb)Vc$_pjvhKkaoW8r&=qp4Y$*olWF#K zft*c@FSe9lSCr9rj&J=cwiZ#1u8hmCk?j-j8zwyTO`A1Cmcr9>lVO!_d*~1F_g%d; z+8NRs8#o_6v6T~IEUc)63w-6KNv>0=TWH+9DptBdk?xA8eEpYYI6vF_PpparG23`M z%1{hXDK3Wis1O`pArg4^K43OkVW?kotjWp`rPpUuv_b7TOhw_}+WaF&2Z7Zegtu^u z@cm3$%(^Da4)E2=FFr@i~mbotR?H(3r>?C3r# z@J>nbwtLF?`3T35aKxNU;?G9}?DFCzA>gHQEB0>3Gw9wR3gv2a>`L-3Ye*;y=E0}< zTqQD+s4{$C^$jet_|S35_uqkxqASRQ=z*|yrIPG0H5RO>GjQ*tjaT=XA>`e9uV6!My=pZx>O z^HU9!o_>p?c9_+wR{ICuBmhTbA7S@YT*ECW%7`mFl0 zRgn1(e1)#^u(kz^5kt&*uKc4QLM}5%?btK$ln!-WO|BXgfay7ko?0QVx5 zmH8|E?dVXCN8Ap+Ac*gzp2ZxRBee#)=ZqOOx-EZ&2Cc>Cqu=ZAdD)J?rDbiIFWDnN zaK0kNrD#}$YHQmzx(pffNhp5$L7J@G6UMzs2*#+y9fOL6c=GbMXd9)U&`Xgq93r;$ zcRIGG44=z@-faJoo?u&d)oR4)iD)m_6Joh=2i_^cqtF6W_*K^91FdLUT)8kcVV|7M z*gS};PS4s_xqT9Q((#-cW@-I0teo&fXK~;@trA=~UfQDdcm&V(6|EP>PD}4Hs3Q2l zK-^;JhR<)g=WMiKbm|f3Ns$qM(cOnNNd(*7v-GNSCgA#E&Dh<6%K@=+cm_OqxnfNn zLo~hpUA?p%O{by%v2Y)6I6}mKvC!3Fxsp4F1+9rPO31VlF%n_d;Pkwpc#vT%9>sWw z5_ftZ-G;OAS9IAfA~epl9RCS>(nmiS!bT+|K%P#1{tXdEbsp(sraXG$Ku_k>nJ_Ze zKpvT502@#W(xv+mMdJ9;+OK%>GeX%q4PYmzx=_lhhKX`e(n?QlRK$N#sX=wI&=2{i zqr3fkBp4vR-%oH=rkV(wDx^0ha|h7M(a~Ry4fA|Vfs01Tzj6vHR*-}&0~46OhEw~u z=kT0KiDh)RC*HBr!w{dt0{&fY-RdW&&H+5anh9`sa58EuO9|;fsP+e4>BjB?(jVnZ zey`?+e-6ui8l?)XsJr!4q|bB$&QNiuI%GzKv6uD_s2e1(9DhJ1cufcTLL&rpSBX5g z#th>=5H`h>A=vpw`1l@Wgi;zCG{BGmKnVZjh~K!72|gbS{edq^|LUq>ucwd(j?F0^ z6#M%3XLgti+cl&QI zY}m3&Tm)ZzG1Ze|uoyVJ&RSswk^Y!MN{wi&Br zL-3XK451Xz%^;k>@Jxb9MQG0Nqv*C11FKydZfjL?4<;Rmd08KY z#3;762-9M)=(9%FDe;F&J%54?NGRy5Cy8|jK1-%ni+kuaKeYkq;PwPVT)}c#4&lZS 
zHM4e9WwHb-w1wEJx|SuJlXIv?eE8RN(KT`@&54R6Q`#ui&ZJ5$0xS(tvWCgm)Rq-C zG6D*Tljb2SU31^Z@V-(9(Gl{}Xk+U(MD&wv3r*tCQCSlN%)0XBQ z1*`<@Igi|j3`P2Gx8e6xejHlgAkXHdg!A>xA+faw;`=~o&~iUw+*NLOU|BYC2iY@< zOPPqbzxzhTyiFbyKk&IKVwPLNHr(tKWU{bWP92>95DG?cq!bt$4eR-@WAB7kq=9a= z4om_`tJRy-F4~fQ+GwDMDrH-2G-zq`HTpZKpea@-GKM47CY?-98Vvbw77M`3Z`EwqG)F@*AJi9zH@ce zUWjHh?Sm$y@*h2);35n}cZb$K@{UO6KPfNiF6}JubT_@&@7M|+2X7yro4~AhTP$x> zr5Upo^&dk+No13gkF1r81;-$&Za$erWy(MZb>kr)h)1G1`Pj(L)BmD*c&T=e`|!bo zzB2ee%v}C38Mi7a5R;Un6J`9Ki_J8a~tznm6}rekq%M!KM8TPDwjoHUG|A z{hI5)E^|j)G%Km>U{YV6Nkwg^1WjI2&%0pM(vlJ_Tdf?SFTXjhs9Y{DBc4`2D-YKD z2+Zcj9~FP8fA8&qS&%$7WiXOHhAc$F?d1@DxmwDiN+47t0whp`UDK9m_T|KOHt=x}~W%2I|;T>22shx;#n%jKo0 zOY?O3I-{`rxl!0dg$TzOSYy9zhS#4j1A&bee3`Xse9MC9&jSu`gKfcwm&q7Ac=6wY zQDCLjj^K)f-}x;@|A0(g`7Sf6aBzN4y2F!>c|k(KZc3E#ATI^##j`AbYEG5Xu+cB+ zmbNYJPyb59p5zXFuj{fd>w2#F3(UjbXz*WOUTk>jN7QKBEf;TPT9nCbw95b1k^^X3 zYS;|g4K>8_W4V6c;3jG_jXymyvrEK+lMHjZxrdfuwdlU7=4)nPok&oq1H(J^&`C_WU`et&EbG3YqLiW4J?7e?sri3ea7k&@g&=Oq{VT*=BQ;J3YSTK@}^$~d2!xi zkuV6fL3>86#kz#js_m4}Wp?oPbg3bv?(0$0@!_pxPT@kqxHO+Ko*%i|dUys$hv7LS zRY^U;PYZ*8IL*sS)452dbsBjjEDbGO4X=d8z$WOkNIo{ib?DbFu9?|@b8fEZx>h_D z^t~ySUD8mL#e}L&o{=`%^A$^*tkwM9FZgYfWTC+-JCyN*MtvuV-MPgm<71uVg%i%n zqR$1!jqA*GV9Lx9IX0al9BnxiQmVL8`m39%q$*&1Jtl?w%B%yNQ8f8{rWhyIli&~9 zZ@1&yMjW1eKiU2ZKEr)bxd&74ECBZYF8;# zYRso;W$FGjAcAuzf6D(?a>Zd2e_-n_8Mh6mB6$pBRfmg8V5>teh-r2hVQc4q%iT?1 zxPEsYrl(9w;PiXA>s^3>F7SPa{#ZscTxvxuFr_pDK_dGY$|O5B(gLPXx&(7&AzC`> zp#NN+Z<)tKFutNg76>S9h$m`?)&lp69Po?=&UM5X4>|lZEfd7QO5fs3Rbs^R2gkW% z(V1CuXoI}-UR-pFCDk?4KuSku8(O@4b2^l4L0N(xB2T~&saF!v)w%OvNeW-aELsHA zH81O)VjD+RoZCeI3J3ouw78QXK>wJQEuagu-2OYSbE^s&uao<#hV5tyzsV!Yz|&K= ze&mt(1^w@@sR7 z)x74sh+qb}vJL>H>f7GRs7_Zr33VaF%0Qk$rEH|5(Qu*95b*jET(m}gygiP16jr%J ze980~f`xuws0X=G1H@$frW#5ZIbvAesL6TL3NYnGH=&U2zA4mOOi$CmP zh(8du{~af8pS+@FA>;b?$tYxi-*mKVL_@od#@4nRyP}{#{KI#d!V8$5PO(4e#g8Mw z6ab@=iWWzc_9x*ECW;#BSuW@7KFmb6Q137|15d{@p{^VM=^id9GT+ZFL2(oZ2=#?9!&sN_q`)bDKI z9hbgjBnsduPZxYmW?p=^WE57)=fYpX5jhWMrH!&S_MFbTP=@nRJLcYO)D9 
z=pM&eBJU-~hj;4o3ZoOjwE3FlA;`QoOO;{)ApH7e{0I}{Hmty4W4SEUJUhvHtO8d=hA zt}Ug72F=@6<2ZR})V?OE2+tUh$77kmie)9Xv^%ZQeqa74_9hs{I(EySTN2{{q>T?&r)}3Y zPqb$Ez|e1f1syiIUS*?8J8TFn?#L4S3qdQ|Utdk_@OD&7qz~`GtJ%F^UypxTo8yRw zyWB;KNJ-L*0;H(7G~zJP%8~X-)7ak56ZFKIHC}qLFTuR_D49@rjLu0SZefWcLe zZilIp;Gd>cZ~1#?H`M3ze1n<&)3~IFl-gnh3Qt7s2|n6pgcr~@CI}~biHDfWM}A&y zCngY!Pr`kJP&4|J+m1GE>UAi}gnBoqjiJ=HLvh1>Si-RM?n7ItvZ0#cM#WI_@~N&o z+E5X#w88UWb#0?dZjT7R~UW$Z}XB8t(ytn;x& z2!Y^CH4@>$g&vs#gXgQ}Ku&e#d%MJdD;75bpYe}gXDQC3#D9{>e(T3)#6tqX{Tb%l zSb!j>in(B-31@O~G#`}Yl>JV6?MGUxf*)z)uM^5gg*0!h-O~!GDPr9MVAs}}K8Hlf zPhHAk@4d+krP1<1)NY+KL|-5?&o;QLbur78tiO4`OuZSitCDV@|D%YmW~8SrI>Fz> znKkiPpF309<1DqC8YF*Z|3fy%4ZFgav!)EdW~F>`U5GxBmNb!?^d}{0DmiI3DQP-U zYZ8+5Cn4!ie9~lG(sXRnOia?-WrYJ7ygV}KOr%+4MVElBwBDRGPOTi%Q2F1AoLMW7 zXZ}*v-Oht*YSI+BMXG>C$rk&HcLi2O?go3wT6y*gd(jem-a`GfZIVv?QiDCLUKeWL zj1!j@S6A1!5`qlTt53tXF_$(R^ke6MCpL0f3mNvkU7OS^FR&T)=lsUR2}Pdkv~R%Y zGJj=Xlmo4O;Iux|Y*-FqsShfE6*%gRHMc|<+)A)FD=av_VY9nr0qL{Zmul7fFO2!6 zAF_|O8O_etjf~~3RDL@Vj&5lAl_dP@rX{Mtja1>7Gig<~ep$1A`Ahw(5_?U8js-~# z#Ch85wt9Lj2dcH`H&-2{wP@NOyMkFCuvo1>aE7#a-QiW_$Q5a&uU|a z49?pA%>QJfb-pv}&?Eo@wDiriTrakDOSkX3ww#Exhw!(|NY3=F&zObk2bQoE>oV8P zAz@RtQ(!ivoe zr|Pw-*xVEV1eXt*KmWa$1N`ejaCD6*;z*~4S*B7 zaRi?b7nSqxwx)E6LwKZ}I0{qMRs`AE@906AX2D)&LhaWCD~jFF?3P&7v4+in18h%H znVAf6(&piku+z=LnL}LzIwKa>Ktl(tN?2S6mK* qXa^@Zdgr!yGUw1hJy8*r@u|xzpvbRr1oew}8d0$|feCO#0{kCvsz-tV literal 0 HcmV?d00001 diff --git a/charts/sriov/104.1.0+up0.1.0/.helmignore b/charts/sriov/104.1.0+up0.1.0/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sriov/104.1.0+up0.1.0/Chart.yaml b/charts/sriov/104.1.0+up0.1.0/Chart.yaml
new file mode 100644
index 0000000000..bebfc5745f
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/Chart.yaml
@@ -0,0 +1,36 @@
+annotations:
+ catalog.cattle.io/auto-install: sriov-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/deprecated: "true"
+ catalog.cattle.io/experimental: "true"
+ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.30.0-0'
+ catalog.cattle.io/namespace: cattle-sriov-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux
+ catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+ catalog.cattle.io/release-name: sriov
+ catalog.cattle.io/upstream-version: 1.2.0
+apiVersion: v2
+appVersion: 1.2.0
+dependencies:
+- condition: rancher-nfd.enabled
+ name: rancher-nfd
+ repository: file://./charts/rancher-nfd
+ version: 0.15.4
+deprecated: true
+description: SR-IOV network operator configures and manages SR-IOV networks in the
+ kubernetes cluster
+home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+icon: https://charts.rancher.io/assets/logos/sr-iov.svg
+keywords:
+- sriov
+- Networking
+kubeVersion: '>= 1.16.0-0'
+maintainers:
+- email: charts@rancher.com
+ name: Rancher Labs
+name: sriov
+sources:
+- https://github.com/rancher/charts
+type: application
+version: 104.1.0+up0.1.0
diff --git a/charts/sriov/104.1.0+up0.1.0/README.md b/charts/sriov/104.1.0+up0.1.0/README.md
new file mode 100644
index 0000000000..b2a57c4185
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/README.md
@@ -0,0 +1,129 @@
+# SR-IOV Network Operator Helm Chart
+
+SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
+the lifecycle of SR-IOV network operator.
+
+## SR-IOV Network Operator
+SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
+
+SR-IOV Network Operator features:
+- Initialize the supported SR-IOV NIC types on selected nodes.
+- Provision/upgrade SR-IOV device plugin executable on selected node.
+- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
+- Manage configuration of SR-IOV device plugin on host.
+- Generate net-att-def CRs for SR-IOV CNI plugin
+- Supports operation in a virtualized Kubernetes deployment
+ - Discovers VFs attached to the Virtual Machine (VM)
+ - Does not require attached of associated PFs
+ - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
+
+## QuickStart
+
+### Prerequisites
+
+- Kubernetes v1.17+
+- Helm v3
+
+### Install Helm
+
+Helm provides an install script to copy helm binary to your system:
+```
+$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+$ chmod 500 get_helm.sh
+$ ./get_helm.sh
+```
+
+For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
+
+### Deploy SR-IOV Network Operator
+
+```
+# Install Operator
+$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
+
+# View deployed resources
+$ kubectl -n sriov-network-operator get pods
+```
+
+In the case that [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security level of 'privileged'
+```
+$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged
+```
+
+## Chart parameters
+
+In order to tailor the deployment of the network operator to your cluster needs
+We have introduced the following Chart parameters.
+
+| Name | Type | Default | description |
+| ---- |------|---------|-------------|
+| `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator image |
+
+### Operator parameters
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.tolerations` | list | `[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]` | Operator's tolerations |
+| `operator.nodeSelector` | object | {} | Operator's node selector |
+| `operator.affinity` | object | `{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}}` | Operator's afffinity configuration |
+| `operator.nameOverride` | string | `` | Operator's resource name override |
+| `operator.fullnameOverride` | string | `` | Operator's resource full name override |
+| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
+| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
+| `operator.clustertype` | string | `kubernetes` | Cluster environment type |
+
+#### Admission Controllers parameters
+
+The admission controllers can be enabled by switching on a single parameter `operator.admissionControllers.enabled`. By
+default, the user needs to pre-create Kubernetes Secrets that match the names provided in
+`operator.admissionControllers.certificates.secretNames`. The secrets should have 3 fields populated with the relevant
+content:
+* `ca.crt` (value needs to be base64 encoded twice)
+* `tls.crt`
+* `tls.key`
+
+Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission
+controllers, which can be found in the table below. In a nutshell, the modes that are supported are:
+* Consume pre-created Certificates managed by cert-manager
+* Generate self signed Certificates managed by cert-manager
+* Specify the content of the certificates as Helm values
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.admissionControllers.enabled` | bool | false | Flag that switches on the admission controllers |
+| `operator.admissionControllers.certificates.secretNames.operator` | string | `operator-webhook-cert` | Secret that stores the certificate for the Operator's admission controller |
+| `operator.admissionControllers.certificates.secretNames.injector` | string | `network-resources-injector-cert` | Secret that stores the certificate for the Network Resources Injector's admission controller |
+| `operator.admissionControllers.certificates.certManager.enabled` | bool | false | Flag that switches on consumption of certificates managed by cert-manager |
+| `operator.admissionControllers.certificates.certManager.generateSelfSigned` | bool | false | Flag that switches on generation of self signed certificates managed by cert-manager. The secrets in which the certificates are stored will have the names provided in `operator.admissionControllers.certificates.secretNames` |
+| `operator.admissionControllers.certificates.custom.enabled` | bool | false | Flag that switches on consumption of user provided certificates that are part of `operator.admissionControllers.certificates.custom.operator` and `operator.admissionControllers.certificates.custom.injector` objects |
+| `operator.admissionControllers.certificates.custom.operator.caCrt` | string | `` | The CA certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.operator.tlsCrt` | string | `` | The public part of the certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.operator.tlsKey` | string | `` | The private part of the certificate to be used by the Operator's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.caCrt` | string | `` | The CA certificate to be used by the Network Resources Injector's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.tlsCrt` | string | `` | The public part of the certificate to be used by the Network Resources Injector's admission controller |
+| `operator.admissionControllers.certificates.custom.injector.tlsKey` | string | `` | The private part of the certificate to be used by the Network Resources Injector's admission controller |
+
+### SR-IOV Operator Configuration Parameters
+
+This section contains general parameters that apply to both the operator and daemon componets of SR-IOV Network Operator.
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `sriovOperatorConfig.deploy` | bool | `false` | deploy SriovOperatorConfig custom resource |
+| `sriovOperatorConfig.configDaemonNodeSelector` | map[string]string | `{}` | node slectors for sriov-network-config-daemon |
+| `sriovOperatorConfig.logLevel` | int | `2` | log level for both operator and sriov-network-config-daemon |
+| `sriovOperatorConfig.disableDrain` | bool | `false` | disable node draining when configuring SR-IOV, set to true in case of a single node cluster or any other justifiable reason |
+| `sriovOperatorConfig.configurationMode` | string | `daemon` | sriov-network-config-daemon configuration mode. either `daemon` or `systemd` |
+
+### Images parameters
+
+| Name | description |
+| ---- | ----------- |
+| `images.operator` | Operator controller image |
+| `images.sriovConfigDaemon` | Daemon node agent image |
+| `images.sriovCni` | SR-IOV CNI image |
+| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
+| `images.sriovDevicePlugin` | SR-IOV device plugin image |
+| `images.resourcesInjector` | Resources Injector image |
+| `images.webhook` | Operator Webhook image |
diff --git a/charts/sriov/104.1.0+up0.1.0/app-README.md b/charts/sriov/104.1.0+up0.1.0/app-README.md
new file mode 100644
index 0000000000..4dda94a833
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/app-README.md
@@ -0,0 +1,13 @@ +# Rancher SR-IOV Network Operator + +This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart. + +The chart installs the following components: + + - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin + - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node + +Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`. + +The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs. + diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml new file mode 100644 index 0000000000..1c4c2093ff --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +appVersion: v0.15.4 +description: Detects hardware features available on each node in a Kubernetes cluster, + and advertises those features using node labels +home: https://github.com/kubernetes-sigs/node-feature-discovery +keywords: +- feature-discovery +- feature-detection +- node-labels +name: rancher-nfd +sources: +- https://github.com/kubernetes-sigs/node-feature-discovery +type: application +version: 0.15.4 diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md new file mode 100644 index 0000000000..b8b7d90caf --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/README.md @@ -0,0 +1,10 @@ +# Node Feature Discovery + +Node Feature Discovery (NFD) is a Kubernetes add-on for detecting hardware +features and system configuration. Detected features are advertised as node +labels. NFD provides flexible configuration and extension points for a wide +range of vendor and application specific node labeling needs. + +See +[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.15/deployment/helm.html) +for deployment instructions. 
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml new file mode 100644 index 0000000000..4e63041630 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml 
@@ -0,0 +1,426 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeatures.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeature + listKind: NodeFeatureList + plural: nodefeatures + singular: nodefeature + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeature resource holds the features discovered for one node + in the cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureSpec describes a NodeFeature object. + properties: + features: + description: Features is the full "raw" features data that has been + discovered. + properties: + attributes: + additionalProperties: + description: AttributeFeatureSet is a set of features having + string value. + properties: + elements: + additionalProperties: + type: string + type: object + required: + - elements + type: object + description: Attributes contains all the attribute-type features + of the node. + type: object + flags: + additionalProperties: + description: FlagFeatureSet is a set of simple features only + containing names without values. 
+ properties: + elements: + additionalProperties: + description: Nil is a dummy empty struct for protobuf + compatibility + type: object + type: object + required: + - elements + type: object + description: Flags contains all the flag-type features of the + node. + type: object + instances: + additionalProperties: + description: InstanceFeatureSet is a set of features each of + which is an instance having multiple attributes. + properties: + elements: + items: + description: InstanceFeature represents one instance of + a complex features, e.g. a device. + properties: + attributes: + additionalProperties: + type: string + type: object + required: + - attributes + type: object + type: array + required: + - elements + type: object + description: Instances contains all the instance-type features + of the node. + type: object + type: object + labels: + additionalProperties: + type: string + description: Labels is the set of node labels that are requested to + be created. + type: object + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeaturerules.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeatureRule + listKind: NodeFeatureRuleList + plural: nodefeaturerules + shortNames: + - nfr + singular: nodefeaturerule + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeatureRule resource specifies a configuration for feature-based + customization of node objects, such as node labeling. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureRuleSpec describes a NodeFeatureRule. + properties: + rules: + description: Rules is a list of node customization rules. + items: + description: Rule defines a rule for node customization such as + labeling. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to create if the rule matches. + type: object + extendedResources: + additionalProperties: + type: string + description: ExtendedResources to create if the rule matches. + type: object + labels: + additionalProperties: + type: string + description: Labels to create if the rule matches. + type: object + labelsTemplate: + description: LabelsTemplate specifies a template to expand for + dynamically generating multiple labels. Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + matchAny: + description: MatchAny specifies a list of matchers one of which + must match. + items: + description: MatchAnyElem specifies one sub-matcher of MatchAny. + properties: + matchFeatures: + description: MatchFeatures specifies a set of matcher + terms all of which must match. + items: + description: FeatureMatcherTerm defines requirements + against one feature set. All requirements (specified + as MatchExpressions) are evaluated against each element + in the feature set. + properties: + feature: + description: Feature is the name of the feature + set to match against. 
+ type: string + matchExpressions: + additionalProperties: + description: MatchExpression specifies an expression + to evaluate against a set of input values. It + contains an operator that is applied when matching + the input and an array of values that the operator + evaluates the input against. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. + Value should be empty if the operator is + Exists, DoesNotExist, IsTrue or IsFalse. + Value should contain exactly one element + if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In + other cases Value should contain at least + one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the + value of the specified elements. + type: object + matchName: + description: MatchName in an expression that is + matched against the name of each element in the + feature set. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. Value + should be empty if the operator is Exists, + DoesNotExist, IsTrue or IsFalse. Value should + contain exactly one element if the operator + is Gt or Lt and exactly two elements if the + operator is GtLt. In other cases Value should + contain at least one element. 
+ items: + type: string + type: array + required: + - op + type: object + required: + - feature + type: object + type: array + required: + - matchFeatures + type: object + type: array + matchFeatures: + description: MatchFeatures specifies a set of matcher terms + all of which must match. + items: + description: FeatureMatcherTerm defines requirements against + one feature set. All requirements (specified as MatchExpressions) + are evaluated against each element in the feature set. + properties: + feature: + description: Feature is the name of the feature set to + match against. + type: string + matchExpressions: + additionalProperties: + description: MatchExpression specifies an expression + to evaluate against a set of input values. It contains + an operator that is applied when matching the input + and an array of values that the operator evaluates + the input against. + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other + cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressions is the set of per-element + expressions evaluated. These match against the value + of the specified elements. + type: object + matchName: + description: MatchName in an expression that is matched + against the name of each element in the feature set. + properties: + op: + description: Op is the operator to be applied. 
+ enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other cases + Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + required: + - feature + type: object + type: array + name: + description: Name of the rule. + type: string + taints: + description: Taints to create if the rule matches. + items: + description: The node this Taint is attached to has the "effect" + on any pod that does not tolerate the Taint. + properties: + effect: + description: Required. The effect of the taint on pods + that do not tolerate the taint. Valid effects are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied to + a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the + taint was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: The taint value corresponding to the taint + key. + type: string + required: + - effect + - key + type: object + type: array + vars: + additionalProperties: + type: string + description: Vars is the variables to store if the rule matches. + Variables do not directly inflict any changes in the node + object. However, they can be referenced from other rules enabling + more complex rule hierarchies, without exposing intermediary + output values as labels. + type: object + varsTemplate: + description: VarsTemplate specifies a template to expand for + dynamically generating multiple variables. 
Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + required: + - name + type: object + type: array + required: + - rules + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl new file mode 100644 index 0000000000..928ece78f8 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl 
@@ -0,0 +1,107 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "node-feature-discovery.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "node-feature-discovery.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "node-feature-discovery.namespace" -}}
+ {{- if .Values.namespaceOverride -}}
+ {{- .Values.namespaceOverride -}}
+ {{- else -}}
+ {{- .Release.Namespace -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "node-feature-discovery.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "node-feature-discovery.labels" -}}
+helm.sh/chart: {{ include "node-feature-discovery.chart" . }}
+{{ include "node-feature-discovery.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "node-feature-discovery.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "node-feature-discovery.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account which the nfd master will use
+*/}}
+{{- define "node-feature-discovery.master.serviceAccountName" -}}
+{{- if .Values.master.serviceAccount.create -}}
+ {{ default (include "node-feature-discovery.fullname" .) .Values.master.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.master.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account which the nfd worker will use
+*/}}
+{{- define "node-feature-discovery.worker.serviceAccountName" -}}
+{{- if .Values.worker.serviceAccount.create -}}
+ {{ default (printf "%s-worker" (include "node-feature-discovery.fullname" .)) .Values.worker.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.worker.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account which topologyUpdater will use
+*/}}
+{{- define "node-feature-discovery.topologyUpdater.serviceAccountName" -}}
+{{- if .Values.topologyUpdater.serviceAccount.create -}}
+ {{ default (printf "%s-topology-updater" (include "node-feature-discovery.fullname" .)) .Values.topologyUpdater.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.topologyUpdater.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account which nfd-gc will use
+*/}}
+{{- define "node-feature-discovery.gc.serviceAccountName" -}}
+{{- if .Values.gc.serviceAccount.create -}}
+ {{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.gc.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml
new file mode 100644
index 0000000000..8af115316b
--- /dev/null
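Review bot: The four `*.serviceAccountName` helpers fall back to the literal name `default` when `serviceAccount.create` is false and no name is set, and clusterrolebinding.yaml in this patch uses the same helpers as the binding subject. With `master.rbac.create` still true, that combination would bind the master ClusterRole (which carries `patch`/`update` on `nodes`) to the namespace's default ServiceAccount, so any pod there that does not set its own account inherits it; whether the chart's default values avoid this is not visible in this hunk. I would fail the render in the else branch instead, e.g. `{{ required "master.serviceAccount.name must be set when master.serviceAccount.create is false" .Values.master.serviceAccount.name }}`, or at minimum state the fallback and its RBAC consequence in the helper comment. The worker, topologyUpdater and gc helpers have the same shape.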
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml 
@@ -0,0 +1,68 @@
+{{- if .Values.tls.certManager }}
+{{- if .Values.master.enable }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nfd-master-cert
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ secretName: nfd-master-cert
+ subject:
+ organizations:
+ - node-feature-discovery
+ commonName: nfd-master
+ dnsNames:
+ # must match the service name
+ - {{ include "node-feature-discovery.fullname" . }}-master
+ # first one is configured for use by the worker; below are for completeness
+ - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc
+ - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
+ issuerRef:
+ name: nfd-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+---
+{{- if .Values.worker.enable }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nfd-worker-cert
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ secretName: nfd-worker-cert
+ subject:
+ organizations:
+ - node-feature-discovery
+ commonName: nfd-worker
+ dnsNames:
+ - {{ include "node-feature-discovery.fullname" . }}-worker.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
+ issuerRef:
+ name: nfd-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+
+{{- if .Values.topologyUpdater.enable }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nfd-topology-updater-cert
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ secretName: nfd-topology-updater-cert
+ subject:
+ organizations:
+ - node-feature-discovery
+ commonName: nfd-topology-updater
+ dnsNames:
+ - {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local
+ issuerRef:
+ name: nfd-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml
new file mode 100644
index 0000000000..f3c57acea1
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.tls.certManager }}
+# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
+# - Create a self signed issuer
+# - Use this to create a CA cert
+# - Use this to now create a CA issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: nfd-ca-bootstrap
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nfd-ca-cert
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ isCA: true
+ secretName: nfd-ca-cert
+ subject:
+ organizations:
+ - node-feature-discovery
+ commonName: nfd-ca-cert
+ issuerRef:
+ name: nfd-ca-bootstrap
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: nfd-ca-issuer
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ ca:
+ secretName: nfd-ca-cert
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml
new file mode 100644
index 0000000000..e652e1df8c
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml
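Review bot: None of the three Certificate specs in cert-manager-certs.yaml sets `usages`, so the master, worker and topology-updater certificates are all issued with the same cert-manager default key usages and nothing separates the server certificate from the client ones. Scoping them keeps a leaked worker key from being presented as the master endpoint: `usages: ["server auth"]` on `nfd-master-cert` and `usages: ["client auth"]` on `nfd-worker-cert` and `nfd-topology-updater-cert`, assuming the worker and topology-updater only ever act as TLS clients, which should be confirmed against upstream NFD. As a smaller point, the `---` before the worker document sits outside its `{{- if .Values.worker.enable }}` while the other two sit inside theirs, so a disabled worker still renders an empty document.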
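Review bot: The `nfd-ca-cert` Certificate in cert-manager-issuer.yaml is the trust root for every NFD component but sets neither `duration` nor `renewBefore`, so it gets cert-manager's default leaf lifetime and is re-keyed on that schedule. If the NFD binaries read `ca.crt` only at start-up (not visible here, to be confirmed), a CA rotation would make peers reject each other until the pods restart. I would set an explicit lifetime on the CA, for example `duration: 8760h` with a matching `renewBefore`, and add a comment above `isCA: true` saying what has to be restarted after the root is renewed.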
@@ -0,0 +1,119 @@
+{{- if and .Values.master.enable .Values.master.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/status
+ verbs:
+ - get
+ - patch
+ - update
+ - list
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ - nodefeaturerules
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - "nfd-master.nfd.kubernetes.io"
+ verbs:
+ - get
+ - update
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - topology.node.k8s.io
+ resources:
+ - noderesourcetopologies
+ verbs:
+ - create
+ - get
+ - update
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ verbs:
+ - get
+- apiGroups:
+ - topology.node.k8s.io
+ resources:
+ - noderesourcetopologies
+ verbs:
+ - delete
+ - list
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ verbs:
+ - delete
+ - list
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..99134a1c54
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml
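Review bot: The topology-updater and gc ClusterRoles both grant `get` on `nodes/proxy` cluster-wide, and the template gives no reason for it. That subresource proxies requests to the kubelet API of every node, so it is a considerably wider grant than the `nodes` list/watch rules beside it and is the first thing an RBAC audit of this chart will question. I would put a comment above each rule, e.g. `# nodes/proxy: read kubelet configuration through the API server (confirm against upstream NFD)`, and remove the rule from the gc role if the gc binary turns out not to use it. The master role's `patch`/`update` on `nodes` and `nodes/status` is the other high-impact grant here and depends on the binding subject being a dedicated ServiceAccount.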
@@ -0,0 +1,52 @@
+{{- if and .Values.master.enable .Values.master.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.gc.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml
new file mode 100644
index 0000000000..53a291e0f7
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml
@@ -0,0 +1,145 @@
+{{- if .Values.master.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+ {{- with .Values.master.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.master.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: master
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: master
+ {{- with .Values.master.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ enableServiceLinks: false
+ securityContext:
+ {{- toYaml .Values.master.podSecurityContext | nindent 8 }}
+ containers:
+ - name: master
+ securityContext:
+ {{- toYaml .Values.master.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ grpc:
+ port: 8080
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ grpc:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 10
+ ports:
+ - containerPort: {{ .Values.master.port | default "8080" }}
+ name: grpc
+ - containerPort: {{ .Values.master.metricsPort | default "8081" }}
+ name: metrics
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ command:
+ - "nfd-master"
+ resources:
+ {{- toYaml .Values.master.resources | nindent 12 }}
+ args:
+ {{- if .Values.master.instance | empty | not }}
+ - "-instance={{ .Values.master.instance }}"
+ {{- end }}
+ {{- if not .Values.enableNodeFeatureApi }}
+ - "-port={{ .Values.master.port | default "8080" }}"
+ - "-enable-nodefeature-api=false"
+ {{- else if gt (int .Values.master.replicaCount) 1 }}
+ - "-enable-leader-election"
+ {{- end }}
+ {{- if .Values.master.extraLabelNs | empty | not }}
+ - "-extra-label-ns={{- join "," .Values.master.extraLabelNs }}"
+ {{- end }}
+ {{- if .Values.master.denyLabelNs | empty | not }}
+ - "-deny-label-ns={{- join "," .Values.master.denyLabelNs }}"
+ {{- end }}
+ {{- if .Values.master.resourceLabels | empty | not }}
+ - "-resource-labels={{- join "," .Values.master.resourceLabels }}"
+ {{- end }}
+ {{- if .Values.master.enableTaints }}
+ - "-enable-taints"
+ {{- end }}
+ {{- if .Values.master.crdController | kindIs "invalid" | not }}
+ - "-crd-controller={{ .Values.master.crdController }}"
+ {{- else }}
+ ## By default, disable crd controller for other than the default instances
+ - "-crd-controller={{ .Values.master.instance | empty }}"
+ {{- end }}
+ {{- if .Values.master.featureRulesController | kindIs "invalid" | not }}
+ - "-featurerules-controller={{ .Values.master.featureRulesController }}"
+ {{- end }}
+ {{- if .Values.master.resyncPeriod }}
+ - "-resync-period={{ .Values.master.resyncPeriod }}"
+ {{- end }}
+ {{- if .Values.master.nfdApiParallelism | empty | not }}
+ - "-nfd-api-parallelism={{ .Values.master.nfdApiParallelism }}"
+ {{- end }}
+ {{- if .Values.tls.enable }}
+ - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+ - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+ - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+ {{- end }}
+ - "-metrics={{ .Values.master.metricsPort | default "8081" }}"
+ volumeMounts:
+ {{- if .Values.tls.enable }}
+ - name: nfd-master-cert
+ mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+ readOnly: true
+ {{- end }}
+ - name: nfd-master-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+ volumes:
+ {{- if .Values.tls.enable }}
+ - name: nfd-master-cert
+ secret:
+ secretName: nfd-master-cert
+ {{- end }}
+ - name: nfd-master-conf
+ configMap:
+ name: {{ include "node-feature-discovery.fullname" . }}-master-conf
+ items:
+ - key: nfd-master.conf
+ path: nfd-master.conf
+ {{- with .Values.master.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.master.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.master.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml
new file mode 100644
index 0000000000..1e0e12327a
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml
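Review bot: Both probes in master.yaml hard-code `port: 8080`, while the container port and the `-port` argument are rendered from `.Values.master.port | default "8080"`. Overriding `master.port` would leave the liveness and readiness probes checking a port nothing listens on, so the pod would never become ready and would be restarted; both probes should use `port: {{ .Values.master.port | default "8080" }}`. Separately, the `nfd-master-cert` secret volume and the `-ca-file`/`-key-file`/`-cert-file` arguments are gated on `tls.enable`, whereas the Certificate that produces that secret (cert-manager-certs.yaml) is gated on `tls.certManager`. A comment above the volume such as `# with tls.enable=true and tls.certManager=false the nfd-master-cert secret must be created out of band` would save an operator from a pod stuck on a missing secret.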
@@ -0,0 +1,77 @@
+{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: gc
+ {{- with .Values.gc.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.gc.replicaCount | default 1 }}
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: gc
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: gc
+ {{- with .Values.gc.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "node-feature-discovery.gc.serviceAccountName" . }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.gc.podSecurityContext | nindent 8 }}
+ containers:
+ - name: gc
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ command:
+ - "nfd-gc"
+ args:
+ {{- if .Values.gc.interval | empty | not }}
+ - "-gc-interval={{ .Values.gc.interval }}"
+ {{- end }}
+ resources:
+ {{- toYaml .Values.gc.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.gc.metricsPort | default "8081"}}
+
+ {{- with .Values.gc.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with .Values.gc.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.gc.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml
new file mode 100644
index 0000000000..9c6e01cde4
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.master.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master-conf
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-master.conf: |-
+ {{- .Values.master.config | toYaml | nindent 4 }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml
new file mode 100644
index 0000000000..9867f5089c
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-topology-updater.conf: |-
+ {{- .Values.topologyUpdater.config | toYaml | nindent 4 }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml
new file mode 100644
index 0000000000..a2299dea13
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml
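Review bot: In nfd-gc.yaml the `gc` container declares `containerPort: {{ .Values.gc.metricsPort | default "8081"}}`, but its `args` never hand that port to the binary; the master template in this patch passes `-metrics={{ .Values.master.metricsPort | default "8081" }}` for the same purpose. Setting `gc.metricsPort` would therefore move the declared `metrics` port, which the PodMonitor scrapes by name, without moving the listener. If this nfd-gc build accepts the flag (not visible here), add `- "-metrics={{ .Values.gc.metricsPort | default "8081" }}"` to `args`; otherwise the value should be documented as fixed.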
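Review bot: The nfd-topologyupdater-conf.yaml ConfigMap is rendered unconditionally, whereas nfd-master-conf.yaml and nfd-worker-conf.yaml are wrapped in `{{- if .Values.master.enable }}` and `{{- if .Values.worker.enable }}`. With the topology updater disabled, the release still creates a `-topology-updater-conf` object that no workload in this patch mounts. Wrapping the template in `{{- if .Values.topologyUpdater.enable }}` and `{{- end }}` would match the DaemonSet that consumes it.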
@@ -0,0 +1,12 @@
+{{- if .Values.worker.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker-conf
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-worker.conf: |-
+ {{- .Values.worker.config | toYaml | nindent 4 }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
new file mode 100644
index 0000000000..b9f4b46405
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.prometheus.enable }}
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ {{- with .Values.prometheus.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - honorLabels: true
+ interval: 10s
+ path: /metrics
+ port: metrics
+ scheme: http
+ namespaceSelector:
+ matchNames:
+ - {{ include "node-feature-discovery.namespace" . }}
+ selector:
+ matchExpressions:
+ - {key: app.kubernetes.io/instance, operator: In, values: ["{{ .Release.Name }}"]}
+ - {key: app.kubernetes.io/name, operator: In, values: ["{{ include "node-feature-discovery.name" . }}"]}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
new file mode 100644
index 0000000000..3a872e5723
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
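Review bot: In prometheus.yaml, `honorLabels: true` on the pod metrics endpoint lets labels exposed by the scraped pods take precedence over the labels Prometheus attaches on the server side, so a misbehaving or compromised NFD pod could present series under another target's labels. Unless the NFD exporters are known to need it, `honorLabels: false` is the safer default here. Separately, `{{ toYaml . | nindent 4 }}` under `.Values.prometheus.labels` lacks the `{{-` trim used by the other `toYaml` calls in this patch, which leaves a whitespace-only line in the rendered labels.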
@@ -0,0 +1,19 @@
+{{- if and .Values.worker.enable .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ verbs:
+ - create
+ - get
+ - update
+{{- end }}
+
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
new file mode 100644
index 0000000000..a640d5f8bc
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.worker.enable .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
new file mode 100644
index 0000000000..d71d1555f7
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
@@ -0,0 +1,20 @@
+{{- if and (not .Values.enableNodeFeatureApi) .Values.master.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+spec:
+ type: {{ .Values.master.service.type }}
+ ports:
+ - port: {{ .Values.master.service.port | default "8080" }}
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ role: master
+{{- end}}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..7da2c877e9
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
@@ -0,0 +1,58 @@
+{{- if and .Values.master.enable .Values.master.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.master.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.topologyUpdater.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.serviceAccount.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.gc.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.gc.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.worker.enable .Values.worker.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.worker.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
new file mode 100644
index 0000000000..b6b919689c
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
@@ -0,0 +1,278 @@ +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.createCRDs -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes/enhancements/pull/1870 + controller-gen.kubebuilder.io/version: v0.11.2 + creationTimestamp: null + name: noderesourcetopologies.topology.node.k8s.io +spec: + group: topology.node.k8s.io + names: + kind: NodeResourceTopology + listKind: NodeResourceTopologyList + plural: noderesourcetopologies + shortNames: + - node-res-topo + singular: noderesourcetopology + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - topologyPolicies + - zones + type: object + served: true + storage: false + - name: v1alpha2 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + description: 'DEPRECATED (to be removed in v1beta1): use top level attributes + if needed' + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - zones + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml new file mode 100644 index 0000000000..f51c10e6dc --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml 
@@ -0,0 +1,156 @@
+{{- if .Values.topologyUpdater.enable -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: topology-updater
+ {{- with .Values.topologyUpdater.daemonsetAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: topology-updater
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: topology-updater
+ {{- with .Values.topologyUpdater.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.topologyUpdater.podSecurityContext | nindent 8 }}
+ containers:
+ - name: topology-updater
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: NODE_ADDRESS
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ command:
+ - "nfd-topology-updater"
+ args:
+ - "-podresources-socket=/host-var/lib/kubelet-podresources/kubelet.sock"
+ {{- if .Values.topologyUpdater.updateInterval | empty | not }}
+ - "-sleep-interval={{ .Values.topologyUpdater.updateInterval }}"
+ {{- else }}
+ - "-sleep-interval=3s"
+ {{- end }}
+ {{- if .Values.topologyUpdater.watchNamespace | empty | not }}
+ - "-watch-namespace={{ .Values.topologyUpdater.watchNamespace }}"
+ {{- else }}
+ - "-watch-namespace=*"
+ {{- end }}
+ {{- if .Values.tls.enable }}
+ - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+ - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+ - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+ {{- end }}
+ {{- if .Values.topologyUpdater.podSetFingerprint }}
+ - "-pods-fingerprint"
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - "-kubelet-config-uri=file:///host-var/kubelet-config"
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty }}
+ # Disable kubelet state tracking by giving an empty path
+ - "-kubelet-state-dir="
+ {{- end }}
+ - -metrics={{ .Values.topologyUpdater.metricsPort | default "8081"}}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.topologyUpdater.metricsPort | default "8081"}}
+ volumeMounts:
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - name: kubelet-config
+ mountPath: /host-var/kubelet-config
+ {{- end }}
+ - name: kubelet-podresources-sock
+ mountPath:
/host-var/lib/kubelet-podresources/kubelet.sock
+ - name: host-sys
+ mountPath: /host-sys
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }}
+ - name: kubelet-state-files
+ mountPath: /host-var/lib/kubelet
+ readOnly: true
+ {{- end }}
+ {{- if .Values.tls.enable }}
+ - name: nfd-topology-updater-cert
+ mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+ readOnly: true
+ {{- end }}
+ - name: nfd-topology-updater-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+
+ resources:
+ {{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.topologyUpdater.securityContext | nindent 12 }}
+ volumes:
+ - name: host-sys
+ hostPath:
+ path: "/sys"
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - name: kubelet-config
+ hostPath:
+ path: {{ .Values.topologyUpdater.kubeletConfigPath }}
+ {{- end }}
+ - name: kubelet-podresources-sock
+ hostPath:
+ {{- if .Values.topologyUpdater.kubeletPodResourcesSockPath | empty | not }}
+ path: {{ .Values.topologyUpdater.kubeletPodResourcesSockPath }}
+ {{- else }}
+ path: /var/lib/kubelet/pod-resources/kubelet.sock
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }}
+ - name: kubelet-state-files
+ hostPath:
+ path: {{ .Values.topologyUpdater.kubeletStateDir }}
+ {{- end }}
+ - name: nfd-topology-updater-conf
+ configMap:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf
+ items:
+ - key: nfd-topology-updater.conf
+ path: nfd-topology-updater.conf
+ {{- if .Values.tls.enable }}
+ - name: nfd-topology-updater-cert
+ secret:
+ secretName: nfd-topology-updater-cert
+ {{- end }}
+
+
+ {{- with .Values.topologyUpdater.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologyUpdater.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologyUpdater.tolerations }}
+ tolerations:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml
new file mode 100644
index 0000000000..f49f9bd644
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml
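Review bot: In topologyupdater.yaml the `host-sys` and `kubelet-config` volume mounts have no `readOnly: true`, so the host's `/sys` and the kubelet configuration path are mounted writable into the topology-updater container; `kubelet-state-files` in this same template and `host-sys` in worker.yaml are both mounted read-only. Nothing visible here suggests the updater writes to either path, so adding `readOnly: true` under `mountPath: /host-sys` and `mountPath: /host-var/kubelet-config` would narrow what a compromised container can change on the node. The default `-watch-namespace=*` together with the kubelet pod-resources socket also gives this DaemonSet a node-wide view, so the `securityContext` it takes from values deserves a check as well.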
@@ -0,0 +1,162 @@
+{{- if .Values.worker.enable }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: worker
+ {{- with .Values.worker.daemonsetAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: worker
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: worker
+ {{- with .Values.worker.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
+ containers:
+ - name: worker
+ securityContext:
+ {{- toYaml .Values.worker.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ resources:
+ {{- toYaml .Values.worker.resources | nindent 12 }}
+ command:
+ - "nfd-worker"
+ args:
+ {{- if not .Values.enableNodeFeatureApi }}
+ - "-server={{ include "node-feature-discovery.fullname" .
}}-master:{{ .Values.master.service.port }}"
+ - "-enable-nodefeature-api=false"
+ {{- end }}
+{{- if .Values.tls.enable }}
+ - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+ - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+ - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+{{- end }}
+ - "-metrics={{ .Values.worker.metricsPort | default "8081"}}"
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.worker.metricsPort | default "8081"}}
+ volumeMounts:
+ - name: host-boot
+ mountPath: "/host-boot"
+ readOnly: true
+ - name: host-os-release
+ mountPath: "/host-etc/os-release"
+ readOnly: true
+ - name: host-sys
+ mountPath: "/host-sys"
+ readOnly: true
+ - name: host-usr-lib
+ mountPath: "/host-usr/lib"
+ readOnly: true
+ - name: host-lib
+ mountPath: "/host-lib"
+ readOnly: true
+ {{- if .Values.worker.mountUsrSrc }}
+ - name: host-usr-src
+ mountPath: "/host-usr/src"
+ readOnly: true
+ {{- end }}
+ - name: source-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
+ readOnly: true
+ - name: features-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
+ readOnly: true
+ - name: nfd-worker-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+{{- if .Values.tls.enable }}
+ - name: nfd-worker-cert
+ mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: host-boot
+ hostPath:
+ path: "/boot"
+ - name: host-os-release
+ hostPath:
+ path: "/etc/os-release"
+ - name: host-sys
+ hostPath:
+ path: "/sys"
+ - name: host-usr-lib
+ hostPath:
+ path: "/usr/lib"
+ - name: host-lib
+ hostPath:
+ path: "/lib"
+ {{- if .Values.worker.mountUsrSrc }}
+ - name: host-usr-src
+ hostPath:
+ path: "/usr/src"
+ {{- end }}
+ - name: source-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/source.d/"
+ - name: features-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/features.d/"
+ - name: nfd-worker-conf
+ configMap:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker-conf
+ items:
+ - key: nfd-worker.conf
+ path: nfd-worker.conf
+{{- if .Values.tls.enable }}
+ - name: nfd-worker-cert
+ secret:
+ secretName: nfd-worker-cert
+{{- end }}
+ {{- with .Values.worker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/values.yaml b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/values.yaml
new file mode 100644
index 0000000000..1753e757c7
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/charts/rancher-nfd/values.yaml
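Review bot: In worker.yaml, `-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}` has no fallback, while service.yaml renders the same value as `{{ .Values.master.service.port | default "8080" }}`. If the value is unset, the Service still exposes 8080 but the worker is handed an address with an empty port. Use `{{ .Values.master.service.port | default "8080" }}` in the `-server` argument as well. The `source-d` and `features-d` hostPath volumes also appear to feed node-local files into discovery, so the permissions of those directories on the node matter even though the mounts are read-only.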
@@ -0,0 +1,534 @@ +image: + repository: rancher/hardened-node-feature-discovery + # This should be set to 'IfNotPresent' for released version + pullPolicy: IfNotPresent + # tag, if defined will use the given image tag, else Chart.AppVersion will be used + tag: v0.15.4-build20240513 +imagePullSecrets: [] + +nameOverride: "" +fullnameOverride: "" +namespaceOverride: "" + +enableNodeFeatureApi: true + +master: + enable: true + config: ### + # noPublish: false + # autoDefaultNs: true + # extraLabelNs: ["added.ns.io","added.kubernets.io"] + # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"] + # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"] + # enableTaints: false + # labelWhiteList: "foo" + # resyncPeriod: "2h" + # klog: + # addDirHeader: false + # alsologtostderr: false + # logBacktraceAt: + # logtostderr: true + # skipHeaders: false + # stderrthreshold: 2 + # v: 0 + # vmodule: + ## NOTE: the following options are not dynamically run-time configurable + ## and require a nfd-master restart to take effect after being changed + # logDir: + # logFile: + # logFileMaxSize: 1800 + # skipLogHeaders: false + # leaderElection: + # leaseDuration: 15s + # # this value has to be lower than leaseDuration and greater than retryPeriod*1.2 + # renewDeadline: 10s + # # this value has to be greater than 0 + # retryPeriod: 2s + # nfdApiParallelism: 10 + ### + # The TCP port that nfd-master listens for incoming requests. 
Default: 8080 + # Deprecated this parameter is related to the deprecated gRPC API and will + # be removed with it in a future release + port: 8080 + metricsPort: 8081 + instance: + featureApi: + resyncPeriod: + denyLabelNs: [] + extraLabelNs: [] + resourceLabels: [] + enableTaints: false + crdController: null + featureRulesController: null + nfdApiParallelism: null + deploymentAnnotations: {} + replicaCount: 1 + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + # runAsUser: 1000 + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + rbac: + create: true + + service: + type: ClusterIP + port: 8080 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "" + effect: "NoSchedule" + + annotations: {} + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/master" + operator: In + values: [""] + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/control-plane" + operator: In + values: [""] + +worker: + enable: true + config: ### + #core: + # labelWhiteList: + # noPublish: false + # sleepInterval: 60s + # featureSources: [all] + # labelSources: [all] + # klog: + # addDirHeader: false + # alsologtostderr: false + # logBacktraceAt: + # logtostderr: true + # skipHeaders: false + # stderrthreshold: 2 + # v: 0 + # vmodule: + ## NOTE: the following options are not dynamically run-time configurable + ## and require a nfd-worker restart to take effect after being changed + # logDir: + # logFile: + # logFileMaxSize: 1800 + # skipLogHeaders: false + #sources: + # cpu: + # cpuid: + ## NOTE: whitelist has priority over blacklist + # attributeBlacklist: + # - "BMI1" + # - "BMI2" + # - "CLMUL" + # - "CMOV" + # - "CX16" + # - "ERMS" + # - "F16C" + # - "HTT" + # - "LZCNT" + # - "MMX" + # - "MMXEXT" + # - "NX" + # - "POPCNT" + # - "RDRAND" + # - "RDSEED" + # - "RDTSCP" + # - "SGX" + # - "SSE" + # - "SSE2" + # - "SSE3" + # - "SSE4" + # - "SSE42" + # - "SSSE3" + # - "TDX_GUEST" + # attributeWhitelist: + # kernel: + # kconfigFile: "/path/to/kconfig" + # configOpts: + # - "NO_HZ" + # - "X86" + # - "DMI" + # pci: + # deviceClassWhitelist: + # - "0200" + # - "03" + # - "12" + # deviceLabelFields: + # - "class" + # - "vendor" + # - "device" + # - "subsystem_vendor" + # - "subsystem_device" + # usb: + # 
deviceClassWhitelist: + # - "0e" + # - "ef" + # - "fe" + # - "ff" + # deviceLabelFields: + # - "class" + # - "vendor" + # - "device" + # local: + # hooksEnabled: false + # custom: + # # The following feature demonstrates the capabilities of the matchFeatures + # - name: "my custom rule" + # labels: + # "vendor.io/my-ng-feature": "true" + # # matchFeatures implements a logical AND over all matcher terms in the + # # list (i.e. all of the terms, or per-feature matchers, must match) + # matchFeatures: + # - feature: cpu.cpuid + # matchExpressions: + # AVX512F: {op: Exists} + # - feature: cpu.cstate + # matchExpressions: + # enabled: {op: IsTrue} + # - feature: cpu.pstate + # matchExpressions: + # no_turbo: {op: IsFalse} + # scaling_governor: {op: In, value: ["performance"]} + # - feature: cpu.rdt + # matchExpressions: + # RDTL3CA: {op: Exists} + # - feature: cpu.sst + # matchExpressions: + # bf.enabled: {op: IsTrue} + # - feature: cpu.topology + # matchExpressions: + # hardware_multithreading: {op: IsFalse} + # + # - feature: kernel.config + # matchExpressions: + # X86: {op: Exists} + # LSM: {op: InRegexp, value: ["apparmor"]} + # - feature: kernel.loadedmodule + # matchExpressions: + # e1000e: {op: Exists} + # - feature: kernel.selinux + # matchExpressions: + # enabled: {op: IsFalse} + # - feature: kernel.version + # matchExpressions: + # major: {op: In, value: ["5"]} + # minor: {op: Gt, value: ["10"]} + # + # - feature: storage.block + # matchExpressions: + # rotational: {op: In, value: ["0"]} + # dax: {op: In, value: ["0"]} + # + # - feature: network.device + # matchExpressions: + # operstate: {op: In, value: ["up"]} + # speed: {op: Gt, value: ["100"]} + # + # - feature: memory.numa + # matchExpressions: + # node_count: {op: Gt, value: ["2"]} + # - feature: memory.nv + # matchExpressions: + # devtype: {op: In, value: ["nd_dax"]} + # mode: {op: In, value: ["memory"]} + # + # - feature: system.osrelease + # matchExpressions: + # ID: {op: In, value: ["fedora", 
"centos"]} + # - feature: system.name + # matchExpressions: + # nodename: {op: InRegexp, value: ["^worker-X"]} + # + # - feature: local.label + # matchExpressions: + # custom-feature-knob: {op: Gt, value: ["100"]} + # + # # The following feature demonstrates the capabilities of the matchAny + # - name: "my matchAny rule" + # labels: + # "vendor.io/my-ng-feature-2": "my-value" + # # matchAny implements a logical IF over all elements (sub-matchers) in + # # the list (i.e. at least one feature matcher must match) + # matchAny: + # - matchFeatures: + # - feature: kernel.loadedmodule + # matchExpressions: + # driver-module-X: {op: Exists} + # - feature: pci.device + # matchExpressions: + # vendor: {op: In, value: ["8086"]} + # class: {op: In, value: ["0200"]} + # - matchFeatures: + # - feature: kernel.loadedmodule + # matchExpressions: + # driver-module-Y: {op: Exists} + # - feature: usb.device + # matchExpressions: + # vendor: {op: In, value: ["8086"]} + # class: {op: In, value: ["02"]} + # + # - name: "avx wildcard rule" + # labels: + # "my-avx-feature": "true" + # matchFeatures: + # - feature: cpu.cpuid + # matchName: {op: InRegexp, value: ["^AVX512"]} + # + # # The following features demonstreate label templating capabilities + # - name: "my template rule" + # labelsTemplate: | + # {{ range .system.osrelease }}vendor.io/my-system-feature.{{ .Name }}={{ .Value }} + # {{ end }} + # matchFeatures: + # - feature: system.osrelease + # matchExpressions: + # ID: {op: InRegexp, value: ["^open.*"]} + # VERSION_ID.major: {op: In, value: ["13", "15"]} + # + # - name: "my template rule 2" + # labelsTemplate: | + # {{ range .pci.device }}vendor.io/my-pci-device.{{ .class }}-{{ .device }}=with-cpuid + # {{ end }} + # matchFeatures: + # - feature: pci.device + # matchExpressions: + # class: {op: InRegexp, value: ["^06"]} + # vendor: ["8086"] + # - feature: cpu.cpuid + # matchExpressions: + # AVX: {op: Exists} + # + # # The following examples demonstrate vars field and 
back-referencing + # # previous labels and vars + # - name: "my dummy kernel rule" + # labels: + # "vendor.io/my.kernel.feature": "true" + # matchFeatures: + # - feature: kernel.version + # matchExpressions: + # major: {op: Gt, value: ["2"]} + # + # - name: "my dummy rule with no labels" + # vars: + # "my.dummy.var": "1" + # matchFeatures: + # - feature: cpu.cpuid + # matchExpressions: {} + # + # - name: "my rule using backrefs" + # labels: + # "vendor.io/my.backref.feature": "true" + # matchFeatures: + # - feature: rule.matched + # matchExpressions: + # vendor.io/my.kernel.feature: {op: IsTrue} + # my.dummy.var: {op: Gt, value: ["0"]} + # + # - name: "kconfig template rule" + # labelsTemplate: | + # {{ range .kernel.config }}kconfig-{{ .Name }}={{ .Value }} + # {{ end }} + # matchFeatures: + # - feature: kernel.config + # matchName: {op: In, value: ["SWAP", "X86", "ARM"]} +### + + metricsPort: 8081 + daemonsetAnnotations: {} + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + # runAsUser: 1000 + + serviceAccount: + # Specifies whether a service account should be created. + # We create this by default to make it easier for downstream users to apply PodSecurityPolicies. + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + rbac: + create: true + + # Allow users to mount the hostPath /usr/src, useful for RHCOS on s390x + # Does not work on systems without /usr/src AND a read-only /usr, such as Talos + mountUsrSrc: false + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + annotations: {} + + affinity: {} + + priorityClassName: "" + +topologyUpdater: + config: ### + ## key = node name, value = list of resources to be excluded. + ## use * to exclude from all nodes. + ## an example for how the exclude list should looks like + #excludeList: + # node1: [cpu] + # node2: [memory, example/deviceA] + # *: [hugepages-2Mi] +### + + enable: false + createCRDs: false + + serviceAccount: + create: true + annotations: {} + name: + rbac: + create: true + + metricsPort: 8081 + kubeletConfigPath: + kubeletPodResourcesSockPath: + updateInterval: 60s + watchNamespace: "*" + kubeletStateDir: /var/lib/kubelet + + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsUser: 0 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + tolerations: [] + annotations: {} + daemonsetAnnotations: {} + affinity: {} + podSetFingerprint: true + +gc: + enable: true + replicaCount: 1 + + serviceAccount: + create: true + annotations: {} + name: + rbac: + create: true + + interval: 1h + + podSecurityContext: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + metricsPort: 8081 + + nodeSelector: {} + tolerations: [] + annotations: {} + deploymentAnnotations: {} + affinity: {} + +# Optionally use encryption for worker <--> master comms +# TODO: verify hostname is not yet supported +# +# If you do not enable certManager (and have it installed) you will +# need to manually, or otherwise, provision the TLS certs as secrets +tls: + enable: false + certManager: false + +prometheus: + enable: false + labels: {} diff --git a/charts/sriov/104.1.0+up0.1.0/templates/NOTES.txt b/charts/sriov/104.1.0+up0.1.0/templates/NOTES.txt new file mode 100644 index 0000000000..ea9a6ebc9b --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/templates/NOTES.txt 
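Review bot: The `tls` block's comment `# TODO: verify hostname is not yet supported` reads as an open task rather than a stated limitation, and it sits above a default of `enable: false`, so the file never says plainly what the worker <--> master channel authenticates. I would reword it to `# NOTE: peer hostname verification is not yet supported, even with tls.enable: true` and add one line stating that the default leaves this channel unencrypted. Whether the channel is used at all when `enableNodeFeatureApi: true` is not visible in this hunk, so confirm that before finalising the wording.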
@@ -0,0 +1,29 @@
+Get Network Operator deployed resources by running the following commands:
+
+$ kubectl -n {{ .Release.Namespace }} get pods
+
+For additional instructions on how to use SR-IOV network operator,
+refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+
+{{- if .Values.operator.enableAdmissionController }}
+{{- if not .Values.cert_manager }}
+Thank you for installing {{ .Chart.Name }}.
+
+WARNING! Self signed certificates have been generated for webhooks.
+These certificates have a one-year validity and will not be rotated
+automatically. This should not be a production cluster. Please deploy
+and use cert-manager for production clusters.
+{{- end }}
+{{- end }}
+
+{{- if .Chart.Deprecated }}
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! !!
+!! WARNING: This chart is deprecated and will be removed! !!
+!! !!
+!! Future updates can be obtained from following chart repository: !!
+!! https://suse-edge.github.io/charts/ !!
+!! !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+{{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/_helpers.tpl b/charts/sriov/104.1.0+up0.1.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..dff1d171fe
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/_helpers.tpl
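Review bot: The self-signed-certificate warning is gated on `.Values.operator.enableAdmissionController` and `.Values.cert_manager`, whereas certificate.yaml and operator.yaml in this same patch read `.Values.operator.admissionControllers.enabled` and `.Values.operator.admissionControllers.certificates.certManager.enabled`. The chart's own values.yaml is not in view, but if only the second set of keys is defined, the notice about one-year, non-rotated certificates is never printed; the opening `if and (...)` guard of certmanagercerts.yaml uses the same two keys and would likewise never render. I would settle on one pair of keys across the templates, for example `{{- if .Values.operator.admissionControllers.enabled }}` here.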
@@ -0,0 +1,85 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "sriov-network-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "sriov-network-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sriov-network-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "sriov-network-operator.labels" -}} +helm.sh/chart: {{ include "sriov-network-operator.chart" . }} +{{ include "sriov-network-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "sriov-network-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "sriov-network-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "sriov-network-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "sriov-network-operator.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/sriov/104.1.0+up0.1.0/templates/_webhook-certs.tpl b/charts/sriov/104.1.0+up0.1.0/templates/_webhook-certs.tpl new file mode 100644 index 0000000000..f1448968b2 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/templates/_webhook-certs.tpl 
@@ -0,0 +1,31 @@
+{{/*
+Generate TLS certificates for webhooks.
+Note: these 2 lines, that are repeated several times below, are a trick to
+ensure the CA certs are generated only once:
+ $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
+ $_ := set . "ca" $ca
+Please, don't try to "simplify" them as without this trick, every generated
+certificate would be signed by a different CA.
+*/}}
+{{- define "sriov_operator_ca_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- printf "%s" $ca.Cert | b64enc -}}
+{{- end }}
+{{- define "sriov_operator_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+{{- define "sriov_resource_injector_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/certificate.yaml b/charts/sriov/104.1.0+up0.1.0/templates/certificate.yaml
new file mode 100644
index 0000000000..add29a9bec
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/certificate.yaml
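Review bot: The header comment explains the `set . "ca"` trick but not the operational consequences: `genCA` and `genSignedCert` run on every render with a fixed 365-day lifetime, and nothing here reuses an existing Secret. Assuming the output feeds a Secret and the webhooks' caBundle (the callers are outside this hunk), each upgrade replaces the CA and both key pairs, and the generated private keys are kept in the rendered release manifest. I would extend the comment with something like `Keys are regenerated on every render and expire after 365 days; all three templates must be included with the same context, otherwise the CA differs.`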
@@ -0,0 +1,71 @@ +{{- if .Values.operator.admissionControllers.enabled }} +{{- if and (.Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.certManager.generateSelfSigned) }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - operator-webhook-service.{{ .Release.Namespace }}.svc + - operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: operator-webhook-selfsigned-issuer + secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: operator-webhook-selfsigned-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - network-resources-injector-service.{{ .Release.Namespace }}.svc + - network-resources-injector-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: network-resources-injector-selfsigned-issuer + secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: network-resources-injector-selfsigned-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +{{- else if and (not .Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.custom.enabled) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ca.crt: {{ 
.Values.operator.admissionControllers.certificates.custom.operator.caCrt | b64enc | b64enc | quote }} + tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsCrt | b64enc | quote }} + tls.key: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.caCrt | b64enc | b64enc | quote }} + tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsCrt | b64enc | quote }} + tls.key: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsKey | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/sriov/104.1.0+up0.1.0/templates/certmanagercerts.yaml b/charts/sriov/104.1.0+up0.1.0/templates/certmanagercerts.yaml new file mode 100644 index 0000000000..e3575aa565 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/templates/certmanagercerts.yaml 
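Review bot: In both custom Secrets `ca.crt` is piped through `b64enc | b64enc` while `tls.crt` and `tls.key` get a single `b64enc`, and nothing on the page explains the difference. If it is deliberate (operator.yaml in this patch reads a CA value from a Secret through `secretKeyRef`, so the operator presumably wants the still-encoded bundle), say so above each line, e.g. `# double-encoded on purpose: consumed as base64 text via env var, not mounted as a PEM file`. If it is not deliberate, any consumer that mounts `ca.crt` as a file receives base64 text instead of PEM and chain validation fails. The custom key material also arrives through chart values, so the values documentation should state that it is stored with the release.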
@@ -0,0 +1,41 @@
+{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}}
+{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
+{{- required "cert-manager is required but not found" "" -}}
+{{- end -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: sriov-network-operator-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: operator-webhook-service
+ dnsNames:
+ - operator-webhook-service.{{ .Release.Namespace }}.svc
+ issuerRef:
+ name: sriov-network-operator-selfsigned-issuer
+ privateKey:
+ rotationPolicy: Always
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: network-resources-injector-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: network-resources-injector-secret
+ dnsNames:
+ - network-resources-injector-service.{{ .Release.Namespace }}.svc
+ issuerRef:
+ name: sriov-network-operator-selfsigned-issuer
+ privateKey:
+ rotationPolicy: Always
+{{- end -}}
+
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/clusterrole.yaml b/charts/sriov/104.1.0+up0.1.0/templates/clusterrole.yaml
new file mode 100644
index 0000000000..0edf69c338
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/clusterrole.yaml
@@ -0,0 +1,111 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "sriov-network-operator.fullname" . }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "patch", "update"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["*"] + - apiGroups: [""] + resources: ["pods/eviction"] + verbs: ["create"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get"] + - apiGroups: [""] + resources: ["namespaces", "serviceaccounts"] + verbs: ["*"] + - apiGroups: ["k8s.cni.cncf.io"] + resources: ["network-attachment-definitions"] + verbs: ["*"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: [clusterroles, clusterrolebindings] + verbs: ["*"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["*"] + - apiGroups: ["sriovnetwork.openshift.io"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["machineconfiguration.openshift.io"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["config.openshift.io"] + resources: ["infrastructures"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-network-config-daemon + labels: + {{- include "sriov-network-operator.labels" . 
| nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "patch", "update"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["*"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get"] + - apiGroups: [ "config.openshift.io" ] + resources: [ "infrastructures" ] + verbs: [ "get", "list", "watch" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-admin + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-edit + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-view + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" diff --git a/charts/sriov/104.1.0+up0.1.0/templates/clusterrolebinding.yaml b/charts/sriov/104.1.0+up0.1.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..c10aa9be73 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/templates/clusterrolebinding.yaml 
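Review bot: In `sriov-admin`, `sriov-edit` and `sriov-view` the `rbac.authorization.k8s.io/aggregate-to-*` entries are emitted directly under `metadata:` with no `labels:` key (as far as the flattened text shows), so with `aggregateToDefaultRoles` set they are not labels and the roles are not aggregated, or the manifest is rejected, depending on validation. Put `labels:` as the first line inside each `{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}` block. All three roles also grant only `get`, `watch`, `list`, so admin and edit are read-only as written, which looks unintended. Separately, the operator role's `verbs: ["*"]` on `clusterroles` and `clusterrolebindings` includes `bind` and `escalate`; listing only the verbs the operator needs would keep its service account from being effectively cluster-admin.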
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "sriov-network-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "sriov-network-operator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sriov-network-config-daemon
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: sriov-network-config-daemon
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: sriov-network-config-daemon
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/configmap.yaml b/charts/sriov/104.1.0+up0.1.0/templates/configmap.yaml
new file mode 100644
index 0000000000..de53e8e369
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/configmap.yaml
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: supported-nic-ids +data: + Intel_i40e_XXV710: "8086 158a 154c" + Intel_i40e_25G_SFP28: "8086 158b 154c" + Intel_i40e_10G_X710_SFP: "8086 1572 154c" + Intel_ixgbe_10G_X550: "8086 1563 1565" + Intel_ixgbe_82576: "8086 10c9 10ca" + Intel_i40e_X710_X557_AT_10G: "8086 1589 154c" + Intel_i40e_10G_X710_BACKPLANE: "8086 1581 154c" + Intel_i40e_10G_X710_BASE_T: "8086 15ff 154c" + Intel_i40e_XXV710_N3000: "8086 0d58 154c" + Intel_i40e_40G_XL710_QSFP: "8086 1583 154c" + Intel_i40e_X550T: "8086 1563 1565" + Intel_i40e_X722: "8086 37d2 37cd" + Intel_i40e_X722_SFP: "8086 37d0 37cd" + Intel_i40e_X722_SFPP: "8086 37d3 37cd" + Intel_ice_Columbiaville_E810-CQDA2_2CQDA2: "8086 1592 1889" + Intel_ice_Columbiaville_E810-XXVDA4: "8086 1593 1889" + Intel_ice_Columbiaville_E810-XXVDA2: "8086 159b 1889" + Intel_ice_Columbiaville_E810: "8086 1591 1889" + Intel_ice_Columbiapark_E823C: "8086 188a 1889" + Nvidia_mlx5_ConnectX-4: "15b3 1013 1014" + Nvidia_mlx5_ConnectX-4LX: "15b3 1015 1016" + Nvidia_mlx5_ConnectX-5: "15b3 1017 1018" + Nvidia_mlx5_ConnectX-5_Ex: "15b3 1019 101a" + Nvidia_mlx5_ConnectX-6: "15b3 101b 101c" + Nvidia_mlx5_ConnectX-6_Dx: "15b3 101d 101e" + Nvidia_mlx5_ConnectX-6_Lx: "15b3 101f 101e" + Nvidia_mlx5_ConnectX-7: "15b3 1021 101e" + Nvidia_mlx5_MT42822_BlueField-2_integrated_ConnectX-6_Dx: "15b3 a2d6 101e" + Nvidia_mlx5_MT43244_BlueField-3_integrated_ConnectX-7_Dx: "15b3 a2dc 101e" + Broadcom_bnxt_BCM57414_2x25G: "14e4 16d7 16dc" + Broadcom_bnxt_BCM75508_2x100G: "14e4 1750 1806" + Qlogic_qede_QL45000_50G: "1077 1654 1664" + Red_Hat_Virtio_network_device: "1af4 1000 1000" + Red_Hat_Virtio_1_0_network_device: "1af4 1041 1041" + Marvell_OCTEON_TX2_CN96XX: "177d b200 b203" + Marvell_OCTEON_TX2_CN98XX: "177d b100 b103" + Marvell_OCTEON_Fusion_CNF95XX: "177d b600 b603" + Marvell_OCTEON10_CN10XXX: "177d b900 b903" + Marvell_OCTEON_Fusion_CNF105XX: "177d ba00 ba03" + {{- range .Values.supportedExtraNICs }} + {{ . 
}} + {{- end }} diff --git a/charts/sriov/104.1.0+up0.1.0/templates/operator.yaml b/charts/sriov/104.1.0+up0.1.0/templates/operator.yaml new file mode 100644 index 0000000000..70f1cb65c1 --- /dev/null +++ b/charts/sriov/104.1.0+up0.1.0/templates/operator.yaml 
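Review bot: The closing `range .Values.supportedExtraNICs` loop writes each list entry into `data:` as raw text via `{{ . }}`, so every entry must already be a correctly formatted `Name: "xxxx xxxx xxxx"` line, and a malformed one silently changes the ConfigMap's structure instead of failing. Letting the template own the formatting would avoid that: `{{- range $name, $ids := .Values.supportedExtraNICs }}` with `{{ $name }}: {{ $ids | quote }}` as the body. That changes the values schema, which is defined outside this hunk, so at minimum add a comment above the loop stating the expected entry format.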
@@ -0,0 +1,116 @@
+{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}}
+{{- required "rke2-multus is required but not found" "" -}}
+{{- end -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: sriov-network-operator
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 33%
+ template:
+ metadata:
+ labels:
+ name: sriov-network-operator
+ spec:
+ {{- with .Values.operator.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8}}
+ {{- end }}
+ {{- with .Values.operator.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "sriov-network-operator.fullname" . }}
+ priorityClassName: "system-node-critical"
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: {{ include "sriov-network-operator.fullname" . }}
+ image: {{ include "system_default_registry" . }}{{ .Values.images.operator.repository }}:{{ .Values.images.operator.tag }}
+ command:
+ - sriov-network-operator
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: SRIOV_CNI_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovCni.repository }}:{{ .Values.images.sriovCni.tag }}
+ - name: SRIOV_INFINIBAND_CNI_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.repository }}:{{ .Values.images.ibSriovCni.tag }}
+ - name: SRIOV_DEVICE_PLUGIN_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.repository }}:{{ .Values.images.sriovDevicePlugin.tag }}
+ - name: NETWORK_RESOURCES_INJECTOR_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.repository }}:{{ .Values.images.resourcesInjector.tag }}
+ - name: OPERATOR_NAME
+ value: sriov-network-operator
+ - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.repository }}:{{ .Values.images.sriovConfigDaemon.tag }}
+ - name: SRIOV_NETWORK_WEBHOOK_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.repository }}:{{ .Values.images.webhook.tag }}
+ - name: RESOURCE_PREFIX
+ value: {{ .Values.operator.resourcePrefix }}
+ - name: IMAGE_PULL_SECRETS
+ value: {{ join "," .Values.imagePullSecrets }}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: RELEASE_VERSION
+ value: {{ .Release.AppVersion }}
+ - name: SRIOV_CNI_BIN_PATH
+ value: {{ .Values.operator.cniBinPath }}
+ - name: CLUSTER_TYPE
+ value: {{ .Values.operator.clusterType }}
+ {{- if .Values.operator.admissionControllers.enabled }}
+ - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
+ value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+ - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
+ value: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+ {{- if .Values.operator.admissionControllers.certificates.certManager.enabled }}
+ - name: ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED
+ value: {{ .Values.operator.admissionControllers.certificates.certManager.enabled | quote }}
+ {{- else }}
+ - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+ key: ca.crt
+ - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+ key: ca.crt
+ {{- end }}
+ {{- end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/role.yaml b/charts/sriov/104.1.0+up0.1.0/templates/role.yaml
new file mode 100644
index 0000000000..6058a86e1b
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/role.yaml
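Review bot: `RELEASE_VERSION` is set from `{{ .Release.AppVersion }}`, but as far as I know Helm's `.Release` object has no `AppVersion` field (the chart's app version is `.Chart.AppVersion`), so the variable most likely renders empty. I would change the line to `value: {{ .Chart.AppVersion | quote }}`. The other plain-string env values (`RESOURCE_PREFIX`, `SRIOV_CNI_BIN_PATH`, `CLUSTER_TYPE`, the two secret-name variables) are emitted unquoted, unlike `ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED`, so an override that looks like a boolean or a number would not be accepted as a string env value; piping them through `quote` avoids that. Separately, the operator container declares no `securityContext` and no resource limits in this hunk, which is worth confirming as intentional given the RBAC this service account receives.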
@@ -0,0 +1,132 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - apiGroups:
+ - apps
+ resourceNames:
+ - sriov-network-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - serviceaccounts
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - '*'
+ - apiGroups:
+ - sriovnetwork.openshift.io
+ resources:
+ - '*'
+ - sriovnetworknodestates
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - 'coordination.k8s.io'
+ resources:
+ - 'leases'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: operator-webhook-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/rolebinding.yaml b/charts/sriov/104.1.0+up0.1.0/templates/rolebinding.yaml
new file mode 100644
index 0000000000..d2cf1849a7
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/rolebinding.yaml
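Review bot: The operator Role grants `'*'` verbs on `secrets`, `pods` and `configmaps` and on `roles`/`rolebindings`, which is broader than a namespaced operator normally needs. The wildcard on the RBAC resources includes `escalate` and `bind`, so a compromise of the operator service account allows it to grant itself any permission in the release namespace. I would replace each `- '*'` with the verbs actually used, for example `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`, confirmed against what the operator calls. In the same rule `serviceaccounts` is listed under the `rbac.authorization.k8s.io` API group, but ServiceAccount is a core-group (`""`) resource, so that entry probably matches nothing. In the config-daemon Role, `sriovnetworknodestates` is redundant next to `'*'` in the same `resources` list.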
@@ -0,0 +1,44 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "sriov-network-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: sriov-network-config-daemon
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: operator-webhook-sa
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: operator-webhook-sa
+roleRef:
+ kind: Role
+ name: operator-webhook-sa
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/secrets.yaml b/charts/sriov/104.1.0+up0.1.0/templates/secrets.yaml
new file mode 100644
index 0000000000..3d345be460
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/secrets.yaml
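Review bot: The third RoleBinding (`operator-webhook-sa`) differs from the two before it: its ServiceAccount subject has no `namespace:` and its metadata carries no chart labels. I would add `namespace: {{ .Release.Namespace }}` under the subject so the binding names the account explicitly rather than relying on defaulting, and add the same `labels:` include the other bindings use. The `serviceaccount.yaml` added in this patch creates only the operator and `sriov-network-config-daemon` accounts, so `operator-webhook-sa` is presumably created elsewhere, possibly by the operator at runtime; a one-line comment saying where would help.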
@@ -0,0 +1,20 @@
+{{- if not .Values.cert_manager -}}
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_operator_cert" . | nindent 2 }}
+{{- end }}
+---
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: network-resources-injector-secret
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/serviceaccount.yaml b/charts/sriov/104.1.0+up0.1.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..fc0bb57056
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/sriovoperatorconfig.yaml b/charts/sriov/104.1.0+up0.1.0/templates/sriovoperatorconfig.yaml
new file mode 100644
index 0000000000..41877365ad
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/sriovoperatorconfig.yaml
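Review bot: Both conditions in `secrets.yaml` read values keys that the `values.yaml` added in this patch does not define: `.Values.cert_manager` and `.Values.operator.enableAdmissionController`, while `operator.yaml` and `sriovoperatorconfig.yaml` use `.Values.operator.admissionControllers.enabled` and `...certificates.certManager.enabled`. With the shipped defaults the inner `if` is therefore always false and neither Secret is rendered, and setting `admissionControllers.enabled: true` does not change that. The Secret names here (`operator-webhook-service`, `network-resources-injector-secret`) also differ from the `secretNames` defaults the operator is told to read. If this file is superseded by `templates/certificate.yaml` it is probably best removed; otherwise the guards should become `{{- if .Values.operator.admissionControllers.enabled }}` and the names should come from `secretNames`.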
@@ -0,0 +1,17 @@
+{{ if .Values.sriovOperatorConfig.deploy }}
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovOperatorConfig
+metadata:
+ name: default
+ namespace: {{ .Release.Namespace }}
+spec:
+ enableInjector: {{ .Values.operator.admissionControllers.enabled }}
+ enableOperatorWebhook: {{ .Values.operator.admissionControllers.enabled }}
+ {{- with .Values.sriovOperatorConfig.configDaemonNodeSelector }}
+ configDaemonNodeSelector:
+ {{- range $k, $v := .}}{{printf "%s: '%s'" $k $v | nindent 4 }}{{ end }}
+ {{- end }}
+ logLevel: {{ .Values.sriovOperatorConfig.logLevel }}
+ disableDrain: {{ .Values.sriovOperatorConfig.disableDrain }}
+ configurationMode: {{ .Values.sriovOperatorConfig.configurationMode }}
+{{ end }}
diff --git a/charts/sriov/104.1.0+up0.1.0/templates/validate-install-crd.yaml b/charts/sriov/104.1.0+up0.1.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..48ffe70751
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/templates/validate-install-crd.yaml
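Review bot: `configDaemonNodeSelector` is built with `printf "%s: '%s'" $k $v`, which wraps the value in single quotes without escaping, so a selector value containing `'` produces invalid YAML and a key containing `: ` or ` #` is misparsed. Replacing the `range` line with `{{- toYaml . | nindent 4 }}` lets Helm do the quoting. `logLevel`, `disableDrain` and `configurationMode` are rendered bare as well, so an override that unsets one of them would render an empty value rather than fail at template time.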
@@ -0,0 +1,19 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkPoolConfig" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/sriov/104.1.0+up0.1.0/values.yaml b/charts/sriov/104.1.0+up0.1.0/values.yaml
new file mode 100644
index 0000000000..656e375ad0
--- /dev/null
+++ b/charts/sriov/104.1.0+up0.1.0/values.yaml
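Review bot: Prefixing these lines with `#` does not disable the check: Helm evaluates every `{{ ... }}` action before the output is parsed as YAML, so the `lookup`, the `set` calls and the `required` call still run and only their output lands in a comment. If the CRD validation is meant to be off, wrap the block in a template comment (`{{- /*` ... `*/ -}}`) or delete the file; if it is meant to be on, drop the `#` prefixes so the intent is clear. As written, an install on a cluster that lacks any of the six `sriovnetwork.openshift.io/v1` kinds would presumably still fail with the "Required CRDs are missing" message.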
@@ -0,0 +1,129 @@
+operator:
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - effect: NoExecute
+ key: node-role.kubernetes.io/etcd
+ operator: Exists
+ nodeSelector: {}
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: "node-role.kubernetes.io/master"
+ operator: In
+ values: [""]
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: In
+ values: [ "" ]
+ nameOverride: ""
+ fullnameOverride: ""
+ resourcePrefix: "rancher.io"
+ cniBinPath: "/opt/cni/bin"
+ clusterType: "kubernetes"
+ admissionControllers:
+ enabled: false
+ certificates:
+ secretNames:
+ operator: "operator-webhook-cert"
+ injector: "network-resources-injector-cert"
+ certManager:
+ # When enabled, makes use of certificates managed by cert-manager.
+ enabled: false
+ # When enabled, certificates are generated via cert-manager and then name will match the name of the secrets
+ # defined above
+ generateSelfSigned: false
+ # If not specified, no secret is created and secrets with the names defined above are expected to exist in the
+ # cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable.
+ custom:
+ enabled: false
+ # operator:
+ # caCrt: |
+ # -----BEGIN CERTIFICATE-----
+ # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+ # ...
+ # -----END CERTIFICATE-----
+ # tlsCrt: |
+ # -----BEGIN CERTIFICATE-----
+ # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+ # ...
+ # -----END CERTIFICATE-----
+ # tlsKey: |
+ # -----BEGIN EC PRIVATE KEY-----
+ # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
+ # ...
+ # -----END EC PRIVATE KEY-----
+ # injector:
+ # caCrt: |
+ # -----BEGIN CERTIFICATE-----
+ # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+ # ...
+ # -----END CERTIFICATE-----
+ # tlsCrt: |
+ # -----BEGIN CERTIFICATE-----
+ # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+ # ...
+ # -----END CERTIFICATE-----
+ # tlsKey: |
+ # -----BEGIN EC PRIVATE KEY-----
+ # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
+ # ...
+ # -----END EC PRIVATE KEY-----
+
+sriovOperatorConfig:
+ # deploy sriovOperatorConfig CR with the below values
+ deploy: true
+ # node slectors for sriov-network-config-daemon
+ configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: 'true'}
+ # log level for both operator and sriov-network-config-daemon
+ logLevel: 2
+ # disable node draining when configuring SR-IOV, set to true in case of a single node
+ # cluster or any other justifiable reason
+ disableDrain: false
+ # sriov-network-config-daemon configuration mode. either "daemon" or "systemd"
+ configurationMode: daemon
+
+# Image URIs for sriov-network-operator components
+images:
+ operator:
+ repository: rancher/hardened-sriov-network-operator
+ tag: v1.2.0-build20240327
+ sriovConfigDaemon:
+ repository: rancher/hardened-sriov-network-config-daemon
+ tag: v1.2.0-build20240327
+ sriovCni:
+ repository: rancher/hardened-sriov-cni
+ tag: v2.7.0-build20240327
+ ibSriovCni:
+ repository: rancher/hardened-ib-sriov-cni
+ tag: v1.0.3-build20240327
+ sriovDevicePlugin:
+ repository: rancher/hardened-sriov-network-device-plugin
+ tag: v3.6.2-build20240327
+ resourcesInjector:
+ repository: rancher/hardened-sriov-network-resources-injector
+ tag: v1.5-build20240327
+ webhook:
+ repository: rancher/hardened-sriov-network-webhook
+ tag: v1.2.0-build20240327
+
+imagePullSecrets: []
+
+# Example for supportedExtraNICs values ['MyNIC: "8086 1521 1520"']
+supportedExtraNICs: []
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ rbac:
+ userRoles:
+ aggregateToDefaultRoles: false
diff --git a/index.yaml b/index.yaml
index d14f002ef8..6bb7639dab 100755
--- a/index.yaml
+++ b/index.yaml
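Review bot: The commented `custom` example shows `tlsKey` supplied inline in values, which puts the webhook private key into the Helm release record and, typically, into whatever repository or pipeline holds the values file. The comment above `custom` already describes the alternative (pre-created secrets with the names under `secretNames`); I would extend it to say so explicitly, e.g. `# Prefer pre-created secrets; anything passed under custom is stored with the Helm release.`. The "base64 encoded twice" requirement for `ca.crt` in the same comment is easy to miss and would benefit from a pointer to where the README explains it.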
@@ -13547,6 +13547,46 @@ entries: - assets/rancher-wins-upgrader/rancher-wins-upgrader-0.0.100.tgz version: 0.0.100 sriov: + - annotations: + catalog.cattle.io/auto-install: sriov-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/deprecated: "true" + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.30.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: sriov + catalog.cattle.io/upstream-version: 1.2.0 + apiVersion: v2 + appVersion: 1.2.0 + created: "2024-07-17T20:37:56.489788732-03:00" + dependencies: + - condition: rancher-nfd.enabled + name: rancher-nfd + repository: file://./charts/rancher-nfd + version: 0.15.4 + deprecated: true + description: SR-IOV network operator configures and manages SR-IOV networks in + the kubernetes cluster + digest: 72e0382dff3231bd1fcbcb93a0f5e8238df0c083767a99ff1b2192a518f099af + home: https://github.com/k8snetworkplumbingwg/sriov-network-operator + icon: https://charts.rancher.io/assets/logos/sr-iov.svg + keywords: + - sriov + - Networking + kubeVersion: '>= 1.16.0-0' + maintainers: + - email: charts@rancher.com + name: Rancher Labs + name: sriov + sources: + - https://github.com/rancher/charts + type: application + urls: + - assets/sriov/sriov-104.1.0+up0.1.0.tgz + version: 104.1.0+up0.1.0 - annotations: catalog.cattle.io/auto-install: sriov-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index 97dc61223f..ecbe83f902 100644 --- a/release.yaml +++ b/release.yaml @@ -4,6 +4,7 @@ rancher-cis-benchmark: - 6.0.0 sriov: - 104.0.0+up0.1.0 + - 104.1.0+up0.1.0 sriov-crd: - 104.0.0+up0.1.0 - 104.1.0+up0.1.0