From ed7b34e9b111d0fdba0d0b055b477da42c5120d1 Mon Sep 17 00:00:00 2001
From: Lucas Lopes
Date: Thu, 28 Mar 2024 12:00:43 -0300
Subject: [PATCH 1/2] Emptying release.yaml before release
---
release.yaml | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/release.yaml b/release.yaml
index 334f50c882..8b13789179 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,14 +1 @@
-prometheus-federator:
- - 103.0.1+up0.4.0
-rancher-logging:
- - 103.0.1+up3.17.10
-rancher-logging-crd:
- - 103.0.1+up3.17.10
-rancher-monitoring:
- - 103.0.4+up45.31.1
-rancher-monitoring-crd:
- - 103.0.4+up45.31.1
-rancher-pushprox:
- - 103.0.1
-rancher-alerting-drivers:
- - 103.0.1
+
From 8c788cb2841663a84c658ecf614bc9a4117eb448 Mon Sep 17 00:00:00 2001
From: Michael Fritch
Date: Mon, 11 Mar 2024 12:00:38 -0600
Subject: [PATCH 2/2] [dev-v2.8] Update sriov version to 103.1.0 (#3602)
Signed-off-by: Michael Fritch --- .../sriov-crd/sriov-crd-103.1.0+up0.1.0.tgz | Bin 0 -> 3466 bytes assets/sriov/sriov-103.1.0+up0.1.0.tgz | Bin 0 -> 20132 bytes charts/sriov-crd/103.1.0+up0.1.0/Chart.yaml | 12 + ...vnetwork.openshift.io_sriovibnetworks.yaml | 79 +++ ...openshift.io_sriovnetworknodepolicies.yaml | 136 +++++ ...k.openshift.io_sriovnetworknodestates.yaml | 159 ++++++ ....openshift.io_sriovnetworkpoolconfigs.yaml | 66 +++ ...iovnetwork.openshift.io_sriovnetworks.yaml | 111 ++++ ...ork.openshift.io_sriovoperatorconfigs.yaml | 91 ++++ charts/sriov/103.1.0+up0.1.0/.helmignore | 23 + charts/sriov/103.1.0+up0.1.0/Chart.yaml | 29 + charts/sriov/103.1.0+up0.1.0/README.md | 73 +++ charts/sriov/103.1.0+up0.1.0/app-README.md | 13 + .../charts/rancher-nfd/.helmignore | 23 + .../charts/rancher-nfd/Chart.yaml | 14 + .../charts/rancher-nfd/README.md | 10 + .../charts/rancher-nfd/crds/nfd-api-crds.yaml | 361 ++++++++++++ .../charts/rancher-nfd/templates/_helpers.tpl | 107 ++++ .../templates/cert-manager-certs.yaml | 67 +++ .../templates/cert-manager-issuer.yaml | 42 ++ .../rancher-nfd/templates/clusterrole.yaml | 119 ++++ .../templates/clusterrolebinding.yaml | 52 ++ .../charts/rancher-nfd/templates/master.yaml | 159 ++++++ .../charts/rancher-nfd/templates/nfd-gc.yaml | 74 +++ .../templates/nfd-master-conf.yaml | 10 + .../templates/nfd-topologyupdater-conf.yaml | 10 + .../templates/nfd-worker-conf.yaml | 10 + .../rancher-nfd/templates/prometheus.yaml | 26 + .../charts/rancher-nfd/templates/role.yaml | 19 + .../rancher-nfd/templates/rolebinding.yaml | 18 + .../charts/rancher-nfd/templates/service.yaml | 18 + .../rancher-nfd/templates/serviceaccount.yaml | 58 ++ .../templates/topologyupdater-crds.yaml | 278 ++++++++++ .../templates/topologyupdater.yaml | 156 ++++++ .../charts/rancher-nfd/templates/worker.yaml | 152 ++++++ .../charts/rancher-nfd/values.yaml | 513 ++++++++++++++++++ .../sriov/103.1.0+up0.1.0/templates/NOTES.txt | 17 + 
.../103.1.0+up0.1.0/templates/_helpers.tpl | 85 +++ .../templates/_webhook-certs.tpl | 31 ++ .../templates/certmanagercerts.yaml | 41 ++ .../templates/clusterrole.yaml | 109 ++++ .../templates/clusterrolebinding.yaml | 29 + .../103.1.0+up0.1.0/templates/configmap.yaml | 25 + .../103.1.0+up0.1.0/templates/operator.yaml | 98 ++++ .../sriov/103.1.0+up0.1.0/templates/role.yaml | 125 +++++ .../templates/rolebinding.yaml | 44 ++ .../103.1.0+up0.1.0/templates/secrets.yaml | 20 + .../templates/serviceaccount.yaml | 15 + .../templates/validate-install-crd.yaml | 19 + charts/sriov/103.1.0+up0.1.0/values.yaml | 64 +++ index.yaml | 49 ++ .../generated-changes/patch/Chart.yaml.patch | 2 +- packages/rancher-sriov/package.yaml | 2 +- release.yaml | 5 +- 54 files changed, 3865 insertions(+), 3 deletions(-) create mode 100644 assets/sriov-crd/sriov-crd-103.1.0+up0.1.0.tgz create mode 100644 assets/sriov/sriov-103.1.0+up0.1.0.tgz create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/Chart.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovibnetworks.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodepolicies.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodestates.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworkpoolconfigs.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworks.yaml create mode 100644 charts/sriov-crd/103.1.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovoperatorconfigs.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/.helmignore create mode 100644 charts/sriov/103.1.0+up0.1.0/Chart.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/README.md create mode 100644 charts/sriov/103.1.0+up0.1.0/app-README.md create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/.helmignore create mode 
100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/README.md create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml create mode 100644 
charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/values.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/NOTES.txt create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/_helpers.tpl create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/_webhook-certs.tpl create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/certmanagercerts.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/clusterrole.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/configmap.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/operator.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/role.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/rolebinding.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/secrets.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/serviceaccount.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/templates/validate-install-crd.yaml create mode 100644 charts/sriov/103.1.0+up0.1.0/values.yaml 
diff --git a/assets/sriov-crd/sriov-crd-103.1.0+up0.1.0.tgz b/assets/sriov-crd/sriov-crd-103.1.0+up0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..121101825beeaed063c98cf093a72efc11702780 GIT binary patch literal 3466 zcmV;54R!J#iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH+lbK^Fz`E_ZnO&`AbrbA1x z#YQ4kl5*m&?SKDt{VfvH zdlZs#b^@clEgz*PXspcNT_zO?LkTKCIJ-TUFyI2j1MXR_T3d_M)HucyAaNX0&uDgQ zlo9W=_gkG-`+t+Tt$(*(d-dPFoBF@PC=Q82xofU5RF7Odw0Mk626UiWl>cV#(0+PP zR*V)U{(pFM)SmbMy@R9ne(nF8fURb;IcNVQrud|g>Az&_;e*tUGwN(TQ0AY&St1pW zZc*|?czBKj%BV5%2o>>(B07jH#1sIJGbMN!qG%40wH}f__7fWVC=Bt5>$O`4t&a9w zfoAv}jZi8Q#V5d$Fx&!|@wFK<%r)388Kb9p7z&=m=|Cr&Ze7v|p9 z>{%@EwauWNJrxoCR3hL5Pyv-7Fcv8FW@3yB=70}?FyQ^)(Nitxq0nSN20RIUZE7PF z3Iuw5$moA2v?VBRCN(imEzqP)p=UUZTUwNgwKtuJZq+Y zx(v=pgy9*H_{A4MYg#t7Vyi8|YzSOLwpyFHkp-rl^_utAUX0$HZ#8%%CVd)G*S$siIh(=Np43O}Y6Chb1%xs)acs$D0o`m`Hi8d`r(>E*gx*y8 zV{>1dKT%w)v~KBIPj=)IDJOV#3qwdf@l+||1-dMn=1Sn1Bx(|6S79p~qvtDOsdwAG zzR&moA4k+fu&SFzK|B4OWUvk`z^pdGc7Oi^#f&tc%FkDk7I0 zxneQtj&~X47nL^AyweO9=cjjiYC%VOrN=Rvh%!@B-e1TToQ5HP%)A8}43#C{*l`pH zjnRPeX6(^M3(j#slF--yOhzpi0C^SEWQgNlHp?n$JN6!_@`6k5mlhJ;GdQ=oy2f5o zL5M@*jT<`+X(;+QYE&1?4tCs_5L>CRmbZRHO60jczdVJ=NHV)70}@Kddf3_eoQFsj zBepJ&E0~p5;AdS)YuqLEp$Zy1(D-=wN&nD(!$fJ9F?D}fL9wU;$JLK_pBz_d-*K_~ z!%Ee+O3JG4yI-^?-(M`DMU>GfiB6!CGo#+chUS!S78s&`A8@IzP?gLb@q{TDY2+qD zl}3aYuRo(+4@2}67iA_e#RO^oVFTS&_iVX$wL~gEw8132b;piZIyjkbUIK^tu6@OaPue(0Ouc4t5RJxqU()8D?se4*H^!1g^ZXsFPk z<0S#RY#@kKA~CyP)@sm6fYrLr)CPvwM9drkQ|~m1xFX)eZc3|re)5z;)A7Fy8qbk5 z9?TTwg>q`VnU%Y_aBG$-jB?18GLsGxN=bGR;VZ zSXLxT65S8VnzvU;)JI`=68qo-5-)(8f^DU}(zX%{$^}*95o%i$de=rBMr zp#oX;3EtB7p@EN32Mi>xS8&+In6C; z{u-Rp-mhi5r1LA&>0Y7nYow^y_nnc&Lf!SPyS{bT_bcf78ZTbG={pT`85Hz%hRl5i#97$pR;I;0nv#BNDN7de`;8R|IJbfh(WqPGD z7MG&WAUGP_5;j~1t%7F7JW6hp%vs-BXwDdQZc8R-?z~yoRn*!D{qmZ2m5}{K!frv( zS&P5lhs3eD%tBSKB2v;JbDPQ{wNe)-J`-4#m^l(%3#o{B>!Gu*SXQ*Dt;A9J2DK8o zqAvBSqz2XOpiEgsvCKkAM9YvgLtifBmK%Sm-ii&rbojbby0j7dfI0aY~$3lG!P#*&_(*;t!ha+J 
zuLpyW6W#4X6B~Xx=Bx zlYvy*E%S-uVr<<$k=E!K{UgB^Tr>D7>7!t%^7~sEDf4t!`oLkXUalEj$H;nm*RtC| zUfXS+;3e?_%Ft5LtD8PTW?v2V;gPDqs5wZd%^}MzH_Pu~!?Pc*TSqf>#?D{XP0ca< zZ?KYie*Rze>p!K>|LFe~zyGs$*s1gXO~9Ma|2L8K7v%bd8Gcb-zxiywLJnVl@u$w$ z>wNvy^YzuT^oqIpSMs%=hOM z?eCA)L<0&*=YUxk|Oe|MK(y-=oJjw=Jg!B9tbqZZlSg2cv zb?dNh9lloUaNdI}b`TwbErWtaqCq|<7;$#>?R*d=?UbDhLd$Bsi;xWUTa$k=G zKQSKTV?P-V^H0FtZ;;tGUYGq|C zG|slJ^0wW5!&vYUH8M`V#Mhi_LAG@9NIf)rO*UJMY-HblaF7fhn<)ptnYGXrzqiMS zpLO_KaShF`$%lHo?sJI{Y8qJ!F2BtQ6E(H9j`R-w2%LqsJ=!OddYY_k!71}Wrnq}k zTw?OWB>@8jG9olI8Z!j)8yI`*X<)plAF&X|E4L+{70GF}K-1Iu)pLu4DH>raO17xa sh&8M9-uOx(rG(dKMwROP)~%o#YN(-x8r}l@HvjDc zVQyr3R8em|NM&qo0POv1e;YTFD2&hBKR*QymHEZ;sGApE?BRdC=TRg%(Gy$JN{W+R zZ;l4+21$&XKnFlm;>13m{rTb6_ZuZjcCy3^o9adv3WY+UssL1RhUubrG=ogIOE?ey z@&u*d@AnV(_SFCVen0>J;NW2Jm%-lt!K+uV_6~-_zw`&g-Gkk~fc{e;lP?h$ko~3q z=(h5m`-2on2o+FZO8BS)fCmK(=+yO~5CL*A?ZHS;2NNz}5R8Cg7sq4%n>iHTtn>>H zF@Yx-`6Iv}@n(pXRzvq8Vt9^-fWZiK1&dI(wBl_vM$Q5;jwu;|Z~y%b7`TH2x9{}9 zzkz`}{JZ@5ZRw{3&Jhoxhekj@baV&!k_$91{e-%I zozwFVfFN;4*)59JW3{b8ZpEHBtDo!0;h=Qs&jw|5Hr*PK#mb3NFWZpAmReC z&Wy?q%!CN}sMnifF^k5oN9VoU*W3UIgJ?d+WO_I4>2Wd79g9Z?dlE|v#FJu*yN0}q zJ2^*!_X0YlyvLb?>B8lUY3CL#?*xWx)X%^>IOd)7m~k304=E@mG%%n{k2+!*q7i^$7+_CL#!fP- z{att9_Wu@zeffW9>Q&{{;*p#Gh&bXpsNA2fMp@`7i(5$p2?3cBV<;FK8hDuxkMT z4!A|j5$F=?BZtudxyd|NlAaR5XyAkaBuaS85<>*tlY7hsw=d9Sf;=$--7|XS&5$1j z<{Kw|bw*F_krxSMK2gnAwT^`67uwWK%IQgcbcF)ssmH&6?f?KM6HKsJ>dwguhnXh; zF!Wo58S;-KhRM`miOKYIN@)C8qbMh*`6}DkHDYs~ypr8hYvsv($PniVb(8n?RGvdA zPrI3K(p^3!xmS8NkHAOJ?Sfxdz~q4=-U_J_w4}H^Um(V?k4B&?!A+tdD0$3~7N-{s zP4N8)bdx1OzD5L&19a%mvFg>4MlwKb1ST-xlAAn&zr*ALirENsdo&b1kKo=I6Qy(L zCF@#A;cn97Zl|*aPUmonz)zQ_984$!~+5wu}{{ z-V8Dy5#&1+>!18i!08Aq)Z*=oBOLg{{&2Vd_rb6OG&V6Bq^J5=}7|lKfh9jiIM& zMI5n98lYI{!s(QuDHQ0M+Hcis)7Z1D|62bOXdVWVlD)I@>ys;2+>14~(PaM*_xd^g zZ?C_9u+jgXqkNBqHH^Tyosd2X1G-eR$cQ2^UIG>og2_}(%?S+xdME#qGYJxDX?4C) zW}qhm;1KZp@4&s(wyb+*&2aGfGngU)LhAEQ=PhLb`aYHu4+a1eE|{K%98dyg^iGPA zh@&bqb*ID7LVXE)W6Q^?oeoS1Ks`C?!0-poO5D4%bO93k=5K;ub7%vrJ 
zj?b=ST`9$Rh`epLb2~&#u=0Hy@&`PI^Ns4t=uP|aO>m5fqJd=8gBZ`u!xfPW875)^x_{-)UwJnNOE=n{ z+sc1tcrZ1%a{d^ftsGc2z=m6NtpJWu(0-8BN6851dzL1;{%zdZ;FGif1F36u|JDWF zo9^lpjLzqjXoPudgmra|@eBoXm(R3!dn7d-OuQiS8@uajgc_@J<7<0o8g)}#X6SJk zZ+ysiFbs2^tk}Vx=wYc(K7rpNDo~C-MJQUU@tyHq8(H9xwo0F=p=6it**;l@C`VaBUaN&)Sau$zOW-iQ)O z((675fa8;^z$GEXa=3C`` zF5lNk?}JF?q?@NqDH?W?YaFtZGTC%aLwcP4SJ3~BA?Zk?ZB14{gZ@92N51Iyx8(**w-*`m6wOz3w?JkI8mTLE} z+~o_eTjsq?K*|1(-pKL3Qe&zJB3mFh051Z})nD5Zy%-4*aMv^Xu!4{yqp6}+ow&-6 zXql-|OK0n@y|EidUlYNrx3~Uyr2q4{CG+dQ?74B(Y7JlwXM&p6|G`1t|95b(x7q)B zmSQXkNPO_3{ocoRQaQcfv7I(f2o>Okdjvx`#sL->arf}z)EL;@{Q+{&P45gSqkPa! zVA#Vr*=hju-BTG4V&>l=BF&&KwEoLjgze>ArHID3$by zUdtVn$#;n+=1kVAR1X)Izds!8<<|fGgM-0l{eO;< zmWpf)Jr_n|Mj8H>n#W50&&Ws39+xyIlaDRD&M7ym6okMy!6gi(H#B@6#18*YfMDWF z`*}|SVo_klA`J2Oj7A|JfsftpujW*oJ&zAQs>7|^yjUPMRu890bay~k+7I&oJ1D%F z{1Mt8QRqW~)MqW)2&rFa;$_*#FbsJa0DT~nBTLM zg9L?u-fWJDaFkh!wKKI%E0vsA)?P|PscxnI9%JHTGHpqDtJfOedQ-deNG@(8$tAhf=FV~Lkp}9edXck9lNI+aXHb69oNFHnQA0Ho9k8_%GHY% zs6i?I&=FKOnYz`O@*NolNfS-cuyW?7PnGMc-@g2|W9g?JsG-omG{5NIiie(xs>sLU zd5J1p{BzTEfzjRb(p0wimC$r!8GeCMWB(at>hWe^)A|4X{rvg=SHr>P{{OR-hYPXq zG<$qyW*`laac32!?ql$?La>HP9UhJUi9BIsoo@dsa{wszvNbsf6K~w=$Ubgusvg$o zQJ>okU_B;ZY^dtc`qJ~fsubkE!g>zFH3kD{+W+eh_w)Y0;pYC=^OQ`ukXRfjCU_6S zGAR&+A!P#j4#A#-ecrL}Pl-Um4c_acn_qtU@M_Q>f$r=6>jN;@e+|K4f6wb?YYq3m zzqxvQF?^k>I4-L==zo9n%d0_O)=uia8kW`7P2ZgD_WLmceSiOTS=~Je_noZ%9~sE6 zck{J9baO=2B{I0cL4a;fUJv@t(SIBt4sV9)zvSz`55eH|>%TXC{mU;Ojt}=z-|epO zUAnz-tM5`D4B`*Y7TCw|W**${-yBgwkSBg|Bu<0<@h%wj2kM`_>Z4vk2Z_^;$Y zUg-y~_V@d*Z-)1Sen0u*)qWogUiTG+|0AGN?A`o^e01|4@Amfl{r=6quG@bl0q@Hu z4%EgnMZ+$_#@8oRC=Hi zgGL1uvG>`vI#Z&{m@|+o9@^LfhrVyG3C<8haRizq=7$8b(oJ#;!s7h1iRtkWNM0%) z%vm-J(gZ;fG2{~J=R^BgyG2pg^&~3<$hroLRwWEWp3wVP-T0OquqJ;%JIiZLMyDNF zhExDHJ^}-MN=uVXnRqI4(!035rsFd5dm+_@sW}>>L%dy5b@~4%wS{Aj%%q-J$a8rA z6M+ke13d`4yMOHfV5PJ{C`D&kf(&kr*a2XB4L~7UR%*aX@1~?F_!<;1Bqf*3QgF@P zK0*Hz&Vz=kpFkeE@k(oS(~-)mu+3cPX^n9Dj!`|n>6#7b7B8|rY*NS)GE5m3%cB5t 
zu0ff*V!GQN!zylr4bEjQ-Kv0wNtCaLPfS}>l&c(wsw->q)07<30kRTGCLxQ!=g*^> ziULlvNSNRw`FLtIOrJvjA_@X~Q0;VbM#Tj~92w7#E}8v|^yA+m#6=-`niobRsY1_l z&*x~a;xP^S{r5Qa4v|G3bv-aYA6_5*aC3I}{^aW7@aUv0zS~4$qFC z5bq>lStI7Ds*SiGpL{qyI=Q)c_tW>MXHQA;bU?Irw9kA|(~+~2>z~grf4sRoxjO&p z^62F1=Jf3UJvq8QzkH(p6ymKl_NVwoO@GcWPA(56_Hr(kBi|@&^22Otbaa09_VoLk zG*&xr&{`pM!vNj`uXI$AI{Hze4?(HGgXZpu=Q%tw%mDhae4Cg^p{Fh z3u}Hh4rLYile5F`-ksbW9=|`mx;i~SlOuh7dH(L*$z}Vds&)KSY=Y7$_@!5ki}T~k z>9W4|D+c!6$>G(>&4-gqN%(4NTYDlKC87*uvIc&4dUkVhc>P2BF-(GvRzW{{_tVw& z$>q)Ue_mA2m?GRHUTGfigTk1V0H_OTR@M|13!6yh#yi+MDiq*ROSK^v7kXTM_vH&JoUi> zrEACA@aZ-@hD??CNS%JA&)JoB0EPxcNf-RsX_vH;oc4_$S+7|785dBXNfhwaF`82% zwKq(ru16W7+~iXzMbQw}d{f%g6p4gv>LhV%TEuthK$F{`o_f6rCNRMNLgg4n*4tN# zRrMj2dYag490?#ApzL4vI>d@2RC21n3YXl;{-*H>Fi-waCqN%^TIoT@`~O%%Wla-2 zJDJ-9tvlme+LDG<{8-&^kg{TB43HNwESA-+=O%B+@B#;Diu~$%qd|I<2y`zzO1NM! z7Sj1i%PVJW_4wt)cFjzvmkHl`lrkTaH2;5FNqfb~{M#xDuWyDGZ+XK%%FJpWnJ=x0 zeVJ0G|F7-fw<%5M|Awy$`~L@n&HdkJDam}d2Y*|Oia+8;Z~J4v58WMW)1Sg2=Vv*d zF4uvz4)<52aIG}3O$l%wKZK7zpuYCOdidI%(6*AY)lJmXsT`>`^!d_q^UqT9>%Z|b ztknhBbpNYAEaZRL#Q%S$(&X+hi8kDBPoeZ;!IchVwD#Cl3RrRB%m$?7@3~ab5tx8e;r=5%ISq2*9fB#@NAOGoKcXw|i|DU5&NUw~3 z_Xjle@;IFx_zO0UR z)msdD>fq$*cjk^sS7*h1FdzfwjQU6)`duTyD***s6TAyb1AY8%O#mMYCVPvf2#rB9 zMWFKTP^u=LfEnaJqNQ#9g`ii0VKN2owyF33%ORMlB3P7e+1?E*`%7c>&CL$@2C0*(@Wrz%j^0GY;F4~@jsIiDzFh=)|UZR95=3)C1* zC`0KqkSd9Q&a@U^e5&nU>W?+de=Yyr84BiDB{^RM%zSCm|MqwD@_)F0@M~l0!r2-Kvwdoh_3IREGfIfX`46fN4O-`g#;5(;dK200mwk z5JE9aJ%_~aYypC%I%V{WP@SPgzE0l!zqVa)t}}k9FC|JKL@FZ?ay#zv)yWu!g<1V;IeboCS z7}I+GU!EKuzdv#3{*$!PF#q>=4-RtkfADI!iU0I0Wy|JPE+m2e0R?lQ6619`&2>P? 
z=mPtQ14saZdDldcwklDrL@!W@ zh^B~xkEtx5asmJKh0Pb8y#(u1PsPCTP$+m0-3vr~C#lkdA$HVLsoV6thzmMTe0jZX zmGk&xjKJ0Lk4a0Z%+#^FbHd;pNu-lU+`rwHge#+0jyxP-0$@6Wsm;V(J!Iwvu-eTz zC0Jl}a80M{v!PvLLZ2R~d#frPx4!*}e4R_p?Kt2<4!I&k6iylRWAt=j2@tC5LIB+( zFA{Jp2RH|&7Ru4tX$uevllPiBnGm-rZpz}LQj2pTzl#%J5hNTaRN!K8bgA=R70~E7 z;L0w2dbngWY6upXiAYh>PY*|OMo{fb9%Js&1!5e0c*}u~muz#@A@D)N0Pl6YUhv|> z`)&OhMO=C4jW(KmNhbhuPCcwLW?j7Hs=fs7L88)hCvOD>X|q73bk~%$N!?)>G8!^j z9b9<$(DxbQ96+w#UQ#ObH89y_`J~*gQZw~GBJAB>2_-zXwzj|pLkfA01>&8KlP1z) z;0|8>t>b8Eve?yMoEmLfKJ0YVtF(x*$~N~H4uzgC;Sxwa7K|~0I(gTUMhxhCMx)L@ z{_&5_H^7Tn0GtWGdIuZ|rbyhFY^8Aqc?R!XJy#=+m^v*+gqpUprv7IRJJxiy)S3^N3 z6YOCafRBm-cW5jroyZ=Wk#$=WS6|n!l&1>0WC-Ht-)Q<;+B>A;$SiOieG=CpNdhP5 z4q{RDf!pgy^$MdqGiQ*WoZ{+y1EdJ{L|v0pB=qq~McAz^yDUK|VFhBm(>W!8GT#sl z;(#(myJV8uyrucoCuSv^!IB{4^UlvmXV%9=sD$=Nr_i3zAfR{3?#rRzYU;q@cB{}0t} zT2|UGf!5Y@a4Yx4B%m>+fown-)$+lKs-0iq;}-0OmE!!E@@79U*Kl&ND%+VJ4Moo* zxHrZ`zEM}N{4NRtBzP4<*1Hj3HOaS=CY(gD{zf zzEqc5L@Rv14UFT(1=n$UeZ7clP1W=yp8Zl#VWADb9dI|p-b^`gePj}{3Mv(wPs6PpbY_Cs28CBQA~2_d3GW(b;MHzUru0jz{qJjzq{PyI_W=GY}#s zHAA^Hp?kq#yn13H5Su_L66H74=Pt;O7rGC%u_UN82x9F@^$lG9cruK8pcY;dEWsQ> zlaCwv3rM756LADQD0_D|Lkt0lE)D~fGLN_dkjJ+KQ%V%3CTXyCtGnPQE)Ao*83jI7 z){a!NOtN8Xw5m_!JLoSk*PTk-?y)0X@~mYH^P1;WGmp+gN)Qoz)ad}Hz%vdwBq{w* zj;&-7-j+4Y!j@ViGm2HJNju^60&drB2OQd;@sN#|s+IE$R(@<#CPup=F@oMqE&m;r zw^`RVbqv+HuB_e|z2To?tI;X@@!tlCcYoZA_-d^m2i;4oy3g zD41ZqOTy#fSGVW@pV>soYD?U>hDYEZt41w*BUps~Vc4LS%qkUqZd&ljn*jsKxEO#m z)aH8UCNa^JBjHZ+pqw3w{|u%n>r9#rYL*#HC0TsxNn7Ac%l^N_>%W>RyvOuX;E;*m zQ?|=9o&VV%6!O1s&i_15$sCdyc3>P2V+0m`cd+LUIw|{Q1in2+0(pXi8D##Q6vv5d zw(;sR(x=Krxzhnk$UuLAn7~}g2bz}k5m)PngrSefxZvB)jLy*rlr5@p3l7Iq-c!NQ z3@pbA$z|sjE$=AvmHV^!HuX$(6I0T06bg<;p`#B8r6x)zzG~(?0xcaK5QgfewQ6=@ zhrx`(6ODi6{9ouZufO_95Rg&qmay~Ge-2ou1j=;AC1f1>wJTWQmeZ5rcg%*J+ULfl> zP!&u$Guz=H8tT}3bd)OcD_WwRS=)@5L^~r5M0v~_vsM&tLK#XA@ zjX<~Cv8Ng{4`U~1=4nTJ$E51>R#WaU#3OZvrPI;=<53)}bp*Dyw!pugy*+l`A6{Lb zTslYRXK$UW>%+@y=lI+?JHK`=Pu`z@IQe&VMQIBVdJ&BS%x5EgY{fiQ=79=RdS;Rw 
z`p9>Q%4xV`{<1PDmFRE__=qf1-}#8()Q9HJjP4bGYJD{(Ix6_sT_EC9<_weww0tw@ z?${SYsk+(c!x)gJ*tNQoo$Z#AzCX{fK<_XYBhZ~t+D)2Y67K>rO#Kn)4rlhoZ9u0Z z^BVvFeg7D<9}x5r%R-kg15N`v6_g7fvEuuHPQQcRtzghYhhmg@k$j{EH-5!$aj2W) z1$g=kF=L3&XyA{)FnPBafqv?*IrXE!1by9-kIv4oPewU=#;V}fK=PLa&anrBUkdrOpK z%(7H^i{nnDp1g4D(Cc#oQi+#iW0Q=)V4ugYwzPJx z)-*7K+!(_Fz0-y}$$qSeF;zPl<~2itEj5e19Jt9?F+|YaF@k=8iR?tbvCRzFehN_B zzz7U26f*G-Lwo@l3<4BjK9@~M=~yN#PR@>tqGC(=NUo1AfU@qC36>h%K!v2SJ4_x` zCc6!9>e@|+5qRByE!&ka;y>m{FzoRQ`)tqw+S(?b8t6$P^>k{uWR`Y7PToifkP}_M zrt-F^S!t{j00H`f`5{eHir)4pe_cC-Wv=-q{lVsXMf7#L1YnBPksvb50) zd`80&_z1d(@7{HR&Akcza}q2sDHU>-nJv&nKCy@#@-s?gg^buzFMi^ZMuQmJ^pSZx z->$SPKs$uQ3^4$0O<-=1q|^ev9jGOQ{+($xMPoTlpdW9F=Rj&o6-LDJxm=0uCSD#H zZKk`X_Nl(}Ce;|(s_R06!okOLRTNqCT zLH#A2OtNxeHOhR~eCXN$7P-3NN+! zol2+t{CJlP@x##X+);L0VeR~Ue)(gwwc}Bi=#DvCz&@@phyV`|3QvhZYypE2I7n19 zqa0ktX{uom{F-T{{ME*;c$8hCx#6p`D>5OYwzRlTKJ>x}`=fN{G_~#|A4)A+srWWI z1E34pi2!=HamYJE5-0@2<4BB;5$tK!qQgM*{u(;u#{ix1!Z*U?$YDSdeIOG)LklDZe?7o~tNk1r3; zj?123ot%_DzrH%UC_caXzNFEstCP})CA7b~I@v9Kx>x?R6htYE>*HT;zW?duD%<&( zcYd~97xT`o6x>0Im2UNwgdm$9Fo}fMRI0aTeI1kgRiW!pgn;-tGn|t`n>x2BG zx%s*?ip}_WOB={oVYNL7H|NtTGB!dcFeYo@_A>Li?WbPc^Lk zQyz^?c>40MlJ~jqBR*cW|AofUB>!Yms56;74?P0v!8BXVD81$SB%hyKeDrDfR9$V8 zC2NUUZ-K9(QmX7odRsni)>`vTX)nfcnmASBc;nsq(liK|QCZ_&q%$GKlWM+n$kh6< zQyK5$DqGnm0iK6}*_ehvC0m36I6OPnvKb&YPHJNsL}^h6#zK=@XP*S_;v(-r{M^k zs9TYr>swOMJs;2%vOJ`kI_1|aLiJ6B4{eIj8xgTFjoW%F+4gg>BKM#)A8w{{h>0@6 z)CXk8nlT@{=4gvFf4jfdBg}m90BkRhuixz+9j-72oIj+U@x)zy30_03?2SeNabOS>9c}kH`HIP0@Xr8hsdskj*Kp8+wCd zK%tL(tz`OBzwzOHIU`cP z^b?Iq3trR*;wU$};SWIk^tcRx3Gyj}-5t>N5D}EukS4{2Ohp48`P{D8%_GJpHgj=ecp1w^~ zQ)FMi;L+Hzs^vDoBnwgBzfF`>p*BK=x`m%pOl#HBL$WMrq;>i#Sb528$r3>Ah~Wid zj)vp>(zM{G@CZFzA$V74UfWe=lk|1}^+BmvQOqoDw9-Xm*e@5p-ehmSiKhKwr$pLGR zO8@>lP*KUi=g)8A6k;|;bsA_Yt=4LG=6aX1;vzyrMBJC9<7v{n-JBk~m5StGS1yKw z{gT1091k#j*oY)zLytx1VMqV1#zCEV_qsk>u(194sK?I-{W4ml#9u*0H;1$v(3BCuC@$V!dcC zQ1#{Kcu2?FGgW+sqP!of2l|YM4t%ppK0!P((cFYIy 
z2$YR|N^dURu`M}rR&g*aPDNBaPPI8Z)#~h&J&y9TeWK6tjFaO&f`U1`MF0zcAjgQQ zgFHUHBj%Q7q^{TrsxBHV!9_xNbqX6Jt{eFud_rpr976NhC=~yTKPbx=Q`MI6z z^NaI$=imRQ^V7xgVT=0;Ti_Ng!5e*@OU^^H%78c8|3D`xM${*z(Y=bBYz5zzy8Q7{ zzBF&ZgweTjcbGs>rXD0#`%_G+?r6?pc)C3!UIR*RISBBrVLwwRcd*DugAw@Xh0(9+ zXTuTrs0U}qw%60T_hDS`u}&fPGcI_+KlG?vN)d6tCM?!N3M zpj2?(W6VaNw}7k{;Bn8qsXci8mFNjt9oU@a-3V$m=6N|?HXmzL<%|F~%rD+zGDR$8 zm{@hRGgZ^r3Jt@NCD#_7P-5VCjt^!v6Lm8$HuIwGyr{X7lhtgtz5Y=foJ8W8c= zQb*vDqi#;1{+r|cJ1`faB*l4W3tXQcpO3%-F*znuZ>~(1S%x54rDTiL~*=28APR7c!xRKNktry!+HJg zN;RN(+vWrp+A&ek5)wpWH6dhlE^W@J^b6zUkW~EAHSZQ_4CPx<}#-b=8+^O172OmKk2GDL6Yk}Tc~jlj#E$`ICj z**UonZB(GN7srHLGW8sDU*B9SDZ~tLbxt5BsjSv;S6|&%J61ORTKb+n_#_nz;(>!* z^%KvpqR9l`gRYYRvndiZx<}e!1miX)kz5Xbi(r5!82JE(q3Vd+`59^Gs=knI$WC!E zMjn*Q2d8tC4q>9YueK5N#R#=_+CaXTgBK=J)A8Artg9j+g~;1>JEs#H2SEezC=n17 z8?Q?*HX;+ZKC;Ef92gAG~MnhY*+PLv!iw^O0GyVfR2r;{T)=3!ADw2QO6`x z0dy1fN1ZkH=zOf=VrbdD()?2Zbq4^*F-9Sng{h`1Hr2||IR2=ZCM#9Dl4528r)GxQ zgEOH$AlI|QOf_9gsW0tki2A5o$q#9E)xT|Akx$B)k{#*(tqZz0-G|60oqfW@6>5vJ zO%^8M*r3j;8`-36^&NI~*2l)`+$ibq;tXXeK~e~|qH;ngm9Zh6PzcnO7ca^-zGvO7QZ zJ1IKGrK&aYt%+j;=(Hw;{?5%h3C^lkl+xO+*|tfzW_kRbVvIZpssv7XBX(G2xhe@Q!jlt{4@v!T+;+aFC1tI2`UB3^x9s=P3C#DbV@< zt^2wpm2#RLbe>R?TKNbufhX950+l7ckAsdW9xCKgZlgvUyH)AZJVa{eNxQ($D%#-D z_@Br#J6n`ZAu-8p&5nf$?phYw(o^E z0u#*4Wem)dSmVC(4@4YU<5#On|9>z>0liZmsfo%NG7keJ5J8+j3Ke(N;Q^mNyL{n& zkw$Gs7gt>^QdCsGW|ZrY@`ij<7J4@`1OqX<2^k&h(Tb~f0Kl9_h+U$|DB1E1kM0yCL7z<%tjI!?WZcz8lX5o4z zY~CDrS{A8lZH>&5Z(lLz^=GEmARmj1oo^?z0UPxoUr1+YQ?8yvjq=k>pX{Z0P= zXDQA4-xjz+C=P9(mrXWdYLX44$5AlRiFJBgV@d@V42B^l(_|j-&K7V$yhA6y045iY znJDu8Pd2NDp!WDT1V@Kzq7*6+dY7qW;Ix*lWlOT%A05Ug!t$#?(%2g1egd>ks-_3!DKxPrrii8bddTcS-Nz~lKfx-{M*iz%PDO}( zP&$Yv`~TH`F8}v%u)DXvk^j$8$~SS?7<$&NsrIdsxuRadNX#fRliR(0&9m}JGt4Co z%H-3^3R@?8_fBEl03e7rEI$E)iI0c?dlD3j0-dS_hFD!JGg_nyPn(>I>{waFlV3e9 zpipN>7l@5bohj0pokJ+Rnfj%bN^MMHE{aW&i7zRp(!oe+RNC$&34E4$pztq8!33Ig z^lAEHyB?*?$0R*u#kSS{W3B-LI&IMcwpIX|Pba54oDPP)0 z<_lcG`K$Ba)XTHn)XQ+$3(DeGWqD#6IC=XkVbiJi6)|R$0IUR4WXmV#EFT4Et*b;0 
z>{_jHHT`dliI2&2&HF!l2Sxk;)yDpRmh!~<-*=i}zB)CK2FO^HcHY(WtYb~fwD^2@ zKa7>EB%OwPmD!YE1$503Ekm*T&R2cMpW4gUc8 z);hU$&1%<|%il6f=2-p3%_ivV19)1K@2h&mW))Y;nZjW9VgpM207DsK7nuo zqmWv-b^E#2^YI$a)@LPvI0n2~d*5Mlo5_z<5m6=IjqFeqgFcj#+1&O+EJYj}n=dow zwRqIy!YdIO4AY!u25bbnsoAI=xk-*}@cHwo@LIrWN&_joAl1#ca*@h_U4WOQ$Ijvx z;DtKWcfsg5m-7wXTLw*vN9S`${QP4FbXEMZF($pjVYqy{HwSbb==v z%hjODUfiN(1K8EERR=MO=oTb`;U$6vhQTok;PMK2l=$3a3QkI>Qty_()wwt}EVW^& zxRkQgert{bU;=RvF?5}zBFt2fL!3!T=_IRw4l~xCEi&!uRYS7hYQR$=&T?%GD%vn# zq~0L1$aYCrJUc%=xj8$0f06;B;@`bxHf2_dau@}EeBh<1?T9MU!Al)$1o@(-L?^FSEV;3O)fe55-b~q#{pi$@jMAo8qv=K=RU| zg0Cew$wwui+DRSL7l~=DN2#P;UC&8v-8eABZgi-+S3X1 z9b_`*w<1&dh^14sH;=o=i+^pOgpil!GoN3m9O(TTK~{`HmNV zS~8!rpi8L{@PewawFSP5gUjszA9Eeli}@gFOXP$_*=#`05xJB;uon z(8!p}C_wyyG)^Bosz<$|vB%DpCGjqlno%(~mc(f-$2f{0$SF`3D zWvyfg(u!Z1=9g|_L4#!kE#oi>7rtNYfZ1a3SIKry^T_vis#u#tRjAt zOdgG2E6g-~^G?JjvNn@cpQz4`SpCh>N*XoOM_-3{55rN3(eO~md2tZ1K=Z1k{;89d zC4&b*s79`=R+U#Z9keqcM<$f#!~Lq2u3Qt=Gv&v%fj%GVM6GHn6@fHqEghEhAq{@% z-JRyrV*gL?q(0gHUw?0Ju%F-m8|-fG|36EqJxuZFQxi_^@Yo7Fj1N2&@fB_^D!d9} zXX<@{O~t8~-B3)loxzvdTvXKg;v0)oFV(;NI6cdTV&&#u<&l@Ox)U$5_=MZNC39Hk zEoNN&jK%B+%EcKHuh9cl1)9wR(+FY^cX_c`YO@J3l8jZ_Gxxo z*X$~{$r@rPSdu$Lm$D2Zwg(M)L`=0}*0J*0JN2GfSC5R@tRe^+=l@v( zLTIQ;nUME*{85EN%lU7E!9Cmhf3TVV&r+UY{-=27>zwr_j$q|nPrd&mPVw5(V*V!? z!ydQ?&@lf8`~AKA{2v?)H}n5FO3r(e8tY`6bqid?kHLFNu%OJ|(E~5u>+SRHjH7?9 zYhf~VJ<1T}u1DvI=l_EG2F@3{8D8fe-m7#$q^J|vBUYwnjdQ-#Js(ov5blKdA;s}| z0td_}v4~~7K&gzHeS5Y@@8kBeCs9Ln!ZrJhdov`7I};)k!S1T)@Q)+(v<$CVl+h)- z2q*U;L!75$!Tqjws;hIN>;M`f233;CQ)2Q(^AY&iEyQ%DNXv{V85XM4G%W?KcA&M)%;&)xQnk)3_L7k#v@~87&@#of=f+i zvGoUT`O>_;DaF!4{u}0axC+=L|NF)GAA7@B8~OhnrPTjt zx)+eDOC&kE6%GzR{8;yT<8YRbZ%K^9wGQ#~go}Lgv2Gyd^9}kJiF&ybM?8PH#wQ>B zVppDaz*}YYe(IU~q;7&IAF^`NJGgco(n9|$oc&||Y9|5e^}pf4t5Sj?iaI&zS@mX62_5)aK05xf^hLC_n#ex*ZFC6O(hDIyB&IKqK%(t*V? 
zweJoF?yv*&rVXa#8qX0Ia2}2TiGm=>4_2B3!Yxf8VcicVTUkYt36ku}Yx2pZ+!F8F ze4}0mn2R4PtGv@$G5`pJh{2!=Red{cMw!SQ2T;N=QAqX4o}KoTMD(GbNq z(DdF{d=9`~Z(0ms5YFJB6Q5OxZ~xH{k;9AA54%^H#{l?q^p^zbt zi01IzeJv`dC7{aL@2X`SF)qg>3REbX1!4j)W zVMh^S4wrx-*$RkA3Z6b3;ez*+A%MvwJHhO9_UL>b5iFKHHHq*z5|r_tj}|ECaXfV( z^JZ8ePcGm+IeQiAL``XT?r+7T@@)oJ?Tq7sVKPmB^dFsTX#Bse6uvTXCf! zEGn9{FCb%ZnR@;&N(z_l(k$^`lprbe?A1^?`!x_b!{l3oHFukFD?m;$2!JVuvLZ-g zw*!znbpfZ|EfPC9i27dM4)8GoDrq}IZmvqXMA8KcJ>+HYa_An~s@2qptDKSvEhkG2 zaq8Ms0OK|#;bP2{pi{&wYpK5bhJtbpsd!hzPf1Zi;t>$!e8vnF0;1}o7rBa8s_D{q z6*DUPIzJn9@hH#7C(PTC@=Iad z=R2wxr4*U3fm0@w&7l~{b@pJdp&hvvPcxCNlk&AOR2AK7DHcM8h*9e&DwV5`o21E5iv{cH|n!5D%$7K~x1;>K5q^15C7%g{@!zic@pAirZ-26X{B3*t#fy(WzW@IE;^bGn{pll#=C}H?<6L$gNbk`bM%mvgoH~<-2bnWkK)n6dL_vYa59Wu#H0)giW04) zt174`L3iMV9&>3>`B8xUZ8hwMqf$Iv19Xl_#4~)Yu#y&p;-eTbz#>AVRq{WDvpg6= zFB2J}Fd$!!v5pLK4MIr@1>27rCTJ~@(v~PJTbpf>I4O`b_&h-m(2MEqle%Pu> z^k|hHHi!Wykt-GNYZ<6U#e0Mrr{1lmk5$p36hS@ZO6~a)e9JH`Hs=(42&q@f`0rG< zq~&dj!?>VK#eTApdvXrQ;l=@(l#K(jWKL8$T%N$y((HkHoO`9to_LVKS7{utPrj5{ zw<`&ljSKnDp{prb>u1`yYkH2;_ zROElKM{ecA%x#6$&;PGG{^wwK_aJ}%e>mLR#D990lFzSJe)hj1j}Jt1O0Lj)()i?K z@P1vFi|hsY5-b}p3i^sp96d$4pXX29Q$m3+p2nvHCr}p1F+Vb2Hp9;v@6CcgQ`(<= zzaO6isDeK>8G$M?0%h7dJU+fWxw=|Ub4tB&XOxT6i?~{K0;2rDRi`7;`Q824es%N) z#+#mO%UM9y3-DN73k#6Q)U*#>`9(hMP|X^tQ95mz^oR!tg{66q8sL_sLMmjhE@@zw zH)K$1?B87+6jm;(P5o1~op=qd>tGIW+YaVic)4;1D{}L$F;ntd^CYh~OY%clKuKQl z7LzGrA;Y9(+(YVfXOh%-Y?Ed(>QMAjXf!dNozgl?yAv_|M$&84>m^e^TW3uuUI{4B zF=nZx?I{>r;Mio4H`SHwLqIU--C{BY<0Y8lh5QAH0T4nltLUBj*zqxY(}=wT%938^ zJCV+Qolky^oOe4Lj@O5YQM0wxRu#4Ps8xHDYKTph+FMYoYAYJF_N)~IvGRiL zL9N=;&-#?hF9TLp_cICr24}A)^G9M$QKmG7~bw5GK_EZ<9gjE&x z3f&}3c|i9KoJK-PdMVD{r(td;Gj6`?FZawToQYBJ;XH>C5NLss6ui8sHnH zkp#woxDh`q*%I({1tK8Pp$J#pm(IuyYYy|B-M#YrQ0}XxAC~r6Cf^Mub3xH=ed^&! 
z)BViUrT*5w-$_w{K>N$h#Of;N=iB;T`T74g@}$l>UrB@N9hDc$KpP|`=?Z$VG=Rme zT}g@Yz^fu3-AH(hhi)$NJiy4hCM}YfETxK3arDxsGX2AxUCo#^HB$EeI0WIgK-XBt z#YH~ZIxB-6NAljfH}(OZlHrv&=H^#Lhw9xy&aM$J)HZNuoJv1wn^EU^KB6!_ zKAzeJ9P8lpGYdSN#e99%BESp@>dPe639DyExf zxnmQSw~LkJa1N;=vxR@VKu&JEN>Q~7lIPsQTOGt|u?TS!g5maW79JShuBm_ge+k19 zE0lqh$gx|~om+n=-mG=LA_~P8SnTz491e@Ky7?9LbD8J%u30AJT~uq0s8bB?LSZSW z3jwQD0%1QoV~hr{;|y&DukHuZ@f%SbGm!yADYwn8gv7EB@nQkI#{fP=X7K&^l?4Ey z!TH!4<0CcN(Bx1>^P9OA@=~tSL+0FETTXQf!Yt0#b@rE7E7B1|Cvw)w%RHLn{{_%q z_Mp21Wv>1wKD%Rl-HroQP&2-*B!3tgg4XI*>X$a!yzW(yy~85b#&JWflajYD&!K9M`8u$PjjKS&g5SB93fXaqO=qw4>WU2-BuslsmnViB?@_-HY-T(D_Bk&{=l%KwAj zQ99v=_2@itLkQFdKvM`1@QHa$_-0;1^8qYjdIkZ%b@e@1E)B=wzEQIHB`MDUj!T9_C<)u<+WR zuy83_(o0L(u-==C0Utl*jc6Kib4GiSJ zF{j#Y)4s?r0UtWeuGoo98X0$VP4QE{Hvl}fmO1UFTy2UxdRh>t;+kJp$}^t&2-YB1 z>R6Nql%xr8`M3L5OkmNwu=DW0k9QtyE+BDAM^%%EO-my#sDR{@icDcpRDtdI3pqHpXjHEkH06Q_b}D|^wKx@j*EOHf zvSd7}$OPX0GHfy=Rs6(f#|Md3l@dw6yYq35MAjsI1YKK}ZAuT2k9PBtKjfi|0d1O6 z{_ekd7{ZcMjr0hQJxF5DGdX{m<><$td>Z^_Q2wlI`H}4Do`U+x zTgyKwG$E8dk4TfSXF<`x+@=O*dMK}U@~6xnMss0um6CCx?CShJDe2Z^` zn@53Jo>(eA9cfNG)R9hIt=xn3o1U|0zB-uplZ=I-no)%e@5h=oocXYk#T`xFVQF3x zU2|F1kEN60Jz~+j`^%+$h$eggXJjQyBQ{mr7fjl#F~AQi6lrcb1xtDcntVr#BM;Sm zc@RN%ix3-rd$>%$RA-fo0!xp}QGUEk;OwDe_Al+pvWU2U?|iMM#wgWt+T-cswt@tP z`6pu8P=R>sI*~eAPbX0>r_Q^d#?f3MWJC^_5YF>bQ3}zM^BtX#!+N2H5uwLEV5byt zkga4=2etXA^de0i5dXPM5#nd$EzjzHC-qbCs87;Ap`S*?%UV`xk%9FdNU_v}QlLHp zz)!Ej(bA#UH7z#6VH*w?IxY^*9%bl^9?@XF1fM^B06f|K(9$DVm7F(*SOIws;D%`N zB%E~}MZ>r}uDz3WMw$p+S_8Q}VfA++kbypKuB|@PR{9FaM*NP!e2b&!VL{w%cZNQB zI&45cfoC$4PQ5rNgqzhHlVRkrDZy`2`A%1Ok`5au5bEoj9Fzzbyj;!V3e$}F=NU86 z^Adj2Im20Nj7xiI>eSDByNcB5S*)pU3fq}VITCy+UR@20{OMSgTUP4rR>7J5V4#+M zKp-4F543|EA(-{}3qqO~icd74`=D6rH{a`YFC7Q>P-ZzAw1pwtq|p9eBu#pn9V6LM8K;YzDh>RR{CuwjKpGRd*>uv zXV!6Az!Kvzwy=hW0Uft2Go#_oARzxJy>9us1jbH)`$T#m2|EqCs39lT5a`>Kb93wN zr8mdi|3JWlpl$L$KM7DzmBld3Nej*`u{?1LlWA*nope>LNYB6JB!9VhoZeRJyjZ&? 
zL0mXsmK@}13u zY+D*zXwQ-Df2tN13S;+0wE>V4+S*OS=&cJI|^2 zvrs|STaF?pO$-wm+>mUTn%nr_%_ihc$ODAXhzX~qS$-AflYrSr0Zj6N(9lJhPD%4T zX4q^&RnX!cWrgHo?1TC%3;#NpKl=41(sl)jimucvx6IdX^=9Q+v88MrnM6LrFK{`v zfV`bY#6sL_+;Y{-^ATVqKam;9_82+>;;*D9jlGk_oT%sTmIx13bsYyQ9`mj73zo%) zN6~T4jMxit!M>BpFJ;E6SkE}&+SwpdqRQ4=e^}mQRQIk3=N$c3=j<8j(dSa-AWkt9@ocgD#J9G=1dl#c`<+*GPBIf%oSp3L8bG=U zyxCN;++Wz?*k-ffYSor7-J4_C@YXmU+P<8546Sqqt>MU!49rh_QLwBH`5{UWjlT}rSs zRntC%?_8>M>S=!6dAa= 1.16.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: sriov + catalog.cattle.io/upstream-version: 1.2.0 +apiVersion: v2 +appVersion: 1.2.0 +description: SR-IOV network operator configures and manages SR-IOV networks in the + kubernetes cluster +home: https://github.com/k8snetworkplumbingwg/sriov-network-operator +icon: https://charts.rancher.io/assets/logos/sr-iov.svg +keywords: +- sriov +- Networking +kubeVersion: '>= 1.16.0' +maintainers: +- email: charts@rancher.com + name: Rancher Labs +name: sriov +sources: +- https://github.com/rancher/charts +type: application +version: 103.1.0+up0.1.0 diff --git a/charts/sriov/103.1.0+up0.1.0/README.md b/charts/sriov/103.1.0+up0.1.0/README.md new file mode 100644 index 0000000000..b34d479bd0 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/README.md 
@@ -0,0 +1,73 @@
+# SR-IOV Network Operator Helm Chart
+
+SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
+the lifecycle of SR-IOV network operator.
+
+## SR-IOV Network Operator
+SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
+
+SR-IOV Network Operator features:
+- Initialize the supported SR-IOV NIC types on selected nodes.
+- Provision/upgrade SR-IOV device plugin executable on selected node.
+- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
+- Manage configuration of SR-IOV device plugin on host.
+- Generate net-att-def CRs for SR-IOV CNI plugin
+- Supports operation in a virtualized Kubernetes deployment
+ - Discovers VFs attached to the Virtual Machine (VM)
+ - Does not require attached of associated PFs
+ - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
+
+## QuickStart
+
+### Prerequisites
+
+- Kubernetes v1.17+
+- Helm v3
+
+### Install Helm
+
+Helm provides an install script to copy helm binary to your system:
+```
+$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+$ chmod 500 get_helm.sh
+$ ./get_helm.sh
+```
+
+For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
+
+### Deploy SR-IOV Network Operator
+
+```
+# Install Operator
+$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
+
+# View deployed resources
+$ kubectl -n sriov-network-operator get pods
+```
+
+## Chart parameters
+
+In order to tailor the deployment of the network operator to your cluster needs
+We have introduced the following Chart parameters.
+
+### Operator parameters
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
+| `operator.enableAdmissionController` | bool | `false` | Enable SR-IOV network resource injector and operator webhook |
+| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
+| `operator.clusterType` | string | `kubernetes` | Cluster environment type |
+
+### Images parameters
+
+| Name | description |
+| ---- | ----------- |
+| `images.operator` | Operator controller image |
+| `images.sriovConfigDaemon` | Daemon node agent image |
+| `images.sriovCni` | SR-IOV CNI image |
+| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
+| `images.sriovDevicePlugin` | SR-IOV device plugin image |
+| `images.resourcesInjector` | Resources Injector image |
+| `images.webhook` | Operator Webhook image |
diff --git a/charts/sriov/103.1.0+up0.1.0/app-README.md b/charts/sriov/103.1.0+up0.1.0/app-README.md
new file mode 100644
index 0000000000..4dda94a833
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/app-README.md
@@ -0,0 +1,13 @@
+# Rancher SR-IOV Network Operator
+
+This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
+
+The chart installs the following components:
+
+ - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
+ - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
+
+Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
+
+The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.
+
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/.helmignore b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml
new file mode 100644
index 0000000000..a45c4dc393
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: v0.14.1
+description: 'Detects hardware features available on each node in a Kubernetes cluster,
+ and advertises those features using node labels. '
+home: https://github.com/kubernetes-sigs/node-feature-discovery
+keywords:
+- feature-discovery
+- feature-detection
+- node-labels
+name: rancher-nfd
+sources:
+- https://github.com/kubernetes-sigs/node-feature-discovery
+type: application
+version: 0.14.1
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/README.md b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/README.md
new file mode 100644
index 0000000000..16b5254d53
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/README.md
@@ -0,0 +1,10 @@
+# Node Feature Discovery
+
+Node Feature Discovery (NFD) is a Kubernetes add-on for detecting hardware
+features and system configuration. Detected features are advertised as node
+labels. NFD provides flexible configuration and extension points for a wide
+range of vendor and application specific node labeling needs.
+
+See
+[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.14/deployment/helm.html)
+for deployment instructions.
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml new file mode 100644 index 0000000000..6866c7ffe9 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml 
@@ -0,0 +1,361 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeatures.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeature + listKind: NodeFeatureList + plural: nodefeatures + singular: nodefeature + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeature resource holds the features discovered for one node + in the cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureSpec describes a NodeFeature object. + properties: + features: + description: Features is the full "raw" features data that has been + discovered. + properties: + attributes: + additionalProperties: + description: AttributeFeatureSet is a set of features having + string value. + properties: + elements: + additionalProperties: + type: string + type: object + required: + - elements + type: object + description: Attributes contains all the attribute-type features + of the node. + type: object + flags: + additionalProperties: + description: FlagFeatureSet is a set of simple features only + containing names without values. 
+ properties: + elements: + additionalProperties: + description: Nil is a dummy empty struct for protobuf + compatibility + type: object + type: object + required: + - elements + type: object + description: Flags contains all the flag-type features of the + node. + type: object + instances: + additionalProperties: + description: InstanceFeatureSet is a set of features each of + which is an instance having multiple attributes. + properties: + elements: + items: + description: InstanceFeature represents one instance of + a complex features, e.g. a device. + properties: + attributes: + additionalProperties: + type: string + type: object + required: + - attributes + type: object + type: array + required: + - elements + type: object + description: Instances contains all the instance-type features + of the node. + type: object + type: object + labels: + additionalProperties: + type: string + description: Labels is the set of node labels that are requested to + be created. + type: object + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeaturerules.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeatureRule + listKind: NodeFeatureRuleList + plural: nodefeaturerules + shortNames: + - nfr + singular: nodefeaturerule + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeatureRule resource specifies a configuration for feature-based + customization of node objects, such as node labeling. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureRuleSpec describes a NodeFeatureRule. + properties: + rules: + description: Rules is a list of node customization rules. + items: + description: Rule defines a rule for node customization such as + labeling. + properties: + extendedResources: + additionalProperties: + type: string + description: ExtendedResources to create if the rule matches. + type: object + labels: + additionalProperties: + type: string + description: Labels to create if the rule matches. + type: object + labelsTemplate: + description: LabelsTemplate specifies a template to expand for + dynamically generating multiple labels. Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + matchAny: + description: MatchAny specifies a list of matchers one of which + must match. + items: + description: MatchAnyElem specifies one sub-matcher of MatchAny. + properties: + matchFeatures: + description: MatchFeatures specifies a set of matcher + terms all of which must match. + items: + description: FeatureMatcherTerm defines requirements + against one feature set. All requirements (specified + as MatchExpressions) are evaluated against each element + in the feature set. + properties: + feature: + type: string + matchExpressions: + additionalProperties: + description: "MatchExpression specifies an expression + to evaluate against a set of input values. 
It + contains an operator that is applied when matching + the input and an array of values that the operator + evaluates the input against. \n NB: CreateMatchExpression + or MustCreateMatchExpression() should be used + for creating new instances. \n NB: Validate() + must be called if Op or Value fields are modified + or if a new instance is created from scratch + without using the helper functions." + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. + Value should be empty if the operator is + Exists, DoesNotExist, IsTrue or IsFalse. + Value should contain exactly one element + if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In + other cases Value should contain at least + one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressionSet contains a set of + MatchExpressions, each of which is evaluated against + a set of input values. + type: object + required: + - feature + - matchExpressions + type: object + type: array + required: + - matchFeatures + type: object + type: array + matchFeatures: + description: MatchFeatures specifies a set of matcher terms + all of which must match. + items: + description: FeatureMatcherTerm defines requirements against + one feature set. All requirements (specified as MatchExpressions) + are evaluated against each element in the feature set. + properties: + feature: + type: string + matchExpressions: + additionalProperties: + description: "MatchExpression specifies an expression + to evaluate against a set of input values. It contains + an operator that is applied when matching the input + and an array of values that the operator evaluates + the input against. 
\n NB: CreateMatchExpression or + MustCreateMatchExpression() should be used for creating + new instances. \n NB: Validate() must be called if + Op or Value fields are modified or if a new instance + is created from scratch without using the helper functions." + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other + cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressionSet contains a set of MatchExpressions, + each of which is evaluated against a set of input values. + type: object + required: + - feature + - matchExpressions + type: object + type: array + name: + description: Name of the rule. + type: string + taints: + description: Taints to create if the rule matches. + items: + description: The node this Taint is attached to has the "effect" + on any pod that does not tolerate the Taint. + properties: + effect: + description: Required. The effect of the taint on pods + that do not tolerate the taint. Valid effects are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied to + a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the + taint was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: The taint value corresponding to the taint + key. 
+ type: string + required: + - effect + - key + type: object + type: array + vars: + additionalProperties: + type: string + description: Vars is the variables to store if the rule matches. + Variables do not directly inflict any changes in the node + object. However, they can be referenced from other rules enabling + more complex rule hierarchies, without exposing intermediary + output values as labels. + type: object + varsTemplate: + description: VarsTemplate specifies a template to expand for + dynamically generating multiple variables. Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + required: + - name + type: object + type: array + required: + - rules + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl new file mode 100644 index 0000000000..928ece78f8 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl 
@@ -0,0 +1,107 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "node-feature-discovery.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "node-feature-discovery.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "node-feature-discovery.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "node-feature-discovery.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "node-feature-discovery.labels" -}} +helm.sh/chart: {{ include "node-feature-discovery.chart" . }} +{{ include "node-feature-discovery.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "node-feature-discovery.selectorLabels" -}} +app.kubernetes.io/name: {{ include "node-feature-discovery.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account which the nfd master will use +*/}} +{{- define "node-feature-discovery.master.serviceAccountName" -}} +{{- if .Values.master.serviceAccount.create -}} + {{ default (include "node-feature-discovery.fullname" .) .Values.master.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.master.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which the nfd worker will use +*/}} +{{- define "node-feature-discovery.worker.serviceAccountName" -}} +{{- if .Values.worker.serviceAccount.create -}} + {{ default (printf "%s-worker" (include "node-feature-discovery.fullname" .)) .Values.worker.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.worker.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which topologyUpdater will use +*/}} +{{- define "node-feature-discovery.topologyUpdater.serviceAccountName" -}} +{{- if .Values.topologyUpdater.serviceAccount.create -}} + {{ default (printf "%s-topology-updater" (include "node-feature-discovery.fullname" .)) .Values.topologyUpdater.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.topologyUpdater.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which nfd-gc will use +*/}} +{{- define "node-feature-discovery.gc.serviceAccountName" -}} +{{- if .Values.gc.serviceAccount.create -}} + {{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.gc.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml new file mode 100644 index 0000000000..ac2e51fc11 --- /dev/null 
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml 
@@ -0,0 +1,67 @@ +{{- if .Values.tls.certManager }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-master-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-master-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-master + dnsNames: + # must match the service name + - {{ include "node-feature-discovery.fullname" . }}-master + # first one is configured for use by the worker; below are for completeness + - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc + - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + # localhost needed for grpc_health_probe + - localhost + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-worker-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-worker-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-worker + dnsNames: + - {{ include "node-feature-discovery.fullname" . }}-worker.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io + +{{- if .Values.topologyUpdater.enable }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-topology-updater-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-topology-updater-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-topology-updater + dnsNames: + - {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} + +{{- end }} 
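Review bot: The Certificate and secret names in this file (`nfd-master-cert`, `nfd-worker-cert`, `nfd-topology-updater-cert`) and the `nfd-ca-issuer` reference are fixed strings, while the dnsNames next to them are built from `node-feature-discovery.fullname`. Two releases in one namespace, which the `master.instance` option in master.yaml suggests is a supported setup, would collide on these objects and on the CA secret. Prefixing them, e.g. `name: {{ include "node-feature-discovery.fullname" . }}-master-cert`, needs the matching change in the `secretName` entries of the deployments that mount these secrets and in cert-manager-issuer.yaml, which uses the same fixed names.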
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml
new file mode 100644
index 0000000000..f3c57acea1
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.tls.certManager }}
+# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
+# - Create a self signed issuer
+# - Use this to create a CA cert
+# - Use this to now create a CA issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: nfd-ca-bootstrap
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nfd-ca-cert
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ isCA: true
+ secretName: nfd-ca-cert
+ subject:
+ organizations:
+ - node-feature-discovery
+ commonName: nfd-ca-cert
+ issuerRef:
+ name: nfd-ca-bootstrap
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: nfd-ca-issuer
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+spec:
+ ca:
+ secretName: nfd-ca-cert
+{{- end }}
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d4329338be
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml
@@ -0,0 +1,119 @@ +{{- if .Values.master.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - get + - patch + - update + - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + - nodefeaturerules + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - "nfd-master.nfd.kubernetes.io" + verbs: + - get + - update +{{- end }} + +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - topology.node.k8s.io + resources: + - noderesourcetopologies + verbs: + - create + - get + - update +{{- end }} + +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-gc + labels: + {{- include "node-feature-discovery.labels" . 
| nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get +- apiGroups: + - topology.node.k8s.io + resources: + - noderesourcetopologies + verbs: + - delete + - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + verbs: + - delete + - list +{{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..8e3aef83e1 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml 
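Review bot: The `-gc` ClusterRole grants `get` on `nodes/proxy`, which gives its service account access to kubelet endpoints through the API server on every node, and nothing visible in nfd-gc.yaml shows the garbage collector needing that on top of `list`/`watch` on nodes and `delete`/`list` on the two custom resources. If it is not required I would drop that rule from the gc role; if it is, a comment above the rule such as `# nodes/proxy: needed by nfd-gc for <reason>` would tell the next reviewer why it is there. The `-topology-updater` role grants the same resource and would benefit from the same comment.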
@@ -0,0 +1,52 @@
+{{- if .Values.master.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}-gc
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
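Review bot: The gc binding's subject is `{{ .Values.gc.serviceAccount.name | default "nfd-gc" }}`, while the nfd-gc Deployment in templates/nfd-gc.yaml reads a different key, `.Values.gc.serviceAccountName`, so setting only one of the two leaves the ClusterRole bound to an account the pod does not run as. Neither place uses the `node-feature-discovery.gc.serviceAccountName` helper that _helpers.tpl defines, unlike the master and topology-updater subjects earlier in this file. I would write `name: {{ include "node-feature-discovery.gc.serviceAccountName" . }}` here and `serviceAccountName: {{ include "node-feature-discovery.gc.serviceAccountName" . }}` in the Deployment. serviceaccount.yaml is outside this view, so check that it creates the account under the same name.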
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml new file mode 100644 index 0000000000..e77ca136c0 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/master.yaml 
@@ -0,0 +1,159 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-master + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: master + {{- with .Values.master.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.master.replicaCount }} + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: master + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: master + {{- with .Values.master.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "node-feature-discovery.master.serviceAccountName" . }} + enableServiceLinks: false + securityContext: + {{- toYaml .Values.master.podSecurityContext | nindent 8 }} + containers: + - name: master + securityContext: + {{- toYaml .Values.master.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + exec: + command: + - "/usr/bin/grpc_health_probe" + - "-addr=:{{ .Values.master.port | default "8080" }}" + {{- if .Values.tls.enable }} + - "-tls" + - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 10 + readinessProbe: + exec: + command: + - "/usr/bin/grpc_health_probe" + - "-addr=:{{ .Values.master.port | default "8080" }}" + {{- if .Values.tls.enable }} + - "-tls" + - 
"-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 10 + ports: + - containerPort: {{ .Values.master.port | default "8080" }} + name: grpc + - containerPort: {{ .Values.master.metricsPort | default "8081" }} + name: metrics + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "nfd-master" + resources: + {{- toYaml .Values.master.resources | nindent 12 }} + args: + {{- if .Values.master.instance | empty | not }} + - "-instance={{ .Values.master.instance }}" + {{- end }} + - "-port={{ .Values.master.port | default "8080" }}" + {{- if not .Values.enableNodeFeatureApi }} + - "-enable-nodefeature-api=false" + {{- else if gt (int .Values.master.replicaCount) 1 }} + - "-enable-leader-election" + {{- end }} + {{- if .Values.master.extraLabelNs | empty | not }} + - "-extra-label-ns={{- join "," .Values.master.extraLabelNs }}" + {{- end }} + {{- if .Values.master.denyLabelNs | empty | not }} + - "-deny-label-ns={{- join "," .Values.master.denyLabelNs }}" + {{- end }} + {{- if .Values.master.resourceLabels | empty | not }} + - "-resource-labels={{- join "," .Values.master.resourceLabels }}" + {{- end }} + {{- if .Values.master.enableTaints }} + - "-enable-taints" + {{- end }} + {{- if .Values.master.crdController | kindIs "invalid" | not }} + - "-crd-controller={{ .Values.master.crdController }}" + {{- else }} + ## By default, disable crd controller for other than the default instances + - "-crd-controller={{ .Values.master.instance | empty }}" + {{- end }} + {{- if .Values.master.featureRulesController | kindIs "invalid" | not }} + - "-featurerules-controller={{ .Values.master.featureRulesController }}" + {{- end }} + {{- if .Values.master.resyncPeriod }} + - "-resync-period={{ 
.Values.master.resyncPeriod }}" + {{- end }} + {{- if .Values.master.nfdApiParallelism | empty | not }} + - "-nfd-api-parallelism={{ .Values.master.nfdApiParallelism }}" + {{- end }} + {{- if .Values.tls.enable }} + - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + - "-metrics={{ .Values.master.metricsPort | default "8081" }}" + volumeMounts: + {{- if .Values.tls.enable }} + - name: nfd-master-cert + mountPath: "/etc/kubernetes/node-feature-discovery/certs" + readOnly: true + {{- end }} + - name: nfd-master-conf + mountPath: "/etc/kubernetes/node-feature-discovery" + readOnly: true + volumes: + {{- if .Values.tls.enable }} + - name: nfd-master-cert + secret: + secretName: nfd-master-cert + {{- end }} + - name: nfd-master-conf + configMap: + name: {{ include "node-feature-discovery.fullname" . }}-master-conf + items: + - key: nfd-master.conf + path: nfd-master.conf + {{- with .Values.master.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.master.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.master.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml new file mode 100644 index 0000000000..ec67a114e5 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml 
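Review bot: The `nfd-master-cert` secret volume is mounted whenever `.Values.tls.enable` is set, but the only template in this patch that creates that secret is cert-manager-certs.yaml, which is gated on the separate `.Values.tls.certManager`. With `tls.enable` on and `tls.certManager` off the pod cannot start until the secret is supplied by hand, and with `tls.enable` off the `-port` listener is started without any of the `-ca-file`/`-key-file`/`-cert-file` arguments. A comment above the volume, e.g. `# requires secret nfd-master-cert: created by cert-manager when tls.certManager=true, otherwise supplied by the cluster admin`, would make the dependency visible. values.yaml is outside this view, so the defaults may already document it.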
@@ -0,0 +1,74 @@ +{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-gc + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: gc + {{- with .Values.gc.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.gc.replicaCount | default 1 }} + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: gc + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: gc + {{- with .Values.gc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ .Values.gc.serviceAccountName | default "nfd-gc" }} + dnsPolicy: ClusterFirstWithHostNet + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.gc.podSecurityContext | nindent 8 }} + containers: + - name: gc + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "nfd-gc" + args: + {{- if .Values.gc.interval | empty | not }} + - "-gc-interval={{ .Values.gc.interval }}" + {{- end }} + resources: + {{- toYaml .Values.gc.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + + {{- with .Values.gc.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.gc.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.gc.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml new file mode 100644 index 0000000000..c806a8e5d9 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-master-conf + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +data: + nfd-master.conf: |- + {{- .Values.master.config | toYaml | nindent 4 }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml new file mode 100644 index 0000000000..9867f5089c --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +data: + nfd-topology-updater.conf: |- + {{- .Values.topologyUpdater.config | toYaml | nindent 4 }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml new file mode 100644 index 0000000000..61d2a481aa --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml 
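Review bot: In nfd-gc.yaml the Deployment takes its account from `.Values.gc.serviceAccountName | default "nfd-gc"`, while serviceaccount.yaml later in this patch creates the account as `.Values.gc.serviceAccount.name | default "nfd-gc"`, so the two only agree when neither value is set. Setting `gc.serviceAccount.name` alone would create an account the pod never uses and leave the pod pointing at `nfd-gc`, which may then not exist. Reading the same key in both places, `serviceAccountName: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}`, keeps them in step. The gc ServiceAccount is also gated on `.Values.gc.rbac.create` rather than a `serviceAccount.create` switch like the master, topology-updater and worker accounts; the gc RBAC objects are outside this part of the patch, so check that they bind the same name.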
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker-conf
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-worker.conf: |-
+ {{- .Values.worker.config | toYaml | nindent 4 }}
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
new file mode 100644
index 0000000000..b9f4b46405
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.prometheus.enable }}
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ {{- with .Values.prometheus.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - honorLabels: true
+ interval: 10s
+ path: /metrics
+ port: metrics
+ scheme: http
+ namespaceSelector:
+ matchNames:
+ - {{ include "node-feature-discovery.namespace" . }}
+ selector:
+ matchExpressions:
+ - {key: app.kubernetes.io/instance, operator: In, values: ["{{ .Release.Name }}"]}
+ - {key: app.kubernetes.io/name, operator: In, values: ["{{ include "node-feature-discovery.name" . }}"]}
+{{- end }}
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
new file mode 100644
index 0000000000..c71ede442b
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
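Review bot: `honorLabels: true` on the PodMonitor endpoint in prometheus.yaml makes Prometheus keep label values supplied by the scraped pods when they collide with the ones it attaches itself, such as `namespace` or `pod`. Unless the NFD metrics depend on that, `honorLabels: false` is the safer setting, because a misbehaving target then cannot relabel its own series. Separately, the PodMonitor sets no `metadata.namespace`, although the other namespaced templates visible in this patch use `namespace: {{ include "node-feature-discovery.namespace" . }}`; with a namespace override it would land in the release namespace instead.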
@@ -0,0 +1,19 @@
+{{- if .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ verbs:
+ - create
+ - get
+ - update
+{{- end }}
+
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
new file mode 100644
index 0000000000..d8025be9bb
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
new file mode 100644
index 0000000000..0d4789818f
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+spec:
+ type: {{ .Values.master.service.type }}
+ ports:
+ - port: {{ .Values.master.service.port | default "8080" }}
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ role: master
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..dae09503e4
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.master.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.master.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.topologyUpdater.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.gc.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.worker.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.worker.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
new file mode 100644
index 0000000000..b6b919689c
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
@@ -0,0 +1,278 @@ +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.createCRDs -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes/enhancements/pull/1870 + controller-gen.kubebuilder.io/version: v0.11.2 + creationTimestamp: null + name: noderesourcetopologies.topology.node.k8s.io +spec: + group: topology.node.k8s.io + names: + kind: NodeResourceTopology + listKind: NodeResourceTopologyList + plural: noderesourcetopologies + shortNames: + - node-res-topo + singular: noderesourcetopology + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - topologyPolicies + - zones + type: object + served: true + storage: false + - name: v1alpha2 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + description: 'DEPRECATED (to be removed in v1beta1): use top level attributes + if needed' + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - zones + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml new file mode 100644 index 0000000000..f51c10e6dc --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml 
@@ -0,0 +1,156 @@ +{{- if .Values.topologyUpdater.enable -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: topology-updater + {{- with .Values.topologyUpdater.daemonsetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: topology-updater + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: topology-updater + {{- with .Values.topologyUpdater.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }} + dnsPolicy: ClusterFirstWithHostNet + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.topologyUpdater.podSecurityContext | nindent 8 }} + containers: + - name: topology-updater + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NODE_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.hostIP + command: + - "nfd-topology-updater" + args: + - "-podresources-socket=/host-var/lib/kubelet-podresources/kubelet.sock" + {{- if .Values.topologyUpdater.updateInterval | empty | not }} + - "-sleep-interval={{ .Values.topologyUpdater.updateInterval }}" + {{- else }} + - "-sleep-interval=3s" + {{- end }} + {{- if .Values.topologyUpdater.watchNamespace | empty | not }} + - "-watch-namespace={{ .Values.topologyUpdater.watchNamespace }}" + {{- else }} + - "-watch-namespace=*" + {{- end }} + {{- if .Values.tls.enable }} + - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + {{- if .Values.topologyUpdater.podSetFingerprint }} + - "-pods-fingerprint" + {{- end }} + {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }} + - "-kubelet-config-uri=file:///host-var/kubelet-config" + {{- end }} + {{- if .Values.topologyUpdater.kubeletStateDir | empty }} + # Disable kubelet state tracking by giving an empty path + - "-kubelet-state-dir=" + {{- end }} + - -metrics={{ .Values.topologyUpdater.metricsPort | default "8081"}} + ports: + - name: metrics + containerPort: {{ .Values.topologyUpdater.metricsPort | default "8081"}} + volumeMounts: + {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }} + - name: kubelet-config + mountPath: /host-var/kubelet-config + {{- end }} + - name: kubelet-podresources-sock + mountPath: 
/host-var/lib/kubelet-podresources/kubelet.sock + - name: host-sys + mountPath: /host-sys + {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }} + - name: kubelet-state-files + mountPath: /host-var/lib/kubelet + readOnly: true + {{- end }} + {{- if .Values.tls.enable }} + - name: nfd-topology-updater-cert + mountPath: "/etc/kubernetes/node-feature-discovery/certs" + readOnly: true + {{- end }} + - name: nfd-topology-updater-conf + mountPath: "/etc/kubernetes/node-feature-discovery" + readOnly: true + + resources: + {{- toYaml .Values.topologyUpdater.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.topologyUpdater.securityContext | nindent 12 }} + volumes: + - name: host-sys + hostPath: + path: "/sys" + {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }} + - name: kubelet-config + hostPath: + path: {{ .Values.topologyUpdater.kubeletConfigPath }} + {{- end }} + - name: kubelet-podresources-sock + hostPath: + {{- if .Values.topologyUpdater.kubeletPodResourcesSockPath | empty | not }} + path: {{ .Values.topologyUpdater.kubeletPodResourcesSockPath }} + {{- else }} + path: /var/lib/kubelet/pod-resources/kubelet.sock + {{- end }} + {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }} + - name: kubelet-state-files + hostPath: + path: {{ .Values.topologyUpdater.kubeletStateDir }} + {{- end }} + - name: nfd-topology-updater-conf + configMap: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf + items: + - key: nfd-topology-updater.conf + path: nfd-topology-updater.conf + {{- if .Values.tls.enable }} + - name: nfd-topology-updater-cert + secret: + secretName: nfd-topology-updater-cert + {{- end }} + + + {{- with .Values.topologyUpdater.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologyUpdater.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologyUpdater.tolerations }} + tolerations: + {{- toYaml . 
| nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml new file mode 100644 index 0000000000..0e56eb5d1d --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml 
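Review bot: In topologyupdater.yaml the `host-sys` volumeMount (hostPath `/sys`) and the `kubelet-config` volumeMount carry no `readOnly: true`, whereas worker.yaml in this same patch mounts the identical `/sys` hostPath read-only. The container's `securityContext` is taken entirely from `.Values.topologyUpdater.securityContext`, which is not visible in this part of the patch, so the template itself puts no limit on what the process can do with a writable host `/sys`. If the updater only reads these paths, add `readOnly: true` under both mounts, as is already done for `kubelet-state-files`. The podresources socket mount is a separate case and is left as is here.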
@@ -0,0 +1,152 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-worker + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: worker + {{- with .Values.worker.daemonsetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: worker + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: worker + {{- with .Values.worker.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + dnsPolicy: ClusterFirstWithHostNet + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "node-feature-discovery.worker.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.worker.podSecurityContext | nindent 8 }} + containers: + - name: worker + securityContext: + {{- toYaml .Values.worker.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + {{- toYaml .Values.worker.resources | nindent 12 }} + command: + - "nfd-worker" + args: + - "-server={{ include "node-feature-discovery.fullname" . 
}}-master:{{ .Values.master.service.port }}" + {{- if not .Values.enableNodeFeatureApi }} + - "-enable-nodefeature-api=false" + {{- end }} +{{- if .Values.tls.enable }} + - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" +{{- end }} + - "-metrics={{ .Values.worker.metricsPort | default "8081"}}" + ports: + - name: metrics + containerPort: {{ .Values.worker.metricsPort | default "8081"}} + volumeMounts: + - name: host-boot + mountPath: "/host-boot" + readOnly: true + - name: host-os-release + mountPath: "/host-etc/os-release" + readOnly: true + - name: host-sys + mountPath: "/host-sys" + readOnly: true + - name: host-usr-lib + mountPath: "/host-usr/lib" + readOnly: true + - name: host-lib + mountPath: "/host-lib" + readOnly: true + {{- if .Values.worker.mountUsrSrc }} + - name: host-usr-src + mountPath: "/host-usr/src" + readOnly: true + {{- end }} + - name: source-d + mountPath: "/etc/kubernetes/node-feature-discovery/source.d/" + readOnly: true + - name: features-d + mountPath: "/etc/kubernetes/node-feature-discovery/features.d/" + readOnly: true + - name: nfd-worker-conf + mountPath: "/etc/kubernetes/node-feature-discovery" + readOnly: true +{{- if .Values.tls.enable }} + - name: nfd-worker-cert + mountPath: "/etc/kubernetes/node-feature-discovery/certs" + readOnly: true +{{- end }} + volumes: + - name: host-boot + hostPath: + path: "/boot" + - name: host-os-release + hostPath: + path: "/etc/os-release" + - name: host-sys + hostPath: + path: "/sys" + - name: host-usr-lib + hostPath: + path: "/usr/lib" + - name: host-lib + hostPath: + path: "/lib" + {{- if .Values.worker.mountUsrSrc }} + - name: host-usr-src + hostPath: + path: "/usr/src" + {{- end }} + - name: source-d + hostPath: + path: "/etc/kubernetes/node-feature-discovery/source.d/" + - name: features-d + hostPath: + path: 
"/etc/kubernetes/node-feature-discovery/features.d/" + - name: nfd-worker-conf + configMap: + name: {{ include "node-feature-discovery.fullname" . }}-worker-conf + items: + - key: nfd-worker.conf + path: nfd-worker.conf +{{- if .Values.tls.enable }} + - name: nfd-worker-cert + secret: + secretName: nfd-worker-cert +{{- end }} + {{- with .Values.worker.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/values.yaml b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/values.yaml new file mode 100644 index 0000000000..c3f372c798 --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/charts/rancher-nfd/values.yaml 
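Review bot: The worker's `-server` argument in worker.yaml renders `{{ .Values.master.service.port }}` with no fallback, while service.yaml in this patch publishes the same port as `{{ .Values.master.service.port | default "8080" }}`. If an override file clears that value, the Service still listens on 8080 but the worker is started with an empty port after the colon. Using the same expression in both places, `- "-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port | default "8080" }}"`, removes the mismatch. `imagePullPolicy` is also unquoted here but quoted in nfd-gc.yaml and topologyupdater.yaml; quoting it would match them.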
@@ -0,0 +1,513 @@ +image: + repository: rancher/hardened-node-feature-discovery + # This should be set to 'IfNotPresent' for released version + pullPolicy: IfNotPresent + # tag, if defined will use the given image tag, else Chart.AppVersion will be used + tag: v0.14.1-build20230926 +imagePullSecrets: [] + +nameOverride: "" +fullnameOverride: "" +namespaceOverride: "" + +enableNodeFeatureApi: true + +master: + config: ### + # noPublish: false + # extraLabelNs: ["added.ns.io","added.kubernets.io"] + # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"] + # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"] + # enableTaints: false + # labelWhiteList: "foo" + # resyncPeriod: "2h" + # klog: + # addDirHeader: false + # alsologtostderr: false + # logBacktraceAt: + # logtostderr: true + # skipHeaders: false + # stderrthreshold: 2 + # v: 0 + # vmodule: + ## NOTE: the following options are not dynamically run-time configurable + ## and require a nfd-master restart to take effect after being changed + # logDir: + # logFile: + # logFileMaxSize: 1800 + # skipLogHeaders: false + # leaderElection: + # leaseDuration: 15s + # # this value has to be lower than leaseDuration and greater than retryPeriod*1.2 + # renewDeadline: 10s + # # this value has to be greater than 0 + # retryPeriod: 2s + # nfdApiParallelism: 10 + ### + # The TCP port that nfd-master listens for incoming requests. 
Default: 8080 + port: 8080 + metricsPort: 8081 + instance: + featureApi: + resyncPeriod: + denyLabelNs: [] + extraLabelNs: [] + resourceLabels: [] + enableTaints: false + crdController: null + featureRulesController: null + nfdApiParallelism: null + deploymentAnnotations: {} + replicaCount: 1 + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + # runAsUser: 1000 + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + rbac: + create: true + + service: + type: ClusterIP + port: 8080 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Equal" + value: "" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Equal" + value: "" + effect: "NoSchedule" + + annotations: {} + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/master" + operator: In + values: [""] + - weight: 1 + preference: + matchExpressions: + - key: "node-role.kubernetes.io/control-plane" + operator: In + values: [""] + +worker: + config: ### + #core: + # labelWhiteList: + # noPublish: false + # sleepInterval: 60s + # featureSources: [all] + # labelSources: [all] + # klog: + # addDirHeader: false + # alsologtostderr: false + # logBacktraceAt: + # logtostderr: true + # skipHeaders: false + # stderrthreshold: 2 + # v: 0 + # vmodule: + ## NOTE: the following options are not dynamically run-time configurable + ## and require a nfd-worker restart to take effect after being changed + # logDir: + # logFile: + # logFileMaxSize: 1800 + # skipLogHeaders: false + #sources: + # cpu: + # cpuid: + ## NOTE: whitelist has priority over blacklist + # attributeBlacklist: + # - "BMI1" + # - "BMI2" + # - "CLMUL" + # - "CMOV" + # - "CX16" + # - "ERMS" + # - "F16C" + # - "HTT" + # - "LZCNT" + # - "MMX" + # - "MMXEXT" + # - "NX" + # - "POPCNT" + # - "RDRAND" + # - "RDSEED" + # - "RDTSCP" + # - "SGX" + # - "SSE" + # - "SSE2" + # - "SSE3" + # - "SSE4" + # - "SSE42" + # - "SSSE3" + # - "TDX_GUEST" + # attributeWhitelist: + # kernel: + # kconfigFile: "/path/to/kconfig" + # configOpts: + # - "NO_HZ" + # - "X86" + # - "DMI" + # pci: + # deviceClassWhitelist: + # - "0200" + # - "03" + # - "12" + # deviceLabelFields: + # - "class" + # - "vendor" + # - "device" + # - "subsystem_vendor" + # - "subsystem_device" + # usb: + # deviceClassWhitelist: + 
# - "0e" + # - "ef" + # - "fe" + # - "ff" + # deviceLabelFields: + # - "class" + # - "vendor" + # - "device" + # local: + # hooksEnabled: false + # custom: + # # The following feature demonstrates the capabilities of the matchFeatures + # - name: "my custom rule" + # labels: + # my-ng-feature: "true" + # # matchFeatures implements a logical AND over all matcher terms in the + # # list (i.e. all of the terms, or per-feature matchers, must match) + # matchFeatures: + # - feature: cpu.cpuid + # matchExpressions: + # AVX512F: {op: Exists} + # - feature: cpu.cstate + # matchExpressions: + # enabled: {op: IsTrue} + # - feature: cpu.pstate + # matchExpressions: + # no_turbo: {op: IsFalse} + # scaling_governor: {op: In, value: ["performance"]} + # - feature: cpu.rdt + # matchExpressions: + # RDTL3CA: {op: Exists} + # - feature: cpu.sst + # matchExpressions: + # bf.enabled: {op: IsTrue} + # - feature: cpu.topology + # matchExpressions: + # hardware_multithreading: {op: IsFalse} + # + # - feature: kernel.config + # matchExpressions: + # X86: {op: Exists} + # LSM: {op: InRegexp, value: ["apparmor"]} + # - feature: kernel.loadedmodule + # matchExpressions: + # e1000e: {op: Exists} + # - feature: kernel.selinux + # matchExpressions: + # enabled: {op: IsFalse} + # - feature: kernel.version + # matchExpressions: + # major: {op: In, value: ["5"]} + # minor: {op: Gt, value: ["10"]} + # + # - feature: storage.block + # matchExpressions: + # rotational: {op: In, value: ["0"]} + # dax: {op: In, value: ["0"]} + # + # - feature: network.device + # matchExpressions: + # operstate: {op: In, value: ["up"]} + # speed: {op: Gt, value: ["100"]} + # + # - feature: memory.numa + # matchExpressions: + # node_count: {op: Gt, value: ["2"]} + # - feature: memory.nv + # matchExpressions: + # devtype: {op: In, value: ["nd_dax"]} + # mode: {op: In, value: ["memory"]} + # + # - feature: system.osrelease + # matchExpressions: + # ID: {op: In, value: ["fedora", "centos"]} + # - feature: system.name + # 
matchExpressions: + # nodename: {op: InRegexp, value: ["^worker-X"]} + # + # - feature: local.label + # matchExpressions: + # custom-feature-knob: {op: Gt, value: ["100"]} + # + # # The following feature demonstrates the capabilities of the matchAny + # - name: "my matchAny rule" + # labels: + # my-ng-feature-2: "my-value" + # # matchAny implements a logical IF over all elements (sub-matchers) in + # # the list (i.e. at least one feature matcher must match) + # matchAny: + # - matchFeatures: + # - feature: kernel.loadedmodule + # matchExpressions: + # driver-module-X: {op: Exists} + # - feature: pci.device + # matchExpressions: + # vendor: {op: In, value: ["8086"]} + # class: {op: In, value: ["0200"]} + # - matchFeatures: + # - feature: kernel.loadedmodule + # matchExpressions: + # driver-module-Y: {op: Exists} + # - feature: usb.device + # matchExpressions: + # vendor: {op: In, value: ["8086"]} + # class: {op: In, value: ["02"]} + # + # # The following features demonstreate label templating capabilities + # - name: "my template rule" + # labelsTemplate: | + # {{ range .system.osrelease }}my-system-feature.{{ .Name }}={{ .Value }} + # {{ end }} + # matchFeatures: + # - feature: system.osrelease + # matchExpressions: + # ID: {op: InRegexp, value: ["^open.*"]} + # VERSION_ID.major: {op: In, value: ["13", "15"]} + # + # - name: "my template rule 2" + # labelsTemplate: | + # {{ range .pci.device }}my-pci-device.{{ .class }}-{{ .device }}=with-cpuid + # {{ end }} + # matchFeatures: + # - feature: pci.device + # matchExpressions: + # class: {op: InRegexp, value: ["^06"]} + # vendor: ["8086"] + # - feature: cpu.cpuid + # matchExpressions: + # AVX: {op: Exists} + # + # # The following examples demonstrate vars field and back-referencing + # # previous labels and vars + # - name: "my dummy kernel rule" + # labels: + # "my.kernel.feature": "true" + # matchFeatures: + # - feature: kernel.version + # matchExpressions: + # major: {op: Gt, value: ["2"]} + # + # - name: "my dummy 
rule with no labels" + # vars: + # "my.dummy.var": "1" + # matchFeatures: + # - feature: cpu.cpuid + # matchExpressions: {} + # + # - name: "my rule using backrefs" + # labels: + # "my.backref.feature": "true" + # matchFeatures: + # - feature: rule.matched + # matchExpressions: + # my.kernel.feature: {op: IsTrue} + # my.dummy.var: {op: Gt, value: ["0"]} + # +### + + metricsPort: 8081 + daemonsetAnnotations: {} + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + # runAsUser: 1000 + + serviceAccount: + # Specifies whether a service account should be created. + # We create this by default to make it easier for downstream users to apply PodSecurityPolicies. + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + rbac: + create: true + + # Allow users to mount the hostPath /usr/src, useful for RHCOS on s390x + # Does not work on systems without /usr/src AND a read-only /usr, such as Talos + mountUsrSrc: false + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + annotations: {} + + affinity: {} + + priorityClassName: "" + +topologyUpdater: + config: ### + ## key = node name, value = list of resources to be excluded. + ## use * to exclude from all nodes. 
+ ## an example for how the exclude list should looks like + #excludeList: + # node1: [cpu] + # node2: [memory, example/deviceA] + # *: [hugepages-2Mi] +### + + enable: false + createCRDs: false + + serviceAccount: + create: true + annotations: {} + name: + rbac: + create: true + + metricsPort: 8081 + kubeletConfigPath: + kubeletPodResourcesSockPath: + updateInterval: 60s + watchNamespace: "*" + kubeletStateDir: /var/lib/kubelet + + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsUser: 0 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + tolerations: [] + annotations: {} + daemonsetAnnotations: {} + affinity: {} + podSetFingerprint: true + +gc: + enable: true + replicaCount: 1 + + serviceAccount: + create: true + annotations: {} + name: + rbac: + create: true + + interval: 1h + + podSecurityContext: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + tolerations: [] + annotations: {} + deploymentAnnotations: {} + affinity: {} + +# Optionally use encryption for worker <--> master comms +# TODO: verify hostname is not yet supported +# +# If you do not enable certManager (and have it installed) you will +# need to manually, or otherwise, provision the TLS certs as secrets +tls: + enable: false + certManager: false + +prometheus: + enable: false + labels: {} diff --git a/charts/sriov/103.1.0+up0.1.0/templates/NOTES.txt b/charts/sriov/103.1.0+up0.1.0/templates/NOTES.txt new file mode 100644 index 0000000000..44a8bf935a --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/templates/NOTES.txt @@ -0,0 +1,17 @@ +Get Network Operator deployed resources by running the following commands: + +$ kubectl -n {{ .Release.Namespace }} get pods + +For additional instructions on how to use SR-IOV network operator, +refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator + +{{- if .Values.operator.enableAdmissionController }} +{{- if not .Values.cert_manager }} +Thank you for installing {{ .Chart.Name }}. + +WARNING! Self signed certificates have been generated for webhooks. +These certificates have a one-year validity and will not be rotated +automatically. This should not be a production cluster. Please deploy +and use cert-manager for production clusters. +{{- end }} +{{- end }} diff --git a/charts/sriov/103.1.0+up0.1.0/templates/_helpers.tpl b/charts/sriov/103.1.0+up0.1.0/templates/_helpers.tpl new file mode 100644 index 0000000000..dff1d171fe --- /dev/null +++ b/charts/sriov/103.1.0+up0.1.0/templates/_helpers.tpl 
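Review bot: In `rancher-nfd/values.yaml`, `topologyUpdater.securityContext` sets `runAsUser: 0` with no `runAsNonRoot` and no comment, while the `master` and `worker` blocks in the same file both set `runAsNonRoot: true`. The component is off by default (`enable: false`), but anyone who turns it on gets a root container with no explanation of why. A comment above the key would make the exception explicit, for example `# runs as root, presumably to read the kubelet state dir and pod-resources socket; enable only when topology data is needed`. The reason given there is an assumption and should be confirmed against the upstream chart.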
@@ -0,0 +1,85 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sriov-network-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sriov-network-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sriov-network-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sriov-network-operator.labels" -}}
+helm.sh/chart: {{ include "sriov-network-operator.chart" . }}
+{{ include "sriov-network-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sriov-network-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sriov-network-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sriov-network-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "sriov-network-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/_webhook-certs.tpl b/charts/sriov/103.1.0+up0.1.0/templates/_webhook-certs.tpl
new file mode 100644
index 0000000000..f1448968b2
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/_webhook-certs.tpl
@@ -0,0 +1,31 @@
+{{/*
+Generate TLS certificates for webhooks.
+Note: these 2 lines, that are repeated several times below, are a trick to
+ensure the CA certs are generated only once:
+ $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
+ $_ := set . "ca" $ca
+Please, don't try to "simplify" them as without this trick, every generated
+certificate would be signed by a different CA.
+*/}}
+{{- define "sriov_operator_ca_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- printf "%s" $ca.Cert | b64enc -}}
+{{- end }}
+{{- define "sriov_operator_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+{{- define "sriov_resource_injector_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/certmanagercerts.yaml b/charts/sriov/103.1.0+up0.1.0/templates/certmanagercerts.yaml
new file mode 100644
index 0000000000..e3575aa565
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/certmanagercerts.yaml
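Review bot: The header comment in `_webhook-certs.tpl` explains the CA-caching trick but does not say that `genCA` and `genSignedCert` run on every render. With `cert_manager` unset, each `helm upgrade` therefore issues a new CA and new webhook key pairs, each valid for 365 days. Operators need to know this because `WEBHOOK_CA_BUNDLE` in `operator.yaml` and both Secrets in `secrets.yaml` change together on upgrade, and the rendered private keys are also kept in Helm's release record. I would add a line to the comment such as `Certificates are regenerated on every install/upgrade and expire after 365 days; set cert_manager: true for managed rotation.`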
@@ -0,0 +1,41 @@
+{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}}
+{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
+{{- required "cert-manager is required but not found" "" -}}
+{{- end -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: sriov-network-operator-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: operator-webhook-service
+ dnsNames:
+ - operator-webhook-service.{{ .Release.Namespace }}.svc
+ issuerRef:
+ name: sriov-network-operator-selfsigned-issuer
+ privateKey:
+ rotationPolicy: Always
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: network-resources-injector-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: network-resources-injector-secret
+ dnsNames:
+ - network-resources-injector-service.{{ .Release.Namespace }}.svc
+ issuerRef:
+ name: sriov-network-operator-selfsigned-issuer
+ privateKey:
+ rotationPolicy: Always
+{{- end -}}
+
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/clusterrole.yaml b/charts/sriov/103.1.0+up0.1.0/templates/clusterrole.yaml
new file mode 100644
index 0000000000..da327471f0
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/clusterrole.yaml
@@ -0,0 +1,109 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "patch", "update"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["*"]
+ - apiGroups: ["apps"]
+ resources: ["daemonsets"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["namespaces", "serviceaccounts"]
+ verbs: ["*"]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources: ["network-attachment-definitions"]
+ verbs: ["*"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "clusterrolebindings"]
+ verbs: ["*"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ verbs: ["*"]
+ - apiGroups: ["sriovnetwork.openshift.io"]
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups: ["machineconfiguration.openshift.io"]
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups: ["config.openshift.io"]
+ resources: ["infrastructures"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sriov-network-config-daemon
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "patch", "update"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["*"]
+ - apiGroups: ["apps"]
+ resources: ["daemonsets"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods/eviction"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sriov-admin
+ {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ {{- end }}
+rules:
+- apiGroups:
+ - sriovnetwork.openshift.io
+ resources:
+ - '*'
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sriov-edit
+ {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ {{- end }}
+rules:
+- apiGroups:
+ - sriovnetwork.openshift.io
+ resources:
+ - '*'
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sriov-view
+ {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ {{- end }}
+rules:
+- apiGroups:
+ - sriovnetwork.openshift.io
+ resources:
+ - '*'
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
+
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/clusterrolebinding.yaml b/charts/sriov/103.1.0+up0.1.0/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..c10aa9be73
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/clusterrolebinding.yaml
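Review bot: In `clusterrole.yaml`, the operator ClusterRole's rule for `clusterroles` and `clusterrolebindings` uses `verbs: ["*"]`, which includes `escalate` and `bind`, so whoever controls the operator's service account can grant it any permission in the cluster. If the operator only manages its own RBAC objects, list the verbs instead, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and review the wildcard rules on `pods`, `namespaces` and `serviceaccounts` the same way. What the operator actually needs is not visible in this hunk, so confirm before narrowing. Separately, in `sriov-admin`, `sriov-edit` and `sriov-view` the `rbac.authorization.k8s.io/aggregate-to-*` entries sit directly under `metadata:` with no `labels:` key, so aggregation would not take effect. Indentation is lost in this rendering, so check the file; the fix would be a `labels:` line above each `{{- if ... }}`.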
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "sriov-network-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "sriov-network-operator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sriov-network-config-daemon
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: sriov-network-config-daemon
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: sriov-network-config-daemon
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/configmap.yaml b/charts/sriov/103.1.0+up0.1.0/templates/configmap.yaml
new file mode 100644
index 0000000000..455bd91ff0
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: supported-nic-ids
+data:
+ Intel_i40e_XXV710: "8086 158a 154c"
+ Intel_i40e_25G_SFP28: "8086 158b 154c"
+ Intel_i40e_10G_X710_SFP: "8086 1572 154c"
+ Intel_i40e_XXV710_N3000: "8086 0d58 154c"
+ Intel_i40e_40G_XL710_QSFP: "8086 1583 154c"
+ Intel_ice_Columbiaville_E810-CQDA2_2CQDA2: "8086 1592 1889"
+ Intel_ice_Columbiaville_E810-XXVDA4: "8086 1593 1889"
+ Intel_ice_Columbiaville_E810-XXVDA2: "8086 159b 1889"
+ Intel_ice_Columbiaville_E810: "8086 1591 1889"
+ Nvidia_mlx5_ConnectX-4: "15b3 1013 1014"
+ Nvidia_mlx5_ConnectX-4LX: "15b3 1015 1016"
+ Nvidia_mlx5_ConnectX-5: "15b3 1017 1018"
+ Nvidia_mlx5_ConnectX-5_Ex: "15b3 1019 101a"
+ Nvidia_mlx5_ConnectX-6: "15b3 101b 101c"
+ Nvidia_mlx5_ConnectX-6_Dx: "15b3 101d 101e"
+ Nvidia_mlx5_MT42822_BlueField-2_integrated_ConnectX-6_Dx: "15b3 a2d6 101e"
+ Broadcom_bnxt_BCM57414_2x25G: "14e4 16d7 16dc"
+ Broadcom_bnxt_BCM75508_2x100G: "14e4 1750 1806"
+ Qlogic_qede_QL45000_50G: "1077 1654 1664"
+ Red_Hat_Virtio_network_device: "1af4 1000 1000"
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/operator.yaml b/charts/sriov/103.1.0+up0.1.0/templates/operator.yaml
new file mode 100644
index 0000000000..0d39480e10
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/operator.yaml
@@ -0,0 +1,98 @@
+{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}}
+{{- required "rke2-multus is required but not found" "" -}}
+{{- end -}}
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovOperatorConfig
+metadata:
+ name: default
+ namespace: {{ .Release.Namespace }}
+spec:
+ # Add fields here
+ enableInjector: {{ .Values.operator.enableAdmissionController }}
+ enableOperatorWebhook: {{ .Values.operator.enableAdmissionController }}
+ configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: "true"}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: sriov-network-operator
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 33%
+ template:
+ metadata:
+ labels:
+ name: sriov-network-operator
+ spec:
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.operator.nodeSelector }}
+{{ toYaml .Values.operator.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.operator.tolerations }}
+{{ toYaml .Values.operator.tolerations | indent 8 }}
+{{- end }}
+ serviceAccountName: {{ include "sriov-network-operator.fullname" . }}
+ priorityClassName: "system-node-critical"
+ containers:
+ - name: {{ include "sriov-network-operator.fullname" . }}
+ image: {{ include "system_default_registry" . }}{{ .Values.images.operator.repository }}:{{ .Values.images.operator.tag }}
+ command:
+ - sriov-network-operator
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: SRIOV_CNI_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovCni.repository }}:{{ .Values.images.sriovCni.tag }}
+ - name: SRIOV_INFINIBAND_CNI_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.repository }}:{{ .Values.images.ibSriovCni.tag }}
+ - name: SRIOV_DEVICE_PLUGIN_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.repository }}:{{ .Values.images.sriovDevicePlugin.tag }}
+ - name: NETWORK_RESOURCES_INJECTOR_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.repository }}:{{ .Values.images.resourcesInjector.tag }}
+ - name: OPERATOR_NAME
+ value: sriov-network-operator
+ - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.repository }}:{{ .Values.images.sriovConfigDaemon.tag }}
+ - name: SRIOV_NETWORK_WEBHOOK_IMAGE
+ value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.repository }}:{{ .Values.images.webhook.tag }}
+ - name: RESOURCE_PREFIX
+ value: {{ .Values.operator.resourcePrefix }}
+ - name: ENABLE_ADMISSION_CONTROLLER
+ value: {{ .Values.operator.enableAdmissionController | quote }}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: RELEASE_VERSION
+ value: {{ .Release.AppVersion }}
+ - name: SRIOV_CNI_BIN_PATH
+ value: {{ .Values.operator.cniBinPath }}
+ - name: CLUSTER_TYPE
+ value: {{ .Values.operator.clusterType }}
+ {{- if .Values.operator.enableAdmissionController }}
+ {{- if not .Values.cert_manager }}
+ - name: WEBHOOK_CA_BUNDLE
+ value: "{{ include "sriov_operator_ca_cert" . }}"
+ {{- end }}
+ {{- end }}
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/role.yaml b/charts/sriov/103.1.0+up0.1.0/templates/role.yaml
new file mode 100644
index 0000000000..35a9d50afc
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/role.yaml
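Review bot: The operator container in the Deployment in `operator.yaml` sets no `securityContext`, even though its service account is bound to the broad ClusterRole from `clusterrole.yaml` and the pod runs at `system-node-critical` priority. Under the container I would add `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, as the bundled rancher-nfd values already do, after confirming the operator image runs with them. Also, `value: {{ .Release.AppVersion }}` for `RELEASE_VERSION` reads a field that Helm's `.Release` object does not have, so it renders empty; `value: {{ .Chart.AppVersion | quote }}` is presumably what was meant.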
@@ -0,0 +1,125 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - apiGroups:
+ - apps
+ resourceNames:
+ - sriov-network-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - serviceaccounts
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - '*'
+ - apiGroups:
+ - sriovnetwork.openshift.io
+ resources:
+ - '*'
+ - sriovnetworknodestates
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - 'coordination.k8s.io'
+ resources:
+ - 'leases'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: operator-webhook-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/rolebinding.yaml b/charts/sriov/103.1.0+up0.1.0/templates/rolebinding.yaml
new file mode 100644
index 0000000000..d2cf1849a7
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/rolebinding.yaml
@@ -0,0 +1,44 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "sriov-network-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: sriov-network-config-daemon
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: operator-webhook-sa
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: operator-webhook-sa
+roleRef:
+ kind: Role
+ name: operator-webhook-sa
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/secrets.yaml b/charts/sriov/103.1.0+up0.1.0/templates/secrets.yaml
new file mode 100644
index 0000000000..3d345be460
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/secrets.yaml
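Review bot: In `role.yaml`, the operator Role lists `serviceaccounts` under the `rbac.authorization.k8s.io` API group, but ServiceAccount is a core-group resource, so that entry grants nothing. In the same rule, `'*'` on `roles` and `rolebindings` includes `escalate` and `bind`. If namespaced service-account management is intended, move `serviceaccounts` to a rule with `apiGroups: [""]` (the ClusterRole already grants it cluster-wide) and list the RBAC verbs explicitly instead of `'*'`. The first rule also gives `'*'` on `secrets`, which covers the webhook key material in this namespace; narrowing it to the verbs the operator uses would limit exposure, though its real needs are not visible here. `creationTimestamp: null` is generator residue and can be dropped.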
@@ -0,0 +1,20 @@
+{{- if not .Values.cert_manager -}}
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_operator_cert" . | nindent 2 }}
+{{- end }}
+---
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: network-resources-injector-secret
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/serviceaccount.yaml b/charts/sriov/103.1.0+up0.1.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..fc0bb57056
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
diff --git a/charts/sriov/103.1.0+up0.1.0/templates/validate-install-crd.yaml b/charts/sriov/103.1.0+up0.1.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..48ffe70751
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/templates/validate-install-crd.yaml
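Review bot: Both Secrets in secrets.yaml take their whole `data` block from helpers (`sriov_operator_cert`, `sriov_resource_injector_cert`) that are not part of this hunk, so whether the key pair stays stable across renders cannot be checked here. If the helpers generate a fresh certificate on every render, each `helm upgrade` would replace the webhook key, and the matching CA bundle in the webhook configuration would have to change in the same release. It is worth confirming that, or having the helpers reuse an existing Secret via `lookup`. The Secrets also omit the labels block the other manifests in this chart carry, `{{- include "sriov-network-operator.labels" . | nindent 4 }}` under `labels:`.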
@@ -0,0 +1,19 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkPoolConfig" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/sriov/103.1.0+up0.1.0/values.yaml b/charts/sriov/103.1.0+up0.1.0/values.yaml
new file mode 100644
index 0000000000..a112839565
--- /dev/null
+++ b/charts/sriov/103.1.0+up0.1.0/values.yaml
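Review bot: The leading `#` on every line of validate-install-crd.yaml does not disable the check: Helm's template engine runs the `{{ ... }}` actions regardless of the YAML comment marker, so `required` still aborts the install when one of the listed CRDs is absent. A reader can take the file for dead code, so I would add a template comment at the top saying so, e.g. `{{- /* The '#' prefixes only keep the rendered text a YAML comment; the actions below still run. */ -}}`. The outer `lookup` guard returns an empty result when Helm has no cluster access (for example under `helm template`), so the CRD check is skipped in that mode. That is worth stating in the same comment.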
@@ -0,0 +1,64 @@
+operator:
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - effect: NoExecute
+ key: node-role.kubernetes.io/etcd
+ operator: Exists
+ nodeSelector: {}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "node-role.kubernetes.io/master"
+ operator: In
+ values: [ "" ]
+ - matchExpressions:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: In
+ values: [ "" ]
+ nameOverride: ""
+ fullnameOverride: ""
+ resourcePrefix: "rancher.io"
+ enableAdmissionController: false
+ cniBinPath: "/opt/cni/bin"
+ clusterType: "kubernetes"
+
+# Image URIs for sriov-network-operator components
+images:
+ operator:
+ repository: rancher/hardened-sriov-network-operator
+ tag: v1.2.0-build20230912
+ sriovConfigDaemon:
+ repository: rancher/hardened-sriov-network-config-daemon
+ tag: v1.2.0-build20230912
+ sriovCni:
+ repository: rancher/hardened-sriov-cni
+ tag: v2.6.3-build20230913
+ ibSriovCni:
+ repository: rancher/hardened-ib-sriov-cni
+ tag: v1.0.2-build20230911
+ sriovDevicePlugin:
+ repository: rancher/hardened-sriov-network-device-plugin
+ tag: v3.5.1-build20230911
+ resourcesInjector:
+ repository: rancher/hardened-sriov-network-resources-injector
+ tag: v1.5-build20230911
+ webhook:
+ repository: rancher/hardened-sriov-network-webhook
+ tag: v1.2.0-build20230912
+
+# cert_manager enables integration with cert-manager to generate
+# certificates for the operator webhooks. Otherwise the chart will
+# generate ad-hoc certificates with no automated renewal at expiration,
+# not recommended for production clusters.
+cert_manager: false
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ rbac:
+ userRoles:
+ aggregateToDefaultRoles: false
diff --git a/index.yaml b/index.yaml
index 67731add09..33cf3007ec 100755
--- a/index.yaml
+++ b/index.yaml
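Review bot: `enableAdmissionController` in values.yaml carries no comment, yet turning it on while `cert_manager` stays `false` is exactly what makes secrets.yaml render the chart-generated webhook certificates that the comment further down calls unsuitable for production. I would document that next to the switch: `# Enables the admission webhooks; also set cert_manager: true, otherwise self-generated certificates without renewal are used.` The images are referenced by tag only (`tag: v1.2.0-build20230912` and the others). If the registry allows tags to be overwritten, pinning by digest would make the deployed content verifiable; whether the templates accept a digest is not visible in this hunk.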
@@ -19646,6 +19646,39 @@ entries: - assets/rio/rio-0.8.000.tgz version: 0.8.000 sriov: + - annotations: + catalog.cattle.io/auto-install: sriov-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: sriov + catalog.cattle.io/upstream-version: 1.2.0 + apiVersion: v2 + appVersion: 1.2.0 + created: "2024-02-28T20:27:16.145354934-07:00" + description: SR-IOV network operator configures and manages SR-IOV networks in + the kubernetes cluster + digest: fb069897a7e6bc132d28783c74bec35b23aac681cf2806f3c69f67bfeb1e7285 + home: https://github.com/k8snetworkplumbingwg/sriov-network-operator + icon: https://charts.rancher.io/assets/logos/sr-iov.svg + keywords: + - sriov + - Networking + kubeVersion: '>= 1.16.0' + maintainers: + - email: charts@rancher.com + name: Rancher Labs + name: sriov + sources: + - https://github.com/rancher/charts + type: application + urls: + - assets/sriov/sriov-103.1.0+up0.1.0.tgz + version: 103.1.0+up0.1.0 - annotations: catalog.cattle.io/auto-install: sriov-crd=match catalog.cattle.io/certified: rancher 
@@ -20007,6 +20040,22 @@ entries: - assets/sriov/sriov-100.0.0+up0.1.0.tgz version: 100.0.0+up0.1.0 sriov-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/permits-os: linux + catalog.cattle.io/release-name: sriov-crd + apiVersion: v2 + created: "2024-02-28T20:27:16.148058044-07:00" + description: Installs the CRDs for rke2-sriov. + digest: 23611c47f7ee9c83ab52c11238ea2eea1742d2cce1097d0686390cd9f52066c5 + name: sriov-crd + type: application + urls: + - assets/sriov-crd/sriov-crd-103.1.0+up0.1.0.tgz + version: 103.1.0+up0.1.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/experimental: "true" diff --git a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch index 06a1f13153..84538a6fc9 100644 --- a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: sriov-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" -+ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' ++ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux diff --git a/packages/rancher-sriov/package.yaml b/packages/rancher-sriov/package.yaml index dca717b37d..2ed5f8a4e4 100644 --- a/packages/rancher-sriov/package.yaml +++ b/packages/rancher-sriov/package.yaml 
@@ -1,7 +1,7 @@ url: https://github.com/k8snetworkplumbingwg/sriov-network-operator.git subdirectory: deployment/sriov-network-operator commit: bcab8844d807ee1db558533248273ccd492874bb # the commit points to the tag v1.2.0 -version: 103.0.0 +version: 103.1.0 additionalCharts: - workingDir: charts-crd crdOptions: diff --git a/release.yaml b/release.yaml index 8b13789179..0abce9d92f 100644 --- a/release.yaml +++ b/release.yaml @@ -1 +1,4 @@ - +sriov: + - 103.1.0+up0.1.0 +sriov-crd: + - 103.1.0+up0.1.0