--- /dev/null
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- /dev/null
+# Copyright 2021 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+appVersion: v0.7.0
+description: |
+ Detects hardware features available on each node in a Kubernetes cluster, and advertises
+ those features using node labels.
+name: node-feature-discovery
+sources:
+ - https://github.com/kubernetes-sigs/node-feature-discovery
+home: https://github.com/kubernetes-sigs/node-feature-discovery
+keywords:
+ - feature-discovery
+ - feature-detection
+ - node-labels
+type: application
+version: 0.1.0
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "node-feature-discovery.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "node-feature-discovery.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "node-feature-discovery.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "node-feature-discovery.labels" -}}
+helm.sh/chart: {{ include "node-feature-discovery.chart" . }}
+{{ include "node-feature-discovery.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "node-feature-discovery.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "node-feature-discovery.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "node-feature-discovery.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "node-feature-discovery.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
--- /dev/null
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ # when using command line flag --resource-labels to create extended resources
+ # you will need to uncomment "- nodes/status"
+ # - nodes/status
+ verbs:
+ - get
+ - patch
+ - update
+ - list
+{{- end }}
--- /dev/null
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "node-feature-discovery.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
--- /dev/null
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+spec:
+ replicas: {{ .Values.master.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: master
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: master
+ annotations:
+ {{- toYaml .Values.master.annotations | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "node-feature-discovery.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.master.podSecurityContext | nindent 8 }}
+ containers:
+ - name: master
+ securityContext:
+ {{- toYaml .Values.master.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 8080
+ name: grpc
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ command:
+ - "nfd-master"
+ resources:
+ {{- toYaml .Values.master.resources | nindent 12 }}
+ args:
+ {{- if .Values.master.instance | empty | not }}
+ - "--instance={{ .Values.master.instance }}"
+ {{- end }}
+## Enable TLS authentication
+## The example below assumes having the root certificate named ca.crt stored in
+## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
+## in a TLS Secret named nfd-master-cert.
+## Additional hardening can be enabled by specifying --verify-node-name in
+## args, in which case every nfd-worker requires a individual node-specific
+## TLS certificate.
+# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
+# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+# volumeMounts:
+# - name: nfd-ca-cert
+# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
+# readOnly: true
+# - name: nfd-master-cert
+# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+# readOnly: true
+# volumes:
+# - name: nfd-ca-cert
+# configMap:
+# name: nfd-ca-cert
+# - name: nfd-master-cert
+# secret:
+# secretName: nfd-master-cert
+ {{- with .Values.master.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.master.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.master.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.worker.configmapName }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-worker.conf: |
+ {{- .Values.worker.config | nindent 4 }}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: nfd-master
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+spec:
+ type: {{ .Values.master.service.type }}
+ ports:
+ - port: {{ .Values.master.service.port }}
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
--- /dev/null
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.serviceAccountName" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
--- /dev/null
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: worker
+spec:
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: worker
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: worker
+ annotations:
+ {{- toYaml .Values.worker.annotations | nindent 8 }}
+ spec:
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
+ containers:
+ - name: worker
+ securityContext:
+ {{- toYaml .Values.worker.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ resources:
+ {{- toYaml .Values.worker.resources | nindent 12 }}
+ command:
+ - "nfd-worker"
+ args:
+ - "--sleep-interval={{ .Values.worker.sleepTime }}s"
+ - "--server=nfd-master:{{ .Values.master.service.port }}"
+## Enable TLS authentication (1/3)
+## The example below assumes having the root certificate named ca.crt stored in
+## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
+## in a TLS Secret named nfd-worker-cert
+# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
+# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+ volumeMounts:
+ - name: host-boot
+ mountPath: "/host-boot"
+ readOnly: true
+ - name: host-os-release
+ mountPath: "/host-etc/os-release"
+ readOnly: true
+ - name: host-sys
+ mountPath: "/host-sys"
+ readOnly: true
+ - name: source-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
+ readOnly: true
+ - name: features-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
+ readOnly: true
+ - name: nfd-worker-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+## Enable TLS authentication (2/3)
+# - name: nfd-ca-cert
+# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
+# readOnly: true
+# - name: nfd-worker-cert
+# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+# readOnly: true
+ volumes:
+ - name: host-boot
+ hostPath:
+ path: "/boot"
+ - name: host-os-release
+ hostPath:
+ path: "/etc/os-release"
+ - name: host-sys
+ hostPath:
+ path: "/sys"
+ - name: source-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/source.d/"
+ - name: features-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/features.d/"
+ - name: nfd-worker-conf
+ configMap:
+ name: {{ .Values.worker.configmapName }}
+ items:
+ - key: nfd-worker.conf
+ path: nfd-worker.conf
+## Enable TLS authentication (3/3)
+# - name: nfd-ca-cert
+# configMap:
+# name: nfd-ca-cert
+# - name: nfd-worker-cert
+# secret:
+# secretName: nfd-worker-cert
+ {{- with .Values.worker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
--- /dev/null
+image:
+ repository: k8s.gcr.io/nfd/node-feature-discovery
+ # This should be set to 'IfNotPresent' for released version
+ pullPolicy: IfNotPresent
+ # tag, if defined will use the given image tag, else Chart.AppVersion will be used
+ # tag
+imagePullSecrets: []
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+nameOverride: ""
+fullnameOverride: ""
+
+master:
+ instance:
+ replicaCount: 1
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ type: ClusterIP
+ port: 8080
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ nodeSelector: {}
+
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Equal"
+ value: ""
+ effect: "NoSchedule"
+
+ annotations: {}
+
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: "node-role.kubernetes.io/master"
+ operator: In
+ values: [""]
+
+worker:
+ configmapName: nfd-worker-conf
+ config: |
+ sources:
+ custom:
+ - name: "iavf"
+ matchOn:
+ - pciId:
+ class: ["0200"]
+ vendor: ["8086"]
+ device: ["1574", "1580", "1583", "1584", "1587", "1588", "37ce", "37cf", "37d0", "37d1", "37d2", "37d3"]
+ - name: "qat"
+ matchOn:
+ - pciId:
+ class: ["0b40"]
+ vendor: ["8086"]
+ device: ["0435", "37c8", "6f54", "19e2"]
+ pci:
+ deviceClassWhitelist:
+ - "03"
+ - "12"
+ - "0200"
+ - "0b40"
+ deviceLabelFields:
+ - "class"
+ - "vendor"
+ - "device"
+ #sources:
+ # cpu:
+ # cpuid:
+ ## NOTE: whitelist has priority over blacklist
+ # attributeBlacklist:
+ # - "BMI1"
+ # - "BMI2"
+ # - "CLMUL"
+ # - "CMOV"
+ # - "CX16"
+ # - "ERMS"
+ # - "F16C"
+ # - "HTT"
+ # - "LZCNT"
+ # - "MMX"
+ # - "MMXEXT"
+ # - "NX"
+ # - "POPCNT"
+ # - "RDRAND"
+ # - "RDSEED"
+ # - "RDTSCP"
+ # - "SGX"
+ # - "SSE"
+ # - "SSE2"
+ # - "SSE3"
+ # - "SSE4.1"
+ # - "SSE4.2"
+ # - "SSSE3"
+ # attributeWhitelist:
+ # kernel:
+ # kconfigFile: "/path/to/kconfig"
+ # configOpts:
+ # - "NO_HZ"
+ # - "X86"
+ # - "DMI"
+ # pci:
+ # deviceClassWhitelist:
+ # - "0200"
+ # - "03"
+ # - "12"
+ # deviceLabelFields:
+ # - "class"
+ # - "vendor"
+ # - "device"
+ # - "subsystem_vendor"
+ # - "subsystem_device"
+ # usb:
+ # deviceClassWhitelist:
+ # - "0e"
+ # - "ef"
+ # - "fe"
+ # - "ff"
+ # deviceLabelFields:
+ # - "class"
+ # - "vendor"
+ # - "device"
+ # custom:
+ # - name: "my.kernel.feature"
+ # matchOn:
+ # - loadedKMod: ["example_kmod1", "example_kmod2"]
+ # - name: "my.pci.feature"
+ # matchOn:
+ # - pciId:
+ # class: ["0200"]
+ # vendor: ["15b3"]
+ # device: ["1014", "1017"]
+ # - pciId :
+ # vendor: ["8086"]
+ # device: ["1000", "1100"]
+ # - name: "my.usb.feature"
+ # matchOn:
+ # - usbId:
+ # class: ["ff"]
+ # vendor: ["03e7"]
+ # device: ["2485"]
+ # - usbId:
+ # class: ["fe"]
+ # vendor: ["1a6e"]
+ # device: ["089a"]
+ # - name: "my.combined.feature"
+ # matchOn:
+ # - pciId:
+ # vendor: ["15b3"]
+ # device: ["1014", "1017"]
+ # loadedKMod : ["vendor_kmod1", "vendor_kmod2"]
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ # runAsUser: 1000
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ nodeSelector: {}
+
+ tolerations: {}
+
+ annotations: {}
+
+ # sleepTime is the sleep interval in seconds between consecutive worker runs
+ sleepTime: 60
+
+## RBAC parameteres
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+ create: true
+ serviceAccountName:
+ ## Annotations for the Service Account
+ ##
+ serviceAccountAnnotations: {}
Code Review / multicloud / k8s.git / commitdiff