Add cmk addon helm chart 39/120039/2
authorTodd Malsbary <todd.malsbary@intel.com>
Tue, 23 Feb 2021 17:28:48 +0000 (09:28 -0800)
committerTodd Malsbary <todd.malsbary@intel.com>
Thu, 29 Apr 2021 15:45:07 +0000 (08:45 -0700)
The chart follows the instructions laid out in the CMK operator
manual, with the following notes:
- The nodes are prepared by running each CMK subcommand as a Pod
  instead of running cmk cluster-init.  The first reason for this is
  that the existing addon only deploys CMK to the worker nodes in the
  cluster.  This is not possible using cluster-init without explicitly
  providing the list of worker nodes to cluster-init, and this list is
  unknown by helm.  Instead it is sufficient to rely on the
  node-role.kubernetes.io/master:NoSchedule taint.  The second reason
  is that cluster-init creates resources which are unknown to helm,
  thus uninstall does not behave as expected.
- The v1.4.1 version of CMK is chosen.  In v1.5.2, the description key
  of the cmk-nodereport resource is not correct.
- All values listed as possibly requiring modification are exposed in
  values.yaml

Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: Ibc75462de3729cd88edeb4b15602d57fe12791ca

kud/deployment_infra/helm/cpu-manager/.helmignore [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/Chart.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml [new file with mode: 0644]
kud/deployment_infra/helm/cpu-manager/values.yaml [new file with mode: 0644]

diff --git a/kud/deployment_infra/helm/cpu-manager/.helmignore b/kud/deployment_infra/helm/cpu-manager/.helmignore
new file mode 100644 (file)
index 0000000..0e8a0eb
--- /dev/null
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kud/deployment_infra/helm/cpu-manager/Chart.yaml b/kud/deployment_infra/helm/cpu-manager/Chart.yaml
new file mode 100644 (file)
index 0000000..5635f21
--- /dev/null
@@ -0,0 +1,25 @@
+# Copyright 2021 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+appVersion: v1.4.1-no-taint
+description: |
+  CPU Manager for Kubernetes provides basic core affinity for
+  NFV-style workloads.
+name: cpu-manager
+sources:
+ - https://github.com/integratedcloudnative/CPU-Manager-for-Kubernetes
+home: https://github.com/integratedcloudnative/CPU-Manager-for-Kubernetes
+type: application
+version: 0.1.0
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl b/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl
new file mode 100644 (file)
index 0000000..a0f94dc
--- /dev/null
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cpu-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cpu-manager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cpu-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cpu-manager.labels" -}}
+helm.sh/chart: {{ include "cpu-manager.chart" . }}
+{{ include "cpu-manager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cpu-manager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cpu-manager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cpu-manager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default ( printf "%s-serviceaccount" (include "cpu-manager.fullname" .) ) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml
new file mode 100644 (file)
index 0000000..003a5b6
--- /dev/null
@@ -0,0 +1,59 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["intel.com"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions", "customresourcedefinitions.extensions"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-daemonset-controller
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["extensions", "apps"]
+  resources: ["daemonsets", "daemonsets.extensions", "daemonsets.apps"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-version-controller
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+  - nonResourceURLs: ["*"]
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-webhook-installer
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["", "apps", "extensions", "admissionregistration.k8s.io"]
+  resources: ["secrets", "configmaps", "deployments", "services", "mutatingwebhookconfigurations"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-node-lister
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["*"]
+{{- end }}
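Review bot: Every rule except the `nonResourceURLs` one grants `verbs: ["*"]`, and the `-webhook-installer` role applies that wildcard to `secrets`, `configmaps`, `deployments` and `services` cluster-wide, so a compromise of any pod running under this service account exposes every Secret in the cluster. Since this commit has helm create the webhook Secret, ConfigMap, Service, Deployment and DaemonSet itself instead of running `cmk cluster-init`, the `-webhook-installer` and `-daemonset-controller` roles look unnecessary; confirm that none of the `cmk.py` subcommands started by the DaemonSet call those APIs, then drop them. The remaining rules should list the verbs actually used instead of `"*"`, with a comment on each rule naming the subcommand that needs it. `rbac.authorization.k8s.io/v1beta1` is deprecated; these manifests are accepted unchanged as `apiVersion: rbac.authorization.k8s.io/v1`.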
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml
new file mode 100644 (file)
index 0000000..2d08c82
--- /dev/null
@@ -0,0 +1,91 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-daemonset
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpu-manager.fullname" . }}-daemonset-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-node
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-crd
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-version
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpu-manager.fullname" . }}-version-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-webhook-installer
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpu-manager.fullname" . }}-webhook-installer
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-role-binding-node-lister
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpu-manager.fullname" . }}-node-lister
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
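Review bot: The `-role-binding-node` binding attaches the built-in `system:node` ClusterRole to the chart's service account, giving it kubelet-level API access on top of the five chart-defined roles; nothing in this commit shows why that is needed, so it should be dropped or justified with a comment such as `# system:node is required for <reason>`. The subject name comes from `cpu-manager.serviceAccountName`, which in `_helpers.tpl` falls back to `default` when `serviceAccount.create` is false and no name is set, so in that configuration all six bindings land on the namespace's default service account. `webhook.yaml` also writes the same name into `mutations.yaml` as `serviceAccount` under `perPod`, so pods the webhook mutates would presumably run with these cluster-wide permissions. Workload pods deserve a separate account limited to what the injected `cmk` binary needs.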
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml b/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml
new file mode 100644 (file)
index 0000000..8b54513
--- /dev/null
@@ -0,0 +1,162 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-reconcile-nodereport-ds
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+    app: cmk-reconcile-nodereport-ds
+spec:
+  selector:
+    matchLabels:
+      {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
+      app: cmk-reconcile-nodereport-ds
+  template:
+    metadata:
+      labels:
+        {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
+        app: cmk-reconcile-nodereport-ds
+      annotations:
+        {{- toYaml .Values.annotations | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "cpu-manager.serviceAccountName" . }}
+      initContainers:
+      - args:
+        - "/cmk/cmk.py init --conf-dir=/etc/cmk --num-exclusive-cores=$NUM_EXCLUSIVE_CORES --num-shared-cores=$NUM_SHARED_CORES"
+        command:
+        - "/bin/bash"
+        - "-c"
+        env:
+        - name: CMK_PROC_FS
+          value: '/proc'
+        - name: NUM_EXCLUSIVE_CORES
+          value: {{ .Values.exclusiveNumCores | quote }}
+        - name: NUM_SHARED_CORES
+          value: {{ .Values.sharedNumCores | quote }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-init-pod
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: "/etc/cmk"
+          name: cmk-conf-dir
+      - args:
+        - "/cmk/cmk.py discover --conf-dir=/etc/cmk {{ if .Values.untaintRequired }}--no-taint{{ end }}"
+        command:
+        - "/bin/bash"
+        - "-c"
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-discover-pod
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: "/etc/cmk"
+          name: cmk-conf-dir
+      - args:
+        - "/cmk/cmk.py install --install-dir=/opt/bin"
+        command:
+        - "/bin/bash"
+        - "-c"
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-install-pod
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: "/opt/bin"
+          name: cmk-install-dir
+      containers:
+      - args:
+        - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- reconcile --interval=$CMK_RECONCILE_SLEEP_TIME --publish"
+        command:
+        - "/bin/bash"
+        - "-c"
+        env:
+        - name: CMK_RECONCILE_SLEEP_TIME
+          value: {{ .Values.reconcileSleepTime | quote }}
+        - name: CMK_PROC_FS
+          value: "/host/proc"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-reconcile
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: "/host/proc"
+          name: host-proc
+          readOnly: true
+        - mountPath: "/etc/cmk"
+          name: cmk-conf-dir
+      - args:
+        - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- node-report --interval=$CMK_NODE_REPORT_SLEEP_TIME --publish"
+        command:
+        - "/bin/bash"
+        - "-c"
+        env:
+        - name: CMK_NODE_REPORT_SLEEP_TIME
+          value: {{ .Values.nodeReportSleepTime | quote }}
+        - name: CMK_PROC_FS
+          value: "/host/proc"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-nodereport
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - mountPath: "/host/proc"
+          name: host-proc
+          readOnly: true
+        - mountPath: "/etc/cmk"
+          name: cmk-conf-dir
+      volumes:
+      - hostPath:
+          path: "/proc"
+        name: host-proc
+      - hostPath:
+          path: {{ .Values.configDir | quote }}
+        name: cmk-conf-dir
+      - hostPath:
+          path: {{ .Values.installDir | quote }}
+        name: cmk-install-dir
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
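Review bot: All five containers take `securityContext` from `.Values.securityContext` and the pod takes `.Values.podSecurityContext`, both of which default to `{}` in this commit's values.yaml, so they run with whatever user and capabilities the image defines while mounting host `/proc` and the host directories `configDir` and `installDir` read-write. The chart should ship explicit defaults for what CMK needs (for example `allowPrivilegeEscalation: false`, if the tool tolerates it) rather than leaving the hardening to each installer. The three `hostPath` volumes omit `type`, so nothing is checked about what exists at the path; `type: DirectoryOrCreate` for the two CMK directories and `type: Directory` for `/proc` would make the intent explicit. `resources` also defaults to empty, so these pods run on every schedulable node without requests or limits.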
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml b/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml
new file mode 100644 (file)
index 0000000..8f0b98e
--- /dev/null
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cpu-manager.serviceAccountName" . }}
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml
new file mode 100644 (file)
index 0000000..62e9fdb
--- /dev/null
@@ -0,0 +1,156 @@
+{{- if .Values.webhook.enabled -}}
+{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}}
+{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-webhook-certs
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+  cert.pem: {{ $cert.Cert | b64enc }}
+  key.pem: {{ $cert.Key | b64enc }}
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+  server.yaml: |
+    server:
+      binding-address: "0.0.0.0"
+      port: {{ .Values.webhook.service.port }}
+      cert: "/etc/ssl/cert.pem"
+      key: "/etc/ssl/key.pem"
+      mutations: "/etc/webhook/mutations.yaml"
+  mutations.yaml: |
+    mutations:
+      perPod:
+        metadata:
+          annotations:
+            cmk.intel.com/resources-injected: "true"
+        spec:
+          serviceAccount: {{ include "cpu-manager.serviceAccountName" . }}
+          tolerations:
+          - operator: Exists
+          volumes:
+          - name: cmk-host-proc
+            hostPath:
+              path: "/proc"
+          - name: cmk-config-dir
+            hostPath:
+              path: {{ .Values.configDir | quote }}
+          - name: cmk-install-dir
+            hostPath:
+              path: {{ .Values.installDir | quote }}
+      perContainer:
+        env:
+        - name: CMK_PROC_FS
+          value: "/host/proc"
+        volumeMounts:
+        - name: cmk-host-proc
+          mountPath: /host/proc
+          readOnly: true
+        - name: cmk-config-dir
+          mountPath: /etc/cmk
+        - name: cmk-install-dir
+          mountPath: /opt/bin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cmk-webhook-service
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+    app: cmk-webhook-app
+spec:
+  ports:
+  - port: {{ .Values.webhook.service.port }}
+    targetPort: 443
+  selector:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+    app: cmk-webhook-app
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+    app: cmk-webhook-app
+  name: {{ include "cpu-manager.fullname" . }}-webhook-deployment
+spec:
+  replicas: {{ .Values.webhook.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
+      app: cmk-webhook-app
+  template:
+    metadata:
+      labels:
+        {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
+        app: cmk-webhook-app
+      annotations:
+        {{- toYaml .Values.webhook.annotations | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      tolerations:
+      - operator: "Exists"
+      containers:
+      - args:
+        - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml"
+        command:
+        - "/bin/bash"
+        - "-c"
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: cmk-webhook
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        volumeMounts:
+        - mountPath: /etc/webhook
+          name: cmk-webhook-configmap
+        - mountPath: /etc/ssl
+          name: cmk-webhook-certs
+          readOnly: True
+      volumes:
+      - name: cmk-webhook-configmap
+        configMap:
+          name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+      - name: cmk-webhook-certs
+        secret:
+          secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  labels:
+    {{- include "cpu-manager.labels" . | nindent 4 }}
+    app: cmk-webhook-app
+  name: {{ include "cpu-manager.fullname" . }}-webhook-config
+webhooks:
+- clientConfig:
+    caBundle: {{ $cert.Cert | b64enc }}
+    service:
+      name: cmk-webhook-service
+      namespace: {{ $.Release.Namespace }}
+      path: /mutate
+  failurePolicy: Ignore
+  name: cmk.intel.com
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+{{- end }}
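Review bot: The Service `selector:` includes `cpu-manager.labels`, but the Deployment's pod template carries only `cpu-manager.selectorLabels` plus `app: cmk-webhook-app`, so the extra `helm.sh/chart`, `app.kubernetes.io/version` and `app.kubernetes.io/managed-by` keys match no pod and the Service gets no endpoints; use `{{- include "cpu-manager.selectorLabels" . | nindent 4 }}` there. Because `failurePolicy: Ignore` is set, that failure is silent and pods are simply admitted unmutated. `genSelfSignedCert` runs on every render, so each `helm upgrade` replaces the Secret and `caBundle` with a new key pair, while the Deployment has no checksum annotation to restart the pod; unless CMK reloads the files itself, the running server keeps the old certificate and the API server's calls fail TLS verification. The 36500-day validity also means the key is never rotated on purpose. `targetPort: 443` is hard-coded although `server.yaml` makes the server listen on `.Values.webhook.service.port`, so the two diverge as soon as that value is changed.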
diff --git a/kud/deployment_infra/helm/cpu-manager/values.yaml b/kud/deployment_infra/helm/cpu-manager/values.yaml
new file mode 100644 (file)
index 0000000..2978344
--- /dev/null
@@ -0,0 +1,63 @@
+# sharedNumCores is the number of CPU cores to be assigned to the "shared" pool on each of the nodes
+sharedNumCores: 1
+# exclusiveNumCores is the number of CPU cores to be assigned to the "exclusive" pool on each of the nodes
+exclusiveNumCores: 2
+# untaintRequired removes the cmk=true:NoSchedule taint from each of the nodes
+untaintRequired: true
+# configDir is the CMK config dir in the host file system
+configDir: "/etc/cmk"
+# installDir is the CMK installation dir in the host file system
+installDir: "/opt/bin"
+# reconcileSleepTime is the sleep interval in seconds between consecutive CMK reconcile runs
+reconcileSleepTime: 60
+# nodeReportSleepTime is the sleep interval in seconds between consecutive CMK node report runs
+nodeReportSleepTime: 60
+
+image:
+  repository: integratedcloudnative/cmk
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+imagePullSecrets: []
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+nameOverride: ""
+fullnameOverride: ""
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+
+resources: {}
+
+annotations: {}
+
+affinity: {}
+
+tolerations: {}
+
+webhook:
+  # webhook.enabled runs the CMK mutating admission webhook server
+  enabled: true
+
+  service:
+    port: 443
+
+  replicaCount: 1
+
+  annotations: {}
+
+## RBAC parameteres
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+  create: true
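Review bot: `tolerations: {}` declares a map where the pod spec expects a list, so an installer who fills it in following the default's shape renders an invalid DaemonSet; it should be `tolerations: []`. `nodeSelector` is read by daemonset.yaml but not declared here, and `serviceAccount.name:` is a bare null where `name: ""` would match the other string defaults. `securityContext`, `podSecurityContext` and `resources` have no comment saying what CMK requires, so a line such as `# securityContext applies to every CMK container, including those mounting host paths` above each would tell installers what they are expected to set.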