(dev-v2.6-archive) Merge pull request #1256 from jiaqiluo/update-charts-build-scrpts

(partially cherry picked from commit aab21e8493)

packages/rancher-sriov/generated-changes/exclude/crds/k8s.cni.cncf.io_networkattachmentdefinitions_crd.yaml

@@ -0,0 +1,57 @@
+# Copyright 2020 NVIDIA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: network-attachment-definitions.k8s.cni.cncf.io
+spec:
+  group: k8s.cni.cncf.io
+  scope: Namespaced
+  names:
+    plural: network-attachment-definitions
+    singular: network-attachment-definition
+    kind: NetworkAttachmentDefinition
+    shortNames:
+    - net-attach-def
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
+            Working Group to express the intent for attaching pods to one or more logical or physical
+            networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this represen
+                tation of an object. Servers should convert recognized schemas to the
+                latest internal value, and may reject unrecognized values. More info:
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
+              type: object
+              properties:
+                config:
+                  description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
+                  type: string

packages/rancher-sriov/generated-changes/overlay/app-README.md

@@ -0,0 +1,13 @@
+# Rancher SR-IOV Network Operator
+
+This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
+
+The chart installs the following components:
+
+ - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
+ - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
+
+Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
+
+The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.
+

packages/rancher-sriov/generated-changes/overlay/templates/_webhook-certs.tpl

@@ -0,0 +1,31 @@
+{{/*
+Generate TLS certificates for webhooks.
+Note: these 2 lines, that are repeated several times below, are a trick to
+ensure the CA certs are generated only once:
+    $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
+    $_ := set . "ca" $ca
+Please, don't try to "simplify" them as without this trick, every generated
+certificate would be signed by a different CA.
+*/}}
+{{- define "sriov_operator_ca_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- printf "%s" $ca.Cert | b64enc -}}
+{{- end }}
+{{- define "sriov_operator_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+{{- define "sriov_resource_injector_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+

packages/rancher-sriov/generated-changes/overlay/templates/certmanagercerts.yaml

@@ -0,0 +1,41 @@
+{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}}
+{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
+{{- required "cert-manager is required but not found" "" -}}
+{{- end -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: sriov-network-operator-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: operator-webhook-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: operator-webhook-service
+  dnsNames:
+  - operator-webhook-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: sriov-network-operator-selfsigned-issuer
+  privateKey:
+    rotationPolicy: Always
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: network-resources-injector-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: network-resources-injector-secret
+  dnsNames:
+  - network-resources-injector-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: sriov-network-operator-selfsigned-issuer
+  privateKey:
+    rotationPolicy: Always
+{{- end -}}
+

packages/rancher-sriov/generated-changes/overlay/templates/secrets.yaml

@@ -0,0 +1,20 @@
+{{- if not .Values.cert_manager -}}
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-webhook-service
+  namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_operator_cert" . | nindent 2 }}
+{{- end }}
+---
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: network-resources-injector-secret
+  namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
+{{- end }}
+{{- end }}
+

packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch

@@ -0,0 +1,31 @@
+--- charts-original/Chart.yaml
++++ charts/Chart.yaml
+@@ -1,12 +1,24 @@
+ apiVersion: v2
+-name: sriov-network-operator
++name: sriov
+ version: 0.1.0
+-kubeVersion: '>= 1.16.0'
+-appVersion: 4.7.0
++kubeVersion: '>= 1.16.0-0'
++appVersion: 1.0.0
+ description: SR-IOV network operator configures and manages SR-IOV networks in the kubernetes cluster
+ type: application
++icon: https://charts.rancher.io/assets/logos/sr-iov.svg
+ keywords:
+   - sriov
++  - Networking
+ home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+ sources:
+-  - https://github.com/k8snetworkplumbingwg/sriov-network-operator
++  - https://github.com/rancher/charts
++maintainers:
++  - name: Rancher Labs
++    email: charts@rancher.com
++annotations:
++  catalog.cattle.io/certified: rancher
++  catalog.cattle.io/experimental: true
++  catalog.cattle.io/namespace: cattle-sriov-system
++  catalog.cattle.io/release-name: sriov
++  catalog.cattle.io/os: linux
++  catalog.cattle.io/auto-install: sriov-crd=match

packages/rancher-sriov/generated-changes/patch/templates/NOTES.txt.patch

@@ -0,0 +1,20 @@
+--- charts-original/templates/NOTES.txt
++++ charts/templates/NOTES.txt
+@@ -3,4 +3,15 @@
+ $ kubectl -n {{ .Release.Namespace }} get pods
+ 
+ For additional instructions on how to use SR-IOV network operator,
+-refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+\ No newline at end of file
++refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
++
++{{- if .Values.operator.enableAdmissionController }}
++{{- if not .Values.cert_manager }}
++Thank you for installing {{ .Chart.Name }}.
++
++WARNING! Self signed certificates have been generated for webhooks.
++These certificates have a one-year validity and will not be rotated
++automatically. This should not be a production cluster. Please deploy
++and use cert-manager for production clusters.
++{{- end }}
++{{- end }}

packages/rancher-sriov/generated-changes/patch/templates/_helpers.tpl.patch

@@ -0,0 +1,14 @@
+--- charts-original/templates/_helpers.tpl
++++ charts/templates/_helpers.tpl
+@@ -60,3 +60,11 @@
+ {{- default "default" .Values.serviceAccount.name }}
+ {{- end }}
+ {{- end }}
++
++{{- define "system_default_registry" -}}
++{{- if .Values.global.systemDefaultRegistry -}}
++{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
++{{- else -}}
++{{- "" -}}
++{{- end -}}
++{{- end -}}

packages/rancher-sriov/generated-changes/patch/templates/clusterrole.yaml.patch

@@ -0,0 +1,58 @@
+--- charts-original/templates/clusterrole.yaml
++++ charts/templates/clusterrole.yaml
+@@ -52,3 +52,55 @@
+   - apiGroups: [""]
+     resources: ["pods/eviction"]
+     verbs: ["create"]
++---
++apiVersion: rbac.authorization.k8s.io/v1
++kind: ClusterRole
++metadata:
++  name: sriov-admin
++  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
++    rbac.authorization.k8s.io/aggregate-to-admin: "true"
++  {{- end }}
++rules:
++- apiGroups:
++  - sriovnetwork.openshift.io
++  resources:
++  - '*'
++  verbs:
++  - "get"
++  - "watch"
++  - "list"
++---
++apiVersion: rbac.authorization.k8s.io/v1
++kind: ClusterRole
++metadata:
++  name: sriov-edit
++  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
++    rbac.authorization.k8s.io/aggregate-to-edit: "true"
++  {{- end }}
++rules:
++- apiGroups:
++  - sriovnetwork.openshift.io
++  resources:
++  - '*'
++  verbs:
++  - "get"
++  - "watch"
++  - "list"
++---
++apiVersion: rbac.authorization.k8s.io/v1
++kind: ClusterRole
++metadata:
++  name: sriov-view
++  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
++    rbac.authorization.k8s.io/aggregate-to-view: "true"
++  {{- end }}
++rules:
++- apiGroups:
++  - sriovnetwork.openshift.io
++  resources:
++  - '*'
++  verbs:
++  - "get"
++  - "watch"
++  - "list"
++

packages/rancher-sriov/generated-changes/patch/templates/operator.yaml.patch

@@ -0,0 +1,70 @@
+--- charts-original/templates/operator.yaml
++++ charts/templates/operator.yaml
+@@ -1,7 +1,22 @@
++{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}}
++{{- required "rke2-multus is required but not found" "" -}}
++{{- end -}}
++apiVersion: sriovnetwork.openshift.io/v1
++kind: SriovOperatorConfig
++metadata:
++  name: default
++  namespace: {{ .Release.Namespace }}
++spec:
++  # Add fields here
++  enableInjector: {{ .Values.operator.enableAdmissionController }}
++  enableOperatorWebhook: {{ .Values.operator.enableAdmissionController }}
++  configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: "true"}
++---
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   name: {{ include "sriov-network-operator.fullname" . }}
++  namespace: {{ .Release.Namespace }}
+   labels:
+   {{- include "sriov-network-operator.labels" . | nindent 4 }}
+ spec:
+@@ -25,7 +40,7 @@
+       serviceAccountName: {{ include "sriov-network-operator.fullname" . }}
+       containers:
+         - name: {{ include "sriov-network-operator.fullname" . }}
+-          image: {{ .Values.images.operator }}
++          image: {{ include "system_default_registry" . }}{{ .Values.images.operator.image }}:{{ .Values.images.operator.tag }}
+           command:
+             - sriov-network-operator
+           imagePullPolicy: IfNotPresent
+@@ -35,19 +50,19 @@
+                 fieldRef:
+                   fieldPath: metadata.namespace
+             - name: SRIOV_CNI_IMAGE
+-              value: {{ .Values.images.sriovCni }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovCni.image }}:{{ .Values.images.sriovCni.tag }}
+             - name: SRIOV_INFINIBAND_CNI_IMAGE
+-              value: {{ .Values.images.ibSriovCni }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.image }}:{{ .Values.images.ibSriovCni.tag }}
+             - name: SRIOV_DEVICE_PLUGIN_IMAGE
+-              value: {{ .Values.images.sriovDevicePlugin }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.image }}:{{ .Values.images.sriovDevicePlugin.tag }}
+             - name: NETWORK_RESOURCES_INJECTOR_IMAGE
+-              value: {{ .Values.images.resourcesInjector }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.image }}:{{ .Values.images.resourcesInjector.tag }}
+             - name: OPERATOR_NAME
+               value: sriov-network-operator
+             - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
+-              value: {{ .Values.images.sriovConfigDaemon }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.image }}:{{ .Values.images.sriovConfigDaemon.tag }}
+             - name: SRIOV_NETWORK_WEBHOOK_IMAGE
+-              value: {{ .Values.images.webhook }}
++              value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.image }}:{{ .Values.images.webhook.tag }}
+             - name: RESOURCE_PREFIX
+               value: {{ .Values.operator.resourcePrefix }}
+             - name: ENABLE_ADMISSION_CONTROLLER
+@@ -64,3 +79,9 @@
+               value: {{ .Release.AppVersion }}
+             - name: SRIOV_CNI_BIN_PATH
+               value: {{ .Values.operator.cniBinPath }}
++            {{- if .Values.operator.enableAdmissionController }}
++            {{- if not .Values.cert_manager }}
++            - name: WEBHOOK_CA_BUNDLE
++              value: "{{ include "sriov_operator_ca_cert" . }}"
++            {{- end }}
++            {{- end }}

packages/rancher-sriov/generated-changes/patch/templates/rolebinding.yaml.patch

@@ -0,0 +1,19 @@
+--- charts-original/templates/rolebinding.yaml
++++ charts/templates/rolebinding.yaml
+@@ -29,3 +29,16 @@
+   kind: Role
+   name: sriov-network-config-daemon
+   apiGroup: rbac.authorization.k8s.io
++---
++kind: RoleBinding
++apiVersion: rbac.authorization.k8s.io/v1
++metadata:
++  name: operator-webhook-sa
++  namespace: {{ .Release.Namespace }}
++subjects:
++- kind: ServiceAccount
++  name: operator-webhook-sa
++roleRef:
++  kind: Role
++  name: operator-webhook-sa
++  apiGroup: rbac.authorization.k8s.io

packages/rancher-sriov/generated-changes/patch/values.yaml.patch

@@ -0,0 +1,72 @@
+--- charts-original/values.yaml
++++ charts/values.yaml
+@@ -1,23 +1,57 @@
+ operator:
+   tolerations:
+-    - key: "node-role.kubernetes.io/master"
+-      operator: "Exists"
+-      effect: "NoSchedule"
++  - effect: NoSchedule
++    key: node-role.kubernetes.io/control-plane
++    operator: Exists
++  - effect: NoSchedule
++    key: node-role.kubernetes.io/etcd
++    operator: Exists
++  - effect: NoSchedule
++    key: cattle.io/os
++    operator: Equal
++    value: linux
+   nodeSelector:
+-    node-role.kubernetes.io/master: ""
++    node-role.kubernetes.io/control-plane: "true"
+   nameOverride: ""
+   fullnameOverride: ""
+-  resourcePrefix: "openshift.io"
++  resourcePrefix: "rancher.io"
+   enableAdmissionController: false
+   cniBinPath: "/opt/cni/bin"
+   clusterType: "kubernetes"
+ 
+ # Image URIs for sriov-network-operator components
+ images:
+-  operator: quay.io/openshift/origin-sriov-network-operator
+-  sriovConfigDaemon: quay.io/openshift/origin-sriov-network-config-daemon
+-  sriovCni: quay.io/openshift/origin-sriov-cni
+-  ibSriovCni: quay.io/openshift/origin-sriov-infiniband-cni
+-  sriovDevicePlugin: quay.io/openshift/origin-sriov-network-device-plugin
+-  resourcesInjector: quay.io/openshift/origin-sriov-dp-admission-controller
+-  webhook: quay.io/openshift/origin-sriov-network-webhook
++  operator:
++    image: rancher/hardened-sriov-network-operator
++    tag: v1.0.0-build20210429
++  sriovConfigDaemon:
++    image: rancher/hardened-sriov-network-config-daemon
++    tag: v1.0.0-build20210429
++  sriovCni:
++    image: rancher/hardened-sriov-cni
++    tag: v2.6-build20210310
++  ibSriovCni: 
++    image: rancher/hardened-ib-sriov-cni
++    tag: v1.0.0-build20210310
++  sriovDevicePlugin: 
++    image: rancher/hardened-sriov-network-device-plugin
++    tag: v3.3.1-build20210310
++  resourcesInjector: 
++    image: rancher/hardened-sriov-network-resources-injector
++    tag: v1-build20210310
++  webhook:
++    image: rancher/hardened-sriov-network-webhook
++    tag: v1.0.0-build20210429
++
++# cert_manager enables integration with cert-manager to generate
++# certificates for the operator webhooks. Otherwise the chart will
++# generate ad-hoc certificates with no automated renewal at expiration,
++# not recommended for production clusters.
++cert_manager: false
++
++global:
++  cattle:
++    systemDefaultRegistry: ""
++  rbac:
++    userRoles:
++      aggregateToDefaultRoles: false

packages/rancher-sriov/package.yaml

@@ -0,0 +1,10 @@
+url: https://github.com/k8snetworkplumbingwg/sriov-network-operator.git
+subdirectory: deployment/sriov-network-operator
+commit: c5c943cc214f4113b6f6be8d7c48ac837aa1669c
+packageVersion: 1
+additionalCharts:
+  - workingDir: charts-crd
+    crdOptions:
+      templateDirectory: crd-template
+      crdDirectory: templates
+      addCRDValidationToMainChart: true

packages/rancher-sriov/templates/crd-template/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+version: 0.1.0
+description: Installs the CRDs for rke2-sriov.
+name: sriov-crd
+type: application
+annotations:
+  catalog.cattle.io/experimental: "true"
+  catalog.cattle.io/release-name: sriov-crd
+  catalog.cattle.io/namespace: cattle-sriov-system
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"