summaryrefslogtreecommitdiffstats
path: root/kud/deployment_infra/helm/cpu-manager/templates
diff options
context:
space:
mode:
Diffstat (limited to 'kud/deployment_infra/helm/cpu-manager/templates')
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl63
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml59
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml91
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml162
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml12
-rw-r--r--kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml156
6 files changed, 543 insertions, 0 deletions
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl b/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl
new file mode 100644
index 00000000..a0f94dc0
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cpu-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cpu-manager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cpu-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cpu-manager.labels" -}}
+helm.sh/chart: {{ include "cpu-manager.chart" . }}
+{{ include "cpu-manager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cpu-manager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cpu-manager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cpu-manager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default ( printf "%s-serviceaccount" (include "cpu-manager.fullname" .) ) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml
new file mode 100644
index 00000000..003a5b61
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["intel.com"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions", "customresourcedefinitions.extensions"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-daemonset-controller
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["extensions", "apps"]
+ resources: ["daemonsets", "daemonsets.extensions", "daemonsets.apps"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-version-controller
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+ - nonResourceURLs: ["*"]
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-installer
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["", "apps", "extensions", "admissionregistration.k8s.io"]
+ resources: ["secrets", "configmaps", "deployments", "services", "mutatingwebhookconfigurations"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-node-lister
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["*"]
+{{- end }}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..2d08c820
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml
@@ -0,0 +1,91 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-daemonset
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cpu-manager.fullname" . }}-daemonset-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-node
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-crd
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-version
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cpu-manager.fullname" . }}-version-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-webhook-installer
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cpu-manager.fullname" . }}-webhook-installer
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-role-binding-node-lister
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cpu-manager.fullname" . }}-node-lister
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml b/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml
new file mode 100644
index 00000000..8b545133
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml
@@ -0,0 +1,162 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-reconcile-nodereport-ds
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-reconcile-nodereport-ds
+spec:
+ selector:
+ matchLabels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
+ app: cmk-reconcile-nodereport-ds
+ template:
+ metadata:
+ labels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
+ app: cmk-reconcile-nodereport-ds
+ annotations:
+ {{- toYaml .Values.annotations | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ serviceAccountName: {{ include "cpu-manager.serviceAccountName" . }}
+ initContainers:
+ - args:
+ - "/cmk/cmk.py init --conf-dir=/etc/cmk --num-exclusive-cores=$NUM_EXCLUSIVE_CORES --num-shared-cores=$NUM_SHARED_CORES"
+ command:
+ - "/bin/bash"
+ - "-c"
+ env:
+ - name: CMK_PROC_FS
+ value: '/proc'
+ - name: NUM_EXCLUSIVE_CORES
+ value: {{ .Values.exclusiveNumCores | quote }}
+ - name: NUM_SHARED_CORES
+ value: {{ .Values.sharedNumCores | quote }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-init-pod
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: "/etc/cmk"
+ name: cmk-conf-dir
+ - args:
+ - "/cmk/cmk.py discover --conf-dir=/etc/cmk {{ if .Values.untaintRequired }}--no-taint{{ end }}"
+ command:
+ - "/bin/bash"
+ - "-c"
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-discover-pod
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: "/etc/cmk"
+ name: cmk-conf-dir
+ - args:
+ - "/cmk/cmk.py install --install-dir=/opt/bin"
+ command:
+ - "/bin/bash"
+ - "-c"
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-install-pod
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: "/opt/bin"
+ name: cmk-install-dir
+ containers:
+ - args:
+ - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- reconcile --interval=$CMK_RECONCILE_SLEEP_TIME --publish"
+ command:
+ - "/bin/bash"
+ - "-c"
+ env:
+ - name: CMK_RECONCILE_SLEEP_TIME
+ value: {{ .Values.reconcileSleepTime | quote }}
+ - name: CMK_PROC_FS
+ value: "/host/proc"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-reconcile
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: "/host/proc"
+ name: host-proc
+ readOnly: true
+ - mountPath: "/etc/cmk"
+ name: cmk-conf-dir
+ - args:
+ - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- node-report --interval=$CMK_NODE_REPORT_SLEEP_TIME --publish"
+ command:
+ - "/bin/bash"
+ - "-c"
+ env:
+ - name: CMK_NODE_REPORT_SLEEP_TIME
+ value: {{ .Values.nodeReportSleepTime | quote }}
+ - name: CMK_PROC_FS
+ value: "/host/proc"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-nodereport
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: "/host/proc"
+ name: host-proc
+ readOnly: true
+ - mountPath: "/etc/cmk"
+ name: cmk-conf-dir
+ volumes:
+ - hostPath:
+ path: "/proc"
+ name: host-proc
+ - hostPath:
+ path: {{ .Values.configDir | quote }}
+ name: cmk-conf-dir
+ - hostPath:
+ path: {{ .Values.installDir | quote }}
+ name: cmk-install-dir
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml b/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8f0b98e0
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cpu-manager.serviceAccountName" . }}
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml
new file mode 100644
index 00000000..62e9fdbf
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml
@@ -0,0 +1,156 @@
+{{- if .Values.webhook.enabled -}}
+{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}}
+{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-certs
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+ cert.pem: {{ $cert.Cert | b64enc }}
+ key.pem: {{ $cert.Key | b64enc }}
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+ server.yaml: |
+ server:
+ binding-address: "0.0.0.0"
+ port: {{ .Values.webhook.service.port }}
+ cert: "/etc/ssl/cert.pem"
+ key: "/etc/ssl/key.pem"
+ mutations: "/etc/webhook/mutations.yaml"
+ mutations.yaml: |
+ mutations:
+ perPod:
+ metadata:
+ annotations:
+ cmk.intel.com/resources-injected: "true"
+ spec:
+ serviceAccount: {{ include "cpu-manager.serviceAccountName" . }}
+ tolerations:
+ - operator: Exists
+ volumes:
+ - name: cmk-host-proc
+ hostPath:
+ path: "/proc"
+ - name: cmk-config-dir
+ hostPath:
+ path: {{ .Values.configDir | quote }}
+ - name: cmk-install-dir
+ hostPath:
+ path: {{ .Values.installDir | quote }}
+ perContainer:
+ env:
+ - name: CMK_PROC_FS
+ value: "/host/proc"
+ volumeMounts:
+ - name: cmk-host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: cmk-config-dir
+ mountPath: /etc/cmk
+ - name: cmk-install-dir
+ mountPath: /opt/bin
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cmk-webhook-service
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+spec:
+ ports:
+ - port: {{ .Values.webhook.service.port }}
+ targetPort: 443
+ selector:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+ name: {{ include "cpu-manager.fullname" . }}-webhook-deployment
+spec:
+ replicas: {{ .Values.webhook.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
+ app: cmk-webhook-app
+ template:
+ metadata:
+ labels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
+ app: cmk-webhook-app
+ annotations:
+ {{- toYaml .Values.webhook.annotations | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ tolerations:
+ - operator: "Exists"
+ containers:
+ - args:
+ - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml"
+ command:
+ - "/bin/bash"
+ - "-c"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-webhook
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ volumeMounts:
+ - mountPath: /etc/webhook
+ name: cmk-webhook-configmap
+ - mountPath: /etc/ssl
+ name: cmk-webhook-certs
+ readOnly: True
+ volumes:
+ - name: cmk-webhook-configmap
+ configMap:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+ - name: cmk-webhook-certs
+ secret:
+ secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+ name: {{ include "cpu-manager.fullname" . }}-webhook-config
+webhooks:
+- clientConfig:
+ caBundle: {{ $cert.Cert | b64enc }}
+ service:
+ name: cmk-webhook-service
+ namespace: {{ $.Release.Namespace }}
+ path: /mutate
+ failurePolicy: Ignore
+ name: cmk.intel.com
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+{{- end }}