diff options
Diffstat (limited to 'kud/deployment_infra/helm/cpu-manager/templates')
6 files changed, 543 insertions, 0 deletions
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl b/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl new file mode 100644 index 00000000..a0f94dc0 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cpu-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cpu-manager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cpu-manager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "cpu-manager.labels" -}} +helm.sh/chart: {{ include "cpu-manager.chart" . }} +{{ include "cpu-manager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "cpu-manager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cpu-manager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cpu-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default ( printf "%s-serviceaccount" (include "cpu-manager.fullname" .) ) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml new file mode 100644 index 00000000..003a5b61 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml @@ -0,0 +1,59 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["intel.com"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions.extensions"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-daemonset-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "daemonsets.extensions", "daemonsets.apps"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-version-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: + - nonResourceURLs: ["*"] + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-installer + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["", "apps", "extensions", "admissionregistration.k8s.io"] + resources: ["secrets", "configmaps", "deployments", "services", "mutatingwebhookconfigurations"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-node-lister + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["*"] +{{- end }} diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..2d08c820 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/clusterrolebinding.yaml @@ -0,0 +1,91 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-daemonset + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cpu-manager.fullname" . }}-daemonset-controller +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-node + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:node +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-crd + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-version + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cpu-manager.fullname" . }}-version-controller +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-webhook-installer + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cpu-manager.fullname" . }}-webhook-installer +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cpu-manager.fullname" . }}-role-binding-node-lister + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cpu-manager.fullname" . }}-node-lister +subjects: +- kind: ServiceAccount + name: {{ include "cpu-manager.serviceAccountName" . }} + namespace: {{ $.Release.Namespace }} +{{- end }} diff --git a/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml b/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml new file mode 100644 index 00000000..8b545133 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/daemonset.yaml @@ -0,0 +1,162 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "cpu-manager.fullname" . }}-reconcile-nodereport-ds + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-reconcile-nodereport-ds +spec: + selector: + matchLabels: + {{- include "cpu-manager.selectorLabels" . | nindent 6 }} + app: cmk-reconcile-nodereport-ds + template: + metadata: + labels: + {{- include "cpu-manager.selectorLabels" . | nindent 8 }} + app: cmk-reconcile-nodereport-ds + annotations: + {{- toYaml .Values.annotations | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + serviceAccountName: {{ include "cpu-manager.serviceAccountName" . }} + initContainers: + - args: + - "/cmk/cmk.py init --conf-dir=/etc/cmk --num-exclusive-cores=$NUM_EXCLUSIVE_CORES --num-shared-cores=$NUM_SHARED_CORES" + command: + - "/bin/bash" + - "-c" + env: + - name: CMK_PROC_FS + value: '/proc' + - name: NUM_EXCLUSIVE_CORES + value: {{ .Values.exclusiveNumCores | quote }} + - name: NUM_SHARED_CORES + value: {{ .Values.sharedNumCores | quote }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-init-pod + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: "/etc/cmk" + name: cmk-conf-dir + - args: + - "/cmk/cmk.py discover --conf-dir=/etc/cmk {{ if .Values.untaintRequired }}--no-taint{{ end }}" + command: + - "/bin/bash" + - "-c" + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-discover-pod + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: "/etc/cmk" + name: cmk-conf-dir + - args: + - "/cmk/cmk.py install --install-dir=/opt/bin" + command: + - "/bin/bash" + - "-c" + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-install-pod + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: "/opt/bin" + name: cmk-install-dir + containers: + - args: + - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- reconcile --interval=$CMK_RECONCILE_SLEEP_TIME --publish" + command: + - "/bin/bash" + - "-c" + env: + - name: CMK_RECONCILE_SLEEP_TIME + value: {{ .Values.reconcileSleepTime | quote }} + - name: CMK_PROC_FS + value: "/host/proc" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-reconcile + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: "/host/proc" + name: host-proc + readOnly: true + - mountPath: "/etc/cmk" + name: cmk-conf-dir + - args: + - "/cmk/cmk.py isolate --pool=infra /cmk/cmk.py -- node-report --interval=$CMK_NODE_REPORT_SLEEP_TIME --publish" + command: + - "/bin/bash" + - "-c" + env: + - name: CMK_NODE_REPORT_SLEEP_TIME + value: {{ .Values.nodeReportSleepTime | quote }} + - name: CMK_PROC_FS + value: "/host/proc" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-nodereport + resources: + {{- toYaml .Values.resources | nindent 10 }} + volumeMounts: + - mountPath: "/host/proc" + name: host-proc + readOnly: true + - mountPath: "/etc/cmk" + name: cmk-conf-dir + volumes: + - hostPath: + path: "/proc" + name: host-proc + - hostPath: + path: {{ .Values.configDir | quote }} + name: cmk-conf-dir + - hostPath: + path: {{ .Values.installDir | quote }} + name: cmk-install-dir + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml b/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml new file mode 100644 index 00000000..8f0b98e0 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "cpu-manager.serviceAccountName" . }} + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml new file mode 100644 index 00000000..62e9fdbf --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml @@ -0,0 +1,156 @@ +{{- if .Values.webhook.enabled -}} +{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}} +{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-certs + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +data: + cert.pem: {{ $cert.Cert | b64enc }} + key.pem: {{ $cert.Key | b64enc }} +type: Opaque +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-configmap + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +data: + server.yaml: | + server: + binding-address: "0.0.0.0" + port: {{ .Values.webhook.service.port }} + cert: "/etc/ssl/cert.pem" + key: "/etc/ssl/key.pem" + mutations: "/etc/webhook/mutations.yaml" + mutations.yaml: | + mutations: + perPod: + metadata: + annotations: + cmk.intel.com/resources-injected: "true" + spec: + serviceAccount: {{ include "cpu-manager.serviceAccountName" . }} + tolerations: + - operator: Exists + volumes: + - name: cmk-host-proc + hostPath: + path: "/proc" + - name: cmk-config-dir + hostPath: + path: {{ .Values.configDir | quote }} + - name: cmk-install-dir + hostPath: + path: {{ .Values.installDir | quote }} + perContainer: + env: + - name: CMK_PROC_FS + value: "/host/proc" + volumeMounts: + - name: cmk-host-proc + mountPath: /host/proc + readOnly: true + - name: cmk-config-dir + mountPath: /etc/cmk + - name: cmk-install-dir + mountPath: /opt/bin +--- +apiVersion: v1 +kind: Service +metadata: + name: cmk-webhook-service + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app +spec: + ports: + - port: {{ .Values.webhook.service.port }} + targetPort: 443 + selector: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app + name: {{ include "cpu-manager.fullname" . }}-webhook-deployment +spec: + replicas: {{ .Values.webhook.replicaCount }} + selector: + matchLabels: + {{- include "cpu-manager.selectorLabels" . | nindent 6 }} + app: cmk-webhook-app + template: + metadata: + labels: + {{- include "cpu-manager.selectorLabels" . | nindent 8 }} + app: cmk-webhook-app + annotations: + {{- toYaml .Values.webhook.annotations | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + tolerations: + - operator: "Exists" + containers: + - args: + - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml" + command: + - "/bin/bash" + - "-c" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-webhook + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + volumeMounts: + - mountPath: /etc/webhook + name: cmk-webhook-configmap + - mountPath: /etc/ssl + name: cmk-webhook-certs + readOnly: True + volumes: + - name: cmk-webhook-configmap + configMap: + name: {{ include "cpu-manager.fullname" . }}-webhook-configmap + - name: cmk-webhook-certs + secret: + secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app + name: {{ include "cpu-manager.fullname" . }}-webhook-config +webhooks: +- clientConfig: + caBundle: {{ $cert.Cert | b64enc }} + service: + name: cmk-webhook-service + namespace: {{ $.Release.Namespace }} + path: /mutate + failurePolicy: Ignore + name: cmk.intel.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods +{{- end }} |