chore: update sriov netop chart to consume new cert logic
Signed-off-by: Vasilis Remmas <[email protected]>
vasrem committed Dec 27, 2023
1 parent 3f67c24 commit 0e8b3a7
Showing 7 changed files with 242 additions and 21 deletions.
Expand Up @@ -65,11 +65,6 @@ spec:
provision switchdev-configuration.service and enable OpenvSwitch
hw-offload on nodes.
type: boolean
featureGates:
additionalProperties:
type: boolean
description: FeatureGates to enable experimental features
type: object
logLevel:
description: Flag to control the log verbose level of the operator.
Set to '0' to show only the basic logs. And set to '2' to show all
Expand All @@ -81,12 +76,6 @@ spec:
description: Flag to enable Container Device Interface mode for SR-IOV
Network Device Plugin
type: boolean
maxParallelNodeConfiguration:
default: 1
description: How many nodes can be configured in parallel 0 means
no limit, all nodes will be configured in parallel
minimum: 0
type: integer
type: object
status:
description: SriovOperatorConfigStatus defines the observed state of SriovOperatorConfig
@@ -0,0 +1,71 @@
{{- if .Values.operator.admissionControllers.enabled }}
{{- if and (.Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.certManager.generateSelfSigned) }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- operator-webhook-service.{{ .Release.Namespace }}.svc
- operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: operator-webhook-selfsigned-issuer
secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: operator-webhook-selfsigned-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- network-resources-injector-service.{{ .Release.Namespace }}.svc
- network-resources-injector-service.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: network-resources-injector-selfsigned-issuer
secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: network-resources-injector-selfsigned-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
{{- else if and (not .Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.custom.enabled) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.caCrt | b64enc | b64enc | quote }}
tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsCrt | b64enc | quote }}
tls.key: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.caCrt | b64enc | b64enc | quote }}
tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsCrt | b64enc | quote }}
tls.key: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsKey | b64enc | quote }}
{{- end }}
{{- end }}
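Review bot: A values file that sets both `certificates.certManager.enabled` and `certificates.custom.enabled` to true renders neither the cert-manager resources nor the Secrets, because the `else if` branch requires certManager to be disabled, so the chart installs cleanly with no certificate source at all. A guard at the top of the file would surface the conflict at render time, e.g. `{{- if and .Values.operator.admissionControllers.certificates.certManager.enabled .Values.operator.admissionControllers.certificates.custom.enabled }}{{ fail "certificates.certManager.enabled and certificates.custom.enabled are mutually exclusive" }}{{- end }}`. In the same spirit, the six `custom.*` PEM values in the Secret `data` blocks would benefit from `required`, so that a missing `tlsKey` fails with a clear message instead of producing an empty or unusable key (`{{ required "custom.operator.tlsKey is required when custom.enabled is true" .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }}`). The `ca.crt` entries are passed through `b64enc` twice while `tls.crt`/`tls.key` are encoded once; the values comments describe this as intentional because the operator Deployment consumes `ca.crt` through a `secretKeyRef` env var, but a template comment above each Secret (`{{- /* ca.crt is stored base64-encoded: the operator reads it via an env var secretKeyRef */}}`) would stop the next reader from "fixing" the asymmetry. Declaring the Secrets as `type: kubernetes.io/tls` instead of `Opaque` would additionally let the API server reject a Secret that lacks `tls.crt` or `tls.key`.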
Expand Up @@ -43,7 +43,6 @@ spec:
image: {{ .Values.images.operator }}
command:
- sriov-network-operator
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 100m
Expand All @@ -69,8 +68,6 @@ spec:
value: {{ .Values.images.webhook }}
- name: RESOURCE_PREFIX
value: {{ .Values.operator.resourcePrefix }}
- name: ENABLE_ADMISSION_CONTROLLER
value: {{ .Values.operator.enableAdmissionController | quote }}
- name: IMAGE_PULL_SECRETS
value: {{ join "," .Values.imagePullSecrets }}
- name: NAMESPACE
Expand All @@ -91,3 +88,26 @@ spec:
value: {{ .Values.operator.cniBinPath }}
- name: CLUSTER_TYPE
value: {{ .Values.operator.clusterType }}
- name: ADMISSION_CONTROLLERS_ENABLED
value: {{ .Values.operator.admissionControllers.enabled | quote }}
{{- if .Values.operator.admissionControllers.enabled }}
- name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
- name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
value: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
{{- if .Values.operator.admissionControllers.certificates.certManager.enabled }}
- name: ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED
value: {{ .Values.operator.admissionControllers.certificates.certManager.enabled | quote }}
{{- else }}
- name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT
valueFrom:
secretKeyRef:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
key: ca.crt
- name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT
valueFrom:
secretKeyRef:
name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
key: ca.crt
{{- end }}
{{- end }}
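Review bot: The old `operator.enableAdmissionController` value is dropped in the second hunk here, and in the CR template's `enableInjector`/`enableOperatorWebhook` lines, without any migration check, so an existing values file that still sets it installs without error while the admission controllers are silently disabled by the new default. A render-time guard near the top of this template, `{{- if hasKey .Values.operator "enableAdmissionController" }}{{ fail "operator.enableAdmissionController was replaced by operator.admissionControllers.enabled" }}{{- end }}`, turns that into an explicit upgrade error. In the third hunk the two `*_CA_CRT` env vars read `ca.crt` straight from the Secrets via `secretKeyRef`; this is why the Secret template double-encodes that key, and it also means that when neither cert-manager nor custom certificates are enabled the operator pod cannot start until the externally provided Secrets exist, so a short comment above the `{{- else }}` branch stating both expectations would help. The `imagePullPolicy: IfNotPresent` removal in the first hunk looks unrelated to the certificate change; if it is intentional, the effective policy now depends on whether the image tag is `latest`. The container spec continues outside these hunks.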
Expand Up @@ -25,9 +25,56 @@ operator:
nameOverride: ""
fullnameOverride: ""
resourcePrefix: "openshift.io"
enableAdmissionController: false
cniBinPath: "/opt/cni/bin"
clusterType: "kubernetes"
admissionControllers:
enabled: false
certificates:
secretNames:
operator: "operator-webhook-cert"
injector: "network-resources-injector-cert"
certManager:
# When enabled, makes use of certificates managed by cert-manager.
enabled: false
# When enabled, certificates are generated via cert-manager and then name will match the name of the secrets
# defined above
generateSelfSigned: false
# If not specified, no secret is created and secrets with the names defined above are expected to exist in the
# cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable.
custom:
enabled: false
# operator:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----
# injector:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----

# Image URIs for sriov-network-operator components
images:
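Review bot: The comment above `custom` says `ca.crt` "must be base64 encoded twice since it ends up being an env variable", which does not state the actual contract: the operator Deployment reads `ca.crt` through a `secretKeyRef` env var, so the value the operator receives is whatever the Secret holds after one decode, and an externally created Secret must therefore store `ca.crt` as base64 text (PEM encoded twice) while `tls.crt`/`tls.key` are encoded once. Rewording it to that effect, and placing it directly under `custom.enabled: false` (the case it describes), would keep operators from stripping the extra layer. The `generateSelfSigned` comment also reads awkwardly; `# When enabled, cert-manager issues self-signed certificates into the Secrets named under secretNames.` says the same thing more directly. Since `custom.*.tlsKey` is a private key, the sample would be better pointed at `helm install --set-file operator.admissionControllers.certificates.custom.operator.tlsKey=<path>` or an externally created Secret rather than inviting the key into a committed values file. The same block is duplicated in deployment/network-operator/values.yaml and hack/templates/values/values.template.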
Expand Up @@ -22,8 +22,8 @@ metadata:
spec:
# Add fields here
{{- with (index .Values "sriov-network-operator" "operator") }}
enableInjector: {{ .enableAdmissionController }}
enableOperatorWebhook: {{ .enableAdmissionController }}
enableInjector: {{ .admissionControllers.enabled }}
enableOperatorWebhook: {{ .admissionControllers.enabled }}
{{- end }}
configDaemonNodeSelector:
{{- $defaults := dict "beta.kubernetes.io/os" "linux" "network.nvidia.com/operator.mofed.wait" "false" }}
51 changes: 49 additions & 2 deletions deployment/network-operator/values.yaml
Expand Up @@ -90,16 +90,63 @@ sriov-network-operator:
nameOverride: ""
fullnameOverride: ""
resourcePrefix: "nvidia.com"
enableAdmissionController: false
cniBinPath: "/opt/cni/bin"
clusterType: "kubernetes"
admissionControllers:
enabled: false
certificates:
secretNames:
operator: "operator-webhook-cert"
injector: "network-resources-injector-cert"
certManager:
# When enabled, makes use of certificates managed by cert-manager.
enabled: false
# When enabled, certificates are generated via cert-manager and then name will match the name of the secrets
# defined above
generateSelfSigned: false
# If not specified, no secret is created and secrets with the names defined above are expected to exist in the
# cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable.
custom:
enabled: false
# operator:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----
# injector:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----

# Image URIs for sriov-network-operator components
images:
operator: nvcr.io/nvstaging/mellanox/sriov-network-operator:network-operator-24.1.0-beta.1
sriovConfigDaemon: nvcr.io/nvstaging/mellanox/sriov-network-operator-config-daemon:network-operator-24.1.0-beta.1
sriovCni: ghcr.io/k8snetworkplumbingwg/sriov-cni:v2.7.0
ibSriovCni: ghcr.io/k8snetworkplumbingwg/ib-sriov-cni:v1.0.3
ibSriovCni: ghcr.io/k8snetworkplumbingwg/ib-sriov-cni:v1.0.3
sriovDevicePlugin: ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:2cc723dcbc712290055b763dc9d3c090ba41e929
resourcesInjector: ghcr.io/k8snetworkplumbingwg/network-resources-injector:v1.4
webhook: ghcr.io/k8snetworkplumbingwg/sriov-network-operator-webhook:v1.1.0
51 changes: 49 additions & 2 deletions hack/templates/values/values.template
Expand Up @@ -90,16 +90,63 @@ sriov-network-operator:
nameOverride: ""
fullnameOverride: ""
resourcePrefix: "nvidia.com"
enableAdmissionController: false
cniBinPath: "/opt/cni/bin"
clusterType: "kubernetes"
admissionControllers:
enabled: false
certificates:
secretNames:
operator: "operator-webhook-cert"
injector: "network-resources-injector-cert"
certManager:
# When enabled, makes use of certificates managed by cert-manager.
enabled: false
# When enabled, certificates are generated via cert-manager and then name will match the name of the secrets
# defined above
generateSelfSigned: false
# If not specified, no secret is created and secrets with the names defined above are expected to exist in the
# cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable.
custom:
enabled: false
# operator:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----
# injector:
# caCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsCrt: |
# -----BEGIN CERTIFICATE-----
# MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
# ...
# -----END CERTIFICATE-----
# tlsKey: |
# -----BEGIN EC PRIVATE KEY-----
# MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
# ...
# -----END EC PRIVATE KEY-----

# Image URIs for sriov-network-operator components
images:
operator: {{ .SriovNetworkOperator.Repository }}/{{ .SriovNetworkOperator.Image }}:{{ .SriovNetworkOperator.Version }}
sriovConfigDaemon: {{ .SriovConfigDaemon.Repository }}/{{ .SriovConfigDaemon.Image }}:{{ .SriovConfigDaemon.Version }}
sriovCni: {{ .SriovCni.Repository }}/{{ .SriovCni.Image }}:{{ .SriovCni.Version }}
ibSriovCni: {{ .SriovIbCni.Repository }}/{{ .SriovIbCni.Image }}:{{ .SriovIbCni.Version }}
ibSriovCni: {{ .SriovIbCni.Repository }}/{{ .SriovIbCni.Image }}:{{ .SriovIbCni.Version }}
sriovDevicePlugin: {{ .SriovDevicePlugin.Repository }}/{{ .SriovDevicePlugin.Image }}:{{ .SriovDevicePlugin.Version }}
resourcesInjector: ghcr.io/k8snetworkplumbingwg/network-resources-injector:v1.4
webhook: ghcr.io/k8snetworkplumbingwg/sriov-network-operator-webhook:v1.1.0
