unpack obscpio files

sriov-network-operator-chart/templates/NOTES.txt

@@ -0,0 +1,17 @@
+Get Network Operator deployed resources by running the following commands:
+
+$ kubectl -n {{ .Release.Namespace }} get pods
+
+For additional instructions on how to use SR-IOV network operator,
+refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
+
+{{- if .Values.operator.enableAdmissionController }}
+{{- if not .Values.cert_manager }}
+Thank you for installing {{ .Chart.Name }}.
+
+WARNING! Self signed certificates have been generated for webhooks.
+These certificates have a one-year validity and will not be rotated
+automatically. This should not be a production cluster. Please deploy
+and use cert-manager for production clusters.
+{{- end }}
+{{- end }}

sriov-network-operator-chart/templates/_helpers.tpl

@@ -0,0 +1,85 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sriov-network-operator.name" -}}
+{{- default "sriov-network-operator" .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sriov-network-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default "sriov-network-operator" .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sriov-network-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sriov-network-operator.labels" -}}
+helm.sh/chart: {{ include "sriov-network-operator.chart" . }}
+{{ include "sriov-network-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sriov-network-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sriov-network-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sriov-network-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "sriov-network-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}

sriov-network-operator-chart/templates/_webhook-certs.tpl

@@ -0,0 +1,31 @@
+{{/*
+Generate TLS certificates for webhooks.
+Note: these 2 lines, that are repeated several times below, are a trick to
+ensure the CA certs are generated only once:
+    $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
+    $_ := set . "ca" $ca
+Please, don't try to "simplify" them as without this trick, every generated
+certificate would be signed by a different CA.
+*/}}
+{{- define "sriov_operator_ca_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- printf "%s" $ca.Cert | b64enc -}}
+{{- end }}
+{{- define "sriov_operator_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+{{- define "sriov_resource_injector_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+

sriov-network-operator-chart/templates/certificate.yaml

@@ -0,0 +1,71 @@
+{{- if .Values.operator.admissionControllers.enabled }}
+{{- if and (.Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.certManager.generateSelfSigned) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - operator-webhook-service.{{ .Release.Namespace }}.svc
+  - operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: operator-webhook-selfsigned-issuer
+  secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: operator-webhook-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - network-resources-injector-service.{{ .Release.Namespace }}.svc
+  - network-resources-injector-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: network-resources-injector-selfsigned-issuer
+  secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: network-resources-injector-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+{{- else if and (not .Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.custom.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.caCrt | b64enc | b64enc | quote }}
+  tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsCrt | b64enc | quote }}
+  tls.key: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.caCrt | b64enc | b64enc | quote }}
+  tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsCrt | b64enc | quote }}
+  tls.key: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsKey | b64enc | quote }}
+{{- end }}
+{{- end }}

sriov-network-operator-chart/templates/certmanagercerts.yaml

@@ -0,0 +1,41 @@
+{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}}
+{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
+{{- required "cert-manager is required but not found" "" -}}
+{{- end -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: sriov-network-operator-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: operator-webhook-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: operator-webhook-service
+  dnsNames:
+  - operator-webhook-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: sriov-network-operator-selfsigned-issuer
+  privateKey:
+    rotationPolicy: Always
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: network-resources-injector-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: network-resources-injector-secret
+  dnsNames:
+  - network-resources-injector-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: sriov-network-operator-selfsigned-issuer
+  privateKey:
+    rotationPolicy: Always
+{{- end -}}
+

sriov-network-operator-chart/templates/clusterrole.yaml

@@ -0,0 +1,111 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "sriov-network-operator.fullname" . }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["pods/eviction"]
+    verbs: ["create"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["namespaces", "serviceaccounts"]
+    verbs: ["*"]
+  - apiGroups: ["k8s.cni.cncf.io"]
+    resources: ["network-attachment-definitions"]
+    verbs: ["*"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: [clusterroles, clusterrolebindings]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["*"]
+  - apiGroups: ["sriovnetwork.openshift.io"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["machineconfiguration.openshift.io"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["config.openshift.io"]
+    resources: ["infrastructures"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sriov-network-config-daemon
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["get"]
+  - apiGroups: [ "config.openshift.io" ]
+    resources: [ "infrastructures" ]
+    verbs: [ "get", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sriov-admin
+  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  {{- end }}
+rules:
+- apiGroups:
+  - sriovnetwork.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sriov-edit
+  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  {{- end }}
+rules:
+- apiGroups:
+  - sriovnetwork.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sriov-view
+  {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  {{- end }}
+rules:
+- apiGroups:
+  - sriovnetwork.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - "get"
+  - "watch"
+  - "list"

sriov-network-operator-chart/templates/clusterrolebinding.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "sriov-network-operator.fullname" . }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "sriov-network-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "sriov-network-operator.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sriov-network-config-daemon
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: sriov-network-config-daemon
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: sriov-network-config-daemon

sriov-network-operator-chart/templates/configmap.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: supported-nic-ids
+data:
+  Intel_i40e_XXV710: "8086 158a 154c"
+  Intel_i40e_25G_SFP28: "8086 158b 154c"
+  Intel_i40e_10G_X710_SFP: "8086 1572 154c"
+  Intel_ixgbe_10G_X550: "8086 1563 1565"
+  Intel_ixgbe_82576: "8086 10c9 10ca"
+  Intel_i40e_X710_X557_AT_10G: "8086 1589 154c"
+  Intel_i40e_10G_X710_BACKPLANE: "8086 1581 154c"
+  Intel_i40e_10G_X710_BASE_T: "8086 15ff 154c"
+  Intel_i40e_XXV710_N3000: "8086 0d58 154c"
+  Intel_i40e_40G_XL710_QSFP: "8086 1583 154c"
+  Intel_i40e_X550T: "8086 1563 1565"
+  Intel_i40e_X722: "8086 37d2 37cd"
+  Intel_i40e_X722_SFP: "8086 37d0 37cd"
+  Intel_i40e_X722_SFPP: "8086 37d3 37cd"
+  Intel_ice_Columbiaville_E810-CQDA2_2CQDA2: "8086 1592 1889"
+  Intel_ice_Columbiaville_E810-XXVDA4: "8086 1593 1889"
+  Intel_ice_Columbiaville_E810-XXVDA2: "8086 159b 1889"
+  Intel_ice_Columbiaville_E810: "8086 1591 1889"
+  Intel_ice_Columbiapark_E823C: "8086 188a 1889"
+  Nvidia_mlx5_ConnectX-4: "15b3 1013 1014"
+  Nvidia_mlx5_ConnectX-4LX: "15b3 1015 1016"
+  Nvidia_mlx5_ConnectX-5: "15b3 1017 1018"
+  Nvidia_mlx5_ConnectX-5_Ex: "15b3 1019 101a"
+  Nvidia_mlx5_ConnectX-6: "15b3 101b 101c"
+  Nvidia_mlx5_ConnectX-6_Dx: "15b3 101d 101e"
+  Nvidia_mlx5_ConnectX-6_Lx: "15b3 101f 101e"
+  Nvidia_mlx5_ConnectX-7: "15b3 1021 101e"
+  Nvidia_mlx5_MT42822_BlueField-2_integrated_ConnectX-6_Dx: "15b3 a2d6 101e"
+  Nvidia_mlx5_MT43244_BlueField-3_integrated_ConnectX-7_Dx: "15b3 a2dc 101e"
+  Broadcom_bnxt_BCM57414_2x25G: "14e4 16d7 16dc"
+  Broadcom_bnxt_BCM75508_2x100G: "14e4 1750 1806"
+  Qlogic_qede_QL45000_50G: "1077 1654 1664"
+  Red_Hat_Virtio_network_device: "1af4 1000 1000"
+  Red_Hat_Virtio_1_0_network_device: "1af4 1041 1041"
+  Marvell_OCTEON_TX2_CN96XX: "177d b200 b203"
+  Marvell_OCTEON_TX2_CN98XX: "177d b100 b103"
+  Marvell_OCTEON_Fusion_CNF95XX: "177d b600 b603"
+  Marvell_OCTEON10_CN10XXX: "177d b900 b903"
+  Marvell_OCTEON_Fusion_CNF105XX: "177d ba00 ba03"
+  {{- range .Values.supportedExtraNICs }}
+  {{ . }}
+  {{- end }}

sriov-network-operator-chart/templates/operator.yaml

@@ -0,0 +1,116 @@
+{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}}
+{{- required "rke2-multus is required but not found" "" -}}
+{{- end -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "sriov-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: sriov-network-operator
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
+  template:
+    metadata:
+      labels:
+        name: sriov-network-operator
+    spec:
+      {{- with .Values.operator.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operator.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      {{- with .Values.operator.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "sriov-network-operator.fullname" . }}
+      priorityClassName: "system-node-critical"
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- range .Values.imagePullSecrets }}
+      - name: {{ . }}
+      {{- end }}
+      {{- end }}
+      containers:
+        - name: {{ include "sriov-network-operator.fullname" . }}
+          image: {{ include "system_default_registry" . }}{{ .Values.images.operator.repository }}:{{ .Values.images.operator.tag }}
+          command:
+            - sriov-network-operator
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: SRIOV_CNI_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovCni.repository }}:{{ .Values.images.sriovCni.tag }}
+            - name: SRIOV_INFINIBAND_CNI_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.repository }}:{{ .Values.images.ibSriovCni.tag }}
+            - name: SRIOV_DEVICE_PLUGIN_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.repository }}:{{ .Values.images.sriovDevicePlugin.tag }}
+            - name: NETWORK_RESOURCES_INJECTOR_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.repository }}:{{ .Values.images.resourcesInjector.tag }}
+            - name: OPERATOR_NAME
+              value: sriov-network-operator
+            - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.repository }}:{{ .Values.images.sriovConfigDaemon.tag }}
+            - name: SRIOV_NETWORK_WEBHOOK_IMAGE
+              value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.repository }}:{{ .Values.images.webhook.tag }}
+            - name: RESOURCE_PREFIX
+              value: {{ .Values.operator.resourcePrefix }}
+            - name: IMAGE_PULL_SECRETS
+              value: {{ join "," .Values.imagePullSecrets }}
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: RELEASE_VERSION
+              value: {{ .Release.AppVersion }}
+            - name: SRIOV_CNI_BIN_PATH
+              value: {{ .Values.operator.cniBinPath }}
+            - name: CLUSTER_TYPE
+              value: {{ .Values.operator.clusterType }}
+        {{- if .Values.operator.admissionControllers.enabled }}
+            - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
+              value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+            - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
+              value: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+        {{- if .Values.operator.admissionControllers.certificates.certManager.enabled }}
+            - name: ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED
+              value: {{ .Values.operator.admissionControllers.certificates.certManager.enabled | quote }}
+        {{- else }}
+            - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }}
+                  key: ca.crt
+            - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }}
+                  key: ca.crt
+        {{- end }}
+        {{- end }}

sriov-network-operator-chart/templates/role.yaml

@@ -0,0 +1,138 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: {{ include "sriov-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - services
+      - endpoints
+      - persistentvolumeclaims
+      - events
+      - configmaps
+      - secrets
+    verbs:
+      - '*'
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - '*'
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - apps
+    resourceNames:
+      - sriov-network-operator
+    resources:
+      - deployments/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - serviceaccounts
+      - roles
+      - rolebindings
+    verbs:
+      - '*'
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - infrastructures
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - 'coordination.k8s.io'
+    resources:
+      - 'leases'
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sriov-network-config-daemon
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - '*'
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - '*'
+  - apiGroups:
+      - sriovnetwork.openshift.io
+    resources:
+      - '*'
+      - sriovnetworknodestates
+    verbs:
+      - '*'
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - 'coordination.k8s.io'
+    resources:
+      - 'leases'
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operator-webhook-sa
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get

sriov-network-operator-chart/templates/rolebinding.yaml

@@ -0,0 +1,44 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "sriov-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "sriov-network-operator.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "sriov-network-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: sriov-network-config-daemon
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: sriov-network-config-daemon
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: sriov-network-config-daemon
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: operator-webhook-sa
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: operator-webhook-sa
+roleRef:
+  kind: Role
+  name: operator-webhook-sa
+  apiGroup: rbac.authorization.k8s.io

sriov-network-operator-chart/templates/secrets.yaml

@@ -0,0 +1,20 @@
+{{- if not .Values.cert_manager -}}
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-webhook-service
+  namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_operator_cert" . | nindent 2 }}
+{{- end }}
+---
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: network-resources-injector-secret
+  namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
+{{- end }}
+{{- end }}
+

sriov-network-operator-chart/templates/serviceaccount.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "sriov-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sriov-network-config-daemon
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "sriov-network-operator.labels" . | nindent 4 }}

sriov-network-operator-chart/templates/sriovoperatorconfig.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.sriovOperatorConfig.deploy }}
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovOperatorConfig
+metadata:
+  name: default
+  namespace: {{ .Release.Namespace }}
+spec:
+  enableInjector: {{ .Values.operator.admissionControllers.enabled }}
+  enableOperatorWebhook: {{ .Values.operator.admissionControllers.enabled }}
+  {{- with .Values.sriovOperatorConfig.configDaemonNodeSelector }}
+  configDaemonNodeSelector:
+    {{- range $k, $v := .}}{{printf "%s: \"%s\"" $k $v | nindent 4 }}{{ end }}
+  {{- end }}
+  logLevel: {{ .Values.sriovOperatorConfig.logLevel }}
+  disableDrain: {{ .Values.sriovOperatorConfig.disableDrain }}
+  configurationMode: {{ .Values.sriovOperatorConfig.configurationMode }}
+{{ end }}

sriov-network-operator-chart/templates/validate-install-crd.yaml

@@ -0,0 +1,20 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/OVSNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkPoolConfig" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}}
+# {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# 	{{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# 	{{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}