forked from suse-edge/Factory
Factory/sriov-network-operator-chart/README.md

SR-IOV Network Operator Helm Chart

The SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage the lifecycle of the SR-IOV Network Operator.

SR-IOV Network Operator

SR-IOV Network Operator leverages Kubernetes CRDs and Operator SDK to configure and manage SR-IOV networks in a Kubernetes cluster.

SR-IOV Network Operator features:

  • Initialize the supported SR-IOV NIC types on selected nodes.
  • Provision/upgrade SR-IOV device plugin executable on selected nodes.
  • Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
  • Manage configuration of SR-IOV device plugin on host.
  • Generate net-att-def CRs for SR-IOV CNI plugin
  • Supports operation in a virtualized Kubernetes deployment
    • Discovers VFs attached to the Virtual Machine (VM)
    • Does not require attachment of the associated PFs
    • VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy

QuickStart

Prerequisites

  • Kubernetes v1.17+
  • Helm v3

Install Helm

Helm provides an install script that copies the helm binary to your system:

$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
$ chmod 500 get_helm.sh
$ ./get_helm.sh

For additional information and other methods of installing Helm, refer to the official Helm website.

Deploy SR-IOV Network Operator

Deploy from OCI repo

$ helm install -n sriov-network-operator --create-namespace --version 1.3.0 --set sriovOperatorConfig.deploy=true sriov-network-operator oci://ghcr.io/k8snetworkplumbingwg/sriov-network-operator-chart

Deploy from project sources

# Clone project
$ git clone https://github.com/k8snetworkplumbingwg/sriov-network-operator.git ; cd sriov-network-operator

# Install Operator
$ helm install -n sriov-network-operator --create-namespace --wait --set sriovOperatorConfig.deploy=true sriov-network-operator ./deployment/sriov-network-operator-chart

# View deployed resources
$ kubectl -n sriov-network-operator get pods

If Pod Security Admission is enabled, the sriov-network-operator namespace requires a security level of 'privileged':

$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged

Chart parameters

To tailor the deployment of the network operator to your cluster's needs, we have introduced the following chart parameters.

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| imagePullSecrets | list | [] | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator images |
| supportedExtraNICs | list | [] | An optional list of whitelisted NICs |

Operator parameters

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| operator.tolerations | list | [{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}] | Operator's tolerations |
| operator.nodeSelector | object | {} | Operator's node selector |
| operator.affinity | object | {"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}} | Operator's affinity configuration |
| operator.nameOverride | string | "" | Operator's resource name override |
| operator.fullnameOverride | string | "" | Operator's resource full name override |
| operator.resourcePrefix | string | openshift.io | Device plugin resource prefix |
| operator.cniBinPath | string | /opt/cni/bin | Path for CNI binary |
| operator.clustertype | string | kubernetes | Cluster environment type |

Admission Controllers parameters

The admission controllers can be enabled by switching on a single parameter operator.admissionControllers.enabled. By default, the user needs to pre-create Kubernetes Secrets that match the names provided in operator.admissionControllers.certificates.secretNames. The secrets should have 3 fields populated with the relevant content:

  • ca.crt (value needs to be base64 encoded twice)
  • tls.crt
  • tls.key
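
The default mode described above, as an added example (not part of the chart or the upstream project): a POSIX shell function that renders the pre-created Secret with ca.crt encoded twice and tls.crt / tls.key encoded once, then checks the result by decoding it. The function names, the `Opaque` secret type and the placeholder input files are assumptions made for the example; the secret name and namespace are the defaults used on this page.

```shell
#!/bin/sh
# Added example (not chart code). Secret type "Opaque" is an assumption;
# the README only names the three data keys.

b64() { base64 | tr -d '\n'; }   # single-line base64, portable across GNU/BSD

# render_webhook_secret NAME NAMESPACE CA_PEM TLS_CRT TLS_KEY
render_webhook_secret() {
    name=$1; ns=$2; ca=$3; crt=$4; key=$5
    for f in "$ca" "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # ca.crt is encoded twice, as the README requires; tls.crt and tls.key
    # get the single encoding every Secret "data" value carries.
    ca_twice=$(b64 <"$ca" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  ca.crt: $ca_twice
  tls.crt: $(b64 <"$crt")
  tls.key: $(b64 <"$key")
EOF
}

# Read one data field back out of a rendered manifest (used to verify it).
secret_field() { sed -n "s/^  $1: //p"; }

# Constructed placeholder inputs, not real certificates or keys.
tmp=$(mktemp -d)   # mktemp -d creates the directory with mode 0700
trap 'rm -rf "$tmp"' EXIT
for f in ca.pem tls.crt tls.key; do
    printf '%s\n' "-----BEGIN CONSTRUCTED $f-----" "Y29uc3RydWN0ZWQ=" \
        "-----END CONSTRUCTED $f-----" >"$tmp/$f"
done

manifest=$(render_webhook_secret operator-webhook-cert sriov-network-operator \
    "$tmp/ca.pem" "$tmp/tls.crt" "$tmp/tls.key")

# Two decodes must return the original CA file; one decode returns base64 text.
[ "$(printf '%s\n' "$manifest" | secret_field ca.crt | base64 -d | base64 -d)" \
    = "$(cat "$tmp/ca.pem")" ] && echo "ca.crt round-trips after two decodes"
```

With real PEM files, pipe the function's output to `kubectl apply -f -` once per secret name (operator-webhook-cert and network-resources-injector-cert by default). The rendered manifest contains the private key, so keep it out of version control and shell history.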

Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission controllers, which can be found in the table below. In a nutshell, the modes that are supported are:

  • Consume pre-created Certificates managed by cert-manager
  • Generate self signed Certificates managed by cert-manager
  • Specify the content of the certificates as Helm values

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| operator.admissionControllers.enabled | bool | false | Flag that switches on the admission controllers |
| operator.admissionControllers.certificates.secretNames.operator | string | operator-webhook-cert | Secret that stores the certificate for the Operator's admission controller |
| operator.admissionControllers.certificates.secretNames.injector | string | network-resources-injector-cert | Secret that stores the certificate for the Network Resources Injector's admission controller |
| operator.admissionControllers.certificates.certManager.enabled | bool | false | Flag that switches on consumption of certificates managed by cert-manager |
| operator.admissionControllers.certificates.certManager.generateSelfSigned | bool | false | Flag that switches on generation of self signed certificates managed by cert-manager. The secrets in which the certificates are stored will have the names provided in operator.admissionControllers.certificates.secretNames |
| operator.admissionControllers.certificates.custom.enabled | bool | false | Flag that switches on consumption of user provided certificates that are part of operator.admissionControllers.certificates.custom.operator and operator.admissionControllers.certificates.custom.injector objects |
| operator.admissionControllers.certificates.custom.operator.caCrt | string | "" | The CA certificate to be used by the Operator's admission controller |
| operator.admissionControllers.certificates.custom.operator.tlsCrt | string | "" | The public part of the certificate to be used by the Operator's admission controller |
| operator.admissionControllers.certificates.custom.operator.tlsKey | string | "" | The private part of the certificate to be used by the Operator's admission controller |
| operator.admissionControllers.certificates.custom.injector.caCrt | string | "" | The CA certificate to be used by the Network Resources Injector's admission controller |
| operator.admissionControllers.certificates.custom.injector.tlsCrt | string | "" | The public part of the certificate to be used by the Network Resources Injector's admission controller |
| operator.admissionControllers.certificates.custom.injector.tlsKey | string | "" | The private part of the certificate to be used by the Network Resources Injector's admission controller |

SR-IOV Operator Configuration Parameters

This section contains general parameters that apply to both the operator and daemon components of the SR-IOV Network Operator.

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| sriovOperatorConfig.deploy | bool | false | Deploy the SriovOperatorConfig custom resource |
| sriovOperatorConfig.configDaemonNodeSelector | map[string]string | {} | Node selectors for sriov-network-config-daemon |
| sriovOperatorConfig.logLevel | int | 2 | Log level for both operator and sriov-network-config-daemon |
| sriovOperatorConfig.disableDrain | bool | false | Disable node draining when configuring SR-IOV; set to true in case of a single node cluster or any other justifiable reason |
| sriovOperatorConfig.configurationMode | string | daemon | sriov-network-config-daemon configuration mode, either daemon or systemd |

Images parameters

| Name | Description |
| --- | --- |
| images.operator | Operator controller image |
| images.sriovConfigDaemon | Daemon node agent image |
| images.sriovCni | SR-IOV CNI image |
| images.ibSriovCni | InfiniBand SR-IOV CNI image |
| images.sriovDevicePlugin | SR-IOV device plugin image |
| images.resourcesInjector | Resources Injector image |
| images.webhook | Operator Webhook image |

Extra objects parameters

Disclaimer:

Please note that any resources deployed using the extraDeploy in this Helm chart are the sole responsibility of the user. It is important to review and understand the implications of these deployed resources. The maintainers of this Helm chart take no responsibility for any issues or damages caused by the deployment or operation of these resources.

| Name | Description |
| --- | --- |
| extraDeploy | Array of extra objects to deploy with the release |