add qat resource driver chart (#65)

* add qat resource driver chart

Signed-off-by: Oksana Baranova <[email protected]>

charts/intel-qat-resource-driver/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: intel-qat-resource-driver
+description: A Helm chart for a Dynamic Resource Allocation (DRA) Intel QAT Resource Driver
+
+type: application
+version: 0.1.0
+appVersion: "v0.1.0"

charts/intel-qat-resource-driver/LICENSE

@@ -0,0 +1,14 @@
+Copyright 2024 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

charts/intel-qat-resource-driver/README.md

@@ -0,0 +1,48 @@
+# Dynamic Resource Allocation (DRA) Intel QAT Driver Helm Chart
+
+## The chart installs QAT resource driver:
+
+- [QAT](https://github.com/intel/intel-resource-drivers-for-kubernetes/tree/main/doc/qat/README.md)
+
+More info: [Intel Resource Drivers for Kubernetes](https://github.com/intel/intel-resource-drivers-for-kubernetes/tree/main)
+
+
+## Get Helm Repository Info
+```
+helm repo add intel https://intel.github.io/helm-charts/
+helm repo update
+```
+
+You can execute `helm search repo intel` command to see pulled charts [optional].
+
+## Install Helm Chart
+```
+helm install intel-qat-resource-driver intel/intel-qat-resource-driver
+```
+## Upgrade Chart
+```
+helm upgrade intel-qat-resource-driver intel/intel-qat-resource-driver [flags]
+```
+
+## Uninstall Chart
+```
+helm uninstall intel-qat-resource-driver --namespace intel-qat-resource-driver
+```
+
+## Configuration
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments:
+
+```console
+helm show values intel/intel-qat-resource-driver
+```
+
+You may also run `helm show values` on this chart's dependencies for additional options.
+
+| Key | Type | Default |
+|-----|------|---------|
+| image.repository | string | `intel` |
+| image.name | string | `"intel-qat-resource-driver"` |
+| image.pullPolicy | string | `"IfNotPresent"` |
+| image.tag | string | `"v0.1.0"` |
+
+If you change the image tag to be used in Helm chart deployment, ensure that the version of the container image is consistent with deployment YAMLs - they might change between releases.

charts/intel-qat-resource-driver/templates/NOTES.txt

@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.

charts/intel-qat-resource-driver/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/* Define common helpers */}}
+{{- define "intel-qat-resource-driver.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{/* Define the base name for the driver */}}
+{{- define "intel-qat-resource-driver.baseName" -}}
+intel-qat-resource-driver
+{{- end }}
+
+{{- define "intel-qat-resource-driver.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else -}}
+{{- printf "%s-%s" (include "intel-qat-resource-driver.baseName" .) .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride }}
+{{- end }}
+
+{{/* Labels for templates */}}
+{{- define "intel-qat-resource-driver.labels" -}}
+helm.sh/chart: {{ include "intel-qat-resource-driver.chart" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.clusterRoleName" -}}
+{{- printf "%s-role" (include "intel-qat-resource-driver.baseName" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.clusterRoleBindingName" -}}
+{{- printf "%s-rolebinding" (include "intel-qat-resource-driver.baseName" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default "intel-qat-sa" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end }}
+
+{{/* Define full image name */}}
+{{- define "intel-qat-resource-driver.fullimage" -}}
+{{- printf "%s/%s:%s" .Values.image.repository .Values.image.name .Values.image.tag -}}
+{{- end }}

charts/intel-qat-resource-driver/templates/clusterrole.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "intel-qat-resource-driver.clusterRoleName" . }}
+  namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceslices"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims"]
+  verbs: ["get"]

charts/intel-qat-resource-driver/templates/clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "intel-qat-resource-driver.clusterRoleBindingName" . }}
+  namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+  namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "intel-qat-resource-driver.clusterRoleName" . }}
+  apiGroup: rbac.authorization.k8s.io

charts/intel-qat-resource-driver/templates/device-class.yaml

@@ -0,0 +1,9 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceClass
+metadata:
+  name: qat.intel.com
+
+spec:
+  selectors:
+  - cel:
+      expression: device.driver == "qat.intel.com"

charts/intel-qat-resource-driver/templates/resource-driver-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: intel-qat-resource-driver

charts/intel-qat-resource-driver/templates/resource-driver.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: intel-qat-resource-driver-kubelet-plugin
+  namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+  labels:
+    {{- include "intel-qat-resource-driver.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: intel-qat-resource-driver
+  template:
+    metadata:
+      labels:
+        app: intel-qat-resource-driver
+    spec:
+      serviceAccount: intel-qat-resource-driver-service-account
+      serviceAccountName: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+      containers:
+      - name: kubelet-plugin
+        image: {{ include "intel-qat-resource-driver.fullimage" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/kubelet-qat-plugin"]
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: SYSFS_ROOT
+          value: "/sysfs"
+        volumeMounts:
+        - name: plugins-registry
+          mountPath: /var/lib/kubelet/plugins_registry
+        - name: plugins
+          mountPath: /var/lib/kubelet/plugins
+        - name: cdi
+          mountPath: /etc/cdi
+        - name: varruncdi
+          mountPath: /var/run/cdi
+        - name: sysfs
+          mountPath: /sysfs
+        - name: qatconfiguration
+          mountPath: /defaults
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+      volumes:
+      - name: plugins-registry
+        hostPath:
+          path: /var/lib/kubelet/plugins_registry
+      - name: plugins
+        hostPath:
+          path: /var/lib/kubelet/plugins
+      - name: cdi
+        hostPath:
+          path: /etc/cdi
+      - name: varruncdi
+        hostPath:
+          path: /var/run/cdi
+      - name: sysfs
+        hostPath:
+          path: /sys
+      - name: qatconfiguration
+        configMap:
+          name: intel-qat-resource-driver-configuration
+          optional: true
+      {{- with .Values.kubeletPlugin.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kubeletPlugin.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kubeletPlugin.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/intel-qat-resource-driver/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+  namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+  labels:
+    {{- include "intel-qat-resource-driver.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}

charts/intel-qat-resource-driver/templates/validating-admission-policy-binding.yaml

@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceslices-policy-dra-kubelet-plugin-qat
+spec:
+  policyName: resourceslices-policy-dra-kubelet-plugin-qat
+  validationActions: [Deny]

charts/intel-qat-resource-driver/templates/validating-admission-policy.yaml

@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceslices-policy-dra-kubelet-plugin-qat
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resource.k8s.io"]
+      apiVersions: ["v1alpha3"]
+      operations:  ["CREATE", "UPDATE", "DELETE"]
+      resources:   ["resourceslices"]
+  matchConditions:
+  - name: isRestrictedUser
+    expression: >-
+      request.userInfo.username == "system:serviceaccount:intel-qat-resource-driver:intel-qat-resource-driver-service-account"
+  variables:
+  - name: userNodeName
+    expression: >-
+      request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('')
+  - name: objectNodeName
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+  validations:
+  - expression: variables.userNodeName != ""
+    message: >-
+      no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
+  - expression: variables.userNodeName == variables.objectNodeName
+    messageExpression: >-
+      "this user running on node '"+variables.userNodeName+"' may not modify " +
+      (variables.objectNodeName == "" ?"cluster resourceslices" : "resourceslices on node '"+variables.objectNodeName+"'")

charts/intel-qat-resource-driver/values.yaml

@@ -0,0 +1,32 @@
+# Default values for intel-qat-resource-driver.
+nameOverride: ""
+namespaceOverride: "intel-qat-resource-driver"
+fullnameOverride: ""
+selectorLabelsOverride: {}
+
+imagePullSecrets: []
+image:
+  repository: intel
+  name: intel-qat-resource-driver
+  pullPolicy: IfNotPresent
+  tag: "v0.1.0"
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: "intel-qat-resource-driver-service-account"
+  automount: true
+
+kubeletPlugin:
+  podAnnotations: {}
+  tolerations:
+    - key: node-role.kubernetes.io/master
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    {}
+    #node-role.kubernetes.io/control-plane: ""
+  affinity: {}