diff --git a/charts/intel-qat-resource-driver/Chart.yaml b/charts/intel-qat-resource-driver/Chart.yaml
new file mode 100644
index 0000000..9826339
--- /dev/null
+++ b/charts/intel-qat-resource-driver/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: intel-qat-resource-driver
+description: A Helm chart for a Dynamic Resource Allocation (DRA) Intel QAT Resource Driver
+
+type: application
+version: 0.1.0
+appVersion: "v0.1.0"
diff --git a/charts/intel-qat-resource-driver/LICENSE b/charts/intel-qat-resource-driver/LICENSE
new file mode 100644
index 0000000..0378d97
--- /dev/null
+++ b/charts/intel-qat-resource-driver/LICENSE
@@ -0,0 +1,14 @@
+Copyright 2024 Intel Corporation
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/charts/intel-qat-resource-driver/README.md b/charts/intel-qat-resource-driver/README.md
new file mode 100644
index 0000000..31d6aff
--- /dev/null
+++ b/charts/intel-qat-resource-driver/README.md
@@ -0,0 +1,48 @@
+# Dynamic Resource Allocation (DRA) Intel QAT Driver Helm Chart
+
+## The chart installs QAT resource driver:
+
+- [QAT](https://github.com/intel/intel-resource-drivers-for-kubernetes/tree/main/doc/qat/README.md)
+
+More info: [Intel Resource Drivers for Kubernetes](https://github.com/intel/intel-resource-drivers-for-kubernetes/tree/main)
+
+
+## Get Helm Repository Info
+```
+helm repo add intel https://intel.github.io/helm-charts/
+helm repo update
+```
+
+You can execute `helm search repo intel` command to see pulled charts [optional].
+
+## Install Helm Chart
+```
+helm install intel-qat-resource-driver intel/intel-qat-resource-driver
+```
+## Upgrade Chart
+```
+helm upgrade intel-qat-resource-driver intel/intel-qat-resource-driver [flags]
+```
+
+## Uninstall Chart
+```
+helm uninstall intel-qat-resource-driver --namespace intel-qat-resource-driver
+```
+
+## Configuration
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments:
+
+```console
+helm show values intel/intel-qat-resource-driver
+```
+
+You may also run `helm show values` on this chart's dependencies for additional options.
+
+| Key | Type | Default |
+|-----|------|---------|
+| image.repository | string | `intel` |
+| image.name | string | `"intel-qat-resource-driver"` |
+| image.pullPolicy | string | `"IfNotPresent"` |
+| image.tag | string | `"v0.1.0"` |
+
+If you change the image tag to be used in Helm chart deployment, ensure that the version of the container image is consistent with deployment YAMLs - they might change between releases.
diff --git a/charts/intel-qat-resource-driver/templates/NOTES.txt b/charts/intel-qat-resource-driver/templates/NOTES.txt
new file mode 100644
index 0000000..5563e76
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/NOTES.txt
@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.
\ No newline at end of file
diff --git a/charts/intel-qat-resource-driver/templates/_helpers.tpl b/charts/intel-qat-resource-driver/templates/_helpers.tpl
new file mode 100644
index 0000000..41415ca
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/* Define common helpers */}}
+{{- define "intel-qat-resource-driver.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{/* Define the base name for the driver */}}
+{{- define "intel-qat-resource-driver.baseName" -}}
+intel-qat-resource-driver
+{{- end }}
+
+{{- define "intel-qat-resource-driver.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else -}}
+{{- printf "%s-%s" (include "intel-qat-resource-driver.baseName" .) .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride }}
+{{- end }}
+
+{{/* Labels for templates */}}
+{{- define "intel-qat-resource-driver.labels" -}}
+helm.sh/chart: {{ include "intel-qat-resource-driver.chart" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.clusterRoleName" -}}
+{{- printf "%s-role" (include "intel-qat-resource-driver.baseName" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.clusterRoleBindingName" -}}
+{{- printf "%s-rolebinding" (include "intel-qat-resource-driver.baseName" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "intel-qat-resource-driver.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default "intel-qat-sa" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end }}
+
+{{/* Define full image name */}}
+{{- define "intel-qat-resource-driver.fullimage" -}}
+{{- printf "%s/%s:%s" .Values.image.repository .Values.image.name .Values.image.tag -}}
+{{- end }}
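Review bot: The `intel-qat-resource-driver.serviceAccountName` helper in `_helpers.tpl` renders an empty string when `serviceAccount.create` is false, so the ClusterRoleBinding subject in `clusterrolebinding.yaml`, the ServiceAccount name in `serviceaccount.yaml` and the DaemonSet's `serviceAccountName` all come out empty instead of naming an existing account. Its fallback `intel-qat-sa` also disagrees with the account name that is hard-coded in `resource-driver.yaml` and in the admission policy's `isRestrictedUser` expression, so an empty `serviceAccount.name` would produce an identity the policy does not cover. An `{{- else -}}` branch such as `{{- default "default" .Values.serviceAccount.name -}}`, and a fallback equal to the name the policy expects, would keep the RBAC binding and the policy on the same identity.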
diff --git a/charts/intel-qat-resource-driver/templates/clusterrole.yaml b/charts/intel-qat-resource-driver/templates/clusterrole.yaml
new file mode 100644
index 0000000..3219711
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/clusterrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "intel-qat-resource-driver.clusterRoleName" . }}
+ namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+ resources: ["resourceslices"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["resource.k8s.io"]
+ resources: ["resourceclaims"]
+ verbs: ["get"]
diff --git a/charts/intel-qat-resource-driver/templates/clusterrolebinding.yaml b/charts/intel-qat-resource-driver/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..fc14ac0
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "intel-qat-resource-driver.clusterRoleBindingName" . }}
+ namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+ namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "intel-qat-resource-driver.clusterRoleName" . }}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/intel-qat-resource-driver/templates/device-class.yaml b/charts/intel-qat-resource-driver/templates/device-class.yaml
new file mode 100644
index 0000000..69b0692
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/device-class.yaml
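Review bot: `metadata.namespace` is set on the ClusterRole in `clusterrole.yaml` and again on the ClusterRoleBinding in `clusterrolebinding.yaml`, but both kinds are cluster-scoped, so the field has no effect and suggests a namespace boundary that does not exist; I would drop those two lines. Both object names are built from the fixed base name rather than from the release, so a second release of the chart in the same cluster would likely collide on them. A comment above the `resourceslices` rule, for example `# write access is cluster-wide; per-node scoping is enforced by the ValidatingAdmissionPolicy in this chart`, would record why the broad verbs are acceptable and what they depend on.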
@@ -0,0 +1,9 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceClass
+metadata:
+ name: qat.intel.com
+
+spec:
+ selectors:
+ - cel:
+ expression: device.driver == "qat.intel.com"
diff --git a/charts/intel-qat-resource-driver/templates/resource-driver-namespace.yaml b/charts/intel-qat-resource-driver/templates/resource-driver-namespace.yaml
new file mode 100644
index 0000000..30a3dd3
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/resource-driver-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: intel-qat-resource-driver
diff --git a/charts/intel-qat-resource-driver/templates/resource-driver.yaml b/charts/intel-qat-resource-driver/templates/resource-driver.yaml
new file mode 100644
index 0000000..6cd1e4c
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/resource-driver.yaml
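Review bot: The Namespace in `resource-driver-namespace.yaml` is named with the literal `intel-qat-resource-driver`, while every namespaced object in the chart takes its namespace from the `intel-qat-resource-driver.namespace` helper, so changing `namespaceOverride` leaves the workload pointing at a namespace this template never creates. Using `name: {{ include "intel-qat-resource-driver.namespace" . }}` keeps the two aligned. Because the DaemonSet in this chart runs a privileged container, the Namespace is also the natural place for an explicit Pod Security Admission label such as `pod-security.kubernetes.io/enforce: privileged`, which makes the exemption visible and confined to this namespace instead of depending on a cluster-wide default.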
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: intel-qat-resource-driver-kubelet-plugin
+ namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+ labels:
+ {{- include "intel-qat-resource-driver.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: intel-qat-resource-driver
+ template:
+ metadata:
+ labels:
+ app: intel-qat-resource-driver
+ spec:
+ serviceAccount: intel-qat-resource-driver-service-account
+ serviceAccountName: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+ containers:
+ - name: kubelet-plugin
+ image: {{ include "intel-qat-resource-driver.fullimage" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: ["/kubelet-qat-plugin"]
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: SYSFS_ROOT
+ value: "/sysfs"
+ volumeMounts:
+ - name: plugins-registry
+ mountPath: /var/lib/kubelet/plugins_registry
+ - name: plugins
+ mountPath: /var/lib/kubelet/plugins
+ - name: cdi
+ mountPath: /etc/cdi
+ - name: varruncdi
+ mountPath: /var/run/cdi
+ - name: sysfs
+ mountPath: /sysfs
+ - name: qatconfiguration
+ mountPath: /defaults
+ securityContext:
+ privileged: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: plugins-registry
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry
+ - name: plugins
+ hostPath:
+ path: /var/lib/kubelet/plugins
+ - name: cdi
+ hostPath:
+ path: /etc/cdi
+ - name: varruncdi
+ hostPath:
+ path: /var/run/cdi
+ - name: sysfs
+ hostPath:
+ path: /sys
+ - name: qatconfiguration
+ configMap:
+ name: intel-qat-resource-driver-configuration
+ optional: true
+ {{- with .Values.kubeletPlugin.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.kubeletPlugin.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.kubeletPlugin.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/intel-qat-resource-driver/templates/serviceaccount.yaml b/charts/intel-qat-resource-driver/templates/serviceaccount.yaml
new file mode 100644
index 0000000..7424381
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "intel-qat-resource-driver.serviceAccountName" . }}
+ namespace: {{ include "intel-qat-resource-driver.namespace" . }}
+ labels:
+ {{- include "intel-qat-resource-driver.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
diff --git a/charts/intel-qat-resource-driver/templates/validating-admission-policy-binding.yaml b/charts/intel-qat-resource-driver/templates/validating-admission-policy-binding.yaml
new file mode 100644
index 0000000..f1ad4f9
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/validating-admission-policy-binding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: resourceslices-policy-dra-kubelet-plugin-qat
+spec:
+ policyName: resourceslices-policy-dra-kubelet-plugin-qat
+ validationActions: [Deny]
diff --git a/charts/intel-qat-resource-driver/templates/validating-admission-policy.yaml b/charts/intel-qat-resource-driver/templates/validating-admission-policy.yaml
new file mode 100644
index 0000000..6822896
--- /dev/null
+++ b/charts/intel-qat-resource-driver/templates/validating-admission-policy.yaml
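Review bot: In the `kubelet-plugin` container of `resource-driver.yaml`, `seccompProfile: RuntimeDefault` sits next to `privileged: true`, but Kubernetes runs privileged containers unconfined, so the seccomp setting gives no protection and the pod reads as more locked down than it is. The container also receives the host `/sys`, `/etc/cdi`, `/var/run/cdi` and the kubelet plugin directories through hostPath mounts with no `readOnly: true` on any of them. If the plugin cannot work without `privileged: true`, a comment naming the operation that needs it would help the next reviewer; if it can, replacing it with the specific capabilities it needs would make the seccomp profile effective. Separately, the `serviceAccount:` line is a hard-coded literal while `serviceAccountName:` is templated, and `imagePullSecrets` from values.yaml is not referenced in this pod spec.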
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: resourceslices-policy-dra-kubelet-plugin-qat
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["resource.k8s.io"]
+ apiVersions: ["v1alpha3"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["resourceslices"]
+ matchConditions:
+ - name: isRestrictedUser
+ expression: >-
+ request.userInfo.username == "system:serviceaccount:intel-qat-resource-driver:intel-qat-resource-driver-service-account"
+ variables:
+ - name: userNodeName
+ expression: >-
+ request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('')
+ - name: objectNodeName
+ expression: >-
+ (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+ validations:
+ - expression: variables.userNodeName != ""
+ message: >-
+ no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
+ - expression: variables.userNodeName == variables.objectNodeName
+ messageExpression: >-
+ "this user running on node '"+variables.userNodeName+"' may not modify " +
+ (variables.objectNodeName == "" ?"cluster resourceslices" : "resourceslices on node '"+variables.objectNodeName+"'")
diff --git a/charts/intel-qat-resource-driver/values.yaml b/charts/intel-qat-resource-driver/values.yaml
new file mode 100644
index 0000000..439d75a
--- /dev/null
+++ b/charts/intel-qat-resource-driver/values.yaml
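Review bot: The `isRestrictedUser` match condition in `validating-admission-policy.yaml` compares against the literal username `system:serviceaccount:intel-qat-resource-driver:intel-qat-resource-driver-service-account`, while the ServiceAccount's name and namespace are rendered from `serviceAccount.name` and `namespaceOverride`. If either value is overridden the condition never matches, the policy is skipped for the driver's account, and the ClusterRole's create/update/delete on `resourceslices` is no longer limited to the node the pod runs on. Building the string from the same helpers, `request.userInfo.username == "system:serviceaccount:{{ include "intel-qat-resource-driver.namespace" . }}:{{ include "intel-qat-resource-driver.serviceAccountName" . }}"`, keeps the policy bound to whatever identity the chart deploys.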
@@ -0,0 +1,32 @@
+# Default values for intel-qat-resource-driver.
+nameOverride: ""
+namespaceOverride: "intel-qat-resource-driver"
+fullnameOverride: ""
+selectorLabelsOverride: {}
+
+imagePullSecrets: []
+image:
+ repository: intel
+ name: intel-qat-resource-driver
+ pullPolicy: IfNotPresent
+ tag: "v0.1.0"
+
+serviceAccount:
+ create: true
+ annotations: {}
+ name: "intel-qat-resource-driver-service-account"
+ automount: true
+
+kubeletPlugin:
+ podAnnotations: {}
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ nodeSelector:
+ {}
+ #node-role.kubernetes.io/control-plane: ""
+ affinity: {}
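Review bot: The default `kubeletPlugin.tolerations` in `values.yaml` tolerate the `master` and `control-plane` NoSchedule taints, so a default install places the privileged plugin pod, with its hostPath mounts, on control-plane nodes as well as workers. Unless QAT devices are expected there, `tolerations: []` as the default, with the two entries kept as a commented example, makes that placement an explicit choice. `image.tag` is a mutable tag pulled with `IfNotPresent`; an optional digest value would let operators pin the image that runs privileged. `imagePullSecrets`, `selectorLabelsOverride` and `kubeletPlugin.podAnnotations` are defined here, but no template in this diff appears to read them.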