Gitiles
Code Review Sign In
gerrit.opencord.org / helm-charts / 0f12b9c2b40d837e39330240d22f637540bead88 / . / mcord-release / mcord-setup / templates / multus-sriov-ds.yaml
blob: 135e7694a1add586e8cb24fbb5da41a6f7796e8d [file] [log] [blame]
---
# Copyright 2018-present Open Networking Foundation
# Copyright 2018 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
# name must match the spec fields below, and be in the form: <plural>.<group>
name: network-attachment-definitions.k8s.cni.cncf.io
annotations:
"helm.sh/hook": "crd-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
spec:
# group name to use for REST API: /apis/<group>/<version>
group: k8s.cni.cncf.io
# version name to use for REST API: /apis/<group>/<version>
version: v1
# either Namespaced or Cluster
scope: Namespaced
names:
# plural name to be used in the URL: /apis/<group>/<version>/<plural>
plural: network-attachment-definitions
# singular name to be used as an alias on the CLI and for display
singular: network-attachment-definition
# kind is normally the CamelCased singular type. Your resource manifests use this.
kind: NetworkAttachmentDefinition
# shortNames allow shorter string to match your resource on the CLI
shortNames:
- net-attach-def
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: multus-sa
namespace: kube-system
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
---
apiVersion: v1
kind: Secret
metadata:
name: multus-sa-secret
namespace: kube-system
annotations:
kubernetes.io/service-account.name: multus-sa
type: kubernetes.io/service-account-token
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: multus-pod-networks-lister
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/status"]
verbs: ["update"]
- apiGroups: ["k8s.cni.cncf.io"]
resources: ["*"]
verbs: ["get"]
---
kind: ConfigMap
apiVersion: v1
metadata:
name: multus-scripts
namespace: kube-system
data:
install-certs.sh: |
# Copied from Calico
# https://github.com/projectcalico/cni-plugin/blob/master/k8s-install/scripts/install-cni.sh
touch /host/etc/cni/net.d/multus-kubeconfig
chmod 600 /host/etc/cni/net.d/multus-kubeconfig
SERVICE_ACCOUNT_PATH=/var/run/secrets/multus/serviceaccount
KUBE_CA_FILE=$SERVICE_ACCOUNT_PATH/ca.crt
TLS_CFG="certificate-authority-data: $(cat $KUBE_CA_FILE | base64 | tr -d '\n')"
SERVICEACCOUNT_TOKEN=$(cat $SERVICE_ACCOUNT_PATH/token)
cat > /host/etc/cni/net.d/multus-kubeconfig <<EOF
# Kubeconfig file for Multus CNI plugin.
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
server: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
$TLS_CFG
users:
- name: multus
user:
token: "${SERVICEACCOUNT_TOKEN}"
contexts:
- name: multus-context
context:
cluster: local
user: multus
current-context: multus-context
EOF
install-multus-conf.sh: |
# copied from https://github.com/intel/multus-cni/blob/master/images/entrypoint.sh
rm -f /host/etc/cni/net.d/00-multus.conf
MASTER_PLUGIN="$(ls /host/etc/cni/net.d | grep -E '\.conf(list)?$' | head -1)"
MASTER_PLUGIN_JSON="$(cat /host/etc/cni/net.d/$MASTER_PLUGIN)"
cat > /host/etc/cni/net.d/00-multus.conf <<EOF
{
"name": "multus-cni-network",
"type": "multus",
"logFile": "/var/log/multus.log",
"logLevel": "debug",
"kubeconfig": "/etc/cni/net.d/multus-kubeconfig",
"delegates": [
$MASTER_PLUGIN_JSON
]
}
EOF
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: multus-rb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: multus-pod-networks-lister
subjects:
- kind: ServiceAccount
name: multus-sa
namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: sriov-device-plugin
namespace: kube-system
spec:
selector:
matchLabels:
name: sriov-device-plugin
template:
metadata:
labels:
name: sriov-device-plugin
spec:
initContainers:
- name: init-sriovds
image: {{ .Values.sriovds.initimage }}
command: [ "bash", "-c" ]
args:
- cp /tmp/cni/bin/{multus,sriov,vfioveth,centralip,jq} /host/opt/cni/bin/;
/tmp/multus/install-multus-conf.sh;
/tmp/multus/install-certs.sh;
systemctl stop kubelet;
echo "Restarting crio/containerd, kubelet";
systemctl restart containerd;
systemctl restart crio;
systemctl restart kubelet;
volumeMounts:
- name: usr-bin
mountPath: /host/usr/bin
- name: cni-bin
mountPath: /host/opt/cni/bin
- name: multus-sa
mountPath: /var/run/secrets/multus/serviceaccount
- name: multus-scripts
mountPath: /tmp/multus
- name: cni-conf
mountPath: /host/etc/cni/net.d
- name: dbus
mountPath: /var/run/dbus
- name: systemd
mountPath: /run/systemd
containers:
- name: sriovds
image: {{ .Values.sriovds.image }}
command: [ "sh", "-c" ]
args:
- /usr/bin/sriovdp --logtostderr -v 10;
sleep infinity;
volumeMounts:
- name: net
mountPath: /sys/class/net
readOnly: true
- name: dp-sock
mountPath: /var/lib/kubelet/device-plugins/
readOnly: false
- mountPath: /etc/pcidp
name: sriov-config
readOnly: false
volumes:
- name: sriov-config
configMap:
name: sriov-config
- name: usr-bin
hostPath:
path: /usr/bin
- name: cni-bin
hostPath:
path: /opt/cni/bin
- name: multus-sa
secret:
secretName: multus-sa-secret
- name: multus-scripts
configMap:
defaultMode: 511
name: multus-scripts
- name: cni-conf
hostPath:
path: /etc/cni/net.d
- name: dbus
hostPath:
path: /var/run/dbus
- name: systemd
hostPath:
path: /run/systemd
- name: net
hostPath:
path: /sys/class/net
- name: dp-sock
hostPath:
path: /var/lib/kubelet/device-plugins/
hostNetwork: true
hostPID: true