first commit

2025-12-16 17:56:13 +11:00
commit 2da0e4f030
70 changed files with 11317 additions and 0 deletions

charts/kmm/.helmignore Normal file

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

charts/kmm/Chart.yaml Normal file

@@ -0,0 +1,7 @@
apiVersion: v2
appVersion: v20240618-v2.1.1
description: A Helm chart for deploying Kernel Module Management for AMD GPU Operator
kubeVersion: '>= 1.18.0-0'
name: kmm
type: application
version: v1.0.0



@@ -0,0 +1,449 @@
---
# Source: kmm/templates/nodemodulesconfig-crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: nodemodulesconfigs.kmm.sigs.x-k8s.io
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
helm.sh/chart: kmm-v1.0.0
app.kubernetes.io/name: kmm
app.kubernetes.io/instance: amd-gpu
app.kubernetes.io/version: "v20240618-v2.1.1"
app.kubernetes.io/managed-by: Helm
spec:
group: kmm.sigs.x-k8s.io
names:
kind: NodeModulesConfig
listKind: NodeModulesConfigList
plural: nodemodulesconfigs
shortNames:
- nmc
singular: nodemodulesconfig
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: NodeModulesConfig keeps spec and state of the KMM modules on a
node.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
NodeModulesConfigSpec describes the desired state of modules on the node
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
modules:
description: |-
Modules list the spec of all the modules that need to be executed
on the node
items:
properties:
config:
properties:
containerImage:
type: string
imagePullPolicy:
default: IfNotPresent
description: PullPolicy describes a policy for if/when to
pull a container image
type: string
inTreeModuleToRemove:
type: string
inTreeModulesToRemove:
items:
type: string
type: array
insecurePull:
description: When InsecurePull is true, the container image
can be pulled without TLS.
type: boolean
kernelVersion:
type: string
modprobe:
properties:
args:
description: |-
Args is an optional list of arguments to be passed to modprobe before the name of the kernel module.
The resulting commands will be: `modprobe ${Args} module_name`.
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
dirName:
default: /opt
description: |-
DirName is the root directory for modules.
It adds `-d ${DirName}` to the modprobe command-line.
type: string
firmwarePath:
description: |-
FirmwarePath is the path of the firmware(s).
The firmware(s) will be copied to the host for the kernel to find them.
type: string
moduleName:
description: |-
ModuleName is the name of the Module to be loaded.
This field can only be unset if rawArgs is set.
type: string
modulesLoadingOrder:
description: |-
ModulesLoadingOrder defines the dependency between kernel modules loading, in case
it was not created by depmod (independent kernel modules).
The list order should be: upmost module, then the module it depends on and so on.
Example: if moduleA depends on first loading moduleB, and moduleB depends on first loading moduleC
the entry should look:
ModulesLoadingOrder:
- moduleA
- moduleB
- moduleC
In order to load all 3 modules, moduleA shoud be defined in the ModuleName parameter of this struct
items:
type: string
type: array
parameters:
description: |-
Parameters is an optional list of kernel module parameters to be provided to modprobe.
They should be in the form of key=value and will be separated by spaces in the modprobe command.
The resulting loading command will be: `modprobe module_name ${Parameters}`.
items:
type: string
type: array
rawArgs:
description: |-
If RawArgs are specified, they are passed straight to the modprobe binary; all other properties in this
object are ignored.
The resulting commands will be: `modprobe ${RawArgs}`.
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
type: object
required:
- containerImage
- imagePullPolicy
- insecurePull
- kernelVersion
- modprobe
type: object
imageRepoSecret:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
name:
type: string
namespace:
type: string
serviceAccountName:
type: string
tolerations:
description: tolerations define which tolerations should be added
for every load/unload pod running on the node
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
required:
- config
- name
- namespace
- serviceAccountName
type: object
type: array
type: object
status:
description: |-
NodeModuleConfigStatus is the most recently observed status of the KMM modules on node.
It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
modules:
description: Modules contain observations about each Module's node state
status
items:
properties:
bootId:
type: string
config:
properties:
containerImage:
type: string
imagePullPolicy:
default: IfNotPresent
description: PullPolicy describes a policy for if/when to
pull a container image
type: string
inTreeModuleToRemove:
type: string
inTreeModulesToRemove:
items:
type: string
type: array
insecurePull:
description: When InsecurePull is true, the container image
can be pulled without TLS.
type: boolean
kernelVersion:
type: string
modprobe:
properties:
args:
description: |-
Args is an optional list of arguments to be passed to modprobe before the name of the kernel module.
The resulting commands will be: `modprobe ${Args} module_name`.
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
dirName:
default: /opt
description: |-
DirName is the root directory for modules.
It adds `-d ${DirName}` to the modprobe command-line.
type: string
firmwarePath:
description: |-
FirmwarePath is the path of the firmware(s).
The firmware(s) will be copied to the host for the kernel to find them.
type: string
moduleName:
description: |-
ModuleName is the name of the Module to be loaded.
This field can only be unset if rawArgs is set.
type: string
modulesLoadingOrder:
description: |-
ModulesLoadingOrder defines the dependency between kernel modules loading, in case
it was not created by depmod (independent kernel modules).
The list order should be: upmost module, then the module it depends on and so on.
Example: if moduleA depends on first loading moduleB, and moduleB depends on first loading moduleC
the entry should look:
ModulesLoadingOrder:
- moduleA
- moduleB
- moduleC
In order to load all 3 modules, moduleA shoud be defined in the ModuleName parameter of this struct
items:
type: string
type: array
parameters:
description: |-
Parameters is an optional list of kernel module parameters to be provided to modprobe.
They should be in the form of key=value and will be separated by spaces in the modprobe command.
The resulting loading command will be: `modprobe module_name ${Parameters}`.
items:
type: string
type: array
rawArgs:
description: |-
If RawArgs are specified, they are passed straight to the modprobe binary; all other properties in this
object are ignored.
The resulting commands will be: `modprobe ${RawArgs}`.
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
type: object
required:
- containerImage
- imagePullPolicy
- insecurePull
- kernelVersion
- modprobe
type: object
imageRepoSecret:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
lastTransitionTime:
format: date-time
type: string
name:
type: string
namespace:
type: string
serviceAccountName:
type: string
tolerations:
description: tolerations define which tolerations should be added
for every load/unload pod running on the node
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
required:
- name
- namespace
- serviceAccountName
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
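Review bot: The metadata.labels block of this CRD (`helm.sh/chart: kmm-v1.0.0`, `app.kubernetes.io/instance: amd-gpu`, `app.kubernetes.io/version: "v20240618-v2.1.1"`, `app.kubernetes.io/managed-by: Helm`) is frozen rendered output rather than template — the `# Source: kmm/templates/nodemodulesconfig-crd.yaml` header is what `helm template` emits — so the instance label will not follow `.Release.Name` and the chart label will not follow the chart version, while the preflightvalidations CRD in this same commit uses `{{- include "kmm.labels" . | nindent 4 }}` for the same purpose. Replacing those five literal label lines with that include keeps the two CRDs consistent and lets the labels track the release. The generated schema text also carries the typo `moduleA shoud be defined` twice (in the spec and status copies of `modulesLoadingOrder`), which shows up verbatim in `kubectl explain`.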


@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kmm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kmm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kmm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kmm.labels" -}}
helm.sh/chart: {{ include "kmm.chart" . }}
{{ include "kmm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kmm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kmm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kmm.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kmm.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
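Review bot: `kmm.serviceAccountName` reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but nothing else in this commit refers to a top-level `serviceAccount` values key — the ServiceAccount template reads `.Values.controller.serviceAccount.annotations`, and every Deployment, RoleBinding and ClusterRoleBinding hardcodes `{{ include "kmm.fullname" . }}-controller`. The helper therefore looks unused, and if it is ever included with a values file that has no `serviceAccount` map, the field access on a nil value would most likely fail the render. Either drop the helper or point it at `.Values.controller.serviceAccount` and have the templates include it, so the account name is defined in one place instead of being repeated in six files.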


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kmm.fullname" . }}-controller-metrics-service
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.labels" . | nindent 4 }}
spec:
type: {{ .Values.controllerMetricsService.type }}
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.controllerMetricsService.ports | toYaml | nindent 2 }}


@@ -0,0 +1,203 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kmm.fullname" . }}-controller
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 8 }}
annotations:
kubectl.kubernetes.io/default-container: manager
spec:
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector: {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
containers:
- args: {{- toYaml .Values.controller.manager.args | nindent 8 }}
env:
- name: RELATED_IMAGE_WORKER
value: {{ quote .Values.controller.manager.env.relatedImageWorker }}
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELATED_IMAGE_BUILD
value: {{ quote .Values.controller.manager.env.relatedImageBuild }}
- name: RELATED_IMAGE_SIGN
value: {{ quote .Values.controller.manager.env.relatedImageSign }}
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
{{- if .Values.controller.manager.env.relatedImageBuildPullSecret }}
- name: RELATED_IMAGE_BUILD_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageBuildPullSecret }}
{{- end}}
{{- if .Values.controller.manager.env.relatedImageSignPullSecret }}
- name: RELATED_IMAGE_SIGN_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageSignPullSecret }}
{{- end}}
{{- if .Values.controller.manager.env.relatedImageWorkerPullSecret }}
- name: RELATED_IMAGE_WORKER_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageWorkerPullSecret }}
{{- end}}
{{- if .Values.global.proxy.env | default dict}}
{{- range $key, $value := .Values.global.proxy.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
image: {{ .Values.controller.manager.image.repository }}:{{ .Values.controller.manager.image.tag
| default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.controller.manager.imagePullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.controller.manager.resources | nindent 10 }}
securityContext: {{- toYaml .Values.controller.manager.containerSecurityContext
| nindent 10 }}
volumeMounts:
- mountPath: /controller_config.yaml
name: manager-config
subPath: controller_config.yaml
{{- if .Values.controller.manager.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.controller.manager.imagePullSecrets }}
{{- end}}
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "kmm.fullname" . }}-controller
terminationGracePeriodSeconds: 10
{{- with .Values.controller.manager.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- configMap:
name: {{ include "kmm.fullname" . }}-manager-config
name: manager-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kmm.fullname" . }}-webhook-server
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.webhookServer.replicas }}
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 8 }}
annotations:
kubectl.kubernetes.io/default-container: webhook-server
spec:
{{- with .Values.webhookServer.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector: {{- toYaml .Values.webhookServer.nodeSelector | nindent 8 }}
containers:
- args: {{- toYaml .Values.webhookServer.webhookServer.args | nindent 8 }}
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
{{- if .Values.global.proxy.env | default dict}}
{{- range $key, $value := .Values.global.proxy.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
image: {{ .Values.webhookServer.webhookServer.image.repository }}:{{ .Values.webhookServer.webhookServer.image.tag
| default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.webhookServer.webhookServer.imagePullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: webhook-server
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.webhookServer.webhookServer.resources | nindent 10
}}
securityContext: {{- toYaml .Values.webhookServer.webhookServer.containerSecurityContext
| nindent 10 }}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /controller_config.yaml
name: manager-config
subPath: controller_config.yaml
{{- if .Values.webhookServer.webhookServer.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.webhookServer.webhookServer.imagePullSecrets }}
{{- end}}
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "kmm.fullname" . }}-controller
terminationGracePeriodSeconds: 10
{{- with .Values.webhookServer.webhookServer.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: kmm-operator-webhook-server-cert
- configMap:
name: {{ include "kmm.fullname" . }}-manager-config
name: manager-config
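Review bot: The webhook-server Deployment (second document) runs under the controller's ServiceAccount, `serviceAccountName: {{ include "kmm.fullname" . }}-controller`, so the admission/conversion webhook inherits every permission this commit binds to that account — the manager ClusterRole (create/delete on pods and daemonsets, list/watch on secrets cluster-wide), the proxy role and the event-recorder role. A webhook that only validates and converts objects needs none of that; a dedicated ServiceAccount with its own minimal binding would keep a compromised webhook container from reaching the controller's permissions. Separately, the three `*_PULL_SECRET` env values in the first document are emitted unquoted while their siblings go through `quote`; `value: {{ .Values.controller.manager.env.relatedImageBuildPullSecret | quote }}` (and the same for the sign and worker variants) keeps them strings under YAML's implicit typing.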


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-event-recorder-clusterrole
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-event-recorder-clusterrolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-event-recorder-clusterrole'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'


@@ -0,0 +1,50 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kmm.fullname" . }}-leader-election-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-leader-election-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: '{{ include "kmm.fullname" . }}-leader-election-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'
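Review bot: The leader-election Role grants full CRUD (`get` through `delete`) on `configmaps` in addition to `leases`. Whether the configmaps rule is needed depends on the manager's leader-election resource lock, which comes from `.Values.controller.manager.args` and is not visible in this chunk; controller-runtime has defaulted to a Leases lock for some time, in which case the configmaps rule can be dropped to keep the namespace grant minimal. If the configmap-based lock is still in use, a comment on that rule such as `# configmaps: legacy leader-election lock, remove once the manager uses leases only` would save the next reviewer the question.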


@@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kmm.fullname" . }}-manager-config
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
data:
controller_config.yaml: {{ .Values.managerConfig.controllerConfigYaml | toYaml
| indent 1 }}
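Review bot: `controller_config.yaml: {{ .Values.managerConfig.controllerConfigYaml | toYaml | indent 1 }}` only renders valid YAML when `controllerConfigYaml` is a multi-line string, because `toYaml` then emits a `|-` block scalar whose header lands after the key; if someone sets it to a mapping in values.yaml, `indent 1` puts the first key on the same line as `controller_config.yaml:` and the render is not parseable. values.yaml is not in this chunk, so I cannot tell which form it currently uses. Writing the key as an explicit block scalar, `controller_config.yaml: |-` followed by `{{- .Values.managerConfig.controllerConfigYaml | nindent 4 }}`, makes the string contract visible and fails loudly on anything else.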


@@ -0,0 +1,135 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-manager-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- clusterclaims
verbs:
- create
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resourceNames:
- kernel-versions.kmm.node.kubernetes.io
resources:
- clusterclaims
verbs:
- delete
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- secrets
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- nodes
verbs:
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules/status
- preflightvalidations/status
verbs:
- get
- patch
- update
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs/status
verbs:
- patch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- preflightvalidations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-manager-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-manager-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'
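Review bot: The manager ClusterRole grants `get`, `list` and `watch` on `secrets` in every namespace (the core-group rule shared with configmaps and serviceaccounts), which is the broadest read grant in this chart — with `list`, the controller ServiceAccount can enumerate every Secret in the cluster. KMM does read the image pull secrets referenced from Module specs, so some secret access is expected, but a comment on that rule stating why cluster-wide list/watch is required rather than `get` on the referenced names would document the trade-off for whoever audits the chart. Because the webhook-server Deployment in this commit runs under the same ServiceAccount, the scope of this rule counts twice.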


@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-metrics-reader
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- nonResourceURLs:
- /metrics
verbs:
- get


@@ -0,0 +1,243 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: preflightvalidations.kmm.sigs.x-k8s.io
annotations:
cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "kmm.fullname"
. }}-serving-cert'
controller-gen.kubebuilder.io/version: v0.16.1
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /convert
conversionReviewVersions:
- v1beta2
- v1beta1
group: kmm.sigs.x-k8s.io
names:
kind: PreflightValidation
listKind: PreflightValidationList
plural: preflightvalidations
shortNames:
- pfv
singular: preflightvalidation
scope: Cluster
versions:
- deprecated: true
name: v1beta1
schema:
openAPIV3Schema:
description: PreflightValidation initiates a preflight validations for all Modules
on the current Kubernetes cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
PreflightValidationSpec describes the desired state of the resource, such as the kernel version
that Module CRs need to be verified against as well as the debug configuration of the logs
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
kernelVersion:
description: KernelVersion describes the kernel image that all Modules
need to be checked against.
type: string
pushBuiltImage:
description: |-
Boolean flag that determines whether images build during preflight must also
be pushed to a defined repository
type: boolean
required:
- kernelVersion
type: object
status:
description: |-
PreflightValidationStatus is the most recently observed status of the PreflightValidation.
It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
crStatuses:
additionalProperties:
properties:
lastTransitionTime:
description: |-
LastTransitionTime is the last time the CR status transitioned from one status to another.
This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
statusReason:
description: StatusReason contains a string describing the status
source.
type: string
verificationStage:
description: |-
Current stage of the verification process:
image (image existence verification), build(build process verification)
enum:
- Image
- Build
- Sign
- Requeued
- Done
type: string
verificationStatus:
description: |-
Status of Module CR verification: true (verified), false (verification failed),
error (error during verification process), unknown (verification has not started yet)
enum:
- "True"
- "False"
type: string
required:
- lastTransitionTime
- verificationStage
- verificationStatus
type: object
description: CRStatuses contain observations about each Module's preflight
upgradability validation
type: object
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta2
schema:
openAPIV3Schema:
description: PreflightValidation initiates a preflight validations for all Modules
on the current Kubernetes cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
PreflightValidationSpec describes the desired state of the resource, such as the kernel version
that Module CRs need to be verified against as well as the debug configuration of the logs
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
kernelVersion:
description: KernelVersion describes the kernel image that all Modules
need to be checked against.
type: string
pushBuiltImage:
description: |-
Boolean flag that determines whether images build during preflight must also
be pushed to a defined repository
type: boolean
required:
- kernelVersion
type: object
status:
description: |-
PreflightValidationStatus is the most recently observed status of the PreflightValidation.
It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
modules:
description: Modules contain observations about each Module's preflight
upgradability validation
items:
properties:
lastTransitionTime:
description: |-
LastTransitionTime is the last time the CR status transitioned from one status to another.
This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
name:
description: Name is the name of the Module resource.
type: string
namespace:
description: Namespace is the namespace of the Module resource.
type: string
statusReason:
description: StatusReason contains a string describing the status
source.
type: string
verificationStage:
description: |-
Current stage of the verification process:
image (image existence verification), build(build process verification)
enum:
- Image
- Build
- Sign
- Requeued
- Done
type: string
verificationStatus:
description: |-
Status of Module CR verification: true (verified), false (verification failed),
error (error during verification process), unknown (verification has not started yet)
enum:
- "True"
- "False"
type: string
required:
- lastTransitionTime
- name
- namespace
- verificationStage
- verificationStatus
type: object
type: array
x-kubernetes-list-map-keys:
- namespace
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
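Review bot: `conversionReviewVersions` under `spec.conversion.webhook` lists `v1beta2` and `v1beta1`, which look like this CRD's own served versions; the field actually names the ConversionReview API versions the webhook accepts (`v1`, `v1beta1`), and the API server uses the first entry it supports. As written, the server skips `v1beta2` and falls through to the older `v1beta1` review format; listing `- v1` first, with `- v1beta1` only if the webhook still speaks it, is what the conversion needs. The conversion also relies on `cert-manager.io/inject-ca-from` plus the Issuer and Certificate templates, so the chart cannot install without cert-manager present — worth stating in Chart.yaml or the chart README.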


@@ -0,0 +1,38 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-proxy-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-proxy-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-proxy-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'
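Review bot: The ClusterRole `name:` under the first `metadata:` renders the template action unquoted, while the identical expression is single-quoted in the ClusterRoleBinding's `roleRef` and `subjects`; use one form throughout, e.g. `name: '{{ include "kmm.fullname" . }}-proxy-role'`, so a reader can see at a glance that the binding targets exactly this role. The two grants (create on tokenreviews and subjectaccessreviews) are the minimum needed for the token-based authn/authz that values.yaml enables on the metrics endpoint, presumably for a kube-rbac-proxy-style check; a template comment such as `{{/* TokenReview/SubjectAccessReview only: this role exists for metrics authn/authz, do not widen it */}}` above `rules:` would keep a later edit from turning it into a broader cluster role.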


@@ -0,0 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "kmm.fullname" . }}-selfsigned-issuer
labels:
{{- include "kmm.labels" . | nindent 4 }}
spec:
selfSigned: {}
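Review bot: The Issuer's `labels:` carry only `kmm.labels`, whereas the ClusterRole, ServiceAccount and Service in this commit also set `app.kubernetes.io/component: kmm` and `app.kubernetes.io/part-of: kmm`; the Certificate and ValidatingWebhookConfiguration sections that follow have the same gap, so label selectors or cleanup scripts keyed on `component`/`part-of` will miss the cert-manager and webhook objects. Add the two lines above the include in each of the three. This self-signed Issuer is the trust root for the webhook serving certificate (the Certificate's `issuerRef` points here and the webhook configuration injects its CA), which is worth stating in a template comment, e.g. `{{/* trust root for the webhook serving cert; the CA is injected into the webhook config by cert-manager */}}`, since nothing else in the chart explains why a self-signed issuer is acceptable here.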


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kmm.fullname" . }}-controller
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }}
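Review bot: The `annotations:` key is emitted unconditionally and its value comes from `toYaml`, so with the default `annotations: {}` the rendered ServiceAccount carries an empty `annotations: {}` block; the idiomatic form is to guard the key with `{{- with .Values.controller.serviceAccount.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}`, which omits the key when nothing is set and is what the other conditionally-rendered maps in Helm charts usually do. Note that this account is also the subject of the proxy ClusterRoleBinding earlier in the commit, so a one-line template comment naming that relationship would help whoever audits which identities hold the tokenreview/subjectaccessreview grant.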


@@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "kmm.fullname" . }}-serving-cert
labels:
{{- include "kmm.labels" . | nindent 4 }}
spec:
dnsNames:
- '{{ include "kmm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc'
- '{{ include "kmm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{
.Values.kubernetesClusterDomain }}'
issuerRef:
kind: Issuer
name: '{{ include "kmm.fullname" . }}-selfsigned-issuer'
secretName: kmm-operator-webhook-server-cert
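Review bot: `secretName:` is a hard-coded `kmm-operator-webhook-server-cert` while every other name in this section is derived from `kmm.fullname`, so two releases in one namespace would contend for the same Secret and a renamed release would silently keep the old name. Presumably the webhook Deployment (not in this section) mounts the Secret by this literal name, so both sides would need to move to `secretName: '{{ include "kmm.fullname" . }}-webhook-server-cert'` together; if the literal is deliberate because the upstream operator expects that exact Secret name, say so in a template comment next to the line. The `dnsNames` entry that wraps a template action across two lines renders correctly but is hard to read; keeping it on one line or using a `>-` folded scalar would be clearer.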


@@ -0,0 +1,51 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "kmm.fullname" . }}-validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kmm.fullname" . }}-serving-cert
labels:
{{- include "kmm.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /validate--v1-namespace
failurePolicy: Fail
name: namespace-deletion.kmm.sigs.k8s.io
namespaceSelector:
matchLabels:
kmm.node.k8s.io/contains-modules: ""
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- DELETE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /validate-kmm-sigs-x-k8s-io-v1beta1-module
failurePolicy: Fail
name: vmodule.kb.io
rules:
- apiGroups:
- kmm.sigs.x-k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- modules
sideEffects: None
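Review bot: Both webhooks are fail-closed (`failurePolicy: Fail`) and neither sets `timeoutSeconds`, so the API server default applies; for the `vmodule.kb.io` entry, which has no `namespaceSelector`, that means every Module create/update in the cluster is rejected while the webhook Service has no ready endpoints, and for `namespace-deletion.kmm.sigs.k8s.io` deletes of any namespace labelled `kmm.node.k8s.io/contains-modules` are blocked in the same situation. That is the right default for a webhook guarding kernel-module lifecycle, but nothing in the template says it is intentional; a comment above `webhooks:` such as `{{/* fail-closed on purpose: a Module must not be admitted, and a module-bearing namespace must not be deleted, without validation */}}` would stop someone "fixing" an outage by flipping it to Ignore. The two webhook names use different domains (`kmm.sigs.k8s.io` vs `kb.io`); aligning them is cosmetic but helps when grepping audit logs.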


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kmm.fullname" . }}-webhook-service
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
spec:
type: {{ .Values.webhookService.type }}
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.webhookService.ports | toYaml | nindent 2 }}
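Review bot: `type:` is taken from `.Values.webhookService.type`, but the only client of this Service is the API server reaching the admission webhook in-cluster, so there is no use case for a user setting it to `NodePort` or `LoadBalancer`, which would expose the webhook's TLS endpoint outside the cluster; either pin `type: ClusterIP` here or add a `# --` comment on the `webhookService.type` value in values.yaml stating that ClusterIP is the intended and only supported value. The `app.kubernetes.io/created-by: kernel-module-management` label appears only on this Service and on no other resource in the commit; drop it or apply it consistently.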

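--- a/charts/kmm/values.yaml
+++ b/charts/kmm/values.yaml
@@ -0,0 +1,133 @@
+controller:
+  manager:
+    args:
+    - --config=controller_config.yaml
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+    env:
+      # -- KMM kaniko builder image for building driver image within cluster
+      relatedImageBuild: gcr.io/kaniko-project/executor:v1.23.2
+      # -- KMM signer image for signing driver image's kernel module with given key pairs within cluster
+      relatedImageSign: docker.io/rocm/kernel-module-management-signimage:v1.4.0
+      # -- KMM worker image for loading / unloading driver kernel module on worker nodes
+      relatedImageWorker: docker.io/rocm/kernel-module-management-worker:v1.4.0
+      # -- Image pull secret name for pulling KMM kaniko builder image if registry needs credential to pull image
+      relatedImageBuildPullSecret: ""
+      # -- Image pull secret name for pulling KMM signer image if registry needs credential to pull image
+      relatedImageSignPullSecret: ""
+      # -- Image pull secret name for pulling KMM worker image if registry needs credential to pull image
+      relatedImageWorkerPullSecret: ""
+    image:
+      # -- KMM controller manager image repository
+      repository: docker.io/rocm/kernel-module-management-operator
+      # -- KMM controller manager image tag
+      tag: v1.4.0
+    # -- Image pull policy for KMM controller manager pod
+    imagePullPolicy: Always
+    # -- Image pull secret name for pulling KMM controller manager image if registry needs credential to pull image
+    imagePullSecrets: ""
+    tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: "Equal"
+        value: ""
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Equal"
+        value: ""
+        effect: "NoSchedule"
+    resources:
+      limits:
+        cpu: 500m
+        memory: 384Mi
+      requests:
+        cpu: 10m
+        memory: 64Mi
+  # -- Node selector for the KMM controller manager deployment
+  nodeSelector: {}
+  # -- Affinity for the KMM controller manager deployment
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+  replicas: 1
+  serviceAccount:
+    annotations: {}
+controllerMetricsService:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  type: ClusterIP
+kubernetesClusterDomain: cluster.local
+managerConfig:
+  controllerConfigYaml: |-
+    healthProbeBindAddress: :8081
+    webhookPort: 9443
+    leaderElection:
+      enabled: true
+      resourceID: kmm.sigs.x-k8s.io
+    metrics:
+      enableAuthnAuthz: true
+      bindAddress: 0.0.0.0:8443
+      secureServing: true
+    worker:
+      runAsUser: 0
+      seLinuxType: spc_t
+      firmwareHostPath: /var/lib/firmware
+webhookServer:
+  replicas: 1
+  # -- KMM webhook's deployment node selector
+  nodeSelector: {}
+  # -- KMM webhook's deployment affinity configs
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+  webhookServer:
+    args:
+    - --config=controller_config.yaml
+    - --enable-module
+    - --enable-namespace
+    - --enable-preflightvalidation
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+    image:
+      # -- KMM webhook image repository
+      repository: docker.io/rocm/kernel-module-management-webhook-server
+      # -- KMM webhook image tag
+      tag: v1.4.0
+    # -- Image pull policy for KMM webhook pod
+    imagePullPolicy: Always
+    # -- Image pull secret name for pulling KMM webhook image if registry needs credential to pull image
+    imagePullSecrets: ""
+    tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: "Equal"
+        value: ""
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Equal"
+        value: ""
+        effect: "NoSchedule"
+    resources:
+      limits:
+        cpu: 500m
+        memory: 384Mi
+      requests:
+        cpu: 10m
+        memory: 64Mi
+webhookService:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  type: ClusterIP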
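Review bot: Both `containerSecurityContext` maps (under `controller.manager` and under `webhookServer.webhookServer`) stop at `allowPrivilegeEscalation: false`; the controller and the webhook server are ordinary API clients and do not load modules themselves, so, assuming the deployment templates copy these maps with `toYaml`, they can also drop all capabilities and pin the runtime default seccomp profile without affecting function, and `runAsNonRoot`/`readOnlyRootFilesystem` can follow once the images are confirmed to support them. The `worker:` block inside `controllerConfigYaml` sets `runAsUser: 0` and `seLinuxType: spc_t`, which is the one place root really is needed given the worker's job described on the `relatedImageWorker` line; that deserves a `# --` comment stating it, e.g. `# -- worker pods load/unload kernel modules on the host and therefore run as root with the spc_t SELinux type; this is not configurable hardening headroom`, so a reviewer does not mistake it for a leftover default. The same hardening applies to the webhook map; the excerpt below shows the controller one.
```yaml
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
      # runAsNonRoot / readOnlyRootFilesystem: enable once the images are verified to run that way
    # … unchanged: env, image, imagePullPolicy, imagePullSecrets, tolerations, resources …
```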