first commit

2025-12-16 17:56:13 +11:00
commit 2da0e4f030
70 changed files with 11317 additions and 0 deletions


@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kmm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kmm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kmm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kmm.labels" -}}
helm.sh/chart: {{ include "kmm.chart" . }}
{{ include "kmm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kmm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kmm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kmm.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kmm.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
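Review bot: The `kmm.serviceAccountName` helper at the end of this file reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but none of the templates visible in this commit include it. Both Deployments and every RBAC subject spell the account as `{{ include "kmm.fullname" . }}-controller`, and the ServiceAccount template reads `.Values.controller.serviceAccount.annotations` instead. If no other file in the chart calls the helper, setting `serviceAccount.name` has no effect, which can mislead an operator who expects the role bindings to follow that value. Either drop the helper or route the Deployments, the ServiceAccount and the binding subjects through one helper so the account name is defined in a single place.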


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kmm.fullname" . }}-controller-metrics-service
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.labels" . | nindent 4 }}
spec:
type: {{ .Values.controllerMetricsService.type }}
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.controllerMetricsService.ports | toYaml | nindent 2 }}


@@ -0,0 +1,203 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kmm.fullname" . }}-controller
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: controller
{{- include "kmm.selectorLabels" . | nindent 8 }}
annotations:
kubectl.kubernetes.io/default-container: manager
spec:
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector: {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
containers:
- args: {{- toYaml .Values.controller.manager.args | nindent 8 }}
env:
- name: RELATED_IMAGE_WORKER
value: {{ quote .Values.controller.manager.env.relatedImageWorker }}
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELATED_IMAGE_BUILD
value: {{ quote .Values.controller.manager.env.relatedImageBuild }}
- name: RELATED_IMAGE_SIGN
value: {{ quote .Values.controller.manager.env.relatedImageSign }}
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
{{- if .Values.controller.manager.env.relatedImageBuildPullSecret }}
- name: RELATED_IMAGE_BUILD_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageBuildPullSecret }}
{{- end}}
{{- if .Values.controller.manager.env.relatedImageSignPullSecret }}
- name: RELATED_IMAGE_SIGN_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageSignPullSecret }}
{{- end}}
{{- if .Values.controller.manager.env.relatedImageWorkerPullSecret }}
- name: RELATED_IMAGE_WORKER_PULL_SECRET
value: {{ .Values.controller.manager.env.relatedImageWorkerPullSecret }}
{{- end}}
{{- if .Values.global.proxy.env | default dict}}
{{- range $key, $value := .Values.global.proxy.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
image: {{ .Values.controller.manager.image.repository }}:{{ .Values.controller.manager.image.tag
| default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.controller.manager.imagePullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8443
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.controller.manager.resources | nindent 10 }}
securityContext: {{- toYaml .Values.controller.manager.containerSecurityContext
| nindent 10 }}
volumeMounts:
- mountPath: /controller_config.yaml
name: manager-config
subPath: controller_config.yaml
{{- if .Values.controller.manager.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.controller.manager.imagePullSecrets }}
{{- end}}
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "kmm.fullname" . }}-controller
terminationGracePeriodSeconds: 10
{{- with .Values.controller.manager.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- configMap:
name: {{ include "kmm.fullname" . }}-manager-config
name: manager-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kmm.fullname" . }}-webhook-server
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.webhookServer.replicas }}
selector:
matchLabels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 8 }}
annotations:
kubectl.kubernetes.io/default-container: webhook-server
spec:
{{- with .Values.webhookServer.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector: {{- toYaml .Values.webhookServer.nodeSelector | nindent 8 }}
containers:
- args: {{- toYaml .Values.webhookServer.webhookServer.args | nindent 8 }}
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
{{- if .Values.global.proxy.env | default dict}}
{{- range $key, $value := .Values.global.proxy.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
image: {{ .Values.webhookServer.webhookServer.image.repository }}:{{ .Values.webhookServer.webhookServer.image.tag
| default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.webhookServer.webhookServer.imagePullPolicy }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: webhook-server
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.webhookServer.webhookServer.resources | nindent 10
}}
securityContext: {{- toYaml .Values.webhookServer.webhookServer.containerSecurityContext
| nindent 10 }}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /controller_config.yaml
name: manager-config
subPath: controller_config.yaml
{{- if .Values.webhookServer.webhookServer.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.webhookServer.webhookServer.imagePullSecrets }}
{{- end}}
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "kmm.fullname" . }}-controller
terminationGracePeriodSeconds: 10
{{- with .Values.webhookServer.webhookServer.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: kmm-operator-webhook-server-cert
- configMap:
name: {{ include "kmm.fullname" . }}-manager-config
name: manager-config
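Review bot: The webhook-server Deployment sets `serviceAccountName: {{ include "kmm.fullname" . }}-controller`, the same account the controller manager runs under, so the pod that terminates admission requests also holds everything bound to that account. In this commit that is the manager ClusterRole (cluster-wide read of secrets, create/delete of pods and daemonsets), the proxy role and the leader-election role. A dedicated account such as `{{ include "kmm.fullname" . }}-webhook-server`, bound only to the reads the validators need, would keep a compromise of the webhook from inheriting those rights; which reads they need is not visible here and should be confirmed against the webhook code. Separately, the three `RELATED_IMAGE_*_PULL_SECRET` values are rendered without `quote`, unlike the other env values in the same list.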


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-event-recorder-clusterrole
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-event-recorder-clusterrolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-event-recorder-clusterrole'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'


@@ -0,0 +1,50 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kmm.fullname" . }}-leader-election-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-leader-election-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: '{{ include "kmm.fullname" . }}-leader-election-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'


@@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kmm.fullname" . }}-manager-config
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
data:
controller_config.yaml: {{ .Values.managerConfig.controllerConfigYaml | toYaml
| indent 1 }}


@@ -0,0 +1,135 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-manager-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- clusterclaims
verbs:
- create
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resourceNames:
- kernel-versions.kmm.node.kubernetes.io
resources:
- clusterclaims
verbs:
- delete
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- secrets
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- nodes
verbs:
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules/status
- preflightvalidations/status
verbs:
- get
- patch
- update
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs/status
verbs:
- patch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- preflightvalidations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-manager-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-manager-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'
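Review bot: The core-group rule that grants `get`, `list` and `watch` on `configmaps`, `secrets` and `serviceaccounts` sits in a ClusterRole bound through a ClusterRoleBinding, so the `-controller` service account can read every Secret in every namespace. Together with `create` on `pods` and `daemonsets` in the same role, that account is close to cluster-admin in practice, and the manifest does not say why that breadth is needed. I would add a comment above the rule, for example `# secrets are read cluster-wide because Modules may reference pull/sign secrets in any namespace`, once that reason is confirmed against the controller. Splitting `secrets` into its own rule would also make the grant easy to find in audits and to narrow later.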


@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-metrics-reader
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- nonResourceURLs:
- /metrics
verbs:
- get


@@ -0,0 +1,243 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: preflightvalidations.kmm.sigs.x-k8s.io
annotations:
cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "kmm.fullname"
. }}-serving-cert'
controller-gen.kubebuilder.io/version: v0.16.1
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /convert
conversionReviewVersions:
- v1beta2
- v1beta1
group: kmm.sigs.x-k8s.io
names:
kind: PreflightValidation
listKind: PreflightValidationList
plural: preflightvalidations
shortNames:
- pfv
singular: preflightvalidation
scope: Cluster
versions:
- deprecated: true
name: v1beta1
schema:
openAPIV3Schema:
description: PreflightValidation initiates a preflight validations for all Modules
on the current Kubernetes cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
PreflightValidationSpec describes the desired state of the resource, such as the kernel version
that Module CRs need to be verified against as well as the debug configuration of the logs
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
kernelVersion:
description: KernelVersion describes the kernel image that all Modules
need to be checked against.
type: string
pushBuiltImage:
description: |-
Boolean flag that determines whether images build during preflight must also
be pushed to a defined repository
type: boolean
required:
- kernelVersion
type: object
status:
description: |-
PreflightValidationStatus is the most recently observed status of the PreflightValidation.
It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
crStatuses:
additionalProperties:
properties:
lastTransitionTime:
description: |-
LastTransitionTime is the last time the CR status transitioned from one status to another.
This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
statusReason:
description: StatusReason contains a string describing the status
source.
type: string
verificationStage:
description: |-
Current stage of the verification process:
image (image existence verification), build(build process verification)
enum:
- Image
- Build
- Sign
- Requeued
- Done
type: string
verificationStatus:
description: |-
Status of Module CR verification: true (verified), false (verification failed),
error (error during verification process), unknown (verification has not started yet)
enum:
- "True"
- "False"
type: string
required:
- lastTransitionTime
- verificationStage
- verificationStatus
type: object
description: CRStatuses contain observations about each Module's preflight
upgradability validation
type: object
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta2
schema:
openAPIV3Schema:
description: PreflightValidation initiates a preflight validations for all Modules
on the current Kubernetes cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
PreflightValidationSpec describes the desired state of the resource, such as the kernel version
that Module CRs need to be verified against as well as the debug configuration of the logs
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
kernelVersion:
description: KernelVersion describes the kernel image that all Modules
need to be checked against.
type: string
pushBuiltImage:
description: |-
Boolean flag that determines whether images build during preflight must also
be pushed to a defined repository
type: boolean
required:
- kernelVersion
type: object
status:
description: |-
PreflightValidationStatus is the most recently observed status of the PreflightValidation.
It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
properties:
modules:
description: Modules contain observations about each Module's preflight
upgradability validation
items:
properties:
lastTransitionTime:
description: |-
LastTransitionTime is the last time the CR status transitioned from one status to another.
This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
name:
description: Name is the name of the Module resource.
type: string
namespace:
description: Namespace is the namespace of the Module resource.
type: string
statusReason:
description: StatusReason contains a string describing the status
source.
type: string
verificationStage:
description: |-
Current stage of the verification process:
image (image existence verification), build(build process verification)
enum:
- Image
- Build
- Sign
- Requeued
- Done
type: string
verificationStatus:
description: |-
Status of Module CR verification: true (verified), false (verification failed),
error (error during verification process), unknown (verification has not started yet)
enum:
- "True"
- "False"
type: string
required:
- lastTransitionTime
- name
- namespace
- verificationStage
- verificationStatus
type: object
type: array
x-kubernetes-list-map-keys:
- namespace
- name
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@@ -0,0 +1,38 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kmm.fullname" . }}-proxy-role
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kmm.fullname" . }}-proxy-rolebinding
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "kmm.fullname" . }}-proxy-role'
subjects:
- kind: ServiceAccount
name: '{{ include "kmm.fullname" . }}-controller'
namespace: '{{ .Release.Namespace }}'


@@ -0,0 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "kmm.fullname" . }}-selfsigned-issuer
labels:
{{- include "kmm.labels" . | nindent 4 }}
spec:
selfSigned: {}


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kmm.fullname" . }}-controller
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }}


@@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "kmm.fullname" . }}-serving-cert
labels:
{{- include "kmm.labels" . | nindent 4 }}
spec:
dnsNames:
- '{{ include "kmm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc'
- '{{ include "kmm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{
.Values.kubernetesClusterDomain }}'
issuerRef:
kind: Issuer
name: '{{ include "kmm.fullname" . }}-selfsigned-issuer'
secretName: kmm-operator-webhook-server-cert
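Review bot: `secretName: kmm-operator-webhook-server-cert` is a fixed literal, while every other object name in this chart is derived from `kmm.fullname`; the `cert` volume of the webhook-server Deployment references the same literal. Two releases installed into one namespace would have their Certificates write to the same Secret with different `dnsNames`, so one webhook would end up serving a certificate that does not match its Service. Suggest `secretName: '{{ include "kmm.fullname" . }}-webhook-server-cert'` here, with the same expression in the Deployment volume.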


@@ -0,0 +1,51 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "kmm.fullname" . }}-validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kmm.fullname" . }}-serving-cert
labels:
{{- include "kmm.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /validate--v1-namespace
failurePolicy: Fail
name: namespace-deletion.kmm.sigs.k8s.io
namespaceSelector:
matchLabels:
kmm.node.k8s.io/contains-modules: ""
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- DELETE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "kmm.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /validate-kmm-sigs-x-k8s-io-v1beta1-module
failurePolicy: Fail
name: vmodule.kb.io
rules:
- apiGroups:
- kmm.sigs.x-k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- modules
sideEffects: None
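Review bot: Both webhooks set `failurePolicy: Fail` and no `timeoutSeconds`, so while the webhook-server pod is unavailable the API server rejects every Module create/update and every delete of a namespace labelled `kmm.node.k8s.io/contains-modules`. Fail-closed is a sound choice for a validator, but the manifest should state the availability dependency it creates. I would add a comment above each `failurePolicy`, such as `# fail-closed: admission depends on the webhook-server Deployment being available`, and set an explicit `timeoutSeconds` so the worst-case added latency is chosen rather than defaulted. The replica count comes from `.Values.webhookServer.replicas`, whose default is not visible in this part of the commit; with a single replica, a node drain blocks these operations.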


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kmm.fullname" . }}-webhook-service
labels:
app.kubernetes.io/component: kmm
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kmm
{{- include "kmm.labels" . | nindent 4 }}
spec:
type: {{ .Values.webhookService.type }}
selector:
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
control-plane: webhook-server
{{- include "kmm.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.webhookService.ports | toYaml | nindent 2 }}