Sync Upstream V0.5.0

.gitignore

@@ -22,3 +22,5 @@ bundle
 *.swp
 *.swo
 *~
+.vscode/*
+bundle.Dockerfile

Makefile

@@ -38,14 +38,14 @@ IMAGE_REPO ?= $(IMAGE_REGISTRY)/$(IMAGE_NAME)
 IMAGE_TAG ?= $(IMAGE_REPO):$(IMAGE_TAG_NAME)
 IMAGE_EXTRA_TAGS := $(foreach tag,$(IMAGE_EXTRA_TAG_NAMES),$(IMAGE_REPO):$(tag))
 
-IMAGE_TAG_RBAC_PROXY ?= gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+IMAGE_TAG_RBAC_PROXY ?= gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_REGISTRY)/nfd-operator-bundle:$(VERSION)
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+CRD_OPTIONS ?= "crd"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -55,12 +55,15 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 GOOS=linux
+GO_CMD ?= go
+GO_FMT ?= gofmt
 GO=GOOS=$(GOOS) GO111MODULE=on CGO_ENABLED=0 GOFLAGS=-mod=vendor go
 LDFLAGS= -ldflags "-s -w -X $(PACKAGE)/version.Version=$(VERSION)"
 
 PACKAGE=github.com/openshift/cluster-nfd-operator
 MAIN_PACKAGE=main.go
 BIN=node-feature-discovery-operator
+LDFLAGS = -ldflags "-s -w -X sigs.k8s.io/node-feature-discovery-operator/pkg/version.version=$(VERSION)"
 
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
@@ -80,8 +83,8 @@ go_mod:
 	@go mod download
 
 # Build binary
-build:
-	@$(GO) build -o $(BIN) $(LDFLAGS) $(MAIN_PACKAGE)
+build: go_mod
+	@GOOS=$(GOOS) GO111MODULE=on CGO_ENABLED=0 $(GO_CMD) build -o $(BIN) $(LDFLAGS) $(MAIN_PACKAGE)
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
@@ -95,13 +98,16 @@ install: manifests kustomize
 uninstall: manifests kustomize
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+clean-manifests = (cd config/manager && $(KUSTOMIZE) edit set image controller=k8s.gcr.io/nfd/node-feature-discovery-operator:0.4.2)
+
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: kustomize
 	cd $(PROJECT_DIR)/config/manager && \
 		$(KUSTOMIZE) edit set image controller=${IMAGE_TAG}
 	cd $(PROJECT_DIR)/config/default && \
 		$(KUSTOMIZE) edit set image kube-rbac-proxy=${IMAGE_TAG_RBAC_PROXY}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	@$(call clean-manifests)
 
 # UnDeploy controller from the configured Kubernetes cluster in ~/.kube/config
 undeploy:
@@ -170,12 +176,12 @@ site-serve:
 # Download controller-gen locally if necessary
 CONTROLLER_GEN = $(PROJECT_DIR)/bin/controller-gen
 controller-gen:
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.1)
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0)
 
 # Download kustomize locally if necessary
 KUSTOMIZE = $(PROJECT_DIR)/bin/kustomize
 kustomize:
-	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7)
+	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.10.0)
 
 # go-get-tool will 'go get' any package $2 and install it to $1.
 define go-get-tool

api/v1/nodefeaturediscovery_types.go

@@ -16,9 +16,6 @@ limitations under the License.
 package v1
 
 import (
-	"os"
-
-	conditionsv1 "github.com/openshift/custom-resource-status/conditions/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -34,16 +31,11 @@ type NodeFeatureDiscoverySpec struct {
 	// resources on a worker node to account for resources available to be
 	// allocated to new pod on a per-zone basis
 	// https://kubernetes-sigs.github.io/node-feature-discovery/v0.10/get-started/introduction.html#nfd-topology-updater
-	//
 	// +optional
-	TopologyUpdater bool `json:"topologyupdater"`
+	TopologyUpdater bool `json:"topologyUpdater"`
 
-	WorkerConfig *ConfigMap `json:"workerConfig,omitempty"`
-
-	// Run NFD in multiple deployment mode
-	// https://kubernetes-sigs.github.io/node-feature-discovery/v0.8/advanced/master-commandline-reference.html#-instance
-	//
-	// +nullable
+	// Instance name. Used to separate annotation namespaces for
+	// multiple parallel deployments.
 	// +optional
 	Instance string `json:"instance"`
 
@@ -69,24 +61,20 @@ type NodeFeatureDiscoverySpec struct {
 	// WorkerConfig describes configuration options for the NFD
 	// worker.
 	// +optional
-	CustomConfig ConfigMap `json:"customConfig"`
+	WorkerConfig ConfigMap `json:"workerConfig"`
 }
 
 // OperandSpec describes configuration options for the operand
 type OperandSpec struct {
 	// Image defines the image to pull for the
 	// NFD operand
-	//
+	// [defaults to k8s.gcr.io/nfd/node-feature-discovery]
 	// +kubebuilder:validation:Pattern=[a-zA-Z0-9\-]+
-	// +nullable
-	// +optional
 	Image string `json:"image,omitempty"`
 
 	// ImagePullPolicy defines Image pull policy for the
 	// NFD operand image [defaults to Always]
-	//
-	// +nullable
-	// +optional
+	// +kubebuilder:validation:Optional
 	ImagePullPolicy string `json:"imagePullPolicy,omitempty"`
 
 	// ServicePort specifies the TCP port that nfd-master
@@ -107,27 +95,25 @@ type NodeFeatureDiscoveryStatus struct {
 	// Conditions represents the latest available observations of current state.
 	//
 	// +optional
-	Conditions []conditionsv1.Condition `json:"conditions,omitempty"`
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=nodefeaturediscoveries,scope=Namespaced
 //
-// An Node Feature Discovery cluster instance
-// +operator-sdk:csv:customresourcedefinitions:displayName="NodeFeatureDiscovery"
+// NodeFeatureDiscovery is the Schema for the nodefeaturediscoveries API
 type NodeFeatureDiscovery struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// Specification of the desired behavior of the Node Feature Discovery
 	Spec   NodeFeatureDiscoverySpec   `json:"spec,omitempty"`
 	Status NodeFeatureDiscoveryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
+//
 // NodeFeatureDiscoveryList contains a list of NodeFeatureDiscovery
 type NodeFeatureDiscoveryList struct {
 	metav1.TypeMeta `json:",inline"`
@@ -141,12 +127,7 @@ func init() {
 
 // ImagePath returns a compiled full valid image string
 func (o *OperandSpec) ImagePath() string {
-	if o.Image != "" {
-		return o.Image
-	}
-
-	image := os.Getenv("NODE_FEATURE_DISCOVERY_IMAGE")
-	return image
+	return o.Image
 }
 
 // ImagePolicy returns a valid corev1.PullPolicy from the string in the CR

build/assets/master/0400_master_deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nfd-master
+  name: nfd-master
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nfd-master
+  template:
+    metadata:
+      labels:
+        app: nfd-master
+    spec:
+      serviceAccount: nfd-master
+      serviceAccountName: nfd-master
+      dnsPolicy: ClusterFirstWithHostNet
+      restartPolicy: Always
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Equal
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - preference:
+              matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: In
+                values:
+                - ""
+            weight: 1
+          - preference:
+              matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: In
+                values:
+                - ""
+            weight: 1  
+      containers:
+        - name: nfd-master
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName      
+          image: $(NODE_FEATURE_DISCOVERY_IMAGE)
+          imagePullPolicy: Always
+          command:
+            - "nfd-master"
+            - "--extra-label-ns=nvidia.com"
+          args: []
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true

build/assets/master/0500_service.yaml

@@ -3,11 +3,9 @@ kind: Service
 metadata:
   name: nfd-master
 spec:
-  type: ClusterIP
   selector:
     app: nfd-master
   ports:
   - protocol: TCP
     port: 12000
-    targetPort: 12000
-    name: nfd
+  type: ClusterIP

build/assets/topologyupdater/03_clusterrolebinding.yaml

@@ -9,4 +9,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: nfd-topology-updater
-  namespace: node-feature-discovery
+  namespace: openshift-nfd
+

build/assets/topologyupdater/05_Daemonset.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    app: nfd-topology-updater
+    app: nfd
   name: nfd-topology-updater
 spec:
   selector:

build/assets/worker/05_worker_ds.yaml

@@ -68,6 +68,9 @@ spec:
               readOnly: true
           securityContext:
             readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               drop: ["ALL"]

build/assets/worker/0610_scc.yaml

@@ -31,6 +31,8 @@ seLinuxContext:
   type: MustRunAs
 supplementalGroups:
   type: MustRunAs
+seccompProfiles:
+- '*'
 users:
 - system:serviceaccount:openshift-nfd:nfd-worker
 volumes: