github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.1-0.20240408194816-2d2e5a45d453/deployment/sriov-network-operator/README.md

# SR-IOV Network Operator Helm Chart

SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
the lifecycle of SR-IOV network operator.

## SR-IOV Network Operator

SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.

SR-IOV Network Operator features:
- Initialize the supported SR-IOV NIC types on selected nodes.
- Provision/upgrade SR-IOV device plugin executable on selected nodes.
- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
- Manage configuration of SR-IOV device plugin on host.
- Generate net-att-def CRs for SR-IOV CNI plugin.
- Supports operation in a virtualized Kubernetes deployment
  - Discovers VFs attached to the Virtual Machine (VM)
  - Does not require the associated PFs to be attached
  - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy

## QuickStart

### Prerequisites

- Kubernetes v1.17+
- Helm v3

### Install Helm

Helm provides an install script to copy the helm binary to your system:
```
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
$ chmod 500 get_helm.sh
$ ./get_helm.sh
```

For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/).

### Deploy SR-IOV Network Operator

```
# Install Operator
$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./

# View deployed resources
$ kubectl -n sriov-network-operator get pods
```

If [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security level of 'privileged':
```
$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged
```

## Chart parameters

In order to tailor the deployment of the network operator to your cluster needs,
we have introduced the following Chart parameters.

| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the SR-IOV Network Operator images |

### Operator parameters

| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| `operator.tolerations` | list | `[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]` | Operator's tolerations |
| `operator.nodeSelector` | object | `{}` | Operator's node selector |
| `operator.affinity` | object | `{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/master","operator":"In","values":[""]}]}},{"weight":1,"preference":{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"In","values":[""]}]}}]}}` | Operator's affinity configuration |
| `operator.nameOverride` | string | `""` | Operator's resource name override |
| `operator.fullnameOverride` | string | `""` | Operator's resource full name override |
| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
| `operator.clustertype` | string | `kubernetes` | Cluster environment type |

#### Admission Controllers parameters

The admission controllers can be enabled by switching on a single parameter `operator.admissionControllers.enabled`. By
default, the user needs to pre-create Kubernetes Secrets that match the names provided in
`operator.admissionControllers.certificates.secretNames`. The secrets should have 3 fields populated with the relevant
content:
* `ca.crt` (value needs to be base64 encoded twice)
* `tls.crt`
* `tls.key`

Aside from the aforementioned mode, the chart supports 3 more modes for certificate consumption by the admission
controllers, which can be found in the table below. In a nutshell, the modes that are supported are:
* Consume pre-created Certificates managed by cert-manager
* Generate self-signed Certificates managed by cert-manager
* Specify the content of the certificates as Helm values

| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| `operator.admissionControllers.enabled` | bool | `false` | Flag that switches on the admission controllers |
| `operator.admissionControllers.certificates.secretNames.operator` | string | `operator-webhook-cert` | Secret that stores the certificate for the Operator's admission controller |
| `operator.admissionControllers.certificates.secretNames.injector` | string | `network-resources-injector-cert` | Secret that stores the certificate for the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.certManager.enabled` | bool | `false` | Flag that switches on consumption of certificates managed by cert-manager |
| `operator.admissionControllers.certificates.certManager.generateSelfSigned` | bool | `false` | Flag that switches on generation of self-signed certificates managed by cert-manager. The secrets in which the certificates are stored will have the names provided in `operator.admissionControllers.certificates.secretNames` |
| `operator.admissionControllers.certificates.custom.enabled` | bool | `false` | Flag that switches on consumption of user-provided certificates that are part of `operator.admissionControllers.certificates.custom.operator` and `operator.admissionControllers.certificates.custom.injector` objects |
| `operator.admissionControllers.certificates.custom.operator.caCrt` | string | `""` | The CA certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.operator.tlsCrt` | string | `""` | The public part of the certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.operator.tlsKey` | string | `""` | The private part of the certificate to be used by the Operator's admission controller |
| `operator.admissionControllers.certificates.custom.injector.caCrt` | string | `""` | The CA certificate to be used by the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.custom.injector.tlsCrt` | string | `""` | The public part of the certificate to be used by the Network Resources Injector's admission controller |
| `operator.admissionControllers.certificates.custom.injector.tlsKey` | string | `""` | The private part of the certificate to be used by the Network Resources Injector's admission controller |

### SR-IOV Operator Configuration Parameters

This section contains general parameters that apply to both the operator and daemon components of SR-IOV Network Operator.

| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| `sriovOperatorConfig.deploy` | bool | `false` | Deploy the SriovOperatorConfig custom resource |
| `sriovOperatorConfig.configDaemonNodeSelector` | map[string]string | `{}` | Node selectors for sriov-network-config-daemon |
| `sriovOperatorConfig.logLevel` | int | `2` | Log level for both operator and sriov-network-config-daemon |
| `sriovOperatorConfig.disableDrain` | bool | `false` | Disable node draining when configuring SR-IOV; set to true in case of a single node cluster or any other justifiable reason |
| `sriovOperatorConfig.configurationMode` | string | `daemon` | sriov-network-config-daemon configuration mode, either `daemon` or `systemd` |

### Images parameters

| Name | Description |
| ---- | ----------- |
| `images.operator` | Operator controller image |
| `images.sriovConfigDaemon` | Daemon node agent image |
| `images.sriovCni` | SR-IOV CNI image |
| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
| `images.ovsCni` | OVS CNI image |
| `images.sriovDevicePlugin` | SR-IOV device plugin image |
| `images.resourcesInjector` | Resources Injector image |
| `images.webhook` | Operator Webhook image |
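
For the default pre-created Secret mode described under "Admission Controllers parameters", the following is an added example (not part of the chart or of this README): a shell function that renders the Secret manifest from PEM files and applies the double encoding to `ca.crt`. It assumes "encoded twice" means the value under `data` is the base64 of the base64 of the PEM; the function name and file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not chart code. Renders a Secret manifest for one admission
# controller from PEM files. Assumption: "encoded twice" means the value under
# data["ca.crt"] is base64(base64(PEM)); tls.crt and tls.key are encoded once.

b64() { base64 | tr -d '\n'; }   # single-line output on GNU and BSD base64

# Usage: render_webhook_secret NAME NAMESPACE CA_PEM CERT_PEM KEY_PEM
render_webhook_secret() {
    name=$1; ns=$2; ca=$3; crt=$4; key=$5

    for f in "$ca" "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty file: $f" >&2; return 1; }
    done
    # Catch swapped arguments before they end up in the cluster.
    grep -q 'BEGIN CERTIFICATE' "$ca"  || { echo "$ca: not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "$crt: not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"       || { echo "$key: not a PEM private key" >&2; return 1; }
    # Refuse a private key that group or others can read on this host.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$key: readable by group/other, tighten to 0600 first" >&2
        return 1
    fi

    ca_twice=$(b64 < "$ca" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
data:
  ca.crt: $ca_twice
  tls.crt: $(b64 < "$crt")
  tls.key: $(b64 < "$key")
EOF
}

# Example call (paths are placeholders):
#   render_webhook_secret operator-webhook-cert sriov-network-operator \
#       ca.pem tls.pem tls.key | kubectl apply -f -
```

Render one Secret per name in `operator.admissionControllers.certificates.secretNames` before installing the chart with `operator.admissionControllers.enabled` switched on.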