
Commit 332fbdc

authored
Merge pull request #300 from askervin/55B_fpga_kustomization
fpga plugin kustomization, stage 2
2 parents ca5d144 + 5fe8174 commit 332fbdc

23 files changed

+472
-1
lines changed

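--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,8 @@ cmd/fpga_tool/fpga_tool
 cmd/gpu_plugin/gpu_plugin
 cmd/qat_plugin/qat_plugin
 
+deployments/fpga_admissionwebhook/base/intel-fpga-webhook-certs-secret
+
 *.h
 *.gbs
 *.gbs.*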

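--- a/build/docker/intel-fpga-plugin.Dockerfile
+++ b/build/docker/intel-fpga-plugin.Dockerfile
@@ -36,4 +36,4 @@ RUN chmod a+x /go/bin/fpga_plugin \
 
 FROM scratch as final
 COPY --from=builder /install_root /
-CMD ["/usr/local/bin/intel_fpga_device_plugin"]
+ENTRYPOINT ["/usr/local/bin/intel_fpga_device_plugin"]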
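Review bot: The switch to `ENTRYPOINT` on the last line is undocumented, and it changes how overrides behave: a pod `args:` list or extra words after the image name in `docker run` are now appended to the plugin binary instead of replacing it. A one-line comment above it, such as `# ENTRYPOINT rather than CMD so that Kubernetes args are passed to the plugin as flags`, would record the intent. Any existing manifest that passes the full binary path in `args:` would have to move it to `command:`; none is visible in this section, so the plugin manifests elsewhere in the commit are worth checking for that.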

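--- a/cmd/fpga_plugin/README.md
+++ b/cmd/fpga_plugin/README.md
@@ -189,6 +189,31 @@ If you intend to deploy your own image, you will need to reference the
 If you do not want to deploy the `devel` tagged image, you will need to edit the
 YAML deployment files to reference your required image.
 
+### For beta testing: new deployment model
+
+The FPGA plugin deployment is currently being rewritten to enable
+straight-forward deployment of both `af/preprogrammed` and
+`region/orchestrated` modes. The deployment has two steps:
+
+1. Run `scripts/fpga-plugin-prepare-for-kustomization.sh`. This will
+create the necessary secrets: a key and a signed certificate for
+the FPGA admission controller.
+
+2. Depending on the FPGA mode, run either
+```bash
+$ kubectl create -k deployments/fpga_plugin/overlays/af
+```
+or
+```bash
+$ kubectl create -k deployments/fpga_plugin/overlays/region
+```
+This will create the service account and deploy
+both the FPGA plugin and the admission controller in the chosen mode.
+
+This deployment model is under development. The remaining part of this
+document goes through the current deployment model: here for the
+FPGA plugin and in the next document for the FPGA admission controller.
+
 ### Create a service account
 
 To deploy the plugin in a production cluster, create a service account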
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
apiVersion: apiextensions.k8s.io/v1beta1
2+
kind: CustomResourceDefinition
3+
metadata:
4+
name: acceleratorfunctions.fpga.intel.com
5+
spec:
6+
group: fpga.intel.com
7+
version: v1
8+
scope: Namespaced
9+
names:
10+
plural: acceleratorfunctions
11+
singular: acceleratorfunction
12+
kind: AcceleratorFunction
13+
shortNames:
14+
- af
15+
validation:
16+
openAPIV3Schema:
17+
properties:
18+
spec:
19+
properties:
20+
afuId:
21+
type: string
22+
pattern: '^[0-9a-f]{8,128}$'
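Review bot: The schema under `validation.openAPIV3Schema` constrains the format of `afuId` but never requires it, so an AcceleratorFunction with an empty `spec`, or with no `spec` at all, passes validation. Adding `required: ["afuId"]` beside the inner `properties:` and `required: ["spec"]` beside the outer one closes that gap, so whatever consumes these objects (presumably the admission webhook) never sees a mapping without an ID. The `pattern` accepts lowercase hex only, which is worth stating in the user documentation for anyone pasting IDs from tools that print uppercase.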
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
# DCP 1.0
2+
apiVersion: fpga.intel.com/v1
3+
kind: AcceleratorFunction
4+
metadata:
5+
name: arria10.dcp1.0-compress
6+
spec:
7+
afuId: 946c21d1e49704a5e5daa0805bc6b0785e1765bf
8+
---
9+
apiVersion: fpga.intel.com/v1
10+
kind: AcceleratorFunction
11+
metadata:
12+
name: arria10.dcp1.0-nlb0
13+
spec:
14+
afuId: d8424dc4a4a3c413f89e433683f9040b
15+
---
16+
apiVersion: fpga.intel.com/v1
17+
kind: AcceleratorFunction
18+
metadata:
19+
name: arria10.dcp1.0-nlb3
20+
spec:
21+
afuId: f7df405cbd7acf7222f144b0b93acd18
22+
---
23+
# DCP 1.1
24+
apiVersion: fpga.intel.com/v1
25+
kind: AcceleratorFunction
26+
metadata:
27+
name: arria10.dcp1.1-nlb0
28+
spec:
29+
afuId: d8424dc4a4a3c413f89e433683f9040b
30+
---
31+
apiVersion: fpga.intel.com/v1
32+
kind: AcceleratorFunction
33+
metadata:
34+
name: arria10.dcp1.1-nlb3
35+
spec:
36+
afuId: f7df405cbd7acf7222f144b0b93acd18
37+
---
38+
# DCP 1.2
39+
apiVersion: fpga.intel.com/v1
40+
kind: AcceleratorFunction
41+
metadata:
42+
name: arria10.dcp1.2-nlb0
43+
spec:
44+
afuId: d8424dc4a4a3c413f89e433683f9040b
45+
---
46+
apiVersion: fpga.intel.com/v1
47+
kind: AcceleratorFunction
48+
metadata:
49+
name: arria10.dcp1.2-nlb3
50+
spec:
51+
afuId: f7df405cbd7acf7222f144b0b93acd18
52+
---
53+
# D5005
54+
apiVersion: fpga.intel.com/v1
55+
kind: AcceleratorFunction
56+
metadata:
57+
name: d5005-nlb0
58+
spec:
59+
afuId: d8424dc4a4a3c413f89e433683f9040b
60+
---
61+
apiVersion: fpga.intel.com/v1
62+
kind: AcceleratorFunction
63+
metadata:
64+
name: d5005-nlb3
65+
spec:
66+
afuId: f7df405cbd7acf7222f144b0b93acd18
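Review bot: The `afuId` values are written as plain scalars, which works for these nine entries only because each contains a hex letter that stops it from resolving as a number. An ID made up entirely of digits would be read as an integer (and, in some parsers, digits around a single `e` as a float) and then rejected by the CRD's `type: string` check. Quoting every value, e.g. `afuId: 'd8424dc4a4a3c413f89e433683f9040b'`, removes that trap for future additions.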
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
apiVersion: admissionregistration.k8s.io/v1beta1
2+
kind: MutatingWebhookConfiguration
3+
metadata:
4+
name: fpga-mutator-webhook-cfg
5+
labels:
6+
app: intel-fpga-webhook
7+
webhooks:
8+
- name: fpga.mutator.webhooks.intel.com
9+
rules:
10+
- apiGroups:
11+
- ""
12+
apiVersions:
13+
- v1
14+
operations:
15+
- CREATE
16+
resources:
17+
- pods
18+
clientConfig:
19+
service:
20+
path: "/pods"
21+
namespace: default
22+
name: intel-fpga-webhook-svc
23+
caBundle: $(CA_BUNDLE)
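Review bot: This webhook intercepts every pod CREATE in the cluster, yet `failurePolicy`, `timeoutSeconds` and `namespaceSelector` are all left at their defaults. Under `admissionregistration.k8s.io/v1beta1` the default policy is `Ignore`, so while the webhook is unreachable pods are admitted unmutated once the call times out; writing `failurePolicy: Ignore` (or `Fail`, if unmutated FPGA pods must not start) together with a short `timeoutSeconds: 5` turns that into an explicit decision. A `namespaceSelector` that excludes system namespaces would keep control-plane pod creation independent of this service. The service reference is also fixed to `namespace: default`, which has to stay in step with the namespace the Service is actually deployed to.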
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: fpga-reader
5+
rules:
6+
- apiGroups: ["fpga.intel.com"]
7+
resources: ["acceleratorfunctions", "fpgaregions"]
8+
verbs: ["get", "list", "watch"]
9+
---
10+
apiVersion: rbac.authorization.k8s.io/v1
11+
kind: ClusterRoleBinding
12+
metadata:
13+
name: default-fpga-reader
14+
roleRef:
15+
apiGroup: rbac.authorization.k8s.io
16+
kind: ClusterRole
17+
name: fpga-reader
18+
subjects:
19+
- kind: ServiceAccount
20+
name: default
21+
namespace: default
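Review bot: The ClusterRoleBinding grants `fpga-reader` to the `default` ServiceAccount of the `default` namespace, so every pod in that namespace that does not name its own service account receives cluster-wide read access to `acceleratorfunctions` and `fpgaregions`. The access is read-only, but least privilege argues for a dedicated identity: add a ServiceAccount for the webhook, point the binding's subject at it with `name: <webhook-service-account>`, and set `serviceAccountName: <webhook-service-account>` in the webhook Deployment. The Deployment in this commit sets no service account, so it currently runs as `default` and relies on this broad binding.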
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
apiVersion: apps/v1
2+
kind: Deployment
3+
metadata:
4+
name: intel-fpga-webhook-deployment
5+
labels:
6+
app: intel-fpga-webhook
7+
spec:
8+
replicas: 1
9+
selector:
10+
matchLabels:
11+
app: intel-fpga-webhook
12+
template:
13+
metadata:
14+
labels:
15+
app: intel-fpga-webhook
16+
spec:
17+
containers:
18+
- name: fpga-mutator
19+
image: intel/intel-fpga-admissionwebhook:devel
20+
imagePullPolicy: IfNotPresent
21+
ports:
22+
- containerPort: 8443
23+
name: webhook-api
24+
securityContext:
25+
runAsNonRoot: true
26+
runAsUser: 3210
27+
runAsGroup: 3210
28+
readOnlyRootFilesystem: true
29+
args:
30+
- -tls-cert-file=/etc/webhook/certs/cert.pem
31+
- -tls-private-key-file=/etc/webhook/certs/key.pem
32+
- -mode=preprogrammed
33+
- -debug
34+
volumeMounts:
35+
- name: webhook-certs
36+
mountPath: /etc/webhook/certs
37+
readOnly: true
38+
volumes:
39+
- name: webhook-certs
40+
secret:
41+
secretName: intel-fpga-webhook-certs
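Review bot: The container `securityContext` sets `runAsNonRoot` and `readOnlyRootFilesystem` but leaves privilege escalation and capabilities at their defaults; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` would complete the hardening for a process that appears only to serve TLS on port 8443. The base manifest also passes `-debug` and pulls the mutable `:devel` tag with `imagePullPolicy: IfNotPresent`, so nodes can end up running different builds with verbose logging; both look better placed in a development overlay, with the base pinned to a release tag or digest. No resource requests or limits are set, although the webhook sits on the pod-creation path.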
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
apiVersion: v1
2+
kind: Service
3+
metadata:
4+
name: intel-fpga-webhook-svc
5+
labels:
6+
app: intel-fpga-webhook
7+
spec:
8+
ports:
9+
- port: 443
10+
targetPort: 8443
11+
selector:
12+
app: intel-fpga-webhook
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
resources:
2+
- fpga-reader-clusterrole.yaml
3+
- intel-fpga-webhook-deployment.yaml
4+
- intel-fpga-webhook-svc.yaml
5+
- fpga-mutator-webhook-cfg.yaml
6+
- acceleratorfunction-crd.yaml
7+
- acceleratorfunctions.yaml
8+
9+
configurations:
10+
- kustomize-varreference.yaml
11+
12+
generatorOptions:
13+
disableNameSuffixHash: true
14+
15+
secretGenerator:
16+
- name: intel-fpga-webhook-certs
17+
files:
18+
- key.pem=intel-fpga-webhook-certs-secret/key.pem
19+
- cert.pem=intel-fpga-webhook-certs-secret/cert.pem
20+
- client-ca-file=intel-fpga-webhook-certs-secret/client-ca-file
21+
22+
vars:
23+
- name: CA_BUNDLE
24+
objref:
25+
kind: Secret
26+
version: v1
27+
name: intel-fpga-webhook-certs
28+
fieldref:
29+
fieldpath: data[client-ca-file]
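Review bot: `disableNameSuffixHash: true` under `generatorOptions` is unexplained, and it means a regenerated key or certificate keeps the same Secret name, so applying it does not roll the webhook Deployment. If the stable name is deliberate, a comment such as `# stable Secret name; restart the webhook after rotating certificates` would say so. The `CA_BUNDLE` variable reads `data[client-ca-file]`, so that file has to hold the CA that signed `cert.pem` for the API server to trust the webhook; a comment on the `vars` entry would make the key name less surprising. `key.pem` is read from the working tree, which the `.gitignore` entry in this commit keeps out of version control.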
