initcontainer enables vfs and configures vfs
- only first pf is used to configure a vf
- only one vf is configured from the pf
add dlb-initcontainer kustomize overlay
update CRD to have initImage
implment operator to run initcontainer
update e2e test to run initcontainer overlay
update envtest to test initimage
Signed-off-by: Hyeongju Johannes Lee <hyeongju.lee@intel.com>
Added testssl.sh switches to add more tests
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Jason Culligan <jason.culligan@intel.com>
Due to a regression in k8s.io@v1.25, WaitForPodsWithLabelRunningReady()
ignored user provided timeout and defaulted to 60s. In some cases, NFD
needs more than that to the tests fail.
Workaround the problem by moving to use WaitForPodsRunningReady() with
minPods=2 (nfd-master and at least one nfd-worker).
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
- used different pods for PF and VF workloads
- increased waiting timeout to 200s
- used 'epoll' waiting mode for test apps
- decreased amount of packets from 128 to 8 for test apps
- output pod logs
- done small code optimisations
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
WaitForFinish waits for pod to finish running, regardless of
success or failure. WaitForSuccess waits for pod to succeed
which is what we expect from our test workloads that try
to use the devices.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Go 1.18 deprecates strings.Title() which triggers linter
failures for us. Move to use "cases" as the recommended
replacement (to keep the existing functionality).
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Start using the newly created NodeFeatureRule configs with SGX.
This allows to drop the custom worker config.
Additionally, split the example NFD deployment into two steps
1) plain NFD (+SGX json patches)
2) NodeFeatureRule creation
NodeFeatureRule creation is not guaranteed to succeed when it's
part of the same kustomization with the CRD creation. Users may
also have NFD already running so allowing 2) alone works better
in that scenario.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
The NFD worker sleep timout is 60s by default so there are changes
we'll miss getting the sgx.intel.com/epc extended resource registered
before the timeout.
Increase the timeout so that at least two NFD worker labeling rounds
are included.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Previously, the SGX plugin deployment pulled in NFD and
SGX webhook as well. This triggered kustomize issues when
trying to get everything under the same namespace.
This commit splits the three deployments into their own steps.
It allows to keep the static parts part of [Before|After]Each
and helps to build SGX plugin/application test cases more
easily.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
The changes made by addVolumeMount() were overriden when the
intermediate container variable was assigned to the pod and
thus the volumeMount changes were lost.
Fix it by making the volumeMount changes to the intermediate
container that is then assigned to the final pod.
Also, make the latest e2e test case to use the
checkMutatedVolumes() helper and fix the illegal Volume
name.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
- don't delete deployment as it may not exist
- set restart policy to Never to avoid running the same tests many times
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
To simplify the e2e node setup, change the QAT tests to deploy with
the sriov_numvfs overlay.
Moreover, as we are seeing the vfio-pci driver becoming built-in and
requiring opt-in parameters depending on the kernel version, it's
better to move the vfio-pci initcontainer step(s) to kernel cmdline/
modules-load.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Unset fields are not 'false' but a nil pointer. Fix the
securityContext checks to take this into account.
Fixes: "e2e: add a test to check that plugins ReadOnlyRootfs is enabled"
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
with the updated controller-runtime, new ginkgo is pulled in and it
warns about a few to-be-deprecated functions. This commit fixes those
too as they were rather small changes.
Smalle delay is added AfterEach() device plugin controller test as
they became flaky after the envtest updates (DaemonSet deletion failed).
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Go 1.16 release notes announced the deprecation of io/ioutil [1]. It's easy
for us to move to use what is was recommended so just do it.
[1] https://golang.org/doc/go1.16#ioutil
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
The device plugins daemonsets are cluster wide and currently only
one device plugin instance per device is possible so making the
corresponding deviceplugin/v1 CRDs non-namespaced (i.e., scope: cluster)
fits better.
Previously, the device plugin daemonset was deployed in the same
namespace as the CR for that device but with the cluster scoped CRDs
we default to use the same namespace as the operator, unless overridden
via DEVICEPLUGIN_NAMESPACE env variable or a command line parameter
to operator manager deployment.
Three additional changes in this commit:
- enable DSA envtest tests
- update controller-runtime to v0.8.1
- change device plugin envtest suite to use klog/v2
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
With the addition of SGX webhook in the operator, full SGX stack
depends on having the operator deployed first. SgxDevicePlugin CRD
is set to get intel-sgx-plugin and intel-sgx-initcontainer deployed
by the operator.
As a pre-requisite, node-feature-discovery must be deployed but it
is currently deployed via sgx_plugin kustomization overlay only.
It's better to allow NFD with the SGX specific settings deployed with
a kustomization of its own.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
fpga: make AFU resource name 63 char long
webhook: drop mode from README
webhook: extend mappings description
webhook: tighten CRD definitions
webhook: drop mapping to non-existing afuId
explicitly state mappings names can be in any format
use consistent terminology across fpga webhook and plugin
