deployment: add kustomize base

Implement functionality virtually replicating deployment templates for
nfd-master and nfd-worker daemonset (nfd-master.yaml.template and
nfd-worker-daemonset.yaml.template) by adding a kustomize overlay named
"default".

We split the resources into multiple bases (rbac, master and
worker-daemonset) so that relevant parts are re-usable in
other deployment scenarios added later (e.g. "one-shot job", and
"combined daemonset").

This patch adds one component (components/common) doing the required
kustomization for the example deployment.

Dockerfile

@@ -31,7 +31,7 @@ USER 65534:65534
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
 
-COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
+COPY --from=builder /go/node-feature-discovery/deployment/components/worker-config/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
 COPY --from=builder /go/bin/* /usr/bin/
 
 # Create minimal variant of the production image
@@ -43,5 +43,5 @@ USER 65534:65534
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
 
-COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
+COPY --from=builder /go/node-feature-discovery/deployment/components/worker-config/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
 COPY --from=builder /go/bin/* /usr/bin/

Makefile

@@ -107,7 +107,7 @@ yamls: $(yaml_instances)
 templates: $(yaml_templates)
 	@# Need to prepend each line in the sample config with spaces in order to
 	@# fit correctly in the configmap spec.
-	@sed s'/^/    /' nfd-worker.conf.example > nfd-worker.conf.tmp
+	@sed s'/^/    /' deployment/components/worker-config/nfd-worker.conf.example > nfd-worker.conf.tmp
 	@# The sed magic below replaces the block of text between the lines with start and end markers
 	@for f in $+; do \
 	    start=NFD-WORKER-CONF-START-DO-NOT-REMOVE; \

deployment/base/master/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: node-feature-discovery
+
+resources:
+- master-service.yaml
+- master-deployment.yaml

deployment/base/master/master-deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nfd
+  name: nfd-master
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nfd-master
+  template:
+    metadata:
+      labels:
+        app: nfd-master
+    spec:
+      serviceAccount: nfd-master
+      tolerations: []
+      containers:
+        - name: nfd-master
+          image: gcr.io/k8s-staging-nfd/node-feature-discovery:master
+          imagePullPolicy: Always
+          command:
+            - "nfd-master"
+          args: []
+          volumeMounts: []
+      volumes: []

deployment/base/master/master-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nfd-master
+spec:
+  selector:
+    app: nfd-master
+  ports:
+  - protocol: TCP
+    port: 8080
+  type: ClusterIP

deployment/base/rbac/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: node-feature-discovery
+
+resources:
+- master-serviceaccount.yaml
+- master-clusterrole.yaml
+- master-clusterrolebinding.yaml

deployment/base/rbac/master-clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nfd-master
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - patch
+  - update

deployment/base/rbac/master-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nfd-master
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nfd-master
+subjects:
+- kind: ServiceAccount
+  name: nfd-master
+  namespace: default

deployment/base/rbac/master-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nfd-master

deployment/base/worker-daemonset/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: node-feature-discovery
+
+resources:
+- worker-daemonset.yaml

deployment/base/worker-daemonset/worker-daemonset.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: nfd
+  name: nfd-worker
+spec:
+  selector:
+    matchLabels:
+      app: nfd-worker
+  template:
+    metadata:
+      labels:
+        app: nfd-worker
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+        - name: nfd-worker
+          image: gcr.io/k8s-staging-nfd/node-feature-discovery:master
+          imagePullPolicy: Always
+          command:
+            - "nfd-worker"
+          args:
+            - "-server=nfd-master:8080"

deployment/components/common/env.yaml

@@ -0,0 +1,7 @@
+- op: add
+  path: "/spec/template/spec/containers/0/env"
+  value:
+    - name: NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName

deployment/components/common/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: env.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd.*
+- path: securitycontext.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd.*
+- path: master-affinity.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd-master
+- path: worker-mounts.yaml
+  target:
+    labelSelector: app=nfd
+    name: nfd-worker

deployment/components/common/master-affinity.yaml

@@ -0,0 +1,33 @@
+- op: add
+  path: /spec/template/spec/affinity
+  value:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: "node-role.kubernetes.io/master"
+            operator: In
+            values: [""]
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: node-role.kubernetes.io/control-plane
+            operator: In
+            values: [""]
+
+- op: add
+  path: /spec/template/spec/tolerations/-
+  value:
+    key: "node-role.kubernetes.io/master"
+    operator: "Equal"
+    value: ""
+    effect: "NoSchedule"
+
+- op: add
+  path: /spec/template/spec/tolerations/-
+  value:
+    key: "node-role.kubernetes.io/control-plane"
+    operator: "Equal"
+    value: ""
+    effect: "NoSchedule"

deployment/components/common/securitycontext.yaml

@@ -0,0 +1,8 @@
+- op: add
+  path: "/spec/template/spec/containers/0/securityContext"
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true

deployment/components/common/worker-mounts.yaml

@@ -0,0 +1,55 @@
+- op: add
+  path: /spec/template/spec/volumes
+  value:
+  - name: host-boot
+    hostPath:
+      path: "/boot"
+  - name: host-os-release
+    hostPath:
+      path: "/etc/os-release"
+  - name: host-sys
+    hostPath:
+      path: "/sys"
+  - name: host-usr-lib
+    hostPath:
+      path: "/usr/lib"
+  - name: host-usr-src
+    hostPath:
+      path: "/usr/src"
+  - name: source-d
+    hostPath:
+      path: "/etc/kubernetes/node-feature-discovery/source.d/"
+  - name: features-d
+    hostPath:
+      path: "/etc/kubernetes/node-feature-discovery/features.d/"
+  - name: nfd-worker-conf
+    configMap:
+      name: nfd-worker-conf
+
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts
+  value:
+  - name: host-boot
+    mountPath: "/host-boot"
+    readOnly: true
+  - name: host-os-release
+    mountPath: "/host-etc/os-release"
+    readOnly: true
+  - name: host-sys
+    mountPath: "/host-sys"
+    readOnly: true
+  - name: host-usr-lib
+    mountPath: "/host-usr/lib"
+    readOnly: true
+  - name: host-usr-src
+    mountPath: "/host-usr/src"
+    readOnly: true
+  - name: source-d
+    mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
+    readOnly: true
+  - name: features-d
+    mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
+    readOnly: true
+  - name: nfd-worker-conf
+    mountPath: "/etc/kubernetes/node-feature-discovery"
+    readOnly: true

deployment/components/worker-config/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+configMapGenerator:
+- files:
+  - nfd-worker.conf=nfd-worker.conf.example
+  name: nfd-worker-conf

deployment/overlays/default/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: node-feature-discovery
+
+bases:
+- ../../base/rbac
+- ../../base/master
+- ../../base/worker-daemonset
+
+resources:
+- namespace.yaml
+
+components:
+- ../../components/worker-config
+- ../../components/common

deployment/overlays/default/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: node-feature-discovery