Deprecate gRPC API

Now that the NodeFeature API has been set enabled by default, the gRPC mode will be deprecated and with it all flags and features around it. For nfd-master, flags -port, -key-file, -ca-file, -cert-file, -verify-node-name, -enable-nodefeature-api are now marked as deprecated. For nfd-worker flags -enable-nodefeature-api, -ca-file, -cert-file, -key-file, -server, -server-name-override are now marked as deprecated. Deprecated flags, as well as gRPC related code will be removed in future releases. Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com> Co-authored-by: Markus Lehtonen <markus.lehtonen@intel.com>
2024-12-14 11:57:51 +00:00 · 2023-09-06 10:22:13 +02:00 · 2023-09-06 10:22:13 +02:00 · 9966d2ae12
commit 9966d2ae12
parent db2719a19d
9 changed files with 120 additions and 35 deletions
--- a/cmd/nfd-master/main.go
+++ b/cmd/nfd-master/main.go
@ -72,6 +72,18 @@ func main() {
 			args.Overrides.ResyncPeriod = overrides.ResyncPeriod
 		case "nfd-api-parallelism":
 			args.Overrides.NfdApiParallelism = overrides.NfdApiParallelism
 		case "enable-nodefeature-api":
 			klog.InfoS("-enable-nodefeature-api is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "ca-file":
 			klog.InfoS("-ca-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "cert-file":
 			klog.InfoS("-cert-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "key-file":
 			klog.InfoS("-key-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "port":
 			klog.InfoS("-port is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "verify-node-name":
 			klog.InfoS("-verify-node-name is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		}
 	})
@ -105,32 +117,38 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs)
 	args := &master.Args{}
 	flagset.StringVar(&args.CaFile, "ca-file", "",
-		"Root certificate for verifying connections")
+		"Root certificate for verifying connections."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.CertFile, "cert-file", "",
-		"Certificate used for authenticating connections")
+		"Certificate used for authenticating connections."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.Instance, "instance", "",
 		"Instance name. Used to separate annotation namespaces for multiple parallel deployments.")
 	flagset.StringVar(&args.KeyFile, "key-file", "",
-		"Private key matching -cert-file")
+		"Private key matching -cert-file."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.ConfigFile, "config", "/etc/kubernetes/node-feature-discovery/nfd-master.conf",
 		"Config file to use.")
 	flagset.StringVar(&args.Kubeconfig, "kubeconfig", "",
 		"Kubeconfig to use")
 	flagset.BoolVar(&args.EnableNodeFeatureApi, "enable-nodefeature-api", true,
-		"Enable the NodeFeature CRD API for receiving node features. This will automatically disable the gRPC communication.")
+		"Enable the NodeFeature CRD API for receiving node features. This will automatically disable the gRPC communication."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.BoolVar(&args.CrdController, "featurerules-controller", true,
 		"Enable NFD CRD API controller. DEPRECATED: use -crd-controller instead")
 	flagset.BoolVar(&args.CrdController, "crd-controller", true,
 		"Enable NFD CRD API controller for processing NodeFeature and NodeFeatureRule objects.")
 	flagset.IntVar(&args.Port, "port", 8080,
-		"Port on which to listen for connections.")
+		"Port on which to listen for gRPC connections."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.IntVar(&args.MetricsPort, "metrics", 8081,
 		"Port on which to expose metrics.")
 	flagset.BoolVar(&args.Prune, "prune", false,
 		"Prune all NFD related attributes from all nodes of the cluster and exit.")
 	flagset.BoolVar(&args.VerifyNodeName, "verify-node-name", false,
 		"Verify worker node name against the worker's TLS certificate. "+
-			"Only takes effect when TLS authentication has been enabled.")
+			"Only takes effect when TLS authentication has been enabled."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.Options, "options", "",
 		"Specify config options from command line. Config options are specified "+
 			"in the same format as in the config file (i.e. json or yaml). These options")
--- a/cmd/nfd-worker/main.go
+++ b/cmd/nfd-worker/main.go
@ -51,6 +51,24 @@ func main() {
 		klog.InfoS("version not set! Set -ldflags \"-X sigs.k8s.io/node-feature-discovery/pkg/version.version=`git describe --tags --dirty --always`\" during build or run.")
 	}
 	// Check deprecated flags
 	flags.Visit(func(f *flag.Flag) {
 		switch f.Name {
 		case "enable-nodefeature-api":
 			klog.InfoS("-enable-nodefeature-api is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "ca-file":
 			klog.InfoS("-ca-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "cert-file":
 			klog.InfoS("-cert-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "key-file":
 			klog.InfoS("-key-file is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "server":
 			klog.InfoS("-server is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "server-name-override":
 			klog.InfoS("-server-name-override is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		}
 	})
 	// Plug klog into grpc logging infrastructure
 	utils.ConfigureGrpcKlog()
@ -96,15 +114,19 @@ func initFlags(flagset *flag.FlagSet) (*worker.Args, *worker.ConfigOverrideArgs)
 	args := &worker.Args{}
 	flagset.StringVar(&args.CaFile, "ca-file", "",
-		"Root certificate for verifying connections")
+		"Root certificate for verifying connections."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.CertFile, "cert-file", "",
-		"Certificate used for authenticating connections")
+		"Certificate used for authenticating connections."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.ConfigFile, "config", "/etc/kubernetes/node-feature-discovery/nfd-worker.conf",
 		"Config file to use.")
 	flagset.StringVar(&args.KeyFile, "key-file", "",
-		"Private key matching -cert-file")
+		"Private key matching -cert-file."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.BoolVar(&args.EnableNodeFeatureApi, "enable-nodefeature-api", true,
-		"Enable the NodeFeature CRD API for communicating with nfd-master. This will automatically disable the gRPC communication.")
+		"Enable the NodeFeature CRD API for communicating with nfd-master. This will automatically disable the gRPC communication."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.Kubeconfig, "kubeconfig", "",
 		"Kubeconfig to use")
 	flagset.BoolVar(&args.Oneshot, "oneshot", false,
@ -115,9 +137,11 @@ func initFlags(flagset *flag.FlagSet) (*worker.Args, *worker.ConfigOverrideArgs)
 		"Specify config options from command line. Config options are specified "+
 			"in the same format as in the config file (i.e. json or yaml). These options")
 	flagset.StringVar(&args.Server, "server", "localhost:8080",
-		"NFD server address to connecto to.")
+		"NFD server address to connecto to."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	flagset.StringVar(&args.ServerNameOverride, "server-name-override", "",
-		"Hostname expected from server certificate, useful in testing")
+		"Hostname expected from server certificate, useful in testing."+
 			" DEPRECATED: will be removed in a future release along with the deprecated gRPC API.")
 	initKlogFlags(flagset, args)
--- a/docs/deployment/helm.md
+++ b/docs/deployment/helm.md
@ -99,9 +99,9 @@ We have introduced the following Chart parameters.
 | `imagePullSecrets` | list | [] | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. [More info](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod) |
 | `nameOverride` | string |  | Override the name of the chart |
 | `fullnameOverride` | string |  | Override a default fully qualified app name |
-| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components |
+| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release  |
-| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates |
+| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
-| `enableNodeFeatureApi` | bool  | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication.
+| `enableNodeFeatureApi` | bool  | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release    |
 | `prometheus.enable` | bool | false | Specifies whether to expose metrics using prometheus operator |
 | `prometheus.labels` | dict | {} | Specifies labels for use with the prometheus operator to control how it is selected |
@ -114,7 +114,7 @@ API's you need to install the prometheus operator in your cluster.
 | Name                        | Type    | Default                                 | description                                                                                                                              |
 |-----------------------------|---------|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
 | `master.*`                  | dict    |                                         | NFD master deployment configuration                                                                                                      |
-| `master.port`               | integer |                                         | Specifies the TCP port that nfd-master listens for incoming requests.                                                      |
+| `master.port`               | integer |                                         | Specifies the TCP port that nfd-master listens for incoming requests. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release    |
 | `master.metricsPort`        | integer |   8081                                  | Port on which to expose metrics from components to prometheus operator |
 | `master.instance`           | string  |                                         | Instance name. Used to separate annotation namespaces for multiple parallel deployments                                                  |
 | `master.resyncPeriod`       | string  |                                         | NFD API controller resync period.                                                  |
@ -130,8 +130,8 @@ API's you need to install the prometheus operator in your cluster.
 | `master.serviceAccount.annotations` | dict | {}                                 | Annotations to add to the service account
 | `master.serviceAccount.name` | string |                                         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template
 | `master.rbac.create`        | bool    | true                                    | Specifies whether to create [RBAC][rbac] configuration for nfd-master
-| `master.service.type`       | string  | ClusterIP                               | NFD master service type                                                                                                                  |
+| `master.service.type`       | string  | ClusterIP                               | NFD master service type. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release    |
-| `master.service.port`       | integer | 8080                                    | NFD master service port                                                                                                                  |
+| `master.service.port`       | integer | 8080                                    | NFD master service port. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
 | `master.resources`          | dict    | {}                                      | NFD master pod [resources management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)                    |
 | `master.nodeSelector`       | dict    | {}                                      | NFD master pod [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)                    |
 | `master.tolerations`        | dict    | _Scheduling to master node is disabled_ | NFD master pod [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)                              |
--- a/docs/deployment/tls.md
+++ b/docs/deployment/tls.md
@ -15,9 +15,10 @@ sort: 5
 ---
-> ***NOTE*** this section only applies when the gRPC API is used, i.e. when the
+> **DEPRECATED**: this section only applies when the gRPC API is used, i.e.
-> NodeFeature API is disabled via the `-enable-nodefeature-api=false` flag on
+> when the NodeFeature API is disabled via the `-enable-nodefeature-api=false`
-> both nfd-master and nfd-worker.
+> flag on both nfd-master and nfd-worker. The gRPC API is deprecated and will
 > be removed in a future release.
 NFD supports mutual TLS authentication between the nfd-master and nfd-worker
 instances.  That is, nfd-worker and nfd-master both verify that the other end
--- a/docs/developer-guide/index.md
+++ b/docs/developer-guide/index.md
@ -166,6 +166,11 @@ make e2e-test KUBECONFIG=$HOME/.kube/config
 ## Running locally
 > ****DEPRECATED**: Running NFD locally is deprecated and will be removed in a
 > future release. It depends on the gRPC API which is deprecated and will be
 > removed in a future release. To run NFD locally, use the
 > `-enable-nodefeature-api=false` flag.
 You can run NFD locally, either directly on your host OS or in containers for
 testing and development purposes. This may be useful e.g. for checking
 features-detection.
@ -174,22 +179,23 @@ features-detection.
 When running as a standalone container labeling is expected to fail because
 Kubernetes API is not available. Thus, it is recommended to use `-no-publish`
-command line flag. E.g.
+Also specify `-crd-controller=false` and `-enable-nodefeature-api=false`
 command line flags to disable CRD controller and enable gRPC. E.g.
 ```bash
 $ export NFD_CONTAINER_IMAGE={{ site.container_image }}
-$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master -no-publish
+$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master -no-publish -crd-controller=false -enable-nodefeature-api=false
 2019/02/01 14:48:21 Node Feature Discovery Master <NFD_VERSION>
 2019/02/01 14:48:21 gRPC server serving on port: 8080
 ```
 ### NFD-Worker
-In order to run nfd-worker as a "stand-alone" container against your
+In order to run nfd-worker as a "stand-alone" container
-standalone nfd-master you need to run them in the same network namespace:
+you need to run it in the same network namespace as the nfd-master container:
 ```bash
-$ docker run --rm --network=container:nfd-test ${NFD_CONTAINER_IMAGE} nfd-worker
+$ docker run --rm --network=container:nfd-test ${NFD_CONTAINER_IMAGE} nfd-worker -enable-nodefeature-api=false
 2019/02/01 14:48:56 Node Feature Discovery Worker <NFD_VERSION>
 ...
 ```
@ -206,11 +212,12 @@ pass the `-no-publish` flag to nfd-worker.
 ### NFD-Topology-Updater
-In order to run nfd-topology-updater as a "stand-alone" container against your
+In order to run nfd-topology-updater as a "stand-alone" container
-standalone nfd-master you need to run them in the same network namespace:
+you need to run it in with the `-no-publish` flag to disable communication to
 the Kubernetes apiserver.
 ```bash
-$ docker run --rm --network=container:nfd-test ${NFD_CONTAINER_IMAGE} nfd-topology-updater
+$ docker run --rm ${NFD_CONTAINER_IMAGE} nfd-topology-updater -no-publish
 2019/02/01 14:48:56 Node Feature Discovery Topology Updater <NFD_VERSION>
 ...
 ```
--- a/docs/reference/master-commandline-reference.md
+++ b/docs/reference/master-commandline-reference.md
@ -80,6 +80,9 @@ nfd-master -instance=network
 ### -ca-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-ca-file` is one of the three flags (together with `-cert-file` and
 `-key-file`) controlling master-worker mutual TLS authentication on the
 nfd-master side. This flag specifies the TLS root certificate that is used for
@ -98,6 +101,9 @@ nfd-master -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/master.crt -key-file=/op
 ### -cert-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-cert-file` is one of the three flags (together with `-ca-file` and
 `-key-file`) controlling master-worker mutual TLS authentication on the
 nfd-master side. This flag specifies the TLS certificate presented for
@ -115,6 +121,9 @@ nfd-master -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -ca-file
 ### -key-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-key-file` is one of the three flags (together with `-ca-file` and
 `-cert-file`) controlling master-worker mutual TLS authentication on the
 nfd-master side. This flag specifies the private key corresponding the given
@ -133,6 +142,9 @@ nfd-master -key-file=/opt/nfd/master.key -cert-file=/opt/nfd/master.crt -ca-file
 ### -verify-node-name
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-verify-node-name` flag controls the NodeName based authorization of
 incoming requests and only has effect when mTLS authentication has been enabled
 (with `-ca-file`, `-cert-file` and `-key-file`). If enabled, the worker node
@ -153,6 +165,9 @@ nfd-master -verify-node-name -ca-file=/opt/nfd/ca.crt \
 ### -enable-nodefeature-api
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-enable-nodefeature-api` flag enables/disables the
 [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for receiving
 feature requests. This will also automatically disable/enable the gRPC
--- a/docs/reference/worker-commandline-reference.md
+++ b/docs/reference/worker-commandline-reference.md
@ -60,6 +60,9 @@ nfd-worker -options='{"sources":{"cpu":{"cpuid":{"attributeWhitelist":["AVX","AV
 ### -server
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-server` flag specifies the address of the nfd-master endpoint where to
 connect to.
@ -73,6 +76,9 @@ nfd-worker -server=nfd-master.nfd.svc.cluster.local:443
 ### -ca-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-ca-file` is one of the three flags (together with `-cert-file` and
 `-key-file`) controlling the mutual TLS authentication on the worker side.
 This flag specifies the TLS root certificate that is used for verifying the
@ -90,6 +96,9 @@ nfd-worker -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/worker.crt -key-file=/op
 ### -cert-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-cert-file` is one of the three flags (together with `-ca-file` and
 `-key-file`) controlling mutual TLS authentication on the worker side. This
 flag specifies the TLS certificate presented for authenticating outgoing
@ -107,6 +116,9 @@ nfd-workerr -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key -ca-fil
 ### -key-file
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-key-file` is one of the three flags (together with `-ca-file` and
 `-cert-file`) controlling the mutual TLS authentication on the worker side.
 This flag specifies the private key corresponding the given certificate file
@ -141,6 +153,9 @@ nfd-worker -kubeconfig ${HOME}/.kube/config
 ### -server-name-override
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-server-name-override` flag specifies the common name (CN) which to
 expect from the nfd-master TLS certificate. This flag is mostly intended for
 development and debugging purposes.
@ -197,6 +212,9 @@ nfd-worker -label-sources=kernel,system,local
 ### -enable-nodefeature-api
 > **NOTE** the gRPC API is deprecated and will be removed in a future release.
 > and this flag will be removed as well.
 The `-enable-nodefeature-api` flag enables/disables the
 [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API
 for communicating with nfd-master. When enabled nfd-worker creates per-node
--- a/docs/usage/customization-guide.md
+++ b/docs/usage/customization-guide.md
@ -43,7 +43,8 @@ create and manipulate NodeFeature objects in their namespace.
 The NodeFeature CRD API can be disabled with the
 `-enable-nodefeature-api=false` command line flag. This flag must be specified
 for both nfd-master and nfd-worker as it will enable the gRPC communication
-between them.
+between them. Note that the gRPC API is **DEPRECATED** and will be removed in a
 future release, at which point the NodeFeature API cannot be disabled.
 ### A NodeFeature example
--- a/docs/usage/nfd-master.md
+++ b/docs/usage/nfd-master.md
@ -30,11 +30,12 @@ and creates node labels accordingly. The feature data used as the input is
 received from nfd-worker instances through
 [NodeFeature](custom-resources.md#nodefeature-custom-resource) objects.
-> **NOTE:** when gRPC is used for communicating the features (by setting the
+> **NOTE**: when gRPC (**DEPRECATED**)  is used for communicating
-> flag `-enable-nodefeature-api=false` on both nfd-master and nfd-worker, or
+> the features (by setting the flag `-enable-nodefeature-api=false` on both
-> via Helm values.enableNodeFeatureApi=false),(re-)labelling only happens
+> nfd-master and nfd-worker, or via Helm values.enableNodeFeatureApi=false),
-> when a request is received from nfd-worker. That is, in practice rules are
+> (re-)labelling only happens when a request is received from nfd-worker.
-> evaluated and labels for each node are created on intervals specified by the
+> That is, in practice rules are evaluated and labels for each node are created
 > on intervals specified by the
 > [`core.sleepInterval`](../reference/worker-configuration-reference.md#coresleepinterval)
 > configuration option of nfd-worker instances. This means that modification or
 > creation of NodeFeatureRule objects does not instantly cause the node