mirror of
https://github.com/kubernetes-sigs/node-feature-discovery.git
synced 2024-12-14 11:57:51 +00:00
Merge pull request #1942 from marquiz/devel/drop-grpc
nfd-master: drop stale unreachable deprecation notices
commit
b997ade5b3
11 changed files with 4 additions and 433 deletions
|
@ -59,10 +59,6 @@ func main() {
|
|||
// Check deprecated flags
|
||||
flags.Visit(func(f *flag.Flag) {
|
||||
switch f.Name {
|
||||
case "featurerules-controller":
|
||||
klog.InfoS("-featurerules-controller is deprecated, use '-crd-controller' flag instead")
|
||||
case "crd-controller":
|
||||
klog.InfoS("-crd-controller is deprecated, will be removed in a future release along with the deprecated gRPC API")
|
||||
case "extra-label-ns":
|
||||
args.Overrides.ExtraLabelNs = overrides.ExtraLabelNs
|
||||
case "deny-label-ns":
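Review bot: The `// Check deprecated flags` comment above `flags.Visit` no longer matches the visible cases. With the `featurerules-controller` and `crd-controller` branches gone, the cases shown (`extra-label-ns`, `deny-label-ns`) only copy explicitly set values into `args.Overrides`. The switch continues outside this hunk; if no deprecation checks remain further down, I would reword the comment to `// Record overrides for flags that were explicitly set on the command line`. It is also worth confirming in the flag definitions (not shown here) that both flags are really unregistered, since a leftover registration would now be accepted with no notice at all.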
|
||||
|
|
|
@ -158,10 +158,6 @@ Chart parameters are available.
|
|||
| `imagePullSecrets` | array | [] | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. [More info](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod). |
|
||||
| `nameOverride` | string | | Override the name of the chart |
|
||||
| `fullnameOverride` | string | | Override a default fully qualified app name |
|
||||
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
|
||||
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
|
||||
| `tls.certManager.certManagerCertificate.issuerName` | string | | If specified, it will use a pre-existing issuer instead for the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
|
||||
| `tls.certManager.certManagerCertificate.issuerKind` | string | | Specifies on what kind of issuer is used, can be either ClusterIssuer or Issuer (default). Requires `tls.certManager.certManagerCertificate.issuerName` to be set. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
|
||||
| `featureGates.NodeFeatureAPI` | bool | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication. |
|
||||
| `featureGates.NodeFeatureGroupAPI` | bool | false | Enable the [NodeFeatureGroup](../usage/custom-resources.md#nodefeaturegroup) CRD API. |
|
||||
| `featureGates.DisableAutoPrefix` | bool | false | Enable [DisableAutoPrefix](../reference/feature-gates.md#disableautoprefix) feature gate. Disables automatic prefixing of unprefixed labels, annotations and extended resources. |
|
||||
|
@ -181,7 +177,6 @@ API's you need to install the prometheus operator in your cluster.
|
|||
| `master.*` | dict | | NFD master deployment configuration |
|
||||
| `master.enable` | bool | true | Specifies whether nfd-master should be deployed |
|
||||
| `master.hostNetwork` | bool | false | Specifies whether to enable or disable running the container in the host's network namespace |
|
||||
| `master.port` | integer | | Specifies the TCP port that nfd-master listens for incoming requests. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
|
||||
| `master.metricsPort` | integer | 8081 | Port on which to expose metrics from components to prometheus operator |
|
||||
| `master.healthPort` | integer | 8082 | Port on which to expose the grpc health endpoint, will be also used for the probes |
|
||||
| `master.instance` | string | | Instance name. Used to separate annotation namespaces for multiple parallel deployments |
|
||||
|
@ -189,8 +184,6 @@ API's you need to install the prometheus operator in your cluster.
|
|||
| `master.extraLabelNs` | array | [] | List of allowed extra label namespaces |
|
||||
| `master.resourceLabels` | array | [] | List of labels to be registered as extended resources |
|
||||
| `master.enableTaints` | bool | false | Specifies whether to enable or disable node tainting |
|
||||
| `master.crdController` | bool | null | Specifies whether the NFD CRD API controller is enabled. If not set, controller will be enabled if `master.instance` is empty. |
|
||||
| `master.featureRulesController` | bool | null | DEPRECATED: use `master.crdController` instead |
|
||||
| `master.replicaCount` | integer | 1 | Number of desired pods. This is a pointer to distinguish between explicit zero and not specified |
|
||||
| `master.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings |
|
||||
| `master.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
|
||||
|
@ -198,8 +191,6 @@ API's you need to install the prometheus operator in your cluster.
|
|||
| `master.serviceAccount.annotations` | dict | {} | Annotations to add to the service account |
|
||||
| `master.serviceAccount.name` | string | | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
|
||||
| `master.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for nfd-master |
|
||||
| `master.service.type` | string | ClusterIP | NFD master service type. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
|
||||
| `master.service.port` | integer | 8080 | NFD master service port. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
|
||||
| `master.resources.limits` | dict | {memory: 4Gi} | NFD master pod [resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) |
|
||||
| `master.resources.requests` | dict | {cpu: 100m, memory: 128Mi} | NFD master pod [resources requests](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits). See `[0]` for more info |
|
||||
| `master.tolerations` | dict | _Schedule to control-plane node_ | NFD master pod [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
|
||||
|
|
|
@ -59,11 +59,6 @@ scenarios under
|
|||
- [`prune`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/prune):
|
||||
clean up the cluster after uninstallation, see
|
||||
[Removing feature labels](uninstallation.md#removing-feature-labels)
|
||||
- [`samples/cert-manager`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/cert-manager):
|
||||
an example for supplementing the default deployment with cert-manager for TLS
|
||||
authentication, see
|
||||
[Automated TLS certificate management using cert-manager](tls.md)
|
||||
for details
|
||||
- [`samples/custom-rules`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/custom-rules):
|
||||
an example for spicing up the default deployment with a separately managed
|
||||
configmap of custom labeling rules, see
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: "Metrics"
|
||||
layout: default
|
||||
sort: 7
|
||||
sort: 6
|
||||
---
|
||||
|
||||
# Metrics
|
||||
|
|
|
@ -1,181 +0,0 @@
|
|||
---
|
||||
title: "TLS authentication"
|
||||
layout: default
|
||||
sort: 5
|
||||
---
|
||||
|
||||
# Communication security with TLS
|
||||
{: .no_toc}
|
||||
|
||||
## Table of contents
|
||||
{: .no_toc .text-delta}
|
||||
|
||||
1. TOC
|
||||
{:toc}
|
||||
|
||||
---
|
||||
|
||||
> **DEPRECATED**: this section only applies when the gRPC API is used, i.e.
|
||||
> when the NodeFeature API is disabled (via the `-feature-gates
|
||||
> NodeFeatureAPI=false` flag) on both nfd-master and nfd-worker. The gRPC API
|
||||
> is deprecated and will be removed in a future release.
|
||||
|
||||
NFD supports mutual TLS authentication between the nfd-master and nfd-worker
|
||||
instances. That is, nfd-worker and nfd-master both verify that the other end
|
||||
presents a valid certificate.
|
||||
|
||||
TLS authentication is enabled by specifying `-ca-file`, `-key-file` and
|
||||
`-cert-file` args, on both the nfd-master and nfd-worker instances. The
|
||||
template specs provided with NFD contain (commented out) example configuration
|
||||
for enabling TLS authentication.
|
||||
|
||||
The Common Name (CN) of the nfd-master certificate must match the DNS name of
|
||||
the nfd-master Service of the cluster. By default, nfd-master only check that
|
||||
the nfd-worker has been signed by the specified root certificate (-ca-file).
|
||||
|
||||
Additional hardening can be enabled by specifying `-verify-node-name` in
|
||||
nfd-master args, in which case nfd-master verifies that the NodeName presented
|
||||
by nfd-worker matches the Common Name (CN) or a Subject Alternative Name (SAN)
|
||||
of its certificate.
|
||||
|
||||
## Automated TLS certificate management using cert-manager
|
||||
|
||||
[cert-manager](https://cert-manager.io/) can be used to automate certificate
|
||||
management between nfd-master and the nfd-worker pods.
|
||||
|
||||
The NFD source code repository contains an example kustomize overlay and helm
|
||||
chart that can be used to deploy NFD with cert-manager supplied certificates
|
||||
enabled.
|
||||
|
||||
To install `cert-manager` itself, you can run:
|
||||
|
||||
```bash
|
||||
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
|
||||
```
|
||||
|
||||
Alternatively, you can refer to cert-manager documentation for other
|
||||
installation methods such as the Helm chart they provide.
|
||||
|
||||
When using the Helm chart to deploy NFD, override `values.yaml` to enable both the
|
||||
`tls.enabled` and `tls.certManager` options. Note that if you do not enable
|
||||
`tls.certManager`, helm will successfully install the application, but
|
||||
deployment will wait until certificates are manually created, as demonstrated
|
||||
below.
|
||||
|
||||
See the sample installation commands in the Helm [Deployment](helm.md#deployment)
|
||||
and [Configuration](helm.md#configuration) sections above for how to either override
|
||||
individual values, or provide a yaml file with which to override default
|
||||
values.
|
||||
|
||||
## Manual TLS certificate management
|
||||
|
||||
If you do not with to make use of cert-manager, the certificates can be
|
||||
manually created and stored as secrets within the NFD namespace.
|
||||
|
||||
Create a CA certificate
|
||||
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout ca.key -nodes \
|
||||
-subj "/CN=nfd-ca" -days 10000 -out ca.crt
|
||||
```
|
||||
|
||||
Create a common openssl config file.
|
||||
|
||||
```bash
|
||||
cat <<EOF > nfd-common.conf
|
||||
[ req ]
|
||||
default_bits = 4096
|
||||
prompt = no
|
||||
default_md = sha256
|
||||
req_extensions = req_ext
|
||||
distinguished_name = dn
|
||||
|
||||
[ dn ]
|
||||
C = XX
|
||||
ST = some-state
|
||||
L = some-city
|
||||
O = some-company
|
||||
OU = node-feature-discovery
|
||||
|
||||
[ req_ext ]
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[ v3_ext ]
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage=keyEncipherment,dataEncipherment
|
||||
extendedKeyUsage=serverAuth,clientAuth
|
||||
subjectAltName=@alt_names
|
||||
EOF
|
||||
```
|
||||
|
||||
Now, create the nfd-master certificate.
|
||||
|
||||
```bash
|
||||
cat <<EOF > nfd-master.conf
|
||||
.include nfd-common.conf
|
||||
|
||||
[ dn ]
|
||||
CN = nfd-master
|
||||
|
||||
[ alt_names ]
|
||||
DNS.1 = nfd-master
|
||||
DNS.2 = nfd-master.node-feature-discovery.svc.cluster.local
|
||||
DNS.3 = localhost
|
||||
EOF
|
||||
|
||||
openssl req -new -newkey rsa:4096 -keyout nfd-master.key -nodes -out nfd-master.csr -config nfd-master.conf
|
||||
```
|
||||
|
||||
Create certificates for nfd-worker and nfd-topology-updater
|
||||
|
||||
```bash
|
||||
cat <<EOF > nfd-worker.conf
|
||||
.include nfd-common.conf
|
||||
|
||||
[ dn ]
|
||||
CN = nfd-worker
|
||||
|
||||
[ alt_names ]
|
||||
DNS.1 = nfd-worker
|
||||
DNS.2 = nfd-worker.node-feature-discovery.svc.cluster.local
|
||||
EOF
|
||||
|
||||
# Config for topology updater is identical except for the DN and alt_names
|
||||
sed -e 's/worker/topology-updater/g' < nfd-worker.conf > nfd-topology-updater.conf
|
||||
|
||||
openssl req -new -newkey rsa:4096 -keyout nfd-worker.key -nodes -out nfd-worker.csr -config nfd-worker.conf
|
||||
openssl req -new -newkey rsa:4096 -keyout nfd-topology-updater.key -nodes -out nfd-topology-updater.csr -config nfd-topology-updater.conf
|
||||
```
|
||||
|
||||
Now, sign the certificates with the CA created earlier.
|
||||
|
||||
```bash
|
||||
for cert in nfd-master nfd-worker nfd-topology-updater; do
|
||||
echo signing $cert
|
||||
openssl x509 -req -in $cert.csr -CA ca.crt -CAkey ca.key \
|
||||
-CAcreateserial -out $cert.crt -days 10000 \
|
||||
-extensions v3_ext -extfile $cert.conf
|
||||
done
|
||||
```
|
||||
|
||||
Finally, turn these certificates into secrets.
|
||||
|
||||
```bash
|
||||
for cert in nfd-master nfd-worker nfd-topology-updater; do
|
||||
echo creating secret for $cert in node-feature-discovery namespace
|
||||
cat <<EOF | kubectl create -n node-feature-discovery -f -
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: kubernetes.io/tls
|
||||
metadata:
|
||||
name: ${cert}-cert
|
||||
data:
|
||||
ca.crt: $( cat ca.crt | base64 -w 0 )
|
||||
tls.crt: $( cat $cert.crt | base64 -w 0 )
|
||||
tls.key: $( cat $cert.key | base64 -w 0 )
|
||||
EOF
|
||||
|
||||
done
|
||||
```
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: "Uninstallation"
|
||||
layout: default
|
||||
sort: 6
|
||||
sort: 5
|
||||
---
|
||||
|
||||
# Uninstallation
|
||||
|
|
|
@ -171,29 +171,15 @@ e2e-tests:
|
|||
| E2E_GINKGO_LABEL_FILTER | Ginkgo label filter to use for running e2e tests | *empty* |
|
||||
| OPENSHIFT | Non-empty value enables OpenShift specific support (only affects e2e tests) | *empty* |
|
||||
|
||||
## Running locally
|
||||
|
||||
> ****DEPRECATED**: Running NFD locally is deprecated and will be removed in a
|
||||
> future release. It depends on the gRPC API which is deprecated and will be
|
||||
> removed in a future release. To run NFD locally, disable the NodeFeature API
|
||||
> with `-feature-gates NodeFeatureAPI=false` flag.
|
||||
|
||||
You can run NFD locally, either directly on your host OS or in containers for
|
||||
testing and development purposes. This may be useful e.g. for checking
|
||||
features-detection.
|
||||
|
||||
### NFD-Master
|
||||
|
||||
When running as a standalone container labeling is expected to fail because
|
||||
Kubernetes API is not available. Thus, it is recommended to use `-no-publish`
|
||||
Also specify `-crd-controller=false` and `-feature-gates NodeFeatureAPI=false`
|
||||
command line flags to disable CRD controller and enable gRPC. E.g.
|
||||
Kubernetes API is not available. Thus, it is recommended to use `-no-publish`.
|
||||
|
||||
```bash
|
||||
$ export NFD_CONTAINER_IMAGE={{ site.container_image }}
|
||||
$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master -no-publish -crd-controller=false -feature-gates NodeFeatureAPI=false
|
||||
2019/02/01 14:48:21 Node Feature Discovery Master <NFD_VERSION>
|
||||
2019/02/01 14:48:21 gRPC server serving on port: 8080
|
||||
```
|
||||
|
||||
### NFD-Worker
|
||||
|
|
|
@ -47,18 +47,6 @@ The `-prune` flag is a sub-command like option for cleaning up the cluster. It
|
|||
causes nfd-master to remove all NFD related labels, annotations and extended
|
||||
resources from all Node objects of the cluster and exit.
|
||||
|
||||
### -port
|
||||
|
||||
The `-port` flag specifies the TCP port that nfd-master listens for incoming requests.
|
||||
|
||||
Default: 8080
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -port=443
|
||||
```
|
||||
|
||||
### -metrics
|
||||
|
||||
The `-metrics` flag specifies the port on which to expose
|
||||
|
@ -89,91 +77,6 @@ Example:
|
|||
nfd-master -instance=network
|
||||
```
|
||||
|
||||
### -ca-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-ca-file` is one of the three flags (together with `-cert-file` and
|
||||
`-key-file`) controlling master-worker mutual TLS authentication on the
|
||||
nfd-master side. This flag specifies the TLS root certificate that is used for
|
||||
authenticating incoming connections. NFD-Worker side needs to have matching key
|
||||
and cert files configured for the incoming requests to be accepted.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-cert-file` and `-key-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key
|
||||
```
|
||||
|
||||
### -cert-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-cert-file` is one of the three flags (together with `-ca-file` and
|
||||
`-key-file`) controlling master-worker mutual TLS authentication on the
|
||||
nfd-master side. This flag specifies the TLS certificate presented for
|
||||
authenticating outgoing traffic towards nfd-worker.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-ca-file` and `-key-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -ca-file=/opt/nfd/ca.crt
|
||||
```
|
||||
|
||||
### -key-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-key-file` is one of the three flags (together with `-ca-file` and
|
||||
`-cert-file`) controlling master-worker mutual TLS authentication on the
|
||||
nfd-master side. This flag specifies the private key corresponding the given
|
||||
certificate file (`-cert-file`) that is used for authenticating outgoing
|
||||
traffic.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-cert-file` and `-ca-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -key-file=/opt/nfd/master.key -cert-file=/opt/nfd/master.crt -ca-file=/opt/nfd/ca.crt
|
||||
```
|
||||
|
||||
### -verify-node-name
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-verify-node-name` flag controls the NodeName based authorization of
|
||||
incoming requests and only has effect when mTLS authentication has been enabled
|
||||
(with `-ca-file`, `-cert-file` and `-key-file`). If enabled, the worker node
|
||||
name of the incoming must match with the CN or a SAN in its TLS certificate. Thus,
|
||||
workers are only able to label the node they are running on (or the node whose
|
||||
certificate they present).
|
||||
|
||||
Node Name based authorization is disabled by default.
|
||||
|
||||
Default: *false*
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -verify-node-name -ca-file=/opt/nfd/ca.crt \
|
||||
-cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key
|
||||
```
|
||||
|
||||
### -enable-leader-election
|
||||
|
||||
The `-enable-leader-election` flag enables leader election for NFD-Master.
|
||||
|
@ -212,28 +115,6 @@ Example:
|
|||
nfd-master -no-publish
|
||||
```
|
||||
|
||||
### -crd-controller
|
||||
|
||||
> **NOTE** This flag will be removed in a future release at the same time with
|
||||
> the deprecated gRPC API.
|
||||
|
||||
The `-crd-controller` flag specifies whether the NFD CRD API controller is
|
||||
enabled or not. The controller is responsible for processing
|
||||
[NodeFeature](../usage/custom-resources.md#nodefeature) and
|
||||
[NodeFeatureRule](../usage/custom-resources.md#nodefeaturerule) objects.
|
||||
|
||||
Default: *true*
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-master -crd-controller=false
|
||||
```
|
||||
|
||||
### -featurerules-controller
|
||||
|
||||
**DEPRECATED**: use [`-crd-controller`](#-crd-controller) instead.
|
||||
|
||||
### -label-whitelist
|
||||
|
||||
The `-label-whitelist` specifies a regular expression for filtering feature
|
||||
|
|
|
@ -69,82 +69,6 @@ Example:
|
|||
nfd-worker -options='{"sources":{"cpu":{"cpuid":{"attributeWhitelist":["AVX","AVX2"]}}}}'
|
||||
```
|
||||
|
||||
### -server
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-server` flag specifies the address of the nfd-master endpoint where to
|
||||
connect to.
|
||||
|
||||
Default: localhost:8080
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-worker -server=nfd-master.nfd.svc.cluster.local:443
|
||||
```
|
||||
|
||||
### -ca-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-ca-file` is one of the three flags (together with `-cert-file` and
|
||||
`-key-file`) controlling the mutual TLS authentication on the worker side.
|
||||
This flag specifies the TLS root certificate that is used for verifying the
|
||||
authenticity of nfd-master.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-cert-file` and `-key-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-worker -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key
|
||||
```
|
||||
|
||||
### -cert-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-cert-file` is one of the three flags (together with `-ca-file` and
|
||||
`-key-file`) controlling mutual TLS authentication on the worker side. This
|
||||
flag specifies the TLS certificate presented for authenticating outgoing
|
||||
requests.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-ca-file` and `-key-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-workerr -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key -ca-file=/opt/nfd/ca.crt
|
||||
```
|
||||
|
||||
### -key-file
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-key-file` is one of the three flags (together with `-ca-file` and
|
||||
`-cert-file`) controlling the mutual TLS authentication on the worker side.
|
||||
This flag specifies the private key corresponding the given certificate file
|
||||
(`-cert-file`) that is used for authenticating outgoing requests.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
> **NOTE:** Must be specified together with `-cert-file` and `-ca-file`
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-worker -key-file=/opt/nfd/worker.key -cert-file=/opt/nfd/worker.crt -ca-file=/opt/nfd/ca.crt
|
||||
```
|
||||
|
||||
### -kubeconfig
|
||||
|
||||
The `-kubeconfig` flag specifies the kubeconfig to use for connecting to the
|
||||
|
@ -160,23 +84,6 @@ Example:
|
|||
nfd-worker -kubeconfig ${HOME}/.kube/config
|
||||
```
|
||||
|
||||
### -server-name-override
|
||||
|
||||
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
|
||||
> and this flag will be removed as well.
|
||||
|
||||
The `-server-name-override` flag specifies the common name (CN) which to
|
||||
expect from the nfd-master TLS certificate. This flag is mostly intended for
|
||||
development and debugging purposes.
|
||||
|
||||
Default: *empty*
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
nfd-worker -server-name-override=localhost
|
||||
```
|
||||
|
||||
### -feature-sources
|
||||
|
||||
The `-feature-sources` flag specifies a comma-separated list of enabled feature
|
||||
|
|
|
@ -141,21 +141,18 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
|
|||
if !nfdApiControllerOptions.DisableNodeFeature {
|
||||
c.updateAllNodes()
|
||||
}
|
||||
// else: rules will be processed only when gRPC requests are received
|
||||
},
|
||||
UpdateFunc: func(oldObject, newObject interface{}) {
|
||||
klog.V(2).InfoS("NodeFeatureRule updated", "nodefeaturerule", klog.KObj(newObject.(metav1.Object)))
|
||||
if !nfdApiControllerOptions.DisableNodeFeature {
|
||||
c.updateAllNodes()
|
||||
}
|
||||
// else: rules will be processed only when gRPC requests are received
|
||||
},
|
||||
DeleteFunc: func(object interface{}) {
|
||||
klog.V(2).InfoS("NodeFeatureRule deleted", "nodefeaturerule", klog.KObj(object.(metav1.Object)))
|
||||
if !nfdApiControllerOptions.DisableNodeFeature {
|
||||
c.updateAllNodes()
|
||||
}
|
||||
// else: rules will be processed only when gRPC requests are received
|
||||
},
|
||||
}); err != nil {
|
||||
return nil, err
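Review bot: With the `// else: rules will be processed only when gRPC requests are received` comments removed, the NodeFeatureRule handlers keep the `if !nfdApiControllerOptions.DisableNodeFeature` guard but no longer say what happens on the other branch. This applies to the handler whose tail opens the hunk, to `UpdateFunc` and to `DeleteFunc`. If the gRPC path is gone and `DisableNodeFeature` can still be set, rule changes are logged and never applied to any node. Either drop the option and call `c.updateAllNodes()` unconditionally, or state it, e.g. `// else: NodeFeature API disabled, rule changes are not propagated to nodes`. Separately, `object.(metav1.Object)` in `DeleteFunc` is an unchecked assertion; informer delete handlers can be handed a `cache.DeletedFinalStateUnknown` tombstone, which would panic here, so a checked assertion with a fallback is safer (`newNfdController` starts and ends outside the hunk).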
|
||||
|
|
|
@ -273,8 +273,7 @@ func createClusterRoleTopologyUpdater(ctx context.Context, cs clientset.Interfac
|
|||
Name: "nfd-topology-updater-e2e",
|
||||
},
|
||||
// the Topology Updater doesn't need to access any kube object:
|
||||
// it reads from the podresources socket and it sends updates to the
|
||||
// nfd-master using the gRPC interface.
|
||||
// it reads from the podresources socket and it updates the noderesourcetopologies
|
||||
Rules: []rbacv1.PolicyRule{
|
||||
{
|
||||
APIGroups: []string{""},
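Review bot: The reworded comment contradicts itself. It says the Topology Updater "doesn't need to access any kube object" and then that it "updates the noderesourcetopologies", which are API objects, and a `Rules` list follows directly. Since this comment is the stated rationale for the ClusterRole's scope, I would write it as `// the Topology Updater reads from the podresources socket and only needs API access to update noderesourcetopologies`. The rules continue outside the hunk, so it is worth checking that they grant nothing beyond that.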
|
||||
|
|