Run code auto-generation inside a container instead of the host system.
Our auto-generation depends on specific versions of a multitude of tools
(like k8s code-generator, controller-gen, protoc, mockery etc). This
made it really awkward (and error-prone) to run in the host environment,
especially if/when you needed different versions of those tools for
other projects. Making it even more unwieldy, the required versions of
tools were not neatly documented anywhere (except for git commits,
perhaps).
With this patch we have a "fixed environment", as we build a special
auto-generate-builder container which has correct versions of all the
dependencies. Using the container makes auto-generation easy to run
anywhere, independent of the host system, giving reproducibility and
reliability. Also, the patch moves the auto-generation steps out from
the makefile into a separate script, making the makefile cleaner and the
script easier to maintain.
Make it mandatory to specify a golang version with "-g" when running the
script (and patching repo content). The given version will be patched
into the Makefile to fix the version used in the release build - it is
meant to use a exact point release (like 1.18.3) to get reproducible
builds.
Switch over to the "non-point-release" version of the image. Now we
always use the latest patch version of golang with latest security
fixes, for example, without the need to manually bump the version after
every point release.
This patch also makes the builder image configurable through a Makefile
variable.
For reproducible builds we should used fixed point-release versions in
release-brances.
Change the part of the e2e-test configuration that contains
node-specific expected labels and annotations to a list, instead of a
map. This makes the parsing order deterministic and makes it possible to
e.g. have a default at the end of the list that captures "all the rest".
The test was broken twofold: Firstly, the annotation was not checked at
all because the name of the node where nfd-master is running was not
set. Secondly, the annotation prefix was used incorrectly.
We need the latest version to support client.authentication.k8s.io/v1.
The previous version we used only supported v1alpha1 which was dropped
in K8s v1.24.
Move existing security/trusted-execution related features (i.e. SGX and
SE) under the same "security" feature, deprecating the old features. The
motivation for the change is to keep the source code and user interface
more organized as we experience a constant inflow of similar security
related features. This change will affect the user interface so it is
less painful to do it early on.
New feature labels will be:
feature.node.kubernetes.io/cpu-security.se.enabled
feature.node.kubernetes.io/cpu-security.sgx.enabled
and correspondingly new "cpu.security" feature with "se.enabled" and
"sgx.enabled" elements will be available for custom rules, for example:
- name: "sample sgx rule"
labels:
sgx.sample.feature: "true"
matchFeatures:
- feature: cpu.security
matchExpressions:
"sgx.enabled": {op: IsTrue}
At the same time deprecate old labels "cpu-sgx.enabled" and
"cpu-se.enabled" feature labels and the corresponding features for
custom rules. These will be removed in the future causing an effective
change in NFDs user interface.
When used as other charts' dependency, helm will install manifests of this chart to parent chart's namespace, if subchart needs to install to another namespace, helm recommend to use namespaceOverride (helm/charts#15202)
Update the partial list of x86 cpuid features that are presented in the
NFD documentation. In particular, the following instructions were left
out of the list: AVXSLOW, CETIBT, CETSS, CLDEMOTE, HLE, MPX, RTM,
RTM_ALWAYS_ABORT, SERIALIZE, SHA, TSXLDTRK.
Ignore the operational state of network interface when creating the
network SR-IOV labels. Previously NFD only considered interfaces which
were "up".
Pre v0.9 we used to check the "administrative state" of interfaces
(managed by the sysadmin with e.g. with ip link set dev <dev> down/up).
In v0.10 we changed to checking the "operational state" of interfaces,
reflecting whether the it is actually able to transfer data. Both these
checks have caused confusion among users and it is more understandable
and more aligned with other HW discovery functions in NFD to just drop
the state check. Also, the documentation is aligned with this behavior.
