In some cases (CI) it is useful to run NFD e2e tests using
ephemeral clusters. To save time and bandwidth, it is also useful
to prime the ephemeral cluster with the images under test.
In these circumstances there is no risk of running a stale image,
and having a `Always` PullPolicy hardcoded actually makes
the whole exercise null.
So we add a new option, disabled by default, to make the e2e
manifest use the `IfNotPresent` pull policy, to effectively
cover this use case.
Signed-off-by: Francesco Romani <fromani@redhat.com>
Revert the hack that was a workaround for issues with k8s deepcopy-gen.
New deepcopy-gen is able to generate code correctly without issues so
this is not needed anymore.
Also, removing this hack solves issues with object validation when
creating NodeFeatureRules programmatically with nfd go-client. This is
needed later with NodeFeatureRules e2e-tests.
Logically reverts f3cc109f99.
Run code auto-generation inside a container instead of the host system.
Our auto-generation depends on specific versions of a multitude of tools
(like k8s code-generator, controller-gen, protoc, mockery etc). This
made it really awkward (and error-prone) to run in the host environment,
especially if/when you needed different versions of those tools for
other projects. Making it even more unwieldy, the required versions of
tools were not neatly documented anywhere (except for git commits,
perhaps).
With this patch we have a "fixed environment", as we build a special
auto-generate-builder container which has correct versions of all the
dependencies. Using the container makes auto-generation easy to run
anywhere, independent of the host system, giving reproducibility and
reliability. Also, the patch moves the auto-generation steps out from
the makefile into a separate script, making the makefile cleaner and the
script easier to maintain.
Make it mandatory to specify a golang version with "-g" when running the
script (and patching repo content). The given version will be patched
into the Makefile to fix the version used in the release build - it is
meant to use a exact point release (like 1.18.3) to get reproducible
builds.
Switch over to the "non-point-release" version of the image. Now we
always use the latest patch version of golang with latest security
fixes, for example, without the need to manually bump the version after
every point release.
This patch also makes the builder image configurable through a Makefile
variable.
For reproducible builds we should used fixed point-release versions in
release-brances.
Change the part of the e2e-test configuration that contains
node-specific expected labels and annotations to a list, instead of a
map. This makes the parsing order deterministic and makes it possible to
e.g. have a default at the end of the list that captures "all the rest".
The test was broken twofold: Firstly, the annotation was not checked at
all because the name of the node where nfd-master is running was not
set. Secondly, the annotation prefix was used incorrectly.
We need the latest version to support client.authentication.k8s.io/v1.
The previous version we used only supported v1alpha1 which was dropped
in K8s v1.24.
Move existing security/trusted-execution related features (i.e. SGX and
SE) under the same "security" feature, deprecating the old features. The
motivation for the change is to keep the source code and user interface
more organized as we experience a constant inflow of similar security
related features. This change will affect the user interface so it is
less painful to do it early on.
New feature labels will be:
feature.node.kubernetes.io/cpu-security.se.enabled
feature.node.kubernetes.io/cpu-security.sgx.enabled
and correspondingly new "cpu.security" feature with "se.enabled" and
"sgx.enabled" elements will be available for custom rules, for example:
- name: "sample sgx rule"
labels:
sgx.sample.feature: "true"
matchFeatures:
- feature: cpu.security
matchExpressions:
"sgx.enabled": {op: IsTrue}
At the same time deprecate old labels "cpu-sgx.enabled" and
"cpu-se.enabled" feature labels and the corresponding features for
custom rules. These will be removed in the future causing an effective
change in NFDs user interface.
When used as other charts' dependency, helm will install manifests of this chart to parent chart's namespace, if subchart needs to install to another namespace, helm recommend to use namespaceOverride (helm/charts#15202)
