Merge branch 'master' into leader_election

Makefile

@@ -200,7 +200,10 @@ deploy-setup-k8s: export CLUSTER_TYPE=kubernetes
 deploy-setup-k8s: deploy-setup
 
 test-e2e-conformance:
-	./hack/run-e2e-conformance.sh
+	SUITE=./test/conformance ./hack/run-e2e-conformance.sh
+
+test-e2e-validation-only:
+	SUITE=./test/validation ./hack/run-e2e-conformance.sh	
 
 test-e2e: generate vet manifests skopeo
 	mkdir -p ${ENVTEST_ASSETS_DIR}
@@ -220,6 +223,9 @@ test-%: generate vet manifests
 # deploy-setup-k8s: export CNI_BIN_PATH=/opt/cni/bin
 # test-e2e-k8s: test-e2e
 
+deploy-wait:
+	hack/deploy-wait.sh
+
 undeploy: uninstall
 	@hack/undeploy.sh $(NAMESPACE)
 

api/v1/helper.go

@@ -37,6 +37,7 @@ var VfIds = []string{}
 // NicIdMap contains supported mapping of IDs with each in the format of:
 // Vendor ID, Physical Function Device ID, Virtual Function Device ID
 var NicIdMap = []string{
+	"8086 158a 154c", // I40e XXV710
 	"8086 158b 154c", // I40e 25G SFP28
 	"8086 1572 154c", // I40e 10G X710 SFP+
 	"8086 0d58 154c", // I40e XXV710 N3000

bindata/manifests/daemon/daemonset.yaml

@@ -12,6 +12,8 @@ spec:
       app: sriov-network-config-daemon
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
@@ -28,6 +30,7 @@ spec:
       tolerations:
       - operator: Exists
       serviceAccountName: sriov-network-config-daemon
+      priorityClassName: "system-node-critical"
       containers:
       - name: sriov-network-config-daemon
         image: {{.Image}}
@@ -49,6 +52,10 @@ spec:
                 fieldPath: metadata.namespace
           - name: CLUSTER_TYPE
             value: "{{.ClusterType}}"
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
         volumeMounts:
         - name: host
           mountPath: /host

bindata/manifests/operator-webhook/server.yaml

@@ -16,15 +16,24 @@ spec:
       app: operator-webhook
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
         app: operator-webhook
     spec:
       serviceAccountName: operator-webhook-sa
+      priorityClassName: "system-cluster-critical"
       nodeSelector:
         beta.kubernetes.io/os: linux
-        node-role.kubernetes.io/master:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
       tolerations:
       - key: "node-role.kubernetes.io/master"
         operator: Exists
@@ -49,6 +58,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
         volumeMounts:
         - mountPath: /etc/tls
           name: tls

bindata/manifests/plugins/sriov-cni.yaml

@@ -14,6 +14,8 @@ spec:
       app: sriov-cni
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
@@ -28,18 +30,27 @@ spec:
       tolerations:
       - operator: Exists
       serviceAccountName: sriov-cni
+      priorityClassName: "system-node-critical"
       containers:
       - name: sriov-cni
         image: {{.SRIOVCNIImage}}
         securityContext:
           privileged: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
         volumeMounts:
         - name: cnibin
           mountPath: /host/opt/cni/bin
       - name: sriov-infiniband-cni
         image: {{.SRIOVInfiniBandCNIImage}}
         securityContext:
           privileged: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
         volumeMounts:
         - name: cnibin
           mountPath: /host/opt/cni/bin

bindata/manifests/plugins/sriov-device-plugin.yaml

@@ -14,6 +14,8 @@ spec:
       app: sriov-device-plugin
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
@@ -29,6 +31,7 @@ spec:
       tolerations:
       - operator: Exists
       serviceAccountName: sriov-device-plugin
+      priorityClassName: "system-node-critical"
       containers:
       - name: sriov-device-plugin
         image: {{.SRIOVDevicePluginImage}}
@@ -43,6 +46,10 @@ spec:
               fieldPath: spec.nodeName
         securityContext:
           privileged: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
         volumeMounts:
         - name: devicesock
           mountPath: /var/lib/kubelet/

bindata/manifests/webhook/003-webhook.yaml

@@ -14,6 +14,7 @@ webhooks:
   - name: network-resources-injector-config.k8s.io
     sideEffects: None
     admissionReviewVersions: [v1]
+    failurePolicy: Ignore
     clientConfig:
       service:
         name: network-resources-injector-service

bindata/manifests/webhook/server.yaml

@@ -16,6 +16,8 @@ spec:
       app: network-resources-injector
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
@@ -25,9 +27,16 @@ spec:
         openshift.io/component: network
     spec:
       serviceAccountName: network-resources-injector-sa
+      priorityClassName: "system-cluster-critical"
       nodeSelector:
         beta.kubernetes.io/os: linux
-        node-role.kubernetes.io/master:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
       tolerations:
       - key: "node-role.kubernetes.io/master"
         operator: Exists
@@ -53,6 +62,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
         volumeMounts:
         - mountPath: /etc/tls
           name: tls

deploy/operator.yaml

@@ -7,25 +7,39 @@ spec:
   selector:
     matchLabels:
       name: sriov-network-operator
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 33%
   template:
     metadata:
       labels:
         name: sriov-network-operator
     spec:
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
         operator: Exists
       serviceAccountName: sriov-network-operator
+      priorityClassName: "system-node-critical"
       containers:
         - name: sriov-network-operator
           # Replace this with the built image name
           image: $SRIOV_NETWORK_OPERATOR_IMAGE
           command:
           - sriov-network-operator
           imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
           env:
             - name: WATCH_NAMESPACE
               valueFrom:

deployment/sriov-network-operator/templates/clusterrole.yaml

@@ -1,29 +1,54 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
   name: {{ include "sriov-network-operator.fullname" . }}
   labels:
   {{- include "sriov-network-operator.labels" . | nindent 4 }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "sriov-network-operator.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
-    name: {{ include "sriov-network-operator.fullname" . }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["namespaces", "serviceaccounts"]
+    verbs: ["*"]
+  - apiGroups: ["k8s.cni.cncf.io"]
+    resources: ["network-attachment-definitions"]
+    verbs: ["*"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["clusterroles", "clusterrolebindings"]
+    verbs: ["*"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["*"]
+  - apiGroups: ["sriovnetwork.openshift.io"]
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["machineconfiguration.openshift.io"]
+    resources: ["*"]
+    verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
   name: sriov-network-config-daemon
   labels:
   {{- include "sriov-network-operator.labels" . | nindent 4 }}
-roleRef:
-  kind: ClusterRole
-  name: sriov-network-config-daemon
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    namespace: {{ .Release.Namespace }}
-    name: sriov-network-config-daemon
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["pods/eviction"]
+    verbs: ["create"]

deployment/sriov-network-operator/templates/clusterrolebinding.yaml

@@ -1,54 +1,29 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "sriov-network-operator.fullname" . }}
   labels:
   {{- include "sriov-network-operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch", "patch", "update"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["*"]
-  - apiGroups: ["apps"]
-    resources: ["daemonsets"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: [namespaces, serviceaccounts]
-    verbs: ["*"]
-  - apiGroups: ["k8s.cni.cncf.io"]
-    resources: ["network-attachment-definitions"]
-    verbs: ["*"]
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: [clusterroles, clusterrolebindings]
-    verbs: ["*"]
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
-    verbs: ["*"]
-  - apiGroups: ["sriovnetwork.openshift.io"]
-    resources: ["*"]
-    verbs: ["*"]
-  - apiGroups: ["machineconfiguration.openshift.io"]
-    resources: ["*"]
-    verbs: ["*"]
+roleRef:
+  kind: ClusterRole
+  name: {{ include "sriov-network-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "sriov-network-operator.fullname" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: ClusterRoleBinding
 metadata:
   name: sriov-network-config-daemon
   labels:
   {{- include "sriov-network-operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch", "patch", "update"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["*"]
-  - apiGroups: ["apps"]
-    resources: ["daemonsets"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["pods/eviction"]
-    verbs: ["create"]
+roleRef:
+  kind: ClusterRole
+  name: sriov-network-config-daemon
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: sriov-network-config-daemon