From ae3fb45814528d30b34a93d9dcdf92a791f0e663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 13 Nov 2025 11:52:53 +0100 Subject: [PATCH] kata-deploy: Introduce structured configuration format for shims MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit introduces a new structured configuration format for configuring Kata Containers shims in the Helm chart. The new format provides: - Per-shim configuration with enabled/supportedArches - Per-shim snapshotter, guest pull, and agent proxy settings - Architecture-aware default shim configuration - Root-level debug and snapshotter setup configuration All shims are disabled by default and must be explicitly enabled. This provides better type safety and clearer organization compared to the legacy env.* string-based format. The templates are updated to use the new structure exclusively. Backward compatibility will be added in a follow-up commit. Signed-off-by: Fabiano FidĂȘncio --- .../kata-deploy/templates/_helpers.tpl | 206 ++++++++++++++ .../kata-deploy/templates/kata-deploy.yaml | 149 +++++++--- .../templates/post-delete-job.yaml | 151 +++++++--- .../kata-deploy/templates/runtimeclasses.yaml | 18 +- .../helm-chart/kata-deploy/values.yaml | 261 ++++++++++++++++-- 5 files changed, 681 insertions(+), 104 deletions(-) diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl index e0263f2882..4d9a646a48 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl 
@@ -56,3 +56,209 @@ Returns the namespace where node-feature-discovery is found, or empty string if {{- $foundNamespace -}} {{- end -}} +{{/* +Get enabled shims for a specific architecture from structured config +*/}} +{{- define "kata-deploy.getEnabledShimsForArch" -}} +{{- $arch := .arch -}} +{{- $enabledShims := list -}} +{{- range $shimName, $shimConfig := .root.Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $archSupported := false -}} +{{- range $shimConfig.supportedArches -}} +{{- if eq . $arch -}} +{{- $archSupported = true -}} +{{- end -}} +{{- end -}} +{{- if $archSupported -}} +{{- $enabledShims = append $enabledShims $shimName -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- join " " $enabledShims -}} +{{- end -}} + +{{/* +Get default shim for a specific architecture from structured config +*/}} +{{- define "kata-deploy.getDefaultShimForArch" -}} +{{- $arch := .arch -}} +{{- index .root.Values.defaultShim $arch -}} +{{- end -}} + +{{/* +Get snapshotter handler mapping for a specific architecture from structured config +Format: shim1:snapshotter1,shim2:snapshotter2 +*/}} +{{- define "kata-deploy.getSnapshotterHandlerMappingForArch" -}} +{{- $arch := .arch -}} +{{- $mappings := list -}} +{{- range $shimName, $shimConfig := .root.Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $archSupported := false -}} +{{- range $shimConfig.supportedArches -}} +{{- if eq . 
$arch -}} +{{- $archSupported = true -}} +{{- end -}} +{{- end -}} +{{- if $archSupported -}} +{{- if $shimConfig.containerd -}} +{{- $snapshotter := $shimConfig.containerd.snapshotter -}} +{{- if $snapshotter -}} +{{- $mappings = append $mappings (printf "%s:%s" $shimName $snapshotter) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- join "," $mappings -}} +{{- end -}} + +{{/* +Get pull type mapping for a specific architecture from structured config +Format: shim1:pullType1,shim2:pullType2 +*/}} +{{- define "kata-deploy.getPullTypeMappingForArch" -}} +{{- $arch := .arch -}} +{{- $mappings := list -}} +{{- range $shimName, $shimConfig := .root.Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $archSupported := false -}} +{{- range $shimConfig.supportedArches -}} +{{- if eq . $arch -}} +{{- $archSupported = true -}} +{{- end -}} +{{- end -}} +{{- if $archSupported -}} +{{- $forceGuestPull := false -}} +{{- if and $shimConfig.containerd $shimConfig.containerd.forceGuestPull -}} +{{- $forceGuestPull = $shimConfig.containerd.forceGuestPull -}} +{{- end -}} +{{- if and $shimConfig.crio $shimConfig.crio.guestPull -}} +{{- $forceGuestPull = $shimConfig.crio.guestPull -}} +{{- end -}} +{{- if $forceGuestPull -}} +{{- $mappings = append $mappings (printf "%s:guest-pull" $shimName) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- join "," $mappings -}} +{{- end -}} + +{{/* +Get allowed hypervisor annotations for a specific architecture from structured config +*/}} +{{- define "kata-deploy.getAllowedHypervisorAnnotationsForArch" -}} +{{- $arch := .arch -}} +{{- /* Use new structured config - output per-shim format */ -}} +{{- /* Output format: "shim:annotation1,annotation2" (space-separated entries, each with shim:annotations where annotations are comma-separated) */ -}} +{{- $perShimAnnotations := list -}} +{{- range $shimName, $shimConfig := .root.Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $archSupported := false -}} +{{- 
range $shimConfig.supportedArches -}} +{{- if eq . $arch -}} +{{- $archSupported = true -}} +{{- end -}} +{{- end -}} +{{- if $archSupported -}} +{{- $shimAnnotations := list -}} +{{- range $annotation := $shimConfig.allowedHypervisorAnnotations -}} +{{- $shimAnnotations = append $shimAnnotations $annotation -}} +{{- end -}} +{{- if gt (len $shimAnnotations) 0 -}} +{{- $annotationsComma := join "," $shimAnnotations -}} +{{- $perShimEntry := printf "%s:%s" $shimName $annotationsComma -}} +{{- $perShimAnnotations = append $perShimAnnotations $perShimEntry -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- join " " $perShimAnnotations -}} +{{- end -}} + +{{/* +Get agent HTTPS proxy from structured config +Builds per-shim semicolon-separated list: "shim1=value1;shim2=value2" +Supports backward compatibility with old env.agentHttpsProxy value +*/}} +{{- define "kata-deploy.getAgentHttpsProxy" -}} +{{- /* Check for legacy env value first */ -}} +{{- if .Values.env.agentHttpsProxy -}} +{{- .Values.env.agentHttpsProxy -}} +{{- else -}} +{{- /* Use new structured config: build per-shim semicolon-separated list */ -}} +{{- $proxies := list -}} +{{- range $shimName, $shimConfig := .Values.shims -}} + {{- if and $shimConfig.enabled $shimConfig.agent $shimConfig.agent.httpsProxy -}} + {{- $entry := printf "%s=%s" $shimName $shimConfig.agent.httpsProxy -}} + {{- $proxies = append $proxies $entry -}} + {{- end -}} +{{- end -}} +{{- join ";" $proxies -}} +{{- end -}} + +{{/* +Get agent NO_PROXY from structured config +Returns the first non-empty noProxy found in enabled shims +*/}} +{{- define "kata-deploy.getAgentNoProxy" -}} +{{- /* Check for legacy env value first */ -}} +{{- if .Values.env.agentNoProxy -}} +{{- .Values.env.agentNoProxy -}} +{{- else -}} +{{- /* Use new structured config: build per-shim semicolon-separated list */ -}} +{{- $proxies := list -}} +{{- range $shimName, $shimConfig := .Values.shims -}} + {{- if and $shimConfig.enabled $shimConfig.agent 
$shimConfig.agent.noProxy -}} + {{- $entry := printf "%s=%s" $shimName $shimConfig.agent.noProxy -}} + {{- $proxies = append $proxies $entry -}} + {{- end -}} +{{- end -}} +{{- join ";" $proxies -}} +{{- end -}} + +{{/* +Get snapshotter setup list from structured config +*/}} +{{- define "kata-deploy.getSnapshotterSetup" -}} +{{- join "," .Values.snapshotter.setup -}} +{{- end -}} + +{{/* +Get debug value from structured config +*/}} +{{- define "kata-deploy.getDebug" -}} +{{- if .Values.debug -}} +{{- "true" -}} +{{- else -}} +{{- "false" -}} +{{- end -}} +{{- end -}} + +{{/* +Get EXPERIMENTAL_FORCE_GUEST_PULL for a specific architecture from structured config +*/}} +{{- define "kata-deploy.getForceGuestPullForArch" -}} +{{- $arch := .arch -}} +{{- /* Return comma-separated list of shim names that have forceGuestPull enabled */ -}} +{{- /* Note: EXPERIMENTAL_FORCE_GUEST_PULL only checks containerd.forceGuestPull, not crio.guestPull */ -}} +{{- $shimNames := list -}} +{{- range $shimName, $shimConfig := .root.Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $archSupported := false -}} +{{- range $shimConfig.supportedArches -}} +{{- if eq . $arch -}} +{{- $archSupported = true -}} +{{- end -}} +{{- end -}} +{{- if $archSupported -}} +{{- if and $shimConfig.containerd $shimConfig.containerd.forceGuestPull -}} +{{- $shimNames = append $shimNames $shimName -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- join "," $shimNames -}} +{{- end -}} + diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml index 6c89134008..30342972b8 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml 
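Review bot: As this hunk reads, three of the new helpers are one `{{- end -}}` short. In `kata-deploy.getAllowedHypervisorAnnotationsForArch` the outer `range` over `.root.Values.shims` is still open when `join " " $perShimAnnotations` runs, so the final `{{- end -}}` closes the loop rather than the `define`; in `kata-deploy.getAgentHttpsProxy` and `kata-deploy.getAgentNoProxy` the final `{{- end -}}` closes the `if`/`else` on the legacy `env` value. The following `define` then starts inside an open one, which I would expect the template parser to reject, so the chart would not render. Add `{{- end -}}` before the `join` in the annotations helper and after the last `{{- end -}}` in the two proxy helpers. The doc comment on `kata-deploy.getAgentNoProxy` should also say that it builds the `shim1=value1;shim2=value2` list, not that it returns the first non-empty value.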
@@ -136,73 +136,150 @@ spec: fieldRef: fieldPath: spec.nodeName - name: DEBUG - value: {{ .Values.env.debug | quote }} - - name: SHIMS - value: {{ .Values.env.shims | quote }} + value: {{ include "kata-deploy.getDebug" . | quote }} + {{- $shimsAmd64 := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $shimsAmd64 }} - name: SHIMS_X86_64 - value: {{ .Values.env.shims_x86_64 | quote }} + value: {{ $shimsAmd64 | quote }} + {{- end }} + {{- $shimsArm64 := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $shimsArm64 }} - name: SHIMS_AARCH64 - value: {{ .Values.env.shims_aarch64 | quote }} + value: {{ $shimsArm64 | quote }} + {{- end }} + {{- $shimsS390x := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $shimsS390x }} - name: SHIMS_S390X - value: {{ .Values.env.shims_s390x | quote }} + value: {{ $shimsS390x | quote }} + {{- end }} + {{- $shimsPpc64le := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $shimsPpc64le }} - name: SHIMS_PPC64LE - value: {{ .Values.env.shims_ppc64le | quote }} - - name: DEFAULT_SHIM - value: {{ .Values.env.defaultShim | quote }} + value: {{ $shimsPpc64le | quote }} + {{- end }} + {{- $defaultShimAmd64 := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $defaultShimAmd64 }} - name: DEFAULT_SHIM_X86_64 - value: {{ .Values.env.defaultShim_x86_64 | quote }} + value: {{ $defaultShimAmd64 | quote }} + {{- end }} + {{- $defaultShimArm64 := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $defaultShimArm64 }} - name: DEFAULT_SHIM_AARCH64 - value: {{ .Values.env.defaultShim_aarch64 | quote }} + value: {{ $defaultShimArm64 | quote }} + {{- end }} + {{- $defaultShimS390x := include "kata-deploy.getDefaultShimForArch" (dict "root" . 
"arch" "s390x") | trim -}} + {{- if $defaultShimS390x }} - name: DEFAULT_SHIM_S390X - value: {{ .Values.env.defaultShim_s390x | quote }} + value: {{ $defaultShimS390x | quote }} + {{- end }} + {{- $defaultShimPpc64le := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $defaultShimPpc64le }} - name: DEFAULT_SHIM_PPC64LE - value: {{ .Values.env.defaultShim_ppc64le | quote }} + value: {{ $defaultShimPpc64le | quote }} + {{- end }} - name: CREATE_RUNTIMECLASSES value: {{ .Values.env.createRuntimeClasses | quote }} - name: CREATE_DEFAULT_RUNTIMECLASS value: {{ .Values.env.createDefaultRuntimeClass | quote }} - - name: ALLOWED_HYPERVISOR_ANNOTATIONS - value: {{ .Values.env.allowedHypervisorAnnotations | quote }} - - name: SNAPSHOTTER_HANDLER_MAPPING - value: {{ .Values.env.snapshotterHandlerMapping | quote }} + {{- $allowedHypervisorAnnotationsAmd64 := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $allowedHypervisorAnnotationsAmd64 }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_X86_64 + value: {{ $allowedHypervisorAnnotationsAmd64 | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsArm64 := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $allowedHypervisorAnnotationsArm64 }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_AARCH64 + value: {{ $allowedHypervisorAnnotationsArm64 | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsS390x := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $allowedHypervisorAnnotationsS390x }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_S390X + value: {{ $allowedHypervisorAnnotationsS390x | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsPpc64le := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . 
"arch" "ppc64le") | trim -}} + {{- if $allowedHypervisorAnnotationsPpc64le }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_PPC64LE + value: {{ $allowedHypervisorAnnotationsPpc64le | quote }} + {{- end }} + {{- $snapshotterHandlerMappingAmd64 := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $snapshotterHandlerMappingAmd64 }} - name: SNAPSHOTTER_HANDLER_MAPPING_X86_64 - value: {{ .Values.env.snapshotterHandlerMapping_x86_64 | quote }} + value: {{ $snapshotterHandlerMappingAmd64 | quote }} + {{- end }} + {{- $snapshotterHandlerMappingArm64 := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $snapshotterHandlerMappingArm64 }} - name: SNAPSHOTTER_HANDLER_MAPPING_AARCH64 - value: {{ .Values.env.snapshotterHandlerMapping_aarch64 | quote }} + value: {{ $snapshotterHandlerMappingArm64 | quote }} + {{- end }} + {{- $snapshotterHandlerMappingS390x := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $snapshotterHandlerMappingS390x }} - name: SNAPSHOTTER_HANDLER_MAPPING_S390X - value: {{ .Values.env.snapshotterHandlerMapping_s390x | quote }} + value: {{ $snapshotterHandlerMappingS390x | quote }} + {{- end }} + {{- $snapshotterHandlerMappingPpc64le := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $snapshotterHandlerMappingPpc64le }} - name: SNAPSHOTTER_HANDLER_MAPPING_PPC64LE - value: {{ .Values.env.snapshotterHandlerMapping_ppc64le | quote }} + value: {{ $snapshotterHandlerMappingPpc64le | quote }} + {{- end }} + {{- $agentHttpsProxy := include "kata-deploy.getAgentHttpsProxy" . | trim -}} + {{- if $agentHttpsProxy }} - name: AGENT_HTTPS_PROXY - value: {{ .Values.env.agentHttpsProxy | quote }} + value: {{ $agentHttpsProxy | quote }} + {{- end }} + {{- $agentNoProxy := include "kata-deploy.getAgentNoProxy" . 
| trim -}} + {{- if $agentNoProxy }} - name: AGENT_NO_PROXY - value: {{ .Values.env.agentNoProxy | quote }} - - name: PULL_TYPE_MAPPING - value: {{ .Values.env.pullTypeMapping | quote }} + value: {{ $agentNoProxy | quote }} + {{- end }} + {{- $pullTypeMappingAmd64 := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $pullTypeMappingAmd64 }} - name: PULL_TYPE_MAPPING_X86_64 - value: {{ .Values.env.pullTypeMapping_x86_64 | quote }} + value: {{ $pullTypeMappingAmd64 | quote }} + {{- end }} + {{- $pullTypeMappingArm64 := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $pullTypeMappingArm64 }} - name: PULL_TYPE_MAPPING_AARCH64 - value: {{ .Values.env.pullTypeMapping_aarch64 | quote }} + value: {{ $pullTypeMappingArm64 | quote }} + {{- end }} + {{- $pullTypeMappingS390x := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $pullTypeMappingS390x }} - name: PULL_TYPE_MAPPING_S390X - value: {{ .Values.env.pullTypeMapping_s390x | quote }} + value: {{ $pullTypeMappingS390x | quote }} + {{- end }} + {{- $pullTypeMappingPpc64le := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $pullTypeMappingPpc64le }} - name: PULL_TYPE_MAPPING_PPC64LE - value: {{ .Values.env.pullTypeMapping_ppc64le | quote }} + value: {{ $pullTypeMappingPpc64le | quote }} + {{- end }} - name: INSTALLATION_PREFIX value: {{ .Values.env.installationPrefix | quote }} - name: MULTI_INSTALL_SUFFIX value: {{ .Values.env.multiInstallSuffix | quote }} + {{- $snapshotterSetup := include "kata-deploy.getSnapshotterSetup" . 
| trim -}} + {{- if $snapshotterSetup }} - name: EXPERIMENTAL_SETUP_SNAPSHOTTER - value: {{ .Values.env._experimentalSetupSnapshotter | quote }} - - name: EXPERIMENTAL_FORCE_GUEST_PULL - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: {{ $snapshotterSetup | quote }} + {{- end }} + {{- $forceGuestPullAmd64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if eq $forceGuestPullAmd64 "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_X86_64 - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullArm64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if eq $forceGuestPullArm64 "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_AARCH64 - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullS390x := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if eq $forceGuestPullS390x "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_S390X - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullPpc64le := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if eq $forceGuestPullPpc64le "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_PPC64LE - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: "true" + {{- end }} {{- with .Values.env.hostOS }} - name: HOST_OS value: {{ . | quote }} diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/post-delete-job.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/post-delete-job.yaml index 131100cc97..13ee9575c1 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/post-delete-job.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/post-delete-job.yaml 
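Review bot: The four `EXPERIMENTAL_FORCE_GUEST_PULL_*` entries can never be emitted, because `kata-deploy.getForceGuestPullForArch` returns a comma-separated list of shim names (per its own comment in `_helpers.tpl`) while each guard here is `{{- if eq $forceGuestPullAmd64 "true" }}`. A shim that sets `containerd.forceGuestPull: true`, such as `qemu-nvidia-gpu-snp` in `values.yaml`, would therefore deploy without the variable and without any error; for a confidential-computing shim that presumably means images are no longer forced to be pulled inside the guest, which is a silent weakening of the intended isolation. Guard on a non-empty result and pass the list through, `{{- if $forceGuestPullAmd64 }}` with `value: {{ $forceGuestPullAmd64 | quote }}`, assuming the deploy script takes the shim list the helper comment describes. The same comparison is repeated in the second post-delete-job.yaml hunk, and the `env:` list itself starts and ends outside this hunk.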
@@ -102,7 +102,7 @@ spec: containers: - name: kube-kata-cleanup image: {{ .Values.image.reference }}:{{ default .Chart.AppVersion .Values.image.tag }} - imagePullPolicy: IfNotPresent + imagePullPolicy: {{ .Values.imagePullPolicy }} command: ["bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh cleanup"] env: - name: NODE_NAME 
@@ -110,75 +110,152 @@ spec: fieldRef: fieldPath: spec.nodeName - name: DEBUG - value: {{ .Values.env.debug | quote }} - - name: SHIMS - value: {{ .Values.env.shims | quote }} + value: {{ include "kata-deploy.getDebug" . | quote }} + {{- $shimsAmd64 := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $shimsAmd64 }} - name: SHIMS_X86_64 - value: {{ .Values.env.shims_x86_64 | quote }} + value: {{ $shimsAmd64 | quote }} + {{- end }} + {{- $shimsArm64 := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $shimsArm64 }} - name: SHIMS_AARCH64 - value: {{ .Values.env.shims_aarch64 | quote }} + value: {{ $shimsArm64 | quote }} + {{- end }} + {{- $shimsS390x := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $shimsS390x }} - name: SHIMS_S390X - value: {{ .Values.env.shims_s390x | quote }} + value: {{ $shimsS390x | quote }} + {{- end }} + {{- $shimsPpc64le := include "kata-deploy.getEnabledShimsForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $shimsPpc64le }} - name: SHIMS_PPC64LE - value: {{ .Values.env.shims_ppc64le | quote }} - - name: DEFAULT_SHIM - value: {{ .Values.env.defaultShim | quote }} + value: {{ $shimsPpc64le | quote }} + {{- end }} + {{- $defaultShimAmd64 := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $defaultShimAmd64 }} - name: DEFAULT_SHIM_X86_64 - value: {{ .Values.env.defaultShim_x86_64 | quote }} + value: {{ $defaultShimAmd64 | quote }} + {{- end }} + {{- $defaultShimArm64 := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $defaultShimArm64 }} - name: DEFAULT_SHIM_AARCH64 - value: {{ .Values.env.defaultShim_aarch64 | quote }} + value: {{ $defaultShimArm64 | quote }} + {{- end }} + {{- $defaultShimS390x := include "kata-deploy.getDefaultShimForArch" (dict "root" . 
"arch" "s390x") | trim -}} + {{- if $defaultShimS390x }} - name: DEFAULT_SHIM_S390X - value: {{ .Values.env.defaultShim_s390x | quote }} + value: {{ $defaultShimS390x | quote }} + {{- end }} + {{- $defaultShimPpc64le := include "kata-deploy.getDefaultShimForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $defaultShimPpc64le }} - name: DEFAULT_SHIM_PPC64LE - value: {{ .Values.env.defaultShim_ppc64le | quote }} + value: {{ $defaultShimPpc64le | quote }} + {{- end }} - name: CREATE_RUNTIMECLASSES value: {{ .Values.env.createRuntimeClasses | quote }} - name: CREATE_DEFAULT_RUNTIMECLASS value: {{ .Values.env.createDefaultRuntimeClass | quote }} - - name: ALLOWED_HYPERVISOR_ANNOTATIONS - value: {{ .Values.env.allowedHypervisorAnnotations | quote }} - - name: SNAPSHOTTER_HANDLER_MAPPING - value: {{ .Values.env.snapshotterHandlerMapping | quote }} + {{- $allowedHypervisorAnnotationsAmd64 := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $allowedHypervisorAnnotationsAmd64 }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_X86_64 + value: {{ $allowedHypervisorAnnotationsAmd64 | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsArm64 := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $allowedHypervisorAnnotationsArm64 }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_AARCH64 + value: {{ $allowedHypervisorAnnotationsArm64 | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsS390x := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $allowedHypervisorAnnotationsS390x }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_S390X + value: {{ $allowedHypervisorAnnotationsS390x | quote }} + {{- end }} + {{- $allowedHypervisorAnnotationsPpc64le := include "kata-deploy.getAllowedHypervisorAnnotationsForArch" (dict "root" . 
"arch" "ppc64le") | trim -}} + {{- if $allowedHypervisorAnnotationsPpc64le }} + - name: ALLOWED_HYPERVISOR_ANNOTATIONS_PPC64LE + value: {{ $allowedHypervisorAnnotationsPpc64le | quote }} + {{- end }} + {{- $snapshotterHandlerMappingAmd64 := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $snapshotterHandlerMappingAmd64 }} - name: SNAPSHOTTER_HANDLER_MAPPING_X86_64 - value: {{ .Values.env.snapshotterHandlerMapping_x86_64 | quote }} + value: {{ $snapshotterHandlerMappingAmd64 | quote }} + {{- end }} + {{- $snapshotterHandlerMappingArm64 := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $snapshotterHandlerMappingArm64 }} - name: SNAPSHOTTER_HANDLER_MAPPING_AARCH64 - value: {{ .Values.env.snapshotterHandlerMapping_aarch64 | quote }} + value: {{ $snapshotterHandlerMappingArm64 | quote }} + {{- end }} + {{- $snapshotterHandlerMappingS390x := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $snapshotterHandlerMappingS390x }} - name: SNAPSHOTTER_HANDLER_MAPPING_S390X - value: {{ .Values.env.snapshotterHandlerMapping_s390x | quote }} + value: {{ $snapshotterHandlerMappingS390x | quote }} + {{- end }} + {{- $snapshotterHandlerMappingPpc64le := include "kata-deploy.getSnapshotterHandlerMappingForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $snapshotterHandlerMappingPpc64le }} - name: SNAPSHOTTER_HANDLER_MAPPING_PPC64LE - value: {{ .Values.env.snapshotterHandlerMapping_ppc64le | quote }} + value: {{ $snapshotterHandlerMappingPpc64le | quote }} + {{- end }} + {{- $agentHttpsProxy := include "kata-deploy.getAgentHttpsProxy" . | trim -}} + {{- if $agentHttpsProxy }} - name: AGENT_HTTPS_PROXY - value: {{ .Values.env.agentHttpsProxy | quote }} + value: {{ $agentHttpsProxy | quote }} + {{- end }} + {{- $agentNoProxy := include "kata-deploy.getAgentNoProxy" . 
| trim -}} + {{- if $agentNoProxy }} - name: AGENT_NO_PROXY - value: {{ .Values.env.agentNoProxy | quote }} - - name: PULL_TYPE_MAPPING - value: {{ .Values.env.pullTypeMapping | quote }} + value: {{ $agentNoProxy | quote }} + {{- end }} + {{- $pullTypeMappingAmd64 := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if $pullTypeMappingAmd64 }} - name: PULL_TYPE_MAPPING_X86_64 - value: {{ .Values.env.pullTypeMapping_x86_64 | quote }} + value: {{ $pullTypeMappingAmd64 | quote }} + {{- end }} + {{- $pullTypeMappingArm64 := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if $pullTypeMappingArm64 }} - name: PULL_TYPE_MAPPING_AARCH64 - value: {{ .Values.env.pullTypeMapping_aarch64 | quote }} + value: {{ $pullTypeMappingArm64 | quote }} + {{- end }} + {{- $pullTypeMappingS390x := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if $pullTypeMappingS390x }} - name: PULL_TYPE_MAPPING_S390X - value: {{ .Values.env.pullTypeMapping_s390x | quote }} + value: {{ $pullTypeMappingS390x | quote }} + {{- end }} + {{- $pullTypeMappingPpc64le := include "kata-deploy.getPullTypeMappingForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if $pullTypeMappingPpc64le }} - name: PULL_TYPE_MAPPING_PPC64LE - value: {{ .Values.env.pullTypeMapping_ppc64le | quote }} + value: {{ $pullTypeMappingPpc64le | quote }} + {{- end }} - name: HELM_POST_DELETE_HOOK value: "true" - name: INSTALLATION_PREFIX value: {{ .Values.env.installationPrefix | quote }} - name: MULTI_INSTALL_SUFFIX value: {{ .Values.env.multiInstallSuffix | quote }} + {{- $snapshotterSetup := include "kata-deploy.getSnapshotterSetup" . 
| trim -}} + {{- if $snapshotterSetup }} - name: EXPERIMENTAL_SETUP_SNAPSHOTTER - value: {{ .Values.env._experimentalSetupSnapshotter | quote }} - - name: EXPERIMENTAL_FORCE_GUEST_PULL - value: {{ .Values.env._experimentalForceGuestPull | quote }} + value: {{ $snapshotterSetup | quote }} + {{- end }} + {{- $forceGuestPullAmd64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "amd64") | trim -}} + {{- if eq $forceGuestPullAmd64 "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_X86_64 - value: {{ .Values.env._experimentalForceGuestPull_x86_64 | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullArm64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "arm64") | trim -}} + {{- if eq $forceGuestPullArm64 "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_AARCH64 - value: {{ .Values.env._experimentalForceGuestPull_aarch64 | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullS390x := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "s390x") | trim -}} + {{- if eq $forceGuestPullS390x "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_S390X - value: {{ .Values.env._experimentalForceGuestPull_s390x | quote }} + value: "true" + {{- end }} + {{- $forceGuestPullPpc64le := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "ppc64le") | trim -}} + {{- if eq $forceGuestPullPpc64le "true" }} - name: EXPERIMENTAL_FORCE_GUEST_PULL_PPC64LE - value: {{ .Values.env._experimentalForceGuestPull_ppc64le | quote }} + value: "true" + {{- end }} {{- with .Values.env.hostOS }} - name: HOST_OS value: {{ . | quote }} diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml index e50abf4c7f..5b00ac5b9d 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml 
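Review bot: The env entries added in this hunk are a line-for-line copy of the ones added to `kata-deploy.yaml` (only `HELM_POST_DELETE_HOOK` differs), so the install DaemonSet and the cleanup Job will drift the next time one of them is edited. The removed lines show that this had already happened once: the two files set `EXPERIMENTAL_FORCE_GUEST_PULL_*` from different values. Since the commit already adds helpers to `_helpers.tpl`, consider moving the shared entries into one named template there (for instance `kata-deploy.shimEnv`, name is only a suggestion) and rendering it from both files with `include` plus `nindent` at the depth of the `env:` list. A short comment above the block saying that cleanup must see the same shim set as install would also help the next reader.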
@@ -1,11 +1,15 @@ {{- if .Values.runtimeClasses.enabled }} {{- $multiInstallSuffix := .Values.env.multiInstallSuffix }} -{{- $defaultShim := .Values.env.defaultShim }} {{- $createDefaultRC := .Values.runtimeClasses.createDefault }} {{- $defaultRCName := .Values.runtimeClasses.defaultName }} -{{- /* Parse the shims string into a list */ -}} -{{- $shims := splitList " " .Values.env.shims }} +{{- /* Get enabled shims from structured config */ -}} +{{- $enabledShims := list -}} +{{- range $shimName, $shimConfig := .Values.shims -}} +{{- if $shimConfig.enabled -}} +{{- $enabledShims = append $enabledShims $shimName -}} +{{- end -}} +{{- end -}} {{- /* Define runtime class configurations with their overhead settings */ -}} {{- $runtimeClassConfigs := dict @@ -29,8 +33,8 @@ "remote" (dict "memory" "120Mi" "cpu" "250m") }} -{{- /* Create RuntimeClass for each shim */ -}} -{{- range $shim := $shims }} +{{- /* Create RuntimeClass for each enabled shim */ -}} +{{- range $shim := $enabledShims }} {{- $config := index $runtimeClassConfigs $shim }} {{- if $config }} --- @@ -59,8 +63,10 @@ scheduling: {{- /* Create default RuntimeClass if requested */ -}} {{- if and $createDefaultRC (not $multiInstallSuffix) }} +{{- /* Get default shim for amd64 (fallback) */ -}} +{{- $defaultShim := index .Values.defaultShim "amd64" | default (index .Values.defaultShim "arm64") | default (index .Values.defaultShim "s390x") | default (index .Values.defaultShim "ppc64le") }} {{- $defaultConfig := index $runtimeClassConfigs $defaultShim }} -{{- if $defaultConfig }} +{{- if and $defaultShim $defaultConfig }} --- kind: RuntimeClass apiVersion: node.k8s.io/v1 diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml index 995d5623eb..14e4ac8148 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml 
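Review bot: In the last hunk of this file the default RuntimeClass is created whenever `$defaultShim` has an entry in `$runtimeClassConfigs`, without checking that the shim is in `$enabledShims`. With every shim disabled by default, a `defaultShim` entry that names a shim the operator did not enable would still yield a cluster-wide default RuntimeClass, presumably pointing at a handler that kata-deploy never installs on the nodes. Tighten the guard to `{{- if and $defaultShim $defaultConfig (has $defaultShim $enabledShims) }}`. The comment `Get default shim for amd64 (fallback)` would also be clearer as "first non-empty per-arch default, tried in the order amd64, arm64, s390x, ppc64le", since that is what the `default` chain does for an object that is not per-architecture.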
@@ -1,10 +1,13 @@ imagePullPolicy: Always + imagePullSecrets: [] + image: reference: quay.io/kata-containers/kata-deploy tag: "" -# k8s-dist can be k8s, k3s, rke2, k0s, microk8s -k8sDistribution: "k8s" + +k8sDistribution: "k8s" # k8s, k3s, rke2, k0s, microk8s + # Node selector to control which nodes the kata-deploy daemonset runs on # Example: # nodeSelector: 
@@ -12,37 +15,252 @@ k8sDistribution: "k8s" # node-type: "worker" nodeSelector: {} -# RuntimeClass configuration -# When enabled, RuntimeClasses will be created by the Helm chart instead of by the kata-deploy script +debug: false + +snapshotter: + setup: [] # ["nydus", "erofs"] or [] + +# See MAINTENANCE.md for field descriptions and maintenance guide +# NOTE: All shims are disabled by default. Enable the ones you need explicitly. +shims: + clh: # cloud-hypervisor, golang runtime + enabled: false + supportedArches: + - amd64 + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + cloud-hypervisor: # rust runtime + enabled: false + supportedArches: + - amd64 + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + dragonball: # rust runtime + enabled: false + supportedArches: + - amd64 + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + fc: # firecracker, golang runtime + enabled: false + supportedArches: + - amd64 + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "devmapper" # requires pre-configuration on the user side + + qemu: # golang runtime + enabled: false + supportedArches: + - amd64 + - arm64 + - s390x + - ppc64le + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + qemu-runtime-rs: # rust runtime + enabled: false + supportedArches: + - amd64 + - s390x + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + qemu-nvidia-gpu: # golang runtime + enabled: false + supportedArches: + - amd64 + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + + qemu-nvidia-gpu-snp: # golang runtime + enabled: false + supportedArches: + - amd64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: "" + forceGuestPull: true + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-nvidia-gpu-tdx: # golang runtime + enabled: false + supportedArches: + - amd64 + allowedHypervisorAnnotations: [] + 
containerd: + snapshotter: "" + forceGuestPull: true + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-snp: # golang runtime + enabled: false + supportedArches: + - amd64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-tdx: # golang runtime + enabled: false + supportedArches: + - amd64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-se: # golang runtime + enabled: false + supportedArches: + - s390x + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-se-runtime-rs: # rust runtime + enabled: false + supportedArches: + - s390x + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-cca: # golang runtime + enabled: false + supportedArches: + - arm64 + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-coco-dev: # golang runtime + enabled: false + supportedArches: + - amd64 + - s390x + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + + qemu-coco-dev-runtime-rs: # rust runtime + enabled: false + supportedArches: + - amd64 + - s390x + allowedHypervisorAnnotations: [] + containerd: + snapshotter: nydus + forceGuestPull: false + crio: + guestPull: true + agent: + httpsProxy: "" + noProxy: "" + +# Default shim per architecture +# Since shims are disabled by default, you must explicitly configure defaultShim +# for the architectures you're using. 
+# Example: +# defaultShim: +# amd64: shim +defaultShim: + amd64: qemu + arm64: qemu + s390x: qemu + ppc64le: qemu + runtimeClasses: - # Enable RuntimeClass creation via Helm enabled: true - # Create a default RuntimeClass (alias for the default shim) - # NOTE: Default RuntimeClass creation is NOT supported with multiInstallSuffix. - # When multiInstallSuffix is set, this option will be ignored to avoid naming conflicts. - # In multi-install scenarios, use the fully qualified RuntimeClass names (e.g., kata-qemu-suffix1). createDefault: false - # Name for the default RuntimeClass (defaults to "kata" if not specified) defaultName: "kata" env: - debug: "false" - shims: "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-se-runtime-rs qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-cca" + installationPrefix: "" + hostOS: "" + # Suffix for multi-install deployments to avoid conflicts between multiple Kata installations + # NOTE: When set, the default RuntimeClass (runtimeClasses.createDefault) will NOT be created + # to avoid naming conflicts. Use fully qualified RuntimeClass names (e.g., kata-qemu-suffix1). 
+ multiInstallSuffix: "" + + # DEPRECATED: Use 'runtimeClasses.enabled' and 'runtimeClasses.createDefault' instead + # Will be removed in 2 releases + createRuntimeClasses: "false" + createDefaultRuntimeClass: "false" + + # DEPRECATED: Use structured 'shims' and 'defaultShim' sections above + # Will be removed in 2 releases + debug: "" + shims: "" shims_x86_64: "" shims_aarch64: "" shims_s390x: "" shims_ppc64le: "" - defaultShim: "qemu" + defaultShim: "" defaultShim_x86_64: "" defaultShim_aarch64: "" defaultShim_s390x: "" defaultShim_ppc64le: "" - # createRuntimeClasses: DEPRECATED - Use runtimeClasses.enabled instead - # When runtimeClasses.enabled is true (default), this is automatically set to "false" - # to let Helm manage RuntimeClasses instead of the kata-deploy script - createRuntimeClasses: "false" - createDefaultRuntimeClass: "false" allowedHypervisorAnnotations: "" + _experimentalSetupSnapshotter: "" snapshotterHandlerMapping: "" snapshotterHandlerMapping_x86_64: "" snapshotterHandlerMapping_aarch64: "" @@ -55,13 +273,6 @@ env: pullTypeMapping_aarch64: "" pullTypeMapping_s390x: "" pullTypeMapping_ppc64le: "" - installationPrefix: "" - hostOS: "" - # Suffix for multi-install deployments to avoid conflicts between multiple Kata installations - # NOTE: When set, the default RuntimeClass (runtimeClasses.createDefault) will NOT be created - # to avoid naming conflicts. Use fully qualified RuntimeClass names (e.g., kata-qemu-suffix1). - multiInstallSuffix: "" - _experimentalSetupSnapshotter: "" _experimentalForceGuestPull: "" _experimentalForceGuestPull_x86_64: "" _experimentalForceGuestPull_aarch64: ""
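Review bot: The structured `shims` map added in the `@@ -12,37 +15,252 @@` hunk has no `stratovirt` entry, although the removed `env.shims` default listed it. A user who relied on the old default now has to define the whole entry themselves. If dropping it is intended, the description should say so; otherwise add an entry alongside the others. Conversely, `qemu-se` is new here, and the RuntimeClass loop skips any shim without an overhead entry in `$runtimeClassConfigs`, which this page does not show in full, so it is worth confirming that an entry exists. As a style point, `snapshotter: nydus` is unquoted while `""` and `"devmapper"` are quoted; `snapshotter: "nydus"` would keep the field uniform.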