overrideCNIConfigWithServerConfig returned the client config unchanged
whenever overrideConf was empty, bypassing the readinessindicatorfile
key-stripping logic even when ignoreReadinessIndicator=true. This
caused STATUS and GC handlers to poll for the readiness indicator file
for up to 45 s in tests that create the server with
ignoreReadinessIndicator=true and no server-side config override.
Also remove the now-unused sets import.
Signed-off-by: Fred Rolland <frolland@nvidia.com>
Replace full ResourceSlice object cache with a flat deviceInfoCacheKey→deviceInfo
index. Populate lazily per driver using combined spec.nodeName+spec.driver field
selectors derived from pod.Spec.NodeName, reducing API response size to a single
node's slices for one driver. Device lookup becomes O(1). Add ctx propagation to
GetPodResourceMap interface.
Signed-off-by: Fred Rolland <frolland@nvidia.com>
- If every allocation result for a claim is skipped (no slice match, missing
Multus deviceID/resourceName, etc.), log a warning and continue to the next
claim instead of returning an error, so kubelet/device-plugin entries stay
usable (hybrid legacy VF + broken or irrelevant DRA claims).
- getDeviceInfo: treat missing multus deviceID on a matched device as the same
skippable sentinel as “not in slice”, avoiding a misleading final error.
- Tests: expect nil error for unmapped claims; add case preserving pre-filled
resource map entries; keep VF+GPU success with empty GPU slice.
- k8sclient: stub kubelet ResourceClient in DRA failure test; logging: Warningf.
Signed-off-by: Fred Rolland <frolland@nvidia.com>
Migrate Dynamic Resource Allocation from kubelet PodResources / v1alpha2-style usage to the stable resource.k8s.io/v1 API (Kubernetes 1.34+).
- Add pkg/draclient: fetch ResourceClaims and ResourceSlices, build pod resource map from device attributes (k8s.cni.cncf.io/deviceID, k8s.cni.cncf.io/resourceName) and ExtendedResourceClaimStatus
- Wire GetPodResourceMap into k8sclient; remove DRA path from kubeletclient
- RBAC: resourceclaims, resourceclaims/status, resourceslices (get, list) on multus ClusterRole
- Docs: DRA / NAD usage; tests for draclient and k8sclient
Co-authored-by: Sebastian Sch <sebassch@gmail.com>
Signed-off-by: Fred Rolland <frolland@nvidia.com>
Add pprof profiling endpoints to the metrics server, gated behind
a new EnablePprof config field. When enabled, standard Go pprof
handlers are registered on the metrics port under /debug/pprof/.
This also improves the metrics server setup:
- Use dedicated http.ServeMux instead of DefaultServeMux
- Move mux/handler setup outside the retry loop
- Use http.Server with ReadHeaderTimeout for resource safety
- Add graceful shutdown on context cancellation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Benjamin Pickard <bpickard@redhat.com>
STATUS and GC are plugin-level commands with no pod context per the
CNI 1.1.0 spec. The thick plugin daemon incorrectly required
CNI_CONTAINERID, CNI_NETNS, and K8S_POD_NAME/K8S_POD_NAMESPACE for
these commands, causing failures when invoked by kubelet.
Signed-off-by: Jason Kary <jkary@redhat.com>
Validate the per-node kubeconfig when a current certificate is
available and fall back to the bootstrap kubeconfig only when the
per-node config is no longer trusted.
Also rebuild the derived per-node rest.Config from the reloaded
bootstrap config so TLS settings are preserved and refreshed
consistently.
Signed-off-by: Peng Liu <pliu@redhat.com>
Listing all pods across all namespaces during bootstrap is expensive
in large clusters and unnecessary since the result is discarded.
Use the lightweight /version endpoint to validate connectivity instead.
Signed-off-by: Peng Liu <pliu@redhat.com>
When a namespace uses a primary User-Defined Network (UDN) with a
device-plugin resource (e.g. SR-IOV), OVN-Kubernetes uses the last
device in the list for the primary interface while Multus assigns
earlier devices to cluster-default/secondary interfaces. The kubelet
and checkpoint paths build the list from map iteration, so order was
non-deterministic and the "last" device could differ between callers.
Sorting ensures both Multus and OVN-K8s see the same order so the
last device is consistently the one reserved for the primary UDN.
Signed-off-by: Yun Zhou <yunz@nvidia.com>
The trivy-action@0.29.0 was trying to install Trivy v0.57.1 which
no longer exists in the GitHub releases. This was causing all PR
builds to fail on the "Image thick plugin" job. Update to v0.35.0
which properly installs the latest Trivy version.
Assisted by Claude Sonnet 4.5
Signed-off-by: Benjamin Pickard <bpickard@redhat.com>
Fix thin auto-config generation to select 00-multus.conflist for
all CNI versions >= 1.0.0 (not only exact 1.0.0)
Signed-off-by: Tim Rozet <trozet@nvidia.com>
Changes-Include:
- Add STATUS handling for delegate requests and single‑plugin
- Invoke STATUS for conf/conflist delegates via libcni
- Preserve CNI error codes/messages through daemon API and shim
- Add tests for STATUS error propagation
Signed-off-by: Tim Rozet <trozet@nvidia.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'ubuntu:22.04' because they
are ambiguous.
Use the full image docker.io/library/ubuntu:22.04
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'centos:8' because they
are ambiguous.
Use the full image quay.io/centos/centos:8
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'alpine' because they
are ambiguous.
Use a full image docker.io/library/alpine
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>