NVIDIA / gpu-operator / 16360201712

/**

# Copyright (c) NVIDIA CORPORATION.  All rights reserved.

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#     http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

**/

package controllers

import (

        "bufio"

        "context"

        "errors"

        "fmt"

        "os"

        "path"

        "regexp"

        "sort"

        "strconv"

        "strings"

        "path/filepath"

        apiconfigv1 "github.com/openshift/api/config/v1"

        apiimagev1 "github.com/openshift/api/image/v1"

        secv1 "github.com/openshift/api/security/v1"

        promv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"

        "golang.org/x/mod/semver"

        appsv1 "k8s.io/api/apps/v1"

        corev1 "k8s.io/api/core/v1"

        nodev1 "k8s.io/api/node/v1"

        nodev1beta1 "k8s.io/api/node/v1beta1"

        resourceapi "k8s.io/api/resource/v1beta1"

        apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

        apierrors "k8s.io/apimachinery/pkg/api/errors"

        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

        "k8s.io/apimachinery/pkg/runtime/schema"

        "k8s.io/apimachinery/pkg/types"

        "k8s.io/apimachinery/pkg/util/intstr"

        "sigs.k8s.io/controller-runtime/pkg/client"

        "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

        "sigs.k8s.io/yaml"

        gpuv1 "github.com/NVIDIA/gpu-operator/api/nvidia/v1"

        "github.com/NVIDIA/gpu-operator/internal/consts"

        "github.com/NVIDIA/gpu-operator/internal/utils"

)

const (

        // DefaultContainerdConfigFile indicates default config file path for containerd

        DefaultContainerdConfigFile = "/etc/containerd/config.toml"

        // DefaultContainerdSocketFile indicates default containerd socket file

        DefaultContainerdSocketFile = "/run/containerd/containerd.sock"

        // DefaultDockerConfigFile indicates default config file path for docker

        DefaultDockerConfigFile = "/etc/docker/daemon.json"

        // DefaultDockerSocketFile indicates default docker socket file

        DefaultDockerSocketFile = "/var/run/docker.sock"

        // DefaultCRIOConfigFile indicates default config file path for cri-o.

        // Note, config files in the drop-in directory, /etc/crio/crio.conf.d,

        // have a higher priority than the default /etc/crio/crio.conf file.

        DefaultCRIOConfigFile = "/etc/crio/crio.conf.d/99-nvidia.conf"

        // TrustedCAConfigMapName indicates configmap with custom user CA injected

        TrustedCAConfigMapName = "gpu-operator-trusted-ca"

        // TrustedCABundleFileName indicates custom user ca certificate filename

        TrustedCABundleFileName = "ca-bundle.crt"

        // TrustedCABundleMountDir indicates target mount directory of user ca bundle

        TrustedCABundleMountDir = "/etc/pki/ca-trust/extracted/pem"

        // TrustedCACertificate indicates injected CA certificate name

        TrustedCACertificate = "tls-ca-bundle.pem"

        // VGPULicensingConfigMountPath indicates target mount path for vGPU licensing configuration file

        VGPULicensingConfigMountPath = "/drivers/gridd.conf"

        // VGPULicensingFileName is the vGPU licensing configuration filename

        VGPULicensingFileName = "gridd.conf"

        // NLSClientTokenMountPath inidicates the target mount path for NLS client config token file (.tok)

        NLSClientTokenMountPath = "/drivers/ClientConfigToken/client_configuration_token.tok"

        // NLSClientTokenFileName is the NLS client config token filename

        NLSClientTokenFileName = "client_configuration_token.tok"

        // VGPUTopologyConfigMountPath indicates target mount path for vGPU topology daemon configuration file

        VGPUTopologyConfigMountPath = "/etc/nvidia/nvidia-topologyd.conf"

        // VGPUTopologyConfigFileName is the vGPU topology daemon configuration filename

        VGPUTopologyConfigFileName = "nvidia-topologyd.conf"

        // DefaultRuntimeClass represents "nvidia" RuntimeClass

        DefaultRuntimeClass = "nvidia"

        // DriverInstallPathVolName represents volume name for driver install path provided to toolkit

        DriverInstallPathVolName = "driver-install-path"

        // DefaultRuntimeSocketTargetDir represents target directory where runtime socket dirctory will be mounted

        DefaultRuntimeSocketTargetDir = "/runtime/sock-dir/"

        // DefaultRuntimeConfigTargetDir represents target directory where runtime socket dirctory will be mounted

        DefaultRuntimeConfigTargetDir = "/runtime/config-dir/"

        // ValidatorImageEnvName indicates env name for validator image passed

        ValidatorImageEnvName = "VALIDATOR_IMAGE"

        // ValidatorImagePullPolicyEnvName indicates env name for validator image pull policy passed

        ValidatorImagePullPolicyEnvName = "VALIDATOR_IMAGE_PULL_POLICY"

        // ValidatorImagePullSecretsEnvName indicates env name for validator image pull secrets passed

        ValidatorImagePullSecretsEnvName = "VALIDATOR_IMAGE_PULL_SECRETS"

        // ValidatorRuntimeClassEnvName indicates env name of runtime class to be applied to validator pods

        ValidatorRuntimeClassEnvName = "VALIDATOR_RUNTIME_CLASS"

        // MigStrategyEnvName indicates env name for passing MIG strategy

        MigStrategyEnvName = "MIG_STRATEGY"

        // MigPartedDefaultConfigMapName indicates name of ConfigMap containing default mig-parted config

        MigPartedDefaultConfigMapName = "default-mig-parted-config"

        // MigDefaultGPUClientsConfigMapName indicates name of ConfigMap containing default gpu-clients

        MigDefaultGPUClientsConfigMapName = "default-gpu-clients"

        // DCGMRemoteEngineEnvName indicates env name to specify remote DCGM host engine ip:port

        DCGMRemoteEngineEnvName = "DCGM_REMOTE_HOSTENGINE_INFO"

        // DCGMDefaultPort indicates default port bound to DCGM host engine

        DCGMDefaultPort = 5555

        // GPUDirectRDMAEnabledEnvName indicates if GPU direct RDMA is enabled through GPU operator

        GPUDirectRDMAEnabledEnvName = "GPU_DIRECT_RDMA_ENABLED"

        // UseHostMOFEDEnvName indicates if MOFED driver is pre-installed on the host

        UseHostMOFEDEnvName = "USE_HOST_MOFED"

        // MetricsConfigMountPath indicates mount path for custom dcgm metrics file

        MetricsConfigMountPath = "/etc/dcgm-exporter/" + MetricsConfigFileName

        // MetricsConfigFileName indicates custom dcgm metrics file name

        MetricsConfigFileName = "dcgm-metrics.csv"

        // NvidiaAnnotationHashKey indicates annotation name for last applied hash by gpu-operator

        NvidiaAnnotationHashKey = "nvidia.com/last-applied-hash"

        // NvidiaDisableRequireEnvName is the env name to disable default cuda constraints

        NvidiaDisableRequireEnvName = "NVIDIA_DISABLE_REQUIRE"

        // GDSEnabledEnvName is the env name to enable GDS support with device-plugin

        GDSEnabledEnvName = "GDS_ENABLED"

        // MOFEDEnabledEnvName is the env name to enable MOFED devices injection with device-plugin

        MOFEDEnabledEnvName = "MOFED_ENABLED"

        // ServiceMonitorCRDName is the name of the CRD defining the ServiceMonitor kind

        ServiceMonitorCRDName = "servicemonitors.monitoring.coreos.com"

        // DefaultToolkitInstallDir is the default toolkit installation directory on the host

        DefaultToolkitInstallDir = "/usr/local/nvidia"

        // ToolkitInstallDirEnvName is the name of the toolkit container env for configuring where NVIDIA Container Toolkit is installed

        ToolkitInstallDirEnvName = "ROOT"

        // VgpuDMDefaultConfigMapName indicates name of ConfigMap containing default vGPU devices configuration

        VgpuDMDefaultConfigMapName = "default-vgpu-devices-config"

        // VgpuDMDefaultConfigName indicates name of default configuration in the vGPU devices config file

        VgpuDMDefaultConfigName = "default"

        // NvidiaCtrRuntimeModeEnvName is the name of the toolkit container env for configuring the NVIDIA Container Runtime mode

        NvidiaCtrRuntimeModeEnvName = "NVIDIA_CONTAINER_RUNTIME_MODE"

        // NvidiaCtrRuntimeCDIPrefixesEnvName is the name of toolkit container env for configuring the CDI annotation prefixes

        NvidiaCtrRuntimeCDIPrefixesEnvName = "NVIDIA_CONTAINER_RUNTIME_MODES_CDI_ANNOTATION_PREFIXES"

        // CDIEnabledEnvName is the name of the envvar used to enable CDI in the operands

        CDIEnabledEnvName = "CDI_ENABLED"

        // NvidiaCTKPathEnvName is the name of the envvar specifying the path to the 'nvidia-ctk' binary

        NvidiaCTKPathEnvName = "NVIDIA_CTK_PATH"

        // NvidiaCDIHookPathEnvName is the name of the envvar specifying the path to the 'nvidia-cdi-hook' binary

        NvidiaCDIHookPathEnvName = "NVIDIA_CDI_HOOK_PATH"

        // CrioConfigModeEnvName is the name of the envvar controlling how the toolkit container updates the cri-o configuration

        CrioConfigModeEnvName = "CRIO_CONFIG_MODE"

        // DeviceListStrategyEnvName is the name of the envvar for configuring the device-list-strategy in the device-plugin

        DeviceListStrategyEnvName = "DEVICE_LIST_STRATEGY"

        // CDIAnnotationPrefixEnvName is the name of the device-plugin envvar for configuring the CDI annotation prefix

        CDIAnnotationPrefixEnvName = "CDI_ANNOTATION_PREFIX"

        // KataManagerAnnotationHashKey is the annotation indicating the hash of the kata-manager configuration

        KataManagerAnnotationHashKey = "nvidia.com/kata-manager.last-applied-hash"

        // DefaultKataArtifactsDir is the default directory to store kata artifacts on the host

        DefaultKataArtifactsDir = "/opt/nvidia-gpu-operator/artifacts/runtimeclasses/"

        // PodControllerRevisionHashLabelKey is the annotation key for pod controller revision hash value

        PodControllerRevisionHashLabelKey = "controller-revision-hash"

        // DefaultCCModeEnvName is the name of the envvar for configuring default CC mode on all compatible GPUs on the node

        DefaultCCModeEnvName = "DEFAULT_CC_MODE"

        // OpenKernelModulesEnabledEnvName is the name of the driver-container envvar for enabling open GPU kernel module support

        OpenKernelModulesEnabledEnvName = "OPEN_KERNEL_MODULES_ENABLED"

        // KernelModuleTypeEnvName is the name of the driver-container envvar to set the desired kernel module type

        KernelModuleTypeEnvName = "KERNEL_MODULE_TYPE"

        // MPSRootEnvName is the name of the envvar for configuring the MPS root

        MPSRootEnvName = "MPS_ROOT"

        // DefaultMPSRoot is the default MPS root path on the host

        DefaultMPSRoot = "/run/nvidia/mps"

        // HostRootEnvName is the name of the envvar representing the root path of the underlying host

        HostRootEnvName = "HOST_ROOT"

        // DefaultDriverInstallDir represents the default path of a driver container installation

        DefaultDriverInstallDir = "/run/nvidia/driver"

        // DriverInstallDirEnvName is the name of the envvar used by the driver-validator to represent the driver install dir

        DriverInstallDirEnvName = "DRIVER_INSTALL_DIR"

        // DriverInstallDirCtrPathEnvName is the name of the envvar used by the driver-validator to represent the path

        // of the driver install dir mounted in the container

        DriverInstallDirCtrPathEnvName = "DRIVER_INSTALL_DIR_CTR_PATH"

)

// ContainerProbe defines container probe types

type ContainerProbe string

const (

        // Startup probe

        Startup ContainerProbe = "startup"

        // Liveness probe

        Liveness ContainerProbe = "liveness"

        // Readiness probe

        Readiness ContainerProbe = "readiness"

)

// rootUID represents user 0

var rootUID = utils.Int64Ptr(0)

// RepoConfigPathMap indicates standard OS specific paths for repository configuration files

var RepoConfigPathMap = map[string]string{

        "centos": "/etc/yum.repos.d",

        "ubuntu": "/etc/apt/sources.list.d",

        "rhcos":  "/etc/yum.repos.d",

        "rhel":   "/etc/yum.repos.d",

}

// CertConfigPathMap indicates standard OS specific paths for ssl keys/certificates.

// Where Go looks for certs: https://golang.org/src/crypto/x509/root_linux.go

// Where OCP mounts proxy certs on RHCOS nodes:

// https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/authentication/ocp-certificates#proxy-certificates_ocp-certificates

var CertConfigPathMap = map[string]string{

        "centos": "/etc/pki/ca-trust/extracted/pem",

        "ubuntu": "/usr/local/share/ca-certificates",

        "rhcos":  "/etc/pki/ca-trust/extracted/pem",

        "rhel":   "/etc/pki/ca-trust/extracted/pem",

}

// MountPathToVolumeSource maps a container mount path to a VolumeSource

type MountPathToVolumeSource map[string]corev1.VolumeSource

// SubscriptionPathMap contains information on OS-specific paths

// that provide entitlements/subscription details on the host.

// These are used to enable Driver Container's access to packages controlled by

// the distro through their subscription and support program.

var SubscriptionPathMap = map[string](MountPathToVolumeSource){

        "rhel": {

                "/run/secrets/etc-pki-entitlement": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/pki/entitlement",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

                "/run/secrets/redhat.repo": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/yum.repos.d/redhat.repo",

                                Type: newHostPathType(corev1.HostPathFile),

                        },

                },

                "/run/secrets/rhsm": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/rhsm",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

        },

        "rhcos": {

                "/run/secrets/etc-pki-entitlement": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/pki/entitlement",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

                "/run/secrets/redhat.repo": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/yum.repos.d/redhat.repo",

                                Type: newHostPathType(corev1.HostPathFile),

                        },

                },

                "/run/secrets/rhsm": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/rhsm",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

        },

        "sles": {

                "/etc/zypp/credentials.d": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/zypp/credentials.d",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

                "/etc/SUSEConnect": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/SUSEConnect",

                                Type: newHostPathType(corev1.HostPathFileOrCreate),

                        },

                },

        },

        "sl-micro": {

                "/etc/zypp/credentials.d": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/zypp/credentials.d",

                                Type: newHostPathType(corev1.HostPathDirectory),

                        },

                },

                "/etc/SUSEConnect": corev1.VolumeSource{

                        HostPath: &corev1.HostPathVolumeSource{

                                Path: "/etc/SUSEConnect",

                                Type: newHostPathType(corev1.HostPathFileOrCreate),

                        },

                },

        },

}

type controlFunc []func(n ClusterPolicyController) (gpuv1.State, error)

// ServiceAccount creates ServiceAccount resource

        }

        }

}

// Role creates Role resource

        }

                }

        }

}

// RoleBinding creates RoleBinding resource

        }

                }

        }

                }

        }

}

// ClusterRole creates ClusterRole resource

        }

                }

        }

}

// ClusterRoleBinding creates ClusterRoleBinding resource

        }

                }

        }

}

// createConfigMap creates a ConfigMap resource

        }

        // avoid creating default 'mig-parted-config' ConfigMap if custom one is provided

        }

        // avoid creating default 'gpu-clients' ConfigMap if custom one is provided

        }

        // avoid creating default vGPU device manager ConfigMap if custom one provided

        }

        }

        }

}

// ConfigMaps creates ConfigMap resource(s)

        }

}

// getKernelVersionsMap returns a map of kernel versions to their corresponding OS from all GPU nodes in the cluster

                        }

                        // add mapping for "kernelVersion" --> "OS"

        }

}

        // Assuming all nodes are running the same kernel version,

        // One could easily add driver-kernel-versions for each node.

}

}

        // apply common Daemonset configuration that is applicable to all

        // transform the host-root and host-dev-char volumes if a custom host root is configured with the operator

        // apply custom Labels and Annotations to the podSpec if any

}

// applyCommonDaemonsetMetadata adds additional labels and annotations to the daemonset podSpec if there are any specified

// by the user in the podSpec

                        }

                }

        }

        }

}

// Apply common config that is applicable for all Daemonsets

        // update PriorityClass

        // set tolerations if specified

}

// apply necessary transforms if a custom host root path is configured

}