openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
e13e4fe9ce93afb1b463bb690a4e935cecd1825d
openshift-docs/modules/kmm-example-module-cr.adoc
StephenJamesSmith 67a9e2e2cc TELCODOCS-2022: Worker: pull images via cri-o
2024-11-27 17:53:35 +00:00

104 lines
4.4 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * hardware_enablement/kmm-kernel-module-management.adoc
:_mod-docs-content-type: REFERENCE
[id="kmm-example-cr_{context}"]
= Example Module CR
The following is an annotated `Module` example:
[source,yaml]
----
apiVersion: kmm.sigs.x-k8s.io/v1beta1
kind: Module
metadata:
name: <my_kmod>
spec:
moduleLoader:
container:
modprobe:
moduleName: <my_kmod> <1>
dirName: /opt <2>
firmwarePath: /firmware <3>
parameters: <4>
- param=1
kernelMappings: <5>
- literal: 6.0.15-300.fc37.x86_64
containerImage: some.registry/org/my-kmod:6.0.15-300.fc37.x86_64
- regexp: '^.+\fc37\.x86_64$' <6>
containerImage: "some.other.registry/org/<my_kmod>:${KERNEL_FULL_VERSION}"
- regexp: '^.+$' <7>
containerImage: "some.registry/org/<my_kmod>:${KERNEL_FULL_VERSION}" <8>
build:
buildArgs: <9>
- name: ARG_NAME
value: <some_value>
secrets:
- name: <some_kubernetes_secret> <10>
baseImageRegistryTLS: <11>
insecure: false
insecureSkipTLSVerify: false <12>
dockerfileConfigMap: <13>
name: <my_kmod_dockerfile>
sign:
certSecret:
name: <cert_secret> <14>
keySecret:
name: <key_secret> <15>
filesToSign:
- /opt/lib/modules/${KERNEL_FULL_VERSION}/<my_kmod>.ko
registryTLS: <16>
insecure: false <17>
insecureSkipTLSVerify: false
serviceAccountName: <sa_module_loader> <18>
devicePlugin: <19>
container:
image: some.registry/org/device-plugin:latest <20>
env:
- name: MY_DEVICE_PLUGIN_ENV_VAR
value: SOME_VALUE
volumeMounts: <21>
- mountPath: /some/mountPath
name: <device_plugin_volume>
volumes: <22>
- name: <device_plugin_volume>
configMap:
name: <some_configmap>
serviceAccountName: <sa_device_plugin> <23>
imageRepoSecret: <24>
name: <secret_name>
selector:
node-role.kubernetes.io/worker: ""
----
<1> Required.
<2> Optional.
<3> Optional: Copies the contents of this path into the path specified in `worker.setFirmwareClassPath` (which is preset to `/var/lib/firmware`) of the `kmm-operator-manager-config` config map. This action occurs before `modprobe` is called to insert the kernel module.
<4> Optional.
<5> At least one kernel item is required.
<6> For each node running a kernel matching the regular expression, KMM checks if you have included a tag or a digest. If you have not specified a tag or digest in the container image, then the validation webhook returns an error and does not apply the module.
<7> For any other kernel, build the image using the Dockerfile in the `my-kmod` ConfigMap.
<8> The container image that holds the customer's kmods. This container should contain the `cp` binary.
<9> Optional.
<10> Optional: A value for `some-kubernetes-secret` can be obtained from the build environment at `/run/secrets/some-kubernetes-secret`.
<11> This field has no effect. When building kmod images or signing kmods within a kmod image,
you might sometimes need to pull base images from a registry that serves a certificate signed by an
untrusted Certificate Authority (CA). In order for KMM to trust that CA, it must also trust the new CA
by replacing the cluster's CA bundle.
+
See "Additional resources" to learn how to replace the cluster's CA bundle.
<12> Optional: Avoid using this parameter. If set to `true`, the build skips any TLS server certificate validation when pulling the image in the Dockerfile `FROM` instruction using plain HTTP.
<13> Required.
<14> Required: A secret holding the public secureboot key with the key 'cert'.
<15> Required: A secret holding the private secureboot key with the key 'key'.
<16> Optional: Avoid using this parameter. If set to `true`, KMM is allowed to check if the container image already exists using plain HTTP.
<17> Optional: Avoid using this parameter. If set to `true`, KMM skips any TLS server certificate validation when checking if the container image already exists.
<18> Optional.
<19> Optional.
<20> Required: If the device plugin section is present.
<21> Optional.
<22> Optional.
<23> Optional.
<24> Optional: Used to pull module loader and device plugin images.
View Git Blame Copy Permalink