openshift-docs/modules/kmm-example-module-cr.adoc

// Module included in the following assemblies:
//
// * hardware_enablement/kmm-kernel-module-management.adoc

:_content-type: REFERENCE
[id="kmm-example-cr_{context}"]

= Example Module CR

The following is an annotated `Module` example:

[source,yaml]
----
apiVersion: kmm.sigs.x-k8s.io/v1beta1
kind: Module
metadata:
  name: <my_kmod>
spec:
  moduleLoader:
    container:
      modprobe:
        moduleName: <my_kmod> <1>
        dirName: /opt <2>
        firmwarePath: /firmware <3>
        parameters:  <4>
          - param=1
      kernelMappings:  <5>
        - literal: 6.0.15-300.fc37.x86_64
          containerImage: some.registry/org/my-kmod:6.0.15-300.fc37.x86_64
        - regexp: '^.+\fc37\.x86_64$' <6>
          containerImage: "some.other.registry/org/<my_kmod>:${KERNEL_FULL_VERSION}"
        - regexp: '^.+$' <7>
          containerImage: "some.registry/org/<my_kmod>:${KERNEL_FULL_VERSION}"
          build:
            buildArgs:  <8>
              - name: ARG_NAME
                value: <some_value>
            secrets:
              - name: <some_kubernetes_secret>  <9>
            baseImageRegistryTLS: <10>
              insecure: false
              insecureSkipTLSVerify: false <11>
            dockerfileConfigMap:  <12>
              name: <my_kmod_dockerfile>
          sign:
            certSecret:
              name: <cert_secret>  <13>
            keySecret:
              name: <key_secret>  <14>
            filesToSign:
              - /opt/lib/modules/${KERNEL_FULL_VERSION}/<my_kmod>.ko
          registryTLS: <15>
            insecure: false <16>
            insecureSkipTLSVerify: false
    serviceAccountName: <sa_module_loader>  <17>
  devicePlugin:  <18>
    container:
      image: some.registry/org/device-plugin:latest  <19>
      env:
        - name: MY_DEVICE_PLUGIN_ENV_VAR
          value: SOME_VALUE
      volumeMounts:  <20>
        - mountPath: /some/mountPath
          name: <device_plugin_volume>
    volumes:  <21>
      - name: <device_plugin_volume>
        configMap:
          name: <some_configmap>
    serviceAccountName: <sa_device_plugin> <22>
  imageRepoSecret:  <23>
    name: <secret_name>
  selector:
    node-role.kubernetes.io/worker: ""
----
<1> Required.
<2> Optional.
<3> Optional: Copies `/firmware/*` into `/var/lib/firmware/` on the node.
<4> Optional.
<5> At least one kernel item is required.
<6> For each node running a kernel matching the regular expression, KMM creates a `DaemonSet` resource running the image specified in `containerImage` with `${KERNEL_FULL_VERSION}` replaced with the kernel version.
<7> For any other kernel, build the image using the Dockerfile in the `my-kmod` ConfigMap.
<8> Optional.
<9> Optional: A value for `some-kubernetes-secret` can be obtained from the build environment at `/run/secrets/some-kubernetes-secret`.
<10> Optional: Avoid using this parameter. If set to `true`, the build is allowed to pull the image in the Dockerfile `FROM` instruction using plain HTTP.
<11> Optional: Avoid using this parameter. If set to `true`, the build will skip any TLS server certificate validation when pulling the image in the Dockerfile `FROM` instruction using plain HTTP.
<12> Required.
<13> Required: A secret holding the public secureboot key with the key 'cert'.
<14> Required: A secret holding the private secureboot key with the key 'key'.
<15> Optional: Avoid using this parameter. If set to `true`, KMM will be allowed to check if the container image already exists using plain HTTP.
<16> Optional: Avoid using this parameter. If set to `true`, KMM will skip any TLS server certificate validation when checking if the container image already exists.
<17> Optional.
<18> Optional.
<19> Required: If the device plugin section is present.
<20> Optional.
<21> Optional.
<22> Optional.
<23> Optional: Used to pull module loader and device plugin images.