nutanix-cloud-native · dkoshkin · Oct 3, 2023 · Oct 3, 2023 · Oct 3, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -26,7 +26,13 @@ repos:
     name: apis-sync
     entry: make apis.sync
     language: system
-    files: "^(hack/third-party/|common/pkg/external/|make/apis.mk)"
+    files: "^(hack/third-party/|common/pkg/external/|make/apis.mk$)"
+    pass_filenames: false
+  - id: addons-sync
+    name: addons-sync
+    entry: make addons.sync
+    language: system
+    files: "^(hack/addons/|charts/capi-runtime-extensions/templates/.+/manifests/|make/addons.mk$)"
     pass_filenames: false
 - repo: https://github.com/tekwizely/pre-commit-golang
   rev: v1.0.0-rc.1

diff --git a/charts/capi-runtime-extensions/templates/cni/calico/manifests/tigera-operator-configmap.yaml b/charts/capi-runtime-extensions/templates/cni/calico/manifests/tigera-operator-configmap.yaml
diff --git a/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml b/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml
@@ -11,6 +11,9 @@ data:
     apiVersion: v1
     kind: Namespace
     metadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+        pod-security.kubernetes.io/enforce-version: latest
       name: node-feature-discovery
     ---
     apiVersion: apiextensions.k8s.io/v1

diff --git a/...ze/nfd/node-feature-discovery-values.yaml → hack/addons/kustomize/nfd/helm-values.yaml b/...ze/nfd/node-feature-discovery-values.yaml → hack/addons/kustomize/nfd/helm-values.yaml
diff --git a/hack/addons/kustomize/nfd/kustomization.yaml.tmpl b/hack/addons/kustomize/nfd/kustomization.yaml.tmpl
@@ -13,12 +13,12 @@ resources:
 helmCharts:
 - name: node-feature-discovery
   includeCRDs: true
-  valuesFile: node-feature-discovery-values.yaml
+  valuesFile: helm-values.yaml
   valuesInline:
     image:
-      tag: "v${NODE_FEATURE_VERSION}-minimal"
+      tag: "v${NODE_FEATURE_DISCOVERY_VERSION}-minimal"
   releaseName: node-feature-discovery
-  version: ${NODE_FEATURE_VERSION}
+  version: ${NODE_FEATURE_DISCOVERY_VERSION}
   repo: https://kubernetes-sigs.github.io/node-feature-discovery/charts
 
 namespace: node-feature-discovery
diff --git a/hack/addons/kustomize/nfd/namespace.yaml b/hack/addons/kustomize/nfd/namespace.yaml
@@ -5,3 +5,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: node-feature-discovery
+  labels:
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/enforce-version: "latest"
diff --git a/hack/addons/kustomize/tigera-operator/ds-priorityClass.yaml b/hack/addons/kustomize/tigera-operator/ds-priorityClass.yaml
diff --git a/hack/addons/kustomize/tigera-operator/helm-values.yaml b/hack/addons/kustomize/tigera-operator/helm-values.yaml
@@ -0,0 +1,6 @@
+# Copyright 2023 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+---
+installation:
+  enabled: false
diff --git a/hack/addons/kustomize/tigera-operator/kustomization.yaml b/hack/addons/kustomize/tigera-operator/kustomization.yaml
diff --git a/hack/addons/kustomize/tigera-operator/kustomization.yaml.tmpl b/hack/addons/kustomize/tigera-operator/kustomization.yaml.tmpl
@@ -0,0 +1,24 @@
+# Copyright 2023 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+  name: tigera-operator
+
+sortOptions:
+  order: fifo
+
+resources:
+- namespace.yaml
+
+helmCharts:
+- name: tigera-operator
+  includeCRDs: true
+  valuesFile: helm-values.yaml
+  releaseName: tigera-operator
+  version: ${CALICO_VERSION}
+  repo: https://docs.tigera.io/calico/charts
+
+namespace: tigera-operator
diff --git a/hack/addons/kustomize/tigera-operator/namespace.yaml b/hack/addons/kustomize/tigera-operator/namespace.yaml
@@ -0,0 +1,10 @@
+# Copyright 2023 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tigera-operator
+  labels:
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/enforce-version: "latest"
diff --git a/hack/addons/update-calico-manifests.sh b/hack/addons/update-calico-manifests.sh
@@ -13,17 +13,15 @@ if [ -z "${CALICO_VERSION:-}" ]; then
   exit 1
 fi
 
-CALICO_CNI_ASSETS_DIR="$(mktemp -d -p "${TMPDIR:-/tmp}")"
-readonly CALICO_CNI_ASSETS_DIR
-trap 'rm -rf ${CALICO_CNI_ASSETS_DIR}' EXIT
+ASSETS_DIR="$(mktemp -d -p "${TMPDIR:-/tmp}")"
+readonly ASSETS_DIR
+trap_add "rm -rf ${ASSETS_DIR}" EXIT
 
-curl -fsSL "https://raw.githubusercontent.com/projectcalico/calico/${CALICO_VERSION}/manifests/tigera-operator.yaml" \
-  -o "${CALICO_CNI_ASSETS_DIR}/tigera-operator.yaml"
+readonly FILE_NAME="tigera-operator.yaml"
 
-readonly KUSTOMIZATION_DIR=${SCRIPT_DIR}/kustomize/tigera-operator
-cp -r "${KUSTOMIZATION_DIR}"/* "${CALICO_CNI_ASSETS_DIR}"
-kustomize --load-restrictor=LoadRestrictionsNone build "${CALICO_CNI_ASSETS_DIR}" \
-  -o "${CALICO_CNI_ASSETS_DIR}/kustomized.yaml"
+readonly KUSTOMIZE_BASE_DIR="${SCRIPT_DIR}/kustomize/tigera-operator/"
+envsubst -no-unset <"${KUSTOMIZE_BASE_DIR}/kustomization.yaml.tmpl" >"${ASSETS_DIR}/kustomization.yaml"
+cp "${KUSTOMIZE_BASE_DIR}"/*.yaml "${ASSETS_DIR}"
 
 # The operator manifest in YAML format is pretty big. It turns out that much of that is whitespace. Converting the
 # manifest to JSON without indentation allows us to remove most of the whitespace, reducing the size by more than half.
@@ -37,18 +35,25 @@ kustomize --load-restrictor=LoadRestrictionsNone build "${CALICO_CNI_ASSETS_DIR}
 #    of the ClusterResourceSet controller to misbehave. We remove these null entries using a filter expression.
 # 3. If we indent the JSON document, it is nearly as large as the YAML document, at 1099093 bytes. We remove indentation
 #    with the --indent=0 flag.
+kustomize build --enable-helm "${ASSETS_DIR}" >"${ASSETS_DIR}/${FILE_NAME}"
+
 gojq --yaml-input \
   --slurp \
   --indent=0 \
-  '[ .[] | select( . != null ) |
-    (select( .kind=="Namespace").metadata.labels += {
-      "pod-security.kubernetes.io/enforce": "privileged",
-      "pod-security.kubernetes.io/enforce-version": "latest"
-    })
-  ]' \
-  <"${CALICO_CNI_ASSETS_DIR}/kustomized.yaml" \
-  >"${CALICO_CNI_ASSETS_DIR}/tigera-operator.json"
+  <"${ASSETS_DIR}/${FILE_NAME}" \
+  >"${ASSETS_DIR}/tigera-operator.json"
 
 kubectl create configmap "{{ .Values.hooks.CalicoCNI.defaultTigeraOperatorConfigMap.name }}" --dry-run=client --output yaml \
-  --from-file "${CALICO_CNI_ASSETS_DIR}/tigera-operator.json" \
-  >"${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/cni/calico/manifests/tigera-operator-configmap.yaml"
+  --from-file "${ASSETS_DIR}/tigera-operator.json" \
+  >"${ASSETS_DIR}/tigera-operator-configmap.yaml"
+
+# add warning not to edit file directly
+cat <<EOF >"${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/cni/calico/manifests/tigera-operator-configmap.yaml"
+$(cat "${GIT_REPO_ROOT}/hack/license-header.yaml.txt")
+
+#=================================================================
+#                 DO NOT EDIT THIS FILE
+#  IT HAS BEEN GENERATED BY /hack/addons/update-calico-manifests.sh
+#=================================================================
+$(cat "${ASSETS_DIR}/tigera-operator-configmap.yaml")
+EOF
diff --git a/hack/addons/update-node-feature-discovery-manifests.sh b/hack/addons/update-node-feature-discovery-manifests.sh
@@ -8,8 +8,8 @@ readonly SCRIPT_DIR
 # shellcheck source=hack/common.sh
 source "${SCRIPT_DIR}/../common.sh"
 
-if [ -z "${NODE_FEATURE_VERSION:-}" ]; then
-  echo "Missing environment variable: NODE_FEATURE_VERSION"
+if [ -z "${NODE_FEATURE_DISCOVERY_VERSION:-}" ]; then
+  echo "Missing environment variable: NODE_FEATURE_DISCOVERY_VERSION"
   exit 1
 fi
 
@@ -26,16 +26,15 @@ kustomize build --enable-helm "${ASSETS_DIR}" >"${ASSETS_DIR}/${FILE_NAME}"
 
 kubectl create configmap node-feature-discovery --dry-run=client --output yaml \
   --from-file "${ASSETS_DIR}/${FILE_NAME}" \
-  >"${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml"
+  >"${ASSETS_DIR}/node-feature-discovery-configmap.yaml"
 
 # add warning not to edit file directly
-cat <<EOF >"${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap-temp.yaml"
+cat <<EOF >"${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml"
+$(cat "${GIT_REPO_ROOT}/hack/license-header.yaml.txt")
+
 #=================================================================
 #                 DO NOT EDIT THIS FILE
 #  IT HAS BEEN GENERATED BY /hack/addons/update-node-feature-discovery-manifests.sh
 #=================================================================
-$(cat "${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml")
+$(cat "${ASSETS_DIR}/node-feature-discovery-configmap.yaml")
 EOF
-
-mv "${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap-temp.yaml" \
-  "${GIT_REPO_ROOT}/charts/capi-runtime-extensions/templates/nfd/manifests/node-feature-discovery-configmap.yaml"
diff --git a/make/addons.mk b/make/addons.mk
@@ -2,7 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 
 export CALICO_VERSION := v3.26.1
-export NODE_FEATURE_VERSION := 0.14.1
+export NODE_FEATURE_DISCOVERY_VERSION := 0.14.1
+
+.PHONY: addons.sync
+addons.sync: $(addprefix update-addon.,calico nfd)
 
 .PHONY: update-addon.calico
 update-addon.calico: ; $(info $(M) updating calico manifests)