Skip to content

deployment: add minimal kustomize overlays for deploying plugins #197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 14, 2025
Merged

deployment: add minimal kustomize overlays for deploying plugins #197

merged 2 commits into from
Aug 14, 2025

Conversation

@marquiz
Copy link
Contributor

@marquiz marquiz commented Aug 7, 2025

No description provided.

@marquiz marquiz mentioned this pull request Aug 7, 2025
Merged
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch 2 times, most recently from 1d5f73c to d2b22b4 Compare August 7, 2025 19:00
samuelkarp
samuelkarp reviewed Aug 8, 2025
View reviewed changes
Copy link
Member

@samuelkarp samuelkarp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move these into a contrib folder rather than having kustomize at the root of the repo?

@marquiz marquiz mentioned this pull request Aug 8, 2025
Closed
klihub
klihub reviewed Aug 8, 2025
View reviewed changes
klihub
klihub reviewed Aug 8, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
klihub
klihub reviewed Aug 9, 2025
View reviewed changes
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from d2b22b4 to b23495b Compare August 11, 2025 11:10
@marquiz
Copy link
Contributor Author

marquiz commented Aug 11, 2025

Can we move these into a contrib folder rather than having kustomize at the root of the repo?

Moved to contrib/kustomize

@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from b23495b to 6bdcda1 Compare August 11, 2025 11:48
klihub
klihub approved these changes Aug 12, 2025
View reviewed changes
Copy link
Member

@klihub klihub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you ! This now LGTM.

mythi
mythi reviewed Aug 12, 2025
View reviewed changes
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from 6bdcda1 to faf48c0 Compare August 12, 2025 07:24
@marquiz
Copy link
Contributor Author

marquiz commented Aug 12, 2025

Updated: added (container) securityContext

@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from faf48c0 to 3cb231f Compare August 12, 2025 14:22
@marquiz
Copy link
Contributor Author

marquiz commented Aug 12, 2025
edited
Loading

Update: added pod priorityClassName: system-node-critical to device-injector, hook-injector, network-device-injector, ulimit-adjuster and v010-adapter plugins

@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from 3cb231f to 41f1044 Compare August 13, 2025 09:29
@klihub klihub requested a review from mythi August 13, 2025 10:16
mythi
mythi approved these changes Aug 13, 2025
View reviewed changes
Copy link

@mythi mythi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

chrishenzie
chrishenzie approved these changes Aug 13, 2025
View reviewed changes
Copy link
Contributor

@chrishenzie chrishenzie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally LGTM. I have a few nits about the indentation of list items in the yamls but that's no big deal.

Would it be possible to drop a README in there that gives a TL;DR on how to use kustomize to install these (for folks like myself who are unfamiliar)?

@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from 41f1044 to dd1d33d Compare August 13, 2025 17:58
@marquiz
Copy link
Contributor Author

marquiz commented Aug 13, 2025

Updated: indentation of daemonset.yaml's fixed

@marquiz
deployment: add minimal kustomize overlays for deploying plugins
cc9e614 
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from dd1d33d to cc9e614 Compare August 13, 2025 18:01
mikebrow
mikebrow reviewed Aug 13, 2025
View reviewed changes
Copy link
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

couple comments

contrib/kustomize/device-injector/daemonset.yaml Outdated
containers:
- name: plugin
image: plugin:latest
imagePullPolicy: Always
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
imagePullPolicy: Always
imagePullPolicy: IfNotPresent

Copy link
Member

@klihub klihub Aug 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, the default [ck]ustomization updates the daemonset to use the unstable image tag, and I thought that was the reason behind using an Always imagePullPolicy, which would make sense to me (to avoid countless late night WTF?-staring sessions at the terminal when testing).

@marquiz @mikebrow If we change the policy here in the daemonset declaration, can we then also kustomize it to Always in the same file where we change the tag to unstable ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, the idea was exactly that. The unstable is a rolling tag, always following the tip of the main branch. We don't have any "stable" (tagged by version tag) images yet and pull policy Always ensures that you get the latest devel build, not some weeks or months old.

I now dropped the imagePullPolicy field from the daemonset.yaml's alltogether and added a common kustomize component (included in all plugin overlays) that patches the pull policy to Always.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

always image pull policy is good for forcing verification of access to private authentication required registries for pods in a multi-tenant situation...

if not present image pull policy is good for allowing pods to share container images that have already been cached

:latest tag is good for asking to check if there is a newer image on the registry every time

:version tags and SHAs are good for requesting a specific version of an image

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can discuss on the community call

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kk discussed with klihub just need to mention somewhere in these that this is not for production use .. rather dev testing purposes..

contrib/kustomize/device-injector/daemonset.yaml
priorityClassName: system-node-critical
containers:
- name: plugin
image: plugin:latest
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
image: plugin:latest
image: plugin:latest # image and tag "plugin:latest" are placeholders substituted via config

contrib/kustomize/device-injector/daemonset.yaml
spec:
priorityClassName: system-node-critical
containers:
- name: plugin
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: plugin
- name: plugin # plugin name "plugin" is a placeholder substituted via config

klihub
klihub reviewed Aug 14, 2025
View reviewed changes
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch 3 times, most recently from a8d3100 to 47b5d99 Compare August 14, 2025 08:48
@marquiz
Copy link
Contributor Author

marquiz commented Aug 14, 2025

Major update: separate overlays for stable and unstable images

Define separate overlays for stable (released) and unstable images. Utilizes reusable kustomize components to minimize repetition. The stable image would always point to the latest tagged release and unstable use the latest development build from main. The image-stable will need to be updated just before tagging a release (so that the released version points to the correct image).

Usage would be like:

  1. Install the latest release

    kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector"

  2. Install a specific release

    kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector?ref=v0.10.0"

  3. Install the latest development build:

    kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector/unstable"

@marquiz
contrib/kustomize: separate overlays for stable and unstable images
be0d68d 
Define separate overlays for stable (released) and unstable images.
Utilizes reusable kustomize components to minimize repetition. The
stable image would always point to the latest tagged release and
unstable use the latest development build from main. The image-stable
will need to be updated just before tagging a release (so that the
released version points to the correct image).

Usage would be like:

1. Install the latest release

  kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector"

2. Install a specific release

  kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector?ref=v0.10.0"

3. Install the latest development build:

  kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector/unstable"

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
@marquiz marquiz force-pushed the devel/plugin-images-kustomize branch from 47b5d99 to be0d68d Compare August 14, 2025 08:57
@marquiz marquiz mentioned this pull request Aug 14, 2025
Merged
klihub
klihub approved these changes Aug 14, 2025
View reviewed changes
Copy link
Member

@klihub klihub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marquiz Thank you ! LGTM.

@klihub
Copy link
Member

klihub commented Aug 14, 2025

Major update: separate overlays for stable and unstable images
...
2. Install a specific release

kubectl create -k "https://github.com/containerd/nri/contrib/kustomize/hook-injector?ref=v0.10.0"

@marquiz I think this would be worth including in the documentation additions in PR (#196), because I suspect it will not be obvious for the average user.

@klihub klihub merged commit 5cf60eb into containerd:main Aug 14, 2025
16 checks passed
@marquiz marquiz deleted the devel/plugin-images-kustomize branch August 14, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klihub klihub klihub approved these changes

@samuelkarp samuelkarp Awaiting requested review from samuelkarp

@chrishenzie chrishenzie Awaiting requested review from chrishenzie

@mikebrow mikebrow Awaiting requested review from mikebrow

+1 more reviewer

@mythi mythi mythi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@marquiz @klihub @samuelkarp @mythi @chrishenzie @mikebrow