feat(node-feature-discovery): update helm-release to v0.15.0 #2297

Merged
merged 1 commit into from
Dec 22, 2023

tyriis-automation[bot]
Contributor

This PR contains the following updates:

Package Update Change OpenSSF
node-feature-discovery minor 0.14.3 -> 0.15.0 OpenSSF Scorecard

Release Notes

kubernetes-sigs/node-feature-discovery (node-feature-discovery)

v0.15.0

What's new

NodeFeatureRule API extended
Annotations

NFD now supports creating node annotations with the NodeFeatureRules. See the documentation for details.

matchName

New matchName field was added to the NodeFeatureRule CRD. It can be used to match the names of features (instead of their values which is done with the matchExpressions field). See documentation for details.

Feature files

Hidden feature files: feature files whose name start with a dot (.) are now ignored by nfd-worker. This makes it easier to update the feature files by creating a temporary file in the same directory. (#​1353)

Skip labels or features: Feature files support # +no-label and # +no-feature directives to skip label and feature generation, respectively. See the documentation for details and examples.

Container image based on scratch

NFD switched to use scratch as the base container image and to build fully statically linked binaries. Switching to the virtually empty base image means that the default container image only supports running hooks that are also fully statically linked. For example, many go binaries that are "almost" statically linked don't work. The full image variant can be used for richer hook support. NOTE: hooks are deprecated and support for them will be removed in a future release.

Base image of the full image variant was updated to Debian Bookworm.

Discover virtual network interfaces

NFD now discovers virtual network interfaces as features that can be used in NodeFeatureRules. (#​1448)

Kubectl plugin

Starting as a developer preview, we are introducing a kubectl-nfd plugin to perform 3 operations against NodeFeatureRule files. (#​1446)

  • test: Check a NodeFeatureRule file against a node to ensure it is valid before applying it to a cluster.
  • dryrun: Check a NodeFeatureRule file against a local NodeFeature file, allowing offline testing of the rule before applying it to a cluster.
  • validate: Check if the NodeFeatureRule file is valid and can be used against NodeFeatures.

See the documentation for more information.

Deprecations
Automatic prefixing of names deprecated

Automatic prefixing of names (of labels, annotations or extended resources) is deprecated. Unprefixed names should not be used in NodeFeatureRules, feature files, hooks or custom rules. The default feature.node.kubernetes.io/ prefix should be added to unprefixed names.

The nfd-master has new autoDefaultNs configuration file option (defaults to true in v0.15) to stop automatically adding the feature.node.kubernetes.io/ prefix to node labels, annotations and extended resources. If set to false, unprefixed names will be denied. (#​1461)

NOTE: The autoDefaultNs option default will be changed to false in a future NFD release. This will be a breaking change for users who rely on automatic prefixing of unprefixed names. Setting the autoDefaultNs option to false with NFD v0.15 can be used to test that all NodeFeatureRules, feature files, hooks and custom rules (configuration of the "custom" feature source of nfd-worker) work correctly when the default will be switched to false.

Deprecated security labels dropped

Deprecated feature.node.kubernetes.io/cpu-sgx.enabled and feature.node.kubernetes.io/cpu-se.enabled labels were dropped. They are replaced by feature.node.kubernetes.io/cpu-security.sgx.enabled and feature.node.kubernetes.io/cpu-security.se.enabled. (#​1350)

Legacy "matchOn" custom rule format dropped

Support for the legacy "matchOn" rule format of the custom source of nfd-worker was removed (deprecated since v0.10.0). (#​1397)

Miscellaneous
CPU features

Detection of Intel APX and AVX10 as new CPUID features.

New cpu.topology feature socket_count.

Liveness probe

gRPC health probe utility replaced with Kubernetes' built-in gRPC liveness probe. This means that Kubernetes v1.23 or later is required by the default deployments. (#​1046)

Annotations

The nfd-master doesn't create NFD version node annotations anymore. (#​1394)

Metrics

Metrics for nfd-gc were added. (#​1407)

Example grafana dashboard to display NFD metrics was added. (#​1413)

Helm chart

Various fixes and improvements in the Helm chart, for example ability to disable/enable nfd-master and nfd-worker.

NodeFeature API

The nfd-worker now sets owner reference in NodeFeature objects it creates, so orphaned NodeFeatures are automatically garbage-collected when the nfd-worker pod goes away. (#​1491)

List of PRs

  • chore: introduce a commong klog handling for cmd/nfd-* (#​1341)
  • cpu: drop the deprecated sgx and se labels (#​1350)
  • source/local: simplify feature file size checking (#​1351)
  • scripts/update-gh-pages: sync OWNERS from master to gh-pages (#​1355)
  • github: prevent parallel runs of gh-pages update (#​1358)
  • github: separate workflow for helm repo index update (#​1359)
  • feat: ignore hidden feature files (#​1353)
  • deployment/helm: fix namespace of nfd-worker role and rolebinding (#​1364)
  • github: add a separate issue template for patch releases (#​1368)
  • deployment/helm: fix handling of enableNodeFeatureApi parameter (#​1365)
  • Build statically linked binaries (#​1373)
  • Replace gRPC health probe utility with k8s built-in health probe (#​1046)
  • README: update to v0.14.1 (#​1377)
  • nfd-master: fix filtering of extended resources (#​1378)
  • apis/nfd: drop one stale comment line (#​1382)
  • Helm - Move remaining gPRC related flags to conditional (#​1387)
  • Helm - service to be only deployed when needed (#​1389)
  • feat: support raw features (#​1386)
  • Fix serviceaccount handling for nfd-gc to be consistent with others (#​1392)
  • nfd-master: correctly clean up annotations (#​1393)
  • Bump to Go 1.21 (#​1390)
  • nfd-master: stop creating NFD version annotations (#​1394)
  • Refactor metrics (#​1398)
  • nfd-gc: simplify initialization (#​1399)
  • go.mod: bump kubernetes to v1.28.2 (#​1402)
  • docs: clarify nfd_node_update_requests_total metric (#​1406)
  • docs: document nfd_topology_updater_build_info metric (#​1400)
  • nfd-gc: add metrics (#​1407)
  • Update Readme to V0.14.2 (#​1411)
  • feat: add parameters in helm to disable/enable nfd-master and nfd-worker (#​1415)
  • build(deps): bump golang.org/x/net from 0.13.0 to 0.17.0 (#​1416)
  • examples: add example grafana dashboard (#​1413)
  • source/custom: drop support for the legacy rule format (#​1397)
  • test/e2e: fix source/custom nodename test (#​1421)
  • Fix pkg name for test/utils/deployment (#​1418)
  • nfd-master: fix retry of node updates (#​1425)
  • go.mod: update deps (#​1422)
  • test/e2e: stricter validation of node annotations (#​1426)
  • Update readme to v0.14.3 (#​1435)
  • scripts/test-infra: bump mdlint to v0.13.0 (#​1437)
  • scripts/test-infra: bump golangci-lint to v1.55.1 (#​1438)
  • Make mdlint v0.13 happy (#​1439)
  • Discover node features as annotations (#​1417)
  • docs: edits to customization guide (#​1436)
  • test/e2e: fix log messages (#​1441)
  • test/e2e: improved test logging (#​1442)
  • test/e2e: fix broken feature-annotations test (#​1440)
  • test/e2e: cleanup feature annotations (#​1443)
  • go.mod: update deps (#​1445)
  • docs: fix documentation on SEV security features (#​1447)
  • docs: use correct storage.block name for block device feature (#​1449)
  • source/network: refactor readIfaceInfo (#​1452)
  • go.mod: Update cpuid to its v2.2.6 release (#​1453)
  • docs: stop advertising --resource-labels flag (#​1454)
  • go.mod: update deps (#​1457)
  • go.mod: update deps (#​1463)
  • go.mod: bump kubernetes to v1.28.4 (#​1465)
  • apis/nfd: fix incorrect comments of matching functions (#​1467)
  • apis/nfd: fix logging of rule expression processing (#​1458)
  • test/e2e: increase timeout for waiting node status (#​1460)
  • docs: fix small typo in customization guide (#​1469)
  • nfd-master: drop stale variables (#​1470)
  • nfd-master: predictable handling of unprefixed names (#​1471)
  • apis/nfd: fix multiple matcher terms targeting the same feature (#​1468)
  • Option to stop implicitly adding default prefix to names (#​1461)
  • Reproducible output from expression matching (#​1473)
  • Use T.Run in expression unit tests (#​1474)
  • nfd-worker: fix typo in log message (#​1472)
  • docs: correct description of no-publish for topology-updater (#​1475)
  • docs/tls: update cert-manager deployment instructions (#​1476)
  • generate: update kube code-gen to v1.28.4 (#​1478)
  • apis/nfd: validate input when matching expression (#​1480)
  • docs: styling (#​1484)
  • Change the base image of full image variant to Debian Bookworm (#​1486)
  • docs: remove outdated instructions for minimal image (#​1485)
  • feat: discover virtual network interface (#​1448)
  • deployment/kustomize: drop default-combined overlay (#​1492)
  • dockerignore: cleanup (#​1493)
  • deployment/kustomize: drop nfd-master service (#​1494)
  • nfd-worker: set owner reference in NodeFeature objects (#​1491)
  • test/e2e: test NodeFeature owner reference (#​1495)
  • test/e2e: fix broken test (#​1496)
  • Makefile: add env var controls to make test targets configurable (#​1489)
  • Makefile: more verbose output for e2e-tests (#​1498)
  • go.mod: update dependencies (#​1499)
  • Makefile: fix e2e-testing of the full image (#​1500)
  • Create a Validate pkg (#​1455)
  • nfd-master: remove default denied ns from config (#​1501)
  • Use non-exp maps package (#​1502)
  • Use generics for maps and slices (#​1503)
  • apis/nfd: drop the private regexp caching field (#​1482)
  • apis/nfd: drop creation helper functions (#​1481)
  • apis/nfd: add matchName field in feature matcher terms (#​788)
  • Document the NodeFeatureRule samples and move them under deployment dir (#​1504)
  • feat: add cpu socket count in cpu.topology (#​1497)
  • apis/nfd: drop the private template caching fields (#​1477)
  • source/custom: add internal rule api (#​1479)
  • chore(nfd-worker): fix minor typo in wrong label value format error (#​1506)
  • build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#​1507)
  • apis/nfd: split rule processing into a separate package (#​1508)
  • go.mod: bump kubernetes to v1.29 (#​1509)
  • docs: use default instead of minimal image variant (#​1514)
  • docs: document new x86 cpuid features (#​1515)
  • docs: fix malformed hyperlink syntax (#​1516)
  • Add Kubectl NFD plugin (#​1446)
  • docs: fix name of prometheus kustomize overlay (#​1517)
  • docs: document all tracking annotations (#​1519)
  • docs: fix wording and nfd version in master config ref (#​1520)
  • docs: second fix to the prometheus kustomize overlay name (#​1518)
  • docs: fixes (#​1521)
  • deployment/kustomize: enable nfd-gc in the default overlay (#​1525)
  • Update references to release v0.15.0 (#​1522)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
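
A pre-upgrade check for the autoDefaultNs deprecation described in the release notes above, added here as an example (it is not part of the PR or of NFD). It assumes input shaped like the output of kubectl get nodefeaturerules -o json; the sample object and the function names are constructed for illustration.

```python
import json

DEFAULT_PREFIX = "feature.node.kubernetes.io/"
# Rule fields whose keys become node labels, annotations or extended resources.
# Names produced by labelsTemplate are not evaluated here.
NAME_FIELDS = ("labels", "annotations", "extendedResources")

# Constructed sample in the shape of `kubectl get nodefeaturerules -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "nfd.k8s-sigs.io/v1alpha1", "kind": "NodeFeatureRule",
   "metadata": {"name": "example-rule"},
   "spec": {"rules": [
     {"name": "custom-hw",
      "labels": {"my-feature": "true", "example.com/accelerator": "true"},
      "annotations": {"note": "lab-node"},
      "extendedResources": {"feature.node.kubernetes.io/widgets": "4"},
      "matchFeatures": [{"feature": "kernel.loadedmodule",
                         "matchExpressions": {"dummy": {"op": "Exists"}}}]}
   ]}}
]}
""")


def unprefixed_names(rule_list):
    """Return (object, rule, field, key) for every name without a prefix.

    A name counts as unprefixed when it has no "/" in it. These are the
    names that get the default prefix while autoDefaultNs is true and are
    denied once it is false.
    """
    findings = []
    for item in rule_list.get("items", []):
        obj = item.get("metadata", {}).get("name", "<unnamed>")
        for rule in item.get("spec", {}).get("rules", []):
            for field in NAME_FIELDS:
                for key in rule.get(field) or {}:
                    if "/" not in key:
                        findings.append((obj, rule.get("name", ""), field, key))
    return findings


def suggested_name(key):
    """Explicit form of an unprefixed name, using the default prefix."""
    return DEFAULT_PREFIX + key


if __name__ == "__main__":
    for obj, rule, field, key in unprefixed_names(SAMPLE):
        print(f"{obj}/{rule}: {field} key {key!r} -> {suggested_name(key)!r}")
```
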

@tyriis-automation tyriis-automation bot added renovate/flux renovate flux manager renovate/helm renovate helm datasource type/minor a minor update labels Dec 22, 2023

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@tyriis-automation
Contributor Author

--- kubernetes/talos-flux/apps/kube-tools/node-feature-discovery/app Kustomization: flux-system/apps-node-feature-discovery HelmRelease: kube-tools/node-feature-discovery

+++ kubernetes/talos-flux/apps/kube-tools/node-feature-discovery/app Kustomization: flux-system/apps-node-feature-discovery HelmRelease: kube-tools/node-feature-discovery

@@ -9,13 +9,13 @@

     spec:
       chart: node-feature-discovery
       sourceRef:
         kind: HelmRepository
         name: node-feature-discovery-charts
         namespace: flux-system
-      version: 0.14.3
+      version: 0.15.0
   install:
     createNamespace: true
     remediation:
       retries: 3
   interval: 15m
   maxHistory: 15
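
Review bot: the `version: 0.15.0` line is the only change to the HelmRelease, so every behaviour change listed in the release notes arrives on chart defaults with automerge enabled. Check that no nodeSelector or affinity in the repo still uses the dropped `feature.node.kubernetes.io/cpu-sgx.enabled` or `feature.node.kubernetes.io/cpu-se.enabled` labels, and consider setting `autoDefaultNs` to false in the nfd-master configuration now so unprefixed names are caught before the default changes.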

@tyriis-automation
Contributor Author

--- kubernetes HelmRelease: kube-tools/node-feature-discovery Deployment: kube-tools/node-feature-discovery-master

+++ kubernetes HelmRelease: kube-tools/node-feature-discovery Deployment: kube-tools/node-feature-discovery-master

@@ -32,26 +32,22 @@

           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-        image: registry.k8s.io/nfd/node-feature-discovery:v0.14.3
+        image: registry.k8s.io/nfd/node-feature-discovery:v0.15.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
-          exec:
-            command:
-            - /usr/bin/grpc_health_probe
-            - -addr=:8080
+          grpc:
+            port: 8080
           initialDelaySeconds: 10
           periodSeconds: 10
         readinessProbe:
-          exec:
-            command:
-            - /usr/bin/grpc_health_probe
-            - -addr=:8080
+          grpc:
+            port: 8080
           initialDelaySeconds: 5
           periodSeconds: 10
           failureThreshold: 10
         ports:
         - containerPort: 8080
           name: grpc
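
Review bot: the `grpc:` checks under `livenessProbe` and `readinessProbe` need Kubernetes v1.23 or later according to the release notes above, so confirm the cluster version before this rolls out. The probes carry only `port: 8080`, so they depend on nfd-master serving gRPC health on that port; the next hunk removes the argument that used to set it explicitly.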
@@ -63,13 +59,12 @@

             fieldRef:
               fieldPath: spec.nodeName
         command:
         - nfd-master
         resources: {}
         args:
-        - -port=8080
         - -crd-controller=true
         - -metrics=8081
         volumeMounts:
         - name: nfd-master-conf
           mountPath: /etc/kubernetes/node-feature-discovery
           readOnly: true
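
Review bot: with `-port=8080` removed from `args`, nothing in this manifest sets the gRPC listen port any more, while the probes and `containerPort: 8080` in the previous hunk still assume 8080. Confirm that nfd-master v0.15.0 serves its health endpoint on 8080 without the flag, since a mismatch would surface only as failing liveness and readiness probes.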
--- kubernetes HelmRelease: kube-tools/node-feature-discovery Service: kube-tools/node-feature-discovery-master

+++ kubernetes HelmRelease: kube-tools/node-feature-discovery Service: kube-tools/node-feature-discovery-master

@@ -1,23 +0,0 @@

----
-apiVersion: v1
-kind: Service
-metadata:
-  name: node-feature-discovery-master
-  namespace: kube-tools
-  labels:
-    app.kubernetes.io/name: node-feature-discovery
-    app.kubernetes.io/instance: node-feature-discovery
-    app.kubernetes.io/managed-by: Helm
-    role: master
-spec:
-  type: ClusterIP
-  ports:
-  - port: 8080
-    targetPort: grpc
-    protocol: TCP
-    name: grpc
-  selector:
-    app.kubernetes.io/name: node-feature-discovery
-    app.kubernetes.io/instance: node-feature-discovery
-    role: master
-
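
Review bot: deleting the `node-feature-discovery-master` Service removes the only in-cluster name for port 8080, so search the repo for remaining references to `node-feature-discovery-master:8080` (NetworkPolicy rules, monitoring targets, other clients) before merging. The Deployment still declares `containerPort: 8080`; if only the kubelet probes use it now, ingress to that port from other pods can be denied.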
--- kubernetes HelmRelease: kube-tools/node-feature-discovery DaemonSet: kube-tools/node-feature-discovery-worker

+++ kubernetes HelmRelease: kube-tools/node-feature-discovery DaemonSet: kube-tools/node-feature-discovery-worker

@@ -33,24 +33,31 @@

           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-        image: registry.k8s.io/nfd/node-feature-discovery:v0.14.3
+        image: registry.k8s.io/nfd/node-feature-discovery:v0.15.0
         imagePullPolicy: IfNotPresent
         env:
         - name: NODE_NAME
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
         resources: {}
         command:
         - nfd-worker
         args:
-        - -server=node-feature-discovery-master:8080
         - -metrics=8081
         ports:
         - name: metrics
           containerPort: 8081
         volumeMounts:
         - name: host-boot
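
Review bot: the removed `-server=node-feature-discovery-master:8080` argument leaves the worker with no gRPC endpoint configured, so it has to publish through the NodeFeature API; check that the worker's Role and RoleBinding in this chart version grant what it needs on NodeFeature objects. The new `POD_NAME` and `POD_UID` variables are unexplained in the diff; they line up with the owner-reference change in the release notes (#1491), which is worth recording in the PR description.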
--- kubernetes HelmRelease: kube-tools/node-feature-discovery Deployment: kube-tools/node-feature-discovery-gc

+++ kubernetes HelmRelease: kube-tools/node-feature-discovery Deployment: kube-tools/node-feature-discovery-gc

@@ -25,13 +25,13 @@

     spec:
       serviceAccountName: node-feature-discovery-gc
       dnsPolicy: ClusterFirstWithHostNet
       securityContext: {}
       containers:
       - name: gc
-        image: registry.k8s.io/nfd/node-feature-discovery:v0.14.3
+        image: registry.k8s.io/nfd/node-feature-discovery:v0.15.0
         imagePullPolicy: IfNotPresent
         env:
         - name: NODE_NAME
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
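
Review bot: `image: registry.k8s.io/nfd/node-feature-discovery:v0.15.0` is referenced by tag with `imagePullPolicy: IfNotPresent`, here and in the master and worker manifests; pinning by digest would guarantee that all three workloads run the same reviewed image on every node. The pod-level `securityContext: {}` in the context lines is empty, so the hardening for the gc pod lives only in the container-level block shown in the next hunk.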
@@ -44,7 +44,10 @@

           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+        ports:
+        - name: metrics
+          containerPort: 8081
 

@tyriis-automation
Contributor Author

🦙 MegaLinter status: ✅ SUCCESS

Descriptor Linter Files Fixed Errors Elapsed time
✅ EDITORCONFIG editorconfig-checker 1 0 0.01s
✅ REPOSITORY gitleaks yes no 2.01s
✅ YAML prettier 1 0 0.45s
✅ YAML yamllint 1 0 0.29s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security

@tyriis-automation tyriis-automation bot merged commit 1436381 into main Dec 22, 2023
11 checks passed
@tyriis-automation tyriis-automation bot deleted the renovate/node-feature-discovery-0.x branch December 22, 2023 10:19
Labels
area/kubernetes cluster/talos-flux renovate/flux renovate flux manager renovate/helm renovate helm datasource type/minor a minor update