qat: copy annotations

Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>

Author: bart0sh

deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml

@@ -2,6 +2,12 @@ apiVersion: deviceplugin.intel.com/v1
 kind: QatDevicePlugin
 metadata:
   name: qatdeviceplugin-sample
+  # example apparmor annotation
+  # see more details here:
+  #  - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
+  #  - https://github.com/intel/intel-device-plugins-for-kubernetes/issues/381
+  # annotations:
+  #   container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   image: intel/intel-qat-plugin:0.21.0
   dpdkDriver: vfio-pci

pkg/controllers/qat/controller.go

@@ -78,13 +78,15 @@ func (c *controller) GetTotalObjectCount(ctx context.Context, clnt client.Client
 func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 	devicePlugin := rawObj.(*devicepluginv1.QatDevicePlugin)
 	yes := true
+	pluginAnnotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
 	return &apps.DaemonSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:    c.ns,
 			GenerateName: devicePlugin.Name + "-",
 			Labels: map[string]string{
 				"app": appLabel,
 			},
+			Annotations: pluginAnnotations,
 		},
 		Spec: apps.DaemonSetSpec{
 			Selector: &metav1.LabelSelector{
@@ -97,6 +99,7 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 					Labels: map[string]string{
 						"app": appLabel,
 					},
+					Annotations: pluginAnnotations,
 				},
 				Spec: v1.PodSpec{
 					Containers: []v1.Container{
@@ -161,6 +164,13 @@ func (c *controller) NewDaemonSet(rawObj client.Object) *apps.DaemonSet {
 func (c *controller) UpdateDaemonSet(rawObj client.Object, ds *apps.DaemonSet) (updated bool) {
 	dp := rawObj.(*devicepluginv1.QatDevicePlugin)
 
+	if !reflect.DeepEqual(ds.ObjectMeta.Annotations, dp.ObjectMeta.Annotations) {
+		pluginAnnotations := dp.ObjectMeta.DeepCopy().Annotations
+		ds.ObjectMeta.Annotations = pluginAnnotations
+		ds.Spec.Template.Annotations = pluginAnnotations
+		updated = true
+	}
+
 	if ds.Spec.Template.Spec.Containers[0].Image != dp.Spec.Image {
 		ds.Spec.Template.Spec.Containers[0].Image = dp.Spec.Image
 		updated = true

test/envtest/qatdeviceplugin_controller_test.go

@@ -46,9 +46,14 @@ var _ = Describe("QatDevicePlugin Controller", func() {
 				Name: "qatdeviceplugin-test",
 			}
 
+			annotations := map[string]string{
+				"container.apparmor.security.beta.kubernetes.io/intel-qat-plugin": "unconfined",
+			}
+
 			toCreate := &devicepluginv1.QatDevicePlugin{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: key.Name,
+					Name:        key.Name,
+					Annotations: annotations,
 				},
 				Spec: spec,
 			}
@@ -63,6 +68,20 @@ var _ = Describe("QatDevicePlugin Controller", func() {
 				return len(fetched.Status.ControlledDaemonSet.UID) > 0
 			}, timeout, interval).Should(BeTrue())
 
+			By("copy annotations successfully")
+			Expect(&(fetched.Annotations) == &annotations).ShouldNot(BeTrue())
+			Eventually(fetched.Annotations).Should(Equal(annotations))
+
+			By("updating annotations successfully")
+			updatedAnnotations := map[string]string{"key": "value"}
+			fetched.Annotations = updatedAnnotations
+			Expect(k8sClient.Update(context.Background(), fetched)).Should(Succeed())
+			updated := &devicepluginv1.QatDevicePlugin{}
+			Eventually(func() map[string]string {
+				_ = k8sClient.Get(context.Background(), key, updated)
+				return updated.Annotations
+			}, timeout, interval).Should(Equal(updatedAnnotations))
+
 			By("updating image name successfully")
 			updatedImage := "updated-testimage"
 			fetched.Spec.Image = updatedImage