Merge branch 'main' into xrfxlp/1402/feat

Author: XRFXLP

distros/kubernetes/nvsentinel/charts/labeler/templates/_helpers.tpl

@@ -38,3 +38,45 @@ Selector labels
 app.kubernetes.io/name: {{ include "labeler.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+ConfigMap name.
+*/}}
+{{- define "labeler.configMapName" -}}
+{{ include "labeler.fullname" . }}
+{{- end }}
+
+{{/*
+Expected device-count configuration content.
+*/}}
+{{- define "labeler.expectedDeviceCountsConfig" -}}
+enabled = {{ .Values.expectedDeviceCounts.enabled }}
+{{- range .Values.expectedDeviceCounts.classes }}
+
+[[classes]]
+name = {{ .name | quote }}
+enabled = {{ .enabled }}
+{{- with .groupingLabels }}
+groupingLabels = [{{- range $i, $label := . }}{{ if $i }}, {{ end }}{{ $label | quote }}{{- end }}]
+{{- end }}
+currentExpression = '''
+{{ trimSuffix "\n" (default "" .currentExpression) }}
+'''
+
+[classes.labels]
+current = {{ .labels.current | quote }}
+expected = {{ .labels.expected | quote }}
+{{- range .expectedCountOverrides }}
+
+[[classes.expectedCountOverrides]]
+count = {{ .count }}
+{{- with .matchLabels }}
+
+[classes.expectedCountOverrides.matchLabels]
+{{- range $key, $value := . }}
+{{ $key | quote }} = {{ $value | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

distros/kubernetes/nvsentinel/charts/labeler/templates/clusterrole.yaml

@@ -37,3 +37,11 @@ rules:
       - watch
       - patch
       - update
+  - apiGroups:
+      - resource.k8s.io
+    resources:
+      - resourceslices
+    verbs:
+      - get
+      - list
+      - watch

distros/kubernetes/nvsentinel/charts/labeler/templates/configmap.yaml

@@ -0,0 +1,25 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.expectedDeviceCounts.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "labeler.configMapName" . }}
+  labels:
+    {{- include "labeler.labels" . | nindent 4 }}
+data:
+  expected-device-counts.toml: |
+{{ include "labeler.expectedDeviceCountsConfig" . | indent 4 }}
+{{- end }}

distros/kubernetes/nvsentinel/charts/labeler/templates/deployment.yaml

@@ -27,10 +27,15 @@ spec:
       {{- include "labeler.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
+      {{- if or .Values.podAnnotations .Values.expectedDeviceCounts.enabled }}
       annotations:
+        {{- if .Values.expectedDeviceCounts.enabled }}
+        checksum/expected-device-counts-config: {{ include "labeler.expectedDeviceCountsConfig" . | sha256sum }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- end }}
       labels:
         {{- include "labeler.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
@@ -64,6 +69,10 @@ spec:
             {{- if .Values.assumeDriverInstalled }}
             - "--assume-driver-installed"
             {{- end }}
+            {{- if .Values.expectedDeviceCounts.enabled }}
+            - "--expected-device-counts-config-file"
+            - "/etc/nvsentinel/labeler/expected-device-counts.toml"
+            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           ports:
@@ -85,9 +94,17 @@ spec:
             periodSeconds: 10
             timeoutSeconds: 3
             failureThreshold: 3
-          {{- if .Values.global.auditLogging.enabled }}
+          {{- if or .Values.global.auditLogging.enabled .Values.expectedDeviceCounts.enabled }}
           volumeMounts:
+            {{- if .Values.expectedDeviceCounts.enabled }}
+            - name: expected-device-counts-config
+              mountPath: /etc/nvsentinel/labeler/expected-device-counts.toml
+              subPath: expected-device-counts.toml
+              readOnly: true
+            {{- end }}
+            {{- if .Values.global.auditLogging.enabled }}
             {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 12 }}
+            {{- end }}
           {{- end }}
           env:
             - name: POD_NAME
@@ -99,9 +116,16 @@ spec:
             {{- if .Values.global.auditLogging.enabled }}
             {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }}
             {{- end }}
-      {{- if .Values.global.auditLogging.enabled }}
+      {{- if or .Values.global.auditLogging.enabled .Values.expectedDeviceCounts.enabled }}
       volumes:
+        {{- if .Values.expectedDeviceCounts.enabled }}
+        - name: expected-device-counts-config
+          configMap:
+            name: {{ include "labeler.configMapName" . }}
+        {{- end }}
+        {{- if .Values.global.auditLogging.enabled }}
         {{- include "nvsentinel.auditLogging.volume" . | nindent 8 }}
+        {{- end }}
       {{- end }}
       {{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }}
       nodeSelector:

distros/kubernetes/nvsentinel/charts/labeler/values.yaml

@@ -42,6 +42,60 @@ kataLabelOverride: ""
 # are installed directly on the host rather than via GPU Operator driver containers.
 assumeDriverInstalled: false
 
+# Expected device count labels
+# When enabled, the labeler writes current/expected device-count labels per configured class.
+# Current counts come from CEL expressions over the node object and associated ResourceSlices.
+# Expected counts are learned per grouping-label partition unless an override matches.
+expectedDeviceCounts:
+  enabled: true
+  classes:
+    - name: gpu
+      enabled: true
+      labels:
+        current: nvsentinel.dgxc.nvidia.com/gpu.count.current
+        expected: nvsentinel.dgxc.nvidia.com/gpu.count.expected
+      groupingLabels:
+        - node.kubernetes.io/instance-type
+        - nvidia.com/gpu.product
+      expectedCountOverrides: []
+      currentExpression: |
+        int(node.metadata.labels['nvidia.com/gpu.count'])
+    - name: nic
+      enabled: true
+      labels:
+        current: nvsentinel.dgxc.nvidia.com/nic.count.current
+        expected: nvsentinel.dgxc.nvidia.com/nic.count.expected
+      groupingLabels:
+        - node.kubernetes.io/instance-type
+      expectedCountOverrides: []
+      currentExpression: |
+        int(node.status.allocatable['nvidia.com/mlnxnics'])
+    # Example AWS RoCE DRA NIC class. Uncomment and adapt per environment.
+    # - name: nic
+    #   enabled: false
+    #   labels:
+    #     current: nvsentinel.dgxc.nvidia.com/nic.count.current
+    #     expected: nvsentinel.dgxc.nvidia.com/nic.count.expected
+    #   groupingLabels:
+    #     - node.kubernetes.io/instance-type
+    #   expectedCountOverrides: []
+    #   currentExpression: |
+    #     sum(resourceSlices
+    #       .filter(rs,
+    #         has(rs.spec.driver) &&
+    #         rs.spec.driver == 'dra.networking.k8s.aws' &&
+    #         has(rs.spec.devices)
+    #       )
+    #       .map(rs, rs.spec.devices
+    #         .filter(d,
+    #           has(d.attributes) &&
+    #           'dra.vpc.amazonaws.com/deviceType' in d.attributes &&
+    #           has(d.attributes['dra.vpc.amazonaws.com/deviceType'].string) &&
+    #           d.attributes['dra.vpc.amazonaws.com/deviceType'].string == 'roce'
+    #         )
+    #         .size()
+    #       ))
+
 resources:
   requests:
     cpu: 100m

distros/kubernetes/nvsentinel/values-full.yaml

@@ -954,6 +954,63 @@ labeler:
   # Leave empty to only check default label
   kataLabelOverride: ""
 
+  # Pre-installed driver configuration
+  # When enabled, the labeler sets nvsentinel.dgxc.nvidia.com/driver.installed=true
+  # on all nodes with nvidia.com/gpu.present=true, skipping driver pod detection.
+  assumeDriverInstalled: false
+
+  # Expected device count labels
+  # Writes current/expected device-count labels from node labels or DRA ResourceSlice data.
+  expectedDeviceCounts:
+    enabled: true
+    classes:
+      - name: gpu
+        enabled: true
+        labels:
+          current: nvsentinel.dgxc.nvidia.com/gpu.count.current
+          expected: nvsentinel.dgxc.nvidia.com/gpu.count.expected
+        groupingLabels:
+          - node.kubernetes.io/instance-type
+          - nvidia.com/gpu.product
+        expectedCountOverrides: []
+        currentExpression: |
+          int(node.metadata.labels['nvidia.com/gpu.count'])
+      - name: nic
+        enabled: true
+        labels:
+          current: nvsentinel.dgxc.nvidia.com/nic.count.current
+          expected: nvsentinel.dgxc.nvidia.com/nic.count.expected
+        groupingLabels:
+          - node.kubernetes.io/instance-type
+        expectedCountOverrides: []
+        currentExpression: |
+          int(node.status.allocatable['nvidia.com/mlnxnics'])
+      # Example AWS RoCE DRA NIC class. Uncomment and adapt per environment.
+      # - name: nic
+      #   enabled: false
+      #   labels:
+      #     current: nvsentinel.dgxc.nvidia.com/nic.count.current
+      #     expected: nvsentinel.dgxc.nvidia.com/nic.count.expected
+      #   groupingLabels:
+      #     - node.kubernetes.io/instance-type
+      #   expectedCountOverrides: []
+      #   currentExpression: |
+      #     sum(resourceSlices
+      #       .filter(rs,
+      #         has(rs.spec.driver) &&
+      #         rs.spec.driver == 'dra.networking.k8s.aws' &&
+      #         has(rs.spec.devices)
+      #       )
+      #       .map(rs, rs.spec.devices
+      #         .filter(d,
+      #           has(d.attributes) &&
+      #           'dra.vpc.amazonaws.com/deviceType' in d.attributes &&
+      #           has(d.attributes['dra.vpc.amazonaws.com/deviceType'].string) &&
+      #           d.attributes['dra.vpc.amazonaws.com/deviceType'].string == 'roce'
+      #         )
+      #         .size()
+      #       ))
+
   # Pod resource limits and requests
   resources:
     requests:

docs/configuration/labeler.md

@@ -13,6 +13,10 @@ The labeler automatically manages these node labels:
 | `nvsentinel.dgxc.nvidia.com/dcgm.version` | `3.x`, `4.x` | DCGM major version detected from DCGM pods |
 | `nvsentinel.dgxc.nvidia.com/driver.installed` | `true`, `false` | NVIDIA driver pod status on node |
 | `nvsentinel.dgxc.nvidia.com/kata.enabled` | `true`, `false` | Kata Containers runtime presence |
+| `nvsentinel.dgxc.nvidia.com/gpu.count.current` | non-negative integer | Current GPU count from the configured class expression |
+| `nvsentinel.dgxc.nvidia.com/gpu.count.expected` | non-negative integer | Expected GPU count from override or learned hardware-class baseline |
+| `nvsentinel.dgxc.nvidia.com/nic.count.current` | non-negative integer | Current NIC count from the configured class expression |
+| `nvsentinel.dgxc.nvidia.com/nic.count.expected` | non-negative integer | Expected NIC count from override or learned hardware-class baseline |
 
 ## Configuration Reference
 
@@ -79,6 +83,41 @@ The following label values (case-insensitive) are considered truthy for Kata det
 
 Any other value or missing label results in `kata.enabled=false`.
 
+## Expected Device Counts
+
+Expected device-count labeling is disabled by default. When enabled, the labeler evaluates enabled classes and writes current/expected count labels only when the configured CEL expression returns a valid non-negative integer.
+
+The Helm chart renders this values block into a TOML ConfigMap entry and mounts it into the labeler pod. Because expressions are compiled at startup, Helm also annotates the pod template with a checksum so changes to the ConfigMap roll the Deployment.
+
+```yaml
+labeler:
+  expectedDeviceCounts:
+    enabled: true
+    classes:
+      - name: gpu
+        enabled: true
+        labels:
+          current: nvsentinel.dgxc.nvidia.com/gpu.count.current
+          expected: nvsentinel.dgxc.nvidia.com/gpu.count.expected
+        groupingLabels:
+          - node.kubernetes.io/instance-type
+          - nvidia.com/gpu.product
+        expectedCountOverrides:
+          - matchLabels:
+              nvidia.com/gpu.product: NVIDIA-GB200
+            count: 8
+        currentExpression: |
+          int(node.metadata.labels['nvidia.com/gpu.count'])
+```
+
+The CEL context exposes:
+
+- `node`: the Kubernetes Node object being reconciled.
+- `resourceSlices`: ResourceSlice objects associated with the node.
+- `sum(list<int>)`: helper that returns the sum of a list of integers.
+
+For classes without a matching override, the expected value is learned as the maximum current or existing expected count among nodes with the same configured grouping-label values. Learned expected counts can rise automatically, but do not fall automatically when a node reports fewer devices.
+
 ### Kata Detection Examples
 
 #### Example 1: Default Detection

docs/labeler.md

@@ -31,8 +31,9 @@ The Labeler runs as a deployment in the cluster:
 2. When pods start on a node, examines container images to extract versions
 3. Updates node labels with detected versions
 4. Watches node labels to detect Kata Container runtime
-5. NVSentinel components read these labels and configure themselves accordingly
-6. Continuously keeps labels synchronized as infrastructure changes
+5. Optionally evaluates configured device-count classes and labels current/expected GPU or NIC counts
+6. NVSentinel components read these labels and configure themselves accordingly
+7. Continuously keeps labels synchronized as infrastructure changes
 
 For example:
 - GPU Health Monitor uses the DCGM version label to select the correct DCGM API version
@@ -51,12 +52,17 @@ labeler:
 
   # Optional: Override the default Kata Containers detection label
   kataLabelOverride: ""  # Custom label to check for Kata runtime
+
+  # Optional: Enable current/expected device-count labels
+  expectedDeviceCounts:
+    enabled: false
 ```
 
 ### Configuration Options
 
 - **Log Level**: Control logging verbosity (info, debug, warn, error)
 - **Kata Label Override**: Specify additional node label to check for Kata Container detection
+- **Expected Device Counts**: Configure device-count classes that derive current and expected count labels from node labels or DRA ResourceSlices
 
 ## Labels Applied
 
@@ -90,6 +96,17 @@ kubectl label nodes <node-name> nvsentinel.dgxc.nvidia.com/driver.installed=true
 
 Indicates whether the node is running Kata Containers runtime (detected from node labels).
 
+### Expected Device Counts
+**Labels**:
+- `nvsentinel.dgxc.nvidia.com/gpu.count.current`
+- `nvsentinel.dgxc.nvidia.com/gpu.count.expected`
+- `nvsentinel.dgxc.nvidia.com/nic.count.current`
+- `nvsentinel.dgxc.nvidia.com/nic.count.expected`
+
+**Values**: non-negative integer strings
+
+When enabled, the labeler evaluates configured CEL expressions against the node and associated DRA ResourceSlices. Current labels reflect the observed count. Expected labels come from an override or the maximum learned count among nodes in the same grouping-label partition.
+
 ## Key Features
 
 ### Self-Configuration