
merge karpenter changes into production #1406

Merged
merged 10 commits into from
Sep 13, 2024
30 changes: 26 additions & 4 deletions .github/actions/sync-remote-directory/action.yaml
Expand Up @@ -18,15 +18,38 @@ inputs:
github_token:
description: 'Github token to use to pull and push the remote'
required: true
tag:
description: 'Tag to checkout from the remote repository'
required: false
type: string

runs:
using: composite
steps:
- name: Checkout ${{ inputs.remote_owner }}/${{ inputs.remote_repository }}
shell: bash
env:
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
run: gh repo clone ${{ inputs.remote_owner }}/${{ inputs.remote_repository }}
run: |
gh repo clone ${{ inputs.remote_owner }}/${{ inputs.remote_repository }}
if [ ! -z "${{ inputs.tag }}" ]; then
cd ${{ inputs.remote_repository }}
git checkout ${{ inputs.tag }}
echo "Checked out tag: ${{ inputs.tag }}"
cd ..
else
echo "No tag specified, using default branch"
fi
- name: Replace symlinks with actual files
shell: bash
run: |
find . -type l | while read -r link; do
# Replace symlinks with actual files to ensure proper copying
echo "Replacing symlink: $link with actual file"
target=$(readlink -f "$link")
rm "$link"
cp -R "$target" "$link"
done
- name: Copy required directory
shell: bash
run: |
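Review bot: the new `run:` block splices `${{ inputs.tag }}` and `${{ inputs.remote_repository }}` directly into the shell script, so the value of an unvalidated `type: string` input is parsed as shell rather than handled as data, and `git checkout ${{ inputs.tag }}` / `cd ${{ inputs.remote_repository }}` are also unquoted. Expose them through the existing `env:` map instead and reference them as quoted shell variables, e.g. `TAG: ${{ inputs.tag }}` next to `GITHUB_TOKEN`, then `if [ -n "$TAG" ]; then git -C "$REPO" checkout "$TAG"; fi`. In the symlink step, `target=$(readlink -f "$link")` followed by `cp -R "$target" "$link"` has no containment check, so an absolute or `..` symlink in the upstream chart would copy a file from outside the clone into the vendored tree; verify the resolved target is under the clone directory and skip (or fail on) dangling links with a clear message before calling `cp`.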
Expand All @@ -42,7 +65,6 @@ runs:
add-paths: |
vendored-charts
${{ inputs.target_directory }}
title: "Sync: ${{ inputs.remote_owner }}/${{ inputs.remote_repository }} - ${{ inputs.remote_directory }}"
title: "Sync: ${{ inputs.remote_owner }}/${{ inputs.remote_repository }} - ${{ inputs.remote_directory }} (Tag: ${{ inputs.tag }})"
branch: "${{ inputs.target_directory }}"
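Review bot: the new title renders as `(Tag: )` whenever `tag` is empty, which is the case for every matrix entry that does not set one; wrap it in an expression such as `${{ inputs.tag && format('(Tag: {0})', inputs.tag) || '' }}` so untagged syncs keep a clean PR title.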


2 changes: 2 additions & 0 deletions .github/workflows/sync-remote-helm-charts.yaml
Expand Up @@ -121,6 +121,7 @@ jobs:
remote_repository: karpenter-provider-aws
remote_directory: charts/karpenter
target_directory: addons/karpenter-aws
tag: v1.0.2

permissions:
contents: write
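Review bot: `tag: v1.0.2` pins the karpenter-aws sync to a 1.x release, while the vendored `addons/karpenter-aws/Chart.yaml`, README and values in this same PR end at `0.37.0`; the next run of this workflow will rewrite the directory with the v1.0.2 chart, so confirm which version production is meant to carry before merging both. A git tag is also mutable upstream; recording the commit SHA the tag resolved to (for example in the generated PR body) makes later audits of the vendored content possible.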
Expand All @@ -139,6 +140,7 @@ jobs:
remote_repository: ${{ matrix.charts.remote_repository }}
remote_directory: ${{ matrix.charts.remote_directory }}
target_directory: ${{ matrix.charts.target_directory }}
tag: ${{ matrix.charts.tag }}
github_token: ${{ secrets.GITHUB_TOKEN }}
env:
CHARTMUSEUM_URL: ${{ vars.PUBLIC_CHARTMUSEUM_ADDONS_URL }}
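Review bot: `tag: ${{ matrix.charts.tag }}` evaluates to an empty string for every matrix entry that does not define `tag`, which the action then treats as "use the default branch"; since this workflow feeds production, consider making `tag` mandatory for all entries (or failing the job when it is empty) so unpinned default-branch content cannot be vendored silently.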
4 changes: 2 additions & 2 deletions addons/karpenter-aws/Chart.yaml
Expand Up @@ -2,8 +2,8 @@ apiVersion: v2
name: karpenter
description: A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.
type: application
version: 1.0.0
appVersion: 1.0.0
version: 0.37.0
appVersion: 0.37.0
keywords:
- cluster
- node
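Review bot: `version`/`appVersion` move from `1.0.0` to `0.37.0`, i.e. the vendored chart is being downgraded; Helm only installs files under `crds/` on first install and never rolls them back, so clusters already on the 1.0.0 chart will keep the newer CRD schema while running the 0.37.0 controller. State in the PR description whether this is an intentional rollback and how existing installs are handled.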
20 changes: 13 additions & 7 deletions addons/karpenter-aws/README.md
Expand Up @@ -2,7 +2,7 @@

A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.

![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
![Version: 0.37.0](https://img.shields.io/badge/Version-0.37.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.37.0](https://img.shields.io/badge/AppVersion-0.37.0-informational?style=flat-square)

## Documentation

Expand All @@ -15,7 +15,7 @@ You can follow the detailed installation instruction in the [documentation](http
```bash
helm upgrade --install --namespace karpenter --create-namespace \
karpenter oci://public.ecr.aws/karpenter/karpenter \
--version 1.0.0 \
--version 0.37.0 \
--set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${KARPENTER_IAM_ROLE_ARN}" \
--set settings.clusterName=${CLUSTER_NAME} \
--set settings.interruptionQueue=${CLUSTER_NAME} \
Expand All @@ -27,13 +27,13 @@ helm upgrade --install --namespace karpenter --create-namespace \
As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.

```shell
cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
cosign verify public.ecr.aws/karpenter/karpenter:0.37.0 \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
--certificate-github-workflow-repository=aws/karpenter-provider-aws \
--certificate-github-workflow-name=Release \
--certificate-github-workflow-ref=refs/tags/v1.0.0 \
--annotations version=1.0.0
--certificate-github-workflow-ref=refs/tags/v0.37.0 \
--annotations version=0.37.0
```

## Values
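Review bot: the OCI reference, `--certificate-github-workflow-ref=refs/tags/v0.37.0` and `--annotations version=0.37.0` are updated together, so the cosign command stays internally consistent; note though that this verifies the chart published to `public.ecr.aws`, whereas what this repository vendors comes from a `gh repo clone` plus `git checkout` of the tag with no signature check, so the README step does not attest the files in `addons/karpenter-aws`.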
Expand All @@ -48,9 +48,9 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
| controller.envFrom | list | `[]` | |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
| controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
| controller.image.digest | string | `"sha256:1eb1073b9f4ed804634aabf320e4d6e822bb61c0f5ecfd9c3a88f05f1ca4c5c5"` | SHA256 digest of the controller image. |
| controller.image.digest | string | `"sha256:157f478f5db1fe999f5e2d27badcc742bf51cc470508b3cebe78224d0947674f"` | SHA256 digest of the controller image. |
| controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
| controller.image.tag | string | `"1.0.0"` | Tag of the controller image. |
| controller.image.tag | string | `"0.37.0"` | Tag of the controller image. |
| controller.metrics.port | int | `8080` | The container port to use for metrics. |
| controller.resources | object | `{}` | Resources for the controller pod. |
| controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
Expand All @@ -72,6 +72,9 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
| podDisruptionBudget.name | string | `"karpenter"` | |
| podLabels | object | `{}` | Additional labels for the pod. |
| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
| postInstallHook.image.digest | string | `"sha256:13a2ad1bd37ce42ee2a6f1ab0d30595f42eb7fe4a90d6ec848550524104a1ed6"` | SHA256 digest of the post-install hook image. |
| postInstallHook.image.repository | string | `"public.ecr.aws/bitnami/kubectl"` | Repository path to the post-install hook. This minimally needs to have `kubectl` installed |
| postInstallHook.image.tag | string | `"1.30"` | Tag of the post-install hook image. |
| priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
| replicas | int | `2` | Number of replicas. |
| revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
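Review bot: the new `postInstallHook.image.*` values introduce a third-party image (`public.ecr.aws/bitnami/kubectl:1.30`) that runs `kubectl` inside the cluster after install; it is digest-pinned, which is good, but the table only says the image "minimally needs to have `kubectl` installed". Document what the hook does and which RBAC it runs with, and consider mirroring the image alongside the vendored chart rather than pulling from a registry the chart's own cosign verification does not cover.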
Expand All @@ -97,6 +100,9 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
| terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the pod. |
| tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Tolerations to allow the pod to be scheduled to nodes with taints. |
| topologySpreadConstraints | list | `[{"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}]` | Topology spread constraints to increase the controller resilience by distributing pods across the cluster zones. If an explicit label selector is not provided one will be created from the pod selector labels. |
| webhook.enabled | bool | `true` | Whether to enable the webhooks and webhook permissions. |
| webhook.metrics.port | int | `8001` | The container port to use for webhook metrics. |
| webhook.port | int | `8443` | The container port to use for the webhook. |

----------------------------------------------

48 changes: 4 additions & 44 deletions addons/karpenter-aws/crds/karpenter.k8s.aws_ec2nodeclasses.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
controller-gen.kubebuilder.io/version: v0.16.2
name: ec2nodeclasses.karpenter.k8s.aws
spec:
group: karpenter.k8s.aws
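Review bot: the `controller-gen.kubebuilder.io/version` bump is the only functional change in this file; the remaining hunks below are blank-line removals inside `description:` blocks and a shortened description for the condition `type` field, with the `pattern`, `maxLength` and `enum` entries unchanged. Please state that in the PR description so reviewers do not have to read the full 1300-line CRD diff to confirm no schema change.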
Expand Down Expand Up @@ -164,24 +164,18 @@ spec:
gp2 volumes, this represents the baseline performance of the volume and the
rate at which the volume accumulates I/O credits for bursting.


The following are the supported values for each volume type:


* gp3: 3,000-16,000 IOPS


* io1: 100-64,000 IOPS


* io2: 100-64,000 IOPS


For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built
on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances).
Other instance families guarantee performance up to 32,000 IOPS.


This parameter is supported for io1, io2, and gp3 volumes only. This parameter
is not supported for gp2, st1, sc1, or standard volumes.
format: int64
Expand All @@ -204,16 +198,12 @@ spec:
a volume size. The following are the supported volumes sizes for each volume
type:


* gp2 and gp3: 1-16,384


* io1 and io2: 4-16,384


* st1 and sc1: 125-16,384


* standard: 1-1,024
pattern: ^((?:[1-9][0-9]{0,3}|[1-4][0-9]{4}|[5][0-8][0-9]{3}|59000)Gi|(?:[1-9][0-9]{0,3}|[1-5][0-9]{4}|[6][0-3][0-9]{3}|64000)G|([1-9]||[1-5][0-7]|58)Ti|([1-9]||[1-5][0-9]|6[0-3]|64)T)$
type: string
Expand Down Expand Up @@ -392,14 +382,12 @@ spec:
description: |-
MetadataOptions for the generated launch template of provisioned nodes.


This specifies the exposure of the Instance Metadata Service to
provisioned EC2 nodes. For more information,
see Instance Metadata and User Data
(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
in the Amazon Elastic Compute Cloud User Guide.


Refer to recommended, security best practices
(https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node)
for limiting exposure of Instance Metadata and User Data to pods.
Expand All @@ -414,7 +402,6 @@ spec:
nodes. If metadata options is non-nil, but this parameter is not specified,
the default state is "enabled".


If you specify a value of "disabled", instance metadata will not be accessible
on the node.
enum:
Expand Down Expand Up @@ -450,14 +437,12 @@ spec:
requests. If metadata options is non-nil, but this parameter is not
specified, the default state is "required".


If the state is optional, one can choose to retrieve instance metadata with
or without a signed token header on the request. If one retrieves the IAM
role credentials without a token, the version 1.0 role credentials are
returned. If one retrieves the IAM role credentials using a valid signed
token, the version 2.0 role credentials are returned.


If the state is "required", one must send a signed token header with any
instance metadata retrieval requests. In this state, retrieving the IAM
role credentials always returns the version 2.0 credentials; the version
Expand Down Expand Up @@ -693,12 +678,7 @@ spec:
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
Expand Down Expand Up @@ -864,24 +844,18 @@ spec:
gp2 volumes, this represents the baseline performance of the volume and the
rate at which the volume accumulates I/O credits for bursting.


The following are the supported values for each volume type:


* gp3: 3,000-16,000 IOPS


* io1: 100-64,000 IOPS


* io2: 100-64,000 IOPS


For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built
on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances).
Other instance families guarantee performance up to 32,000 IOPS.


This parameter is supported for io1, io2, and gp3 volumes only. This parameter
is not supported for gp2, st1, sc1, or standard volumes.
format: int64
Expand All @@ -904,16 +878,12 @@ spec:
a volume size. The following are the supported volumes sizes for each volume
type:


* gp2 and gp3: 1-16,384


* io1 and io2: 4-16,384


* st1 and sc1: 125-16,384


* standard: 1-1,024
pattern: ^((?:[1-9][0-9]{0,3}|[1-4][0-9]{4}|[5][0-8][0-9]{3}|59000)Gi|(?:[1-9][0-9]{0,3}|[1-5][0-9]{4}|[6][0-3][0-9]{3}|64000)G|([1-9]||[1-5][0-7]|58)Ti|([1-9]||[1-5][0-9]|6[0-3]|64)T)$
type: string
Expand Down Expand Up @@ -978,14 +948,12 @@ spec:
description: |-
MetadataOptions for the generated launch template of provisioned nodes.


This specifies the exposure of the Instance Metadata Service to
provisioned EC2 nodes. For more information,
see Instance Metadata and User Data
(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
in the Amazon Elastic Compute Cloud User Guide.


Refer to recommended, security best practices
(https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node)
for limiting exposure of Instance Metadata and User Data to pods.
Expand All @@ -1000,7 +968,6 @@ spec:
nodes. If metadata options is non-nil, but this parameter is not specified,
the default state is "enabled".


If you specify a value of "disabled", instance metadata will not be accessible
on the node.
enum:
Expand Down Expand Up @@ -1036,14 +1003,12 @@ spec:
requests. If metadata options is non-nil, but this parameter is not
specified, the default state is "required".


If the state is optional, one can choose to retrieve instance metadata with
or without a signed token header on the request. If one retrieves the IAM
role credentials without a token, the version 1.0 role credentials are
returned. If one retrieves the IAM role credentials using a valid signed
token, the version 2.0 role credentials are returned.


If the state is "required", one must send a signed token header with any
instance metadata retrieval requests. In this state, retrieving the IAM
role credentials always returns the version 2.0 credentials; the version
Expand Down Expand Up @@ -1269,12 +1234,7 @@ spec:
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
Expand Down Expand Up @@ -1343,4 +1303,4 @@ spec:
service:
name: karpenter
namespace: kube-system
port: 8443
port: 8443
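Review bot: with `webhook.enabled` defaulting to `true` in the new values table and the conversion service here fixed to `name: karpenter` / `namespace: kube-system` on port `8443`, the CRD will point at the wrong namespace if the chart is installed the way the README shows (`--namespace karpenter --create-namespace`); either the install namespace or this service block needs to agree, so note the expected namespace for production and check the vendored CRD against it after each sync.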