Add taint remover (#1527)

paurosello · web-flow · commit 07c551510f71 · 2025-10-17T16:09:46.000+02:00
* add taint remover

* fix chart name

* fix storage ns

* Refactor terminationGracePeriod handling
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add `capa-karpenter-taint-remover` to handle CAPA - Karpenter taint race condition.
+
 ### Changed
 
 - Set `terminationGracePeriod` default to 30m, to avoid having `karpenter` nodes stuck in `Deleting` state due to `Pods` blocking the deletion i.e. PDBs.
diff --git a/helm/cluster-aws/templates/_karpenter_machine_pools.tpl b/helm/cluster-aws/templates/_karpenter_machine_pools.tpl
@@ -155,9 +155,7 @@ spec:
           {{- end }}
         {{- end }}
         {{- end }}
-        {{- with $value.terminationGracePeriod }}
-        terminationGracePeriod: {{ . | default "30m" }}
-        {{- end }}
+        terminationGracePeriod: {{ $value.terminationGracePeriod | default "30m" }}
 ---
 {{ end }}
 {{ end }}
diff --git a/helm/cluster-aws/templates/karpenter-helmrelease.yaml b/helm/cluster-aws/templates/karpenter-helmrelease.yaml
@@ -94,4 +94,40 @@ spec:
       optional: {{ $config.optional | default false  }}
     {{- end }}
   {{- end }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ include "resource.default.name" $ }}-karpenter-taint
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    cluster.giantswarm.io/description: "{{ .Values.global.metadata.description }}"
+  labels:
+    cluster-apps-operator.giantswarm.io/watching: ""
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  suspend: false
+  releaseName: karpenter-taint
+  targetNamespace: karpenter
+  storageNamespace: karpenter
+  chart:
+    spec:
+      chart: capa-karpenter-taint-remover
+      {{- $_ := set $ "appName" "capa-karpenter-taint-remover" }}
+      version: {{ include "cluster.app.version" $ }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ include "resource.default.name" $ }}-{{ include "cluster.app.catalog" $ }}
+  kubeConfig:
+    secretRef:
+      name: {{ include "resource.default.name" $ }}-kubeconfig
+  interval: 5m
+  timeout: 15m # We need a bigger timeout because it could take a while for IRSA (via CloudFront) to become available
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
 {{- end }}
