Use helmrelease for the karpenter-bundle (#1422)

* Use helmrelease for the karpenter-bundle

* Apply suggestions from code review

Co-authored-by: Andreas Sommer <[email protected]>

* Make baseDomain required

* Bump flux HelmRelease apiversion to v2

* Update changelog

---------

Co-authored-by: Andreas Sommer <[email protected]>

Author: fiunchinho

CHANGELOG.md

@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Chart: Update `cluster` to v4.0.2.
 - The container registry passed as value to default apps is set to `gsoci.azurecr.io`, regardless of the cluster region. The mirroring feature of `containerd` will make sure the right registry is used.
+- Switch to HelmReleases to install `karpenter` and `karpenter-crossplane-resources` charts.
+- Bump flux `HelmReleases` api version to v2.
 
 ### Removed
 

helm/cluster-aws/README.md

@@ -188,6 +188,13 @@ Configuration of apps that are part of the cluster.
 | `global.apps.k8sDnsNodeCache.extraConfigs[*].name` | **Name** - Name of the config map or secret. The object must exist in the same namespace as the cluster App.|**Type:** `[string]`<br/>|
 | `global.apps.k8sDnsNodeCache.extraConfigs[*].priority` | **Priority**|**Type:** `[integer]`<br/>**Default:** `25`|
 | `global.apps.k8sDnsNodeCache.values` | **Config map** - Helm Values to be passed to the app as user config.|**Type:** `[object]`<br/>|
+| `global.apps.karpenter` | **App resource** - Configuration of a default app that is part of the cluster and is deployed as an App resource.|**Type:** `[object]`<br/>|
+| `global.apps.karpenter.extraConfigs` | **Extra config maps or secrets** - Extra config maps or secrets that will be used to customize to the app. The desired values must be under configmap or secret key 'values'. The values are merged in the order given, with the later values overwriting earlier, and then inline values overwriting those. Resources must be in the same namespace as the cluster.|**Type:** `[array]`<br/>|
+| `global.apps.karpenter.extraConfigs[*]` | **Config map or secret**|**Type:** `[object]`<br/>|
+| `global.apps.karpenter.extraConfigs[*].kind` | **Kind** - Specifies whether the resource is a config map or a secret.|**Type:** `[string]`<br/>|
+| `global.apps.karpenter.extraConfigs[*].name` | **Name** - Name of the config map or secret. The object must exist in the same namespace as the cluster App.|**Type:** `[string]`<br/>|
+| `global.apps.karpenter.extraConfigs[*].priority` | **Priority**|**Type:** `[integer]`<br/>**Default:** `25`|
+| `global.apps.karpenter.values` | **Config map** - Helm Values to be passed to the app as user config.|**Type:** `[object]`<br/>|
 | `global.apps.metricsServer` | **App resource** - Configuration of a default app that is part of the cluster and is deployed as an App resource.|**Type:** `[object]`<br/>|
 | `global.apps.metricsServer.extraConfigs` | **Extra config maps or secrets** - Extra config maps or secrets that will be used to customize to the app. The desired values must be under configmap or secret key 'values'. The values are merged in the order given, with the later values overwriting earlier, and then inline values overwriting those. Resources must be in the same namespace as the cluster.|**Type:** `[array]`<br/>|
 | `global.apps.metricsServer.extraConfigs[*]` | **Config map or secret**|**Type:** `[object]`<br/>|

helm/cluster-aws/templates/aws-ebs-csi-driver-helmrelease.yaml

@@ -15,7 +15,7 @@ global:
   podSecurityStandards:
     enforced: {{ .Values.global.podSecurityStandards.enforced }}
 {{- end }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ include "resource.default.name" $ }}-aws-ebs-csi-driver

helm/cluster-aws/templates/cloud-provider-aws-helmrelease.yaml

@@ -13,7 +13,7 @@ global:
   podSecurityStandards:
     enforced: {{ .Values.global.podSecurityStandards.enforced }}
 {{- end }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ include "resource.default.name" $ }}-cloud-provider-aws

helm/cluster-aws/templates/karpenter-apps.yaml

@@ -0,0 +1,37 @@
+{{- if include "hasKarpenterNodePool" . }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ include "resource.default.name" $ }}-karpenter-crossplane-resources
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    cluster.giantswarm.io/description: "{{ .Values.global.metadata.description }}"
+  labels:
+    cluster-apps-operator.giantswarm.io/watching: ""
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  suspend: false
+  releaseName: {{ include "resource.default.name" $ }}-karpenter-crossplane-resources
+  targetNamespace: {{ $.Release.Namespace | quote }}
+  storageNamespace: {{ $.Release.Namespace | quote }}
+  chart:
+    spec:
+      chart: karpenter-crossplane-resources
+      {{- $_ := set $ "appName" "karpenter-crossplane-resources" }}
+      version: {{ include "cluster.app.version" $ }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ include "resource.default.name" $ }}-{{ include "cluster.app.catalog" $ }}
+  serviceAccountName: automation
+  interval: 5m
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  valuesFrom:
+    - kind: ConfigMap
+      name: {{ include "resource.default.name" $ }}-crossplane-config
+      valuesKey: values
+{{- end }}

helm/cluster-aws/templates/karpenter-crossplane-resources-helmrelease.yaml

@@ -0,0 +1,97 @@
+{{/* Default Helm values for the app */}}
+{{/* See schema for the appropriate app version here https://github.com/giantswarm/karpenter-app/blob/main/helm/karpenter/values.schema.json */}}
+{{- define "defaultkarpenterHelmValues" }}
+additionalLabels:
+  application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | default "phoenix" | quote }}
+  giantswarm.io/managed-by: {{ .Release.Name | quote }}
+  giantswarm.io/service-type: managed
+settings:
+  clusterEndpoint: {{ printf "%s.%s.%s" "http://api" (include "resource.default.name" $) (required "global.connectivity.baseDomain is required" .Values.global.connectivity.baseDomain) }}
+  clusterName: {{ include "resource.default.name" $ }}
+  interruptionQueue: {{ include "resource.default.name" $ }}-karpenter
+controller:
+  env:
+    - name: AWS_REGION
+      value: {{ include "aws-region" $ }}
+    - name: AWS_ROLE_ARN
+      value: arn:{{ include "aws-partition" $ }}:iam::{{ include "aws-account-id" $ }}:role/{{ include "resource.default.name" $ }}-karpenter
+    - name: AWS_WEB_IDENTITY_TOKEN_FILE
+      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+  extraVolumeMounts:
+    - name: aws-iam-token
+      mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount/
+      readOnly: true
+  image:
+    repository: {{ include "awsContainerImageRegistry" . }}/giantswarm/karpenter-controller
+dnsPolicy: Default
+extraVolumes:
+  - name: aws-iam-token
+    projected:
+      sources:
+        - serviceAccountToken:
+            audience: {{ include "awsApiServerApiAudiences" $ | trim }}
+            expirationSeconds: 86400
+            path: token
+nodeSelector:
+  node-role.kubernetes.io/control-plane: ""
+serviceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:{{ include "aws-partition" $ }}:iam::{{ include "aws-account-id" $ }}:role/{{ include "resource.default.name" $ }}-karpenter
+tolerations:
+  - key: "node-role.kubernetes.io/control-plane"
+    operator: "Exists"
+    effect: "NoSchedule"
+{{- end }}
+{{- if include "hasKarpenterNodePool" . }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ include "resource.default.name" $ }}-karpenter
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    cluster.giantswarm.io/description: "{{ .Values.global.metadata.description }}"
+  labels:
+    cluster-apps-operator.giantswarm.io/watching: ""
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  suspend: false
+  releaseName: karpenter
+  targetNamespace: karpenter
+  storageNamespace: karpenter
+  chart:
+    spec:
+      chart: karpenter
+      {{- $_ := set $ "appName" "karpenter" }}
+      version: {{ include "cluster.app.version" $ }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ include "resource.default.name" $ }}-{{ include "cluster.app.catalog" $ }}
+  kubeConfig:
+    secretRef:
+      name: {{ include "resource.default.name" $ }}-kubeconfig
+  interval: 5m
+  timeout: 15m # We need a bigger timeout because it could take a while for IRSA (via CloudFront) to become available
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  {{- $karpenterHelmValues := (include "defaultkarpenterHelmValues" .) | fromYaml -}}
+  {{- $customkarpenterHelmValues := $.Values.global.apps.karpenter.values -}}
+  {{- if $customkarpenterHelmValues }}
+  {{- $karpenterHelmValues = merge (deepCopy $customkarpenterHelmValues) $karpenterHelmValues -}}
+  {{- end }}
+  {{- if $karpenterHelmValues }}
+  values: {{- $karpenterHelmValues | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if $.Values.global.apps.karpenter.extraConfigs }}
+    {{- range $config := $.Values.global.apps.karpenter.extraConfigs }}
+    - kind: {{ $config.kind }}
+      name: {{ $config.name }}
+      valuesKey: values
+      optional: {{ $config.optional | default false  }}
+    {{- end }}
+  {{- end }}
+{{- end }}

helm/cluster-aws/templates/karpenter-helmrelease.yaml

@@ -1299,6 +1299,12 @@
                             "title": "k8s-dns-node-cache",
                             "description": "Configuration of k8s-dns-node-cache. For all available values see https://github.com/giantswarm/k8s-dns-node-cache-app."
                         },
+                        "karpenter": {
+                            "$ref": "#/$defs/app",
+                            "type": "object",
+                            "title": "karpenter",
+                            "description": "Configuration of karpenter. For all available values see https://github.com/giantswarm/karpenter-app."
+                        },
                         "metricsServer": {
                             "$ref": "#/$defs/app",
                             "type": "object",

helm/cluster-aws/values.schema.json

@@ -291,6 +291,7 @@ global:
     irsaServiceMonitors: {}
     k8sAuditMetrics: {}
     k8sDnsNodeCache: {}
+    karpenter: {}
     metricsServer: {}
     netExporter: {}
     networkPolicies: {}