Merge remote-tracking branch 'origin/dev' into karpenter-update

Author: myaser

cluster/config-defaults.yaml

@@ -903,12 +903,14 @@ stackset_configmap_support_enabled: "true"
 stackset_configmap_support_enabled: "false"
 {{end}}
 
+# enable/disable secret support for stackset
+stackset_secret_support_enabled: "false"
+
 # enable/disable traffic segment support for stackset
+stackset_enable_traffic_segments: "false"
 {{if eq .Cluster.Environment "e2e"}}
-stackset_enable_traffic_segments: "true"
 stackset_annotated_traffic_segments: "true"
 {{else}}
-stackset_enable_traffic_segments: "false"
 stackset_annotated_traffic_segments: "false"
 {{end}}
 

cluster/manifests/skipper/deployment.yaml

@@ -1,5 +1,5 @@
 {{ $internal_version := "v0.19.32-783" }}
-{{ $canary_internal_version := "v0.19.39-790" }}
+{{ $canary_internal_version := "v0.19.44-795" }}
 
 {{/* Optional canary arguments separated by "[cf724afc]" to allow whitespaces, e.g. "-foo=has a whitespace[cf724afc]-baz=qux" */}}
 {{ $canary_args := "" }}

cluster/manifests/stackset-controller/01-stack-crd.yaml

@@ -349,7 +349,7 @@ spec:
                 - maxReplicas
                 - metrics
                 type: object
-{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
+{{- if or (eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true") (eq .Cluster.ConfigItems.stackset_secret_support_enabled "true") }}
               configurationResources:
                 description: ConfigurationResources describes the ConfigMaps that
                   will be created. Later Secrets and PlatformCredentialSets will also
@@ -358,14 +358,26 @@ spec:
                   description: ConfigurationResourcesSpec makes it possible to defined
                     the config resources to be created
                   properties:
+{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
                     configMapRef:
-                      description: ConfigMap to be versioned for Stack
+                      description: ConfigMap to be owned by Stack
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+{{ end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+                    secretRef:
+                      description: Secret to be owned by Stack
                       properties:
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                             TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
                       type: object
+{{ end }}
                   type: object
                 type: array
 {{ end }}

cluster/manifests/stackset-controller/01-stackset-crd.yaml

@@ -596,7 +596,7 @@ spec:
                         - maxReplicas
                         - metrics
                         type: object
-{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
+{{- if or (eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true") (eq .Cluster.ConfigItems.stackset_secret_support_enabled "true") }}
                       configurationResources:
                         description: ConfigurationResources describes the ConfigMaps
                           that will be created. Later Secrets and PlatformCredentialSets
@@ -605,15 +605,28 @@ spec:
                           description: ConfigurationResourcesSpec makes it possible
                             to defined the config resources to be created
                           properties:
+{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
                             configMapRef:
-                              description: ConfigMap to be versioned for Stack
+                              description: ConfigMap to be owned by Stack
                               properties:
                                 name:
                                   description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                     TODO: Add other useful fields. apiVersion, kind,
                                     uid?'
                                   type: string
                               type: object
+{{ end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+                            secretRef:
+                              description: Secret to be owned by Stack
+                              properties:
+                                name:
+                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Add other useful fields. apiVersion, kind,
+                                    uid?'
+                                  type: string
+                              type: object
+{{ end }}
                           type: object
                         type: array
 {{ end }}

cluster/manifests/stackset-controller/deployment.yaml

@@ -1,4 +1,4 @@
-{{ $version := "v1.4.27" }}
+{{ $version := "v1.4.31" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -40,6 +40,9 @@ spec:
 {{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
         - "--enable-configmap-support"
 {{- end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+        - "--enable-secret-support"
+{{- end }}
 {{- if eq .Cluster.ConfigItems.stackset_enable_traffic_segments "true" }}
         - "--enable-traffic-segments"
 {{- end }}

cluster/manifests/stackset-controller/rbac.yaml

@@ -110,6 +110,17 @@ rules:
   - create
   - update
 {{- end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

cluster/node-pools/worker-karpenter/provisioners.yaml

@@ -138,6 +138,11 @@ spec:
           operator: "NotIn"
           values:
             - "metal"
+        # exclude instance-types with slow SSD
+        - key: "node.kubernetes.io/instance-type"
+          operator: "NotIn"
+          values:
+            - "c5d.large"
 #{{ else }}
         - key: "node.kubernetes.io/instance-type"
           operator: In
@@ -167,15 +172,15 @@ spec:
       # Karpenter provides the ability to specify a few additional Kubelet args.
       # These are all optional and provide support for additional customization and use cases.
       kubelet:
-        clusterDNS: ["10.0.1.100"]
+        clusterDNS: [ "10.0.1.100" ]
+        cpuCFSQuota: false
+        maxPods: { { nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) (parseInt64 .Cluster.ConfigItems.node_max_pods_extra_capacity) } }
         systemReserved:
           cpu: "{{ .Cluster.ConfigItems.kubelet_system_reserved_cpu }}"
           memory: "{{ .Cluster.ConfigItems.kubelet_system_reserved_memory }}"
         kubeReserved:
           cpu: "{{ .Cluster.ConfigItems.kubelet_kube_reserved_cpu }}"
           memory: "{{ .Cluster.ConfigItems.kubelet_kube_reserved_memory }}"
-        maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) (parseInt64 .Cluster.ConfigItems.node_max_pods_extra_capacity) }}
-        cpuCFSQuota: false
   # Disruption section which describes the ways in which Karpenter can disrupt and replace Nodes
   # Configuration in this section constrains how aggressive Karpenter can be with performing operations
   # like rolling Nodes due to them hitting their maximum lifetime (expiry) or scaling down nodes to reduce cluster cost