Merge branch 'aws:main' into main

.github/actions/e2e/run-tests-private-cluster/action.yaml

@@ -93,7 +93,7 @@ runs:
       CLUSTER_VPC_ID: ${{ env.CLUSTER_VPC_ID }}
       EKS_CLUSTER_SG: ${{ env.EKS_CLUSTER_SG }}
       CLEANUP: ${{ inputs.cleanup }}
-    uses: aws-actions/aws-codebuild-run-build@f59b837dd074776bd06619e7e22fb62161eab324 #v1.0.15
+    uses: aws-actions/aws-codebuild-run-build@bac11849fa027acec49500ca10519f1fc4f63c19 # v1.0.16
     with:
       project-name: E2EPrivateClusterCodeBuildProject-us-east-1
       buildspec-override: |

.github/workflows/approval-comment.yaml

@@ -19,7 +19,7 @@ jobs:
           mkdir -p /tmp/artifacts
           { echo "$REVIEW_BODY"; echo "$PULL_REQUEST_NUMBER"; echo "$COMMIT_ID"; } >> /tmp/artifacts/metadata.txt
           cat /tmp/artifacts/metadata.txt
-      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: artifacts
           path: /tmp/artifacts

.github/workflows/e2e-matrix.yaml

@@ -102,7 +102,7 @@ jobs:
       statuses: write # ./.github/actions/commit-status/start
     uses: ./.github/workflows/e2e-upgrade.yaml
     with:
-      from_git_ref: b3076dca62a81caae2d3c4af4fd378c83a901c48
+      from_git_ref: 2f4cebea345e6a399ea00149ec7a41269739bb3b
       to_git_ref: ${{ inputs.git_ref }}
       region: ${{ inputs.region }}
       k8s_version: ${{ inputs.k8s_version }}

.golangci.yaml

@@ -7,7 +7,7 @@ linters:
     - asciicheck
     - bidichk
     - errorlint
-    - exportloopref
+    - copyloopvar
     - gosec
     - revive
     - stylecheck

ADOPTERS.md

@@ -40,6 +40,7 @@ If you are open to others contacting you about your use of Karpenter on Slack, a
 | Omaze | Intelligently using Karpenter's autoscaling to power our platforms | `@devopsidiot` | [Homepage](https://www.omaze.com/) |
 | PITS Global Data Recovery Services | Used to manage continuous integration and continuous delivery/deployment workflows. | N/A | [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/) |
 | PlanetScale | Leveraging Karpenter to dynamically deploy serverless MySQL workloads. | `@jtcunning` | [Homepage](https://www.planetscale.com/) |
+| Postnord | Using Karpenter for Node Lifecycle Management & Autoscaling. | `@dhaval-vithalani` | [Homepage](https://www.postnord.com/) |
 | QuestDB | Using Karpenter for the service nodes of the QuestBD Cloud (time-series database). | [questdb slack group](https://slack.questdb.io/) | [QuestDB](https://questdb.io/) |
 | Rapid7 | Using Karpenter across all of our Kubernetes infrastructure for efficient autoscaling, both in terms of speed and cost | `@arobinson`, `@Ross Kirk`, `@Ryan Williams` | [Homepage](https://www.rapid7.com/) |
 | Sendcloud | Using Karpenter to scale our k8s clusters for Europe’s #1 shipping automation platform  | N/A | [Homepage](https://www.sendcloud.com/) |

Makefile

@@ -46,7 +46,6 @@ run: ## Run Karpenter controller binary against your local cluster
 	SYSTEM_NAMESPACE=${KARPENTER_NAMESPACE} \
 		KUBERNETES_MIN_VERSION="1.19.0-0" \
 		DISABLE_LEADER_ELECTION=true \
-		DISABLE_WEBHOOK=true \
 		CLUSTER_NAME=${CLUSTER_NAME} \
 		INTERRUPTION_QUEUE=${CLUSTER_NAME} \
 		FEATURE_GATES="SpotToSpotConsolidation=true" \
@@ -106,7 +105,6 @@ verify: tidy download ## Verify code. Includes dependencies, linting, formatting
 	hack/validation/requirements.sh
 	hack/validation/labels.sh
 	cp pkg/apis/crds/* charts/karpenter-crd/templates
-	hack/mutation/conversion_webhooks_injection.sh
 	hack/github/dependabot.sh
 	$(foreach dir,$(MOD_DIRS),cd $(dir) && golangci-lint run $(newline))
 	@git diff --quiet ||\

charts/karpenter/README.md

@@ -72,9 +72,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
 | podDisruptionBudget.name | string | `"karpenter"` |  |
 | podLabels | object | `{}` | Additional labels for the pod. |
 | podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
-| postInstallHook.image.digest | string | `"sha256:13a2ad1bd37ce42ee2a6f1ab0d30595f42eb7fe4a90d6ec848550524104a1ed6"` | SHA256 digest of the post-install hook image. |
-| postInstallHook.image.repository | string | `"public.ecr.aws/bitnami/kubectl"` | Repository path to the post-install hook. This minimally needs to have `kubectl` installed |
-| postInstallHook.image.tag | string | `"1.30"` | Tag of the post-install hook image. |
 | priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
 | replicas | int | `2` | Number of replicas. |
 | revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
@@ -100,9 +97,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
 | terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the pod. |
 | tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Tolerations to allow the pod to be scheduled to nodes with taints. |
 | topologySpreadConstraints | list | `[{"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}]` | Topology spread constraints to increase the controller resilience by distributing pods across the cluster zones. If an explicit label selector is not provided one will be created from the pod selector labels. |
-| webhook.enabled | bool | `true` | Whether to enable the webhooks and webhook permissions. |
-| webhook.metrics.port | int | `8001` | The container port to use for webhook metrics. |
-| webhook.port | int | `8443` | The container port to use for the webhook. |
 
 ----------------------------------------------
 

charts/karpenter/templates/_helpers.tpl

@@ -75,17 +75,6 @@ Karpenter image to use
 {{- end }}
 {{- end }}
 
-{{/*
-Karpenter post-install hook image to use
-*/}}
-{{- define "karpenter.postInstallHook.image" -}}
-{{- if .Values.postInstallHook.image.digest }}
-{{- printf "%s:%s@%s" .Values.postInstallHook.image.repository  (default (printf "v%s" .Chart.AppVersion) .Values.postInstallHook.image.tag) .Values.postInstallHook.image.digest }}
-{{- else }}
-{{- printf "%s:%s" .Values.postInstallHook.image.repository  (default (printf "v%s" .Chart.AppVersion) .Values.postInstallHook.image.tag) }}
-{{- end }}
-{{- end }}
-
 
 {{/* Get PodDisruptionBudget API Version */}}
 {{- define "karpenter.pdb.apiVersion" -}}
@@ -151,29 +140,3 @@ This works because Helm treats dictionaries as mutable objects and allows passin
 {{- include "karpenter.patchLabelSelector" (merge (dict "_target" $constraint) $) }}
 {{- end }}
 {{- end }}
-
-{{/*
-Flatten the stdout logging outputs from args provided
-*/}}
-{{- define "karpenter.outputPathsList" -}}
-{{ $paths := list -}}
-{{- range .Values.logOutputPaths -}}
-    {{- if not (has (printf "%s" . | quote) $paths) -}}
-        {{- $paths = printf "%s" . | quote  | append $paths -}}
-    {{- end -}}
-{{- end -}}
-{{ $paths | join ", " }}
-{{- end -}}
-
-{{/*
-Flatten the stderr logging outputs from args provided
-*/}}
-{{- define "karpenter.errorOutputPathsList" -}}
-{{ $paths := list -}}
-{{- range .Values.logErrorOutputPaths -}}
-    {{- if not (has (printf "%s" . | quote) $paths) -}}
-        {{- $paths = printf "%s" . | quote  | append $paths -}}
-    {{- end -}}
-{{- end -}}
-{{ $paths | join ", " }}
-{{- end -}}

charts/karpenter/templates/clusterrole-core.yaml

@@ -41,15 +41,6 @@ rules:
   - apiGroups: ["apps"]
     resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
     verbs: ["list", "watch"]
-  {{- if .Values.webhook.enabled }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "watch", "list"]
-  {{- else }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get"]
-  {{- end }}
   - apiGroups: ["policy"]
     resources: ["poddisruptionbudgets"]
     verbs: ["get", "list", "watch"]
@@ -72,15 +63,6 @@ rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["delete"]
-  {{- if .Values.webhook.enabled }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["update", "patch"]
-  {{- else }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["patch"]
-  {{- end }}
   {{- with .Values.additionalClusterRoleRules -}}
   {{ toYaml . | nindent 2 }}
   {{- end -}}

charts/karpenter/templates/deployment.yaml

@@ -76,17 +76,17 @@ spec:
               value: "1.19.0-0"
             - name: KARPENTER_SERVICE
               value: {{ include "karpenter.fullname" . }}
-          {{- if .Values.webhook.enabled }}
-            - name: WEBHOOK_PORT
-              value: "{{ .Values.webhook.port }}"
-            - name: WEBHOOK_METRICS_PORT
-              value: "{{ .Values.webhook.metrics.port }}"
-          {{- end }}
-            - name: DISABLE_WEBHOOK
-              value: "{{ not .Values.webhook.enabled }}"
           {{- with .Values.logLevel }}
             - name: LOG_LEVEL
               value: "{{ . }}"
+          {{- end }}
+          {{- with .Values.logOutputPaths }}
+            - name: LOG_OUTPUT_PATHS
+              value: "{{ join "," . }}"
+          {{- end }}
+          {{- with .Values.logErrorOutputPaths }}
+            - name: LOG_ERROR_OUTPUT_PATHS
+              value: "{{ join "," . }}"
           {{- end }}
             - name: METRICS_PORT
               value: "{{ .Values.controller.metrics.port }}"
@@ -151,14 +151,6 @@ spec:
             - name: http-metrics
               containerPort: {{ .Values.controller.metrics.port }}
               protocol: TCP
-          {{- if .Values.webhook.enabled }}
-            - name: webhook-metrics
-              containerPort: {{ .Values.webhook.metrics.port }}
-              protocol: TCP
-            - name: https-webhook
-              containerPort: {{ .Values.webhook.port }}
-              protocol: TCP
-          {{- end }}
             - name: http
               containerPort: {{ .Values.controller.healthProbe.port }}
               protocol: TCP

charts/karpenter/templates/role.yaml

@@ -14,19 +14,7 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch"]
-{{- if .Values.webhook.enabled }}
-  - apiGroups: [""]
-    resources: ["configmaps", "secrets"]
-    verbs: ["get", "list", "watch"]
-{{- end }}
   # Write
-{{- if .Values.webhook.enabled }}
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["update"]
-    resourceNames:
-      - "{{ include "karpenter.fullname" . }}-cert"
-{{- end }}
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["patch", "update"]
@@ -55,24 +43,3 @@ rules:
     resources: ["services"]
     resourceNames: ["kube-dns"]
     verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "karpenter.fullname" . }}-lease
-  namespace: kube-node-lease
-  labels:
-    {{- include "karpenter.labels" . | nindent 4 }}
-  {{- with .Values.additionalAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-rules:
-  # Read
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "list", "watch"]
-  # Write
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["delete"]

charts/karpenter/templates/rolebinding.yaml

@@ -33,26 +33,6 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: {{ include "karpenter.fullname" . }}-dns
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "karpenter.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
---- 
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "karpenter.fullname" . }}-lease
-  namespace: kube-node-lease
-  labels:
-    {{- include "karpenter.labels" . | nindent 4 }}
-  {{- with .Values.additionalAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "karpenter.fullname" . }}-lease
 subjects:
   - kind: ServiceAccount
     name: {{ template "karpenter.serviceAccountName" . }}

charts/karpenter/templates/service.yaml

@@ -16,15 +16,5 @@ spec:
       port: {{ .Values.controller.metrics.port }}
       targetPort: http-metrics
       protocol: TCP
-  {{- if .Values.webhook.enabled }}
-    - name: webhook-metrics
-      port: {{ .Values.webhook.metrics.port }}
-      targetPort: webhook-metrics
-      protocol: TCP
-    - name: https-webhook
-      port: {{ .Values.webhook.port }}
-      targetPort: https-webhook
-      protocol: TCP
-  {{- end }}
   selector:
     {{- include "karpenter.selectorLabels" . | nindent 4 }}

charts/karpenter/values.yaml

@@ -137,22 +137,6 @@ controller:
   healthProbe:
     # -- The container port to use for http health probe.
     port: 8081
-postInstallHook:
-  image:
-    # -- Repository path to the post-install hook. This minimally needs to have `kubectl` installed
-    repository: public.ecr.aws/bitnami/kubectl
-    # -- Tag of the post-install hook image.
-    tag: "1.30"
-    # -- SHA256 digest of the post-install hook image.
-    digest: sha256:13a2ad1bd37ce42ee2a6f1ab0d30595f42eb7fe4a90d6ec848550524104a1ed6
-webhook:
-  # -- Whether to enable the webhooks and webhook permissions.
-  enabled: true
-  # -- The container port to use for the webhook.
-  port: 8443
-  metrics:
-    # -- The container port to use for webhook metrics.
-    port: 8001
 # -- Global log level, defaults to 'info'
 logLevel: info
 # -- Log outputPaths - defaults to stdout only