feat: Update Karpenter addon to support v0.32.1/v1beta1 (#285)

bryantbiggs · web-flow · commit 231e6dd720d6 · 2023-11-01T12:05:03.000-04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: trailing-whitespace
         args: ['--markdown-linebreak-ext=md']
@@ -10,7 +10,7 @@ repos:
       - id: detect-aws-credentials
         args: ['--allow-missing-credentials']
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.4
+    rev: v1.83.5
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
diff --git a/README.md b/README.md
@@ -219,6 +219,7 @@ module "eks_blueprints_addons" {
 | <a name="input_helm_releases"></a> [helm\_releases](#input\_helm\_releases) | A map of Helm releases to create. This provides the ability to pass in an arbitrary map of Helm chart definitions to create | `any` | `{}` | no |
 | <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
 | <a name="input_karpenter"></a> [karpenter](#input\_karpenter) | Karpenter add-on configuration values | `any` | `{}` | no |
+| <a name="input_karpenter_enable_instance_profile_creation"></a> [karpenter\_enable\_instance\_profile\_creation](#input\_karpenter\_enable\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1) | `bool` | `true` | no |
 | <a name="input_karpenter_enable_spot_termination"></a> [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no |
 | <a name="input_karpenter_node"></a> [karpenter\_node](#input\_karpenter\_node) | Karpenter IAM role and IAM instance profile configuration values | `any` | `{}` | no |
 | <a name="input_karpenter_sqs"></a> [karpenter\_sqs](#input\_karpenter\_sqs) | Karpenter SQS queue for native node termination handling configuration values | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
@@ -2730,6 +2730,34 @@ locals {
   karpenter_node_iam_role_name         = try(var.karpenter_node.iam_role_name, "karpenter-${var.cluster_name}")
   karpenter_node_instance_profile_name = try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_node.instance_profile_name, "")
   karpenter_namespace                  = try(var.karpenter.namespace, "karpenter")
+
+  # Due to change in v0.32.0
+  # TODO - remove at next breaking change
+  karpenter_aws_scope = var.karpenter_enable_instance_profile_creation ? "" : "aws."
+
+  karpenter_set = [
+    {
+      name  = "settings.${local.karpenter_aws_scope}clusterName"
+      value = local.cluster_name
+    },
+    {
+      name  = "settings.${local.karpenter_aws_scope}clusterEndpoint"
+      value = local.cluster_endpoint
+    },
+    {
+      name  = "settings.${local.karpenter_aws_scope}interruptionQueueName"
+      value = local.karpenter_enable_spot_termination ? module.karpenter_sqs.queue_name : null
+    },
+    # TODO - remove at next breaking change
+    {
+      name  = "settings.${local.karpenter_aws_scope}defaultInstanceProfile"
+      value = var.karpenter_enable_instance_profile_creation ? null : local.karpenter_node_instance_profile_name
+    },
+    {
+      name  = "serviceAccount.name"
+      value = local.karpenter_service_account_name
+    },
+  ]
 }
 
 data "aws_iam_policy_document" "karpenter" {
@@ -2811,6 +2839,22 @@ data "aws_iam_policy_document" "karpenter" {
       resources = [module.karpenter_sqs.queue_arn]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.karpenter_enable_instance_profile_creation ? [1] : []
+
+    content {
+      actions = [
+        "iam:AddRoleToInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:GetInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:TagInstanceProfile",
+      ]
+      resources = ["*"]
+    }
+  }
 }
 
 module "karpenter_sqs" {
@@ -2916,7 +2960,7 @@ resource "aws_iam_role_policy_attachment" "additional" {
 }
 
 resource "aws_iam_instance_profile" "karpenter" {
-  count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) ? 1 : 0
+  count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) && !var.karpenter_enable_instance_profile_creation ? 1 : 0
 
   name        = try(var.karpenter_node.iam_role_use_name_prefix, true) ? null : local.karpenter_node_iam_role_name
   name_prefix = try(var.karpenter_node.iam_role_use_name_prefix, true) ? "${local.karpenter_node_iam_role_name}-" : null
@@ -2941,7 +2985,7 @@ module "karpenter" {
   namespace        = local.karpenter_namespace
   create_namespace = try(var.karpenter.create_namespace, true)
   chart            = try(var.karpenter.chart, "karpenter")
-  chart_version    = try(var.karpenter.chart_version, "v0.30.0")
+  chart_version    = try(var.karpenter.chart_version, "v0.32.1")
   repository       = try(var.karpenter.repository, "oci://public.ecr.aws/karpenter")
   values           = try(var.karpenter.values, [])
 
@@ -2973,28 +3017,7 @@ module "karpenter" {
 
   postrender = try(var.karpenter.postrender, [])
   set = concat(
-    [
-      {
-        name  = "settings.aws.clusterName"
-        value = local.cluster_name
-      },
-      {
-        name  = "settings.aws.clusterEndpoint"
-        value = local.cluster_endpoint
-      },
-      {
-        name  = "settings.aws.defaultInstanceProfile"
-        value = local.karpenter_node_instance_profile_name
-      },
-      {
-        name  = "settings.aws.interruptionQueueName"
-        value = local.karpenter_enable_spot_termination ? module.karpenter_sqs.queue_name : ""
-      },
-      {
-        name  = "serviceAccount.name"
-        value = local.karpenter_service_account_name
-      },
-    ],
+    [for s in local.karpenter_set : s if s.value != null],
     try(var.karpenter.set, [])
   )
   set_sensitive = try(var.karpenter.set_sensitive, [])
@@ -3373,13 +3396,13 @@ module "velero" {
     {
       name  = "initContainers"
       value = <<-EOT
-   - name: velero-plugin-for-aws
-     image: velero/velero-plugin-for-aws:v1.7.1
-     imagePullPolicy: IfNotPresent
-     volumeMounts:
-       - mountPath: /target
-         name: plugins
-            EOT
+        - name: velero-plugin-for-aws
+          image: velero/velero-plugin-for-aws:v1.7.1
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /target
+              name: plugins
+      EOT
     },
     {
       name  = "serviceAccount.server.name"
diff --git a/tests/complete/README.md b/tests/complete/README.md
@@ -40,7 +40,7 @@ Note that this example may create resources which will incur monetary charges on
 |------|--------|---------|
 | <a name="module_adot_irsa"></a> [adot\_irsa](#module\_adot\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
 | <a name="module_ebs_csi_driver_irsa"></a> [ebs\_csi\_driver\_irsa](#module\_ebs\_csi\_driver\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
-| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.17 |
 | <a name="module_eks_blueprints_addons"></a> [eks\_blueprints\_addons](#module\_eks\_blueprints\_addons) | ../../ | n/a |
 | <a name="module_velero_backup_s3_bucket"></a> [velero\_backup\_s3\_bucket](#module\_velero\_backup\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
@@ -57,13 +57,12 @@ locals {
 # Cluster
 ################################################################################
 
-#tfsec:ignore:aws-eks-enable-control-plane-logging
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.13"
+  version = "~> 19.17"
 
   cluster_name                   = local.name
-  cluster_version                = "1.26"
+  cluster_version                = "1.28"
   cluster_endpoint_public_access = true
 
   vpc_id     = module.vpc.vpc_id
@@ -192,7 +191,8 @@ module "eks_blueprints_addons" {
   enable_aws_node_termination_handler   = true
   aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]
 
-  enable_karpenter = true
+  enable_karpenter                           = true
+  karpenter_enable_instance_profile_creation = true
   # ECR login required
   karpenter = {
     repository_username = data.aws_ecrpublic_authorization_token.token.user_name
@@ -238,7 +238,7 @@ module "eks_blueprints_addons" {
       namespace        = "gpu-operator"
       create_namespace = true
       chart            = "gpu-operator"
-      chart_version    = "v23.3.2"
+      chart_version    = "v23.9.0"
       repository       = "https://nvidia.github.io/gpu-operator"
       values = [
         <<-EOT
diff --git a/variables.tf b/variables.tf
@@ -442,6 +442,12 @@ variable "karpenter_enable_spot_termination" {
   default     = true
 }
 
+variable "karpenter_enable_instance_profile_creation" {
+  description = "Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1)"
+  type        = bool
+  default     = true
+}
+
 variable "karpenter_sqs" {
   description = "Karpenter SQS queue for native node termination handling configuration values"
   type        = any
