aws
diff --git a/‎Makefile
+2-3 b/‎Makefile
+2-3
diff --git a/‎charts/karpenter/.helmignore
+23 b/‎charts/karpenter/.helmignore
+23
diff --git a/‎charts/karpenter/Chart.yaml
+10-2 b/‎charts/karpenter/Chart.yaml
+10-2
diff --git a/‎charts/karpenter/README.md
+47-32 b/‎charts/karpenter/README.md
+47-32
diff --git a/‎charts/karpenter/README.md.gotmpl
+3-3 b/‎charts/karpenter/README.md.gotmpl
+3-3
diff --git a/‎charts/karpenter/templates/_helpers.tpl
+22-34 b/‎charts/karpenter/templates/_helpers.tpl
+22-34
diff --git a/‎charts/karpenter/templates/100-config-logging.yaml ‎charts/karpenter/templates/configmap-logging.yaml
+1-2 b/‎charts/karpenter/templates/100-config-logging.yaml ‎charts/karpenter/templates/configmap-logging.yaml
+1-2
diff --git a/‎charts/karpenter/templates/controller/_helpers.tpl
+33 b/‎charts/karpenter/templates/controller/_helpers.tpl
+33
diff --git a/‎charts/karpenter/templates/controller/clusterrole.yaml
+34 b/‎charts/karpenter/templates/controller/clusterrole.yaml
+34
diff --git a/‎charts/karpenter/templates/controller/clusterrolebinding.yaml
+14 b/‎charts/karpenter/templates/controller/clusterrolebinding.yaml
+14
@@ -14,7 +14,7 @@ WITH_RELEASE_REPO = KO_DOCKER_REPO=$(RELEASE_REPO)
 ## Extra helm options
 CLUSTER_NAME ?= $(shell kubectl config view --minify -o jsonpath='{.clusters[].name}' | rev | cut -d"/" -f1 | rev)
 CLUSTER_ENDPOINT ?= $(shell kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}')
-HELM_OPTS ?= --set controller.clusterName=${CLUSTER_NAME} --set controller.clusterEndpoint=${CLUSTER_ENDPOINT}
+HELM_OPTS ?= --set clusterName=${CLUSTER_NAME} --set clusterEndpoint=${CLUSTER_ENDPOINT}
 
 help: ## Display help
 	@awk 'BEGIN {FS = ":.*##"; printf "Usage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
@@ -54,7 +54,7 @@ licenses: ## Verifies dependency licenses and requires GITHUB_TOKEN to be set
 	golicense hack/license-config.hcl karpenter
 
 apply: ## Deploy the controller into your ~/.kube/config cluster
-	helm template --include-crds  karpenter charts/karpenter --namespace karpenter \
+	helm template --include-crds karpenter charts/karpenter --namespace karpenter \
 		$(HELM_OPTS) \
 		--set controller.image=ko://github.com/aws/karpenter/cmd/controller \
 		--set webhook.image=ko://github.com/aws/karpenter/cmd/webhook \
@@ -63,7 +63,6 @@ apply: ## Deploy the controller into your ~/.kube/config cluster
 delete: ## Delete the controller from your ~/.kube/config cluster
 	helm template karpenter charts/karpenter --namespace karpenter \
 		$(HELM_OPTS) \
-		--set serviceAccount.create=false \
 		| kubectl delete -f -
 
 codegen: ## Generate code. Must be run if changes are made to ./pkg/apis/...
 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -1,6 +1,14 @@
 apiVersion: v2
-appVersion: 0.5.4
 name: karpenter
-description: A Helm chart for https://github.com/aws/karpenter/.
+description: A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.
 type: application
 version: 0.5.4
+appVersion: 0.5.4
+keywords:
+  - fluent
+  - fluentd
+  - logging
+home: https://karpenter.sh/
+icon: https://repository-images.githubusercontent.com/278480393/dab059c8-caa1-4b55-aaa7-3d30e47a5616
+sources:
+  - https://github.com/aws/karpenter/
@@ -1,6 +1,6 @@
 # karpenter
 
-A Helm chart for https://github.com/aws/karpenter/.
+A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.
 
 ![Version: 0.5.4](https://img.shields.io/badge/Version-0.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.4](https://img.shields.io/badge/AppVersion-0.5.4-informational?style=flat-square)
 
@@ -12,10 +12,10 @@ To install the chart with the release name `karpenter`:
 $ helm repo add karpenter https://charts.karpenter.sh
 $ helm repo update
 $ helm upgrade --install karpenter karpenter/karpenter --namespace karpenter \
-  --create-namespace --set serviceAccount.create=false --version 0.5.4 \
+  --create-namespace --version 0.5.4 \
   --set controller.clusterName=${CLUSTER_NAME} \
   --set controller.clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \
-  --wait # for the defaulting webhook to install before creating a Provisioner 
+  --wait # for the defaulting webhook to install before creating a Provisioner
 ```
 
 You can follow the detailed installation instruction [here](https://karpenter.sh/docs/getting-started/#install).
@@ -24,34 +24,49 @@ You can follow the detailed installation instruction [here](https://karpenter.sh
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| additionalLabels | object | `{}` | Additional labels to add into metadata |
-| controller.affinity | object | `{}` | Affinity rules for scheduling |
-| controller.clusterEndpoint | string | `""` | Cluster endpoint |
-| controller.clusterName | string | `""` | Cluster name |
-| controller.env | list | `[]` | Additional environment variables to run with |
-| controller.image | string | `"public.ecr.aws/karpenter/controller:v0.5.4@sha256:19ebf83d64fa41d75fb19ae5047f54b1c66423b4ab5ceef36ae99a0daaad1895"` | Image to use for the Karpenter controller |
-| controller.nodeSelector | object | `{}` | Node selectors to schedule to nodes with labels. |
-| controller.replicas | int | `1` |  |
-| controller.resources.limits.cpu | int | `1` |  |
-| controller.resources.limits.memory | string | `"1Gi"` |  |
-| controller.resources.requests.cpu | int | `1` |  |
-| controller.resources.requests.memory | string | `"1Gi"` |  |
-| controller.tolerations | list | `[]` | Tolerations to schedule to nodes with taints. |
-| serviceAccount.annotations | object | `{}` | Annotations to add to the service account (like the ARN of the IRSA role) |
-| serviceAccount.create | bool | `true` | Create a service account for the application controller |
-| serviceAccount.name | string | `"karpenter"` | Service account name |
-| webhook.affinity | object | `{}` | Affinity rules for scheduling |
-| webhook.env | list | `[]` | List of environment items to add to the webhook |
-| webhook.hostNetwork | bool | `false` | Set to true if using custom CNI on EKS |
-| webhook.image | string | `"public.ecr.aws/karpenter/webhook:v0.5.4@sha256:fd7dd0a3e155cb08a1c1def31258c654ac6c61b2fa8d8d25b7483688664c7de2"` | Image to use for the webhook |
-| webhook.nodeSelector | object | `{}` | Node selectors to schedule to nodes with labels. |
-| webhook.port | int | `8443` |  |
-| webhook.replicas | int | `1` |  |
-| webhook.resources.limits.cpu | string | `"100m"` |  |
-| webhook.resources.limits.memory | string | `"50Mi"` |  |
-| webhook.resources.requests.cpu | string | `"100m"` |  |
-| webhook.resources.requests.memory | string | `"50Mi"` |  |
-| webhook.tolerations | list | `[]` | Tolerations to schedule to nodes with taints. |
+| additionalLabels | object | `{}` | Additional labels to add into metadata. |
+| clusterEndpoint | string | `""` | Cluster endpoint. |
+| clusterName | string | `""` | Cluster name. |
+| controller.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"key":"karpenter.sh/provisioner-name","operator":"DoesNotExist"}]}}}` | Affinity rules for scheduling the controller pod. |
+| controller.env | list | `[]` | Additional environment variables for the controller pod. |
+| controller.image | string | `"public.ecr.aws/karpenter/controller:v0.5.4@sha256:19ebf83d64fa41d75fb19ae5047f54b1c66423b4ab5ceef36ae99a0daaad1895"` | Controller image. |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selectors to schedule the controller pod to nodes with labels. |
+| controller.podAnnotations | object | `{}` | Additional annotations for the controller pod. |
+| controller.podLabels | object | `{}` | Additional labels for the controller pod. |
+| controller.podSecurityContext | object | `{"fsGroup":1000}` | SecurityContext for the controller pod. |
+| controller.priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the controller pod. |
+| controller.replicas | int | `1` | Number of replicas for the controller pod. |
+| controller.resources | object | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":1,"memory":"1Gi"}}` | Resources for the controller pod. |
+| controller.securityContext | object | `{}` | SecurityContext for the controller containers. |
+| controller.serviceAccount.annotations | object | `{}` | Additional annotations for the controller ServiceAccount. |
+| controller.serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created for the controller. |
+| controller.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
+| controller.strategy | object | `{"type":"Recreate"}` | Strategy for updating the controller pod. |
+| controller.terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the controller pod. |
+| controller.tolerations | list | `[]` | Tolerations to allow the controller pod to be scheduled to nodes with taints. |
+| fullnameOverride | string | `""` | Overrides the chart's computed fullname. |
+| imagePullPolicy | string | `"IfNotPresent"` | Image pull policy for Docker images. |
+| imagePullSecrets | list | `[]` | Image pull secrets for Docker images. |
+| nameOverride | string | `""` | Overrides the chart's name. |
+| webhook.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"key":"karpenter.sh/provisioner-name","operator":"DoesNotExist"}]}}}` | Affinity rules for scheduling the webhook pod. |
+| webhook.env | list | `[]` | Additional environment variables for the webhook pod. |
+| webhook.hostNetwork | bool | `false` | Bind the webhook pod to the host network. This is required when using a custom CNI. |
+| webhook.image | string | `"public.ecr.aws/karpenter/webhook:v0.5.4@sha256:fd7dd0a3e155cb08a1c1def31258c654ac6c61b2fa8d8d25b7483688664c7de2"` | Webhook image. |
+| webhook.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selectors to schedule the webhook pod to nodes with labels. |
+| webhook.podAnnotations | object | `{}` | Additional annotations for the webhook pod. |
+| webhook.podLabels | object | `{}` | Additional labels for the webhook pod. |
+| webhook.podSecurityContext | object | `{"fsGroup":1000}` | SecurityContext for the webhook pod. |
+| webhook.port | int | `8443` | The container port to use for the webhook. |
+| webhook.priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the webhook pod. |
+| webhook.replicas | int | `1` | Number of replicas for the webhook pod. |
+| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}` | Resources for the webhook pod. |
+| webhook.securityContext | object | `{}` | SecurityContext for the webhook containers. |
+| webhook.serviceAccount.annotations | object | `{}` | Additional annotations for the webhook ServiceAccount. |
+| webhook.serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created for the webhook. |
+| webhook.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.strategy | object | `{"type":"Recreate"}` | Strategy for updating the webhook pod. |
+| webhook.terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the webhook pod. |
+| webhook.tolerations | list | `[]` | Tolerations to allow the webhook pod to be scheduled to nodes with taints. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
+Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
@@ -11,10 +11,10 @@ To install the chart with the release name `karpenter`:
 $ helm repo add karpenter https://charts.karpenter.sh
 $ helm repo update
 $ helm upgrade --install karpenter karpenter/{{ template "chart.name" . }} --namespace karpenter \
-  --create-namespace --set serviceAccount.create=false --version {{ template "chart.version" . }} \
+  --create-namespace --version {{ template "chart.version" . }} \
   --set controller.clusterName=${CLUSTER_NAME} \
   --set controller.clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \
-  --wait # for the defaulting webhook to install before creating a Provisioner  
+  --wait # for the defaulting webhook to install before creating a Provisioner
 ```
 
 You can follow the detailed installation instruction [here](https://karpenter.sh/docs/getting-started/#install).
@@ -23,4 +23,4 @@ You can follow the detailed installation instruction [here](https://karpenter.sh
 
 {{ template "chart.valuesSection" . }}
 
-{{ template "helm-docs.versionFooter" . }}
+{{ template "helm-docs.versionFooter" . }}
@@ -2,46 +2,45 @@
 Expand the name of the chart.
 */}}
 {{- define "karpenter.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "karpenter.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
 
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "karpenter.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{/*
-Generate basic labels
+Common labels
 */}}
-{{- define "karpenter.labels" }}
+{{- define "karpenter.labels" -}}
 helm.sh/chart: {{ include "karpenter.chart" . }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-app.kubernetes.io/component: karpenter
+{{ include "karpenter.selectorLabels" . }}
 app.kubernetes.io/part-of: {{ template "karpenter.name" . }}
-{{- include "karpenter.selectorLabels" . }}
-{{- if .Chart.Version }}
-app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.additionalLabels }}
 {{ toYaml .Values.additionalLabels }}
 {{- end }}
@@ -50,18 +49,7 @@ app.kubernetes.io/version: {{ .Chart.Version | quote }}
 {{/*
 Selector labels
 */}}
-{{- define "karpenter.selectorLabels" }}
+{{- define "karpenter.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "karpenter.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "karpenter.serviceAccountName" -}}
-{{- if .Values.serviceAccount.enabled -}}
-    {{ default (include "karpenter.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
@@ -2,9 +2,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-logging
-  namespace: {{ .Release.Namespace }}
   labels:
-    {{- include "karpenter.labels" . | indent 4 }}
+    {{- include "karpenter.labels" . | nindent 4 }}
 data:
   # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go
   zap-logger-config: |
 
@@ -0,0 +1,33 @@
+{{/*
+Fullname
+*/}}
+{{- define "karpenter.controllerFullname" -}}
+{{ include "karpenter.fullname" . }}-controller
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "karpenter.controllerLabels" -}}
+{{ include "karpenter.labels" . }}
+app.kubernetes.io/component: controller
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "karpenter.controllerSelectorLabels" -}}
+{{ include "karpenter.selectorLabels" . }}
+app.kubernetes.io/component: controller
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "karpenter.controllerServiceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create -}}
+{{- default (printf "%s-controller" (include "karpenter.fullname" .)) .Values.controller.serviceAccount.name }}
+{{- else -}}
+{{- default "default" .Values.controller.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "karpenter.controllerFullname" . }}
+  labels:
+    {{- include "karpenter.controllerLabels" . | nindent 4 }}
+rules:
+  - apiGroups: ["karpenter.sh"]
+    resources: ["provisioners"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["karpenter.sh"]
+    resources: ["provisioners/status"]
+    verbs: ["create", "delete", "patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes", "persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes", "pods"]
+    verbs: ["get", "list", "watch", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["pods/binding", "pods/eviction"]
+    verbs: ["create"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list", "watch"]
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "karpenter.controllerFullname" . }}
+  labels:
+    {{- include "karpenter.controllerLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "karpenter.controllerFullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "karpenter.controllerServiceAccountName" . }}
+    namespace: {{ .Release.Namespace }}