Workload cluster release aws-34.1.0 for CAPA
Changes compared to v34.0.0
Components
- cluster-aws from v7.2.5 to v7.4.0
- Flatcar from v4459.2.2 to v4459.2.3
- Kubernetes from v1.34.3 to v1.34.5
- os-tooling from v1.26.3 to v1.26.4
Added
- Add JSON schema validation patterns for `global.providerSpecific.region`.
- Add JSON schema validation patterns for `global.providerSpecific.awsAccountId`.
- Add JSON schema validation patterns for `global.controlPlane.instanceType` and node pool `instanceType`.
- Add JSON schema `maxLength: 20` constraint for `global.metadata.name`, aligning with the constraint enforced by our Kyverno policies.
Changed
- Values: Use container registries from cluster chart.
- Karpenter: Provide proxy configuration.
- AWS EBS CSI Driver & Karpenter: Reduce interval and enable drift detection.
- Install the `aws-ebs-csi-driver-bundle` that contains the aws-ebs-csi-driver app, together with the Crossplane resources to manage the AWS IAM roles required by the app.
- Install the `karpenter-bundle` that contains the karpenter app, together with the Crossplane custom resources to manage the AWS resources required by Karpenter.
- Use cluster chart values for Karpenter kubelet `systemReserved` and `kubeReserved` configuration instead of hardcoded values.
- Set correct `maxPods` value for Karpenter node pools, based on the configured `nodeCidrMaskSize`, but capped at 110 pods.
- Always install the `karpenter-bundle`, regardless of whether Karpenter node pools are configured. This is useful when deleting Karpenter node pools: otherwise the Karpenter app was removed before Karpenter had time to clean up the node pools.
- Allow cert-manager to use DNS challenges on non-private clusters.
Fixed
- Install node-termination-handler bundle even if falling back to default node pools. No workers could come up without NTH, so `nodePools: {}` (= use default node pools) did not create a working cluster.
Apps
- aws-ebs-csi-driver from v3.4.1 to v4.1.1
- aws-ebs-csi-driver-servicemonitors from v0.1.0 to v0.1.2
- aws-pod-identity-webhook from v2.1.0 to v2.2.0
- cert-exporter from v2.9.15 to v2.9.16
- cert-manager from v3.9.4 to v3.11.0
- chart-operator-extensions from v1.1.2 to v1.1.3
- cilium from v1.3.4 to v1.4.1
- cilium-servicemonitors from v0.1.3 to v0.1.4
- cluster-autoscaler from v1.34.1-1 to v1.34.3-1
- coredns-extensions from v0.1.2 to v0.1.3
- etcd-defrag from v1.2.3 to v1.2.4
- etcd-k8s-res-count-exporter from v1.10.12 to v1.10.14
- irsa-servicemonitors from v0.1.0 to v0.1.1
- k8s-audit-metrics from v0.10.11 to v0.10.13
- k8s-dns-node-cache from v2.9.1 to v2.9.2
- karpenter from v1.4.0 to v2.1.0
- karpenter-taint-remover from v1.0.1 to v1.0.2
- metrics-server from v2.7.0 to v2.8.0
- net-exporter from v1.23.0 to v1.23.1
- node-exporter from v1.20.10 to v1.20.11
- observability-bundle from v2.5.0 to v2.6.0
- observability-policies from v0.0.3 to v0.0.4
- priority-classes from v0.3.0 to v0.3.1
- prometheus-blackbox-exporter from v0.5.0 to v0.5.1
- security-bundle from v1.16.1 to v1.17.0
- teleport-kube-agent from v0.10.7 to v0.10.8
- vertical-pod-autoscaler from v6.1.1 to v6.1.2
- vertical-pod-autoscaler-crd from v4.1.1 to v4.1.2
Added
- Introduce bundle chart architecture with Crossplane IAM resources.
- Add `aws-ebs-csi-driver-app-bundle` chart that includes:
  - Crossplane IAM Role with EBS CSI driver permissions
  - Flux HelmRelease to deploy the workload cluster chart
  - ConfigMap for values passthrough
- Bundle chart is installed on the management cluster and deploys the app chart to the workload cluster
- IAM role uses OIDC federation (IRSA) and reads configuration from `<clusterID>-crossplane-config` ConfigMap
- Both charts share the same version and are released together
Changed
- Refactor Crossplane config data retrieval. Fail installation if the ConfigMap can't be found; otherwise the chart was creating invalid IAM roles.
- Change IAM role name for the ebs-csi-driver-controller, to differentiate it from the old one managed by the iam-operator.
- Remove dependency on cloud-provider-aws in the aws-ebs-csi-driver HelmRelease. That dependency should be set in the bundle HelmRelease by the provider cluster chart.
- Update CircleCI configuration to push both app and bundle charts
- Update README with bundle architecture documentation
Fixed
- Fix boolean type of the expansion
- Allow volume expansion by default on gp3
Changed
- Migrate to App Build Suite (ABS).
Fixed
- Remove duplicate `application.giantswarm.io/team` label in PodMonitor that caused install failure. The label is already included via the common labels helper.
Changed
- Sanitize `Chart.Version` when used in labels, because Flux appends the artifact digest to the version.
Added
- Add Vertical Pod Autoscaler (VPA) support for webhook pods.
- Add `io.giantswarm.application.audience` and `io.giantswarm.application.managed` chart annotations for Backstage visibility.
- Add PodLogs for log collection.
Fixed
- Fix controller Vertical Pod Autoscaler (VPA) resource syntax.
Changed
- Upgrade Cilium to v1.19.1.
- Upgrade Cilium to v1.19.0.
- Update chart icon to use Giant Swarm-hosted Cilium icon.
- Upgrade Cilium to v1.18.7.
Changed
- Migrate chart metadata annotations
Changed
- Chart: Update to upstream v1.34.3.
- Chart: Update to upstream v1.34.2.
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.37.0. (#78)
Changed
- Migrate to App Build Suite (ABS) for Helm chart building.
- Go: Update dependencies.
Removed
- Removed `PodSecurityPolicy`.
- Removed `global.podSecurityStandards.enforced` Helm value.
- Removed `resource.psp` Helm value.
Changed
- Migrate to App Build Suite (ABS) for building and publishing Helm charts.
Changed
- Migrate to App Build Suite (ABS) for Helm chart building.
- Go: Update dependencies.
Removed
- Removed `PodSecurityPolicy`.
- Removed `global.podSecurityStandards.enforced` Helm value.
- Removed `resource.psp` Helm value.
Changed
- Upgrade application to version 1.26.7 (includes coredns 1.13.1)
Added
- Add `PodLogs` and `PodMonitor` custom resources for observability data ingestion.
- Deployment: Add HTTP proxy support.
- Add e2e tests for this app.
- Add `karpenter-bundle` chart that consolidates karpenter-app and karpenter-crossplane-resources into a single deployable bundle. The bundle includes:
  - HelmRelease and OCIRepository for deploying Karpenter to workload clusters
  - IAM roles for karpenter and nodeclassgenerator via Crossplane
  - SQS queue and CloudWatch event rules for interruption handling
Fixed
- Use only `clustertest` v3 instead of v2 and v3. We also upgraded to apptest-framework v3 due to this.
Changed
- Migrate to App Build Suite (ABS) for building and publishing Helm charts.
Changed
- Upgrade metrics-server to v0.8.1.
- Change team annotation in `Chart.yaml` to OpenContainers format (`io.giantswarm.application.team`).
Removed
- Removed `PodSecurityPolicy`.
- Removed `global.podSecurityStandards.enforced` Helm value.
Changed
- Migrate to App Build Suite (ABS) for building and publishing Helm charts.
Fixed
- Removed duplicated `app` label, which is already added by the selector helper.
Added
- Add KSM metrics for Gateway API resources
Changed
- Rename app to `observability-policies`.
- Change team annotation in `Chart.yaml` to OpenContainers format (`io.giantswarm.application.team`).
Fixed
- Sanitize `Chart.Version` used in labels. This is needed because Flux appends the digest to the version using the `+` character, which is not allowed in label values.
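The two `Chart.Version` sanitization entries above (the earlier one for the PodMonitor chart and this one for observability-policies) describe the same failure: a Kubernetes label value may contain only alphanumerics, `-`, `_` and `.`, must start and end with an alphanumeric, and is limited to 63 characters, so a Flux-style `1.2.3+<digest>` version is rejected at install time. The following is an added Python example, not code from the page or from any Giant Swarm chart, that mirrors the usual Helm template idiom (`replace "+" "_" | trunc 63 | trimSuffix "-"`) and checks a rendered label set for values that would fail admission; the label names and version strings are constructed sample data.

```python
import re

# Kubernetes label-value rules: at most 63 characters, alphanumerics plus
# '-', '_' and '.', beginning and ending with an alphanumeric. Empty is allowed.
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
MAX_LABEL_VALUE_LEN = 63


def is_valid_label_value(value: str) -> bool:
    """Return True if `value` would be accepted by the API server as a label value."""
    return len(value) <= MAX_LABEL_VALUE_LEN and LABEL_VALUE_RE.fullmatch(value) is not None


def sanitize_label_value(version: str) -> str:
    """Turn a chart version that may carry '+<digest>' build metadata into a valid label value.

    Equivalent to the Helm template idiom
    {{ .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }},
    generalized to strip any trailing run of non-alphanumerics left by truncation.
    """
    value = version.replace("+", "_")
    value = value[:MAX_LABEL_VALUE_LEN]
    value = re.sub(r"[^A-Za-z0-9]+$", "", value)
    return value


def invalid_label_values(labels: dict[str, str]) -> list[str]:
    """Return the label keys whose values violate the label-value rules, in input order."""
    return [key for key, value in labels.items() if not is_valid_label_value(value)]


# Constructed sample: labels as a chart might render them when Flux has appended
# an artifact digest to the chart version. The digest is a made-up value.
SAMPLE_LABELS = {
    "helm.sh/chart": "observability-policies-0.0.4+3f4a9c1",
    "app.kubernetes.io/version": "0.0.4+3f4a9c1",
    "app.kubernetes.io/name": "observability-policies",
}


def fixed_sample_labels() -> dict[str, str]:
    """Apply the sanitizer to every offending value in the constructed sample."""
    return {
        key: (sanitize_label_value(value) if not is_valid_label_value(value) else value)
        for key, value in SAMPLE_LABELS.items()
    }


if __name__ == "__main__":
    print("offending labels:", invalid_label_values(SAMPLE_LABELS))
    print("after sanitizing:", fixed_sample_labels())
```

Running the check against rendered manifests (for example in a chart's CI, before `helm install`) surfaces the `+` problem as a list of offending label keys instead of an admission error at install time.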
Changed
- Migrate to App Build Suite (ABS) for Helm chart building.
Changed
- Update `kyverno` (app) to v0.23.0.
- Update `kyverno-crds` (app) to v1.16.0.
- Update `reports-server` (app) to v0.1.0.
- Update `cloudnative-pg` (app) to v0.0.13.
- Update `kubescape` (app) to v0.0.5.
- Update `starboard-exporter` (app) to v1.0.2.
Added
- Add `io.giantswarm.application.audience` and `io.giantswarm.application.managed` chart annotations for Backstage visibility.
Changed
- Migrate chart metadata annotations to OCI-compatible format.
Fixed
- Pushed helm chart to OCI repository.
Fixed
- Pushed helm chart to OCI repository.