Add Conversion Webhooks

Makefile

@@ -82,6 +82,8 @@ licenses: download ## Verifies dependency licenses
 verify: ## Verify code. Includes codegen, docgen, dependencies, linting, formatting, etc
 	go mod tidy
 	go generate ./...
+	hack/conversion/nodepool.sh
+	hack/conversion/nodeclaim.sh
 	hack/validation/kubelet.sh
 	hack/validation/taint.sh
 	hack/validation/requirements.sh

hack/conversion/nodeclaim.sh

@@ -0,0 +1,7 @@
+# Adding conversion block to the NodeClaim Resource 
+
+yq eval '.spec.conversion.strategy="Webhook"' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml 
+yq eval '.spec.conversion.webhook.conversionReviewVersions=["v1beta1", "v1"]' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.namespace="kube-system"' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.name="karpenter"' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.port=8443' -i pkg/apis/crds/karpenter.sh_nodeclaims.yaml 

hack/conversion/nodepool.sh

@@ -0,0 +1,7 @@
+# Adding conversion block to the NodePool Resource 
+
+yq eval '.spec.conversion.strategy="Webhook"' -i pkg/apis/crds/karpenter.sh_nodepools.yaml 
+yq eval '.spec.conversion.webhook.conversionReviewVersions=["v1beta1", "v1"]' -i pkg/apis/crds/karpenter.sh_nodepools.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.namespace="kube-system"' -i pkg/apis/crds/karpenter.sh_nodepools.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.name="karpenter"' -i pkg/apis/crds/karpenter.sh_nodepools.yaml 
+yq eval '.spec.conversion.webhook.clientConfig.service.port=8443' -i pkg/apis/crds/karpenter.sh_nodepools.yaml 

hack/validation/kubelet.sh

@@ -3,7 +3,7 @@
 # Adding validation to both v1 and v1beta1 APIs
 # Version = 0 // v1 API 
 # Version = 1 // v1beta1 API
-for Version in $(seq 0 1); do 
+for Version in $(seq 1); do 
     # The regular expression adds validation for kubelet.kubeReserved and kubelet.systemReserved values of the map are resource.Quantity
     # Quantity: https://github.com/kubernetes/apimachinery/blob/d82afe1e363acae0e8c0953b1bc230d65fdb50e2/pkg/api/resource/quantity.go#L100
     # NodeClaim Validation:

hack/validation/resources.sh

@@ -1,7 +1,7 @@
 # Adding validation to both v1 and v1beta1 APIs
 # Version = 0 // v1 API 
 # Version = 1 // v1beta1 API
-for Version in  $(seq 0 1); do
+for Version in  $(seq 1); do
     # Adding validation for nodepool.spec.template.spec.resources 
     yqVersion="$Version" yq eval ".spec.versions[env(yqVersion)].schema.openAPIV3Schema.properties.spec.properties.template.properties.spec.properties.resources.maxProperties = 0" -i pkg/apis/crds/karpenter.sh_nodepools.yaml 
 done

kwok/charts/crds/karpenter.sh_nodeclaims.yaml

@@ -69,120 +69,6 @@ spec:
             spec:
               description: NodeClaimSpec describes the desired state of the NodeClaim
               properties:
-                kubelet:
-                  description: |-
-                    Kubelet defines args to be used when configuring kubelet on provisioned nodes.
-                    They are a subset of the upstream types, recognizing not all options may be supported.
-                    Wherever possible, the types and names should reflect the upstream kubelet types.
-                  properties:
-                    clusterDNS:
-                      description: |-
-                        clusterDNS is a list of IP addresses for the cluster DNS server.
-                        Note that not all providers may use all addresses.
-                      items:
-                        type: string
-                      type: array
-                    cpuCFSQuota:
-                      description: CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits.
-                      type: boolean
-                    evictionHard:
-                      additionalProperties:
-                        type: string
-                        pattern: ^((\d{1,2}(\.\d{1,2})?|100(\.0{1,2})?)%||(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?)$
-                      description: EvictionHard is the map of signal names to quantities that define hard eviction thresholds
-                      type: object
-                      x-kubernetes-validations:
-                        - message: valid keys for evictionHard are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']
-                          rule: self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])
-                    evictionMaxPodGracePeriod:
-                      description: |-
-                        EvictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use when terminating pods in
-                        response to soft eviction thresholds being met.
-                      format: int32
-                      type: integer
-                    evictionSoft:
-                      additionalProperties:
-                        type: string
-                        pattern: ^((\d{1,2}(\.\d{1,2})?|100(\.0{1,2})?)%||(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?)$
-                      description: EvictionSoft is the map of signal names to quantities that define soft eviction thresholds
-                      type: object
-                      x-kubernetes-validations:
-                        - message: valid keys for evictionSoft are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']
-                          rule: self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])
-                    evictionSoftGracePeriod:
-                      additionalProperties:
-                        type: string
-                      description: EvictionSoftGracePeriod is the map of signal names to quantities that define grace periods for each eviction signal
-                      type: object
-                      x-kubernetes-validations:
-                        - message: valid keys for evictionSoftGracePeriod are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']
-                          rule: self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])
-                    imageGCHighThresholdPercent:
-                      description: |-
-                        ImageGCHighThresholdPercent is the percent of disk usage after which image
-                        garbage collection is always run. The percent is calculated by dividing this
-                        field value by 100, so this field must be between 0 and 100, inclusive.
-                        When specified, the value must be greater than ImageGCLowThresholdPercent.
-                      format: int32
-                      maximum: 100
-                      minimum: 0
-                      type: integer
-                    imageGCLowThresholdPercent:
-                      description: |-
-                        ImageGCLowThresholdPercent is the percent of disk usage before which image
-                        garbage collection is never run. Lowest disk usage to garbage collect to.
-                        The percent is calculated by dividing this field value by 100,
-                        so the field value must be between 0 and 100, inclusive.
-                        When specified, the value must be less than imageGCHighThresholdPercent
-                      format: int32
-                      maximum: 100
-                      minimum: 0
-                      type: integer
-                    kubeReserved:
-                      additionalProperties:
-                        type: string
-                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
-                      description: KubeReserved contains resources reserved for Kubernetes system components.
-                      type: object
-                      x-kubernetes-validations:
-                        - message: valid keys for kubeReserved are ['cpu','memory','ephemeral-storage','pid']
-                          rule: self.all(x, x=='cpu' || x=='memory' || x=='ephemeral-storage' || x=='pid')
-                        - message: kubeReserved value cannot be a negative resource quantity
-                          rule: self.all(x, !self[x].startsWith('-'))
-                    maxPods:
-                      description: |-
-                        MaxPods is an override for the maximum number of pods that can run on
-                        a worker node instance.
-                      format: int32
-                      minimum: 0
-                      type: integer
-                    podsPerCore:
-                      description: |-
-                        PodsPerCore is an override for the number of pods that can run on a worker node
-                        instance based on the number of cpu cores. This value cannot exceed MaxPods, so, if
-                        MaxPods is a lower value, that value will be used.
-                      format: int32
-                      minimum: 0
-                      type: integer
-                    systemReserved:
-                      additionalProperties:
-                        type: string
-                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
-                      description: SystemReserved contains resources reserved for OS system daemons and kernel memory.
-                      type: object
-                      x-kubernetes-validations:
-                        - message: valid keys for systemReserved are ['cpu','memory','ephemeral-storage','pid']
-                          rule: self.all(x, x=='cpu' || x=='memory' || x=='ephemeral-storage' || x=='pid')
-                        - message: systemReserved value cannot be a negative resource quantity
-                          rule: self.all(x, !self[x].startsWith('-'))
-                  type: object
-                  x-kubernetes-validations:
-                    - message: imageGCHighThresholdPercent must be greater than imageGCLowThresholdPercent
-                      rule: 'has(self.imageGCHighThresholdPercent) && has(self.imageGCLowThresholdPercent) ?  self.imageGCHighThresholdPercent > self.imageGCLowThresholdPercent  : true'
-                    - message: evictionSoft OwnerKey does not have a matching evictionSoftGracePeriod
-                      rule: has(self.evictionSoft) ? self.evictionSoft.all(e, (e in self.evictionSoftGracePeriod)):true
-                    - message: evictionSoftGracePeriod OwnerKey does not have a matching evictionSoft
-                      rule: has(self.evictionSoftGracePeriod) ? self.evictionSoftGracePeriod.all(e, (e in self.evictionSoft)):true
                 nodeClassRef:
                   description: NodeClassRef is a reference to an object that defines provider specific configuration
                   properties:
@@ -361,6 +247,9 @@ spec:
                 - nodeClassRef
                 - requirements
               type: object
+              x-kubernetes-validations:
+                - message: immutable field changed
+                  rule: self == oldSelf
             status:
               description: NodeClaimStatus defines the observed state of NodeClaim
               properties:
@@ -901,3 +790,14 @@ spec:
       storage: false
       subresources:
         status: {}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1beta1
+        - v1
+      clientConfig:
+        service:
+          namespace: kube-system
+          name: karpenter
+          port: 8443