From 0e66184f24b5704ffc43ffd616ec19c4578069a7 Mon Sep 17 00:00:00 2001
From: Nick Tran <10810510+njtran@users.noreply.github.com>
Date: Mon, 12 Aug 2024 13:02:01 -0700
Subject: [PATCH 1/2] chore: make image configurable (#6716)

---
 charts/karpenter/README.md                        |  3 ++-
 charts/karpenter/templates/_helpers.tpl           | 11 +++++++++++
 charts/karpenter/templates/post-install-hook.yaml |  2 +-
 charts/karpenter/values.yaml                      |  8 ++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md
index 29db446c547f..cee76d261f2e 100644
--- a/charts/karpenter/README.md
+++ b/charts/karpenter/README.md
@@ -64,7 +64,8 @@ helm upgrade --install --namespace karpenter --create-namespace \
 | podDisruptionBudget.maxUnavailable | int | `1` |  |
 | podDisruptionBudget.name | string | `"karpenter"` |  |
 | podLabels | object | `{}` | Additional labels for the pod. |
-| podSecurityContext | object | `{"fsGroup":65536}` | SecurityContext for the pod. |
+| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
+| postInstallHook.image | string | `public.ecr.aws/bitnami/kubectl:1.30` | The image to run the post-install hook. This minimally needs to have `kubectl` installed |
 | priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
 | replicas | int | `2` | Number of replicas. |
 | revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
diff --git a/charts/karpenter/templates/_helpers.tpl b/charts/karpenter/templates/_helpers.tpl
index 9dce663e2382..a74c4dbb1aea 100644
--- a/charts/karpenter/templates/_helpers.tpl
+++ b/charts/karpenter/templates/_helpers.tpl
@@ -75,6 +75,17 @@ Karpenter image to use
 {{- end }}
 {{- end }}
 
+{{/*
+Karpenter post-install hook image to use
+*/}}
+{{- define "karpenter.postInstallHook.image" -}}
+{{- if .Values.postInstallHook.image.digest }}
+{{- printf "%s:%s@%s" .Values.postInstallHook.image.repository  (default (printf "v%s" .Chart.AppVersion) .Values.postInstallHook.image.tag) .Values.postInstallHook.image.digest }}
+{{- else }}
+{{- printf "%s:%s" .Values.postInstallHook.image.repository  (default (printf "v%s" .Chart.AppVersion) .Values.postInstallHook.image.tag) }}
+{{- end }}
+{{- end }}
+
 
 {{/* Get PodDisruptionBudget API Version */}}
 {{- define "karpenter.pdb.apiVersion" -}}
diff --git a/charts/karpenter/templates/post-install-hook.yaml b/charts/karpenter/templates/post-install-hook.yaml
index 123e392a3c96..5a38c33d8672 100644
--- a/charts/karpenter/templates/post-install-hook.yaml
+++ b/charts/karpenter/templates/post-install-hook.yaml
@@ -23,7 +23,7 @@ spec:
       {{- end }}
       containers:
       - name: post-install-job
-        image: public.ecr.aws/bitnami/kubectl:1.30
+        image: {{ include "karpenter.postInstallHook.image" . }}
         command:
         - /bin/sh
         - -c
diff --git a/charts/karpenter/values.yaml b/charts/karpenter/values.yaml
index ff90cde71016..d4d7cee33ef1 100644
--- a/charts/karpenter/values.yaml
+++ b/charts/karpenter/values.yaml
@@ -135,6 +135,14 @@ controller:
   healthProbe:
     # -- The container port to use for http health probe.
     port: 8081
+postInstallHook: 
+  image:
+    # -- Repository path to the post-install hook. This minimally needs to have `kubectl` installed
+    repository: public.ecr.aws/bitnami/kubectl
+    # -- Tag of the post-install hook image.
+    tag: "1.30"
+    # -- SHA256 digest of the post-install hook image.
+    digest: sha256:13a2ad1bd37ce42ee2a6f1ab0d30595f42eb7fe4a90d6ec848550524104a1ed6
 webhook:
   # -- Whether to enable the webhooks and webhook permissions.
   enabled: false

From 9e8cc95474389c8f0154394b771e652707696a66 Mon Sep 17 00:00:00 2001
From: Jason Deal <jmdeal@amazon.com>
Date: Mon, 12 Aug 2024 14:04:29 -0700
Subject: [PATCH 2/2] deps: bump sigs.k8s.io/karpenter

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index bd8898db47e3..c7ca08b2da92 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	knative.dev/pkg v0.0.0-20231010144348-ca8c009405dd
 	sigs.k8s.io/controller-runtime v0.18.4
-	sigs.k8s.io/karpenter v0.34.7-0.20240812074104-8d610f09d15e
+	sigs.k8s.io/karpenter v0.34.7-0.20240812192613-3ee19c700318
 )
 
 require (
diff --git a/go.sum b/go.sum
index 00ecc78a8359..25f6026cac27 100644
--- a/go.sum
+++ b/go.sum
@@ -760,8 +760,8 @@ sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHv
 sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/karpenter v0.34.7-0.20240812074104-8d610f09d15e h1:oUcdy3YLRF1vfEZ5+ti3HyNsqYRN2WQ9PeMASDzjpOQ=
-sigs.k8s.io/karpenter v0.34.7-0.20240812074104-8d610f09d15e/go.mod h1:YznL/hZkxTt5DMABADIwPoaf1tqWBZQA8Y1jSd3P1ZM=
+sigs.k8s.io/karpenter v0.34.7-0.20240812192613-3ee19c700318 h1:Ylc2JjcBd6CToHH/9LfJTOiwQJPjee/3D5kc0H7juzw=
+sigs.k8s.io/karpenter v0.34.7-0.20240812192613-3ee19c700318/go.mod h1:YznL/hZkxTt5DMABADIwPoaf1tqWBZQA8Y1jSd3P1ZM=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=