feat: Update AWS CCM versions (#748)

While I was thinking how to list all images we require for CAREN, I
noticed that we can use helm values to do the necessary overrides for
AWS CCM image and container args.

At the same time, I updated to the latest versions available and added
k8s v1.30 support to the handler.

Author: jimmidyson

api/v1alpha1/addon_types.go

@@ -238,6 +238,11 @@ type CCM struct {
 	// A reference to the Secret for credential information for the target Prism Central instance
 	// +kubebuilder:validation:Optional
 	Credentials *CCMCredentials `json:"credentials,omitempty"`
+
+	// Addon strategy used to deploy the CCM to the workload cluster.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=ClusterResourceSet;HelmAddon
+	Strategy AddonStrategy `json:"strategy"`
 }
 
 type CCMCredentials struct {
@@ -250,5 +255,6 @@ type ServiceLoadBalancer struct {
 	// The LoadBalancer-type Service provider to deploy. Not required in infrastructures where
 	// the CCM acts as the provider.
 	// +kubebuilder:validation:Enum=MetalLB
+	// +kubebuilder:validation:Required
 	Provider string `json:"provider"`
 }

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -64,6 +64,14 @@ spec:
                           required:
                             - secretRef
                           type: object
+                        strategy:
+                          description: Addon strategy used to deploy the CCM to the workload cluster.
+                          enum:
+                            - ClusterResourceSet
+                            - HelmAddon
+                          type: string
+                      required:
+                        - strategy
                       type: object
                     clusterAutoscaler:
                       description: ClusterAutoscaler tells us to enable or disable the cluster-autoscaler addon.

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -64,6 +64,14 @@ spec:
                           required:
                             - secretRef
                           type: object
+                        strategy:
+                          description: Addon strategy used to deploy the CCM to the workload cluster.
+                          enum:
+                            - ClusterResourceSet
+                            - HelmAddon
+                          type: string
+                      required:
+                        - strategy
                       type: object
                     clusterAutoscaler:
                       description: ClusterAutoscaler tells us to enable or disable the cluster-autoscaler addon.

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -64,6 +64,14 @@ spec:
                           required:
                             - secretRef
                           type: object
+                        strategy:
+                          description: Addon strategy used to deploy the CCM to the workload cluster.
+                          enum:
+                            - ClusterResourceSet
+                            - HelmAddon
+                          type: string
+                      required:
+                        - strategy
                       type: object
                     clusterAutoscaler:
                       description: ClusterAutoscaler tells us to enable or disable the cluster-autoscaler addon.

charts/cluster-api-runtime-extensions-nutanix/README.md

@@ -35,6 +35,12 @@ A Helm chart for cluster-api-runtime-extensions-nutanix
 | helmRepositoryImage.pullPolicy | string | `"IfNotPresent"` |  |
 | helmRepositoryImage.repository | string | `"ghcr.io/nutanix-cloud-native/caren-helm-reg"` |  |
 | helmRepositoryImage.tag | string | `""` |  |
+| hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.create | bool | `true` |  |
+| hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.name | string | `"default-aws-ccm-helm-values-template"` |  |
+| hooks.ccm.aws.k8sMinorVersionToCCMVersion."1.27" | string | `"v1.27.7"` |  |
+| hooks.ccm.aws.k8sMinorVersionToCCMVersion."1.28" | string | `"v1.28.6"` |  |
+| hooks.ccm.aws.k8sMinorVersionToCCMVersion."1.29" | string | `"v1.29.3"` |  |
+| hooks.ccm.aws.k8sMinorVersionToCCMVersion."1.30" | string | `"v1.30.1"` |  |
 | hooks.ccm.nutanix.helmAddonStrategy.defaultValueTemplateConfigMap.create | bool | `true` |  |
 | hooks.ccm.nutanix.helmAddonStrategy.defaultValueTemplateConfigMap.name | string | `"default-nutanix-ccm-helm-values-template"` |  |
 | hooks.clusterAutoscaler.crsStrategy.defaultInstallationConfigMap.name | string | `"cluster-autoscaler"` |  |

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.27.1-configmap.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.27.7-configmap.yaml

@@ -7,7 +7,7 @@
 #=================================================================
 apiVersion: v1
 data:
-  aws-ccm-v1.27.1.yaml: |
+  aws-ccm-v1.27.7.yaml: |
     apiVersion: v1
     kind: ServiceAccount
     metadata:
@@ -160,7 +160,7 @@ data:
             - --cloud-provider=aws
             - --configure-cloud-routes=false
             env: []
-            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.1
+            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.7
             name: aws-cloud-controller-manager
             resources:
               requests:
@@ -186,4 +186,4 @@ data:
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: aws-ccm-v1.27.1
+  name: aws-ccm-v1.27.7

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.28.1-configmap.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.28.6-configmap.yaml

@@ -7,7 +7,7 @@
 #=================================================================
 apiVersion: v1
 data:
-  aws-ccm-v1.28.1.yaml: |
+  aws-ccm-v1.28.6.yaml: |
     apiVersion: v1
     kind: ServiceAccount
     metadata:
@@ -160,7 +160,7 @@ data:
             - --cloud-provider=aws
             - --configure-cloud-routes=false
             env: []
-            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.1
+            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.6
             name: aws-cloud-controller-manager
             resources:
               requests:
@@ -186,4 +186,4 @@ data:
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: aws-ccm-v1.28.1
+  name: aws-ccm-v1.28.6

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.29.2-configmap.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.29.3-configmap.yaml

@@ -7,7 +7,7 @@
 #=================================================================
 apiVersion: v1
 data:
-  aws-ccm-v1.29.2.yaml: |
+  aws-ccm-v1.29.3.yaml: |
     apiVersion: v1
     kind: ServiceAccount
     metadata:
@@ -160,7 +160,7 @@ data:
             - --cloud-provider=aws
             - --configure-cloud-routes=false
             env: []
-            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.2
+            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.3
             name: aws-cloud-controller-manager
             resources:
               requests:
@@ -186,4 +186,4 @@ data:
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: aws-ccm-v1.29.2
+  name: aws-ccm-v1.29.3

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.30.1-configmap.yaml

@@ -0,0 +1,189 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#=================================================================
+#                 DO NOT EDIT THIS FILE
+#  IT HAS BEEN GENERATED BY /hack/addons/update-aws-ccm.sh
+#=================================================================
+apiVersion: v1
+data:
+  aws-ccm-v1.30.1.yaml: |
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: system:cloud-controller-manager
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - events
+      verbs:
+      - create
+      - patch
+      - update
+    - apiGroups:
+      - ""
+      resources:
+      - nodes
+      verbs:
+      - '*'
+    - apiGroups:
+      - ""
+      resources:
+      - nodes/status
+      verbs:
+      - patch
+    - apiGroups:
+      - ""
+      resources:
+      - services
+      verbs:
+      - list
+      - patch
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - services/status
+      verbs:
+      - list
+      - patch
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - serviceaccounts
+      verbs:
+      - create
+    - apiGroups:
+      - ""
+      resources:
+      - persistentvolumes
+      verbs:
+      - get
+      - list
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - endpoints
+      verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+    - apiGroups:
+      - coordination.k8s.io
+      resources:
+      - leases
+      verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+    - apiGroups:
+      - ""
+      resources:
+      - serviceaccounts/token
+      verbs:
+      - create
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: cloud-controller-manager:apiserver-authentication-reader
+      namespace: kube-system
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: extension-apiserver-authentication-reader
+    subjects:
+    - apiGroup: ""
+      kind: ServiceAccount
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: system:cloud-controller-manager
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: system:cloud-controller-manager
+    subjects:
+    - apiGroup: ""
+      kind: ServiceAccount
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+        k8s-app: aws-cloud-controller-manager
+      name: aws-cloud-controller-manager
+      namespace: kube-system
+    spec:
+      selector:
+        matchLabels:
+          k8s-app: aws-cloud-controller-manager
+      template:
+        metadata:
+          labels:
+            k8s-app: aws-cloud-controller-manager
+          name: aws-cloud-controller-manager
+        spec:
+          containers:
+          - args:
+            - --v=2
+            - --cloud-provider=aws
+            - --configure-cloud-routes=false
+            env: []
+            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.30.1
+            name: aws-cloud-controller-manager
+            resources:
+              requests:
+                cpu: 200m
+            securityContext: {}
+          dnsPolicy: Default
+          hostNetwork: true
+          nodeSelector:
+            node-role.kubernetes.io/control-plane: ""
+          priorityClassName: system-node-critical
+          securityContext: {}
+          serviceAccountName: cloud-controller-manager
+          tolerations:
+          - effect: NoSchedule
+            key: node.cloudprovider.kubernetes.io/uninitialized
+            value: "true"
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/master
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+      updateStrategy:
+        type: RollingUpdate
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: aws-ccm-v1.30.1

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/helm-addon-installation.yaml

@@ -0,0 +1,34 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.create }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: '{{ .Values.hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.name }}'
+data:
+  values.yaml: |-
+    # Starting in Kubernetes v1.29 the Kubelet no longer adds temporary addresses to the Node.
+    # See https://github.com/kubernetes/kubernetes/pull/121028
+    # This causes a deadlock with the AWS CCM and some CNI providers including Calico.
+    # The Calico Pods won't start until some addresses are assigned,
+    # but the AWS CCM that adds the addresses can't start until the Calico Pods are running.
+    # Using hostNetworking allows the AWS CCM to start before the Calico Pods.
+    # The upstream CAPA templates are also already using hostNetworking for the CCM Pods.
+    hostNetworking: true
+
+    args:
+      - --v=2
+      - --cloud-provider=aws
+      - --configure-cloud-routes=false
+
+    {{ "{{" }} $k8sMinorVersionToCCMVersion := dict
+    {{ range $k8sVersion, $ccmVersion := .Values.hooks.ccm.aws.k8sMinorVersionToCCMVersion -}}
+      "{{ $k8sVersion }}" "{{ $ccmVersion }}"
+    {{ end -}}
+    {{ "}}" }}
+    {{ "{{" }}$clusterSemver := semver .Cluster.spec.topology.version {{ "}}" }}
+    {{ "{{" }}$ccmVersion := get $k8sMinorVersionToCCMVersion ( print $clusterSemver.Major "." $clusterSemver.Minor ) {{ "}}" }}
+    image:
+      tag: {{ "{{ " }} $ccmVersion {{ "}}" }}
+{{- end -}}

charts/cluster-api-runtime-extensions-nutanix/templates/deployment.yaml

@@ -40,6 +40,10 @@ spec:
         - --csi.nutanix.helm-addon.default-values-template-configmap-name={{ (index .Values.hooks.csi "nutanix").helmAddonStrategy.defaultValueTemplateConfigMap.name }}
         - --csi.local-path.helm-addon.default-values-template-configmap-name={{ (index .Values.hooks.csi "local-path").helmAddonStrategy.defaultValueTemplateConfigMap.name }}
         - --csi.snapshot-controller.helm-addon.default-values-template-configmap-name={{ (index .Values.hooks.csi "snapshot-controller").helmAddonStrategy.defaultValueTemplateConfigMap.name }}
+        - --ccm.aws.helm-addon.default-values-template-configmap-name={{ .Values.hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.name }}
+        {{- range $k, $v := .Values.hooks.ccm.aws.k8sMinorVersionToCCMVersion }}
+        - --ccm.aws.aws-ccm-versions={{ $k }}={{ $v }}
+        {{- end }}
         {{- range $key, $value := .Values.extraArgs }}
         - --{{ $key }}={{ $value }}
         {{- end }}

charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml

@@ -7,6 +7,10 @@
 #=================================================================
 apiVersion: v1
 data:
+  aws-ccm: |
+    ChartName: aws-cloud-controller-manager
+    ChartVersion: 0.0.8
+    RepositoryURL: {{ if .Values.selfHostedRegistry }}oci://helm-repository.{{ .Release.Namespace }}.svc/charts{{ else }}https://kubernetes.github.io/cloud-provider-aws{{ end }}
   aws-ebs-csi: |
     ChartName: aws-ebs-csi-driver
     ChartVersion: 2.28.1