Use default apps from cluster chart (#581)

* Update cluster chart version and fix coreDns config

* Add cluster-autoscaler AWS config

* Enable cluster-autoscaler from cluster chart

* Enable capi-node-labeler from cluster chart

* Enable cert-exporter from cluster chart

* Enable cert-manager from cluster chart

* Enable chart-operator-extensions from cluster chart

* Use new app enable flag for cilium

* Enable all apps from cluster chart

And use new enabled flags for HelmReleases

* Add AWS-specific external-dns properties

* Values: Separate `app` and `helmRelease` definition.

* Chart: Add `aws-pod-identity-webhook` app.

* Add security-bundle AWS Helm values

* Add missing values for configuring apps

* Update cluster chart version

* Update CHANGELOG

---------

Co-authored-by: Marco Ebert <[email protected]>

CHANGELOG.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### ⚠️ Breaking change
+
+- Update cluster chart to v0.25.0 and enable all default apps. More details in [cluster chart v0.24.0 release notes](https://github.com/giantswarm/cluster/releases/tag/v0.24.0).
+
+Cluster upgrade steps are the following:
+- Upgrade default-apps-aws App to v0.52.0 or newer.
+- Update default-apps-aws Helm value `.Values.deleteOptions.moveAppsHelmOwnershipToClusterAws` to true.
+  - All apps, except observability-bundle and security-bundle will get `app-operator.giantswarm.io/paused: true` annotation, so wait few minutes for the change to get applied by the Helm post-upgrade hook.
+- Delete default-apps-aws.
+  - App resources for all default apps will get deleted. Wait few minutes for this to happen.
+  - Chart resources on the workload cluster will stay, so all apps will continue running. 
+- Upgrade cluster-aws App to v0.76.0.
+  - cluster-aws will deploy all default apps, wait a few minutes for all Apps to be successfully deployed.
+  - Chart resources on the workload cluster will get updated, as newly deployed App resources will take over the reconciliation of the existing Chart resources.
+
+### Added
+
+- Chart: Add `aws-pod-identity-webhook` app. ([#581](https://github.com/giantswarm/cluster-aws/pull/581)).
+
 ## [0.75.0] - 2024-05-09
 
 ### Added
@@ -54,6 +73,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Update instanceWarmup to 10' to be on pair with Vintage
 - Enable extraPolicies from network-policies-app.
 - Disable and remove extraPolicies from cilium-app.
+- Values: Separate `app` and `helmRelease` definition. ([#581](https://github.com/giantswarm/cluster-aws/pull/581))
 
 ## [0.70.0] - 2024-04-15
 

Makefile.development.mk

@@ -9,11 +9,13 @@ else
 CI_FILE ?= "ci/ci-values.yaml"
 endif
 
+APPLICATION="helm/cluster-aws"
+
 .PHONY: template
 template: ## Output the rendered Helm template
 	$(eval CHART_DIR := "helm/cluster-aws")
 	$(eval HELM_RELEASE_NAME := $(shell yq .global.metadata.name ${CHART_DIR}/${CI_FILE}))
 	@helm template -n org-giantswarm ${HELM_RELEASE_NAME} ${CHART_DIR} --values ${CHART_DIR}/${CI_FILE} --debug
 
 .PHONY: generate
-generate: normalize-schema validate-schema generate-docs generate-values
+generate: normalize-schema validate-schema generate-docs generate-values update-deps

helm/cluster-aws/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: cluster
   repository: https://giantswarm.github.io/cluster-catalog
-  version: 0.23.0
+  version: 0.25.0
 - name: cluster-shared
   repository: https://giantswarm.github.io/cluster-catalog
   version: 0.7.0
-digest: sha256:aec820306e002c75e4bd4fd0e8d5db9999a93a8e6e45fa84beb89446b877c45a
-generated: "2024-05-08T14:25:29.991771063+02:00"
+digest: sha256:6285a88ed8be876527bc267140585f0647b95ee7de282cee14ff23911f8911ad
+generated: "2024-05-14T14:41:15.942874+02:00"

helm/cluster-aws/Chart.yaml

@@ -16,7 +16,7 @@ restrictions:
     - capa
 dependencies:
   - name: cluster
-    version: "0.23.0"
+    version: "0.25.0"
     repository: https://giantswarm.github.io/cluster-catalog
   - name: cluster-shared
     version: "0.7.0"

helm/cluster-aws/templates/_clusterautoscaler_app_config.yaml

@@ -0,0 +1,7 @@
+{{/* AWS-specific cluster-autoscaler Helm values*/}}
+{{/* https://github.com/giantswarm/cluster-autoscaler-app/blob/main/helm/cluster-autoscaler-app/values.yaml*/}}
+{{- define "awsClusterAutoscalerHelmValues" }}
+serviceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: "{{ .Values.global.metadata.name }}-cluster-autoscaler-role"
+{{- end }}

helm/cluster-aws/templates/_externaldns_app_config.yaml

@@ -0,0 +1,12 @@
+{{/* AWS-specific external-dns Helm values*/}}
+{{/* https://github.com/giantswarm/external-dns-app/blob/main/helm/external-dns-app/values.yaml*/}}
+{{- define "awsExternalDnsHelmValues" }}
+aws:
+  irsa: "true"
+  batchChangeInterval: null
+serviceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: "{{ .Values.global.metadata.name }}-Route53Manager-Role"
+extraArgs:
+- "--aws-batch-change-interval=10s"
+{{- end }}

helm/cluster-aws/templates/_security-bundle_app_config.yaml

@@ -0,0 +1,14 @@
+{{/* AWS-specific security-bundle Helm values*/}}
+{{/* https://github.com/giantswarm/security-bundle/blob/main/helm/security-bundle/values.yaml*/}}
+{{- define "awsSecurityBundleHelmValues" }}
+userConfig:
+  kyverno:
+    configMap:
+      values:
+        kyverno:
+          admissionController:
+            tolerations:
+            - key: "node.cluster.x-k8s.io/uninitialized"
+              operator: "Exists"
+              effect: "NoSchedule"
+{{- end }}

helm/cluster-aws/templates/aws-pod-identity-webhook-app.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.global.apps.awsPodIdentityWebhook.values -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "resource.default.name" . }}-aws-pod-identity-webhook-user-values
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+data:
+  values: |
+    {{- toYaml .Values.global.apps.awsPodIdentityWebhook.values | nindent 4 }}
+{{- end }}
+---
+apiVersion: application.giantswarm.io/v1alpha1
+kind: App
+metadata:
+  name: {{ include "resource.default.name" . }}-aws-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+    giantswarm.io/managed-by: {{ .Chart.Name }}
+  annotations:
+    app-operator.giantswarm.io/depends-on: {{ include "resource.default.name" . }}-cert-manager
+spec:
+  catalog: default
+  name: aws-pod-identity-webhook
+  # repo: giantswarm/aws-pod-identity-webhook
+  version: 1.14.2
+  namespace: kube-system
+  config:
+    configMap:
+      name: {{ include "resource.default.name" . }}-cluster-values
+      namespace: {{ .Release.Namespace }}
+  {{- if .Values.global.apps.awsPodIdentityWebhook.values }}
+  userConfig:
+    configMap:
+      name: {{ include "resource.default.name" . }}-aws-pod-identity-webhook-user-values
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.global.apps.awsPodIdentityWebhook.extraConfigs }}
+  extraConfigs:
+  {{- range .Values.global.apps.awsPodIdentityWebhook.extraConfigs }}
+  - kind: {{ .kind }}
+    name: {{ .name }}
+    namespace: {{ .namespace | default $.Release.Namespace }}
+    priority: {{ .priority }}
+  {{- end }}
+  {{- end }}
+  kubeConfig:
+    inCluster: false
+    secret:
+      name: {{ include "resource.default.name" . }}-kubeconfig
+      namespace: {{ .Release.Namespace }}
+    context:
+      name: {{ include "resource.default.name" . }}-admin@{{ include "resource.default.name" . }}