feat: add release scripts

.ko.yaml

@@ -0,0 +1,4 @@
+defaultBaseImage: mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0-nonroot
+defaultPlatforms:
+  - linux/arm64
+  - linux/amd64

.shellcheckrc

@@ -0,0 +1 @@
+external-sources=true

Makefile

@@ -2,6 +2,12 @@ include Makefile-az.mk
 
 export K8S_VERSION ?= 1.27.x
 
+## Inject the app version into operator.Version
+LDFLAGS ?= -ldflags=-X=sigs.k8s.io/karpenter/pkg/operator.Version=$(shell git describe --tags --always | cut -d"v" -f2)
+
+GOFLAGS ?= $(LDFLAGS)
+WITH_GOFLAGS = GOFLAGS="$(GOFLAGS)"
+
 # # CR for local builds of Karpenter
 SYSTEM_NAMESPACE ?= karpenter
 
@@ -94,6 +100,12 @@ vulncheck: ## Verify code vulnerabilities
 codegen: ## Auto generate files based on Azure API responses
 	./hack/codegen.sh
 
+snapshot: az-login ## Builds and publishes snapshot release
+	$(WITH_GOFLAGS) ./hack/release/snapshot.sh
+
+release: az-login ## Builds and publishes stable release
+	$(WITH_GOFLAGS) ./hack/release/release.sh
+
 toolchain: ## Install developer toolchain
 	./hack/toolchain.sh
 
@@ -103,7 +115,7 @@ tidy: ## Recursively "go mod tidy" on all directories where go.mod exists
 download: ## Recursively "go mod download" on all directories where go.mod exists
 	$(foreach dir,$(MOD_DIRS),cd $(dir) && go mod download $(newline))
 
-.PHONY: help test battletest e2etests verify tidy download codegen toolchain vulncheck
+.PHONY: help test battletest e2etests verify tidy download codegen toolchain vulncheck snapshot release
 
 define newline
 

Makefile-az.mk

@@ -26,7 +26,7 @@ az-all-custom-vnet: az-login az-create-workload-msi az-mkaks-custom-vnet az-crea
 az-all-savm:    az-login az-mkaks-savm az-perm-savm az-patch-skaffold-azure az-build az-run az-run-sample ## Provision the infra (ACR,AKS); build and deploy Karpenter; deploy sample Provisioner and workload - StandaloneVirtualMachines
 
 az-login: ## Login into Azure
-	az login
+	az account show -o none || az login
 	az account set --subscription $(AZURE_SUBSCRIPTION_ID)
 
 az-mkrg: ## Create resource group

charts/karpenter/values.yaml

@@ -94,11 +94,13 @@ extraVolumes: []
 controller:
   image:
     # -- Repository path to the controller image.
-    repository: public.ecr.aws/karpenter/controller
+    repository: mcr.microsoft.com/aks/karpenter/controller
     # -- Tag of the controller image.
     tag: v0.32.1
     # -- SHA256 digest of the controller image.
     # digest:
+
+    digest: sha256:e35e315face303a784e137c5af5683f4421fa8537f1ea70cacdc1673f7f08b28
   # -- Additional environment variables for the controller pod.
   env: []
   # - name:
@@ -177,6 +179,14 @@ settings:
     clusterName: ""
     # -- Cluster endpoint.
     clusterEndpoint: ""
+    # -- Kubelet client TLS bootstrap token.
+    kubeletClientTLSBootstrapToken: ""
+    # -- SSH public key.
+    sshPublicKey: ""
+    # -- Network plugin.
+    networkPlugin: "azure"
+    # -- Network policy.
+    networkPolicy: ""
     # -- The VM memory overhead as a percent that will be subtracted from the total memory for all instance types
     vmMemoryOverheadPercent: 0.075
     # -- The global tags to use on all Azure infrastructure resources (VMs, etc.)
@@ -188,4 +198,4 @@ settings:
     # -- drift is in ALPHA and is disabled by default.
     # Setting drift to true enables the drift disruption method to watch for drift between currently deployed nodes
     # and the desired state of nodes set in provisioners and node templates
-    drift: false
+    drift: true

hack/infra/ksnap-acr.bicep

@@ -0,0 +1,49 @@
+param location string = resourceGroup().location
+
+@description('ACR for Karpenter snapshots')
+resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
+  name: 'ksnap'
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    anonymousPullEnabled: true
+    adminUserEnabled: false
+  }
+}
+
+var schedule = '0 1 * * Tue' // 1am UTC every Tuesday
+
+var purgeOldArtifacts = '''
+version: v1.1.0
+steps:
+- cmd: acr purge --filter 'karpenter/snapshot/.*:.*' --ago 30d --untagged
+  disableWorkingDirectoryOverride: true
+  timeout: 3600
+'''
+
+@description('purge old artifacts from the registry periodically')
+resource acrPurgeTask 'Microsoft.ContainerRegistry/registries/tasks@2019-06-01-preview' = {
+  name: 'purge-old-artifacts'
+  location: location
+  parent: acr
+  properties: {
+    platform: {
+      os: 'Linux'
+      architecture: 'amd64'
+    }
+    step: {
+      type: 'EncodedTask'
+      encodedTaskContent: base64(purgeOldArtifacts)
+     }
+     trigger: {
+      timerTriggers: [{
+          name: 'weekly-purge'
+          schedule: schedule
+          status: 'Enabled'
+        }]
+    }
+    status: 'Enabled'
+  }
+}

hack/release/common.sh

@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+RELEASE_ACR=${RELEASE_ACR:-ksnap.azurecr.io} # will always be overridden
+RELEASE_REPO_ACR=${RELEASE_REPO_ACR:-${RELEASE_ACR}/public/aks/karpenter}
+RELEASE_REPO_MAR=mcr.microsoft.com/aks/karpenter
+SNAPSHOT_ACR=${SNAPSHOT_ACR:-ksnap.azurecr.io}
+SNAPSHOT_REPO_ACR=${SNAPSHOT_REPO_ACR:-${SNAPSHOT_ACR}/karpenter/snapshot}
+
+CURRENT_MAJOR_VERSION="0"
+
+snapshot() {
+  local commit_sha version helm_chart_version
+
+  commit_sha="${1}"
+  version="${commit_sha}"
+  helm_chart_version="${CURRENT_MAJOR_VERSION}-${commit_sha}"
+
+  echo "Release Type: snapshot
+Release Version: ${version}
+Commit: ${commit_sha}
+Helm Chart Version ${helm_chart_version}"
+
+  authenticate "${SNAPSHOT_ACR}"
+  buildAndPublish "${SNAPSHOT_REPO_ACR}" "${version}" "${helm_chart_version}" "${commit_sha}"
+}
+
+release() {
+  local commit_sha version helm_chart_version
+
+  commit_sha="${1}"
+  version="${2}"
+  helm_chart_version="${version}"
+
+  echo "Release Type: stable
+Release Version: ${version}
+Commit: ${commit_sha}
+Helm Chart Version ${helm_chart_version}"
+
+  authenticate "${RELEASE_ACR}"
+  buildAndPublish "${RELEASE_REPO_ACR}" "${version}" "${helm_chart_version}" "${commit_sha}" \
+    "${RELEASE_REPO_MAR}" # repo override for Helm chart
+}
+
+authenticate() {
+  local acr
+
+  acr="$1"
+  az acr login -n "${acr}"
+}
+
+buildAndPublish() {
+  local oci_repo version helm_chart_version commit_sha date_epoch build_date img img_repo img_tag img_digest
+
+  oci_repo="${1}"
+  version="${2}"
+  helm_chart_version="${3}"
+  commit_sha="${4}"
+
+  date_epoch="$(dateEpoch)"
+  build_date="$(buildDate "${date_epoch}")"
+
+  img="$(GOFLAGS=${GOFLAGS:-} \
+    SOURCE_DATE_EPOCH="${date_epoch}" KO_DATA_DATE_EPOCH="${date_epoch}" KO_DOCKER_REPO="${oci_repo}" \
+    ko publish -B --sbom none -t "${version}"     ./cmd/controller)"
+  img_nap="$(GOFLAGS="${GOFLAGS:-} -tags=ccp" \
+    SOURCE_DATE_EPOCH="${date_epoch}" KO_DATA_DATE_EPOCH="${date_epoch}" KO_DOCKER_REPO="${oci_repo}" \
+    ko publish -B --sbom none -t "${version}"-aks ./cmd/controller)"
+
+  # img format is "repo:tag@digest"
+  img_repo="$(echo "${img}" | cut -d "@" -f 1 | cut -d ":" -f 1)"
+  img_tag="$(echo "${img}" | cut -d "@" -f 1 | cut -d ":" -f 2 -s)"
+  img_digest="$(echo "${img}" | cut -d "@" -f 2)"
+  # img_repo format is "registry-fqdn/path0/path1/..."
+  img_registry="$(echo "${img_repo}" | cut -d "/" -f 1)"
+  img_path="$(echo "${img_repo}" | cut -d "/" -f 2-)"
+
+  # lock releases, but not snapshots
+  if [[ "${oci_repo}" == "${RELEASE_REPO_ACR}" ]]; then
+    lockImage "${img_registry}" "${img_path}" "${img_tag}"
+    lockImage "${img_registry}" "${img_path}" "${img_tag}-aks"
+  fi
+
+  cosignOciArtifact "${version}" "${commit_sha}" "${build_date}" "${img}"
+  cosignOciArtifact "${version}" "${commit_sha}" "${build_date}" "${img_nap}"
+
+  repo=${5:-$img_repo} # override the repo if provided (used for MCR)
+
+  yq e -i ".controller.image.repository = \"${repo}\"" charts/karpenter/values.yaml
+  yq e -i ".controller.image.tag = \"${img_tag}\"" charts/karpenter/values.yaml
+  yq e -i ".controller.image.digest = \"${img_digest}\"" charts/karpenter/values.yaml
+
+  publishHelmChart "${oci_repo}" "karpenter" "${helm_chart_version}" "${commit_sha}" "${build_date}"
+  publishHelmChart "${oci_repo}" "karpenter-crd" "${helm_chart_version}" "${commit_sha}" "${build_date}"
+}
+
+lockImage() {
+  local img_registry img_path img_tag
+
+  img_registry="$1"
+  img_path="$2"
+  img_tag="$3"
+
+  az acr repository update -n "${img_registry}" --image "${img_path}:${img_tag}" \
+    --write-enabled false \
+    --delete-enabled false
+}
+
+publishHelmChart() {
+  local oci_repo helm_chart version commit_sha build_date helm_chart_artifact helm_chart_digest
+
+  oci_repo="${1}"
+  helm_chart="${2}"
+  version="${3}"
+  commit_sha="${4}"
+  build_date="${5}"
+
+  helm_chart_artifact="${helm_chart}-${version}.tgz"
+
+  yq e -i ".appVersion = \"${version}\"" "charts/${helm_chart}/Chart.yaml"
+  yq e -i ".version = \"${version}\"" "charts/${helm_chart}/Chart.yaml"
+
+  cd charts
+  helm dependency update "${helm_chart}"
+  helm lint "${helm_chart}"
+  helm package "${helm_chart}" --version "${version}"
+  helm push "${helm_chart_artifact}" "oci://${oci_repo}"
+  rm "${helm_chart_artifact}"
+  cd ..
+
+  helm_chart_digest="$(crane digest "${oci_repo}/${helm_chart}:${version}")"
+  cosignOciArtifact "${version}" "${commit_sha}" "${build_date}" "${oci_repo}${helm_chart}:${version}@${helm_chart_digest}"
+}
+
+# When executed interactively, cosign will prompt you to authenticate via OIDC, where you'll sign in
+# with your email address. Under the hood, cosign will request a code signing certificate from the Fulcio
+# certificate authority. The subject of the certificate will match the email address you logged in with.
+# Cosign will then store the signature and certificate in the Rekor transparency log, and upload the signature
+# to the OCI registry alongside the image you're signing. For details see https://github.com/sigstore/cosign.
+cosignOciArtifact() {
+  local version commit_sha build_date artifact
+
+  version="${1}"
+  commit_sha="${2}"
+  build_date="${3}"
+  artifact="${4}"
+
+  cosign sign --yes -a version="${version}" -a commitSha="${commit_sha}" -a buildDate="${build_date}" "${artifact}"
+}
+
+dateEpoch() {
+  git log -1 --format='%ct'
+}
+
+buildDate() {
+  local date_epoch
+
+  date_epoch="${1}"
+
+  date -u --date="@${date_epoch}" "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null
+}

hack/release/release.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+# shellcheck source=./common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+git_tag="$(git describe --exact-match --tags || echo "no tag")"
+if [[ "${git_tag}" == "no tag" ]]; then
+  echo "Failed to release: commit is untagged"
+  exit 1
+fi
+commit_sha="$(git rev-parse HEAD)"
+
+# Don't release with a dirty commit!
+if [[ "$(git status --porcelain)" != "" ]]; then
+  echo "There are uncommitted changes, please commit them before releasing."
+  exit 1
+fi
+
+release "${commit_sha}" "${git_tag#v}"

hack/release/snapshot.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+# shellcheck source=./common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+commit_sha="$(git rev-parse HEAD)"
+
+# Don't release with a dirty commit!
+if [[ "$(git status --porcelain)" != "" ]]; then
+  echo "There are uncommitted changes, please commit them before releasing."
+  exit 1
+fi
+
+snapshot "${commit_sha}"

hack/toolchain.sh

@@ -17,12 +17,13 @@ tools() {
     go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.12.0
     go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20231031112659-edb7fe9c520e
     go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0
-    go install github.com/sigstore/cosign/v2/cmd/cosign@v2.2.2
+    go install github.com/sigstore/cosign/v2/cmd/cosign@v2.2.3
 #   go install -tags extended github.com/gohugoio/hugo@v0.110.0
     go install golang.org/x/vuln/cmd/govulncheck@v1.0.3
     go install github.com/onsi/ginkgo/v2/ginkgo@v2.15.0
     go install github.com/rhysd/actionlint/cmd/actionlint@v1.6.26
     go install github.com/mattn/goveralls@v0.0.12
+    go install github.com/google/go-containerregistry/cmd/crane@v0.19.1
 
     if ! echo "$PATH" | grep -q "${GOPATH:-undefined}/bin\|$HOME/go/bin"; then
         echo "Go workspace's \"bin\" directory is not in PATH. Run 'export PATH=\"\$PATH:\${GOPATH:-\$HOME/go}/bin\"'."
@@ -40,7 +41,7 @@ kubebuilder() {
     if [[ "${K8S_VERSION}" = "1.25.x" ]] && [[ "$OSTYPE" == "linux"* ]]; then
         for binary in 'kube-apiserver' 'kubectl'; do
             rm $KUBEBUILDER_ASSETS/$binary
-            wget -P $KUBEBUILDER_ASSETS dl.k8s.io/v1.25.16/bin/linux/${arch}/${binary}
+            wget -P $KUBEBUILDER_ASSETS dl.k8s.io/v1.25.16/bin/linux/"${arch}"/${binary}
             chmod +x $KUBEBUILDER_ASSETS/$binary
         done
     fi