Merge branch 'main' into charliedmcb/useWorkloadIdForKarpenter

Azure · Jan 25, 2024 · 6a36134 · 6a36134
2 parents d7a4608 + e439439
commit 6a36134
Show file tree

Hide file tree

Showing 95 changed files with 567 additions and 341 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug.yaml b/.github/ISSUE_TEMPLATE/bug.yaml
@@ -7,7 +7,7 @@ body:
     attributes:
       label: Version
       description: |
-        https://github.com/Azure/karpenter/releases
+        https://github.com/Azure/karpenter-provider-azure/releases
       value: |
         <!-- helm ls -A --all -o json | jq '.[] | select(.name=="karpenter") | .app_version' -r -->
         __Karpenter Version:__ v0.0.0

diff --git a/.github/actions/e2e/cleanup/action.yaml b/.github/actions/e2e/cleanup/action.yaml
@@ -42,10 +42,10 @@ runs:
       run: az account set --subscription ${{ inputs.subscription-id }}
     - name: delete cluster ${{ inputs.cluster_name }}
       shell: bash
-      run: az aks delete --name ${{ inputs.cluster_name }} --resource-group ${{ inputs.resource_group }} --yes
+      run: az aks delete --name ${{ inputs.cluster_name }} --resource-group ${{ inputs.resource_group }} --yes --no-wait
     - name: delete acr ${{ inputs.acr_name }}
       shell: bash
       run: az acr delete --name ${{ inputs.acr_name }} --resource-group ${{ inputs.resource_group }} --yes
     - name: delete rg ${{ inputs.resource_group }}
       shell: bash
-      run: az group delete --name ${{ inputs.resource_group }} --yes
+      run: az group delete --name ${{ inputs.resource_group }} --yes --no-wait
diff --git a/.github/actions/e2e/create-acr/action.yaml b/.github/actions/e2e/create-acr/action.yaml
@@ -22,7 +22,7 @@ inputs:
   location:
     type: string
     description: "the azure location to run the e2e test in"
-    default: "westus2"
+    default: "eastus"
 runs:
   using: "composite"
   steps:

diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
@@ -29,7 +29,7 @@ inputs:
   location:
     type: string
     description: "the azure location to run the e2e test in"
-    default: "westus2"
+    default: "eastus"
 runs:
   using: "composite"
   steps:

diff --git a/.github/actions/e2e/install-karpenter/action.yaml b/.github/actions/e2e/install-karpenter/action.yaml
@@ -28,7 +28,7 @@ inputs:
   location:
     type: string
     description: "the azure location to run the e2e test in"
-    default: "westus2"
+    default: "eastus"
 runs:
   using: "composite"
   steps:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -25,3 +25,18 @@ updates:
     directory: "/.github"
     schedule:
       interval: "monthly"
+
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /hack/go-helper-image
+    schedule:
+      interval: daily
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -10,6 +10,6 @@
 ### Running the test case
 1. Make a draft PR
 2. Anytime you want to run the E2E test suite submit a review comment `/test`
-3. Each time a the given review comment is submited it will trigger the [E2EMatrixTrigger](https://github.com/Azure/karpenter/actions/workflows/e2e-matrix-trigger.yaml) workflow which will contain your test suite.
+3. Each time a the given review comment is submited it will trigger the [E2EMatrixTrigger](https://github.com/Azure/karpenter-provider-azure/actions/workflows/e2e-matrix-trigger.yaml) workflow which will contain your test suite.
 
 
diff --git a/.github/workflows/approval-comment.yaml b/.github/workflows/approval-comment.yaml
@@ -3,12 +3,20 @@ on:
   pull_request_review:
     types: [submitted]
 
+permissions:
+  contents: read
+
 jobs:
   approval-comment:
     if: startsWith(github.event.review.body, '/test')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: Save info about the review comment as an artifact for other workflows that run on workflow_run to download them
@@ -18,7 +26,7 @@ jobs:
           mkdir -p /tmp/artifacts
           { echo ${{ github.event.pull_request.number }}; echo ${{ github.event.review.commit_id }}; } >> /tmp/artifacts/metadata.txt
           cat /tmp/artifacts/metadata.txt
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
         with:
           name: artifacts
           path: /tmp/artifacts
diff --git a/.github/workflows/build-publish-mcr.yml b/.github/workflows/build-publish-mcr.yml
@@ -22,7 +22,12 @@ jobs:
     outputs:
       release_tag: ${{ steps.vars.outputs.release_tag }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: 'Set output variables'
@@ -39,15 +44,20 @@ jobs:
     runs-on: ubuntu-latest
     needs: prepare-variables
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ needs.prepare-variables.outputs.release_tag }}
 
     - uses: ./.github/actions/install-deps
 
     # reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
     - name: Login to Azure
-      uses: azure/login@v1
+      uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -64,7 +74,7 @@ jobs:
           main: ./cmd/controller
           flags: ['-tags','ccp']
         EOF
-        ko build github.com/Azure/karpenter/cmd/controller \
+        ko build github.com/Azure/karpenter-provider-azure/cmd/controller \
           --platform linux/amd64,linux/arm64 \
           --base-import-paths \
           --sbom none \

diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
@@ -13,7 +13,12 @@ jobs:
     env:
       K8S_VERSION: ${{ matrix.k8sVersion }}
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/install-deps
       with:
         k8sVersion: ${{ matrix.k8sVersion }}    

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,11 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - uses: ./.github/actions/install-deps
     - run: make ci-non-test
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -6,9 +6,12 @@ on:
   schedule:
     - cron: '0 12 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
-    if: github.repository == 'Azure/karpenter'
+    if: github.repository == 'Azure/karpenter-provider-azure'
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
@@ -22,11 +25,16 @@ jobs:
         language: [ 'go' ]
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./.github/actions/install-deps
       - run: make vulncheck
-      - uses: github/codeql-action/init@v2
+      - uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/autobuild@v2
-      - uses: github/codeql-action/analyze@v2
+      - uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+      - uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
diff --git a/.github/workflows/deflake.yml b/.github/workflows/deflake.yml
@@ -7,7 +7,12 @@ jobs:
   deflake:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./.github/actions/install-deps
       - name: Running tests 5 times to find flaky tests
         id: run-deflake

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
diff --git a/.github/workflows/e2e-matrix-trigger.yaml b/.github/workflows/e2e-matrix-trigger.yaml
@@ -5,7 +5,7 @@ on:
       location:
         type: string
         description: "the azure location to run the e2e test in"
-        default: "westus2"
+        default: "eastus"
   push:
     branches: [main]
   workflow_run:
@@ -24,7 +24,7 @@ jobs:
     uses: ./.github/workflows/e2e-matrix.yaml
     with:
       git_ref: ${{ needs.resolve.outputs.GIT_REF }}
-      location: ${{ inputs.location || 'westus2' }}
+      location: ${{ inputs.location || 'eastus' }}
     secrets:
       E2E_CLIENT_ID: ${{ secrets.E2E_CLIENT_ID }}
       E2E_TENANT_ID: ${{ secrets.E2E_TENANT_ID }}

diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml
@@ -7,7 +7,7 @@ on:
       location:
         type: string
         description: "the azure location to run the e2e test in"
-        default: "westus2"
+        default: "eastus"
   #     k8s_version:
   #       type: string
   #       default: "1.27"
@@ -24,6 +24,11 @@ jobs:
     outputs:
       E2E_HASH: ${{ steps.generate-e2e-run-hash.outputs.E2E_HASH }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - id: generate-e2e-run-hash
         run: |
           E2E_HASH=$RANDOM$RANDOM

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -13,7 +13,7 @@ on:
       location:
         type: string
         description: "the azure location to run the e2e test in"
-        default: "westus2"
+        default: "eastus"
     #   k8s_version:
     #     type: string
     #     default: "1.27"
@@ -35,7 +35,12 @@ jobs:
     env:
       AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_SUBSCRIPTION_ID }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ inputs.git_ref }}
       - if: always() && github.event_name == 'workflow_run'
@@ -45,7 +50,7 @@ jobs:
           git_ref: ${{ inputs.git_ref }}
       - uses: ./.github/actions/install-deps
       - name: az login
-        uses: azure/login@v1
+        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
         with:
           client-id: ${{ secrets.E2E_CLIENT_ID }}
           tenant-id: ${{ secrets.E2E_TENANT_ID }}

diff --git a/.github/workflows/resolve-args.yaml b/.github/workflows/resolve-args.yaml
@@ -11,7 +11,12 @@ jobs:
       GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }}
     steps:
       # Download the artifact and resolve the GIT_REF
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - if: github.event_name == 'workflow_run'
         uses: ./.github/actions/download-artifact
       - id: resolve-step