From 0573e6d39eb6890e674f46665a17bae7baa05cb6 Mon Sep 17 00:00:00 2001
From: Jun Mukai
Date: Wed, 20 Sep 2023 09:57:46 -0700
Subject: [PATCH] Fix minor typos for karpenter setup. `on-demand` is the right string to indicate OnDemand in Karpenter. See: https://github.com/aws/karpenter-core/blob/main/pkg/apis/v1alpha5/labels.go#L30 As the result it does not fall back to ondemand instances. Also add `ec2:DescribeImages` to karpenter IAM policies -- it's noted in https://karpenter.sh/docs/getting-started/migrating-from-cas/#create-iam-roles (the list also has DeleteLaunchTemplates but I don't think this is necessary for kOps).
---
 pkg/model/components/addonmanifests/karpenter/iam.go | 4 +++-
 ...policy_karpenter.kube-system.sa.minimal.example.com_policy | 1 +
 .../resources/addons/karpenter.sh/k8s-1.19.yaml.template | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkg/model/components/addonmanifests/karpenter/iam.go b/pkg/model/components/addonmanifests/karpenter/iam.go
index 9d3b2763d2..4cdb2fb7c6 100644
--- a/pkg/model/components/addonmanifests/karpenter/iam.go
+++ b/pkg/model/components/addonmanifests/karpenter/iam.go
@@ -51,9 +51,11 @@ func addKarpenterPermissions(p *iam.Policy) {
 // Not included because we require Karpenter
 // use existing kOps instance group launch templates
 // "ec2:CreateLaunchTemplate",
+ // "ec2:DeleteLaunchTemplate",
 "ec2:CreateFleet",
 "ec2:CreateTags",
 "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
 "ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -61,9 +63,9 @@ func addKarpenterPermissions(p *iam.Policy) {
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSpotPriceHistory",
 "ec2:DescribeSubnets",
- "iam:PassRole",
 "ec2:RunInstances",
 "ec2:TerminateInstances",
+ "iam:PassRole",
 "pricing:GetProducts",
 "ssm:GetParameter",
 )
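Review bot: Nothing visible here scopes `iam:PassRole`: in the second hunk it sits in the same flat action list as the read-only `ec2:Describe*` calls, and the call that opens the list in addKarpenterPermissions lies outside both hunks. If the list is emitted in a statement with `Resource: "*"` and no condition, the Karpenter service account can pass any role in the account to the instances it starts with `ec2:RunInstances`, which is wider than the node role it needs. It is worth confirming where the statement is built and recording the expectation next to the entry, e.g. `// iam:PassRole: limit to the kOps node instance roles, with iam:PassedToService = ec2.amazonaws.com`. The same scoping question applies to the mutating `ec2:CreateTags` (first hunk) and `ec2:TerminateInstances` (second hunk); the added `ec2:DescribeImages` is read-only and does not change that picture.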
diff --git a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
index 07f40f3a6b..8c9819079b 100644
--- a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
@@ -5,6 +5,7 @@
 "ec2:CreateFleet",
 "ec2:CreateTags",
 "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
 "ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
diff --git a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
index 7a7d3c1d6b..5983ecf60e 100644
--- a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
+++ b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
@@ -1771,7 +1771,7 @@ spec:
 requirements:
 - key: karpenter.sh/capacity-type
 operator: In
- values: ["spot", "ondemand"]
+ values: ["spot", "on-demand"]
 - key: kubernetes.io/arch
 operator: In
 values: ["{{ ArchitectureOfAMI $spec.Image }}"]
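Review bot: The capacity-type values in the template hunk remain bare string literals with nothing tying them to Karpenter's label constants, and the commit message indicates the earlier misspelling was accepted without error and simply removed the on-demand fallback. A short comment above the `values:` line would make the constraint visible, for example `# must match Karpenter's capacity-type label values: "spot", "on-demand"`. None of the three files in this patch looks like a rendered-manifest fixture for this template, so it may be worth checking that some test pins these values. The surrounding spec continues outside the hunk.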