bump cluster autoscaler to fix role permission issue

yaguangtang · yaguangtang · commit 9a51d0d76d8d · 2025-11-22T00:40:48.000+08:00
Signed-off-by: Yaguang Tang &lt;yaguang.tang@vexxhost.com&gt;
diff --git a/.charts.yml b/.charts.yml
@@ -1,6 +1,6 @@
 charts:
   - name: cluster-autoscaler
-    version: 9.29.1
+    version: 9.29.5
     repository:
       url: https://kubernetes.github.io/autoscaler
   - name: cilium
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/Chart.yaml b/magnum_cluster_api/charts/cluster-autoscaler/Chart.yaml
@@ -10,4 +10,4 @@ name: cluster-autoscaler
 sources:
 - https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
 type: application
-version: 9.29.1
+version: 9.29.5
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/README.md b/magnum_cluster_api/charts/cluster-autoscaler/README.md
@@ -230,6 +230,32 @@ Additional config parameters available, see the `values.yaml` for more details
 - `clusterAPIWorkloadKubeconfigPath`
 - `clusterAPICloudConfigPath`
 
+### Exoscale
+
+The following parameters are required:
+
+- `cloudProvider=exoscale`
+- `autoDiscovery.clusterName=<CLUSTER NAME>`
+
+Create an Exoscale API key with appropriate permissions as described in [cluster-autoscaler/cloudprovider/exoscale/README.md](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/exoscale/README.md).
+A secret of name `<release-name>-exoscale-cluster-autoscaler` needs to be created, containing the api key and secret, as well as the zone.
+
+```console
+$ kubectl create secret generic my-release-exoscale-cluster-autoscaler \
+    --from-literal=api-key="EXOxxxxxxxxxxxxxxxxxxxxxxxx" \
+    --from-literal=api-secret="xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --from-literal=api-zone="ch-gva-2"
+```
+
+After creating the secret, the chart may be installed:
+
+```console
+$ helm install my-release autoscaler/cluster-autoscaler \
+    --set cloudProvider=exoscale \
+    --set autoDiscovery.clusterName=<CLUSTER NAME>
+```
+
+Read [cluster-autoscaler/cloudprovider/exoscale/README.md](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/exoscale/README.md) for further information on the setup without helm.
+
 ## Uninstalling the Chart
 
 To uninstall `my-release`:
@@ -411,6 +437,7 @@ vpa:
 | rbac.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is `true`, a name is generated using the fullname template. |
 | replicaCount | int | `1` | Desired number of pods |
 | resources | object | `{}` | Pod resource requests and limits. |
+| secretKeyRefNameOverride | string | `""` | Overrides the name of the Secret to use when loading the secretKeyRef for AWS and Azure env variables |
 | securityContext | object | `{}` | [Security context for pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | service.annotations | object | `{}` | Annotations to add to service |
 | service.create | bool | `true` | If `true`, a Service will be created. |
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/README.md.gotmpl b/magnum_cluster_api/charts/cluster-autoscaler/README.md.gotmpl
@@ -230,6 +230,32 @@ Additional config parameters available, see the `values.yaml` for more details
 - `clusterAPIWorkloadKubeconfigPath`
 - `clusterAPICloudConfigPath`
 
+### Exoscale
+
+The following parameters are required:
+
+- `cloudProvider=exoscale`
+- `autoDiscovery.clusterName=<CLUSTER NAME>`
+
+Create an Exoscale API key with appropriate permissions as described in [cluster-autoscaler/cloudprovider/exoscale/README.md](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/exoscale/README.md).
+A secret of name `<release-name>-exoscale-cluster-autoscaler` needs to be created, containing the api key and secret, as well as the zone.
+
+```console
+$ kubectl create secret generic my-release-exoscale-cluster-autoscaler \
+    --from-literal=api-key="EXOxxxxxxxxxxxxxxxxxxxxxxxx" \
+    --from-literal=api-secret="xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --from-literal=api-zone="ch-gva-2"
+```
+
+After creating the secret, the chart may be installed:
+
+```console
+$ helm install my-release autoscaler/cluster-autoscaler \
+    --set cloudProvider=exoscale \
+    --set autoDiscovery.clusterName=<CLUSTER NAME>
+```
+
+Read [cluster-autoscaler/cloudprovider/exoscale/README.md](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/exoscale/README.md) for further information on the setup without helm.
+
 ## Uninstalling the Chart
 
 To uninstall `my-release`:
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/templates/clusterrole.yaml b/magnum_cluster_api/charts/cluster-autoscaler/templates/clusterrole.yaml
@@ -151,9 +151,7 @@ rules:
     - cluster.x-k8s.io
     resources:
     - machinedeployments
-    - machinedeployments/scale
     - machinepools
-    - machinepools/scale
     - machines
     - machinesets
     verbs:
@@ -162,13 +160,13 @@ rules:
     - update
     - watch
   - apiGroups:
-    - infrastructure.cluster.x-k8s.io
+    - cluster.x-k8s.io
     resources:
-    - openstackmachinetemplates
+    - machinedeployments/scale
+    - machinepools/scale
     verbs:
     - get
-    - list
+    - patch
     - update
-    - watch
 {{- end }}
 {{- end -}}
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/templates/deployment.yaml b/magnum_cluster_api/charts/cluster-autoscaler/templates/deployment.yaml
@@ -80,7 +80,7 @@ spec:
             - --node-group-auto-discovery=mig:namePrefix={{ .name }},min={{ .minSize }},max={{ .maxSize }}
             {{- end }}
           {{- end }}
-          {{- if eq .Values.cloudProvider "oci-oke" }}
+          {{- if eq .Values.cloudProvider "oci" }}
             {{- if .Values.cloudConfigPath }}
             - --nodes={{ .minSize }}:{{ .maxSize }}:{{ .name }}
             - --balance-similar-node-groups
@@ -132,36 +132,36 @@ spec:
               valueFrom:
                 secretKeyRef:
                   key: AwsAccessKeyId
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             {{- end }}
             {{- if .Values.awsSecretAccessKey }}
             - name: AWS_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
                   key: AwsSecretAccessKey
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             {{- end }}
           {{- else if eq .Values.cloudProvider "azure" }}
             - name: ARM_SUBSCRIPTION_ID
               valueFrom:
                 secretKeyRef:
                   key: SubscriptionID
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: ARM_RESOURCE_GROUP
               valueFrom:
                 secretKeyRef:
                   key: ResourceGroup
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: ARM_VM_TYPE
               valueFrom:
                 secretKeyRef:
                   key: VMType
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: AZURE_CLUSTER_NAME
               valueFrom:
                 secretKeyRef:
                   key: ClusterName
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             {{- if .Values.azureUseWorkloadIdentityExtension }}
             - name: ARM_USE_WORKLOAD_IDENTITY_EXTENSION
               value: "true"
@@ -173,23 +173,39 @@ spec:
               valueFrom:
                 secretKeyRef:
                   key: TenantID
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: ARM_CLIENT_ID
               valueFrom:
                 secretKeyRef:
                   key: ClientID
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: ARM_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
                   key: ClientSecret
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             - name: AZURE_NODE_RESOURCE_GROUP
               valueFrom:
                 secretKeyRef:
                   key: NodeResourceGroup
-                  name: {{ template "cluster-autoscaler.fullname" . }}
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
             {{- end }}
+          {{- else if eq .Values.cloudProvider "exoscale" }}
+            - name: EXOSCALE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: api-key
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
+            - name: EXOSCALE_API_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: api-secret
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
+            - name: EXOSCALE_ZONE
+              valueFrom:
+                secretKeyRef:
+                  key: api-zone
+                  name: {{ default (include "cluster-autoscaler.fullname" .) .Values.secretKeyRefNameOverride }}
           {{- end }}
           {{- range $key, $value := .Values.extraEnv }}
             - name: {{ $key }}
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/templates/role.yaml b/magnum_cluster_api/charts/cluster-autoscaler/templates/role.yaml
@@ -49,16 +49,23 @@ rules:
     - cluster.x-k8s.io
     resources:
     - machinedeployments
-    - machinedeployments/scale
     - machinepools
-    - machinepools/scale
     - machines
     - machinesets
     verbs:
     - get
     - list
     - update
     - watch
+  - apiGroups:
+    - cluster.x-k8s.io
+    resources:
+    - machinedeployments/scale
+    - machinepools/scale
+    verbs:
+    - get
+    - patch
+    - update
 {{- end }}
 {{- if ( not .Values.rbac.clusterScoped ) }}
   - apiGroups:
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/templates/secret.yaml b/magnum_cluster_api/charts/cluster-autoscaler/templates/secret.yaml
@@ -1,11 +1,16 @@
-{{- if or (eq .Values.cloudProvider "azure") (and (eq .Values.cloudProvider "aws") (not (has "" (list .Values.awsAccessKeyID .Values.awsSecretAccessKey)))) }}
+{{- if not .Values.secretKeyRefNameOverride }}
+{{- $isAzure := eq .Values.cloudProvider "azure" }}
+{{- $isAws := eq .Values.cloudProvider "aws" }}
+{{- $awsCredentialsProvided := and .Values.awsAccessKeyID .Values.awsSecretAccessKey }}
+
+{{- if or $isAzure (and $isAws $awsCredentialsProvided) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "cluster-autoscaler.fullname" . }}
   namespace: {{ .Release.Namespace }}
 data:
-{{- if eq .Values.cloudProvider "azure" }}
+{{- if $isAzure }}
   ClientID: "{{ .Values.azureClientID | b64enc }}"
   ClientSecret: "{{ .Values.azureClientSecret | b64enc }}"
   ResourceGroup: "{{ .Values.azureResourceGroup | b64enc }}"
@@ -14,8 +19,9 @@ data:
   VMType: "{{ .Values.azureVMType | b64enc }}"
   ClusterName: "{{ .Values.azureClusterName | b64enc }}"
   NodeResourceGroup: "{{ .Values.azureNodeResourceGroup | b64enc }}"
-{{- else if eq .Values.cloudProvider "aws" }}
+{{- else if $isAws }}
   AwsAccessKeyId: "{{ .Values.awsAccessKeyID | b64enc }}"
   AwsSecretAccessKey: "{{ .Values.awsSecretAccessKey | b64enc }}"
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/magnum_cluster_api/charts/cluster-autoscaler/values.yaml b/magnum_cluster_api/charts/cluster-autoscaler/values.yaml
@@ -6,7 +6,7 @@ affinity: {}
 additionalLabels: {}
 
 autoDiscovery:
-  # cloudProviders `aws`, `gce`, `azure`, `magnum` and `clusterapi` `oci-oke` are supported by auto-discovery at this time
+  # cloudProviders `aws`, `gce`, `azure`, `magnum`, `clusterapi` and `oci` are supported by auto-discovery at this time
   # AWS: Set tags as described in https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#auto-discovery-setup
 
   # autoDiscovery.clusterName -- Enable autodiscovery for `cloudProvider=aws`, for groups matching `autoDiscovery.tags`.
@@ -396,3 +396,6 @@ vpa:
   updateMode: "Auto"
   # vpa.containerPolicy -- [ContainerResourcePolicy](https://github.com/kubernetes/autoscaler/blob/vertical-pod-autoscaler/v0.13.0/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1/types.go#L159). The containerName is always et to the deployment's container name. This value is required if VPA is enabled.
   containerPolicy: {}
+
+# secretKeyRefNameOverride -- Overrides the name of the Secret to use when loading the secretKeyRef for AWS and Azure env variables
+secretKeyRefNameOverride: ""
diff --git a/magnum_cluster_api/charts/patches/cluster-autoscaler/001-add-omt-to-clusterrole.patch b/magnum_cluster_api/charts/patches/cluster-autoscaler/001-add-omt-to-clusterrole.patch
