From cb04ef7612ba1d6d6e905d2cc5529fc1377456a7 Mon Sep 17 00:00:00 2001
From: stxkxs
Date: Fri, 22 May 2026 12:53:18 -0700
Subject: [PATCH] fix: substitute the EC2NodeClass placeholders in staging and production
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The base karpenter-resources EC2NodeClass carries ${CLUSTER_NAME} and ${ENVIRONMENT} placeholders. The dev overlay patches the EC2NodeClass with concrete values, but the staging and production overlays only defined a karpenter-config configMapGenerator — and nothing ever consumed it (no replacements block, no substitution plugin). The rendered staging and production EC2NodeClass therefore shipped the literal strings: `role: ${CLUSTER_NAME}-karpenter-node` and tag selectors keyed on ${CLUSTER_NAME}, so Karpenter could not resolve an instance-profile role or match any subnet / security group — node provisioning would fail. The unconsumed configMapGenerator also emitted an orphan ConfigMap into kube-system. Both overlays now patch the EC2NodeClass with their concrete cluster name and environment, exactly as the dev overlay does, and the dead configMapGenerator is removed. `kustomize build` for all three overlays now renders a fully-resolved EC2NodeClass with no placeholders and no stray ConfigMap. Pre-existing bug, predating the agent-runtime program — surfaced by the pre-deploy quality audit.
---
 .../overlays/production/kustomization.yaml | 25 +++++++++++++++----
 .../overlays/staging/kustomization.yaml | 25 +++++++++++++++----
 2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/addons/operations/karpenter-resources/overlays/production/kustomization.yaml b/addons/operations/karpenter-resources/overlays/production/kustomization.yaml
index 88ef861..82e4bdd 100644
--- a/addons/operations/karpenter-resources/overlays/production/kustomization.yaml
+++ b/addons/operations/karpenter-resources/overlays/production/kustomization.yaml
@@ -38,8 +38,23 @@ patches:
 schedule: "0 9 * * 1-5"
 duration: 8h
-configMapGenerator:
- - name: karpenter-config
- literals:
- - CLUSTER_NAME=production-eks
- - ENVIRONMENT=production
+ - patch: |-
+ apiVersion: karpenter.k8s.aws/v1
+ kind: EC2NodeClass
+ metadata:
+ name: default
+ spec:
+ role: production-eks-karpenter-node
+ subnetSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: production-eks
+ kubernetes.io/role/internal-elb: "1"
+ securityGroupSelectorTerms:
+ - tags:
+ aws:eks:cluster-name: production-eks
+ tags:
+ environment: production
+ managed-by: karpenter
+ target:
+ kind: EC2NodeClass
+ name: default
diff --git a/addons/operations/karpenter-resources/overlays/staging/kustomization.yaml b/addons/operations/karpenter-resources/overlays/staging/kustomization.yaml
index 4a365ad..e69d1d5 100644
--- a/addons/operations/karpenter-resources/overlays/staging/kustomization.yaml
+++ b/addons/operations/karpenter-resources/overlays/staging/kustomization.yaml
@@ -15,8 +15,23 @@ patches:
 cpu: 75
 memory: 150Gi
-configMapGenerator:
- - name: karpenter-config
- literals:
- - CLUSTER_NAME=staging-eks
- - ENVIRONMENT=staging
+ - patch: |-
+ apiVersion: karpenter.k8s.aws/v1
+ kind: EC2NodeClass
+ metadata:
+ name: default
+ spec:
+ role: staging-eks-karpenter-node
+ subnetSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: staging-eks
+ kubernetes.io/role/internal-elb: "1"
+ securityGroupSelectorTerms:
+ - tags:
+ aws:eks:cluster-name: staging-eks
+ tags:
+ environment: staging
+ managed-by: karpenter
+ target:
+ kind: EC2NodeClass
+ name: default
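Review bot: The `subnetSelectorTerms` entry in the added production patch decides node placement from two user-settable tags, `karpenter.sh/discovery: production-eks` and `kubernetes.io/role/internal-elb: "1"`, so whoever can tag subnets in the account can widen where production nodes launch. The security-group term is keyed on `aws:eks:cluster-name`, which sits in the AWS-reserved `aws:` tag namespace, so the subnet term is the weaker of the two. If the production subnets are stable, consider pinning them with `id:` terms; otherwise add a comment above the term such as `# both tags must match; subnet tagging rights decide node placement`. The staging hunk uses the same selector shape. Nothing visible here shows who holds subnet tagging permissions, so this is a point to confirm rather than a confirmed gap.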
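Review bot: Nothing guards against a new `${...}` placeholder in the base rendering literally again, because this staging patch, like the production one, only overrides the fields that carry placeholders today. A render check in CI would catch a recurrence before deploy, for example `kustomize build addons/operations/karpenter-resources/overlays/staging | grep -F '${' && exit 1`, repeated per overlay. The value `staging-eks-karpenter-node` is now maintained by hand in this file, so a short comment above `role:` naming where that role is defined would help; a mismatch would presumably only surface when Karpenter tries to launch a node.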