# Karpenter EC2NodeClass Configuration
# RFC 0039: ADR-Compliant Foundation Infrastructure
#
# Defines how Karpenter provisions EC2 instances
---
apiVersion: karpenter.k8s.aws/v1beta1
kind: EC2NodeClass
metadata:
  name: default
spec:
  # Amazon Linux 2 AMI family
  amiFamily: AL2

  # Subnet selection - private subnets only
  subnetSelectorTerms:
    - tags:
        karpenter.sh/discovery: "true"

  # Security group selection
  securityGroupSelectorTerms:
    - tags:
        karpenter.sh/discovery: "true"

  # IAM role for nodes
  role: "alignment-production-node"

  # Instance store policy for NVMe instances
  instanceStorePolicy: RAID0

  # Block device mappings
  blockDeviceMappings:
    - deviceName: /dev/xvda
      ebs:
        volumeSize: 100Gi
        volumeType: gp3
        iops: 3000
        throughput: 125
        encrypted: true
        deleteOnTermination: true

  # User data for node initialization
  userData: |
    #!/bin/bash
    set -e

    # Enable FIPS mode (ADR 0003)
    # Note: Full FIPS requires FIPS-validated AMI
    # This is a placeholder for production FIPS configuration

    # Configure kubelet for optimal performance
    cat >> /etc/kubernetes/kubelet/config.json.patch <<EOF
    {
      "kubeReserved": {
        "cpu": "100m",
        "memory": "512Mi"
      },
      "systemReserved": {
        "cpu": "100m",
        "memory": "512Mi"
      },
      "evictionHard": {
        "memory.available": "10%" # percentage of total memory
        "nodefs.available": "10%",
        "nodefs.inodesFree": "5%"
      }
    }
    EOF

  # Tags for all instances
  tags:
    Project: alignment
    Environment: production
    ManagedBy: karpenter
    RFC: "0039"

  # Metadata options
  metadataOptions:
    httpEndpoint: enabled
    httpProtocolIPv6: disabled
    httpPutResponseHopLimit: 2
    httpTokens: required  # IMDSv2 required for security