deps: update public.ecr.aws/eks/aws-load-balancer-controller Docker tag to v2.11.0 (#3611)

* deps: update aws-load-balancer-controller Helm chart

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2025-01-30 15:54:07 +01:00 committed by GitHub
parent 706d1dff15
commit 0e4f3a0716
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 528 additions and 220 deletions


@ -473,6 +473,7 @@ go_library(
"charts/coredns/templates/deployment.yaml", "charts/coredns/templates/deployment.yaml",
"charts/coredns/templates/service.yaml", "charts/coredns/templates/service.yaml",
"charts/coredns/templates/serviceaccount.yaml", "charts/coredns/templates/serviceaccount.yaml",
"charts/aws-load-balancer-controller/templates/hpa.yaml",
], ],
importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm", importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
visibility = ["//:__subpackages__"], visibility = ["//:__subpackages__"],
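Review bot: the new `charts/aws-load-balancer-controller/templates/hpa.yaml` entry is appended after the `charts/coredns/templates/...` entries, so the embed list, which is otherwise grouped by chart, now has one aws-load-balancer-controller template sitting in the coredns block; move it up beside the chart's other templates. Since the README table in this commit documents `autoscaling` as defaulting to `false` and warns that enabling the HPA on `system-cluster-critical` pods can evict lower-priority pods, it is also worth confirming that the values Constellation passes leave `autoscaling.enabled` unset.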


@ -1,8 +1,8 @@
apiVersion: v2 apiVersion: v2
name: aws-load-balancer-controller name: aws-load-balancer-controller
description: AWS Load Balancer Controller Helm chart for Kubernetes description: AWS Load Balancer Controller Helm chart for Kubernetes
version: 1.5.4 version: 1.11.0
appVersion: v2.5.3 appVersion: v2.11.0
home: https://github.com/aws/eks-charts home: https://github.com/aws/eks-charts
icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
sources: sources:
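Review bot: the chart `version` jumps from 1.5.4 to 1.11.0 in one step while the commit title only mentions the image tag; that bump pulls in the new templates and values documented in the README hunk below (`hpa.yaml`, `serviceMutatorWebhookConfig.*`, `envSecretName`, `loadBalancerClass`, `tolerateNonExistentBackendService`), so the description should state that the chart values were reviewed against the new defaults, not only that the tag changed. `version` and `appVersion` are bumped together, which matches the compatibility note the README adds.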


@ -22,7 +22,11 @@ AWS Load Balancer controller manages the following AWS resources
As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes).
## Prerequisites ## Prerequisites
- Kubernetes >= 1.19 - Supported Kubernetes Versions
- Chart version v1.5.0+ requires Kubernetes 1.22+
- Chart version v1.4.0+ requires Kubernetes 1.19+
- Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21
- Chart version v1.1.6 and before supports Kubernetes 1.15
- IAM permissions - IAM permissions
- Helm v3 - Helm v3
- Optional dependencies - Optional dependencies
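Review bot: the new "Supported Kubernetes Versions" list stops at "Chart version v1.5.0+ requires Kubernetes 1.22+", so after this commit moves the chart to 1.11.0 the README does not state the minimum Kubernetes version for the chart version actually shipped; add an entry for the 1.11.x chart, or reword the v1.5.0+ line to say it covers everything up to the current version if that is accurate upstream.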
@ -74,7 +78,7 @@ If migrating from ALB ingress controller, grant [additional IAM permissions](htt
- Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). - Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json).
- CRDs need to be updated as follows - CRDs need to be updated as follows
```shell script ```shell script
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
``` ```
- you can run helm upgrade without uninstalling the old chart completely - you can run helm upgrade without uninstalling the old chart completely
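Review bot: the kustomize URL changes from `.../aws-load-balancer-controller//crds?ref=master` to `.../aws-load-balancer-controller/crds?ref=master`; the double slash is the go-getter convention kustomize uses to separate the repository from the subdirectory, so confirm the single-slash form resolves with the kustomize versions users actually run before documenting it. Independently of the slash, `ref=master` applies whatever CRDs are at the branch head rather than the ones matching chart 1.11.0; pinning `ref` to the chart's release tag would keep the CRD schema and the controller version in step.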
@ -92,8 +96,11 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the
## Installing the Chart ## Installing the Chart
**Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed. **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed.
**Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. **Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)].
**Note**: To ensure compatibility, we recommend installing the AWS Load Balancer controller image version with its compatible Helm chart version. Use the ```helm search repo eks/aws-load-balancer-controller --versions``` command to find the compatible versions.
Add the EKS repository to Helm: Add the EKS repository to Helm:
```shell script ```shell script
helm repo add eks https://aws.github.io/eks-charts helm repo add eks https://aws.github.io/eks-charts
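Review bot: the note one line above the added compatibility note still links to `.../v2.4/examples/secrets_access/` although this commit moves `appVersion` to v2.11.0; the new note about matching chart and image versions is useful, but the v2.4 documentation links in this file should be moved to the matching controller version at the same time.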
@ -102,7 +109,7 @@ helm repo add eks https://aws.github.io/eks-charts
Install the TargetGroupBinding CRDs: Install the TargetGroupBinding CRDs:
```shell script ```shell script
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
``` ```
Install the AWS Load Balancer controller, if using iamserviceaccount Install the AWS Load Balancer controller, if using iamserviceaccount
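Review bot: this is the same `//crds` to `/crds` edit as in the upgrade section above, so whichever form is kept, both commands must use it. The heading "Install the TargetGroupBinding CRDs" also undersells the command: the `crds` directory in this commit carries `ingressclassparams.elbv2.k8s.aws` as well as `targetgroupbindings.elbv2.k8s.aws`, so "Install the controller CRDs" would describe what is applied.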
@ -171,88 +178,106 @@ Chart release v1.2.0 and later enables high availability configuration by defaul
The following tables lists the configurable parameters of the chart and their default values. The following tables lists the configurable parameters of the chart and their default values.
The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options).
| Parameter | Description | Default |
|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| | Parameter | Description | Default |
| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| `image.tag` | image tag | `<VERSION>` | | `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` |
| `image.pullPolicy` | image pull policy | `IfNotPresent` | | `image.tag` | image tag | `<VERSION>` |
| `clusterName` | Kubernetes cluster name | None | | `image.pullPolicy` | image pull policy | `IfNotPresent` |
| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | | `clusterName` | Kubernetes cluster name | None |
| `securityContext` | Set to security context for pod | `{}` | | `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` |
| `resources` | Controller pod resource requests & limits | `{}` | | `securityContext` | Set to security context for pod | `{}` |
| `priorityClassName` | Controller pod priority class | system-cluster-critical | | `resources` | Controller pod resource requests & limits | `{}` |
| `nodeSelector` | Node labels for controller pod assignment | `{}` | | `priorityClassName` | Controller pod priority class | system-cluster-critical |
| `tolerations` | Controller pod toleration for taints | `{}` | | `nodeSelector` | Node labels for controller pod assignment | `{}` |
| `affinity` | Affinity for pod assignment | `{}` | | `tolerations` | Controller pod toleration for taints | `{}` |
| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | | `affinity` | Affinity for pod assignment | `{}` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | | `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` |
| `deploymentAnnotations` | Annotations to add to deployment | `{}` | | `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` |
| `podAnnotations` | Annotations to add to each pod | `{}` | | `deploymentAnnotations` | Annotations to add to deployment | `{}` |
| `podLabels` | Labels to add to each pod | `{}` | | `podAnnotations` | Annotations to add to each pod | `{}` |
| `additionalLabels` | Labels to add to all components | `{}` | | `podLabels` | Labels to add to each pod | `{}` |
| `rbac.create` | if `true`, create and use RBAC resources | `true` | | `additionalLabels` | Labels to add to all components | `{}` |
| `serviceAccount.annotations` | optional annotations to add to service account | None | | `rbac.create` | if `true`, create and use RBAC resources | `true` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | | `serviceAccount.annotations` | optional annotations to add to service account | None |
| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | | `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` |
| `serviceAccount.create` | If `true`, create a new service account | `true` | | `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` |
| `serviceAccount.name` | Service account to be used | None | | `serviceAccount.create` | If `true`, create a new service account | `true` |
| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | | `serviceAccount.name` | Service account to be used | None |
| `ingressClass` | The ingress class to satisfy | alb | | `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 |
| `createIngressClassResource` | Create ingressClass resource | true | | `ingressClass` | The ingress class to satisfy | alb |
| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | | `createIngressClassResource` | Create ingressClass resource | true |
| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | | `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None |
| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | | `ingressClassParams.create` | If `true`, create a new ingressClassParams | true |
| `region` | The AWS region for the kubernetes cluster | None | | `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} |
| `vpcId` | The VPC ID for the Kubernetes cluster | None | | `region` | The AWS region for the kubernetes cluster | None |
| `awsApiEndpoints` | Custom AWS API Endpoints | None | | `vpcId` | The VPC ID for the Kubernetes cluster | None |
| `awsApiThrottle` | Custom AWS API throttle settings | None | | `awsApiEndpoints` | Custom AWS API Endpoints | None |
| `awsMaxRetries` | Maximum retries for AWS APIs | None | | `awsApiThrottle` | Custom AWS API throttle settings | None |
| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | | `awsMaxRetries` | Maximum retries for AWS APIs | None |
| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | | `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` |
| `enableShield` | Enable Shield addon for ALB | None | | `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None |
| `enableWaf` | Enable WAF addon for ALB | None | | `enableShield` | Enable Shield addon for ALB | None |
| `enableWafv2` | Enable WAF V2 addon for ALB | None | | `enableWaf` | Enable WAF addon for ALB | None |
| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | | `enableWafv2` | Enable WAF V2 addon for ALB | None |
| `logLevel` | Set the controller log level - info, debug | None | | `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None |
| `metricsBindAddr` | The address the metric endpoint binds to | "" | | `logLevel` | Set the controller log level - info, debug | None |
| `webhookBindPort` | The TCP port the Webhook server binds to | None | | `metricsBindAddr` | The address the metric endpoint binds to | "" |
| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | | `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None |
| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | | `webhookBindPort` | The TCP port the Webhook server binds to | None |
| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | | `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | | `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | | `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | | `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None |
| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | | `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` |
| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | | `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | | `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | | `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None |
| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | | `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None |
| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | | `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None |
| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | | `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None |
| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | | `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None |
| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | | `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` |
| `env` | Environment variables to set for aws-load-balancer-controller pod | None | | `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` |
| `hostNetwork` | If `true`, use hostNetwork | `false` | | `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None |
| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | | `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` |
| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | | `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) |
| `extraVolumes` | Extra volumes for the pod | `[]` | | `env` | Environment variables to set for aws-load-balancer-controller pod | None |
| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | | `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None |
| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | | `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None |
| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | | `hostNetwork` | If `true`, use hostNetwork | `false` |
| `updateStrategy` | Defines the update strategy for the deployment | `{}` | | `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` |
| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | | `extraVolumeMounts` | Extra volume mounts for the pod | `[]` |
| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | | `extraVolumes` | Extra volumes for the pod | `[]` |
| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | | `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` |
| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | | `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` |
| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | | `revisionHistoryLimit` | Number of revisions to keep | `10` |
| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | | `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | | `updateStrategy` | Defines the update strategy for the deployment | `{}` |
| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | | `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` |
| `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` | | `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` |
| `serviceMonitor.interval` | Prometheus scrape interval | `1m` | | `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` |
| `serviceMonitor.namespace` | Namespace in which Prometheus is running | None | | `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` |
| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` | | `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` |
| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | | `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None |
| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | | `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None |
| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | | `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` |
| `serviceMonitor.namespace` | Namespace in which to create the service monitor | None |
| `serviceMonitor.additionalLabels` | Labels to add to the service monitor | `{}` |
| `serviceMonitor.interval` | Prometheus scrape interval | `1m` |
| `serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `1m` |
| `serviceMonitor.relabelings` | Relabelings to apply to samples before ingestion | `1m` |
| `serviceMonitor.metricRelabelings` | Metric relabelings to apply to samples before ingestion | `1m` |
| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` |
| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` |
| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` |
| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` |
| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
| `creator` | if set to a `value!=helm`, it will disable the addition of default helm labels | `helm` |
| `runtimeClassName` | Runtime class name for the controller pods , such as `gvisor` or `kata`. An unspecified `nil` or empty `""` RuntimeClassName is equivalent to the backwards-compatible default behavior as if the RuntimeClass feature is disabled. | "" |
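Review bot: the defaults for `serviceMonitor.relabelings` and `serviceMonitor.metricRelabelings` are given as `1m`, a scrape-interval value copied from the rows above that cannot be the default for a list of relabel rules; correct them to what `values.yaml` ships (an empty list, if that is the case). Two smaller points in the same table: the `defaultTargetType` description has an unbalanced backtick and a stray `"` around the `aws-load-balancer-nlb-target-type` annotation, and `webhookNamespaceSelectors` still reads "wekbook". The sentence introducing the table also still points at `.../v2.4/deploy/configurations/...` for a v2.11.0 controller.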


@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.11.1 controller-gen.kubebuilder.io/version: v0.14.0
creationTimestamp: null
name: ingressclassparams.elbv2.k8s.aws name: ingressclassparams.elbv2.k8s.aws
spec: spec:
group: elbv2.k8s.aws group: elbv2.k8s.aws
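Review bot: the `controller-gen.kubebuilder.io/version` bump to v0.14.0 and the dropped `creationTimestamp: null` show the CRDs were regenerated; if this file lives in the chart's `crds/` directory, `helm upgrade` will not apply the changes (Helm installs `crds/` content only on first install), so the `certificateArn`, `listeners` and `minimumLoadBalancerCapacity` fields added below reach existing clusters only through whatever separate CRD-apply step Constellation's upgrade path runs. Worth confirming that step exists, since the README's own instruction for this is a manual `kubectl apply -k`.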
@ -36,20 +35,31 @@ spec:
description: IngressClassParams is the Schema for the IngressClassParams API description: IngressClassParams is the Schema for the IngressClassParams API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
spec: spec:
description: IngressClassParamsSpec defines the desired state of IngressClassParams description: IngressClassParamsSpec defines the desired state of IngressClassParams
properties: properties:
certificateArn:
description: CertificateArn specifies the ARN of the certificates
for all Ingresses that belong to IngressClass with this IngressClassParams.
items:
type: string
type: array
group: group:
description: Group defines the IngressGroup for all Ingresses that description: Group defines the IngressGroup for all Ingresses that
belong to IngressClass with this IngressClassParams. belong to IngressClass with this IngressClassParams.
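Review bot: `certificateArn` is a class-level list that applies to every Ingress in the IngressClass, but the schema accepts any string (`items: type: string`, no `pattern`, no `minItems`), so a malformed ARN is admitted and only fails at reconcile time; an ARN `pattern` would catch typos at admission. The description also says "the ARN of the certificates" for an array field; "the ARNs of the certificates" reads correctly.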
@ -72,7 +82,38 @@ spec:
enum: enum:
- ipv4 - ipv4
- dualstack - dualstack
- dualstack-without-public-ipv4
type: string type: string
listeners:
description: Listeners define a list of listeners with their protocol,
port and attributes.
items:
properties:
listenerAttributes:
description: The attributes of the listener
items:
description: Attributes defines custom attributes on resources.
properties:
key:
description: The key of the attribute.
type: string
value:
description: The value of the attribute.
type: string
required:
- key
- value
type: object
type: array
port:
description: The port of the listener
format: int32
type: integer
protocol:
description: The protocol of the listener
type: string
type: object
type: array
loadBalancerAttributes: loadBalancerAttributes:
description: LoadBalancerAttributes define the custom attributes to description: LoadBalancerAttributes define the custom attributes to
LoadBalancers for all Ingress that that belong to IngressClass with LoadBalancers for all Ingress that that belong to IngressClass with
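Review bot: `listeners[].port` is constrained only by `format: int32` with no `minimum`/`maximum`, and `listeners[].protocol` is a free-form string while `ipAddressType` in the same spec uses an `enum`; without `minimum: 1`, `maximum: 65535` and a protocol enum, invalid listener definitions are accepted by the API server and surface only as reconcile errors. The new `dualstack-without-public-ipv4` enum value follows the existing enum style.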
@ -91,50 +132,63 @@ spec:
- value - value
type: object type: object
type: array type: array
minimumLoadBalancerCapacity:
description: MinimumLoadBalancerCapacity define the capacity reservation
for LoadBalancers for all Ingress that belong to IngressClass with
this IngressClassParams.
properties:
capacityUnits:
description: The Capacity Units Value.
format: int32
type: integer
required:
- capacityUnits
type: object
namespaceSelector: namespaceSelector:
description: NamespaceSelector restrict the namespaces of Ingresses description: |-
that are allowed to specify the IngressClass with this IngressClassParams. NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams.
* if absent or present but empty, it selects all namespaces. * if absent or present but empty, it selects all namespaces.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the key A label selector requirement is a selector that contains values, a key, and an operator that
and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to description: |-
a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a strategic the values array must be empty. This array is replaced during a strategic
merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
x-kubernetes-list-type: atomic
required: required:
- key - key
- operator - operator
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -167,10 +221,11 @@ spec:
items: items:
type: string type: string
type: array type: array
description: Tags specifies subnets in the load balancer's VPC description: |-
where each tag specified in the map key contains one of the Tags specifies subnets in the load balancer's VPC where each
values in the corresponding value list. Exactly one of this tag specified in the map key contains one of the values in the corresponding
or `ids` must be specified. value list.
Exactly one of this or `ids` must be specified.
type: object type: object
type: object type: object
tags: tags:
@ -200,8 +255,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.11.1 controller-gen.kubebuilder.io/version: v0.14.0
creationTimestamp: null
name: targetgroupbindings.elbv2.k8s.aws name: targetgroupbindings.elbv2.k8s.aws
spec: spec:
group: elbv2.k8s.aws group: elbv2.k8s.aws
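Review bot: the controller-gen bump regenerates both TargetGroupBinding schema versions with looser validation (see the `required` and `minLength` changes further down), so confirm the new CRD manifests are actually applied on upgrade: `helm upgrade` never touches manifests under a chart's `crds/` directory and only re-applies CRDs rendered from `templates/`. If this chart keeps its CRDs under `crds/`, the upgrade path in the helm package has to apply the new schema explicitly, otherwise existing clusters keep the old CRDs while running the v2.11.0 controller.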
@ -230,6 +284,11 @@ spec:
name: ARN name: ARN
priority: 1 priority: 1
type: string type: string
- description: The AWS TargetGroup's Name
jsonPath: .spec.targetGroupName
name: NAME
priority: 2
type: string
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: AGE name: AGE
type: date type: date
@ -239,20 +298,29 @@ spec:
description: TargetGroupBinding is the Schema for the TargetGroupBinding API description: TargetGroupBinding is the Schema for the TargetGroupBinding API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
spec: spec:
description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding
properties: properties:
multiClusterTargetGroup:
description: MultiClusterTargetGroup Denotes if the TargetGroup is
shared among multiple clusters
type: boolean
networking: networking:
description: networking provides the networking setup for ELBV2 LoadBalancer description: networking provides the networking setup for ELBV2 LoadBalancer
to access targets in TargetGroup. to access targets in TargetGroup.
@ -263,28 +331,30 @@ spec:
items: items:
properties: properties:
from: from:
description: List of peers which should be able to access description: |-
the targets in TargetGroup. At least one NetworkingPeer List of peers which should be able to access the targets in TargetGroup.
should be specified. At least one NetworkingPeer should be specified.
items: items:
description: NetworkingPeer defines the source/destination description: NetworkingPeer defines the source/destination
peer for networking rules. peer for networking rules.
properties: properties:
ipBlock: ipBlock:
description: IPBlock defines an IPBlock peer. If specified, description: |-
none of the other fields can be set. IPBlock defines an IPBlock peer.
If specified, none of the other fields can be set.
properties: properties:
cidr: cidr:
description: CIDR is the network CIDR. Both IPV4 description: |-
or IPV6 CIDR are accepted. CIDR is the network CIDR.
Both IPV4 or IPV6 CIDR are accepted.
type: string type: string
required: required:
- cidr - cidr
type: object type: object
securityGroup: securityGroup:
description: SecurityGroup defines a SecurityGroup description: |-
peer. If specified, none of the other fields can SecurityGroup defines a SecurityGroup peer.
be set. If specified, none of the other fields can be set.
properties: properties:
groupID: groupID:
description: GroupID is the EC2 SecurityGroupID. description: GroupID is the EC2 SecurityGroupID.
@ -295,24 +365,24 @@ spec:
type: object type: object
type: array type: array
ports: ports:
description: List of ports which should be made accessible description: |-
on the targets in TargetGroup. If ports is empty or unspecified, List of ports which should be made accessible on the targets in TargetGroup.
it defaults to all ports with TCP. If ports is empty or unspecified, it defaults to all ports with TCP.
items: items:
properties: properties:
port: port:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: The port which traffic must match. When description: |-
NodePort endpoints(instance TargetType) is used, The port which traffic must match.
this must be a numerical port. When Port endpoints(ip When NodePort endpoints(instance TargetType) is used, this must be a numerical port.
TargetType) is used, this can be either numerical When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods.
or named port on pods. if port is unspecified, it if port is unspecified, it defaults to all ports.
defaults to all ports.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
protocol: protocol:
description: The protocol which traffic must match. description: |-
The protocol which traffic must match.
If protocol is unspecified, it defaults to TCP. If protocol is unspecified, it defaults to TCP.
enum: enum:
- TCP - TCP
@ -347,6 +417,9 @@ spec:
description: targetGroupARN is the Amazon Resource Name (ARN) for description: targetGroupARN is the Amazon Resource Name (ARN) for
the TargetGroup. the TargetGroup.
type: string type: string
targetGroupName:
description: targetGroupName is the Name of the TargetGroup.
type: string
targetType: targetType:
description: targetType is the TargetType of TargetGroup. If unspecified, description: targetType is the TargetType of TargetGroup. If unspecified,
it will be automatically inferred. it will be automatically inferred.
@ -356,7 +429,6 @@ spec:
type: string type: string
required: required:
- serviceRef - serviceRef
- targetGroupARN
type: object type: object
status: status:
description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding
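Review bot: dropping `targetGroupARN` from `required` (the `- targetGroupARN` removal above) leaves a TargetGroupBinding with neither `targetGroupARN` nor `targetGroupName` schema-valid, since `targetGroupName` is added as optional too. The one-of constraint now rests entirely on the validating webhook, which is a fail-open gap whenever that webhook is unreachable. Consider encoding it in the schema with a CEL rule on the spec object, e.g. `x-kubernetes-validations: [{rule: "has(self.targetGroupARN) || has(self.targetGroupName)"}]`, so the API server enforces it even without the webhook.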
@ -389,6 +461,11 @@ spec:
name: ARN name: ARN
priority: 1 priority: 1
type: string type: string
- description: The AWS TargetGroup's Name
jsonPath: .spec.targetGroupName
name: NAME
priority: 2
type: string
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: AGE name: AGE
type: date type: date
@ -398,14 +475,19 @@ spec:
description: TargetGroupBinding is the Schema for the TargetGroupBinding API description: TargetGroupBinding is the Schema for the TargetGroupBinding API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: |-
of an object. Servers should convert recognized schemas to the latest APIVersion defines the versioned schema of this representation of an object.
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: |-
object represents. Servers may infer this from the endpoint the client Kind is a string value representing the REST resource this object represents.
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string type: string
metadata: metadata:
type: object type: object
@ -419,6 +501,10 @@ spec:
- ipv4 - ipv4
- ipv6 - ipv6
type: string type: string
multiClusterTargetGroup:
description: MultiClusterTargetGroup Denotes if the TargetGroup is
shared among multiple clusters
type: boolean
networking: networking:
description: networking defines the networking rules to allow ELBV2 description: networking defines the networking rules to allow ELBV2
LoadBalancer to access targets in TargetGroup. LoadBalancer to access targets in TargetGroup.
@ -431,28 +517,30 @@ spec:
of traffic that is allowed to access TargetGroup's targets. of traffic that is allowed to access TargetGroup's targets.
properties: properties:
from: from:
description: List of peers which should be able to access description: |-
the targets in TargetGroup. At least one NetworkingPeer List of peers which should be able to access the targets in TargetGroup.
should be specified. At least one NetworkingPeer should be specified.
items: items:
description: NetworkingPeer defines the source/destination description: NetworkingPeer defines the source/destination
peer for networking rules. peer for networking rules.
properties: properties:
ipBlock: ipBlock:
description: IPBlock defines an IPBlock peer. If specified, description: |-
none of the other fields can be set. IPBlock defines an IPBlock peer.
If specified, none of the other fields can be set.
properties: properties:
cidr: cidr:
description: CIDR is the network CIDR. Both IPV4 description: |-
or IPV6 CIDR are accepted. CIDR is the network CIDR.
Both IPV4 or IPV6 CIDR are accepted.
type: string type: string
required: required:
- cidr - cidr
type: object type: object
securityGroup: securityGroup:
description: SecurityGroup defines a SecurityGroup description: |-
peer. If specified, none of the other fields can SecurityGroup defines a SecurityGroup peer.
be set. If specified, none of the other fields can be set.
properties: properties:
groupID: groupID:
description: GroupID is the EC2 SecurityGroupID. description: GroupID is the EC2 SecurityGroupID.
@ -463,9 +551,9 @@ spec:
type: object type: object
type: array type: array
ports: ports:
description: List of ports which should be made accessible description: |-
on the targets in TargetGroup. If ports is empty or unspecified, List of ports which should be made accessible on the targets in TargetGroup.
it defaults to all ports with TCP. If ports is empty or unspecified, it defaults to all ports with TCP.
items: items:
description: NetworkingPort defines the port and protocol description: NetworkingPort defines the port and protocol
for networking rules. for networking rules.
@ -474,15 +562,15 @@ spec:
anyOf: anyOf:
- type: integer - type: integer
- type: string - type: string
description: The port which traffic must match. When description: |-
NodePort endpoints(instance TargetType) is used, The port which traffic must match.
this must be a numerical port. When Port endpoints(ip When NodePort endpoints(instance TargetType) is used, this must be a numerical port.
TargetType) is used, this can be either numerical When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods.
or named port on pods. if port is unspecified, it if port is unspecified, it defaults to all ports.
defaults to all ports.
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
protocol: protocol:
description: The protocol which traffic must match. description: |-
The protocol which traffic must match.
If protocol is unspecified, it defaults to TCP. If protocol is unspecified, it defaults to TCP.
enum: enum:
- TCP - TCP
@ -504,41 +592,42 @@ spec:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed. The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that description: |-
contains values, a key, and an operator that relates the key A label selector requirement is a selector that contains values, a key, and an operator that
and values. relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies description: key is the label key that the selector applies
to. to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to description: |-
a set of values. Valid operators are In, NotIn, Exists operator represents a key's relationship to a set of values.
and DoesNotExist. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the description: |-
operator is In or NotIn, the values array must be non-empty. values is an array of string values. If the operator is In or NotIn,
If the operator is Exists or DoesNotExist, the values the values array must be non-empty. If the operator is Exists or DoesNotExist,
array must be empty. This array is replaced during a strategic the values array must be empty. This array is replaced during a strategic
merge patch. merge patch.
items: items:
type: string type: string
type: array type: array
x-kubernetes-list-type: atomic
required: required:
- key - key
- operator - operator
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single description: |-
{key,value} in the matchLabels map is equivalent to an element matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
of matchExpressions, whose key field is "key", the operator map is equivalent to an element of matchExpressions, whose key field is "key", the
is "In", and the values array contains only "value". The requirements operator is "In", and the values array contains only "value". The requirements are ANDed.
are ANDed.
type: object type: object
type: object type: object
x-kubernetes-map-type: atomic x-kubernetes-map-type: atomic
@ -562,7 +651,9 @@ spec:
targetGroupARN: targetGroupARN:
description: targetGroupARN is the Amazon Resource Name (ARN) for description: targetGroupARN is the Amazon Resource Name (ARN) for
the TargetGroup. the TargetGroup.
minLength: 1 type: string
targetGroupName:
description: targetGroupName is the Name of the TargetGroup.
type: string type: string
targetType: targetType:
description: targetType is the TargetType of TargetGroup. If unspecified, description: targetType is the TargetType of TargetGroup. If unspecified,
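Review bot: `minLength: 1` on `targetGroupARN` goes away here, so an explicit `targetGroupARN: ""` now passes schema validation in this version. Combined with the field becoming optional in the next hunk, the schema can no longer tell "unset" from "set to empty"; if the intent is that either the ARN or `targetGroupName` is supplied, keep `minLength: 1` on both string fields and let a one-of rule decide presence.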
@ -571,9 +662,12 @@ spec:
- instance - instance
- ip - ip
type: string type: string
vpcID:
description: VpcID is the VPC of the TargetGroup. If unspecified,
it will be automatically inferred.
type: string
required: required:
- serviceRef - serviceRef
- targetGroupARN
type: object type: object
status: status:
description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding
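Review bot: same gap as in the other served version: with `- targetGroupARN` removed from `required` and `targetGroupName` optional, nothing in this schema forces a target group reference at all. Also, the new `vpcID` is accepted as a free-form string with no `pattern`; a `^vpc-[0-9a-f]+$`-style pattern would catch typos at admission rather than at reconcile time, which matters because the description says the value is otherwise inferred, so a mistyped ID silently overrides the inference.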


@ -45,12 +45,14 @@ This enables using a shorter name for the resources, for example aws-load-balanc
Common labels Common labels
*/}} */}}
{{- define "aws-load-balancer-controller.labels" -}} {{- define "aws-load-balancer-controller.labels" -}}
{{- if eq (default "helm" .Values.creator) "helm" -}}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }} helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }}
{{- end }}
{{ include "aws-load-balancer-controller.selectorLabels" . }} {{ include "aws-load-balancer-controller.selectorLabels" . }}
{{- if .Chart.AppVersion }} {{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }} {{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.additionalLabels }} {{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels }} {{ toYaml .Values.additionalLabels }}
{{- end -}} {{- end -}}
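Review bot: `app.kubernetes.io/managed-by` and `helm.sh/chart` are now emitted only when `.Values.creator` is unset or `helm`, but this diff adds no `creator` key or comment to values.yaml, so the knob is undiscoverable. Add it with a comment stating that any other value drops both labels; policy or inventory tooling that selects on `app.kubernetes.io/managed-by` will otherwise silently stop matching these resources.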


@ -11,6 +11,7 @@ metadata:
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }} {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
selector: selector:
matchLabels: matchLabels:
{{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
@ -37,6 +38,9 @@ spec:
{{- with .Values.imagePullSecrets }} {{- with .Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName }}
{{- end }} {{- end }}
serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }} serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }}
volumes: volumes:
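Review bot: `runtimeClassName: {{ .Values.runtimeClassName }}` sits inside `{{- with .Values.runtimeClassName }}`, where the dot is rebound to the string value, so `.Values` no longer resolves and rendering fails as soon as anyone sets a non-empty `runtimeClassName` (the default `""` skips the block and hides the bug). Use `runtimeClassName: {{ . }}` or `{{ $.Values.runtimeClassName }}` here.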
@ -58,15 +62,17 @@ spec:
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
args: args:
- --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }} - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }}
{{- if .Values.ingressClass }} {{- if .Values.ingressClass }}
- --ingress-class={{ .Values.ingressClass }} - --ingress-class={{ .Values.ingressClass }}
{{- end }} {{- end }}
{{- if .Values.region }} {{- $region := tpl (default "" .Values.region) . }}
{{- if $region }}
- --aws-region={{ .Values.region }} - --aws-region={{ .Values.region }}
{{- end }} {{- end }}
{{- if .Values.vpcId }} {{- $vpcID := tpl (default "" .Values.vpcId) . }}
- --aws-vpc-id={{ .Values.vpcId }} {{- if $vpcID }}
- --aws-vpc-id={{ $vpcID }}
{{- end }} {{- end }}
{{- if .Values.awsApiEndpoints }} {{- if .Values.awsApiEndpoints }}
- --aws-api-endpoints={{ .Values.awsApiEndpoints }} - --aws-api-endpoints={{ .Values.awsApiEndpoints }}
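Review bot: `$region` is computed with `tpl` but the flag still emits the raw value, `- --aws-region={{ .Values.region }}`, while the vpcId block right below correctly emits `{{ $vpcID }}`. A templated `region` (the reason `tpl` was introduced) is therefore used only for the emptiness check and the controller receives the unrendered template string; change it to `- --aws-region={{ $region }}`.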
@ -104,6 +110,9 @@ spec:
{{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }} {{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }}
- --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }} - --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }}
{{- end }} {{- end }}
{{- if .Values.lbStabilizationMonitorInterval }}
- --lb-stabilization-monitor-interval={{ .Values.lbStabilizationMonitorInterval }}
{{- end }}
{{- if .Values.logLevel }} {{- if .Values.logLevel }}
- --log-level={{ .Values.logLevel }} - --log-level={{ .Values.logLevel }}
{{- end }} {{- end }}
@ -122,6 +131,12 @@ spec:
{{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }} {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }}
- --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }} - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }}
{{- end }} {{- end }}
{{- if kindIs "bool" .Values.tolerateNonExistentBackendService }}
- --tolerate-non-existent-backend-service={{ .Values.tolerateNonExistentBackendService }}
{{- end }}
{{- if kindIs "bool" .Values.tolerateNonExistentBackendAction }}
- --tolerate-non-existent-backend-action={{ .Values.tolerateNonExistentBackendAction }}
{{- end }}
{{- if .Values.defaultSSLPolicy }} {{- if .Values.defaultSSLPolicy }}
- --default-ssl-policy={{ .Values.defaultSSLPolicy }} - --default-ssl-policy={{ .Values.defaultSSLPolicy }}
{{- end }} {{- end }}
@ -149,13 +164,42 @@ spec:
{{- if ne .Values.defaultTargetType "instance" }} {{- if ne .Values.defaultTargetType "instance" }}
- --default-target-type={{ .Values.defaultTargetType }} - --default-target-type={{ .Values.defaultTargetType }}
{{- end }} {{- end }}
{{- if .Values.env }} {{- if .Values.serviceTargetENISGTags }}
- --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }}
{{- end }}
{{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}
- --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }}
{{- end }}
{{- if .Values.loadBalancerClass }}
- --load-balancer-class={{ .Values.loadBalancerClass }}
{{- end }}
{{- if or .Values.env .Values.envSecretName }}
env: env:
{{- if .Values.env}}
{{- range $key, $value := .Values.env }} {{- range $key, $value := .Values.env }}
- name: {{ $key }} - name: {{ $key }}
value: "{{ $value }}" value: "{{ $value }}"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.envSecretName }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ .Values.envSecretName }}
key: key_id
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.envSecretName }}
key: access_key
optional: true
{{- end }}
{{- end }}
{{- if .Values.envFrom }}
envFrom:
{{- toYaml .Values.envFrom | nindent 10 }}
{{- end }}
securityContext: securityContext:
{{- toYaml .Values.securityContext | nindent 10 }} {{- toYaml .Values.securityContext | nindent 10 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
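Review bot: `envSecretName` wires long-lived static credentials (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`) into a pod that also holds cluster-wide RBAC (see the ConfigMap rule added in rbac.yaml below); the values.yaml comment should steer users to IRSA or Pod Identity and label this a break-glass option. Note also that both `secretKeyRef` entries are `optional: true`, so a misspelled secret name or wrong key (`key_id`/`access_key`) does not fail the pod, the variables are simply absent and the SDK falls through to other credential providers, which makes the misconfiguration hard to spot. Separately, `certDiscovery.allowedCertificateAuthorityARNs` restricts certificate discovery to ACM certificates issued by the listed CAs; it deserves a values.yaml comment recommending it be set.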
@ -180,6 +224,10 @@ spec:
livenessProbe: livenessProbe:
{{- toYaml . | nindent 10 }} {{- toYaml . | nindent 10 }}
{{- end }} {{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 10 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:


@ -0,0 +1,34 @@
{{- if .Values.autoscaling.enabled }}
{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.Version)}}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "aws-load-balancer-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "aws-load-balancer-controller.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ required "A valid .Values.autoscaling.maxReplicas value is required" .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.autoscaleBehavior }}
behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
{{- end }}
{{- end }}
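Review bot: the Deployment still renders `replicas: {{ .Values.replicaCount }}` unconditionally (deployment.yaml above), so with `autoscaling.enabled` every `helm upgrade` resets the replica count and fights the HPA; wrap that line in `{{- if not .Values.autoscaling.enabled }}`. The defaults also work against the stated goal: `minReplicas: 1` lets the HPA scale below `replicaCount: 2`, removing the standby replica the values.yaml comment says is the whole point. Minor: `annotations:` is always rendered, so with `annotations` unset this yields `annotations: null`, which is accepted but untidy; guard it with `with`.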


@ -75,6 +75,9 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: [nodes, namespaces, endpoints] resources: [nodes, namespaces, endpoints]
verbs: [get, list, watch] verbs: [get, list, watch]
- apiGroups: [""]
resources: [configmaps]
verbs: [get, delete, create, update]
{{- if .Values.clusterSecretsPermissions.allowAllSecrets }} {{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
- apiGroups: [""] - apiGroups: [""]
resources: [secrets] resources: [secrets]
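Review bot: `configmaps` with `get, delete, create, update` is added beside cluster-scoped resources (`nodes`, `namespaces`), so this is a ClusterRole rule, and nothing narrows it by namespace or `resourceNames`: the controller can rewrite any ConfigMap in the cluster. If this is for leader election or similar bookkeeping in its own namespace, put it in a namespaced Role (or add `resourceNames`) instead of granting cluster-wide write; a compromised controller otherwise gains a write primitive into every workload's configuration.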


@ -3,18 +3,14 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: {{ include "aws-load-balancer-controller.fullname" . }} name: {{ include "aws-load-balancer-controller.fullname" . }}
{{- if .Values.serviceMonitor.namespace }} namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- else }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels: labels:
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }} {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.additionalLabels }} {{- with .Values.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
jobLabel: {{ .Release.Name }} jobLabel: app.kubernetes.io/instance
namespaceSelector: namespaceSelector:
matchNames: matchNames:
- {{ .Release.Namespace }} - {{ .Release.Namespace }}
@ -29,7 +25,19 @@ spec:
endpoints: endpoints:
- port: metrics-server - port: metrics-server
path: /metrics path: /metrics
{{- with .Values.serviceMonitor.interval }} scheme: http
{{- with .Values.serviceMonitor.interval }}
interval: {{ . }} interval: {{ . }}
{{- end }} {{- end }}
{{- with .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end -}} {{- end -}}


@ -65,7 +65,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }} name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }} namespace: {{ $.Release.Namespace }}
path: /mutate-v1-service path: /mutate-v1-service
failurePolicy: Fail failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}
name: mservice.elbv2.k8s.aws name: mservice.elbv2.k8s.aws
admissionReviewVersions: admissionReviewVersions:
- v1beta1 - v1beta1
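Review bot: making the Service mutating webhook's `failurePolicy` a value turns it fail-open when set to `Ignore`: Services admitted while the controller is unreachable are simply not mutated. That may be the right trade-off for bootstrap, but the values.yaml entry should state the default and the consequence, and the new HPA comment in values.yaml that still says the failure policy on the webhooks "is Fail" should be updated to match.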
@ -75,13 +75,21 @@ webhooks:
operator: NotIn operator: NotIn
values: values:
- {{ include "aws-load-balancer-controller.name" . }} - {{ include "aws-load-balancer-controller.name" . }}
{{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }}
{{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }}
{{- end }}
{{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }}
matchLabels:
{{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }}
{{- end }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
apiVersions: apiVersions:
- v1 - v1
operations: operations:
- CREATE {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }}
resources: resources:
- services - services
sideEffects: None sideEffects: None
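Review bot: `operations` now comes straight from values via `toYaml`, and the API server rejects a webhook rule with no operations, so an empty list in values breaks the whole ValidatingWebhookConfiguration at install time; add a `required` guard. The `matchExpressions` items and the `matchLabels` block are emitted at different indents (4 and 6), so a `helm template` run with both `objectSelector.matchExpressions` and `objectSelector.matchLabels` set is worth adding to CI to confirm they land under `objectSelector`. Also note an operator can now add `UPDATE`, after which every Service update in the cluster round-trips through this webhook.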
@ -173,6 +181,7 @@ webhooks:
resources: resources:
- targetgroupbindings - targetgroupbindings
sideEffects: None sideEffects: None
{{- if not $.Values.webhookConfig.disableIngressValidation }}
- clientConfig: - clientConfig:
{{ if not $.Values.enableCertManager -}} {{ if not $.Values.enableCertManager -}}
caBundle: {{ $tls.caCert }} caBundle: {{ $tls.caCert }}
@ -197,6 +206,7 @@ webhooks:
resources: resources:
- ingresses - ingresses
sideEffects: None sideEffects: None
{{- end }}
--- ---
{{- if not $.Values.enableCertManager }} {{- if not $.Values.enableCertManager }}
apiVersion: v1 apiVersion: v1
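Review bot: `{{- if not $.Values.webhookConfig.disableIngressValidation }}` is a plain truthiness test, so the string `"false"` (from a quoted YAML value or `--set-string`) is truthy and silently removes the Ingress validating webhook, the opposite of what the user asked for. deployment.yaml already uses `kindIs "bool"` for the `tolerateNonExistent*` flags; use the same guard here, or compare `toString` against `"true"`. Dropping admission-time validation also means malformed Ingress specs are only caught at reconcile, so the values.yaml comment should say so.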


@ -4,15 +4,29 @@
replicaCount: 2 replicaCount: 2
revisionHistoryLimit: 10
image: image:
repository: public.ecr.aws/eks/aws-load-balancer-controller repository: public.ecr.aws/eks/aws-load-balancer-controller
tag: v2.5.3 tag: v2.11.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runtimeClassName: ""
imagePullSecrets: [] imagePullSecrets: []
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
# AWS LBC only has 1 main working pod, other pods are just standby
# the purpose of enable hpa is to survive load induced failure by the calls to the aws-load-balancer-webhook-service
# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail
# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses
# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
create: true create: true
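Review bot: the image is still selected by mutable tag (`tag: v2.11.0`) with no digest, so a controller that holds cluster-wide RBAC (and, when `envSecretName` is used, static AWS keys) is pulled on tag trust alone; pin `public.ecr.aws/eks/aws-load-balancer-controller` by `@sha256:` digest, or verify its signature at admission, as part of this bump. The new HPA comment block also asserts that "the failure policy on those webhooks is Fail", which this same change makes configurable for the Service mutator; reword it so it does not go stale.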
@ -106,8 +120,8 @@ clusterName:
# cluster contains configurations specific to the kubernetes cluster # cluster contains configurations specific to the kubernetes cluster
cluster: cluster:
# Cluster DNS domain (required for requesting TLS certificates) # Cluster DNS domain (required for requesting TLS certificates)
dnsDomain: cluster.local dnsDomain: cluster.local
# The ingress class this controller will satisfy. If not specified, controller will match all # The ingress class this controller will satisfy. If not specified, controller will match all
# ingresses without ingress class annotation and ingresses of type alb # ingresses without ingress class annotation and ingresses of type alb
@ -187,6 +201,10 @@ logLevel:
# The address the metric endpoint binds to. (default ":8080") # The address the metric endpoint binds to. (default ":8080")
metricsBindAddr: "" metricsBindAddr: ""
webhookConfig:
# disableIngressValidation disables the validation of resources of kind Ingress, false by default
disableIngressValidation:
# The TCP port the Webhook server binds to. (default 9443) # The TCP port the Webhook server binds to. (default 9443)
webhookBindPort: webhookBindPort:
@ -196,7 +214,7 @@ webhookTLS:
cert: cert:
key: key:
# array of namespace selectors for the webhook # array of namespace selectors for the pod mutator webhook
webhookNamespaceSelectors: webhookNamespaceSelectors:
# - key: elbv2.k8s.aws/pod-readiness-gate-inject # - key: elbv2.k8s.aws/pod-readiness-gate-inject
# operator: In # operator: In
@ -215,7 +233,10 @@ targetgroupbindingMaxConcurrentReconciles:
# Maximum duration of exponential backoff for targetGroupBinding reconcile failures # Maximum duration of exponential backoff for targetGroupBinding reconcile failures
targetgroupbindingMaxExponentialBackoffDelay: targetgroupbindingMaxExponentialBackoffDelay:
# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) # Interval at which the controller monitors the state of load balancer after creation for stabilization
lbStabilizationMonitorInterval:
# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s)
syncPeriod: syncPeriod:
# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. # Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
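Review bot: the comment on `syncPeriod` in this hunk changes the documented default from `1h0m0s` to `10h0m0s`, which means out-of-band drift on AWS resources (for example a security-group rule or listener edited in the console) is now reconciled back to the declared state only every ten hours unless a watched object changes. If Constellation relies on the periodic resync as a drift-correction control, set `syncPeriod` explicitly here rather than inheriting the new upstream default; otherwise a one-line note saying the longer interval is acceptable would be enough. The new `lbStabilizationMonitorInterval` key is also left empty, so document that the controller default applies.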
@ -227,6 +248,12 @@ disableIngressClassAnnotation:
# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
disableIngressGroupNameAnnotation: disableIngressGroupNameAnnotation:
# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist)
tolerateNonExistentBackendService:
# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist)
tolerateNonExistentBackendAction:
# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
defaultSSLPolicy: defaultSSLPolicy:
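Review bot: the two new keys `tolerateNonExistentBackendService` and `tolerateNonExistentBackendAction` are documented as `true by default`, which means a rule that references a missing Service or action is accepted at admission time and only surfaces as a 503 at request time. For a hardened cluster it is usually preferable to fail closed at admission, so consider setting both to `false` here (or at least documenting why the permissive default is kept), since a typo in a backend name is much cheaper to catch when the Ingress is applied than from 503s in production. The comment text "if backend service not exist" is upstream wording and can be left as is.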
@ -240,6 +267,17 @@ livenessProbe:
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 10 timeoutSeconds: 10
# readiness probe configuration for the controller
readinessProbe:
failureThreshold: 2
httpGet:
path: /readyz
port: 61779
scheme: HTTP
successThreshold: 1
initialDelaySeconds: 10
timeoutSeconds: 10
# Environment variables to set for aws-load-balancer-controller pod. # Environment variables to set for aws-load-balancer-controller pod.
# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or # We strongly discourage programming access credentials in the controller environment. You should setup IRSA or
# comparable solutions like kube2iam, kiam etc instead. # comparable solutions like kube2iam, kiam etc instead.
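Review bot: the new `readinessProbe` block sets `failureThreshold: 2` and `initialDelaySeconds: 10` but no `periodSeconds`, so the kubelet default of 10 seconds applies and the pod is marked unready roughly 20 seconds after `/readyz` on port `61779` starts failing; that is fine, but please confirm that `61779` matches the health-probe bind address the controller container is started with, because a mismatch makes the pod permanently unready and, combined with the `Fail` policy on the service mutator webhook later in this file, would block Service creation. `scheme: HTTP` is acceptable here since the probe is local to the pod.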
@ -247,8 +285,15 @@ env:
# ENV_1: "" # ENV_1: ""
# ENV_2: "" # ENV_2: ""
# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does.
# envSecretName: aws-secret
# Use envFrom to set environment variables from a Secret or ConfigMap
# envFrom:
# - secretRef:
# name: my-secret
# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. # Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
#
# This is required if using a custom CNI where the managed control plane nodes are unable to initiate # This is required if using a custom CNI where the managed control plane nodes are unable to initiate
# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or # network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or
# recommended if using the Amazon VPC CNI plugin. # recommended if using the Amazon VPC CNI plugin.
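Review bot: the comment two lines above this hunk says "We strongly discourage programming access credentials in the controller environment", yet the hunk then documents `envSecretName: aws-secret` and an `envFrom: - secretRef:` example, which is exactly the pattern being discouraged. Both are commented out, so nothing changes for Constellation, but please add one sentence next to the new keys stating that they are not to be used for AWS credentials and that IRSA remains the supported path, so the warning is not undercut by the example that immediately follows it.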
@ -315,6 +360,11 @@ controllerConfig:
# EnableIPTargetType: true # EnableIPTargetType: true
# SubnetsClusterTagCheck: true # SubnetsClusterTagCheck: true
# NLBHealthCheckAdvancedConfig: true # NLBHealthCheckAdvancedConfig: true
# ALBSingleSubnet: false
# LBCapacityReservation: true
certDiscovery:
allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope
# objectSelector for webhook # objectSelector for webhook
objectSelector: objectSelector:
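Review bot: the new `certDiscovery.allowedCertificateAuthorityARNs: ""` setting leaves certificate auto-discovery scoped to every CA in the account, as the inline comment says. Because discovery attaches an ACM certificate to a listener purely on hostname match, an empty allow-list means a certificate issued by any CA the account trusts (including a private CA used for internal names) can be picked up for a public listener. Consider populating this with the ARNs of the CAs that are expected to issue certificates for Constellation-managed load balancers, or document that the empty value is intentional. The two new feature gates, `ALBSingleSubnet: false` and `LBCapacityReservation: true`, are only shown as commented examples and do not change behaviour.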
@ -329,12 +379,18 @@ objectSelector:
serviceMonitor: serviceMonitor:
# Specifies whether a service monitor should be created # Specifies whether a service monitor should be created
enabled: false enabled: false
# Labels to add to the service account # Namespace to create the service monitor in
namespace:
# Labels to add to the service monitor
additionalLabels: {} additionalLabels: {}
# Prometheus scrape interval # Prometheus scrape interval
interval: 1m interval: 1m
# Namespace to create the service monitor in # Prometheus scrape timeout
namespace: scrapeTimeout:
# Relabelings to apply to samples before ingestion
relabelings:
# Metric relabelings to apply to samples before ingestion
metricRelabelings:
# clusterSecretsPermissions lets you configure RBAC permissions for secret resources # clusterSecretsPermissions lets you configure RBAC permissions for secret resources
# Access to secrets resource is required only if you use the OIDC feature, and instead of # Access to secrets resource is required only if you use the OIDC feature, and instead of
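Review bot: the `serviceMonitor` block fixes the wrong comment (`Labels to add to the service account` was really the labels on the service monitor) and moves `namespace` above `additionalLabels`, which is a documentation improvement; the four new keys `scrapeTimeout`, `relabelings` and `metricRelabelings` are left empty, so the chart template must treat `null` as "omit the field" rather than rendering an empty list. Please confirm the template guards these with `with`/`if`, since the block is `enabled: false` here and a rendering error would only show up for users who turn it on.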
@ -351,3 +407,30 @@ ingressClassConfig:
# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
enableServiceMutatorWebhook: true enableServiceMutatorWebhook: true
# serviceMutatorWebhook contains configurations specific to the service mutator webhook
serviceMutatorWebhookConfig:
# whether or not to fail the service creation if the webhook fails
failurePolicy: Fail
# limit webhook to only mutate services matching the objectSelector
objectSelector:
matchExpressions: []
# - key: <key>
# operator: <operator>
# values:
# - <value>
matchLabels: {}
# key: value
# which operations trigger the webhook
operations:
- CREATE
# - UPDATE
# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
serviceTargetENISGTags:
# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb)
loadBalancerClass:
# creator will disable helm default labels, so you can only add yours
# creator: "me"
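Review bot: `serviceMutatorWebhookConfig.failurePolicy: Fail` combined with `enableServiceMutatorWebhook: true` and an empty `objectSelector` means every Service `CREATE` in the webhook's namespace scope is rejected whenever the controller pod is unready; that is the safe choice for a mutating webhook, but it turns the controller into an availability dependency for Service creation cluster-wide. Make sure the `webhookNamespaceSelectors` shown earlier in this file exclude `kube-system` (or whichever namespace the controller itself runs in), otherwise a controller restart can block the very Services it depends on. Limiting `operations` to `- CREATE` is reasonable, since an UPDATE to an existing Service should not change its load balancer class. The trailing `creator` comment ("creator will disable helm default labels") is upstream text and can stay, though its wording is unclear.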


@ -8,7 +8,7 @@ set -o errtrace
shopt -s inherit_errexit shopt -s inherit_errexit
echo "Updating AWS Load Balancer Controller Helm chart..." echo "Updating AWS Load Balancer Controller Helm chart..."
branch="v0.0.140" # releases can update the AWS load-balancer-controller chart branch="v0.0.190" # releases can update the AWS load-balancer-controller chart
# Required tools # Required tools
if ! command -v git &> /dev/null; then if ! command -v git &> /dev/null; then
echo "git could not be found" echo "git could not be found"
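Review bot: the update script now pins `branch="v0.0.190"`, which is a tag name in the upstream eks-charts repository rather than an immutable reference; tags can be moved or re-pushed, so a supply-chain reviewer would want the script to also record and verify the commit SHA that `v0.0.190` resolved to at the time of this bump (for example by comparing `git rev-parse` output against a value stored next to the branch variable) before copying chart files into the tree. The tool check for `git` just below is fine as is.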