aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090)

* add current chart add current helm chart * disable service controller for aws ccm * add new iam roles * doc AWS internet LB + add to LB test * pass clusterName to helm for AWS LB * fix update-aws-lb chart to also include .helmignore * move chart outside services * working state * add subnet tags for AWS subnet discovery * fix .helmignore load rule with file in subdirectory * upgrade iam profile * revert new loader impl since cilium is not correctly loaded * install chart if not already present during `upgrade apply` * cleanup PR + fix build + add todos cleanup PR + add todos * shared helm pkg for cli install and bootstrapper * add link to eks docs * refactor iamMigrationCmd * delete unused helm.symwallk * move iammigrate to upgrade pkg * fixup! delete unused helm.symwallk * add to upgradecheck * remove nodeSelector from go code (Otto) * update iam docs and sort permission + remove duplicate roles * fix bug in `upgrade check` * better upgrade check output when svc version upgrade not possible * pr feedback * remove force flag in upgrade_test * use upgrader.GetUpgradeID instead of extra type * remove todos + fix check * update doc lb (leo) * remove bootstrapper helm package * Update cli/internal/cmd/upgradecheck.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * final nits * add docs for e2e upgrade test setup * Apply suggestions from code review Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/helm/loader.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/cmd/tfmigrationclient.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * fix daniel review * link to the iam permissions instead of manually updating them (agreed with leo) * disable iam upgrade in upgrade apply --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll
2025-07-22 06:50:43 -04:00 · 2023-07-24 10:30:53 +02:00 · 2023-07-24 10:30:53 +02:00 · a87b7894db
commit a87b7894db
parent 8da6a23aa5
67 changed files with 3018 additions and 451 deletions
--- a/cli/internal/kubernetes/BUILD.bazel
+++ b/cli/internal/kubernetes/BUILD.bazel
@ -11,6 +11,7 @@ go_library(
    importpath = "github.com/edgelesssys/constellation/v2/cli/internal/kubernetes",
    visibility = ["//cli:__subpackages__"],
    deps = [
+        "//cli/internal/clusterid",
        "//cli/internal/helm",
        "//cli/internal/terraform",
        "//cli/internal/upgrade",
--- a/cli/internal/kubernetes/upgrade.go
+++ b/cli/internal/kubernetes/upgrade.go
@ -17,6 +17,7 @@ import (
 	"strings"
 	"time"

+	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/helm"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
 	"github.com/edgelesssys/constellation/v2/cli/internal/upgrade"
@ -155,6 +156,11 @@ func NewUpgrader(ctx context.Context, outWriter io.Writer, fileHandler file.Hand
 	return u, nil
 }

+// GetUpgradeID returns the upgrade ID.
+func (u *Upgrader) GetUpgradeID() string {
+	return u.upgradeID
+}
+
 // AddManualStateMigration adds a manual state migration to the Terraform client.
 // TODO(AB#3248): Remove this method after we can assume that all existing clusters have been migrated.
 func (u *Upgrader) AddManualStateMigration(migration terraform.StateMigration) {
@ -164,7 +170,7 @@ func (u *Upgrader) AddManualStateMigration(migration terraform.StateMigration) {
 // CheckTerraformMigrations checks whether Terraform migrations are possible in the current workspace.
 // If the files that will be written during the upgrade already exist, it returns an error.
 func (u *Upgrader) CheckTerraformMigrations() error {
-	return u.tfUpgrader.CheckTerraformMigrations(u.upgradeID)
+	return u.tfUpgrader.CheckTerraformMigrations(u.upgradeID, constants.TerraformUpgradeBackupDir)
 }

 // CleanUpTerraformMigrations cleans up the Terraform migration workspace, for example when an upgrade is
@ -180,7 +186,7 @@ func (u *Upgrader) PlanTerraformMigrations(ctx context.Context, opts upgrade.Ter
 	return u.tfUpgrader.PlanTerraformMigrations(ctx, opts, u.upgradeID)
 }

-// ApplyTerraformMigrations applies the migerations planned by PlanTerraformMigrations.
+// ApplyTerraformMigrations applies the migrations planned by PlanTerraformMigrations.
 // If PlanTerraformMigrations has not been executed before, it will return an error.
 // In case of a successful upgrade, the output will be written to the specified file and the old Terraform directory is replaced
 // By the new one.
@ -189,8 +195,8 @@ func (u *Upgrader) ApplyTerraformMigrations(ctx context.Context, opts upgrade.Te
 }

 // UpgradeHelmServices upgrade helm services.
-func (u *Upgrader) UpgradeHelmServices(ctx context.Context, config *config.Config, timeout time.Duration, allowDestructive bool, force bool) error {
-	return u.helmClient.Upgrade(ctx, config, timeout, allowDestructive, force, u.upgradeID)
+func (u *Upgrader) UpgradeHelmServices(ctx context.Context, config *config.Config, idFile clusterid.File, timeout time.Duration, allowDestructive bool, force bool) error {
+	return u.helmClient.Upgrade(ctx, config, idFile, timeout, allowDestructive, force, u.upgradeID)
 }

 // UpgradeNodeVersion upgrades the cluster's NodeVersion object and in turn triggers image & k8s version upgrades.
@ -578,7 +584,7 @@ func (u *stableClient) KubernetesVersion() (string, error) {
 }

 type helmInterface interface {
-	Upgrade(ctx context.Context, config *config.Config, timeout time.Duration, allowDestructive, force bool, upgradeID string) error
+	Upgrade(ctx context.Context, config *config.Config, idFile clusterid.File, timeout time.Duration, allowDestructive, force bool, upgradeID string) error
 }

 type debugLog interface {