From d911a9e0133915c8299a1e1d2e2f581517b58426 Mon Sep 17 00:00:00 2001 
From: Adrian Stobbe Date: Thu, 13 Jul 2023 18:25:30 +0200 Subject: [PATCH] move chart outside services --- bootstrapper/internal/helm/helm.go | 10 + bootstrapper/internal/kubernetes/k8sutil.go | 1 + .../internal/kubernetes/kubernetes.go | 7 + .../internal/kubernetes/kubernetes_test.go | 4 + cli/internal/clusterid/id.go | 2 +- cli/internal/helm/BUILD.bazel | 40 ++- .../aws-load-balancer-controller/.helmignore | 0 .../aws-load-balancer-controller/Chart.yaml | 0 .../aws-load-balancer-controller/README.md | 0 .../ci/extra_args | 0 .../ci/values.yaml | 0 .../crds/crds.yaml | 0 .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 0 .../templates/deployment.yaml | 0 .../templates/ingressclass.yaml | 0 .../templates/pdb.yaml | 0 .../templates/rbac.yaml | 0 .../templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 .../templates/servicemonitor.yaml | 0 .../templates/webhook.yaml | 0 .../aws-load-balancer-controller/values.yaml | 10 +- .../constellation-services/.helmignore | 3 + .../crds/kustomization.yaml | 4 - .../aws-load-balancer-controller/test.yaml | 326 ------------------ .../constellation-services/values.yaml | 3 + cli/internal/helm/loader.go | 27 +- .../helm/update-aws-load-balancer-chart.sh | 7 +- internal/deploy/helm/helm.go | 9 +- 30 files changed, 92 insertions(+), 361 deletions(-) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/.helmignore (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/Chart.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/README.md (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/ci/extra_args (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/ci/values.yaml (100%) rename 
cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/crds/crds.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/NOTES.txt (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/_helpers.tpl (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/deployment.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/ingressclass.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/pdb.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/rbac.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/service.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/serviceaccount.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/servicemonitor.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/templates/webhook.yaml (100%) rename cli/internal/helm/charts/{edgeless/constellation-services/charts => }/aws-load-balancer-controller/values.yaml (98%) delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/kustomization.yaml delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/test.yaml diff --git a/bootstrapper/internal/helm/helm.go b/bootstrapper/internal/helm/helm.go index 55ac43cb7..8ac576069 100644 
--- a/bootstrapper/internal/helm/helm.go
+++ b/bootstrapper/internal/helm/helm.go
@@ -66,6 +66,16 @@ func New(log *logger.Logger) (*Client, error) {
 }, nil
 }
+// InstallAWSLoadBalancerController installs the AWS Load Balancer Controller.
+func (h *Client) InstallAWSLoadBalancerController(ctx context.Context, release helm.Release) error {
+ h.ReleaseName = release.ReleaseName
+ if err := h.setWaitMode(release.WaitMode); err != nil {
+ return err
+ }
+
+ return h.install(ctx, release.Chart, release.Values)
+}
+
 // InstallConstellationServices installs the constellation-services chart. In the future this chart should bundle all microservices.
 func (h *Client) InstallConstellationServices(ctx context.Context, release helm.Release, extraVals map[string]any) error {
 h.ReleaseName = release.ReleaseName
diff --git a/bootstrapper/internal/kubernetes/k8sutil.go b/bootstrapper/internal/kubernetes/k8sutil.go
index fa5f9da70..97c7f95ac 100644
--- a/bootstrapper/internal/kubernetes/k8sutil.go
+++ b/bootstrapper/internal/kubernetes/k8sutil.go
@@ -34,4 +34,5 @@ type helmClient interface {
 InstallCertManager(ctx context.Context, release helm.Release) error
 InstallOperators(ctx context.Context, release helm.Release, extraVals map[string]any) error
 InstallConstellationServices(ctx context.Context, release helm.Release, extraVals map[string]any) error
+ InstallAWSLoadBalancerController(ctx context.Context, release helm.Release) error
 }
diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go
index 440f8f5f4..27770c14b 100644
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
@@ -242,6 +242,13 @@ func (k *KubeWrapper) InitCluster(
 return nil, fmt.Errorf("installing cert-manager: %w", err)
 }
+ log.Infof("Installing AWS Load Balancer Controller")
+ if helmReleases.AWSLoadBalancerController.ReleaseName != "" {
+ if err = k.helmClient.InstallAWSLoadBalancerController(ctx, helmReleases.AWSLoadBalancerController); err != nil {
+ return nil, fmt.Errorf("installing AWS Load Balancer Controller: %w", err)
+ }
+ }
+
 operatorVals, err := k.setupOperatorVals(ctx)
 if err != nil {
 return nil, fmt.Errorf("setting up operator vals: %w", err)
diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go
index e1f7da7bb..860e7fbb4 100644
--- a/bootstrapper/internal/kubernetes/kubernetes_test.go
+++ b/bootstrapper/internal/kubernetes/kubernetes_test.go
@@ -592,6 +592,10 @@ func (s *stubHelmClient) InstallCilium(_ context.Context, _ k8sapi.Client, _ hel
 return s.ciliumError
 }
+func (s *stubHelmClient) InstallAWSLoadBalancerController(_ context.Context, _ helm.Release) error {
+ return s.ciliumError
+}
+
 func (s *stubHelmClient) InstallCertManager(_ context.Context, _ helm.Release) error {
 return s.certManagerError
 }
diff --git a/cli/internal/clusterid/id.go b/cli/internal/clusterid/id.go
index 6159fe382..a5a4bcecd 100644
--- a/cli/internal/clusterid/id.go
+++ b/cli/internal/clusterid/id.go
@@ -31,5 +31,5 @@ type File struct {
 // GetClusterName returns the name of the cluster.
 func GetClusterName(cfgName string, idFile File) string {
- return cfgName + idFile.UID
+ return cfgName + "-" + idFile.UID
 }
diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel
index f1d11519b..41c685438 100644
--- a/cli/internal/helm/BUILD.bazel
+++ b/cli/internal/helm/BUILD.bazel
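Review bot: `log.Infof("Installing AWS Load Balancer Controller")` sits before the `ReleaseName != ""` guard, so every non-AWS cluster logs an installation that never happens and an operator reading the bootstrapper log cannot tell whether the step ran. Move the log line inside the `if`, and log the skip explicitly so a missing release on AWS is visible: `} else { log.Infof("Skipping AWS Load Balancer Controller: no release configured") }`. InitCluster begins and ends outside this hunk.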
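Review bot: the new stub `InstallAWSLoadBalancerController` returns `s.ciliumError`, so a test cannot make this step fail without also failing the Cilium install, and the error path added in kubernetes.go stays untested. Give the stub its own field, `return s.awsLoadBalancerControllerError`, and add a case to the InitCluster table test that sets only that field and expects the "installing AWS Load Balancer Controller" wrap. The stubHelmClient type and the table test are outside this hunk.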
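Review bot: `GetClusterName` now returns `cfgName + "-" + idFile.UID`, a change of the cluster-name format that the commit title ("move chart outside services") does not mention and that no test in the patch pins. The doc comment should state the format so callers stop guessing: `// GetClusterName returns the cluster name in the form "<cfgName>-<UID>".` If this value is what ends up in the chart's `clusterName` (the loader.go hunk writes `i.clusterName` there, but the wiring between the two is outside the patch), the new separator changes the name the controller tags AWS resources with, which deserves an explicit note for existing clusters.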
@@ -375,25 +375,27 @@ go_library(
 "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/storageclass_integrity.yaml",
 "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/volumesnapshotclass.yaml",
 "charts/edgeless/constellation-services/charts/aws-csi-driver/values.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/Chart.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/README.md",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/extra_args",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/values.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/crds.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/kustomization.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/NOTES.txt",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/_helpers.tpl",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/deployment.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/ingressclass.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/pdb.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/rbac.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/service.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/serviceaccount.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/servicemonitor.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/webhook.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/test.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/values.yaml",
- "charts/edgeless/constellation-services/charts/aws-load-balancer-controller/.helmignore",
+ "charts/.DS_Store",
+ "charts/edgeless/.DS_Store",
+ "charts/edgeless/constellation-services/.DS_Store",
+ "charts/edgeless/constellation-services/charts/.DS_Store",
+ "charts/aws-load-balancer-controller/.helmignore",
+ "charts/aws-load-balancer-controller/Chart.yaml",
+ "charts/aws-load-balancer-controller/README.md",
+ "charts/aws-load-balancer-controller/ci/extra_args",
+ "charts/aws-load-balancer-controller/ci/values.yaml",
+ "charts/aws-load-balancer-controller/crds/crds.yaml",
+ "charts/aws-load-balancer-controller/templates/NOTES.txt",
+ "charts/aws-load-balancer-controller/templates/_helpers.tpl",
+ "charts/aws-load-balancer-controller/templates/deployment.yaml",
+ "charts/aws-load-balancer-controller/templates/ingressclass.yaml",
+ "charts/aws-load-balancer-controller/templates/pdb.yaml",
+ "charts/aws-load-balancer-controller/templates/rbac.yaml",
+ "charts/aws-load-balancer-controller/templates/service.yaml",
+ "charts/aws-load-balancer-controller/templates/serviceaccount.yaml",
+ "charts/aws-load-balancer-controller/templates/servicemonitor.yaml",
+ "charts/aws-load-balancer-controller/templates/webhook.yaml",
+ "charts/aws-load-balancer-controller/values.yaml",
 ],
 importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
 visibility = ["//cli:__subpackages__"],
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/.helmignore b/cli/internal/helm/charts/aws-load-balancer-controller/.helmignore
similarity index 100%
rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/.helmignore
rename to cli/internal/helm/charts/aws-load-balancer-controller/.helmignore
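Review bot: the four added `"charts/.DS_Store"`, `"charts/edgeless/.DS_Store"`, `"charts/edgeless/constellation-services/.DS_Store"` and `"charts/edgeless/constellation-services/charts/.DS_Store"` entries are macOS Finder artifacts that leaked from the author's working tree into the embed list (presumably `embedsrcs`; the attribute name is above the hunk). None of them appears in the commit's file list, so on any checkout that lacks them Bazel will fail to resolve the sources, and where they do exist they get compiled into the CLI binary as embedded files, shipping local directory metadata for no reason. Drop the four lines, and consider adding `.DS_Store` to the repository's gitignore so the generator does not pick them up again.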
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/Chart.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/Chart.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/Chart.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/Chart.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/README.md b/cli/internal/helm/charts/aws-load-balancer-controller/README.md similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/README.md rename to cli/internal/helm/charts/aws-load-balancer-controller/README.md diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/extra_args b/cli/internal/helm/charts/aws-load-balancer-controller/ci/extra_args similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/extra_args rename to cli/internal/helm/charts/aws-load-balancer-controller/ci/extra_args diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/values.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/ci/values.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/ci/values.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/ci/values.yaml 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/crds.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/crds/crds.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/crds.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/crds/crds.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/NOTES.txt b/cli/internal/helm/charts/aws-load-balancer-controller/templates/NOTES.txt similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/NOTES.txt rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/NOTES.txt diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/_helpers.tpl b/cli/internal/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/_helpers.tpl rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/_helpers.tpl diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/deployment.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/deployment.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/deployment.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/deployment.yaml 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/ingressclass.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/ingressclass.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/ingressclass.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/ingressclass.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/pdb.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/pdb.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/pdb.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/pdb.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/rbac.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/rbac.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/rbac.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/rbac.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/service.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/service.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/service.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/service.yaml 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/serviceaccount.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/serviceaccount.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/serviceaccount.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/serviceaccount.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/servicemonitor.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/servicemonitor.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/servicemonitor.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/webhook.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/templates/webhook.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/templates/webhook.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/templates/webhook.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/values.yaml b/cli/internal/helm/charts/aws-load-balancer-controller/values.yaml similarity index 98% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/values.yaml rename to cli/internal/helm/charts/aws-load-balancer-controller/values.yaml index dea199559..3bc10f653 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/values.yaml 
+++ b/cli/internal/helm/charts/aws-load-balancer-controller/values.yaml
@@ -2,11 +2,11 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-replicaCount: 2
+replicaCount: 1 # TODO from 2
 image:
 repository: public.ecr.aws/eks/aws-load-balancer-controller
- tag: v2.5.3
+ tag: v2.5.4
 pullPolicy: IfNotPresent
 imagePullSecrets: []
@@ -61,7 +61,9 @@ resources: {}
 # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
 priorityClassName: system-cluster-critical
-nodeSelector: {}
+nodeSelector: {
+ node-role.kubernetes.io/control-plane: ""
+}
 tolerations: []
@@ -215,7 +217,7 @@ targetgroupbindingMaxConcurrentReconciles:
 # Maximum duration of exponential backoff for targetGroupBinding reconcile failures
 targetgroupbindingMaxExponentialBackoffDelay:
-# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s)
+# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s)
 syncPeriod:
 # Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/.helmignore b/cli/internal/helm/charts/edgeless/constellation-services/.helmignore
index 0e8a0eb36..2029bbe97 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/.helmignore
+++ b/cli/internal/helm/charts/edgeless/constellation-services/.helmignore
@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+#charts/aws-load-balancer-controller/crds/kustomization.yaml
+#charts/aws-load-balancer-controller/test.yaml
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/kustomization.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/kustomization.yaml
deleted file mode 100644
index 3f1d1cbba..000000000
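Review bot: `replicaCount: 1 # TODO from 2` leaves a TODO with no rationale in a file that is otherwise a vendored copy, so a reader cannot tell whether one replica is the intended end state or a debugging leftover. Per the chart's own comment in the removed test.yaml copy, the `podDisruptionBudget` is only configured when replicaCount is greater than 1, so this also drops the PDB and a controller restart briefly leaves ALB reconciliation unattended. Either keep 2, or replace the TODO with one sentence stating why a single replica is sufficient for this deployment.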
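Review bot: `nodeSelector` now pins the controller to nodes labelled `node-role.kubernetes.io/control-plane`, while `tolerations: []` on the next line is unchanged; if those nodes carry the usual `node-role.kubernetes.io/control-plane` `NoSchedule` taint, the pod stays Pending and the install (with wait mode) hangs or times out. Add the matching toleration next to the selector, e.g. `tolerations: [{key: node-role.kubernetes.io/control-plane, operator: Exists, effect: NoSchedule}]`, or add a comment stating that Constellation control-plane nodes are untainted so the next reader does not have to verify it.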
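Review bot: the only change in this hunk is the comment `(default 1h0m0s)` becoming `(default 10h0m0s)`, while `syncPeriod:` itself stays empty, so the controller still uses whatever default is compiled into the binary and the comment now documents a value nothing sets; the identical line in the deleted test.yaml copy still reads 1h0m0s. If a 10h resync is intended, set it explicitly with `syncPeriod: 10h0m0s`; otherwise revert the comment so the next chart update does not produce a spurious conflict on a line with no effect.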
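Review bot: the two added entries are commented out and name `charts/aws-load-balancer-controller/...` paths relative to constellation-services, where this same commit removes the chart, so they ignore nothing and will mislead the next reader into thinking the files are still packaged here. Drop the three added lines; if the intent was to document why kustomization.yaml and test.yaml were removed, that belongs in the update script that now deletes them.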
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/crds/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- crds.yaml
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/test.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/test.yaml
deleted file mode 100644
index 3c4a90754..000000000
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/aws-load-balancer-controller/test.yaml
+++ /dev/null
@@ -1,326 +0,0 @@ -# Default values for aws-load-balancer-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 - -image: - repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.5.3 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - # List of image pull secrets to add to the Service Account. - imagePullSecrets: - # - name: docker - -rbac: - # Specifies whether rbac resources should be created - create: true - -podSecurityContext: - fsGroup: 65534 - -securityContext: - # capabilities: - # drop: - # - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - allowPrivilegeEscalation: false - -# Time period for the controller pod to do a graceful shutdown -terminationGracePeriodSeconds: 10 - -resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - -# priorityClassName specifies the PriorityClass to indicate the importance of controller pods -# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: system-cluster-critical - -nodeSelector: {} - -tolerations: [] - -# affinity specifies a custom affinity for the controller pods -affinity: {} - -# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent -# co-location on the same node. This will get ignored if you specify a custom affinity configuration. 
-configureDefaultAffinity: true - -# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to -# control how Pods are spread across your cluster among failure-domains such as regions, zones, -# nodes, and other user-defined topology domains. -# -# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: {} - -updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - -# serviceAnnotations contains annotations to be added to the provisioned webhook service resource -serviceAnnotations: {} - -# deploymentAnnotations contains annotations for the controller deployment -deploymentAnnotations: {} - -podAnnotations: {} - -podLabels: {} - -# additionalLabels -- Labels to add to each object of the chart. -additionalLabels: {} - -# Enable cert-manager -enableCertManager: false - -# The name of the Kubernetes cluster. A non-empty value is required -clusterName: test-cluster - -# cluster contains configurations specific to the kubernetes cluster -cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local - -# The ingress class this controller will satisfy. If not specified, controller will match all -# ingresses without ingress class annotation and ingresses of type alb -ingressClass: alb - -# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. -ingressClassParams: - create: true - # The name of ingressClassParams resource will be referred in ingressClass - name: - spec: {} - # You always can set specifications in `helm install` command through `--set` or `--set-string` - # If you do want to specify specifications in values.yaml, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'spec:'. 
- # namespaceSelector: - # matchLabels: - # group: - # scheme: - # ipAddressType: - # tags: - -# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. -# If specified as true, the IngressClass resource will be created. -createIngressClassResource: true - -# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. -region: - -# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically -vpcId: - -# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) -awsApiEndpoints: - -# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) -# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" -awsApiThrottle: - -# Maximum retries for AWS APIs (default 10) -awsMaxRetries: - - - - -# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) -enablePodReadinessGateInject: - -# Enable Shield addon for ALB (default true) -enableShield: - -# Enable WAF addon for ALB (default true) -enableWaf: - -# Enable WAF V2 addon for ALB (default true) -enableWafv2: - -# Maximum number of concurrently running reconcile loops for ingress (default 3) -ingressMaxConcurrentReconciles: - -# Set the controller log level - info(default), debug (default "info") -logLevel: - -# The address the metric endpoint binds to. (default ":8080") -metricsBindAddr: "" - -# The TCP port the Webhook server binds to. 
(default 9443) -webhookBindPort: - -# webhookTLS specifies TLS cert/key for the webhook -webhookTLS: - caCert: - cert: - key: - -# array of namespace selectors for the webhook -webhookNamespaceSelectors: - - key: elbv2.k8s.aws/pod-readiness-gate-inject - operator: In - values: - - enabled - -# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade -keepTLSSecret: true - -# Maximum number of concurrently running reconcile loops for service (default 3) -serviceMaxConcurrentReconciles: - -# Maximum number of concurrently running reconcile loops for targetGroupBinding -targetgroupbindingMaxConcurrentReconciles: - -# Maximum duration of exponential backoff for targetGroupBinding reconcile failures -targetgroupbindingMaxExponentialBackoffDelay: - -# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) -syncPeriod: - -# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. -watchNamespace: - -# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default -disableIngressClassAnnotation: - -# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default -disableIngressGroupNameAnnotation: - -# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners -defaultSSLPolicy: - -# Liveness probe configuration for the controller -livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: 61779 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 10 - -# Environment variables to set for aws-load-balancer-controller pod. -# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or -# comparable solutions like kube2iam, kiam etc instead. -env: -# ENV_1: "" -# ENV_2: "" - -# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 
-# -# This is required if using a custom CNI where the managed control plane nodes are unable to initiate -# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or -# recommended if using the Amazon VPC CNI plugin. -hostNetwork: false - -# Specifies the dnsPolicy that should be used for pods in the deployment -# -# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI -# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` -# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -dnsPolicy: - -# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster -extraVolumeMounts: - - name: aws-iam-token - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount - readOnly: true - -# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. -extraVolumes: - - name: aws-iam-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: sts.amazonaws.com - expirationSeconds: 86400 - path: token - -# defaultTags are the tags to apply to all AWS resources managed by this controller -defaultTags: - default_tag1: value1 - default_tag2: value2 - -# podDisruptionBudget specifies the disruption budget for the controller pods. 
-# Disruption budget will be configured only when the replicaCount is greater than 1 -podDisruptionBudget: - maxUnavailable: 1 - -# externalManagedTags is the list of tag keys on AWS resources that will be managed externally -externalManagedTags: [] - -# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) -enableEndpointSlices: - -# enableBackendSecurityGroup enables shared security group for backend traffic (default true) -enableBackendSecurityGroup: - -# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) -backendSecurityGroup: - -# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic -disableRestrictedSecurityGroupRules: - -# controllerConfig specifies controller configuration -controllerConfig: - # featureGates set of key: value pairs that describe AWS load balance controller features - featureGates: {} - # ServiceTypeLoadBalancerOnly: true - # EndpointsFailOpen: true - -# objectSelector for webhook -objectSelector: - matchExpressions: - # - key: - # operator: - # values: - # - - matchLabels: - # key: value - -serviceMonitor: - # Specifies whether a service monitor should be created - enabled: false - # Labels to add to the service account - additionalLabels: {} - # Prometheus scrape interval - interval: 1m - # Namespace to create the service monitor in - namespace: - -# clusterSecretsPermissions lets you configure RBAC permissions for secret resources -# Access to secrets resource is required only if you use the OIDC feature, and instead of -# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. -# This option is for backwards compatibility only, and will potentially be deprecated in future. -clusterSecretsPermissions: - # allowAllSecrets allows the controller to access all secrets in the cluster. 
- # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
- allowAllSecrets: false
-
-# ingressClassConfig contains configurations specific to the ingress class
-ingressClassConfig:
- default: false
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
index 0cc989822..96210c956 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
@@ -1,3 +1,6 @@
+#aws-load-balancer-controller:
+ #fullnameOverride: aws-load-balancer-controller
+
 global:
 # Port on which the KeyService will listen. Global since join-service also uses the value.
 keyServicePort: 9000
diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go
index 9bc4de171..0899e2c47 100644
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@@ -51,6 +51,8 @@ var (
 certManagerInfo = chartInfo{releaseName: "cert-manager", chartName: "cert-manager", path: "charts/cert-manager"}
 constellationOperatorsInfo = chartInfo{releaseName: "constellation-operators", chartName: "constellation-operators", path: "charts/edgeless/operators"}
 constellationServicesInfo = chartInfo{releaseName: "constellation-services", chartName: "constellation-services", path: "charts/edgeless/constellation-services"}
+
+ awsInfo = chartInfo{releaseName: "aws-load-balancer-controller", chartName: "aws-load-balancer-controller", path: "charts/aws-load-balancer-controller"}
 )
 // ChartLoader loads embedded helm charts.
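Review bot: the added `#aws-load-balancer-controller:` and `#fullnameOverride: aws-load-balancer-controller` lines are commented out and address a subchart that this same commit moves out of constellation-services, so they are dead configuration from the earlier layout. Remove the three lines; if the fullname override is still wanted, it now belongs in `charts/aws-load-balancer-controller/values.yaml`, where the chart actually reads it.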
@@ -129,6 +131,13 @@ func (i *ChartLoader) Load(config *config.Config, conformanceMode bool, helmWait
 }
 releases := helm.Releases{Cilium: ciliumRelease, CertManager: certManagerRelease, Operators: operatorRelease, ConstellationServices: conServicesRelease}
+ if config.HasProvider(cloudprovider.AWS) {
+ awsRelease, err := i.loadRelease(awsInfo, helmWaitMode)
+ if err != nil {
+ return nil, fmt.Errorf("loading aws-services: %w", err)
+ }
+ releases.AWSLoadBalancerController = awsRelease
+ }
 rel, err := json.Marshal(releases)
 if err != nil {
@@ -159,9 +168,11 @@ func (i *ChartLoader) loadRelease(info chartInfo, helmWaitMode helm.WaitMode) (h
 updateVersions(chart, compatibility.EnsurePrefixV(constants.VersionInfo()))
 values, err = i.loadConstellationServicesValues()
+ case awsInfo.releaseName:
+ values, err = i.loadAWSLoadBalancerControllerValues()
 }
- if err != nil {
+ if err != nil || values == nil {
 return helm.Release{}, fmt.Errorf("loading %s values: %w", info.releaseName, err)
 }
@@ -173,6 +184,20 @@ func (i *ChartLoader) loadRelease(info chartInfo, helmWaitMode helm.WaitMode) (h
 return helm.Release{Chart: chartRaw, Values: values, ReleaseName: info.releaseName, WaitMode: helmWaitMode}, nil
 }
+func (i *ChartLoader) loadAWSLoadBalancerControllerValues() (map[string]any, error) {
+ valuesFile, err := helmFS.ReadFile(awsInfo.path + "/values.yaml")
+ if err != nil {
+ return nil, err
+ }
+ values, err := chartutil.ReadValues(valuesFile)
+ if err != nil {
+ return nil, err
+ }
+ values["clusterName"] = i.clusterName
+ // TODO add custom settings like nodeSelector here or keep in values.yaml?
+ return values, nil
+}
+
 // loadCiliumValues is used to separate the marshalling step from the loading step.
 // This reduces the time unit tests take to execute.
 func (i *ChartLoader) loadCiliumValues() (map[string]any, error) {
diff --git a/cli/internal/helm/update-aws-load-balancer-chart.sh b/cli/internal/helm/update-aws-load-balancer-chart.sh
index b53fad574..d2d9f1564 100755
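Review bot: The error wrap in the new AWS branch names a release that does not exist: `fmt.Errorf("loading aws-services: %w", err)` while the release being loaded is `awsInfo.releaseName` ("aws-load-balancer-controller"), so a failure here will be misattributed when read from a log. Use the info that is already in hand, `return nil, fmt.Errorf("loading %s: %w", awsInfo.releaseName, err)`, as the other branches of this function presumably do. Note also that for non-AWS providers `releases.AWSLoadBalancerController` stays the zero `Release` and is still serialised by the `json.Marshal(releases)` call below; the consumer of that JSON has to treat an empty chart as "not present", which this diff cannot confirm. Load's body starts and ends outside the hunk.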
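Review bot: The changed guard `if err != nil || values == nil` feeds a nil error into `%w` whenever only the second half is true (no `case` matched, or a loader returned `nil, nil`), and `fmt.Errorf` then renders `loading X values: %!w(<nil>)`, which is both ugly and not wrappable. Split the two conditions so each produces a real error: keep `if err != nil { return helm.Release{}, fmt.Errorf("loading %s values: %w", info.releaseName, err) }` and add `if values == nil { return helm.Release{}, fmt.Errorf("loading %s values: unknown release", info.releaseName) }`. loadRelease's `switch` and body begin outside the hunk, so whether a `default:` case already covers the unknown-release path cannot be seen here.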
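Review bot: `loadAWSLoadBalancerControllerValues` is added without a doc comment, although the sibling right below it (`loadCiliumValues`) carries one explaining that the value loaders exist to separate loading from marshalling; a reader does not learn that this one also injects the cluster name. Add `// loadAWSLoadBalancerControllerValues reads the embedded aws-load-balancer-controller values.yaml and sets clusterName from the loader, so the chart targets the cluster being bootstrapped.` above the function. The trailing `// TODO add custom settings like nodeSelector here or keep in values.yaml?` is an open design question rather than a marker of unfinished code; it should be resolved before merge or turned into a tracked issue reference so it does not live in the source indefinitely.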
--- a/cli/internal/helm/update-aws-load-balancer-chart.sh
+++ b/cli/internal/helm/update-aws-load-balancer-chart.sh
@@ -4,7 +4,7 @@
 # script is mostly copied from cli/internal/helm/update-csi-charts.sh
 set -euo pipefail
-set -o errtrace
+set -o errtrac
 shopt -s inherit_errexit
 echo "Updating AWS Load Balancer Controller Helm chart..."
@@ -18,7 +18,7 @@ fi
 callDir=$(pwd)
 repo_tmp_dir=$(mktemp -d)
-chart_base_path="charts/edgeless/constellation-services/charts"
+chart_base_path="charts"
 chart_name="aws-load-balancer-controller"
 chart_url="https://github.com/aws/eks-charts"
@@ -35,6 +35,9 @@ git clone \
 git sparse-checkout add "${chart_dir}"
 git checkout
 cd "${callDir}"
+rm "${repo_tmp_dir}/${chart_dir}/crds/kustomization.yaml"
+rm "${repo_tmp_dir}/${chart_dir}/test.yaml"
+rm "${repo_tmp_dir}/${chart_dir}/values.yaml"
 # remove old chart
 rm -r "${chart_base_path:?}/${chart_name}"
diff --git a/internal/deploy/helm/helm.go b/internal/deploy/helm/helm.go
index 81ac0a8c4..a0d22f9c6 100644
--- a/internal/deploy/helm/helm.go
+++ b/internal/deploy/helm/helm.go
@@ -17,10 +17,11 @@ type Release struct {
 // Releases bundles all helm releases to be deployed to Constellation.
 type Releases struct {
- Cilium Release
- CertManager Release
- Operators Release
- ConstellationServices Release
+ AWSLoadBalancerController Release
+ Cilium Release
+ CertManager Release
+ Operators Release
+ ConstellationServices Release
 }
 // MergeMaps returns a new map that is the merger of it's inputs.
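Review bot: The first hunk turns `set -o errtrace` into `set -o errtrac`, which looks like an accidental keystroke rather than an intended change: bash has no option of that name, `set` reports an invalid option name and returns non-zero, and because `set -euo pipefail` is already in effect on the line above, the script should abort right there before it updates anything. Restore `set -o errtrace` (the only change this hunk needs is to be dropped). The other hunks in this file are unaffected.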
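Review bot: The three new `rm` lines delete files from the freshly cloned upstream chart without saying why, and the reasons differ per file (a kustomization that the in-tree layout does not use, a test fixture, and the upstream values.yaml), so the next person re-running the updater has to rediscover them. A one-line comment above the block, e.g. `# drop upstream files we do not vendor; values.yaml is maintained in-tree and must not be overwritten`, would carry that. Whether the in-tree values.yaml actually survives the following `rm -r "${chart_base_path:?}/${chart_name}"` plus copy cannot be judged from this hunk, since the copy step is outside it; if it does not, the deletion of the upstream file here is not sufficient on its own. Leaving `rm` without `-f` is fine: under `set -e` a renamed upstream file fails loudly instead of silently vendoring it.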
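Review bot: The new `AWSLoadBalancerController Release` field in `Releases` has no comment, and unlike the four existing fields it is only populated on one cloud provider (the loader in cli/internal/helm/loader.go sets it behind `config.HasProvider(cloudprovider.AWS)`), while the struct is JSON-marshalled as a whole, so every non-AWS cluster ships a zero-value release under this key. Document that contract on the field, e.g. `// AWSLoadBalancerController is only set when the cluster runs on AWS; on other providers it is the zero value and must be skipped.`, or consider making it `*Release` with `json:",omitempty"` so absence is explicit rather than inferred from an empty Chart. The consumer side that would have to skip it is not part of this hunk.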
