mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-13 18:04:20 -05:00
a87b7894db
* add current chart add current helm chart * disable service controller for aws ccm * add new iam roles * doc AWS internet LB + add to LB test * pass clusterName to helm for AWS LB * fix update-aws-lb chart to also include .helmignore * move chart outside services * working state * add subnet tags for AWS subnet discovery * fix .helmignore load rule with file in subdirectory * upgrade iam profile * revert new loader impl since cilium is not correctly loaded * install chart if not already present during `upgrade apply` * cleanup PR + fix build + add todos cleanup PR + add todos * shared helm pkg for cli install and bootstrapper * add link to eks docs * refactor iamMigrationCmd * delete unused helm.symwallk * move iammigrate to upgrade pkg * fixup! delete unused helm.symwallk * add to upgradecheck * remove nodeSelector from go code (Otto) * update iam docs and sort permission + remove duplicate roles * fix bug in `upgrade check` * better upgrade check output when svc version upgrade not possible * pr feedback * remove force flag in upgrade_test * use upgrader.GetUpgradeID instead of extra type * remove todos + fix check * update doc lb (leo) * remove bootstrapper helm package * Update cli/internal/cmd/upgradecheck.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * final nits * add docs for e2e upgrade test setup * Apply suggestions from code review Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/helm/loader.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/cmd/tfmigrationclient.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * fix daniel review * link to the iam permissions instead of manually updating them (agreed with leo) * disable iam upgrade in upgrade apply --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll
354 lines
12 KiB
YAML
354 lines
12 KiB
YAML
# Default values for aws-load-balancer-controller.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
replicaCount: 2
|
|
|
|
image:
|
|
repository: public.ecr.aws/eks/aws-load-balancer-controller
|
|
tag: v2.5.3
|
|
pullPolicy: IfNotPresent
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name:
|
|
# Automount API credentials for a Service Account.
|
|
automountServiceAccountToken: true
|
|
# List of image pull secrets to add to the Service Account.
|
|
imagePullSecrets:
|
|
# - name: docker
|
|
|
|
rbac:
|
|
# Specifies whether rbac resources should be created
|
|
create: true
|
|
|
|
podSecurityContext:
|
|
fsGroup: 65534
|
|
|
|
securityContext:
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
allowPrivilegeEscalation: false
|
|
|
|
# Time period for the controller pod to do a graceful shutdown
|
|
terminationGracePeriodSeconds: 10
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
# priorityClassName specifies the PriorityClass to indicate the importance of controller pods
|
|
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
priorityClassName: system-cluster-critical
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
# affinity specifies a custom affinity for the controller pods
|
|
affinity: {}
|
|
|
|
# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent
|
|
# co-location on the same node. This will get ignored if you specify a custom affinity configuration.
|
|
configureDefaultAffinity: true
|
|
|
|
# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to
|
|
# control how Pods are spread across your cluster among failure-domains such as regions, zones,
|
|
# nodes, and other user-defined topology domains.
|
|
#
|
|
# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
|
topologySpreadConstraints: {}
|
|
|
|
updateStrategy: {}
|
|
# type: RollingUpdate
|
|
# rollingUpdate:
|
|
# maxSurge: 1
|
|
# maxUnavailable: 1
|
|
|
|
# serviceAnnotations contains annotations to be added to the provisioned webhook service resource
|
|
serviceAnnotations: {}
|
|
|
|
# deploymentAnnotations contains annotations for the controller deployment
|
|
deploymentAnnotations: {}
|
|
|
|
podAnnotations: {}
|
|
|
|
podLabels: {}
|
|
|
|
# additionalLabels -- Labels to add to each object of the chart.
|
|
additionalLabels: {}
|
|
|
|
# Enable cert-manager
|
|
enableCertManager: false
|
|
|
|
# The name of the Kubernetes cluster. A non-empty value is required
|
|
clusterName:
|
|
|
|
# cluster contains configurations specific to the kubernetes cluster
|
|
cluster:
|
|
# Cluster DNS domain (required for requesting TLS certificates)
|
|
dnsDomain: cluster.local
|
|
|
|
# The ingress class this controller will satisfy. If not specified, controller will match all
|
|
# ingresses without ingress class annotation and ingresses of type alb
|
|
ingressClass: alb
|
|
|
|
# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller.
|
|
ingressClassParams:
|
|
create: true
|
|
# The name of ingressClassParams resource will be referred in ingressClass
|
|
name:
|
|
spec: {}
|
|
# Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource.
|
|
# We recommend creating ingressClassParams resources separately after installing this chart and the
|
|
# controller is functional.
|
|
#
|
|
# You can set the specifications in the `helm install` command through `--set` or `--set-string`
|
|
# If you do want to specify in the values.yaml, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'spec:'
|
|
#
|
|
# namespaceSelector:
|
|
# matchLabels:
|
|
# group:
|
|
# scheme:
|
|
# ipAddressType:
|
|
# tags:
|
|
# loadBalancerAttributes:
|
|
# - key:
|
|
# value:
|
|
|
|
# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller.
|
|
# If specified as true, the IngressClass resource will be created.
|
|
createIngressClassResource: true
|
|
|
|
# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example.
|
|
region:
|
|
|
|
# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically
|
|
vpcId:
|
|
|
|
# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2)
|
|
awsApiEndpoints:
|
|
|
|
# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst)
|
|
# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}"
|
|
awsApiThrottle:
|
|
|
|
# Maximum retries for AWS APIs (default 10)
|
|
awsMaxRetries:
|
|
|
|
# Default target type. Used as the default value of the "alb.ingress.kubernetes.io/target-type" and
|
|
# "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.
|
|
# Possible values are "ip" and "instance"
|
|
# The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI,
|
|
# Calico with encapsulation disabled, or Cilium with masquerading disabled.
|
|
# The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or
|
|
# Cilium with masquerading enabled.
|
|
defaultTargetType: instance
|
|
|
|
# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true)
|
|
enablePodReadinessGateInject:
|
|
|
|
# Enable Shield addon for ALB (default true)
|
|
enableShield:
|
|
|
|
# Enable WAF addon for ALB (default true)
|
|
enableWaf:
|
|
|
|
# Enable WAF V2 addon for ALB (default true)
|
|
enableWafv2:
|
|
|
|
# Maximum number of concurrently running reconcile loops for ingress (default 3)
|
|
ingressMaxConcurrentReconciles:
|
|
|
|
# Set the controller log level - info(default), debug (default "info")
|
|
logLevel:
|
|
|
|
# The address the metric endpoint binds to. (default ":8080")
|
|
metricsBindAddr: ""
|
|
|
|
# The TCP port the Webhook server binds to. (default 9443)
|
|
webhookBindPort:
|
|
|
|
# webhookTLS specifies TLS cert/key for the webhook
|
|
webhookTLS:
|
|
caCert:
|
|
cert:
|
|
key:
|
|
|
|
# array of namespace selectors for the webhook
|
|
webhookNamespaceSelectors:
|
|
# - key: elbv2.k8s.aws/pod-readiness-gate-inject
|
|
# operator: In
|
|
# values:
|
|
# - enabled
|
|
|
|
# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
|
|
keepTLSSecret: true
|
|
|
|
# Maximum number of concurrently running reconcile loops for service (default 3)
|
|
serviceMaxConcurrentReconciles:
|
|
|
|
# Maximum number of concurrently running reconcile loops for targetGroupBinding
|
|
targetgroupbindingMaxConcurrentReconciles:
|
|
|
|
# Maximum duration of exponential backoff for targetGroupBinding reconcile failures
|
|
targetgroupbindingMaxExponentialBackoffDelay:
|
|
|
|
# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s)
|
|
syncPeriod:
|
|
|
|
# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
|
|
watchNamespace:
|
|
|
|
# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default
|
|
disableIngressClassAnnotation:
|
|
|
|
# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
|
|
disableIngressGroupNameAnnotation:
|
|
|
|
# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
|
|
defaultSSLPolicy:
|
|
|
|
# Liveness probe configuration for the controller
|
|
livenessProbe:
|
|
failureThreshold: 2
|
|
httpGet:
|
|
path: /healthz
|
|
port: 61779
|
|
scheme: HTTP
|
|
initialDelaySeconds: 30
|
|
timeoutSeconds: 10
|
|
|
|
# Environment variables to set for aws-load-balancer-controller pod.
|
|
# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or
|
|
# comparable solutions like kube2iam, kiam etc instead.
|
|
env:
|
|
# ENV_1: ""
|
|
# ENV_2: ""
|
|
|
|
# Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
|
|
#
|
|
# This is required if using a custom CNI where the managed control plane nodes are unable to initiate
|
|
# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or
|
|
# recommended if using the Amazon VPC CNI plugin.
|
|
hostNetwork: false
|
|
|
|
# Specifies the dnsPolicy that should be used for pods in the deployment
|
|
#
|
|
# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI
|
|
# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy`
|
|
# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
|
dnsPolicy:
|
|
|
|
# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster
|
|
extraVolumeMounts:
|
|
# - name: aws-iam-token
|
|
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
|
|
# readOnly: true
|
|
|
|
# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example.
|
|
extraVolumes:
|
|
# - name: aws-iam-token
|
|
# projected:
|
|
# defaultMode: 420
|
|
# sources:
|
|
# - serviceAccountToken:
|
|
# audience: sts.amazonaws.com
|
|
# expirationSeconds: 86400
|
|
# path: token
|
|
|
|
# defaultTags are the tags to apply to all AWS resources managed by this controller
|
|
defaultTags: {}
|
|
# default_tag1: value1
|
|
# default_tag2: value2
|
|
|
|
# podDisruptionBudget specifies the disruption budget for the controller pods.
|
|
# Disruption budget will be configured only when the replicaCount is greater than 1
|
|
podDisruptionBudget: {}
|
|
# maxUnavailable: 1
|
|
|
|
# externalManagedTags is the list of tag keys on AWS resources that will be managed externally
|
|
externalManagedTags: []
|
|
|
|
# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
|
|
enableEndpointSlices:
|
|
|
|
# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
|
|
enableBackendSecurityGroup:
|
|
|
|
# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
|
|
backendSecurityGroup:
|
|
|
|
# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
|
|
disableRestrictedSecurityGroupRules:
|
|
|
|
# controllerConfig specifies controller configuration
|
|
controllerConfig:
|
|
# featureGates set of key: value pairs that describe AWS load balance controller features
|
|
featureGates: {}
|
|
# ListenerRulesTagging: true
|
|
# WeightedTargetGroups: true
|
|
# ServiceTypeLoadBalancerOnly: false
|
|
# EndpointsFailOpen: true
|
|
# EnableServiceController: true
|
|
# EnableIPTargetType: true
|
|
# SubnetsClusterTagCheck: true
|
|
# NLBHealthCheckAdvancedConfig: true
|
|
|
|
# objectSelector for webhook
|
|
objectSelector:
|
|
matchExpressions:
|
|
# - key: <key>
|
|
# operator: <operator>
|
|
# values:
|
|
# - <value>
|
|
matchLabels:
|
|
# key: value
|
|
|
|
serviceMonitor:
|
|
# Specifies whether a service monitor should be created
|
|
enabled: false
|
|
# Labels to add to the service account
|
|
additionalLabels: {}
|
|
# Prometheus scrape interval
|
|
interval: 1m
|
|
# Namespace to create the service monitor in
|
|
namespace:
|
|
|
|
# clusterSecretsPermissions lets you configure RBAC permissions for secret resources
|
|
# Access to secrets resource is required only if you use the OIDC feature, and instead of
|
|
# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
|
|
# This option is for backwards compatibility only, and will potentially be deprecated in future.
|
|
clusterSecretsPermissions:
|
|
# allowAllSecrets allows the controller to access all secrets in the cluster.
|
|
# This is to get backwards compatible behavior, but *NOT* recommended for security reasons
|
|
allowAllSecrets: false
|
|
|
|
# ingressClassConfig contains configurations specific to the ingress class
|
|
ingressClassConfig:
|
|
default: false
|
|
|
|
# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
|
|
enableServiceMutatorWebhook: true
|