aws-load-balancer-controller: v2.8.0 (#1105)

aws · May 17, 2024 · e55a24a · e55a24a
1 parent 51da639
commit e55a24a
Show file tree

Hide file tree

Showing 8 changed files with 216 additions and 120 deletions.
diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.7.2
-appVersion: v2.7.2
+version: 1.8.0
+appVersion: v2.8.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:

diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md
diff --git a/stable/aws-load-balancer-controller/crds/crds.yaml b/stable/aws-load-balancer-controller/crds/crds.yaml
@@ -54,6 +54,12 @@ spec:
           spec:
             description: IngressClassParamsSpec defines the desired state of IngressClassParams
             properties:
+              certificateArn:
+                description: CertificateArn specifies the ARN of the certificates
+                  for all Ingresses that belong to IngressClass with this IngressClassParams.
+                items:
+                  type: string
+                type: array
               group:
                 description: Group defines the IngressGroup for all Ingresses that
                   belong to IngressClass with this IngressClassParams.
@@ -76,6 +82,7 @@ spec:
                 enum:
                 - ipv4
                 - dualstack
+                - dualstack-without-public-ipv4
                 type: string
               loadBalancerAttributes:
                 description: LoadBalancerAttributes define the custom attributes to
@@ -587,6 +594,10 @@ spec:
                 - instance
                 - ip
                 type: string
+              vpcID:
+                description: VpcID is the VPC of the TargetGroup. If unspecified,
+                  it will be automatically inferred.
+                type: string
             required:
             - serviceRef
             - targetGroupARN

diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml
@@ -38,6 +38,9 @@ spec:
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.runtimeClassName }}
+      runtimeClassName: {{ .Values.runtimeClassName }}
     {{- end }}
       serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }}
       volumes:
@@ -59,15 +62,17 @@ spec:
       containers:
       - name: {{ .Chart.Name }}
         args:
-        - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }}
+        - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }}
         {{- if .Values.ingressClass }}
         - --ingress-class={{ .Values.ingressClass }}
         {{- end }}
-        {{- if .Values.region }}
+        {{- $region := tpl (default "" .Values.region) . }}
+        {{- if $region }}
         - --aws-region={{ .Values.region }}
         {{- end }}
-        {{- if .Values.vpcId }}
-        - --aws-vpc-id={{ .Values.vpcId }}
+        {{- $vpcID := tpl (default "" .Values.vpcId) . }}
+        {{- if $vpcID }}
+        - --aws-vpc-id={{ $vpcID }}
         {{- end }}
         {{- if .Values.awsApiEndpoints }}
         - --aws-api-endpoints={{ .Values.awsApiEndpoints }}
@@ -162,6 +167,9 @@ spec:
         {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}
         - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }}
         {{- end }}
+        {{- if .Values.loadBalancerClass }}
+        - --load-balancer-class={{ .Values.loadBalancerClass }}
+        {{- end }}
         {{- if or .Values.env .Values.envSecretName }}
         env:
         {{- if .Values.env}}

diff --git a/stable/aws-load-balancer-controller/templates/servicemonitor.yaml b/stable/aws-load-balancer-controller/templates/servicemonitor.yaml
@@ -3,18 +3,14 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "aws-load-balancer-controller.fullname" . }}
-  {{- if .Values.serviceMonitor.namespace }}
-  namespace: {{ .Values.serviceMonitor.namespace }}
-  {{- else }}
-  namespace: {{ .Release.Namespace | quote }}
-  {{- end }}
+  namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
   labels:
     {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
-    {{- with .Values.serviceMonitor.additionalLabels }}
+  {{- with .Values.serviceMonitor.additionalLabels }}
     {{- toYaml . | nindent 4 }}
-    {{- end }}
+  {{- end }}
 spec:
-  jobLabel: {{ .Release.Name }}
+  jobLabel: app.kubernetes.io/instance
   namespaceSelector:
     matchNames:
       - {{ .Release.Namespace }}
@@ -29,7 +25,19 @@ spec:
   endpoints:
     - port: metrics-server
       path: /metrics
-      {{- with .Values.serviceMonitor.interval }}
+      scheme: http
+    {{- with .Values.serviceMonitor.interval }}
       interval: {{ . }}
-      {{- end }}
-{{- end -}}
+    {{- end }}
+    {{- with .Values.serviceMonitor.scrapeTimeout  }}
+      scrapeTimeout: {{ . }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end -}}
diff --git a/stable/aws-load-balancer-controller/templates/webhook.yaml b/stable/aws-load-balancer-controller/templates/webhook.yaml
@@ -65,7 +65,7 @@ webhooks:
       name: {{ template "aws-load-balancer-controller.webhookService" . }}
       namespace: {{ $.Release.Namespace }}
       path: /mutate-v1-service
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}
   name: mservice.elbv2.k8s.aws
   admissionReviewVersions:
   - v1beta1
@@ -75,13 +75,21 @@ webhooks:
       operator: NotIn
       values:
       - {{ include "aws-load-balancer-controller.name" . }}
+    {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }}
+    {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }}
+    {{- end }}
+
+    {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }}
+    matchLabels:
+    {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }}
+    {{- end }}
   rules:
   - apiGroups:
     - ""
     apiVersions:
     - v1
     operations:
-    - CREATE
+    {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }}
     resources:
     - services
   sideEffects: None

diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml
@@ -6,12 +6,13 @@ replicaCount: 2
 
 image:
   repository: public.ecr.aws/eks/aws-load-balancer-controller
-  tag: v2.7.2
+  tag: v2.8.0
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
+runtimeClassName: ""
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -330,3 +331,25 @@ clusterSecretsPermissions:
 # ingressClassConfig contains configurations specific to the ingress class
 ingressClassConfig:
   default: false
+
+# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
+# should deprecate this in favor of serviceMutatorWebhook.enabled
+enableServiceMutatorWebhook: true
+
+# serviceMutatorWebhook contains configurations specific to the service mutator webhook
+serviceMutatorWebhookConfig:
+  # whether or not to fail the service creation if the webhook fails
+  failurePolicy: Fail
+  # limit webhook to only mutate services matching the objectSelector
+  objectSelector:
+    matchExpressions: []
+    # - key: <key>
+    #   operator: <operator>
+    #   values:
+    #   - <value>
+    matchLabels: {}
+      # key: value
+  # which operations trigger the webhook
+  operations:
+  - CREATE
+  # - UPDATE
diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml
@@ -8,9 +8,10 @@ revisionHistoryLimit: 10
 
 image:
   repository: public.ecr.aws/eks/aws-load-balancer-controller
-  tag: v2.7.2
+  tag: v2.8.0
   pullPolicy: IfNotPresent
 
+runtimeClassName: ""
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -119,8 +120,8 @@ clusterName:
 
 # cluster contains configurations specific to the kubernetes cluster
 cluster:
-    # Cluster DNS domain (required for requesting TLS certificates)
-    dnsDomain: cluster.local
+  # Cluster DNS domain (required for requesting TLS certificates)
+  dnsDomain: cluster.local
 
 # The ingress class this controller will satisfy. If not specified, controller will match all
 # ingresses without ingress class annotation and ingresses of type alb
@@ -209,7 +210,7 @@ webhookTLS:
   cert:
   key:
 
-# array of namespace selectors for the webhook
+# array of namespace selectors for the pod mutator webhook
 webhookNamespaceSelectors:
 # - key: elbv2.k8s.aws/pod-readiness-gate-inject
 #   operator: In
@@ -350,7 +351,7 @@ controllerConfig:
   # NLBHealthCheckAdvancedConfig: true
   # ALBSingleSubnet: false
 
-certDiscovery: 
+certDiscovery:
   allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope
 
 # objectSelector for webhook
@@ -366,12 +367,18 @@ objectSelector:
 serviceMonitor:
   # Specifies whether a service monitor should be created
   enabled: false
-  # Labels to add to the service account
+  # Namespace to create the service monitor in
+  namespace:
+  # Labels to add to the service monitor
   additionalLabels: {}
   # Prometheus scrape interval
   interval: 1m
-  # Namespace to create the service monitor in
-  namespace:
+  # Prometheus scrape timeout
+  scrapeTimeout:
+  # Relabelings to apply to samples before ingestion
+  relabelings:
+  # Metric relabelings to apply to samples before ingestion
+  metricRelabelings:
 
 # clusterSecretsPermissions lets you configure RBAC permissions for secret resources
 # Access to secrets resource is required only if you use the OIDC feature, and instead of
@@ -389,5 +396,26 @@ ingressClassConfig:
 # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
 enableServiceMutatorWebhook: true
 
+# serviceMutatorWebhook contains configurations specific to the service mutator webhook
+serviceMutatorWebhookConfig:
+  # whether or not to fail the service creation if the webhook fails
+  failurePolicy: Fail
+  # limit webhook to only mutate services matching the objectSelector
+  objectSelector:
+    matchExpressions: []
+    # - key: <key>
+    #   operator: <operator>
+    #   values:
+    #   - <value>
+    matchLabels: {}
+      # key: value
+  # which operations trigger the webhook
+  operations:
+  - CREATE
+    # - UPDATE
+
 # serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
 serviceTargetENISGTags:
+
+# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb)
+loadBalancerClass: