diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml index 912dc38e5..0a6be7b6c 100644 --- a/stable/aws-load-balancer-controller/Chart.yaml +++ b/stable/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.12.0 -appVersion: v2.12.0 +version: 1.13.0 +appVersion: v2.13.0 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md index 4b544f58c..6da919857 100644 --- a/stable/aws-load-balancer-controller/README.md +++ b/stable/aws-load-balancer-controller/README.md @@ -17,6 +17,7 @@ AWS Load Balancer controller manages the following AWS resources - Network Load Balancers to satisfy Kubernetes service objects of type LoadBalancer with appropriate annotations ## Security updates + **Note**: Deployed chart does not receive security updates automatically. You need to manually upgrade to a newer chart. #### Node isolation As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). @@ -179,86 +180,89 @@ The following tables lists the configurable parameters of the chart and their de The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). -| Parameter | Description | Default | -| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | -| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | -| `image.tag` | image tag | `` | -| `image.pullPolicy` | image pull policy | `IfNotPresent` | -| `clusterName` | Kubernetes cluster name | None | -| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | -| `securityContext` | Set to security context for pod | `{}` | -| `resources` | Controller pod resource requests & limits | `{}` | -| `priorityClassName` | Controller pod priority class | system-cluster-critical | -| `nodeSelector` | Node labels for controller pod assignment | `{}` | -| `tolerations` | Controller pod toleration for taints | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | -| `deploymentAnnotations` | Annotations to add to deployment | `{}` | -| `podAnnotations` | Annotations to add to each pod | `{}` | -| `podLabels` | Labels to add to each pod | `{}` | -| `additionalLabels` | Labels to add to all components | `{}` | -| `rbac.create` | if `true`, create and use RBAC resources | `true` | -| `serviceAccount.annotations` | optional annotations to add to service account | None | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | -| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used | None | -| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | -| `ingressClass` | The ingress class to satisfy | alb | -| `createIngressClassResource` | Create ingressClass resource | true | -| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | -| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | -| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | -| `region` | The AWS region for the kubernetes cluster | None | -| `vpcId` | The VPC ID for the Kubernetes cluster | None | -| `vpcTags` | This is alternative to vpcId. Set this when your pods are unable to use the metadata service to determine VPC automatically. | None -| `awsApiEndpoints` | Custom AWS API Endpoints | None | -| `awsApiThrottle` | Custom AWS API throttle settings | None | -| `awsMaxRetries` | Maximum retries for AWS APIs | None | -| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | -| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | -| `enableShield` | Enable Shield addon for ALB | None | -| `enableWaf` | Enable WAF addon for ALB | None | -| `enableWafv2` | Enable WAF V2 addon for ALB | None | -| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | -| `logLevel` | Set the controller log level - info, debug | None | -| `metricsBindAddr` | The address the metric endpoint binds to | "" | -| `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None | -| `webhookBindPort` | The TCP port the Webhook server binds to | None | -| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | -| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | -| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | -| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | -| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | -| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | -| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | -| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | -| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | -| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | -| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | -| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | -| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | -| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | -| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | -| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | -| `env` | Environment variables to set for aws-load-balancer-controller pod | None | -| `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None | -| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | -| `hostNetwork` | If `true`, use hostNetwork | `false` | -| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | -| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | -| `extraVolumes` | Extra volumes for the pod | `[]` | -| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | -| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | -| `revisionHistoryLimit` | Number of revisions to keep | `10` | -| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | -| `updateStrategy` | Defines the update strategy for the deployment | `{}` | -| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | -| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | -| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | +| Parameter | Description | Default | +| ---------------------------------------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| +| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | +| `image.tag` | image tag | `` | +| `image.pullPolicy` | image pull policy | `IfNotPresent` | +| `clusterName` | Kubernetes cluster name | None | +| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | +| `securityContext` | Set to security context for pod | `{}` | +| `resources` | Controller pod resource requests & limits | `{}` | +| `priorityClassName` | Controller pod priority class | system-cluster-critical | +| `nodeSelector` | Node labels for controller pod assignment | `{}` | +| `tolerations` | Controller pod toleration for taints | `{}` | +| `affinity` | Affinity for pod assignment | `{}` | +| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | +| `deploymentAnnotations` | Annotations to add to deployment | `{}` | +| `podAnnotations` | Annotations to add to each pod | `{}` | +| `podLabels` | Labels to add to each pod | `{}` | +| `additionalLabels` | Labels to add to all components | `{}` | +| `rbac.create` | if `true`, create and use RBAC resources | `true` | +| `serviceAccount.annotations` | optional annotations to add to service account | None | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | +| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used | None | +| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | +| `ingressClass` | The ingress class to satisfy | alb | +| `createIngressClassResource` | Create ingressClass resource | true | +| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | +| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | +| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | +| `region` | The AWS region for the kubernetes cluster | None | +| `vpcId` | The VPC ID for the Kubernetes cluster | None | +| `vpcTags` | This is alternative to vpcId. Set this when your pods are unable to use the metadata service to determine VPC automatically. | None +| `awsApiEndpoints` | Custom AWS API Endpoints | None | +| `awsApiThrottle` | Custom AWS API throttle settings | None | +| `awsMaxRetries` | Maximum retries for AWS APIs | None | +| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | +| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | +| `enableShield` | Enable Shield addon for ALB | None | +| `enableWaf` | Enable WAF addon for ALB | None | +| `enableWafv2` | Enable WAF V2 addon for ALB | None | +| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | +| `logLevel` | Set the controller log level - info, debug | None | +| `metricsBindAddr` | The address the metric endpoint binds to | "" | +| `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None | +| `webhookBindPort` | The TCP port the Webhook server binds to | None | +| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | +| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | +| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | +| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | +| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | +| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | +| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | +| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | +| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | +| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | +| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | +| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | +| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | +| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | +| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | +| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | +| `env` | Environment variables to set for aws-load-balancer-controller pod | None | +| `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None | +| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | +| `hostNetwork` | If `true`, use hostNetwork | `false` | +| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | +| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | +| `extraVolumes` | Extra volumes for the pod | `[]` | +| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | +| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | +| `revisionHistoryLimit` | Number of revisions to keep | `10` | +| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | +| `updateStrategy` | Defines the update strategy for the deployment | `{}` | +| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | +| `certManager.duration` | Overrides the default expiry duration for the webhook certificates. defaults to `90d` | `""` | +| `certManager.renewBefore` | Overrides the renewal time period duration for the webhook certificates. defaults to `60d` | `""` | +| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | +| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | +| `enableManageBackendSecurityGroupRules` | If enabled, controller will manage security group rules | `false` | | `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | | `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | | `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | diff --git a/stable/aws-load-balancer-controller/crds/crds.yaml b/stable/aws-load-balancer-controller/crds/crds.yaml index e5d1cc177..cbb325657 100644 --- a/stable/aws-load-balancer-controller/crds/crds.yaml +++ b/stable/aws-load-balancer-controller/crds/crds.yaml @@ -54,6 +54,12 @@ spec: spec: description: IngressClassParamsSpec defines the desired state of IngressClassParams properties: + PrefixListsIDs: + description: PrefixListsIDs defines the security group prefix lists + for all Ingresses that belong to IngressClass with this IngressClassParams. + items: + type: string + type: array certificateArn: description: CertificateArn specifies the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams. @@ -254,6 +260,13 @@ spec: - value type: object type: array + targetType: + description: TargetType defines the target type of target groups for + all Ingresses that belong to IngressClass with this IngressClassParams. + enum: + - instance + - ip + type: string type: object type: object served: true diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml index 130ca6158..42e6db518 100644 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ b/stable/aws-load-balancer-controller/templates/deployment.yaml @@ -154,6 +154,9 @@ spec: {{- if kindIs "bool" .Values.enableBackendSecurityGroup }} - --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }} {{- end }} + {{- if kindIs "bool" .Values.enableManageBackendSecurityGroupRules }} + - --enable-manage-backend-security-group-rules={{ .Values.enableManageBackendSecurityGroupRules }} + {{- end }} {{- if .Values.backendSecurityGroup }} - --backend-security-group={{ .Values.backendSecurityGroup }} {{- end }} diff --git a/stable/aws-load-balancer-controller/templates/rbac.yaml b/stable/aws-load-balancer-controller/templates/rbac.yaml index 0dcc68c77..8b1ea55db 100644 --- a/stable/aws-load-balancer-controller/templates/rbac.yaml +++ b/stable/aws-load-balancer-controller/templates/rbac.yaml @@ -89,6 +89,33 @@ rules: - apiGroups: ["discovery.k8s.io"] resources: [endpointslices] verbs: [get, list, watch] +- apiGroups: ["gateway.k8s.aws"] + resources: [loadbalancerconfigurations, targetgroupconfigurations] + verbs: [get, list, watch] +- apiGroups: ["gateway.k8s.aws"] + resources: [loadbalancerconfigurations/finalizers, targetgroupconfigurations/finalizers] + verbs: [update] +- apiGroups: ["gateway.k8s.aws"] + resources: [loadbalancerconfigurations/status, targetgroupconfigurations/status] + verbs: [get, patch, watch] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [gatewayclasses, gateways] + verbs: [get, list, watch, patch] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [gatewayclasses/finalizers, gateways/finalizers] + verbs: [update] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [gatewayclasses/status, gateways/status] + verbs: [get, patch, update] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [grpcroutes, httproutes, tcproutes, tlsroutes, udproutes] + verbs: [get, list, watch] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [grpcroutes/finalizers, httproutes/finalizers, tcproutes/finalizers, tlsroutes/finalizers, udproutes/finalizers] + verbs: [update] +- apiGroups: ["gateway.networking.k8s.io"] + resources: [grpcroutes/status, httproutes/status, tcproutes/status, tlsroutes/status, udproutes/status] + verbs: [get, patch, update] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/stable/aws-load-balancer-controller/templates/webhook.yaml b/stable/aws-load-balancer-controller/templates/webhook.yaml index 7d5fcae0f..d57822061 100644 --- a/stable/aws-load-balancer-controller/templates/webhook.yaml +++ b/stable/aws-load-balancer-controller/templates/webhook.yaml @@ -237,6 +237,14 @@ spec: kind: Issuer name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} + {{- with .Values.certManager -}} + {{ if .duration }} + duration: {{ .duration }} + {{- end }} + {{- if .renewBefore }} + renewBefore: {{ .renewBefore }} + {{- end }} + {{- end }} --- apiVersion: cert-manager.io/v1 kind: Issuer diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index be074e92d..892691a61 100644 --- a/stable/aws-load-balancer-controller/test.yaml +++ b/stable/aws-load-balancer-controller/test.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.12.0 + tag: v2.13.0 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 7ccc789f1..8585416aa 100644 --- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -8,7 +8,7 @@ revisionHistoryLimit: 10 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.12.0 + tag: v2.13.0 pullPolicy: IfNotPresent runtimeClassName: "" @@ -115,6 +115,11 @@ additionalLabels: {} # Enable cert-manager enableCertManager: false +# Overrideable variables when enableCertManager is set to true +certManager: + duration: + renewBefore: + # The name of the Kubernetes cluster. A non-empty value is required clusterName: @@ -346,6 +351,9 @@ enableEndpointSlices: # enableBackendSecurityGroup enables shared security group for backend traffic (default true) enableBackendSecurityGroup: +# enableManageBackendSecurityGroupRules enables controller manages security group rules (default false) +enableManageBackendSecurityGroupRules: + # backendSecurityGroup specifies backend security group id (default controller auto create backend security group) backendSecurityGroup: