🤖 Chore: Auto-update container image versions (#1509)

gardener-github-actions[bot] · github-actions[bot] · hebelsan · web-flow · commit 07fa119605a4 · 2025-10-15T10:07:11.000+02:00
* Chore: Auto-update image versions

* Remove ccm 1.34 support

* Update load balancer controller charts

* Put back comments in image.yaml

* Harmonize load-balancer-controller rbac fields

---------

Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: Alexander Hebel &lt;a.hebelsun@gmail.com&gt;
diff --git a/charts/internal/seed-controlplane/charts/aws-load-balancer-controller/templates/deployment.yaml b/charts/internal/seed-controlplane/charts/aws-load-balancer-controller/templates/deployment.yaml
@@ -157,6 +157,12 @@ spec:
         {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }}
         - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }}
         {{- end }}
+        {{- if kindIs "bool" .Values.tolerateNonExistentBackendService }}
+        - --tolerate-non-existent-backend-service={{ .Values.tolerateNonExistentBackendService }}
+        {{- end }}
+        {{- if kindIs "bool" .Values.tolerateNonExistentBackendAction }}
+        - --tolerate-non-existent-backend-action={{ .Values.tolerateNonExistentBackendAction }}
+        {{- end }}
         {{- if .Values.defaultSSLPolicy }}
         - --default-ssl-policy={{ .Values.defaultSSLPolicy }}
         {{- end }}
@@ -172,6 +178,9 @@ spec:
         {{- if kindIs "bool" .Values.enableBackendSecurityGroup }}
         - --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }}
         {{- end }}
+        {{- if kindIs "bool" .Values.enableManageBackendSecurityGroupRules }}
+        - --enable-manage-backend-security-group-rules={{ .Values.enableManageBackendSecurityGroupRules }}
+        {{- end }}
         {{- if .Values.backendSecurityGroup }}
         - --backend-security-group={{ .Values.backendSecurityGroup }}
         {{- end }}
@@ -181,6 +190,15 @@ spec:
         {{- if .Values.controllerConfig.featureGates }}
         - --feature-gates={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.controllerConfig.featureGates | trimSuffix "," }}
         {{- end }}
+        {{- if .Values.serviceTargetENISGTags }}
+        - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }}
+        {{- end }}
+        {{- if .Values.loadBalancerClass }}
+        - --load-balancer-class={{ .Values.loadBalancerClass }}
+        {{- end }}
+        {{- if .Values.vpcTags }}
+        - --aws-vpc-tags={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.vpcTags | trimSuffix "," }}
+        {{- end }}
         # start provider-aws-specific
         - --kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
         - --leader-election-namespace=kube-system
diff --git a/charts/internal/seed-controlplane/charts/aws-load-balancer-controller/values.yaml b/charts/internal/seed-controlplane/charts/aws-load-balancer-controller/values.yaml
@@ -198,6 +198,12 @@ disableIngressClassAnnotation: true
 # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
 disableIngressGroupNameAnnotation:
 
+# tolerateNonExistentBackendService is a “graceful tolerance mode” for broken or in-flight changes, false by default
+tolerateNonExistentBackendService:
+
+# tolerateNonExistentBackendAction gives the option for a “graceful degradation” behavior, false by default
+tolerateNonExistentBackendAction:
+
 # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
 defaultSSLPolicy:
 
@@ -268,6 +274,9 @@ enableEndpointSlices:
 # enableBackendSecurityGroup enables shared security group for backend traffic (default true)
 enableBackendSecurityGroup:
 
+# enableManageBackendSecurityGroupRules enables managing rules of the backend security group (default false)
+enableManageBackendSecurityGroupRules:
+
 # backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
 backendSecurityGroup:
 
@@ -281,6 +290,15 @@ controllerConfig:
   #  ServiceTypeLoadBalancerOnly: true
   #  EndpointsFailOpen: true
 
+# serviceTargetENISGTags extra tags used by the controller when finding the target ENI security group to which it should add inbound rules.
+serviceTargetENISGTags:
+
+# loadBalancerClass specifies the load balancer class to watch for
+loadBalancerClass:
+
+# Instead of (or in addition to) explicitly setting --aws-vpc-id, you can provide tags used to filter the correct VPC(s)
+vpcTags:
+
 # objectSelector for webhook
 objectSelector:
   matchExpressions:
diff --git a/charts/internal/shoot-system-components/charts/aws-load-balancer-controller/templates/rbac.yaml b/charts/internal/shoot-system-components/charts/aws-load-balancer-controller/templates/rbac.yaml
@@ -7,38 +7,20 @@ metadata:
   labels:
     {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    resourceNames:
-      - aws-load-balancer-controller-leader
-    verbs:
-      - get
-      - update
-      - patch
-  - apiGroups:
-      - "coordination.k8s.io"
-    resources:
-      - leases
-    verbs:
-      - create
-  - apiGroups:
-      - "coordination.k8s.io"
-    resources:
-      - leases
-    resourceNames:
-      - aws-load-balancer-controller-leader
-    verbs:
-      - get
-      - update
-      - patch
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs: [create]
+  - apiGroups: [""]
+    resources: [configmaps]
+    resourceNames: [aws-load-balancer-controller-leader]
+    verbs: [get, patch, update]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ leases ]
+    verbs: [ create ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ leases ]
+    resourceNames: [ aws-load-balancer-controller-leader ]
+    verbs: [ get, update, patch ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/imagevector/images.yaml b/imagevector/images.yaml
