From f227568aef84a2313989f88605a0ade5026eea69 Mon Sep 17 00:00:00 2001 
From: Bryant Biggs Date: Thu, 3 Oct 2024 11:46:06 -0500 Subject: [PATCH] chore: Deprecate `aws-load-balancer-controller` in favor of moving to upstream repository --- README.md | 3 +- .../aws-load-balancer-controller/.helmignore | 25 - .../aws-load-balancer-controller/Chart.yaml | 22 - stable/aws-load-balancer-controller/README.md | 283 -------- .../ci/extra_args | 1 - .../ci/values.yaml | 7 - .../crds/crds.yaml | 651 ------------------ .../crds/kustomization.yaml | 4 - .../templates/NOTES.txt | 1 - .../templates/_helpers.tpl | 131 ---- .../templates/deployment.yaml | 260 ------- .../templates/hpa.yaml | 34 - .../templates/ingressclass.yaml | 41 -- .../templates/pdb.yaml | 14 - .../templates/rbac.yaml | 104 --- .../templates/service.yaml | 41 -- .../templates/serviceaccount.yaml | 18 - .../templates/servicemonitor.yaml | 43 -- .../templates/webhook.yaml | 250 ------- stable/aws-load-balancer-controller/test.yaml | 355 ---------- .../aws-load-balancer-controller/values.yaml | 432 ------------ 21 files changed, 2 insertions(+), 2718 deletions(-) delete mode 100644 stable/aws-load-balancer-controller/.helmignore delete mode 100644 stable/aws-load-balancer-controller/Chart.yaml delete mode 100644 stable/aws-load-balancer-controller/README.md delete mode 100644 stable/aws-load-balancer-controller/ci/extra_args delete mode 100644 stable/aws-load-balancer-controller/ci/values.yaml delete mode 100644 stable/aws-load-balancer-controller/crds/crds.yaml delete mode 100644 stable/aws-load-balancer-controller/crds/kustomization.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/NOTES.txt delete mode 100644 stable/aws-load-balancer-controller/templates/_helpers.tpl delete mode 100644 stable/aws-load-balancer-controller/templates/deployment.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/hpa.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/ingressclass.yaml delete mode 100644 
stable/aws-load-balancer-controller/templates/pdb.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/rbac.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/service.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/serviceaccount.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/servicemonitor.yaml delete mode 100644 stable/aws-load-balancer-controller/templates/webhook.yaml delete mode 100644 stable/aws-load-balancer-controller/test.yaml delete mode 100644 stable/aws-load-balancer-controller/values.yaml diff --git a/README.md b/README.md index 1e0139865..4f656b6aa 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,8 @@ helm repo add eks https://aws.github.io/eks-charts ### AWS Load Balancer Controller -* [aws-load-balancer-controller](stable/aws-load-balancer-controller): A helm chart for [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) +> [!WARNING] +> This Helm chart is now deprecated. Please see the current chart located in the [aws-load-balancer-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller) repository which is now published on [Public ECR](https://gallery.ecr.aws/aws-ec2/helm/aws-node-termination-handler) ### AWS VPC CNI diff --git a/stable/aws-load-balancer-controller/.helmignore b/stable/aws-load-balancer-controller/.helmignore deleted file mode 100644 index 67263be0a..000000000 --- a/stable/aws-load-balancer-controller/.helmignore +++ /dev/null 
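Review bot: The `[Public ECR](...)` link in the new warning line points at `https://gallery.ecr.aws/aws-ec2/helm/aws-node-termination-handler`, which is the gallery entry for a different chart, so users following this deprecation notice are sent to the wrong artifact. The sentence and link text are about the aws-load-balancer-controller chart, so the target should be that chart's gallery entry, e.g. `[Public ECR](<gallery URL of the aws-load-balancer-controller chart>)`, with the exact path verified on the gallery since it appears nowhere in this patch. If the intent is that this chart will no longer be updated at all, it would also help migrating users to say so explicitly in the notice (e.g. "no further releases or security fixes will be published here"), since the chart README that previously carried the security-update caveat is deleted in this same commit and the top-level README is now the only place they will read it.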
@@ -1,25 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-crds/kustomization.yaml
-test.yaml
diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml
deleted file mode 100644
index 93d892dd6..000000000
--- a/stable/aws-load-balancer-controller/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v2
-name: aws-load-balancer-controller
-description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.9.0
-appVersion: v2.9.0
-home: https://github.com/aws/eks-charts
-icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
-sources:
-  - https://github.com/aws/eks-charts
-maintainers:
-  - name: kishorj
-    url: https://github.com/kishorj
-    email: kishorj@users.noreply.github.com
-  - name: m00nf1sh
-    url: https://github.com/m00nf1sh
-    email: m00nf1sh@users.noreply.github.com
-keywords:
-  - eks
-  - alb
-  - load balancer
-  - ingress
-  - nlb
diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md
deleted file mode 100644
index 180e50c08..000000000
--- a/stable/aws-load-balancer-controller/README.md
+++ /dev/null
@@ -1,283 +0,0 @@ -# AWS Load Balancer Controller - -AWS Load Balancer controller Helm chart for Kubernetes - -## TL;DR: -```sh -helm repo add eks https://aws.github.io/eks-charts -# If using IAM Roles for service account install as follows - NOTE: you need to specify both of the chart values `serviceAccount.create=false` and `serviceAccount.name=aws-load-balancer-controller` -helm install aws-load-balancer-controller eks/aws-load-balancer-controller --set clusterName=my-cluster -n kube-system --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller -# If not using IAM Roles for service account -helm install aws-load-balancer-controller eks/aws-load-balancer-controller --set clusterName=my-cluster -n kube-system -``` - -## Introduction -AWS Load Balancer controller manages the following AWS resources -- Application Load Balancers to satisfy Kubernetes ingress objects -- Network Load Balancers to satisfy Kubernetes service objects of type LoadBalancer with appropriate annotations - -## Security updates -**Note**: Deployed chart does not receive security updates automatically. You need to manually upgrade to a newer chart. -#### Node isolation -As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). 
- -## Prerequisites -- Supported Kubernetes Versions - - Chart version v1.5.0+ requires Kubernetes 1.22+ - - Chart version v1.4.0+ requires Kubernetes 1.19+ - - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 - - Chart version v1.1.6 and before supports Kubernetes 1.15 -- IAM permissions -- Helm v3 -- Optional dependencies - - cert-manager - - Prometheus Operator - -The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The -IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles. - -#### Setup IAM for ServiceAccount -1. Create IAM OIDC provider - ``` - eksctl utils associate-iam-oidc-provider \ - --region \ - --cluster \ - --approve - ``` -1. Download IAM policy for the AWS Load Balancer Controller - ``` - curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json - ``` -1. Create an IAM policy called AWSLoadBalancerControllerIAMPolicy - ``` - aws iam create-policy \ - --policy-name AWSLoadBalancerControllerIAMPolicy \ - --policy-document file://iam-policy.json - ``` - Take note of the policy ARN that is returned - -1. Create a IAM role and ServiceAccount for the Load Balancer controller, use the ARN from the step above - ``` - eksctl create iamserviceaccount \ - --cluster= \ - --namespace=kube-system \ - --name=aws-load-balancer-controller \ - --attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \ - --approve - ``` -#### Setup IAM manually -If not setting up IAM for ServiceAccount, apply the IAM policies from the following URL at minimum. 
-``` -https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/main/docs/install/iam_policy.json -``` - -#### Upgrading from ALB ingress controller -If migrating from ALB ingress controller, grant [additional IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json). - -#### Upgrading from AWS Load Balancer controller v2.1.3 and earlier -- Additional IAM permissions required, ensure you have granted the [required IAM permissions](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). -- CRDs need to be updated as follows -```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" -``` -- you can run helm upgrade without uninstalling the old chart completely - -#### Installing cert-manager - -If you are setting `enableCertManager: true` you need to have installed cert-manager and it's CRDs before installing this chart; to install [cert-manager](https://artifacthub.io/packages/helm/cert-manager/cert-manager) follow the installation guide. - -The controller helm chart requires the cert-manager with apiVersion `cert-manager.io/v1`. - -Set `cluster.dnsDomain` (default: `cluster.local`) to the actual DNS domain of your cluster to include the FQDN in requested TLS certificates. - -#### Installing the Prometheus Operator - -If you are setting `serviceMonitor.enabled: true` you need to have installed the Prometheus Operator ServiceMonitor CRD before installing this chart and have the operator running to collect the metrics. The easiest way to do this is to install the [kube-prometheus-stack](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) Helm chart using the installation guide. - -## Installing the Chart -**Note**: You need to uninstall aws-alb-ingress-controller. 
Please refer to the [upgrade](#Upgrade) section below before you proceed. - -**Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. - -**Note**: To ensure compatibility, we recommend installing the AWS Load Balancer controller image version with its compatible Helm chart version. Use the ```helm search repo eks/aws-load-balancer-controller --versions``` command to find the compatible versions. - -Add the EKS repository to Helm: -```shell script -helm repo add eks https://aws.github.io/eks-charts -``` - -Install the TargetGroupBinding CRDs: - -```shell script -kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master" -``` - -Install the AWS Load Balancer controller, if using iamserviceaccount -```shell script -# NOTE: The clusterName value must be set either via the values.yaml or the Helm command line. The in the command -# below should be replaced with name of your k8s cluster before running it. -helm upgrade -i aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName= --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller -``` - -Install the AWS Load Balancer controller, if not using iamserviceaccount -```shell script -helm upgrade -i aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName= -``` - -## Upgrade -The new controller is backwards compatible with the existing ingress objects. However, it will not coexist with the older aws-alb-ingress-controller. -The old controller must be uninstalled completely before installing the new version. 
-### Kubectl installation -If you had installed the previous version via kubectl, uninstall as follows -```shell script -$ kubectl delete deployment -n kube-system alb-ingress-controller -$ kubectl delete clusterRole alb-ingress-controller -$ kubectl delete ClusterRoleBinding alb-ingress-controller -$ kubectl delete ServiceAccount -n kube-system alb-ingress-controller - -# Alternatively you can find the version of the controller and delete as follows -$ kubectl describe deployment -n kube-system alb-ingress-controller |grep Image - Image: docker.io/amazon/aws-alb-ingress-controller:v1.1.8 -# You can delete the deployment now -$ kubectl delete deployment -n kube-system alb-ingress-controller -# In this case, the version is v1.1.8, the rbac roles can be removed as follows -$ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml -``` -### Helm installation -If you had installed the incubator/aws-alb-ingress-controller Helm chart, uninstall as follows -```shell script -# NOTE: If installed under a different chart name and namespace, please specify as appropriate -$ helm delete aws-alb-ingress-controller -n kube-system -``` - -If you had installed the 0.1.x version of eks-charts/aws-load-balancer-controller chart earlier, the upgrade to chart version 1.0.0 will -not work due to incompatibility of the webhook api version, uninstall as follows -```shell script -$ helm delete aws-load-balancer-controller -n kube-system -``` - -## Uninstalling the Chart -```sh -helm delete aws-load-balancer-controller -n kube-system -``` - -If you setup IAM Roles for ServiceAccount, you can cleanup as follows -``` -eksctl delete iamserviceaccount --cluster --namespace kube-system --name aws-load-balancer-controller -``` - -## HA configuration -Chart release v1.2.0 and later enables high availability configuration by default. -- The default number of replicas is 2. 
You can pass`--set replicaCount=1` flag during chart installation to disable this. Due to leader election, only one controller will actively reconcile resources. -- The default priority class for the controller pods is `system-cluster-critical` -- Soft pod anti-affinity is enabled for controller pods with `topologyKey: kubernetes.io/hostname` if you don't configure custom affinity and set `configureDefaultAffinity` to `true` -- Pod disruption budget (PDB) has not been set by default. If you plan on running at least 2 controller pods, you can pass `--set podDisruptionBudget.maxUnavailable=1` flag during chart installation - -## Configuration - -The following tables lists the configurable parameters of the chart and their default values. -The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). - - -| Parameter | Description | Default | -| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | -| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | -| `image.tag` | image tag | `` | -| `image.pullPolicy` | image pull policy | `IfNotPresent` | -| `clusterName` | Kubernetes cluster name | None | -| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | -| `securityContext` | Set to security context for pod | `{}` | -| `resources` | Controller pod resource requests & limits | `{}` | -| `priorityClassName` | Controller pod priority class | 
system-cluster-critical | -| `nodeSelector` | Node labels for controller pod assignment | `{}` | -| `tolerations` | Controller pod toleration for taints | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | -| `deploymentAnnotations` | Annotations to add to deployment | `{}` | -| `podAnnotations` | Annotations to add to each pod | `{}` | -| `podLabels` | Labels to add to each pod | `{}` | -| `additionalLabels` | Labels to add to all components | `{}` | -| `rbac.create` | if `true`, create and use RBAC resources | `true` | -| `serviceAccount.annotations` | optional annotations to add to service account | None | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | -| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used | None | -| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | -| `ingressClass` | The ingress class to satisfy | alb | -| `createIngressClassResource` | Create ingressClass resource | true | -| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | -| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | -| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | -| `region` | The AWS region for the kubernetes cluster | None | -| `vpcId` | The VPC ID for the Kubernetes cluster | None | -| `awsApiEndpoints` | Custom AWS API Endpoints | None | -| `awsApiThrottle` | Custom AWS API throttle settings | None | -| `awsMaxRetries` | Maximum retries 
for AWS APIs | None | -| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | -| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | -| `enableShield` | Enable Shield addon for ALB | None | -| `enableWaf` | Enable WAF addon for ALB | None | -| `enableWafv2` | Enable WAF V2 addon for ALB | None | -| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | -| `logLevel` | Set the controller log level - info, debug | None | -| `metricsBindAddr` | The address the metric endpoint binds to | "" | -| `webhookConfig.disableIngressValidation` | Disables the validation of resources of kind Ingress | None | -| `webhookBindPort` | The TCP port the Webhook server binds to | None | -| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | -| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | -| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | -| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | -| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | -| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | -| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | -| `syncPeriod` | Period at which the 
controller forces the repopulation of its local object stores | None | -| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | -| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | -| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | -| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | -| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | -| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | -| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | -| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | -| `env` | Environment variables to set for aws-load-balancer-controller pod | None | -| `envFrom` | Environment variables to set for aws-load-balancer-controller pod from configMap or Secret | None | -| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). 
| None | -| `hostNetwork` | If `true`, use hostNetwork | `false` | -| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | -| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | -| `extraVolumes` | Extra volumes for the pod | `[]` | -| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | -| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | -| `revisionHistoryLimit` | Number of revisions to keep | `10` | -| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` | -| `updateStrategy` | Defines the update strategy for the deployment | `{}` | -| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | -| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | -| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | -| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | -| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | -| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | -| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | -| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | -| `serviceMonitor.namespace` | Namespace in which to create the service monitor | None | -| `serviceMonitor.additionalLabels` | Labels to add to the 
service monitor | `{}` | -| `serviceMonitor.interval` | Prometheus scrape interval | `1m` | -| `serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `1m` | -| `serviceMonitor.relabelings` | Relabelings to apply to samples before ingestion | `1m` | -| `serviceMonitor.metricRelabelings` | Metric relabelings to apply to samples before ingestion | `1m` | -| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` | -| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | -| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | -| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | -| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` | -| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` | -| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` | -| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. 
Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` | -| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None | -| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` | -| `creator` | if set to a `value!=helm`, it will disable the addition of default helm labels | `helm` | -| `runtimeClassName` | Runtime class name for the controller pods , such as `gvisor` or `kata`. An unspecified `nil` or empty `""` RuntimeClassName is equivalent to the backwards-compatible default behavior as if the RuntimeClass feature is disabled. | "" | diff --git a/stable/aws-load-balancer-controller/ci/extra_args b/stable/aws-load-balancer-controller/ci/extra_args deleted file mode 100644 index c72e0d8bc..000000000 --- a/stable/aws-load-balancer-controller/ci/extra_args +++ /dev/null @@ -1 +0,0 @@ ---set clusterName=k8s-ci-cluster diff --git a/stable/aws-load-balancer-controller/ci/values.yaml b/stable/aws-load-balancer-controller/ci/values.yaml deleted file mode 100644 index 4285476fa..000000000 --- a/stable/aws-load-balancer-controller/ci/values.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# CI testing values for aws-load-balancer-controller - -region: us-west-2 -image: - repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.4.5 - pullPolicy: Always diff --git a/stable/aws-load-balancer-controller/crds/crds.yaml b/stable/aws-load-balancer-controller/crds/crds.yaml deleted file mode 100644 index e2d92380b..000000000 --- a/stable/aws-load-balancer-controller/crds/crds.yaml +++ /dev/null 
@@ -1,651 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: ingressclassparams.elbv2.k8s.aws -spec: - group: elbv2.k8s.aws - names: - kind: IngressClassParams - listKind: IngressClassParamsList - plural: ingressclassparams - singular: ingressclassparams - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The Ingress Group name - jsonPath: .spec.group.name - name: GROUP-NAME - type: string - - description: The AWS Load Balancer scheme - jsonPath: .spec.scheme - name: SCHEME - type: string - - description: The AWS Load Balancer ipAddressType - jsonPath: .spec.ipAddressType - name: IP-ADDRESS-TYPE - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: IngressClassParams is the Schema for the IngressClassParams API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IngressClassParamsSpec defines the desired state of IngressClassParams - properties: - certificateArn: - description: CertificateArn specifies the ARN of the certificates - for all Ingresses that belong to IngressClass with this IngressClassParams. 
- items: - type: string - type: array - group: - description: Group defines the IngressGroup for all Ingresses that - belong to IngressClass with this IngressClassParams. - properties: - name: - description: Name is the name of IngressGroup. - type: string - required: - - name - type: object - inboundCIDRs: - description: InboundCIDRs specifies the CIDRs that are allowed to - access the Ingresses that belong to IngressClass with this IngressClassParams. - items: - type: string - type: array - ipAddressType: - description: IPAddressType defines the ip address type for all Ingresses - that belong to IngressClass with this IngressClassParams. - enum: - - ipv4 - - dualstack - - dualstack-without-public-ipv4 - type: string - listeners: - description: Listeners define a list of listeners with their protocol, - port and attributes. - items: - properties: - listenerAttributes: - description: The attributes of the listener - items: - description: Attributes defines custom attributes on resources. - properties: - key: - description: The key of the attribute. - type: string - value: - description: The value of the attribute. - type: string - required: - - key - - value - type: object - type: array - port: - description: The port of the listener - format: int32 - type: integer - protocol: - description: The protocol of the listener - type: string - type: object - type: array - loadBalancerAttributes: - description: LoadBalancerAttributes define the custom attributes to - LoadBalancers for all Ingress that that belong to IngressClass with - this IngressClassParams. - items: - description: Attributes defines custom attributes on resources. - properties: - key: - description: The key of the attribute. - type: string - value: - description: The value of the attribute. 
- type: string - required: - - key - - value - type: object - type: array - namespaceSelector: - description: |- - NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. - * if absent or present but empty, it selects all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - scheme: - description: Scheme defines the scheme for all Ingresses that belong - to IngressClass with this IngressClassParams. 
- enum: - - internal - - internet-facing - type: string - sslPolicy: - description: SSLPolicy specifies the SSL Policy for all Ingresses - that belong to IngressClass with this IngressClassParams. - type: string - subnets: - description: Subnets defines the subnets for all Ingresses that belong - to IngressClass with this IngressClassParams. - properties: - ids: - description: IDs specify the resource IDs of subnets. Exactly - one of this or `tags` must be specified. - items: - description: SubnetID specifies a subnet ID. - pattern: subnet-[0-9a-f]+ - type: string - minItems: 1 - type: array - tags: - additionalProperties: - items: - type: string - type: array - description: |- - Tags specifies subnets in the load balancer's VPC where each - tag specified in the map key contains one of the values in the corresponding - value list. - Exactly one of this or `ids` must be specified. - type: object - type: object - tags: - description: Tags defines list of Tags on AWS resources provisioned - for Ingresses that belong to IngressClass with this IngressClassParams. - items: - description: Tag defines a AWS Tag on resources. - properties: - key: - description: The key of the tag. - type: string - value: - description: The value of the tag. 
- type: string - required: - - key - - value - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: targetgroupbindings.elbv2.k8s.aws -spec: - group: elbv2.k8s.aws - names: - kind: TargetGroupBinding - listKind: TargetGroupBindingList - plural: targetgroupbindings - singular: targetgroupbinding - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The Kubernetes Service's name - jsonPath: .spec.serviceRef.name - name: SERVICE-NAME - type: string - - description: The Kubernetes Service's port - jsonPath: .spec.serviceRef.port - name: SERVICE-PORT - type: string - - description: The AWS TargetGroup's TargetType - jsonPath: .spec.targetType - name: TARGET-TYPE - type: string - - description: The AWS TargetGroup's Amazon Resource Name - jsonPath: .spec.targetGroupARN - name: ARN - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: TargetGroupBinding is the Schema for the TargetGroupBinding API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding - properties: - networking: - description: networking provides the networking setup for ELBV2 LoadBalancer - to access targets in TargetGroup. - properties: - ingress: - description: List of ingress rules to allow ELBV2 LoadBalancer - to access targets in TargetGroup. - items: - properties: - from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. - items: - description: NetworkingPeer defines the source/destination - peer for networking rules. - properties: - ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. - properties: - cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. - type: string - required: - - cidr - type: object - securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. - properties: - groupID: - description: GroupID is the EC2 SecurityGroupID. - type: string - required: - - groupID - type: object - type: object - type: array - ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. - items: - properties: - port: - anyOf: - - type: integer - - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. 
- x-kubernetes-int-or-string: true - protocol: - description: |- - The protocol which traffic must match. - If protocol is unspecified, it defaults to TCP. - enum: - - TCP - - UDP - type: string - type: object - type: array - required: - - from - - ports - type: object - type: array - type: object - serviceRef: - description: serviceRef is a reference to a Kubernetes Service and - ServicePort. - properties: - name: - description: Name is the name of the Service. - type: string - port: - anyOf: - - type: integer - - type: string - description: Port is the port of the ServicePort. - x-kubernetes-int-or-string: true - required: - - name - - port - type: object - targetGroupARN: - description: targetGroupARN is the Amazon Resource Name (ARN) for - the TargetGroup. - type: string - targetType: - description: targetType is the TargetType of TargetGroup. If unspecified, - it will be automatically inferred. - enum: - - instance - - ip - type: string - required: - - serviceRef - - targetGroupARN - type: object - status: - description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding - properties: - observedGeneration: - description: The generation observed by the TargetGroupBinding controller. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The Kubernetes Service's name - jsonPath: .spec.serviceRef.name - name: SERVICE-NAME - type: string - - description: The Kubernetes Service's port - jsonPath: .spec.serviceRef.port - name: SERVICE-PORT - type: string - - description: The AWS TargetGroup's TargetType - jsonPath: .spec.targetType - name: TARGET-TYPE - type: string - - description: The AWS TargetGroup's Amazon Resource Name - jsonPath: .spec.targetGroupARN - name: ARN - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: TargetGroupBinding is the Schema for the TargetGroupBinding API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding - properties: - ipAddressType: - description: ipAddressType specifies whether the target group is of - type IPv4 or IPv6. If unspecified, it will be automatically inferred. - enum: - - ipv4 - - ipv6 - type: string - networking: - description: networking defines the networking rules to allow ELBV2 - LoadBalancer to access targets in TargetGroup. 
- properties: - ingress: - description: List of ingress rules to allow ELBV2 LoadBalancer - to access targets in TargetGroup. - items: - description: NetworkingIngressRule defines a particular set - of traffic that is allowed to access TargetGroup's targets. - properties: - from: - description: |- - List of peers which should be able to access the targets in TargetGroup. - At least one NetworkingPeer should be specified. - items: - description: NetworkingPeer defines the source/destination - peer for networking rules. - properties: - ipBlock: - description: |- - IPBlock defines an IPBlock peer. - If specified, none of the other fields can be set. - properties: - cidr: - description: |- - CIDR is the network CIDR. - Both IPV4 or IPV6 CIDR are accepted. - type: string - required: - - cidr - type: object - securityGroup: - description: |- - SecurityGroup defines a SecurityGroup peer. - If specified, none of the other fields can be set. - properties: - groupID: - description: GroupID is the EC2 SecurityGroupID. - type: string - required: - - groupID - type: object - type: object - type: array - ports: - description: |- - List of ports which should be made accessible on the targets in TargetGroup. - If ports is empty or unspecified, it defaults to all ports with TCP. - items: - description: NetworkingPort defines the port and protocol - for networking rules. - properties: - port: - anyOf: - - type: integer - - type: string - description: |- - The port which traffic must match. - When NodePort endpoints(instance TargetType) is used, this must be a numerical port. - When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. - if port is unspecified, it defaults to all ports. - x-kubernetes-int-or-string: true - protocol: - description: |- - The protocol which traffic must match. - If protocol is unspecified, it defaults to TCP. 
- enum: - - TCP - - UDP - type: string - type: object - type: array - required: - - from - - ports - type: object - type: array - type: object - nodeSelector: - description: node selector for instance type target groups to only - register certain nodes - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - serviceRef: - description: serviceRef is a reference to a Kubernetes Service and - ServicePort. - properties: - name: - description: Name is the name of the Service. - type: string - port: - anyOf: - - type: integer - - type: string - description: Port is the port of the ServicePort. 
- x-kubernetes-int-or-string: true - required: - - name - - port - type: object - targetGroupARN: - description: targetGroupARN is the Amazon Resource Name (ARN) for - the TargetGroup. - minLength: 1 - type: string - targetType: - description: targetType is the TargetType of TargetGroup. If unspecified, - it will be automatically inferred. - enum: - - instance - - ip - type: string - vpcID: - description: VpcID is the VPC of the TargetGroup. If unspecified, - it will be automatically inferred. - type: string - required: - - serviceRef - - targetGroupARN - type: object - status: - description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding - properties: - observedGeneration: - description: The generation observed by the TargetGroupBinding controller. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/stable/aws-load-balancer-controller/crds/kustomization.yaml b/stable/aws-load-balancer-controller/crds/kustomization.yaml deleted file mode 100644 index 3f1d1cbba..000000000 --- a/stable/aws-load-balancer-controller/crds/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- crds.yaml diff --git a/stable/aws-load-balancer-controller/templates/NOTES.txt b/stable/aws-load-balancer-controller/templates/NOTES.txt deleted file mode 100644 index 04e98e0a9..000000000 --- a/stable/aws-load-balancer-controller/templates/NOTES.txt +++ /dev/null @@ -1 +0,0 @@ -AWS Load Balancer controller installed! diff --git a/stable/aws-load-balancer-controller/templates/_helpers.tpl b/stable/aws-load-balancer-controller/templates/_helpers.tpl deleted file mode 100644 index d916b99c4..000000000 --- a/stable/aws-load-balancer-controller/templates/_helpers.tpl +++ /dev/null 
@@ -1,131 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "aws-load-balancer-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "aws-load-balancer-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "aws-load-balancer-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Chart name prefix for resource names -Strip the "-controller" suffix from the default .Chart.Name if the nameOverride is not specified. -This enables using a shorter name for the resources, for example aws-load-balancer-webhook. -*/}} -{{- define "aws-load-balancer-controller.namePrefix" -}} -{{- $defaultNamePrefix := .Chart.Name | trimSuffix "-controller" -}} -{{- default $defaultNamePrefix .Values.nameOverride | trunc 42 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "aws-load-balancer-controller.labels" -}} -{{- if eq (default "helm" .Values.creator) "helm" -}} -app.kubernetes.io/managed-by: {{ .Release.Service }} -helm.sh/chart: {{ include "aws-load-balancer-controller.chart" . }} -{{- end }} -{{ include "aws-load-balancer-controller.selectorLabels" . 
}} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels }} -{{- end -}} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "aws-load-balancer-controller.selectorLabels" -}} -app.kubernetes.io/name: {{ include "aws-load-balancer-controller.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "aws-load-balancer-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "aws-load-balancer-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the webhook service -*/}} -{{- define "aws-load-balancer-controller.webhookService" -}} -{{- printf "%s-webhook-service" (include "aws-load-balancer-controller.namePrefix" .) -}} -{{- end -}} - -{{/* -Create the name of the webhook cert secret -*/}} -{{- define "aws-load-balancer-controller.webhookCertSecret" -}} -{{- printf "%s-tls" (include "aws-load-balancer-controller.namePrefix" .) -}} -{{- end -}} - -{{/* -Generate certificates for webhook -*/}} -{{- define "aws-load-balancer-controller.webhookCerts" -}} -{{- $serviceName := (include "aws-load-balancer-controller.webhookService" .) -}} -{{- $secretName := (include "aws-load-balancer-controller.webhookCertSecret" .) 
-}} -{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} -{{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}} -caCert: {{ .Values.webhookTLS.caCert | b64enc }} -clientCert: {{ .Values.webhookTLS.cert | b64enc }} -clientKey: {{ .Values.webhookTLS.key | b64enc }} -{{- else if and .Values.keepTLSSecret $secret -}} -caCert: {{ index $secret.data "ca.crt" }} -clientCert: {{ index $secret.data "tls.crt" }} -clientKey: {{ index $secret.data "tls.key" }} -{{- else -}} -{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}} -{{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}} -{{- $cert := genSignedCert (include "aws-load-balancer-controller.fullname" .) nil $altNames 3650 $ca -}} -caCert: {{ $ca.Cert | b64enc }} -clientCert: {{ $cert.Cert | b64enc }} -clientKey: {{ $cert.Key | b64enc }} -{{- end -}} -{{- end -}} - -{{/* -Convert map to comma separated key=value string -*/}} -{{- define "aws-load-balancer-controller.convertMapToCsv" -}} -{{- range $key, $value := . -}} {{ $key }}={{ $value }}, {{- end -}} -{{- end -}} - -{{/* -Create the name of the ingressClassParams -*/}} -{{- define "aws-load-balancer-controller.ingressClassParamsName" -}} -{{ default .Values.ingressClass .Values.ingressClassParams.name }} -{{- end -}} diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml deleted file mode 100644 index da672ab34..000000000 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ /dev/null 
@@ -1,260 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ .Release.Namespace }} - {{- if .Values.deploymentAnnotations }} - annotations: - {{- toYaml .Values.deploymentAnnotations | nindent 4 }} - {{- end }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - selector: - matchLabels: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} - {{- with .Values.updateStrategy }} - strategy: - {{ toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- toYaml .Values.podLabels | nindent 8 }} - {{- end }} - annotations: - {{- if not .Values.serviceMonitor.enabled }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }}" - {{- end}} - {{- if .Values.podAnnotations }} - {{- toYaml .Values.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.runtimeClassName }} - runtimeClassName: {{ .Values.runtimeClassName }} - {{- end }} - serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} - {{- with .Values.extraVolumes }} - {{ toYaml . 
| nindent 6 }} - {{- end }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.hostNetwork }} - hostNetwork: true - {{- end }} - {{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - args: - - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }} - {{- if .Values.ingressClass }} - - --ingress-class={{ .Values.ingressClass }} - {{- end }} - {{- $region := tpl (default "" .Values.region) . }} - {{- if $region }} - - --aws-region={{ .Values.region }} - {{- end }} - {{- $vpcID := tpl (default "" .Values.vpcId) . }} - {{- if $vpcID }} - - --aws-vpc-id={{ $vpcID }} - {{- end }} - {{- if .Values.awsApiEndpoints }} - - --aws-api-endpoints={{ .Values.awsApiEndpoints }} - {{- end }} - {{- if .Values.awsApiThrottle }} - - --aws-api-throttle={{ join "," .Values.awsApiThrottle }} - {{- end }} - {{- if .Values.awsMaxRetries }} - - --aws-max-retries={{ .Values.awsMaxRetries }} - {{- end }} - {{- if kindIs "bool" .Values.enablePodReadinessGateInject }} - - --enable-pod-readiness-gate-inject={{ .Values.enablePodReadinessGateInject }} - {{- end }} - {{- if kindIs "bool" .Values.enableShield }} - - --enable-shield={{ .Values.enableShield }} - {{- end }} - {{- if kindIs "bool" .Values.enableWaf }} - - --enable-waf={{ .Values.enableWaf }} - {{- end }} - {{- if kindIs "bool" .Values.enableWafv2 }} - - --enable-wafv2={{ .Values.enableWafv2 }} - {{- end }} - {{- if .Values.metricsBindAddr }} - - --metrics-bind-addr={{ .Values.metricsBindAddr }} - {{- end }} - {{- if .Values.ingressMaxConcurrentReconciles }} - - --ingress-max-concurrent-reconciles={{ .Values.ingressMaxConcurrentReconciles }} - {{- end }} - {{- if .Values.serviceMaxConcurrentReconciles }} - - --service-max-concurrent-reconciles={{ .Values.serviceMaxConcurrentReconciles }} - {{- end }} - {{- if .Values.targetgroupbindingMaxConcurrentReconciles }} 
- - --targetgroupbinding-max-concurrent-reconciles={{ .Values.targetgroupbindingMaxConcurrentReconciles }} - {{- end }} - {{- if .Values.targetgroupbindingMaxExponentialBackoffDelay }} - - --targetgroupbinding-max-exponential-backoff-delay={{ .Values.targetgroupbindingMaxExponentialBackoffDelay }} - {{- end }} - {{- if .Values.logLevel }} - - --log-level={{ .Values.logLevel }} - {{- end }} - {{- if .Values.webhookBindPort }} - - --webhook-bind-port={{ .Values.webhookBindPort }} - {{- end }} - {{- if .Values.syncPeriod }} - - --sync-period={{ .Values.syncPeriod }} - {{- end }} - {{- if .Values.watchNamespace }} - - --watch-namespace={{ .Values.watchNamespace }} - {{- end }} - {{- if kindIs "bool" .Values.disableIngressClassAnnotation }} - - --disable-ingress-class-annotation={{ .Values.disableIngressClassAnnotation }} - {{- end }} - {{- if kindIs "bool" .Values.disableIngressGroupNameAnnotation }} - - --disable-ingress-group-name-annotation={{ .Values.disableIngressGroupNameAnnotation }} - {{- end }} - {{- if kindIs "bool" .Values.tolerateNonExistentBackendService }} - - --tolerate-non-existent-backend-service={{ .Values.tolerateNonExistentBackendService }} - {{- end }} - {{- if kindIs "bool" .Values.tolerateNonExistentBackendAction }} - - --tolerate-non-existent-backend-action={{ .Values.tolerateNonExistentBackendAction }} - {{- end }} - {{- if .Values.defaultSSLPolicy }} - - --default-ssl-policy={{ .Values.defaultSSLPolicy }} - {{- end }} - {{- if .Values.externalManagedTags }} - - --external-managed-tags={{ join "," .Values.externalManagedTags }} - {{- end }} - {{- if .Values.defaultTags }} - - --default-tags={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.defaultTags | trimSuffix "," }} - {{- end }} - {{- if kindIs "bool" .Values.enableEndpointSlices }} - - --enable-endpoint-slices={{ .Values.enableEndpointSlices }} - {{- end }} - {{- if kindIs "bool" .Values.enableBackendSecurityGroup }} - - --enable-backend-security-group={{ 
.Values.enableBackendSecurityGroup }} - {{- end }} - {{- if .Values.backendSecurityGroup }} - - --backend-security-group={{ .Values.backendSecurityGroup }} - {{- end }} - {{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }} - - --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }} - {{- end }} - {{- if .Values.controllerConfig.featureGates }} - - --feature-gates={{ include "aws-load-balancer-controller.convertMapToCsv" .Values.controllerConfig.featureGates | trimSuffix "," }} - {{- end }} - {{- if ne .Values.defaultTargetType "instance" }} - - --default-target-type={{ .Values.defaultTargetType }} - {{- end }} - {{- if .Values.serviceTargetENISGTags }} - - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }} - {{- end }} - {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }} - - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }} - {{- end }} - {{- if .Values.loadBalancerClass }} - - --load-balancer-class={{ .Values.loadBalancerClass }} - {{- end }} - {{- if or .Values.env .Values.envSecretName }} - env: - {{- if .Values.env}} - {{- range $key, $value := .Values.env }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- if .Values.envSecretName }} - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ .Values.envSecretName }} - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ .Values.envSecretName }} - key: access_key - optional: true - {{- end }} - {{- end }} - {{- if .Values.envFrom }} - envFrom: - {{- toYaml .Values.envFrom | nindent 10 }} - {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - {{- with 
.Values.extraVolumeMounts }} - {{ toYaml . | nindent 8 }} - {{- end }} - ports: - - name: webhook-server - containerPort: {{ .Values.webhookBindPort | default 9443 }} - protocol: TCP - - name: metrics-server - containerPort: {{ (split ":" .Values.metricsBindAddr)._1 | default 8080 }} - protocol: TCP - resources: - {{- toYaml .Values.resources | nindent 10 }} - {{- with .Values.livenessProbe }} - livenessProbe: - {{- toYaml . | nindent 10 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 10 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: - {{- toYaml .Values.affinity | nindent 8 }} - {{- else if .Values.configureDefaultAffinity }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - {{ include "aws-load-balancer-controller.name" . }} - topologyKey: kubernetes.io/hostname - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/stable/aws-load-balancer-controller/templates/hpa.yaml b/stable/aws-load-balancer-controller/templates/hpa.yaml deleted file mode 100644 index 68689ba66..000000000 --- a/stable/aws-load-balancer-controller/templates/hpa.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.Version)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "aws-load-balancer-controller.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ required "A valid .Values.autoscaling.maxReplicas value is required" .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/stable/aws-load-balancer-controller/templates/ingressclass.yaml b/stable/aws-load-balancer-controller/templates/ingressclass.yaml deleted file mode 100644 index feed802d2..000000000 --- a/stable/aws-load-balancer-controller/templates/ingressclass.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{- /* -[caution] AWSLoadBalancerController <= v2.4.2 expects referenced IngressClassParams to be created before IngressClass. -We use a list here to force Helm create IngressClassParams(if any) before apply any IngressClass changes. -*/}} -{{- if .Values.createIngressClassResource }} -apiVersion: v1 -kind: List -metadata: - name: ingress-class -items: -{{- if .Values.ingressClassParams.create }} -- apiVersion: elbv2.k8s.aws/v1beta1 - kind: IngressClassParams - metadata: - name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 6 }} - {{- with .Values.ingressClassParams.spec }} - spec: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} -- apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - name: {{ .Values.ingressClass }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 6 }} - {{- if .Values.ingressClassConfig.default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" - {{- end }} - spec: - controller: ingress.k8s.aws/alb - {{- if or .Values.ingressClassParams.name (and .Values.ingressClassParams.create .Values.ingressClassParams.spec) }} - parameters: - apiGroup: elbv2.k8s.aws - kind: IngressClassParams - name: {{ include "aws-load-balancer-controller.ingressClassParamsName" . }} - {{- end }} -{{- end }} diff --git a/stable/aws-load-balancer-controller/templates/pdb.yaml b/stable/aws-load-balancer-controller/templates/pdb.yaml deleted file mode 100644 index f72abaf34..000000000 --- a/stable/aws-load-balancer-controller/templates/pdb.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} - {{- toYaml .Values.podDisruptionBudget | nindent 2 }} -{{- end }} diff --git a/stable/aws-load-balancer-controller/templates/rbac.yaml b/stable/aws-load-balancer-controller/templates/rbac.yaml deleted file mode 100644 index fc3bda695..000000000 --- a/stable/aws-load-balancer-controller/templates/rbac.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - resources: [configmaps] - verbs: [create] -- apiGroups: [""] - resources: [configmaps] - resourceNames: [aws-load-balancer-controller-leader] - verbs: [get, patch, update] -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - create -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - resourceNames: - - aws-load-balancer-controller-leader - verbs: - - get - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-rolebinding - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role -subjects: -- kind: ServiceAccount - name: {{ template "aws-load-balancer-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "aws-load-balancer-controller.fullname" . }}-role - labels: - {{- include "aws-load-balancer-controller.labels" . 
| nindent 4 }} -rules: -- apiGroups: ["elbv2.k8s.aws"] - resources: [targetgroupbindings] - verbs: [create, delete, get, list, patch, update, watch] -- apiGroups: ["elbv2.k8s.aws"] - resources: [ingressclassparams] - verbs: [get, list, watch] -- apiGroups: [""] - resources: [events] - verbs: [create, patch] -- apiGroups: [""] - resources: [pods] - verbs: [get, list, watch] -- apiGroups: ["networking.k8s.io"] - resources: [ingressclasses] - verbs: [get, list, watch] -- apiGroups: ["", "extensions", "networking.k8s.io"] - resources: [services, ingresses] - verbs: [get, list, patch, update, watch] -- apiGroups: [""] - resources: [nodes, namespaces, endpoints] - verbs: [get, list, watch] -{{- if .Values.clusterSecretsPermissions.allowAllSecrets }} -- apiGroups: [""] - resources: [secrets] - verbs: [get, list, watch] -{{- end }} -- apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"] - resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status] - verbs: [update, patch] -- apiGroups: ["discovery.k8s.io"] - resources: [endpointslices] - verbs: [get, list, watch] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "aws-load-balancer-controller.fullname" . }}-rolebinding - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "aws-load-balancer-controller.fullname" . }}-role -subjects: -- kind: ServiceAccount - name: {{ template "aws-load-balancer-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/stable/aws-load-balancer-controller/templates/service.yaml b/stable/aws-load-balancer-controller/templates/service.yaml deleted file mode 100644 index aad0044eb..000000000 --- a/stable/aws-load-balancer-controller/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{- if.Values.serviceMonitor.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "aws-load-balancer-controller.fullname" . }} - namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -spec: - ports: - - port: 8080 - name: metrics-server - targetPort: metrics-server - selector: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }} ---- -{{- end }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "aws-load-balancer-controller.webhookService" . }} - namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - app.kubernetes.io/component: webhook - prometheus.io/service-monitor: "false" -spec: - ports: - - port: 443 - name: webhook-server - targetPort: webhook-server - selector: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 4 }} diff --git a/stable/aws-load-balancer-controller/templates/serviceaccount.yaml b/stable/aws-load-balancer-controller/templates/serviceaccount.yaml deleted file mode 100644 index f4cfcac69..000000000 --- a/stable/aws-load-balancer-controller/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "aws-load-balancer-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -{{- with .Values.serviceAccount.imagePullSecrets }} -imagePullSecrets: -{{ toYaml . }} -{{- end }} -{{- end -}} diff --git a/stable/aws-load-balancer-controller/templates/servicemonitor.yaml b/stable/aws-load-balancer-controller/templates/servicemonitor.yaml deleted file mode 100644 index 0454558c2..000000000 --- a/stable/aws-load-balancer-controller/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{- if.Values.serviceMonitor.enabled -}} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "aws-load-balancer-controller.fullname" . }} - namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }} - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} - {{- with .Values.serviceMonitor.additionalLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - jobLabel: app.kubernetes.io/instance - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} - matchExpressions: - - key: prometheus.io/service-monitor - operator: NotIn - values: - - "false" - endpoints: - - port: metrics-server - path: /metrics - scheme: http - {{- with .Values.serviceMonitor.interval }} - interval: {{ . }} - {{- end }} - {{- with .Values.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ . }} - {{- end }} - {{- with .Values.serviceMonitor.relabelings }} - relabelings: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.serviceMonitor.metricRelabelings }} - metricRelabelings: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end -}} diff --git a/stable/aws-load-balancer-controller/templates/webhook.yaml b/stable/aws-load-balancer-controller/templates/webhook.yaml deleted file mode 100644 index 504f08ccb..000000000 --- a/stable/aws-load-balancer-controller/templates/webhook.yaml +++ /dev/null 
@@ -1,250 +0,0 @@ -{{ $tls := fromYaml ( include "aws-load-balancer-controller.webhookCerts" . ) }} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if $.Values.enableCertManager }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert -{{- end }} - name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook - labels: - {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} -webhooks: -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . }} - namespace: {{ $.Release.Namespace }} - path: /mutate-v1-pod - failurePolicy: Fail - name: mpod.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - namespaceSelector: - matchExpressions: - {{ if .Values.webhookNamespaceSelectors }} - {{ toYaml .Values.webhookNamespaceSelectors | nindent 4 }} - {{ else }} - - key: elbv2.k8s.aws/pod-readiness-gate-inject - operator: In - values: - - enabled - {{ end }} - objectSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: NotIn - values: - - {{ include "aws-load-balancer-controller.name" . }} - {{- if .Values.objectSelector.matchExpressions }} - {{- toYaml .Values.objectSelector.matchExpressions | nindent 4 }} - {{- end }} - {{- if .Values.objectSelector.matchLabels }} - matchLabels: - {{- toYaml .Values.objectSelector.matchLabels | nindent 6 }} - {{- end }} - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None -{{- if .Values.enableServiceMutatorWebhook }} -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . 
}} - namespace: {{ $.Release.Namespace }} - path: /mutate-v1-service - failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }} - name: mservice.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - objectSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: NotIn - values: - - {{ include "aws-load-balancer-controller.name" . }} - {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }} - {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }} - {{- end }} - - {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }} - matchLabels: - {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }} - {{- end }} - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }} - resources: - - services - sideEffects: None -{{- end }} -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . }} - namespace: {{ $.Release.Namespace }} - path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding - failurePolicy: Fail - name: mtargetgroupbinding.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - rules: - - apiGroups: - - elbv2.k8s.aws - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - targetgroupbindings - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: -{{- if $.Values.enableCertManager }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert -{{- end }} - name: {{ include "aws-load-balancer-controller.namePrefix" . }}-webhook - labels: - {{- include "aws-load-balancer-controller.labels" . 
| nindent 4 }} -webhooks: -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . }} - namespace: {{ $.Release.Namespace }} - path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams - failurePolicy: Fail - name: vingressclassparams.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - objectSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: NotIn - values: - - {{ include "aws-load-balancer-controller.name" . }} - rules: - - apiGroups: - - elbv2.k8s.aws - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - ingressclassparams - sideEffects: None -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . }} - namespace: {{ $.Release.Namespace }} - path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding - failurePolicy: Fail - name: vtargetgroupbinding.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - rules: - - apiGroups: - - elbv2.k8s.aws - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - targetgroupbindings - sideEffects: None -{{- if not $.Values.webhookConfig.disableIngressValidation }} -- clientConfig: - {{ if not $.Values.enableCertManager -}} - caBundle: {{ $tls.caCert }} - {{ end }} - service: - name: {{ template "aws-load-balancer-controller.webhookService" . 
}} - namespace: {{ $.Release.Namespace }} - path: /validate-networking-v1-ingress - failurePolicy: Fail - matchPolicy: Equivalent - name: vingress.elbv2.k8s.aws - admissionReviewVersions: - - v1beta1 - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None -{{- end }} ---- -{{- if not $.Values.enableCertManager }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} - namespace: {{ .Release.Namespace }} - labels: -{{ include "aws-load-balancer-controller.labels" . | indent 4 }} -type: kubernetes.io/tls -data: - ca.crt: {{ $tls.caCert }} - tls.crt: {{ $tls.clientCert }} - tls.key: {{ $tls.clientKey }} -{{- else }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ template "aws-load-balancer-controller.namePrefix" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: -{{ include "aws-load-balancer-controller.labels" . | indent 4 }} -spec: - dnsNames: - - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc - - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }} - issuerRef: - kind: Issuer - name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer - secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }} ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: -{{ include "aws-load-balancer-controller.labels" . | indent 4 }} -spec: - selfSigned: {} -{{- end }} diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml deleted file mode 100644 index e0dc7ef98..000000000 --- a/stable/aws-load-balancer-controller/test.yaml +++ /dev/null 
@@ -1,355 +0,0 @@ -# Default values for aws-load-balancer-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 - -image: - repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.9.0 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -runtimeClassName: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - # List of image pull secrets to add to the Service Account. - imagePullSecrets: - # - name: docker - -rbac: - # Specifies whether rbac resources should be created - create: true - -podSecurityContext: - fsGroup: 65534 - -securityContext: - # capabilities: - # drop: - # - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - allowPrivilegeEscalation: false - -# Time period for the controller pod to do a graceful shutdown -terminationGracePeriodSeconds: 10 - -resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - -# priorityClassName specifies the PriorityClass to indicate the importance of controller pods -# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: system-cluster-critical - -nodeSelector: {} - -tolerations: [] - -# affinity specifies a custom affinity for the controller pods -affinity: {} - -# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent -# co-location on the same node. This will get ignored if you specify a custom affinity configuration. 
-configureDefaultAffinity: true - -# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to -# control how Pods are spread across your cluster among failure-domains such as regions, zones, -# nodes, and other user-defined topology domains. -# -# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: {} - -updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - -# serviceAnnotations contains annotations to be added to the provisioned webhook service resource -serviceAnnotations: {} - -# deploymentAnnotations contains annotations for the controller deployment -deploymentAnnotations: {} - -podAnnotations: {} - -podLabels: {} - -# additionalLabels -- Labels to add to each object of the chart. -additionalLabels: {} - -# Enable cert-manager -enableCertManager: false - -# The name of the Kubernetes cluster. A non-empty value is required -clusterName: test-cluster - -# cluster contains configurations specific to the kubernetes cluster -cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local - -# The ingress class this controller will satisfy. If not specified, controller will match all -# ingresses without ingress class annotation and ingresses of type alb -ingressClass: alb - -# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. -ingressClassParams: - create: true - # The name of ingressClassParams resource will be referred in ingressClass - name: - spec: {} - # You always can set specifications in `helm install` command through `--set` or `--set-string` - # If you do want to specify specifications in values.yaml, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'spec:'. 
- # namespaceSelector: - # matchLabels: - # group: - # scheme: - # ipAddressType: - # tags: - -# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. -# If specified as true, the IngressClass resource will be created. -createIngressClassResource: true - -# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. -region: - -# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically -vpcId: - -# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) -awsApiEndpoints: - -# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) -# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" -awsApiThrottle: - -# Maximum retries for AWS APIs (default 10) -awsMaxRetries: - - - - -# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) -enablePodReadinessGateInject: - -# Enable Shield addon for ALB (default true) -enableShield: - -# Enable WAF addon for ALB (default true) -enableWaf: - -# Enable WAF V2 addon for ALB (default true) -enableWafv2: - -# Maximum number of concurrently running reconcile loops for ingress (default 3) -ingressMaxConcurrentReconciles: - -# Set the controller log level - info(default), debug (default "info") -logLevel: - -# The address the metric endpoint binds to. (default ":8080") -metricsBindAddr: "" - -# The TCP port the Webhook server binds to. 
(default 9443) -webhookBindPort: - -# webhookTLS specifies TLS cert/key for the webhook -webhookTLS: - caCert: - cert: - key: - -# array of namespace selectors for the webhook -webhookNamespaceSelectors: - - key: elbv2.k8s.aws/pod-readiness-gate-inject - operator: In - values: - - enabled - -# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade -keepTLSSecret: true - -# Maximum number of concurrently running reconcile loops for service (default 3) -serviceMaxConcurrentReconciles: - -# Maximum number of concurrently running reconcile loops for targetGroupBinding -targetgroupbindingMaxConcurrentReconciles: - -# Maximum duration of exponential backoff for targetGroupBinding reconcile failures -targetgroupbindingMaxExponentialBackoffDelay: - -# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) -syncPeriod: - -# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. 
-watchNamespace: - -# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default -disableIngressClassAnnotation: - -# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default -disableIngressGroupNameAnnotation: - -# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist) -tolerateNonExistentBackendService: - -# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist) -tolerateNonExistentBackendAction: - -# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners -defaultSSLPolicy: - -# Liveness probe configuration for the controller -livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: 61779 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 10 - -# Environment variables to set for aws-load-balancer-controller pod. -# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or -# comparable solutions like kube2iam, kiam etc instead. -env: -# ENV_1: "" -# ENV_2: "" - -# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. -# -# This is required if using a custom CNI where the managed control plane nodes are unable to initiate -# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or -# recommended if using the Amazon VPC CNI plugin. -hostNetwork: false - -# Specifies the dnsPolicy that should be used for pods in the deployment -# -# This may need to be used to be changed given certain conditions. 
For instance, if one uses the cilium CNI -# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` -# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -dnsPolicy: - -# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster -extraVolumeMounts: - - name: aws-iam-token - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount - readOnly: true - -# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. -extraVolumes: - - name: aws-iam-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: sts.amazonaws.com - expirationSeconds: 86400 - path: token - -# defaultTags are the tags to apply to all AWS resources managed by this controller -defaultTags: - default_tag1: value1 - default_tag2: value2 - -# podDisruptionBudget specifies the disruption budget for the controller pods. 
-# Disruption budget will be configured only when the replicaCount is greater than 1 -podDisruptionBudget: - maxUnavailable: 1 - -# externalManagedTags is the list of tag keys on AWS resources that will be managed externally -externalManagedTags: [] - -# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) -enableEndpointSlices: - -# enableBackendSecurityGroup enables shared security group for backend traffic (default true) -enableBackendSecurityGroup: - -# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) -backendSecurityGroup: - -# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic -disableRestrictedSecurityGroupRules: - -# controllerConfig specifies controller configuration -controllerConfig: - # featureGates set of key: value pairs that describe AWS load balance controller features - featureGates: {} - # ServiceTypeLoadBalancerOnly: true - # EndpointsFailOpen: true - -# objectSelector for webhook -objectSelector: - matchExpressions: - # - key: - # operator: - # values: - # - - matchLabels: - # key: value - -serviceMonitor: - # Specifies whether a service monitor should be created - enabled: false - # Labels to add to the service account - additionalLabels: {} - # Prometheus scrape interval - interval: 1m - # Namespace to create the service monitor in - namespace: - -# clusterSecretsPermissions lets you configure RBAC permissions for secret resources -# Access to secrets resource is required only if you use the OIDC feature, and instead of -# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. -# This option is for backwards compatibility only, and will potentially be deprecated in future. -clusterSecretsPermissions: - # allowAllSecrets allows the controller to access all secrets in the cluster. 
- # This is to get backwards compatible behavior, but *NOT* recommended for security reasons - allowAllSecrets: false - -# ingressClassConfig contains configurations specific to the ingress class -ingressClassConfig: - default: false - -# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer -# should deprecate this in favor of serviceMutatorWebhook.enabled -enableServiceMutatorWebhook: true - -# serviceMutatorWebhook contains configurations specific to the service mutator webhook -serviceMutatorWebhookConfig: - # whether or not to fail the service creation if the webhook fails - failurePolicy: Fail - # limit webhook to only mutate services matching the objectSelector - objectSelector: - matchExpressions: [] - # - key: - # operator: - # values: - # - - matchLabels: {} - # key: value - # which operations trigger the webhook - operations: - - CREATE - # - UPDATE diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml deleted file mode 100644 index 1be4b62d2..000000000 --- a/stable/aws-load-balancer-controller/values.yaml +++ /dev/null 
@@ -1,432 +0,0 @@
-# Default values for aws-load-balancer-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 2
-
-revisionHistoryLimit: 10
-
-image:
- repository: public.ecr.aws/eks/aws-load-balancer-controller
- tag: v2.9.0
- pullPolicy: IfNotPresent
-
-runtimeClassName: ""
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-# AWS LBC only has 1 main working pod, other pods are just standby
-# the purpose of enable hpa is to survive load induced failure by the calls to the aws-load-balancer-webhook-service
-# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail
-# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses
-# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 5
- targetCPUUtilizationPercentage: 80
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name:
- # Automount API credentials for a Service Account.
- automountServiceAccountToken: true
- # List of image pull secrets to add to the Service Account.
- imagePullSecrets:
- # - name: docker
-
-rbac:
- # Specifies whether rbac resources should be created
- create: true
-
-podSecurityContext:
- fsGroup: 65534
-
-securityContext:
- # capabilities:
- # drop:
- # - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- allowPrivilegeEscalation: false
-
-# Time period for the controller pod to do a graceful shutdown
-terminationGracePeriodSeconds: 10
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-# priorityClassName specifies the PriorityClass to indicate the importance of controller pods
-# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
-priorityClassName: system-cluster-critical
-
-nodeSelector: {}
-
-tolerations: []
-
-# affinity specifies a custom affinity for the controller pods
-affinity: {}
-
-# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent
-# co-location on the same node. This will get ignored if you specify a custom affinity configuration.
-configureDefaultAffinity: true
-
-# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to
-# control how Pods are spread across your cluster among failure-domains such as regions, zones,
-# nodes, and other user-defined topology domains.
-#
-# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-topologySpreadConstraints: {}
-
-updateStrategy: {}
- # type: RollingUpdate
- # rollingUpdate:
- # maxSurge: 1
- # maxUnavailable: 1
-
-# serviceAnnotations contains annotations to be added to the provisioned webhook service resource
-serviceAnnotations: {}
-
-# deploymentAnnotations contains annotations for the controller deployment
-deploymentAnnotations: {}
-
-podAnnotations: {}
-
-podLabels: {}
-
-# additionalLabels -- Labels to add to each object of the chart.
-additionalLabels: {}
-
-# Enable cert-manager
-enableCertManager: false
-
-# The name of the Kubernetes cluster. A non-empty value is required
-clusterName:
-
-# cluster contains configurations specific to the kubernetes cluster
-cluster:
- # Cluster DNS domain (required for requesting TLS certificates)
- dnsDomain: cluster.local
-
-# The ingress class this controller will satisfy. If not specified, controller will match all
-# ingresses without ingress class annotation and ingresses of type alb
-ingressClass: alb
-
-# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller.
-ingressClassParams:
- create: true
- # The name of ingressClassParams resource will be referred in ingressClass
- name:
- spec: {}
- # Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource.
- # We recommend creating ingressClassParams resources separately after installing this chart and the
- # controller is functional.
- #
- # You can set the specifications in the `helm install` command through `--set` or `--set-string`
- # If you do want to specify in the values.yaml, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'spec:'
- #
- # namespaceSelector:
- # matchLabels:
- # group:
- # scheme:
- # ipAddressType:
- # tags:
- # loadBalancerAttributes:
- # - key:
- # value:
-
-# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller.
-# If specified as true, the IngressClass resource will be created.
-createIngressClassResource: true
-
-# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example.
-region:
-
-# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically
-vpcId:
-
-# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2)
-awsApiEndpoints:
-
-# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst)
-# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}"
-awsApiThrottle:
-
-# Maximum retries for AWS APIs (default 10)
-awsMaxRetries:
-
-# Default target type. Used as the default value of the "alb.ingress.kubernetes.io/target-type" and
-# "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.
-# Possible values are "ip" and "instance"
-# The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI,
-# Calico with encapsulation disabled, or Cilium with masquerading disabled.
-# The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or
-# Cilium with masquerading enabled.
-defaultTargetType: instance
-
-# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true)
-enablePodReadinessGateInject:
-
-# Enable Shield addon for ALB (default true)
-enableShield:
-
-# Enable WAF addon for ALB (default true)
-enableWaf:
-
-# Enable WAF V2 addon for ALB (default true)
-enableWafv2:
-
-# Maximum number of concurrently running reconcile loops for ingress (default 3)
-ingressMaxConcurrentReconciles:
-
-# Set the controller log level - info(default), debug (default "info")
-logLevel:
-
-# The address the metric endpoint binds to. (default ":8080")
-metricsBindAddr: ""
-
-webhookConfig:
- # disableIngressValidation disables the validation of resources of kind Ingress, false by default
- disableIngressValidation:
-
-# The TCP port the Webhook server binds to. (default 9443)
-webhookBindPort:
-
-# webhookTLS specifies TLS cert/key for the webhook
-webhookTLS:
- caCert:
- cert:
- key:
-
-# array of namespace selectors for the pod mutator webhook
-webhookNamespaceSelectors:
-# - key: elbv2.k8s.aws/pod-readiness-gate-inject
-# operator: In
-# values:
-# - enabled
-
-# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
-keepTLSSecret: true
-
-# Maximum number of concurrently running reconcile loops for service (default 3)
-serviceMaxConcurrentReconciles:
-
-# Maximum number of concurrently running reconcile loops for targetGroupBinding
-targetgroupbindingMaxConcurrentReconciles:
-
-# Maximum duration of exponential backoff for targetGroupBinding reconcile failures
-targetgroupbindingMaxExponentialBackoffDelay:
-
-# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s)
-syncPeriod:
-
-# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
-watchNamespace:
-
-# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default
-disableIngressClassAnnotation:
-
-# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
-disableIngressGroupNameAnnotation:
-
-# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist)
-tolerateNonExistentBackendService:
-
-# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist)
-tolerateNonExistentBackendAction:
-
-# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
-defaultSSLPolicy:
-
-# Liveness probe configuration for the controller
-livenessProbe:
- failureThreshold: 2
- httpGet:
- path: /healthz
- port: 61779
- scheme: HTTP
- initialDelaySeconds: 30
- timeoutSeconds: 10
-
-# readiness probe configuration for the controller
-readinessProbe:
- failureThreshold: 2
- httpGet:
- path: /readyz
- port: 61779
- scheme: HTTP
- successThreshold: 1
- initialDelaySeconds: 10
- timeoutSeconds: 10
-
-# Environment variables to set for aws-load-balancer-controller pod.
-# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or
-# comparable solutions like kube2iam, kiam etc instead.
-env:
- # ENV_1: ""
- # ENV_2: ""
-
-# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does.
-# envSecretName: aws-secret
-
-# Use envFrom to set environment variables from a Secret or ConfigMap
-# envFrom:
-# - secretRef:
-# name: my-secret
-
-# Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
-# This is required if using a custom CNI where the managed control plane nodes are unable to initiate
-# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or
-# recommended if using the Amazon VPC CNI plugin.
-hostNetwork: false
-
-# Specifies the dnsPolicy that should be used for pods in the deployment
-#
-# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI
-# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy`
-# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
-dnsPolicy:
-
-# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster
-extraVolumeMounts:
- # - name: aws-iam-token
- # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
- # readOnly: true
-
-# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example.
-extraVolumes:
- # - name: aws-iam-token
- # projected:
- # defaultMode: 420
- # sources:
- # - serviceAccountToken:
- # audience: sts.amazonaws.com
- # expirationSeconds: 86400
- # path: token
-
-# defaultTags are the tags to apply to all AWS resources managed by this controller
-defaultTags: {}
- # default_tag1: value1
- # default_tag2: value2
-
-# podDisruptionBudget specifies the disruption budget for the controller pods.
-# Disruption budget will be configured only when the replicaCount is greater than 1
-podDisruptionBudget: {}
-# maxUnavailable: 1
-
-# externalManagedTags is the list of tag keys on AWS resources that will be managed externally
-externalManagedTags: []
-
-# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
-enableEndpointSlices:
-
-# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
-enableBackendSecurityGroup:
-
-# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
-backendSecurityGroup:
-
-# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
-disableRestrictedSecurityGroupRules:
-
-# controllerConfig specifies controller configuration
-controllerConfig:
- # featureGates set of key: value pairs that describe AWS load balance controller features
- featureGates: {}
- # ListenerRulesTagging: true
- # WeightedTargetGroups: true
- # ServiceTypeLoadBalancerOnly: false
- # EndpointsFailOpen: true
- # EnableServiceController: true
- # EnableIPTargetType: true
- # SubnetsClusterTagCheck: true
- # NLBHealthCheckAdvancedConfig: true
- # ALBSingleSubnet: false
-
-certDiscovery:
- allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope
-
-# objectSelector for webhook
-objectSelector:
- matchExpressions:
- # - key:
- # operator:
- # values:
- # -
- matchLabels:
- # key: value
-
-serviceMonitor:
- # Specifies whether a service monitor should be created
- enabled: false
- # Namespace to create the service monitor in
- namespace:
- # Labels to add to the service monitor
- additionalLabels: {}
- # Prometheus scrape interval
- interval: 1m
- # Prometheus scrape timeout
- scrapeTimeout:
- # Relabelings to apply to samples before ingestion
- relabelings:
- # Metric relabelings to apply to samples before ingestion
- metricRelabelings:
-
-# clusterSecretsPermissions lets you configure RBAC permissions for secret resources
-# Access to secrets resource is required only if you use the OIDC feature, and instead of
-# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
-# This option is for backwards compatibility only, and will potentially be deprecated in future.
-clusterSecretsPermissions:
- # allowAllSecrets allows the controller to access all secrets in the cluster.
- # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
- allowAllSecrets: false
-
-# ingressClassConfig contains configurations specific to the ingress class
-ingressClassConfig:
- default: false
-
-# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
-enableServiceMutatorWebhook: true
-
-# serviceMutatorWebhook contains configurations specific to the service mutator webhook
-serviceMutatorWebhookConfig:
- # whether or not to fail the service creation if the webhook fails
- failurePolicy: Fail
- # limit webhook to only mutate services matching the objectSelector
- objectSelector:
- matchExpressions: []
- # - key:
- # operator:
- # values:
- # -
- matchLabels: {}
- # key: value
- # which operations trigger the webhook
- operations:
- - CREATE
- # - UPDATE
-
-# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
-serviceTargetENISGTags:
-
-# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb)
-loadBalancerClass:
-
-# creator will disable helm default labels, so you can only add yours
-# creator: "me"