From b733201628fe709d4495eb45f92e114c027ad7f5 Mon Sep 17 00:00:00 2001 From: Joseph Chen <76720045+jchen6585@users.noreply.github.com> Date: Thu, 25 Jan 2024 07:34:37 -0800 Subject: [PATCH 01/19] v1.16.2 chart release for VPC CNI (#1052) Co-authored-by: Joseph Chen --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 4 ++-- stable/aws-vpc-cni/values.yaml | 6 +++--- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 2 +- stable/cni-metrics-helper/values.yaml | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index aec987a8b..c9f3bac81 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.16.0 -appVersion: "v1.16.0" +version: 1.16.2 +appVersion: "v1.16.2" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index 3ef9a6ddd..ebb47757c 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md @@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.16.0` | +| `image.tag` | Image tag | `v1.16.2` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | 
@@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.16.0` | +| `init.image.tag` | Image tag | `v1.16.2` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index 94f382430..e16c97fc9 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.16.0 + tag: v1.16.2 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.16.0 + tag: v1.16.2 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -83,7 +83,7 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.16.0" + VPC_CNI_VERSION: "v1.16.2" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index c00398d48..53b6dfa61 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.16.0 -appVersion: v1.16.0 +version: 1.16.2 +appVersion: v1.16.2 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s 
diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index b79d9c3e0..8b062ece2 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md @@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.16.0 | +| image.tag | Image tag | v1.16.2 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index 644b2d94e..1de08b33b 100644 --- a/stable/cni-metrics-helper/values.yaml +++ b/stable/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.16.0 + tag: v1.16.2 account: "602401143452" domain: "amazonaws.com" # Set to use custom image From 941aba5a3ae3a8b2548182cd3ef648146f3c6b31 Mon Sep 17 00:00:00 2001 
From: Shraddha Bang <18206078+shraddhabang@users.noreply.github.com> Date: Thu, 1 Feb 2024 10:49:28 -0800 Subject: [PATCH 02/19] aws load balancer controller v2.7.0 (#1054) * aws-load-balancer-controller: v2.7.0 * removing bak files --------- Co-authored-by: eks-bot --- .../aws-load-balancer-controller/Chart.yaml | 4 +-- stable/aws-load-balancer-controller/README.md | 4 +++ .../templates/deployment.yaml | 23 ++++++++++++- .../templates/hpa.yaml | 34 +++++++++++++++++++ stable/aws-load-balancer-controller/test.yaml | 6 ++-- .../aws-load-balancer-controller/values.yaml | 29 ++++++++++++++-- 6 files changed, 91 insertions(+), 9 deletions(-) create mode 100644 stable/aws-load-balancer-controller/templates/hpa.yaml diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml index 8816d9062..e16be6bf6 100644 --- a/stable/aws-load-balancer-controller/Chart.yaml +++ b/stable/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.6.2 -appVersion: v2.6.2 +version: 1.7.0 +appVersion: v2.7.0 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md index 452408528..dbb5aaf04 100644 --- a/stable/aws-load-balancer-controller/README.md +++ b/stable/aws-load-balancer-controller/README.md 
@@ -233,16 +233,20 @@ The default values set by the application itself can be confirmed [here](https:/ | `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | | `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | | `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | +| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | +| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | | `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | | `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | | `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | | `env` | Environment variables to set for aws-load-balancer-controller pod | None | +| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | | `hostNetwork` | If `true`, use hostNetwork | `false` | | `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | | `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | | `extraVolumes` | Extra volumes for the pod | `[]` | | `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | | `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | +| `revisionHistoryLimit` | Number of revisions to keep | `10` | | `podDisruptionBudget` | Limit the disruption for controller pods. 
Require at least 2 controller replicas and 3 worker nodes | `{}` | | `updateStrategy` | Defines the update strategy for the deployment | `{}` | | `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml index 7030dd923..3984bf450 100644 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ b/stable/aws-load-balancer-controller/templates/deployment.yaml @@ -11,6 +11,7 @@ metadata: {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: matchLabels: {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }} @@ -155,13 +156,29 @@ spec: {{- if ne .Values.defaultTargetType "instance" }} - --default-target-type={{ .Values.defaultTargetType }} {{- end }} - {{- if .Values.env }} + {{- if or .Values.env .Values.envSecretName }} env: + {{- if .Values.env}} {{- range $key, $value := .Values.env }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} + {{- if .Values.envSecretName }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Values.envSecretName }} + key: key_id + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.envSecretName }} + key: access_key + optional: true + {{- end }} + {{- end }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 
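Review bot: The two `secretKeyRef` entries added for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` carry `optional: true`, so a misspelled `envSecretName` or a secret lacking the `key_id`/`access_key` keys does not fail the pod; the controller starts without those variables and presumably falls back to whatever credentials the node or IRSA provides, which is hard to notice from the rendered manifest. Since the operator explicitly opted in by setting `envSecretName`, `optional: false` (the default) is the safer choice, because a missing secret then surfaces as `CreateContainerConfigError` instead of a silent credential fallback. Separately, `{{- if .Values.env}}` lacks the space before `}}` that the surrounding actions use. The container spec continues outside the hunk.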
@@ -186,6 +203,10 @@ spec: livenessProbe: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 10 }} + {{- end }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/stable/aws-load-balancer-controller/templates/hpa.yaml b/stable/aws-load-balancer-controller/templates/hpa.yaml new file mode 100644 index 000000000..2ce96ef42 --- /dev/null +++ b/stable/aws-load-balancer-controller/templates/hpa.yaml @@ -0,0 +1,34 @@ +{{- if .Values.autoscaling.enabled }} +{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "aws-load-balancer-controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "aws-load-balancer-controller.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "aws-load-balancer-controller.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ required "A valid .Values.autoscaling.maxReplicas value is required" .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index 88e00fd91..5753f1210 100644 --- a/stable/aws-load-balancer-controller/test.yaml 
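Review bot: With `autoscaling.enabled` the HPA owns the Deployment's replica count, but `replicas: {{ .Values.replicaCount }}` in `templates/deployment.yaml` (context in this commit's first deployment.yaml hunk) is still rendered unconditionally, so every `helm upgrade` resets the scale to `replicaCount` before the HPA scales it back. The usual guard is `{{- if not .Values.autoscaling.enabled }}` / `replicas: {{ .Values.replicaCount }}` / `{{- end }}`. In the new file, `{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}` is missing the space before `}}`, and `.Capabilities.KubeVersion.Version` is the field Helm 3 documents for this check (`GitVersion` is, if I recall the chartutil docs correctly, only kept for compatibility). `maxReplicas` is wrapped in `required` while `minReplicas` is not, and the file ends without a trailing newline.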
+++ b/stable/aws-load-balancer-controller/test.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.2 + tag: v2.7.0 pullPolicy: IfNotPresent imagePullSecrets: [] @@ -209,10 +209,10 @@ disableIngressClassAnnotation: # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default disableIngressGroupNameAnnotation: -# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default +# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist) tolerateNonExistentBackendService: -# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default +# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist) tolerateNonExistentBackendAction: # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 755450b46..4145743b7 100644 --- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -4,15 +4,23 @@ replicaCount: 2 +revisionHistoryLimit: 10 + image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.2 + tag: v2.7.0 pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + serviceAccount: # Specifies whether a service account should be created create: true 
@@ -227,10 +235,10 @@ disableIngressClassAnnotation: # disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default disableIngressGroupNameAnnotation: -# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default +# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (When enabled, it will return 503 error if backend service not exist) tolerateNonExistentBackendService: -# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default +# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (When enabled, it will return 503 error if backend action not exist) tolerateNonExistentBackendAction: # defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners @@ -246,6 +254,17 @@ livenessProbe: initialDelaySeconds: 30 timeoutSeconds: 10 +# readiness probe configuration for the controller +readinessProbe: + failureThreshold: 2 + httpGet: + path: /readyz + port: 61779 + scheme: HTTP + successThreshold: 1 + initialDelaySeconds: 10 + timeoutSeconds: 10 + # Environment variables to set for aws-load-balancer-controller pod. # We strongly discourage programming access credentials in the controller environment. You should setup IRSA or # comparable solutions like kube2iam, kiam etc instead. @@ -253,6 +272,9 @@ env: # ENV_1: "" # ENV_2: "" +# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does. +# envSecretName: aws-secret + # Specifies if aws-load-balancer-controller should be started in hostNetwork mode. # # This is required if using a custom CNI where the managed control plane nodes are unable to initiate 
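Review bot: The new `# envSecretName: aws-secret` example sits directly under the existing comment that strongly discourages static access credentials in the controller environment, yet says nothing about that trade-off or about what the secret must contain. I would extend it to `# Use credentials from a Secret (keys: key_id, access_key) as environment variables; prefer IRSA and use this only where IRSA is unavailable.`, and mention that the template references the secret with `optional: true`, so a missing or misnamed secret does not fail the pod. The surrounding commentary continues outside the hunk.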
@@ -321,6 +343,7 @@ controllerConfig: # EnableIPTargetType: true # SubnetsClusterTagCheck: true # NLBHealthCheckAdvancedConfig: true + # ALBSingleSubnet: false # objectSelector for webhook objectSelector: From 699a124160e67be844ee8134104dc54e9bed64dc Mon Sep 17 00:00:00 2001 From: MRT <124278662+tvignoli@users.noreply.github.com> Date: Wed, 7 Feb 2024 23:46:26 +0100 Subject: [PATCH 03/19] aws-cloudwatch-metrics: Add container insights with enhanced observability (#1041) * aws-cloudwatch-metrics: Add enhanced_container_insights * aws-cloudwatch-metrics: Update image tag versioning to latest available * aws-cloudwatch-metrics: Update chart tag * aws-cloudwatch-metrics: Readme modified * extended ClusterRole permissions --------- Co-authored-by: nx1thovignol --- stable/aws-cloudwatch-metrics/Chart.yaml | 4 ++-- stable/aws-cloudwatch-metrics/README.md | 1 + stable/aws-cloudwatch-metrics/templates/clusterrole.yaml | 2 +- stable/aws-cloudwatch-metrics/templates/configmap.yaml | 1 + stable/aws-cloudwatch-metrics/values.yaml | 5 ++++- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/stable/aws-cloudwatch-metrics/Chart.yaml b/stable/aws-cloudwatch-metrics/Chart.yaml index ab789f2a2..87025d9af 100644 --- a/stable/aws-cloudwatch-metrics/Chart.yaml +++ b/stable/aws-cloudwatch-metrics/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: aws-cloudwatch-metrics description: A Helm chart to deploy aws-cloudwatch-metrics project -version: 0.0.9 -appVersion: "1.247350" +version: 0.0.10 +appVersion: "1.300032.2b361" home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-cloudwatch-metrics/README.md b/stable/aws-cloudwatch-metrics/README.md index 68550c315..ff0ea14b3 100755 --- a/stable/aws-cloudwatch-metrics/README.md +++ b/stable/aws-cloudwatch-metrics/README.md 
@@ -26,6 +26,7 @@ helm upgrade --install aws-cloudwatch-metrics \ | `image.tag` | Image tag to deploy | `1.247345.36b249270` | `image.pullPolicy` | Pull policy for the image | `IfNotPresent` | ✔ | `clusterName` | Name of your cluster | `cluster_name` | ✔ +| `enhancedContainerInsights` | EKS cluster with enhanced monitoring | `true` | | `serviceAccount.create` | Whether a new service account should be created | `true` | | `serviceAccount.name` | Service account to be used | | | `hostNetwork` | Allow to use the network namespace and network resources of the node | `false` | diff --git a/stable/aws-cloudwatch-metrics/templates/clusterrole.yaml b/stable/aws-cloudwatch-metrics/templates/clusterrole.yaml index 95ead1732..be3a6ef51 100755 --- a/stable/aws-cloudwatch-metrics/templates/clusterrole.yaml +++ b/stable/aws-cloudwatch-metrics/templates/clusterrole.yaml @@ -7,7 +7,7 @@ rules: resources: ["pods", "nodes", "endpoints"] verbs: ["list", "watch"] - apiGroups: ["apps"] - resources: ["replicasets"] + resources: ["replicasets", "daemonsets", "deployments", "statefulsets"] verbs: ["list", "watch"] - apiGroups: ["batch"] resources: ["jobs"] diff --git a/stable/aws-cloudwatch-metrics/templates/configmap.yaml b/stable/aws-cloudwatch-metrics/templates/configmap.yaml index bf7b6d64c..d21056cfc 100755 --- a/stable/aws-cloudwatch-metrics/templates/configmap.yaml +++ b/stable/aws-cloudwatch-metrics/templates/configmap.yaml @@ -11,6 +11,7 @@ data: "metrics_collected": { "kubernetes": { "cluster_name": "{{ .Values.clusterName }}", + "enhanced_container_insights": "{{ .Values.enhancedContainerInsights.enabled }}", "metrics_collection_interval": 60 } }, diff --git a/stable/aws-cloudwatch-metrics/values.yaml b/stable/aws-cloudwatch-metrics/values.yaml index ad58cd193..0967bb132 100644 --- a/stable/aws-cloudwatch-metrics/values.yaml +++ b/stable/aws-cloudwatch-metrics/values.yaml 
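Review bot: The widened `resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]` rule is granted unconditionally, although the commit introduces it for `enhancedContainerInsights`, which `values.yaml` allows turning off. Gating the extra resources on the value keeps the agent at least privilege when the feature is disabled, e.g. `{{- if .Values.enhancedContainerInsights.enabled }}` around a second `apps` rule for `daemonsets`, `deployments` and `statefulsets`, leaving the existing `replicasets` rule unchanged. A one-line comment on the rule naming the feature that needs workload read access would also help reviewers of later widenings. The rest of the ClusterRole is outside the hunk.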
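Review bot: `"enhanced_container_insights": "{{ .Values.enhancedContainerInsights.enabled }}"` renders the flag as the JSON string `"true"`/`"false"` rather than a boolean, while the neighbouring `"metrics_collection_interval": 60` is emitted as a bare number; if the agent's configuration schema types this field as a boolean, the quoted form is either rejected or, worse, a string `"false"` may be treated as truthy. Rendering it unquoted, `"enhanced_container_insights": {{ .Values.enhancedContainerInsights.enabled }},`, keeps the type the values file declares. The README row added in this commit also documents the parameter as `enhancedContainerInsights` while the template reads `enhancedContainerInsights.enabled`.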
@@ -1,10 +1,13 @@ image: repository: amazon/cloudwatch-agent - tag: 1.247350.0b251780 + tag: 1.300032.2b361 pullPolicy: IfNotPresent clusterName: cluster_name +enhancedContainerInsights: + enabled: true + resources: limits: cpu: 200m From 8fc76663ef7448c565092440212ac6ae484646bf Mon Sep 17 00:00:00 2001 From: M00nF1sh Date: Fri, 9 Feb 2024 11:02:06 -0800 Subject: [PATCH 04/19] =?UTF-8?q?=F0=9F=A5=B3=20aws-load-balancer-controll?= =?UTF-8?q?er=20v2.7.1=20Automated=20Release!=20=F0=9F=A5=91=20(#1061)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * aws-load-balancer-controller: v2.7.1 * Delete stable/aws-load-balancer-controller/Chart.yaml.bak * Delete stable/aws-load-balancer-controller/test.yaml.bak * Delete stable/aws-load-balancer-controller/values.yaml.bak --------- Co-authored-by: eks-bot --- stable/aws-load-balancer-controller/Chart.yaml | 4 ++-- stable/aws-load-balancer-controller/README.md | 5 +++++ .../templates/deployment.yaml | 3 +++ stable/aws-load-balancer-controller/test.yaml | 2 +- stable/aws-load-balancer-controller/values.yaml | 10 +++++++++- 5 files changed, 20 insertions(+), 4 deletions(-) diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml index e16be6bf6..2e2d591a0 100644 --- a/stable/aws-load-balancer-controller/Chart.yaml +++ b/stable/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.7.0 -appVersion: v2.7.0 +version: 1.7.1 +appVersion: v2.7.1 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md index dbb5aaf04..5dd580324 100644 --- a/stable/aws-load-balancer-controller/README.md +++ b/stable/aws-load-balancer-controller/README.md 
@@ -96,8 +96,11 @@ If you are setting `serviceMonitor.enabled: true` you need to have installed the ## Installing the Chart **Note**: You need to uninstall aws-alb-ingress-controller. Please refer to the [upgrade](#Upgrade) section below before you proceed. + **Note**: Starting chart version 1.4.1, you need to explicitly set `clusterSecretsPermissions.allowAllSecrets` to true to grant the controller permission to access all secrets for OIDC feature. We recommend configuring access to individual secrets resource separately [[link](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/examples/secrets_access/)]. +**Note**: To ensure compatibility, we recommend installing the AWS Load Balancer controller image version with its compatible Helm chart version. Use the ```helm search repo eks/aws-load-balancer-controller --versions``` command to find the compatible versions. + Add the EKS repository to Helm: ```shell script helm repo add eks https://aws.github.io/eks-charts 
@@ -264,3 +267,5 @@ The default values set by the application itself can be confirmed [here](https:/ | `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | | `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | | `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | +| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` | +| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None | diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml index 3984bf450..c1bed7b86 100644 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ b/stable/aws-load-balancer-controller/templates/deployment.yaml @@ -156,6 +156,9 @@ spec: {{- if ne .Values.defaultTargetType "instance" }} - --default-target-type={{ .Values.defaultTargetType }} {{- end }} + {{- if .Values.serviceTargetENISGTags }} + - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }} + {{- end }} {{- if or .Values.env .Values.envSecretName }} env: {{- if .Values.env}} diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index 5753f1210..94567edaa 100644 --- a/stable/aws-load-balancer-controller/test.yaml +++ b/stable/aws-load-balancer-controller/test.yaml 
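Review bot: `- --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }}` interpolates the value into a plain YAML scalar, so a tag value containing `: ` or ` #` would make the rendered manifest fail to parse, and an accidental map value would render as Go syntax. Quoting the whole argument, `- {{ printf "--service-target-eni-security-group-tags=%s" .Values.serviceTargetENISGTags | quote }}`, avoids that; the same applies to the `--default-target-type` line above it, which this commit does not touch. The args list continues outside the hunk.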
@@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.0 + tag: v2.7.1 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 4145743b7..91f0cab61 100644 --- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -8,13 +8,18 @@ revisionHistoryLimit: 10 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.0 + tag: v2.7.1 pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +# AWS LBC only has 1 main working pod, other pods are just standby +# the purpose of enable hpa is to survive load induced failure by the calls to the aws-load-balancer-webhook-service +# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail +# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses +# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node autoscaling: enabled: false minReplicas: 1 @@ -380,3 +385,6 @@ ingressClassConfig: # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer enableServiceMutatorWebhook: true + +# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs. +serviceTargetENISGTags: From 439b59cf4d3ba114652456905e1ceaa2c856ea36 Mon Sep 17 00:00:00 2001 
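Review bot: `serviceTargetENISGTags:` is added as a bare key, which parses as `null`, and its comment does not show the expected syntax; the README row in this commit describes it as `key=value` pairs. Adding an example such as `# serviceTargetENISGTags: "Name=my-target-sg,Env=prod"` (constructed sample) and quoting the value would spare users a guess and keep YAML from retyping tag values that look like numbers or booleans. The enclosing values file continues outside the hunk.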
From: Zach Dorame-Barajas <43703863+zachdorame@users.noreply.github.com> Date: Tue, 13 Feb 2024 13:30:53 -0800 Subject: [PATCH 05/19] updated EFA version and refreshed supported instances list (#1056) Co-authored-by: Zach Dorame-Barajas --- stable/aws-efa-k8s-device-plugin/Chart.yaml | 4 +- stable/aws-efa-k8s-device-plugin/README.md | 2 +- stable/aws-efa-k8s-device-plugin/values.yaml | 112 ++++++++++--------- 3 files changed, 62 insertions(+), 56 deletions(-) diff --git a/stable/aws-efa-k8s-device-plugin/Chart.yaml b/stable/aws-efa-k8s-device-plugin/Chart.yaml index fa37ec8f0..c040ec032 100644 --- a/stable/aws-efa-k8s-device-plugin/Chart.yaml +++ b/stable/aws-efa-k8s-device-plugin/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: aws-efa-k8s-device-plugin description: A Helm chart for EFA device plugin. -version: v0.4.2 -appVersion: "v0.4.2" +version: v0.4.4 +appVersion: "v0.4.4" home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-efa-k8s-device-plugin/README.md b/stable/aws-efa-k8s-device-plugin/README.md index 04923069e..39229dbc7 100644 --- a/stable/aws-efa-k8s-device-plugin/README.md +++ b/stable/aws-efa-k8s-device-plugin/README.md @@ -22,7 +22,7 @@ helm install efa ./aws-efa-k8s-device-plugin -n kube-system Paramter | Description | Default --- | --- | --- `image.repository` | EFA image repository | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin` -`image.tag` | EFA image tag | `v0.4.2` +`image.tag` | EFA image tag | `v0.4.4` `securityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privilege than its parent process | `false` `securityContext` | EFA plugin security context | `capabilities: drop: ["ALL"] runAsNonRoot: false` `supportedInstanceLabels.keys` | Kubernetes key to interpret as instance type | `nodes.kubernetes.io/instance-type` 
diff --git a/stable/aws-efa-k8s-device-plugin/values.yaml b/stable/aws-efa-k8s-device-plugin/values.yaml index c8e36190c..5691a9771 100644 --- a/stable/aws-efa-k8s-device-plugin/values.yaml +++ b/stable/aws-efa-k8s-device-plugin/values.yaml @@ -1,7 +1,7 @@ image: repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin # Overrides the image tag whose default is the chart appVersion. - tag: "v0.4.2" + tag: "v0.4.4" securityContext: allowPrivilegeEscalation: false capabilities: @@ -11,49 +11,6 @@ supportedInstanceLabels: # EFA supported instances: https://docs.aws.amazon.com/ keys: - "node.kubernetes.io/instance-type" values: - - c5n.18xlarge - - c5n.9xlarge - - c5n.metal - - c6a.48xlarge - - c6a.metal - - c6gn.16xlarge - - c6i.32xlarge - - c6i.metal - - c6id.32xlarge - - c6id.metal - - c6in.32xlarge - - c6in.metal - - c7a.48xlarge - - c7a.metal-48xl - - c7g.16xlarge - - c7g.metal - - c7gd.16xlarge - - c7gn.16xlarge - - c7i.48xlarge - - c7i.metal-48xl - - dl1.24xlarge - - dl2q.24xlarge - - g4dn.12xlarge - - g4dn.16xlarge - - g4dn.8xlarge - - g4dn.metal - - g5.12xlarge - - g5.16xlarge - - g5.24xlarge - - g5.48xlarge - - g5.8xlarge - - hpc6a.48xlarge - - hpc7g.16xlarge - - hpc7g.8xlarge - - hpc7g.4xlarge - - i3en.12xlarge - - i3en.24xlarge - - i3en.metal - - i4g.16xlarge - - i4i.32xlarge - - i4i.metal - - im4gn.16xlarge - - inf1.24xlarge - m5dn.24xlarge - m5dn.metal - m5n.24xlarge 
@@ -77,9 +34,26 @@ supportedInstanceLabels: # EFA supported instances: https://docs.aws.amazon.com/ - m7gd.16xlarge - m7i.48xlarge - m7i.metal-48xl - - p3dn.24xlarge - - p4d.24xlarge - - p5.48xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5n.metal + - c6a.48xlarge + - c6a.metal + - c6gn.16xlarge + - c6i.32xlarge + - c6i.metal + - c6id.32xlarge + - c6id.metal + - c6in.32xlarge + - c6in.metal + - c7a.48xlarge + - c7a.metal-48xl + - c7g.16xlarge + - c7g.metal + - c7gd.16xlarge + - c7gn.16xlarge + - c7i.48xlarge + - c7i.metal-48xl - r5dn.24xlarge - r5dn.metal - r5n.24xlarge @@ -88,12 +62,12 @@ supportedInstanceLabels: # EFA supported instances: https://docs.aws.amazon.com/ - r6a.metal - r6i.32xlarge - r6i.metal - - r6id.32xlarge - - r6id.metal - r6idn.32xlarge - r6idn.metal - r6in.32xlarge - r6in.metal + - r6id.32xlarge + - r6id.metal - r7a.48xlarge - r7a.metal-48xl - r7g.16xlarge 
@@ -103,15 +77,47 @@ supportedInstanceLabels: # EFA supported instances: https://docs.aws.amazon.com/ - r7i.metal-48xl - r7iz.32xlarge - r7iz.metal-32xl - - trn1.32xlarge - - trn1n.32xlarge - - vt1.24xlarge - x2idn.32xlarge - x2idn.metal - x2iedn.32xlarge - x2iedn.metal - x2iezn.12xlarge - - x2iezn.metal + - x2iezn.metal + - i3en.12xlarge + - i3en.24xlarge + - i3en.metal + - i4g.16xlarge + - i4i.32xlarge + - i4i.metal + - im4gn.16xlarge + - dl1.24xlarge + - dl2q.24xlarge + - g4dn.8xlarge + - g4dn.12xlarge + - g4dn.16xlarge + - g4dn.metal + - g5.8xlarge + - g5.12xlarge + - g5.16xlarge + - g5.24xlarge + - g5.48xlarge + - inf1.24xlarge + - p3dn.24xlarge + - p4d.24xlarge + - p4de.24xlarge + - p5.48xlarge + - trn1.32xlarge + - trn1n.32xlarge + - vt1.24xlarge + - hpc6a.48xlarge + - hpc6id.32xlarge + - hpc7a.12xlarge + - hpc7a.24xlarge + - hpc7a.48xlarge + - hpc7a.96xlarge + - hpc7g.4xlarge + - hpc7g.8xlarge + - hpc7g.16xlarge resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From b8f67dee47be617e4b78e4483f10947e4f97dea8 Mon Sep 17 00:00:00 2001 From: Jeffrey Nelson Date: Tue, 20 Feb 2024 11:32:30 -0600 Subject: [PATCH 06/19] Update aws-vpc-cni and cni-metrics-helper charts for v1.16.3 release (#1067) --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 11 ++++++++--- stable/aws-vpc-cni/values.yaml | 8 ++++---- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 3 ++- stable/cni-metrics-helper/templates/deployment.yaml | 6 ++++++ stable/cni-metrics-helper/values.yaml | 4 +++- 7 files changed, 27 insertions(+), 13 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index c9f3bac81..7b51a4852 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml 
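Review bot: The `supportedInstanceLabels.values` list is reordered from alphabetical into family groups (`c5n`…`c7i` moved after `m7i`, the `i*`, `g*`, `p*`, `trn*` and `hpc*` families moved to the end), which turns a handful of real additions (`p4de.24xlarge`, `hpc6id.32xlarge`, the `hpc7a` sizes) into a roughly hundred-line diff across this file's three hunks and makes future additions harder to review. `x2iezn.metal` is removed and re-added with identical text, which suggests a whitespace-only change on that line worth checking with `git diff -w`. Keeping the list sorted, with a `# keep sorted` comment above it, would keep later diffs minimal. The list starts in the earlier hunks of this file.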
@@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.16.2 -appVersion: "v1.16.2" +version: 1.16.3 +appVersion: "v1.16.3" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index ebb47757c..c2e7b5fbd 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md @@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.16.2` | +| `image.tag` | Image tag | `v1.16.3` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.16.2` | +| `init.image.tag` | Image tag | `v1.16.3` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | 
@@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d | `originalMatchLabels` | Use the original daemonset matchLabels | `false` | | `nameOverride` | Override the name of the chart | `aws-node` | | `nodeAgent.enabled` | If the Node Agent container should be created | `true` | -| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.0.7` | +| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.0.8` | | `nodeAgent.image.domain`| ECR repository domain | `amazonaws.com` | | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2` | | `nodeAgent.image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -122,6 +122,11 @@ for kind in daemonSet clusterRole clusterRoleBinding serviceAccount; do kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-namespace=kube-system kubectl -n kube-system label --overwrite $kind aws-node app.kubernetes.io/managed-by=Helm done + +kubectl -n kube-system annotate --overwrite configmap amazon-vpc-cni meta.helm.sh/release-name=YOUR_HELM_RELEASE_NAME_HERE +kubectl -n kube-system annotate --overwrite configmap amazon-vpc-cni meta.helm.sh/release-namespace=kube-system +kubectl -n kube-system label --overwrite configmap amazon-vpc-cni app.kubernetes.io/managed-by=Helm + ``` ## Migrate from Helm v2 to Helm v3 diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index e16c97fc9..df0f5211d 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.16.2 + tag: v1.16.3 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -27,7 +27,7 @@ init: nodeAgent: enabled: true image: - tag: v1.0.7 + tag: v1.0.8 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.16.2 + tag: v1.16.3 domain: amazonaws.com region: us-west-2 endpoint: ecr 
@@ -83,7 +83,7 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.16.2" + VPC_CNI_VERSION: "v1.16.3" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index 53b6dfa61..5cc33b4bb 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.16.2 -appVersion: v1.16.2 +version: 1.16.3 +appVersion: v1.16.3 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index 8b062ece2..54c7b111b 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md @@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.16.2 | +| image.tag | Image tag | v1.16.3 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | 
@@ -59,6 +59,7 @@ The following table lists the configurable parameters for this chart and their d | serviceAccount.name | The name of the ServiceAccount to use | nil | | serviceAccount.create | Specifies whether a ServiceAccount should be created | true | | serviceAccount.annotations | Specifies the annotations for ServiceAccount | {} | +| podAnnotations | Specifies the annotations for pods | {} | | revisionHistoryLimit | The number of revisions to keep | 10 | | podSecurityContext | SecurityContext to set on the pod | {} | | containerSecurityContext | SecurityContext to set on the container | {} | diff --git a/stable/cni-metrics-helper/templates/deployment.yaml b/stable/cni-metrics-helper/templates/deployment.yaml index 70f75d4e2..adadf2bf7 100644 --- a/stable/cni-metrics-helper/templates/deployment.yaml +++ b/stable/cni-metrics-helper/templates/deployment.yaml @@ -12,6 +12,12 @@ spec: k8s-app: cni-metrics-helper template: metadata: + {{- if .Values.podAnnotations }} + annotations: + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} labels: k8s-app: cni-metrics-helper spec: diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index 1de08b33b..5fcaa195a 100644 --- a/stable/cni-metrics-helper/values.yaml +++ b/stable/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.16.2 + tag: v1.16.3 account: "602401143452" domain: "amazonaws.com" # Set to use custom image @@ -34,3 +34,5 @@ revisionHistoryLimit: 10 podSecurityContext: {} containerSecurityContext: {} + +podAnnotations: {} From dde57207fd2c76a21061df8c1cbeb2d0c43762b4 Mon Sep 17 00:00:00 2001 
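Review bot: The `range` over `.Values.podAnnotations` in the `template.metadata` block of `deployment.yaml` emits `{{ $key }}` unquoted and only quotes the value, so the key's YAML safety depends on the user's input, and the rendered indentation of the `annotations:` line cannot be checked from the collapsed hunk. The usual Helm idiom renders the whole map with `toYaml`, which quotes and indents in one place and pairs naturally with the `podAnnotations: {}` default added to `values.yaml`; the indent value below assumes `metadata` sits at four spaces under `template`, so confirm with `helm template` that `annotations` lands under `metadata`.
```yaml
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: labels block …
```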
From: Jeffrey Nelson Date: Mon, 4 Mar 2024 13:17:19 -0600 Subject: [PATCH 07/19] Update aws-vpc-cni and cni-metrics-helper charts for v1.16.4 release (#1071) --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 14 ++++++++------ stable/aws-vpc-cni/values.yaml | 6 +++--- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 2 +- stable/cni-metrics-helper/values.yaml | 2 +- 6 files changed, 17 insertions(+), 15 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index 7b51a4852..2fc6860d5 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.16.3 -appVersion: "v1.16.3" +version: 1.16.4 +appVersion: "v1.16.4" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index c2e7b5fbd..52d071635 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md @@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.16.3` | +| `image.tag` | Image tag | `v1.16.4` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | 
@@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.16.3` | +| `init.image.tag` | Image tag | `v1.16.4` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -108,9 +108,8 @@ $ helm install aws-vpc-cni --namespace kube-system eks/aws-vpc-cni --values valu ## Adopting the existing aws-node resources in an EKS cluster -If you do not want to delete the existing aws-node resources in your cluster that run the aws-vpc-cni and then install this helm chart, you can adopt the resources into a release instead. Refer to the script below to import existing resources into helm. Once you have annotated and labeled all the resources this chart specifies, enable the `originalMatchLabels` flag. If you have been careful this should not diff and leave all the resources unmodified and now under management of helm. +If you do not want to delete the existing aws-node resources in your cluster that run the aws-vpc-cni and then install this helm chart, you can adopt the resources into a release instead. Refer to the script below to import existing resources into helm. Once you have annotated and labeled all the resources this chart specifies, enable the `originalMatchLabels` flag. If you have been careful, this should not diff and leave all the resources unmodified and now under management of helm. -WARNING: Substitute YOUR_HELM_RELEASE_NAME_HERE with the name of your helm release. ``` #!/usr/bin/env bash 
@@ -118,15 +117,18 @@ set -euo pipefail for kind in daemonSet clusterRole clusterRoleBinding serviceAccount; do echo "setting annotations and labels on $kind/aws-node" - kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-name=YOUR_HELM_RELEASE_NAME_HERE + kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-name=aws-vpc-cni kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-namespace=kube-system kubectl -n kube-system label --overwrite $kind aws-node app.kubernetes.io/managed-by=Helm done -kubectl -n kube-system annotate --overwrite configmap amazon-vpc-cni meta.helm.sh/release-name=YOUR_HELM_RELEASE_NAME_HERE +kubectl -n kube-system annotate --overwrite configmap amazon-vpc-cni meta.helm.sh/release-name=aws-vpc-cni kubectl -n kube-system annotate --overwrite configmap amazon-vpc-cni meta.helm.sh/release-namespace=kube-system kubectl -n kube-system label --overwrite configmap amazon-vpc-cni app.kubernetes.io/managed-by=Helm +Kubernetes recommends using server-side apply for more control over the field manager. After adopting the chart resources, you can run the following command to apply the chart: +``` +helm template aws-vpc-cni --include-crds --namespace kube-system eks/aws-vpc-cni --set originalMatchLabels=true | kubectl apply --server-side --force-conflicts --field-manager Helm -f - ``` ## Migrate from Helm v2 to Helm v3 diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index df0f5211d..253c25f93 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.16.3 + tag: v1.16.4 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.16.3 + tag: v1.16.4 domain: amazonaws.com region: us-west-2 endpoint: ecr 
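Review bot: In the `@@ -118,15 +117,18 @@` hunk the new paragraph `Kubernetes recommends using server-side apply…` is inserted before the bash block's closing fence, so it renders as part of the script; the added ```` ``` ```` then closes that block, the `helm template … | kubectl apply --server-side …` command ends up outside any fence, and the pre-existing closing ```` ``` ```` opens a fence that swallows the `## Migrate from Helm v2 to Helm v3` section. Adding one closing ```` ``` ```` line after the last `kubectl … label --overwrite configmap …` command, before the paragraph, restores the pairing. The `--force-conflicts --field-manager Helm` flags hand ownership of every conflicting field to Helm rather than merging, so one sentence in the paragraph stating that this overrides fields set by any other manager would help operators decide whether to run it as written.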
@@ -83,7 +83,7 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.16.3" + VPC_CNI_VERSION: "v1.16.4" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index 5cc33b4bb..eaa988790 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.16.3 -appVersion: v1.16.3 +version: 1.16.4 +appVersion: v1.16.4 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index 54c7b111b..4991765a7 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md @@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.16.3 | +| image.tag | Image tag | v1.16.4 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index 5fcaa195a..470dfe8cf 100644 --- a/stable/cni-metrics-helper/values.yaml +++ b/stable/cni-metrics-helper/values.yaml 
@@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.16.3 + tag: v1.16.4 account: "602401143452" domain: "amazonaws.com" # Set to use custom image From 2c26551812d8aa4c61f2e62506fae2d3a8a7a89e Mon Sep 17 00:00:00 2001 From: Andrew Gorman <48646785+kangadrewie@users.noreply.github.com> Date: Tue, 12 Mar 2024 20:55:17 +0000 Subject: [PATCH 08/19] [aws-cloudwatch-metrics] fix: update `enhanced_container_insights` template from string to boolean (#1062) * fix: use boolean instead of string enhanced_container_insights * [aws-cloudwatch-metrics] fix: update enhanced_container_insights template from string to boolean --------- Co-authored-by: Andrew Gorman --- stable/aws-cloudwatch-metrics/Chart.yaml | 2 +- stable/aws-cloudwatch-metrics/templates/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/aws-cloudwatch-metrics/Chart.yaml b/stable/aws-cloudwatch-metrics/Chart.yaml index 87025d9af..d6ac4d066 100644 --- a/stable/aws-cloudwatch-metrics/Chart.yaml +++ b/stable/aws-cloudwatch-metrics/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-cloudwatch-metrics description: A Helm chart to deploy aws-cloudwatch-metrics project -version: 0.0.10 +version: 0.0.11 appVersion: "1.300032.2b361" home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png diff --git a/stable/aws-cloudwatch-metrics/templates/configmap.yaml b/stable/aws-cloudwatch-metrics/templates/configmap.yaml index d21056cfc..8710c8d86 100755 --- a/stable/aws-cloudwatch-metrics/templates/configmap.yaml +++ b/stable/aws-cloudwatch-metrics/templates/configmap.yaml @@ -11,7 +11,7 @@ data: "metrics_collected": { "kubernetes": { "cluster_name": "{{ .Values.clusterName }}", - "enhanced_container_insights": "{{ .Values.enhancedContainerInsights.enabled }}", + "enhanced_container_insights": {{ .Values.enhancedContainerInsights.enabled }}, "metrics_collection_interval": 60 } }, 
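Review bot: With the quotes removed in `configmap.yaml`, rendering `{{ .Values.enhancedContainerInsights.enabled }}` when the value is unset, or explicitly `null` in an override, produces `"enhanced_container_insights": ,`, which is invalid JSON for the agent config; the previous quoted form at least yielded a string. `"enhanced_container_insights": {{ .Values.enhancedContainerInsights.enabled | default false }},` keeps the boolean output and degrades to `false` instead of broken JSON. Whether `values.yaml` already supplies a default is not visible in this hunk, and a non-boolean string set by a user (for example `"yes"`) would now render unquoted, so the values comment for this key should state that it must be a boolean.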
From ae7599cafa237c86af91a54ebfda0a16e836c59f Mon Sep 17 00:00:00 2001 From: Jay Deokar <23660509+jaydeokar@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:39:46 -0700 Subject: [PATCH 09/19] Update helm charts for CNI v1.17.1 release (#1076) --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 6 +++--- stable/aws-vpc-cni/values.yaml | 9 +++++---- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 2 +- stable/cni-metrics-helper/values.yaml | 2 +- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index 2fc6860d5..474437984 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.16.4 -appVersion: "v1.16.4" +version: 1.17.1 +appVersion: "v1.17.1" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index 52d071635..914033da2 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md @@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.16.4` | +| `image.tag` | Image tag | `v1.17.1` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | 
@@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.16.4` | +| `init.image.tag` | Image tag | `v1.17.1` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d | `originalMatchLabels` | Use the original daemonset matchLabels | `false` | | `nameOverride` | Override the name of the chart | `aws-node` | | `nodeAgent.enabled` | If the Node Agent container should be created | `true` | -| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.0.8` | +| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.1.0` | | `nodeAgent.image.domain`| ECR repository domain | `amazonaws.com` | | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2` | | `nodeAgent.image.endpoint` | ECR repository endpoint to use. | `ecr` | diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index 253c25f93..b9a2ba9d2 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.16.4 + tag: v1.17.1 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -27,7 +27,7 @@ init: nodeAgent: enabled: true image: - tag: v1.0.8 + tag: v1.1.0 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.16.4 + tag: v1.17.1 domain: amazonaws.com region: us-west-2 endpoint: ecr 
@@ -83,7 +83,8 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.16.4" + VPC_CNI_VERSION: "v1.17.1" + NETWORK_POLICY_ENFORCING_MODE: "standard" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index eaa988790..e0a3cf0d3 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.16.4 -appVersion: v1.16.4 +version: 1.17.1 +appVersion: v1.17.1 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index 4991765a7..4bbf0f8b8 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md @@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.16.4 | +| image.tag | Image tag | v1.17.1 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index 470dfe8cf..919681586 100644 --- a/stable/cni-metrics-helper/values.yaml 
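Review bot: The new `NETWORK_POLICY_ENFORCING_MODE: "standard"` entry in `env` arrives without a comment, and the README hunks in this commit only bump image tags, so a reader of `values.yaml` cannot tell what the alternative mode is or what `standard` allows while policies are being reconciled. A comment above it, e.g. `# Network policy enforcement mode; see the VPC CNI release notes for the accepted values (upstream documents "strict" as the deny-by-default alternative) before changing it`, makes the security-relevant default explicit. If enforcement is also gated on another value elsewhere in the chart, name it in the same comment so the two are not set inconsistently.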
+++ b/stable/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.16.4 + tag: v1.17.1 account: "602401143452" domain: "amazonaws.com" # Set to use custom image From cd707ae0b950e4ab1b49cd51a5eee2fe9ae91996 Mon Sep 17 00:00:00 2001 From: wweiwei-li <79778352+wweiwei-li@users.noreply.github.com> Date: Fri, 22 Mar 2024 16:17:45 -0700 Subject: [PATCH 10/19] aws-load-balancer-controller: v2.7.2 (#1079) --- .../aws-load-balancer-controller/Chart.yaml | 4 +- .../crds/crds.yaml | 212 ++++++++++-------- .../templates/deployment.yaml | 3 + stable/aws-load-balancer-controller/test.yaml | 2 +- .../aws-load-balancer-controller/values.yaml | 5 +- 5 files changed, 124 insertions(+), 102 deletions(-) diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml index 2e2d591a0..f28df0989 100644 --- a/stable/aws-load-balancer-controller/Chart.yaml +++ b/stable/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.7.1 -appVersion: v2.7.1 +version: 1.7.2 +appVersion: v2.7.2 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-load-balancer-controller/crds/crds.yaml b/stable/aws-load-balancer-controller/crds/crds.yaml index 78c226660..4a7a24f40 100644 --- a/stable/aws-load-balancer-controller/crds/crds.yaml +++ b/stable/aws-load-balancer-controller/crds/crds.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: ingressclassparams.elbv2.k8s.aws spec: group: elbv2.k8s.aws 
@@ -36,14 +35,19 @@ spec: description: IngressClassParams is the Schema for the IngressClassParams API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -92,32 +96,32 @@ spec: type: object type: array namespaceSelector: - description: NamespaceSelector restrict the namespaces of Ingresses - that are allowed to specify the IngressClass with this IngressClassParams. + description: |- + NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -130,11 +134,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -167,10 +170,11 @@ spec: items: type: string type: array - description: Tags specifies subnets in the load balancer's VPC - where each tag specified in the map key contains one of the - values in the corresponding value list. Exactly one of this - or `ids` must be specified. + description: |- + Tags specifies subnets in the load balancer's VPC where each + tag specified in the map key contains one of the values in the corresponding + value list. + Exactly one of this or `ids` must be specified. type: object type: object tags: @@ -200,8 +204,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: targetgroupbindings.elbv2.k8s.aws spec: group: elbv2.k8s.aws 
@@ -239,14 +242,19 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -263,28 +271,30 @@ spec: items: properties: from: - description: List of peers which should be able to access - the targets in TargetGroup. At least one NetworkingPeer - should be specified. + description: |- + List of peers which should be able to access the targets in TargetGroup. + At least one NetworkingPeer should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: IPBlock defines an IPBlock peer. If specified, - none of the other fields can be set. + description: |- + IPBlock defines an IPBlock peer. + If specified, none of the other fields can be set. properties: cidr: - description: CIDR is the network CIDR. Both IPV4 - or IPV6 CIDR are accepted. + description: |- + CIDR is the network CIDR. + Both IPV4 or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: SecurityGroup defines a SecurityGroup - peer. If specified, none of the other fields can - be set. + description: |- + SecurityGroup defines a SecurityGroup peer. + If specified, none of the other fields can be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. 
@@ -295,24 +305,24 @@ spec: type: object type: array ports: - description: List of ports which should be made accessible - on the targets in TargetGroup. If ports is empty or unspecified, - it defaults to all ports with TCP. + description: |- + List of ports which should be made accessible on the targets in TargetGroup. + If ports is empty or unspecified, it defaults to all ports with TCP. items: properties: port: anyOf: - type: integer - type: string - description: The port which traffic must match. When - NodePort endpoints(instance TargetType) is used, - this must be a numerical port. When Port endpoints(ip - TargetType) is used, this can be either numerical - or named port on pods. if port is unspecified, it - defaults to all ports. + description: |- + The port which traffic must match. + When NodePort endpoints(instance TargetType) is used, this must be a numerical port. + When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. + if port is unspecified, it defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: The protocol which traffic must match. + description: |- + The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP 
@@ -398,14 +408,19 @@ spec: description: TargetGroupBinding is the Schema for the TargetGroupBinding API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -431,28 +446,30 @@ spec: of traffic that is allowed to access TargetGroup's targets. properties: from: - description: List of peers which should be able to access - the targets in TargetGroup. At least one NetworkingPeer - should be specified. + description: |- + List of peers which should be able to access the targets in TargetGroup. + At least one NetworkingPeer should be specified. items: description: NetworkingPeer defines the source/destination peer for networking rules. properties: ipBlock: - description: IPBlock defines an IPBlock peer. If specified, - none of the other fields can be set. + description: |- + IPBlock defines an IPBlock peer. + If specified, none of the other fields can be set. properties: cidr: - description: CIDR is the network CIDR. Both IPV4 - or IPV6 CIDR are accepted. + description: |- + CIDR is the network CIDR. + Both IPV4 or IPV6 CIDR are accepted. type: string required: - cidr type: object securityGroup: - description: SecurityGroup defines a SecurityGroup - peer. If specified, none of the other fields can - be set. + description: |- + SecurityGroup defines a SecurityGroup peer. + If specified, none of the other fields can be set. properties: groupID: description: GroupID is the EC2 SecurityGroupID. @@ -463,9 +480,9 @@ spec: type: object type: array ports: - description: List of ports which should be made accessible - on the targets in TargetGroup. If ports is empty or unspecified, - it defaults to all ports with TCP. + description: |- + List of ports which should be made accessible on the targets in TargetGroup. + If ports is empty or unspecified, it defaults to all ports with TCP. items: description: NetworkingPort defines the port and protocol for networking rules. 
@@ -474,15 +491,15 @@ spec: anyOf: - type: integer - type: string - description: The port which traffic must match. When - NodePort endpoints(instance TargetType) is used, - this must be a numerical port. When Port endpoints(ip - TargetType) is used, this can be either numerical - or named port on pods. if port is unspecified, it - defaults to all ports. + description: |- + The port which traffic must match. + When NodePort endpoints(instance TargetType) is used, this must be a numerical port. + When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. + if port is unspecified, it defaults to all ports. x-kubernetes-int-or-string: true protocol: - description: The protocol which traffic must match. + description: |- + The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. enum: - TCP 
@@ -504,24 +521,24 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -534,11 +551,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml index c1bed7b86..fb646ea6f 100644 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ b/stable/aws-load-balancer-controller/templates/deployment.yaml @@ -159,6 +159,9 @@ spec: {{- if .Values.serviceTargetENISGTags }} - --service-target-eni-security-group-tags={{ .Values.serviceTargetENISGTags }} {{- end }} + {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }} + - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }} + {{- end }} {{- if or .Values.env .Values.envSecretName }} env: {{- if .Values.env}} diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index 94567edaa..801af28a9 100644 --- a/stable/aws-load-balancer-controller/test.yaml +++ b/stable/aws-load-balancer-controller/test.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.1 + tag: v2.7.2 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 91f0cab61..9ebfdaf89 100644 
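Review bot: In the deployment.yaml hunk the new `--allowed-certificate-authority-arns` arg dereferences `.Values.certDiscovery` unconditionally inside `{{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}`, so a values override that sets `certDiscovery` to null would presumably fail the render with a nil-pointer error rather than just omitting the flag. The sibling `serviceTargetENISGTags` block above it reads a top-level key and does not have this exposure. A cheap guard is `{{- if and .Values.certDiscovery .Values.certDiscovery.allowedCertificateAuthorityARNs }}`. The container args list this hunk edits starts and ends outside the hunk.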
--- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -8,7 +8,7 @@ revisionHistoryLimit: 10 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.1 + tag: v2.7.2 pullPolicy: IfNotPresent imagePullSecrets: [] @@ -350,6 +350,9 @@ controllerConfig: # NLBHealthCheckAdvancedConfig: true # ALBSingleSubnet: false +certDiscovery: + allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope + # objectSelector for webhook objectSelector: matchExpressions: From 4c9d554fd7e0718ea8dea11c14c5249c51ee78c9 Mon Sep 17 00:00:00 2001 From: Joseph Chen <76720045+jchen6585@users.noreply.github.com> Date: Tue, 2 Apr 2024 09:24:41 -0700 Subject: [PATCH 11/19] Update VPC-CNI charts for v1.18.0 (#1082) Co-authored-by: Joseph Chen --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 4 ++-- stable/aws-vpc-cni/values.yaml | 7 ++++--- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 2 +- stable/cni-metrics-helper/values.yaml | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index 474437984..0fd2105b0 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.17.1 -appVersion: "v1.17.1" +version: 1.18.0 +appVersion: "v1.18.0" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index 914033da2..6e352119a 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md 
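Review bot: The new `certDiscovery.allowedCertificateAuthorityARNs` key in the values.yaml hunk carries only the trailing remark `# empty means all CAs are in scope`, which says neither what the value is nor what "in scope" refers to, and it is the only documentation the key gets in the visible part of this patch. Because this setting narrows which certificate authorities the controller's certificate discovery will match certificates from, operators running private CAs are the ones who need it explained, and the default of "" leaves discovery unrestricted. Suggested comment above the key, replacing the inline one: `# Certificate-authority ARNs that certificate discovery may match certificates from; leave empty to keep all CAs in scope`, plus a sentence stating the expected list format once confirmed against the controller flag.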
@@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.17.1` | +| `image.tag` | Image tag | `v1.18.0` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.17.1` | +| `init.image.tag` | Image tag | `v1.18.0` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index b9a2ba9d2..eaa6713d1 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.17.1 + tag: v1.18.0 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.17.1 + tag: v1.18.0 domain: amazonaws.com region: us-west-2 endpoint: ecr 
@@ -83,8 +83,9 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.17.1" + VPC_CNI_VERSION: "v1.18.0" NETWORK_POLICY_ENFORCING_MODE: "standard" + ENABLE_SUBNET_DISCOVERY: "true" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index e0a3cf0d3..6b1a089f1 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.17.1 -appVersion: v1.17.1 +version: 1.18.0 +appVersion: v1.18.0 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index 4bbf0f8b8..4e21d7fb2 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md @@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.17.1 | +| image.tag | Image tag | v1.18.0 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index 919681586..c1f6649c8 100644 
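Review bot: `ENABLE_SUBNET_DISCOVERY: "true"` switches a new behaviour on by default for everyone who upgrades the chart, yet unlike the `VPC_CNI_VERSION` bump next to it nothing in the patch explains it: the diffstat lists `stable/aws-vpc-cni/README.md | 4 ++--` and the two README hunks only change `image.tag` and `init.image.tag`, so the new key has no parameter row. As I understand the upstream feature, it changes which VPC subnets the CNI may allocate ENIs and IPs from, which is a networking-boundary change an operator should be able to opt out of knowingly. Suggest a comment above the key, e.g. `# Set to "false" to keep the pre-1.18.0 behaviour of allocating only from the primary ENI's subnet`, and a matching README row. The `env` mapping continues outside the hunk.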
--- a/stable/cni-metrics-helper/values.yaml +++ b/stable/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.17.1 + tag: v1.18.0 account: "602401143452" domain: "amazonaws.com" # Set to use custom image From 8314721a7666d64becb3da29514162a54b45f257 Mon Sep 17 00:00:00 2001 From: Joseph Chen <76720045+jchen6585@users.noreply.github.com> Date: Wed, 24 Apr 2024 15:18:19 -0700 Subject: [PATCH 12/19] Update VPC-CNI charts for v1.18.1 (#1100) Co-authored-by: Joseph Chen --- stable/aws-vpc-cni/Chart.yaml | 4 ++-- stable/aws-vpc-cni/README.md | 6 +++--- stable/aws-vpc-cni/values.yaml | 8 ++++---- stable/cni-metrics-helper/Chart.yaml | 4 ++-- stable/cni-metrics-helper/README.md | 2 +- stable/cni-metrics-helper/values.yaml | 2 +- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index 0fd2105b0..326db0431 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.18.0 -appVersion: "v1.18.0" +version: 1.18.1 +appVersion: "v1.18.1" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md index 6e352119a..155b127f3 100644 --- a/stable/aws-vpc-cni/README.md +++ b/stable/aws-vpc-cni/README.md 
@@ -48,7 +48,7 @@ The following table lists the configurable parameters for this chart and their d | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation | `3` | | `branchENICooldown` | Number of seconds that branch ENIs remain in cooldown | `60` | | `fullnameOverride` | Override the fullname of the chart | `aws-node` | -| `image.tag` | Image tag | `v1.18.0` | +| `image.tag` | Image tag | `v1.18.1` | | `image.domain` | ECR repository domain | `amazonaws.com` | | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -56,7 +56,7 @@ The following table lists the configurable parameters for this chart and their d | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.override` | A custom docker image to use | `nil` | | `imagePullSecrets` | Docker registry pull secret | `[]` | -| `init.image.tag` | Image tag | `v1.18.0` | +| `init.image.tag` | Image tag | `v1.18.1` | | `init.image.domain` | ECR repository domain | `amazonaws.com` | | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` | | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` | @@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d | `originalMatchLabels` | Use the original daemonset matchLabels | `false` | | `nameOverride` | Override the name of the chart | `aws-node` | | `nodeAgent.enabled` | If the Node Agent container should be created | `true` | -| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.1.0` | +| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.1.1` | | `nodeAgent.image.domain`| ECR repository domain | `amazonaws.com` | | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2` | | `nodeAgent.image.endpoint` | ECR repository endpoint to use. | `ecr` | 
diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index eaa6713d1..4a7022bb6 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -8,7 +8,7 @@ nameOverride: aws-node init: image: - tag: v1.18.0 + tag: v1.18.1 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -27,7 +27,7 @@ init: nodeAgent: enabled: true image: - tag: v1.1.0 + tag: v1.1.1 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -50,7 +50,7 @@ nodeAgent: resources: {} image: - tag: v1.18.0 + tag: v1.18.1 domain: amazonaws.com region: us-west-2 endpoint: ecr @@ -83,7 +83,7 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" - VPC_CNI_VERSION: "v1.18.0" + VPC_CNI_VERSION: "v1.18.1" NETWORK_POLICY_ENFORCING_MODE: "standard" ENABLE_SUBNET_DISCOVERY: "true" diff --git a/stable/cni-metrics-helper/Chart.yaml b/stable/cni-metrics-helper/Chart.yaml index 6b1a089f1..5bc50145c 100644 --- a/stable/cni-metrics-helper/Chart.yaml +++ b/stable/cni-metrics-helper/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cni-metrics-helper -version: 1.18.0 -appVersion: v1.18.0 +version: 1.18.1 +appVersion: v1.18.1 description: A Helm chart for the AWS VPC CNI Metrics Helper icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png home: https://github.com/aws/amazon-vpc-cni-k8s diff --git a/stable/cni-metrics-helper/README.md b/stable/cni-metrics-helper/README.md index 4e21d7fb2..a6a165113 100644 --- a/stable/cni-metrics-helper/README.md +++ b/stable/cni-metrics-helper/README.md 
@@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d |------------------------------|---------------------------------------------------------------|--------------------| | fullnameOverride | Override the fullname of the chart | cni-metrics-helper | | image.region | ECR repository region to use. Should match your cluster | us-west-2 | -| image.tag | Image tag | v1.18.0 | +| image.tag | Image tag | v1.18.1 | | image.account | ECR repository account number | 602401143452 | | image.domain | ECR repository domain | amazonaws.com | | env.USE_CLOUDWATCH | Whether to export CNI metrics to CloudWatch | true | diff --git a/stable/cni-metrics-helper/values.yaml b/stable/cni-metrics-helper/values.yaml index c1f6649c8..3f4416e06 100644 --- a/stable/cni-metrics-helper/values.yaml +++ b/stable/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.18.0 + tag: v1.18.1 account: "602401143452" domain: "amazonaws.com" # Set to use custom image From ca71d793c54faeb479e7c9089c6c1cdaaf9fb81c Mon Sep 17 00:00:00 2001 From: Wesley Pettit Date: Tue, 30 Apr 2024 17:24:24 -0700 Subject: [PATCH 13/19] aws-for-fluent-bit: Bump stable to 2.32.2.20240425 Signed-off-by: Wesley Pettit --- stable/aws-for-fluent-bit/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/aws-for-fluent-bit/values.yaml b/stable/aws-for-fluent-bit/values.yaml index 8d41adaf5..48b2876ae 100644 --- a/stable/aws-for-fluent-bit/values.yaml +++ b/stable/aws-for-fluent-bit/values.yaml @@ -4,7 +4,7 @@ global: image: repository: public.ecr.aws/aws-observability/aws-for-fluent-bit - tag: 2.31.12.20231011 + tag: 2.32.2.20240425 pullPolicy: IfNotPresent imagePullSecrets: [] From 5f8fb2ec379aa3f902b2f6ab2e260d91bd12ef4e Mon Sep 17 00:00:00 2001 From: Wesley Pettit Date: Tue, 30 Apr 2024 17:29:51 -0700 Subject: [PATCH 14/19] aws-for-fluent-bit: bump chart version to 0.1.33 
Signed-off-by: Wesley Pettit
---
 stable/aws-for-fluent-bit/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/aws-for-fluent-bit/Chart.yaml b/stable/aws-for-fluent-bit/Chart.yaml
index 69868c9f0..8df324955 100644
--- a/stable/aws-for-fluent-bit/Chart.yaml
+++ b/stable/aws-for-fluent-bit/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-for-fluent-bit
 description: A Helm chart to deploy aws-for-fluent-bit project
-version: 0.1.32
+version: 0.1.33
 appVersion: 2.31.12.20231011
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
From 51da63976f26974672d35556e9ea965412d0ff1d Mon Sep 17 00:00:00 2001
From: Wesley Pettit
Date: Tue, 30 Apr 2024 17:33:39 -0700
Subject: [PATCH 15/19] aws-for-fluent-bit: update appVersion to 2.32.2.20240425
Signed-off-by: Wesley Pettit
---
 stable/aws-for-fluent-bit/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/aws-for-fluent-bit/Chart.yaml b/stable/aws-for-fluent-bit/Chart.yaml
index 8df324955..200e52bcc 100644
--- a/stable/aws-for-fluent-bit/Chart.yaml
+++ b/stable/aws-for-fluent-bit/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 name: aws-for-fluent-bit
 description: A Helm chart to deploy aws-for-fluent-bit project
 version: 0.1.33
-appVersion: 2.31.12.20231011
+appVersion: 2.32.2.20240425
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
From e55a24a29915493003aa217fcf034dee3e687b4c Mon Sep 17 00:00:00 2001
From: wweiwei-li <79778352+wweiwei-li@users.noreply.github.com>
Date: Fri, 17 May 2024 16:59:05 -0700
Subject: [PATCH 16/19] aws-load-balancer-controller: v2.8.0 (#1105)
---
 .../aws-load-balancer-controller/Chart.yaml | 4 +-
 stable/aws-load-balancer-controller/README.md | 194 +++++++++---------
 .../crds/crds.yaml | 11 +
 .../templates/deployment.yaml | 16 +-
 .../templates/servicemonitor.yaml | 30 ++-
 .../templates/webhook.yaml | 12 +-
 stable/aws-load-balancer-controller/test.yaml | 25 ++-
 .../aws-load-balancer-controller/values.yaml | 44 +++-
 8 files changed, 216 insertions(+), 120 deletions(-)
diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml
index f28df0989..8b2f182a5 100644
--- a/stable/aws-load-balancer-controller/Chart.yaml
+++ b/stable/aws-load-balancer-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.7.2
-appVersion: v2.7.2
+version: 1.8.0
+appVersion: v2.8.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md
index 5dd580324..0cbe3f3f9 100644
--- a/stable/aws-load-balancer-controller/README.md
+++ b/stable/aws-load-balancer-controller/README.md
@@ -22,7 +22,7 @@ AWS Load Balancer controller manages the following AWS resources As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). ## Prerequisites -- Supported Kubernetes Versions +- Supported Kubernetes Versions - Chart version v1.5.0+ requires Kubernetes 1.22+ - Chart version v1.4.0+ requires Kubernetes 1.19+ - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 
@@ -178,94 +178,104 @@ Chart release v1.2.0 and later enables high availability configuration by defaul The following tables lists the configurable parameters of the chart and their default values. The default values set by the application itself can be confirmed [here](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/configurations/#controller-configuration-options). -| Parameter | Description | Default | -|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| -| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | -| `image.tag` | image tag | `` | -| `image.pullPolicy` | image pull policy | `IfNotPresent` | -| `clusterName` | Kubernetes cluster name | None | -| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | -| `securityContext` | Set to security context for pod | `{}` | -| `resources` | Controller pod resource requests & limits | `{}` | -| `priorityClassName` | Controller pod priority class | system-cluster-critical | -| `nodeSelector` | Node labels for controller pod assignment | `{}` | -| `tolerations` | Controller pod toleration for taints | `{}` | -| `affinity` | Affinity for pod assignment | `{}` | -| `configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | -| `deploymentAnnotations` | Annotations to add to deployment | `{}` | -| `podAnnotations` | Annotations to add to each pod | `{}` | -| `podLabels` | Labels to add to each pod | `{}` | -| `additionalLabels` | Labels to add to all components | `{}` | -| `rbac.create` | if 
`true`, create and use RBAC resources | `true` | -| `serviceAccount.annotations` | optional annotations to add to service account | None | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | -| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used | None | -| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | -| `ingressClass` | The ingress class to satisfy | alb | -| `createIngressClassResource` | Create ingressClass resource | true | -| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | -| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | -| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | -| `region` | The AWS region for the kubernetes cluster | None | -| `vpcId` | The VPC ID for the Kubernetes cluster | None | -| `awsApiEndpoints` | Custom AWS API Endpoints | None | -| `awsApiThrottle` | Custom AWS API throttle settings | None | -| `awsMaxRetries` | Maximum retries for AWS APIs | None | -| `defaultTargetType` | Default target type. Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. 
| `instance` | -| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | -| `enableShield` | Enable Shield addon for ALB | None | -| `enableWaf` | Enable WAF addon for ALB | None | -| `enableWafv2` | Enable WAF V2 addon for ALB | None | -| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | -| `logLevel` | Set the controller log level - info, debug | None | -| `metricsBindAddr` | The address the metric endpoint binds to | "" | -| `webhookBindPort` | The TCP port the Webhook server binds to | None | -| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | -| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | -| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | -| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | -| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | -| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | -| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | -| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | -| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | -| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched | None | -| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | -| `disableIngressGroupNameAnnotation` | Disables the usage of 
alb.ingress.kubernetes.io/group.name annotation | None | -| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | -| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | -| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | -| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | -| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | -| `env` | Environment variables to set for aws-load-balancer-controller pod | None | -| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | -| `hostNetwork` | If `true`, use hostNetwork | `false` | -| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | -| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | -| `extraVolumes` | Extra volumes for the pod | `[]` | -| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | -| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | -| `revisionHistoryLimit` | Number of revisions to keep | `10` | -| `podDisruptionBudget` | Limit the disruption for controller pods. 
Require at least 2 controller replicas and 3 worker nodes | `{}` | -| `updateStrategy` | Defines the update strategy for the deployment | `{}` | -| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | -| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | -| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | -| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | -| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | -| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | -| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | -| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | -| `serviceMonitor.additionalLabels` | Labels to add to the service account | `{}` | -| `serviceMonitor.interval` | Prometheus scrape interval | `1m` | -| `serviceMonitor.namespace` | Namespace in which Prometheus is running | None | -| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. | `false` | -| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | -| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. 
| `false` | -| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | -| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` | -| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None | + +| Parameter | Description | Default | +| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | +| `image.repository` | image repository | `public.ecr.aws/eks/aws-load-balancer-controller` | +| `image.tag` | image tag | `` | +| `image.pullPolicy` | image pull policy | `IfNotPresent` | +| `clusterName` | Kubernetes cluster name | None | +| `cluster.dnsDomain` | DNS domain of the Kubernetes cluster, included in TLS certificate requests | `cluster.local` | +| `securityContext` | Set to security context for pod | `{}` | +| `resources` | Controller pod resource requests & limits | `{}` | +| `priorityClassName` | Controller pod priority class | system-cluster-critical | +| `nodeSelector` | Node labels for controller pod assignment | `{}` | +| `tolerations` | Controller pod toleration for taints | `{}` | +| `affinity` | Affinity for pod assignment | `{}` | +| 
`configureDefaultAffinity` | Configure soft pod anti-affinity if custom affinity is not configured | `true` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `{}` | +| `deploymentAnnotations` | Annotations to add to deployment | `{}` | +| `podAnnotations` | Annotations to add to each pod | `{}` | +| `podLabels` | Labels to add to each pod | `{}` | +| `additionalLabels` | Labels to add to all components | `{}` | +| `rbac.create` | if `true`, create and use RBAC resources | `true` | +| `serviceAccount.annotations` | optional annotations to add to service account | None | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a Service Account | `true` | +| `serviceAccount.imagePullSecrets` | List of image pull secrets to add to the Service Account | `[]` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used | None | +| `terminationGracePeriodSeconds` | Time period for controller pod to do a graceful shutdown | 10 | +| `ingressClass` | The ingress class to satisfy | alb | +| `createIngressClassResource` | Create ingressClass resource | true | +| `ingressClassParams.name` | IngressClassParams resource's name, default to the aws load balancer controller's name | None | +| `ingressClassParams.create` | If `true`, create a new ingressClassParams | true | +| `ingressClassParams.spec` | IngressClassParams defined ingress specifications | {} | +| `region` | The AWS region for the kubernetes cluster | None | +| `vpcId` | The VPC ID for the Kubernetes cluster | None | +| `awsApiEndpoints` | Custom AWS API Endpoints | None | +| `awsApiThrottle` | Custom AWS API throttle settings | None | +| `awsMaxRetries` | Maximum retries for AWS APIs | None | +| `defaultTargetType` | Default target type. 
Used as the default value of the `alb.ingress.kubernetes.io/target-type` and `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.`Possible values are `ip` and `instance`. | `instance` | +| `enablePodReadinessGateInject` | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods | None | +| `enableShield` | Enable Shield addon for ALB | None | +| `enableWaf` | Enable WAF addon for ALB | None | +| `enableWafv2` | Enable WAF V2 addon for ALB | None | +| `ingressMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for ingress | None | +| `logLevel` | Set the controller log level - info, debug | None | +| `metricsBindAddr` | The address the metric endpoint binds to | "" | +| `webhookBindPort` | The TCP port the Webhook server binds to | None | +| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" | +| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" | +| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None | +| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` | +| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` | +| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None | +| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None | +| `targetgroupbindingMaxExponentialBackoffDelay` | Maximum duration of exponential backoff for targetGroupBinding reconcile failures | None | +| `syncPeriod` | Period at which the controller forces the repopulation of its local object stores | None | +| `watchNamespace` | Namespace the controller watches for updates to Kubernetes objects, If empty, all 
namespaces are watched | None | +| `disableIngressClassAnnotation` | Disables the usage of kubernetes.io/ingress.class annotation | None | +| `disableIngressGroupNameAnnotation` | Disables the usage of alb.ingress.kubernetes.io/group.name annotation | None | +| `tolerateNonExistentBackendService` | whether to allow rules that reference a backend service that does not exist. (When enabled, it will return 503 error if backend service not exist) | `true` | +| `tolerateNonExistentBackendAction` | whether to allow rules that reference a backend action that does not exist. (When enabled, it will return 503 error if backend action not exist) | `true` | +| `defaultSSLPolicy` | Specifies the default SSL policy to use for HTTPS or TLS listeners | None | +| `externalManagedTags` | Specifies the list of tag keys on AWS resources that are managed externally | `[]` | +| `livenessProbe` | Liveness probe settings for the controller | (see `values.yaml`) | +| `env` | Environment variables to set for aws-load-balancer-controller pod | None | +| `envSecretName` | AWS credentials as environment variables from Secret (Secret keys `key_id` and `access_key`). | None | +| `hostNetwork` | If `true`, use hostNetwork | `false` | +| `dnsPolicy` | Set dnsPolicy if required | `ClusterFirst` | +| `extraVolumeMounts` | Extra volume mounts for the pod | `[]` | +| `extraVolumes` | Extra volumes for the pod | `[]` | +| `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` | +| `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` | +| `revisionHistoryLimit` | Number of revisions to keep | `10` | +| `podDisruptionBudget` | Limit the disruption for controller pods. 
Require at least 2 controller replicas and 3 worker nodes | `{}` | +| `updateStrategy` | Defines the update strategy for the deployment | `{}` | +| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` | +| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` | +| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` | +| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` | +| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `false` | +| `objectSelector.matchExpressions` | Webhook configuration to select specific pods by specifying the expression to be matched | None | +| `objectSelector.matchLabels` | Webhook configuration to select specific pods by specifying the key value label pair to be matched | None | +| `serviceMonitor.enabled` | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed | `false` | +| `serviceMonitor.namespace` | Namespace in which to create the service monitor | None | +| `serviceMonitor.additionalLabels` | Labels to add to the service monitor | `{}` | +| `serviceMonitor.interval` | Prometheus scrape interval | `1m` | +| `serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `1m` | +| `serviceMonitor.relabelings` | Relabelings to apply to samples before ingestion | `1m` | +| `serviceMonitor.metricRelabelings` | Metric relabelings to apply to samples before ingestion | `1m` | +| `clusterSecretsPermissions.allowAllSecrets` | If `true`, controller has access to all secrets in the cluster. 
| `false` | +| `controllerConfig.featureGates` | set of `key: value` pairs that describe AWS load balance controller features | `{}` | +| `ingressClassConfig.default` | If `true`, the ingressclass will be the default class of the cluster. | `false` | +| `enableServiceMutatorWebhook` | If `false`, disable the Service Mutator webhook which makes all new services of type LoadBalancer reconciled by the lb controller | `true` | +| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` | +| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` | +| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` | +| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` | +| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None | +| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` | + +| `runtimeClassName` | Runtime class name for the controller pods , such as `gvisor` or `kata`. An unspecified `nil` or empty `""` RuntimeClassName is equivalent to the backwards-compatible default behavior as if the RuntimeClass feature is disabled. | "" | diff --git a/stable/aws-load-balancer-controller/crds/crds.yaml b/stable/aws-load-balancer-controller/crds/crds.yaml index 4a7a24f40..323c44d57 100644 --- a/stable/aws-load-balancer-controller/crds/crds.yaml 
+++ b/stable/aws-load-balancer-controller/crds/crds.yaml @@ -54,6 +54,12 @@ spec: spec: description: IngressClassParamsSpec defines the desired state of IngressClassParams properties: + certificateArn: + description: CertificateArn specifies the ARN of the certificates + for all Ingresses that belong to IngressClass with this IngressClassParams. + items: + type: string + type: array group: description: Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams. @@ -76,6 +82,7 @@ spec: enum: - ipv4 - dualstack + - dualstack-without-public-ipv4 type: string loadBalancerAttributes: description: LoadBalancerAttributes define the custom attributes to @@ -587,6 +594,10 @@ spec: - instance - ip type: string + vpcID: + description: VpcID is the VPC of the TargetGroup. If unspecified, + it will be automatically inferred. + type: string required: - serviceRef - targetGroupARN diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml index fb646ea6f..ab0c69649 100644 --- a/stable/aws-load-balancer-controller/templates/deployment.yaml +++ b/stable/aws-load-balancer-controller/templates/deployment.yaml @@ -38,6 +38,9 @@ spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} {{- end }} serviceAccountName: {{ include "aws-load-balancer-controller.serviceAccountName" . }} volumes: 
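Review bot: Inside `{{- with .Values.runtimeClassName }}` the dot is rebound to the string value, so the new `runtimeClassName: {{ .Values.runtimeClassName }}` tries to evaluate a `Values` field on a string and Go's text/template refuses ("can't evaluate field Values in type string"); rendering fails exactly when a runtime class is set. The chart's own values.yaml and test.yaml set `runtimeClassName: ""`, which skips the `with` block, so the template check would not catch this. Use the rebound dot instead: `runtimeClassName: {{ . }}`. The enclosing pod spec starts and ends outside the hunk.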
@@ -59,15 +62,17 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 args:
- - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" .Values.clusterName }}
+ - --cluster-name={{ required "Chart cannot be installed without a valid clusterName!" (tpl (default "" .Values.clusterName) .) }}
 {{- if .Values.ingressClass }}
 - --ingress-class={{ .Values.ingressClass }}
 {{- end }}
- {{- if .Values.region }}
+ {{- $region := tpl (default "" .Values.region) . }}
+ {{- if $region }}
 - --aws-region={{ .Values.region }}
 {{- end }}
- {{- if .Values.vpcId }}
- - --aws-vpc-id={{ .Values.vpcId }}
+ {{- $vpcID := tpl (default "" .Values.vpcId) . }}
+ {{- if $vpcID }}
+ - --aws-vpc-id={{ $vpcID }}
 {{- end }}
 {{- if .Values.awsApiEndpoints }}
 - --aws-api-endpoints={{ .Values.awsApiEndpoints }}
@@ -162,6 +167,9 @@ spec:
 {{- if .Values.certDiscovery.allowedCertificateAuthorityARNs }}
 - --allowed-certificate-authority-arns={{ .Values.certDiscovery.allowedCertificateAuthorityARNs }}
 {{- end }}
+ {{- if .Values.loadBalancerClass }}
+ - --load-balancer-class={{ .Values.loadBalancerClass }}
+ {{- end }}
 {{- if or .Values.env .Values.envSecretName }}
 env:
 {{- if .Values.env}}
diff --git a/stable/aws-load-balancer-controller/templates/servicemonitor.yaml b/stable/aws-load-balancer-controller/templates/servicemonitor.yaml
index c811be253..0454558c2 100644
--- a/stable/aws-load-balancer-controller/templates/servicemonitor.yaml
+++ b/stable/aws-load-balancer-controller/templates/servicemonitor.yaml
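Review bot: The new `$region := tpl (default "" .Values.region) .` is only consulted by the `if`; the unchanged flag line beneath it still renders `{{ .Values.region }}`, so a templated region value (the reason `tpl` was introduced here) is handed to the controller unexpanded, while the parallel vpcId block correctly emits `--aws-vpc-id={{ $vpcID }}`. Change the flag line to `- --aws-region={{ $region }}` so the two blocks behave the same. The containers block this sits in starts and ends outside the hunk.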
@@ -3,18 +3,14 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: {{ include "aws-load-balancer-controller.fullname" . }}
- {{- if .Values.serviceMonitor.namespace }}
- namespace: {{ .Values.serviceMonitor.namespace }}
- {{- else }}
- namespace: {{ .Release.Namespace | quote }}
- {{- end }}
+ namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
 labels:
 {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
- {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
 spec:
- jobLabel: {{ .Release.Name }}
+ jobLabel: app.kubernetes.io/instance
 namespaceSelector:
 matchNames:
 - {{ .Release.Namespace }}
@@ -29,7 +25,19 @@ spec:
 endpoints:
 - port: metrics-server
 path: /metrics
- {{- with .Values.serviceMonitor.interval }}
+ scheme: http
+ {{- with .Values.serviceMonitor.interval }}
 interval: {{ . }}
- {{- end }}
-{{- end -}}
\ No newline at end of file
+ {{- end }}
+ {{- with .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/stable/aws-load-balancer-controller/templates/webhook.yaml b/stable/aws-load-balancer-controller/templates/webhook.yaml
index e7d557e41..666770d0d 100644
--- a/stable/aws-load-balancer-controller/templates/webhook.yaml
+++ b/stable/aws-load-balancer-controller/templates/webhook.yaml
@@ -65,7 +65,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-v1-service
- failurePolicy: Fail
+ failurePolicy: {{ .Values.serviceMutatorWebhookConfig.failurePolicy }}
 name: mservice.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
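Review bot: The collapsed `namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}` drops the `| quote` that the removed `.Release.Namespace` branch had, so a namespace name made only of digits (a valid DNS-1123 label, which Kubernetes accepts) would now be emitted as a bare YAML integer and rejected by the API server as a non-string. Keep the quoting on the merged line: `namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace | quote }}`. The same template's new `scheme: http` is hard-coded; if that is deliberate because the controller's metrics endpoint is plain HTTP, a one-line comment above it saying so would save the next reader from reaching for a value.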
@@ -75,13 +75,21 @@ webhooks: operator: NotIn values: - {{ include "aws-load-balancer-controller.name" . }} + {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions }} + {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchExpressions | nindent 4 }} + {{- end }} + + {{- if .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels }} + matchLabels: + {{- toYaml .Values.serviceMutatorWebhookConfig.objectSelector.matchLabels | nindent 6 }} + {{- end }} rules: - apiGroups: - "" apiVersions: - v1 operations: - - CREATE + {{- toYaml .Values.serviceMutatorWebhookConfig.operations | nindent 4 }} resources: - services sideEffects: None diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index 801af28a9..6094cd5d1 100644 --- a/stable/aws-load-balancer-controller/test.yaml +++ b/stable/aws-load-balancer-controller/test.yaml @@ -6,12 +6,13 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.2 + tag: v2.8.0 pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +runtimeClassName: "" serviceAccount: # Specifies whether a service account should be created 
@@ -330,3 +331,25 @@ clusterSecretsPermissions: # ingressClassConfig contains configurations specific to the ingress class ingressClassConfig: default: false + +# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer +# should deprecate this in favor of serviceMutatorWebhook.enabled +enableServiceMutatorWebhook: true + +# serviceMutatorWebhook contains configurations specific to the service mutator webhook +serviceMutatorWebhookConfig: + # whether or not to fail the service creation if the webhook fails + failurePolicy: Fail + # limit webhook to only mutate services matching the objectSelector + objectSelector: + matchExpressions: [] + # - key: + # operator: + # values: + # - + matchLabels: {} + # key: value + # which operations trigger the webhook + operations: + - CREATE + # - UPDATE diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 9ebfdaf89..1c3ce8bce 100644 --- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -8,9 +8,10 @@ revisionHistoryLimit: 10 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.7.2 + tag: v2.8.0 pullPolicy: IfNotPresent +runtimeClassName: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -119,8 +120,8 @@ clusterName: # cluster contains configurations specific to the kubernetes cluster cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local + # Cluster DNS domain (required for requesting TLS certificates) + dnsDomain: cluster.local # The ingress class this controller will satisfy. If not specified, controller will match all # ingresses without ingress class annotation and ingresses of type alb 
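Review bot: The comments added to test.yaml say `should deprecate this in favor of serviceMutatorWebhook.enabled` and `# serviceMutatorWebhook contains configurations specific to the service mutator webhook`, but the key introduced directly below is `serviceMutatorWebhookConfig` and no `enabled` field exists under it in this commit, so readers following the comment will look for keys that are not there. The same mismatched header comment is repeated in the values.yaml hunk `@@ -389,5 +396,26 @@` further down, which in turn lacks the deprecation remark, so the two copies already diverge. Rename the header in both files to `# serviceMutatorWebhookConfig contains configurations specific to the service mutator webhook` and either drop the deprecation remark or add the `enabled` field it refers to.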
@@ -209,7 +210,7 @@ webhookTLS: cert: key: -# array of namespace selectors for the webhook +# array of namespace selectors for the pod mutator webhook webhookNamespaceSelectors: # - key: elbv2.k8s.aws/pod-readiness-gate-inject # operator: In @@ -350,7 +351,7 @@ controllerConfig: # NLBHealthCheckAdvancedConfig: true # ALBSingleSubnet: false -certDiscovery: +certDiscovery: allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope # objectSelector for webhook @@ -366,12 +367,18 @@ objectSelector: serviceMonitor: # Specifies whether a service monitor should be created enabled: false - # Labels to add to the service account + # Namespace to create the service monitor in + namespace: + # Labels to add to the service monitor additionalLabels: {} # Prometheus scrape interval interval: 1m - # Namespace to create the service monitor in - namespace: + # Prometheus scrape timeout + scrapeTimeout: + # Relabelings to apply to samples before ingestion + relabelings: + # Metric relabelings to apply to samples before ingestion + metricRelabelings: # clusterSecretsPermissions lets you configure RBAC permissions for secret resources # Access to secrets resource is required only if you use the OIDC feature, and instead of 
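Review bot: In the `serviceMonitor` hunk the new `scrapeTimeout:`, `relabelings:` and `metricRelabelings:` keys are left as bare empty values, which parse as null; that satisfies the template's `with` guards but reads ambiguously next to the file's other list defaults such as `matchExpressions: []`. Writing `relabelings: []` and `metricRelabelings: []` states the intended type and still renders nothing, since `with` treats an empty list as false. The README rows added earlier in this commit list `1m` as the default for both relabeling keys, which does not match these empty values and looks copied from `interval`; the README should say `[]` (or None) for them.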
@@ -389,5 +396,26 @@ ingressClassConfig: # enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer enableServiceMutatorWebhook: true +# serviceMutatorWebhook contains configurations specific to the service mutator webhook +serviceMutatorWebhookConfig: + # whether or not to fail the service creation if the webhook fails + failurePolicy: Fail + # limit webhook to only mutate services matching the objectSelector + objectSelector: + matchExpressions: [] + # - key: + # operator: + # values: + # - + matchLabels: {} + # key: value + # which operations trigger the webhook + operations: + - CREATE + # - UPDATE + # serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs. serviceTargetENISGTags: + +# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb) +loadBalancerClass: From 9b36a39fcc81d3ac80af2729a1e0a63a2eec851a Mon Sep 17 00:00:00 2001 From: Jay Deokar <23660509+jaydeokar@users.noreply.github.com> Date: Fri, 24 May 2024 14:30:56 -0700 Subject: [PATCH 17/19] Releasing new charts version for v1.18.1 (#1104) --- stable/aws-vpc-cni/Chart.yaml | 2 +- stable/aws-vpc-cni/templates/daemonset.yaml | 1 + stable/aws-vpc-cni/values.yaml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml index 326db0431..2dc468a51 100644 --- a/stable/aws-vpc-cni/Chart.yaml +++ b/stable/aws-vpc-cni/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: aws-vpc-cni -version: 1.18.1 +version: 1.3.0 appVersion: "v1.18.1" description: A Helm chart for the AWS VPC CNI icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png 
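Review bot: `version: 1.3.0` on the new side of the aws-vpc-cni Chart.yaml hunk replaces `version: 1.18.1` while `appVersion` stays `"v1.18.1"` and the subject line says this patch releases v1.18.1; a chart version moving backwards by fifteen minor versions looks like a rebase or copy error rather than an intended bump. Helm repositories order releases by semver, so a 1.3.0 chart would sort below every earlier 1.x release and would not be picked up as the latest. The intended value is presumably `version: 1.18.1` or the next patch after it; the values.yaml hunk in the same patch still carries `VPC_CNI_VERSION: "v1.18.1"`, which supports that reading.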
diff --git a/stable/aws-vpc-cni/templates/daemonset.yaml b/stable/aws-vpc-cni/templates/daemonset.yaml index 3b47d880a..d119a37d6 100644 --- a/stable/aws-vpc-cni/templates/daemonset.yaml +++ b/stable/aws-vpc-cni/templates/daemonset.yaml @@ -183,6 +183,7 @@ spec: - name: xtables-lock hostPath: path: /run/xtables.lock + type: FileOrCreate {{- with .Values.extraVolumes }} {{- toYaml .| nindent 6 }} {{- end }} diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml index 4a7022bb6..1bf88b53f 100644 --- a/stable/aws-vpc-cni/values.yaml +++ b/stable/aws-vpc-cni/values.yaml @@ -83,9 +83,9 @@ env: DISABLE_NETWORK_RESOURCE_PROVISIONING: "false" ENABLE_IPv4: "true" ENABLE_IPv6: "false" + ENABLE_SUBNET_DISCOVERY: "true" VPC_CNI_VERSION: "v1.18.1" NETWORK_POLICY_ENFORCING_MODE: "standard" - ENABLE_SUBNET_DISCOVERY: "true" # this flag enables you to use the match label that was present in the original daemonset deployed by EKS # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release From 7248e07287ab5906eaa5bc0a075872b13f08d6b9 Mon Sep 17 00:00:00 2001 From: Zach Dorame-Barajas <43703863+zachdorame@users.noreply.github.com> Date: Fri, 24 May 2024 16:03:36 -0700 Subject: [PATCH 18/19] Updated EFA plugin version, added a new volume for EFA plugin to mount (#1069) --- stable/aws-efa-k8s-device-plugin/Chart.yaml | 4 ++-- stable/aws-efa-k8s-device-plugin/templates/daemonset.yaml | 7 ++++++- stable/aws-efa-k8s-device-plugin/values.yaml | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/stable/aws-efa-k8s-device-plugin/Chart.yaml b/stable/aws-efa-k8s-device-plugin/Chart.yaml index c040ec032..af00a1493 100644 --- a/stable/aws-efa-k8s-device-plugin/Chart.yaml +++ b/stable/aws-efa-k8s-device-plugin/Chart.yaml 
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: aws-efa-k8s-device-plugin
 description: A Helm chart for EFA device plugin.
-version: v0.4.4
-appVersion: "v0.4.4"
+version: v0.5.1
+appVersion: "v0.5.1"
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/stable/aws-efa-k8s-device-plugin/templates/daemonset.yaml b/stable/aws-efa-k8s-device-plugin/templates/daemonset.yaml
index d6c08fabd..6fad9cd4d 100644
--- a/stable/aws-efa-k8s-device-plugin/templates/daemonset.yaml
+++ b/stable/aws-efa-k8s-device-plugin/templates/daemonset.yaml
@@ -67,7 +67,12 @@ spec:
 volumeMounts:
 - name: device-plugin
 mountPath: /var/lib/kubelet/device-plugins
+ - name: infiniband-volume
+ mountPath: /dev/infiniband/
 volumes:
 - name: device-plugin
 hostPath:
- path: /var/lib/kubelet/device-plugins
\ No newline at end of file
+ path: /var/lib/kubelet/device-plugins
+ - name: infiniband-volume
+ hostPath:
+ path: /dev/infiniband/
\ No newline at end of file
diff --git a/stable/aws-efa-k8s-device-plugin/values.yaml b/stable/aws-efa-k8s-device-plugin/values.yaml
index 5691a9771..6900c50a5 100644
--- a/stable/aws-efa-k8s-device-plugin/values.yaml
+++ b/stable/aws-efa-k8s-device-plugin/values.yaml
@@ -1,7 +1,7 @@
 image:
 repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.4.4"
+ tag: "v0.5.1"
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
From 893efca068bc0b63518c2c8eae5f6346adbc3845 Mon Sep 17 00:00:00 2001
From: Joseph Chen <76720045+jchen6585@users.noreply.github.com>
Date: Fri, 24 May 2024 16:22:59 -0700
Subject: [PATCH 19/19] EFA v0.5.2 release (#1110)
Co-authored-by: Joseph Chen
---
 stable/aws-efa-k8s-device-plugin/Chart.yaml | 4 ++--
 stable/aws-efa-k8s-device-plugin/README.md | 2 +-
 stable/aws-efa-k8s-device-plugin/values.yaml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
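Review bot: The new `infiniband-volume` hostPath in the daemonset hunk has no `type:` and its volumeMount has no `readOnly:`, so the whole `/dev/infiniband/` device directory is bind-mounted read-write with no check that it exists; on a node without EFA hardware the unchecked default type does not fail fast and, depending on the runtime, may leave an empty directory created under `/dev`. Add `type: Directory` under the new `hostPath` so the pod fails visibly on nodes that lack the devices, and if the plugin only enumerates the device nodes, add `readOnly: true` on the mount — worth confirming against what the plugin actually opens. The `\ No newline at end of file` marker also survives on the new side; ending the file with a newline is an easy cleanup. The container spec this belongs to starts outside the hunk.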
diff --git a/stable/aws-efa-k8s-device-plugin/Chart.yaml b/stable/aws-efa-k8s-device-plugin/Chart.yaml
index af00a1493..e74928376 100644
--- a/stable/aws-efa-k8s-device-plugin/Chart.yaml
+++ b/stable/aws-efa-k8s-device-plugin/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: aws-efa-k8s-device-plugin
 description: A Helm chart for EFA device plugin.
-version: v0.5.1
-appVersion: "v0.5.1"
+version: v0.5.2
+appVersion: "v0.5.2"
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/stable/aws-efa-k8s-device-plugin/README.md b/stable/aws-efa-k8s-device-plugin/README.md
index 39229dbc7..3d0e12ab8 100644
--- a/stable/aws-efa-k8s-device-plugin/README.md
+++ b/stable/aws-efa-k8s-device-plugin/README.md
@@ -22,7 +22,7 @@ helm install efa ./aws-efa-k8s-device-plugin -n kube-system
 Paramter | Description | Default
 --- | --- | ---
 `image.repository` | EFA image repository | `602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin`
-`image.tag` | EFA image tag | `v0.4.4`
+`image.tag` | EFA image tag | `v0.5.2`
 `securityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privilege than its parent process | `false`
 `securityContext` | EFA plugin security context | `capabilities: drop: ["ALL"] runAsNonRoot: false`
 `supportedInstanceLabels.keys` | Kubernetes key to interpret as instance type | `nodes.kubernetes.io/instance-type`
diff --git a/stable/aws-efa-k8s-device-plugin/values.yaml b/stable/aws-efa-k8s-device-plugin/values.yaml
index 6900c50a5..a2880028e 100644
--- a/stable/aws-efa-k8s-device-plugin/values.yaml
+++ b/stable/aws-efa-k8s-device-plugin/values.yaml
@@ -1,7 +1,7 @@
 image:
 repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efa-k8s-device-plugin
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.5.1"
+ tag: "v0.5.2"
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -139,4 +139,4 @@ additionalPodAnnotations: {}
 additionalPodLabels: {}
 nameOverride: ""
 fullnameOverride: ""
-imagePullSecrets: []
\ No newline at end of file
+imagePullSecrets: []