Merge pull request kubernetes-sigs#2264 from oliviassss/chart_reuse_TLS
Enable Helm chart to reuse existing TLS secrets
k8s-ci-robot authored Oct 5, 2021
2 parents 9cb9759 + 6b664e5 commit 79fdb7f
Showing 5 changed files with 12 additions and 24 deletions.
2 changes: 1 addition & 1 deletion helm/aws-load-balancer-controller/Chart.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
apiVersion: v2
name: aws-load-balancer-controller
description: AWS Load Balancer Controller Helm chart for Kubernetes
version: 1.2.10
2 changes: 2 additions & 0 deletions helm/aws-load-balancer-controller/README.md
Expand Up @@ -26,6 +26,7 @@ AWS Load Balancer controller manages the following AWS resources
- 1.18.18+ for 1.18
- 1.19.10+ for 1.19
- IAM permissions
- Helm v3 is needed

The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The
IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
Expand Down Expand Up @@ -187,6 +188,7 @@ The default values set by the application itself can be confirmed [here](https:/
| `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `false` |
| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
7 changes: 6 additions & 1 deletion helm/aws-load-balancer-controller/templates/_helpers.tpl
Expand Up @@ -76,12 +76,17 @@ Create the name of the service account to use
Generate certificates for webhook
*/}}
{{- define "aws-load-balancer-controller.webhook-certs" -}}
{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" $namePrefix) -}}
{{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
caCert: {{ .Values.webhookTLS.caCert | b64enc }}
clientCert: {{ .Values.webhookTLS.cert | b64enc }}
clientKey: {{ .Values.webhookTLS.key | b64enc }}
{{- else if and .Values.keepTLSSecret $secret -}}
caCert: {{ index $secret.data "ca.crt" }}
clientCert: {{ index $secret.data "tls.crt" }}
clientKey: {{ index $secret.data "tls.key" }}
{{- else -}}
{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
{{- $altNames := list ( printf "%s-%s.%s" $namePrefix "webhook-service" .Release.Namespace ) ( printf "%s-%s.%s.svc" $namePrefix "webhook-service" .Release.Namespace ) -}}
{{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
{{- $cert := genSignedCert ( include "aws-load-balancer-controller.fullname" . ) nil $altNames 3650 $ca -}}
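Review bot: The reuse branch `{{- else if and .Values.keepTLSSecret $secret -}}` only checks that a Secret named `<namePrefix>-tls` exists, not that its `data` carries `ca.crt`, `tls.crt` and `tls.key`; a pre-existing Secret with different or partial keys would render empty `caCert`/`clientCert`/`clientKey` values here instead of falling through to the `genCA`/`genSignedCert` branch, and whatever consumes these values (outside this hunk) would then be given an empty CA bundle and key. Gating the branch on the three keys, e.g. `{{- else if and .Values.keepTLSSecret $secret (hasKey ($secret.data | default dict) "ca.crt") (hasKey ($secret.data | default dict) "tls.crt") (hasKey ($secret.data | default dict) "tls.key") -}}`, keeps regeneration as the fallback for anything that is not a complete secret. Note that `and` in Go templates is not short-circuiting on older Go releases, so the `default dict` guard (or a nested `if`) matters when `$secret` is the empty map `lookup` returns for a missing object. The `define` body runs past the hunk, so I cannot tell whether a later line already validates these fields.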
3 changes: 3 additions & 0 deletions helm/aws-load-balancer-controller/values.yaml
Expand Up @@ -133,6 +133,9 @@ webhookTLS:
cert:
key:

# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
keepTLSSecret: false

# Maximum number of concurrently running reconcile loops for service (default 3)
serviceMaxConcurrentReconciles:

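Review bot: The comment on `keepTLSSecret` should say when reuse actually takes effect, otherwise a user setting it to `true` will expect it to apply everywhere: the helper's `lookup` only sees a live cluster, so (as far as I recall Helm's documented behaviour) `helm template` and `--dry-run` still regenerate the certificate, and the existing `<namePrefix>-tls` Secret must already hold `ca.crt`, `tls.crt` and `tls.key`. Something like `# keepTLSSecret: if true, reuse the existing <namePrefix>-tls Secret (ca.crt/tls.crt/tls.key) on upgrade instead of regenerating the webhook certificate; no effect under helm template or --dry-run, where lookup returns nothing` would make the contract explicit. It is also worth stating that the default `false` keeps the previous behaviour of rotating the certificate on every upgrade.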
22 changes: 0 additions & 22 deletions test/helm/helm-lint.sh
Expand Up @@ -7,7 +7,6 @@ SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
TMP_DIR="$SCRIPTPATH/../../build"
PLATFORM=$(uname | tr '[:upper:]' '[:lower:]')
HELM3_VERSION="3.3.1"
HELM2_VERSION="2.16.10"
HELM_DIR="${SCRIPTPATH}/../../helm"
LB_HELM_CHART=${HELM_DIR}/aws-load-balancer-controller

Expand All @@ -21,37 +20,16 @@ if [ ! -x "$TMP_DIR/helm" ]; then
echo " Downloaded the \"helm\" binary"
fi

if [ ! -x "$TMP_DIR/helm2" ]; then
echo " Downloading the \"helm2\" binary"
curl -L https://get.helm.sh/helm-v$HELM2_VERSION-$PLATFORM-amd64.tar.gz | tar zxf - -C $TMP_DIR
mv $TMP_DIR/$PLATFORM-amd64/helm $TMP_DIR/helm2
chmod +x $TMP_DIR/helm2
echo " Downloaded the \"helm2\" binary"
fi
export PATH=$TMP_DIR:$PATH

echo "=============================================================================="
echo " Linting Helm Chart w/ Helm v3"
echo "=============================================================================="
helm lint $LB_HELM_CHART

echo "=============================================================================="
echo " Linting Helm Chart w/ Helm v2"
echo "=============================================================================="
helm2 lint $LB_HELM_CHART

echo " Helm Linting for v2 and v3 have successfully completed!"

echo "=============================================================================="
echo " Generate Template w/ Helm v3"
echo "=============================================================================="

helm template aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null

echo "=============================================================================="
echo " Generate Template w/ Helm v2"
echo "=============================================================================="

helm2 template --name aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null

echo " Helm template generation for v2 and v3 have successfully completed!"
