diff --git a/helm/aws-load-balancer-controller/Chart.yaml b/helm/aws-load-balancer-controller/Chart.yaml
index 508d36d8a..57ade760b 100644
--- a/helm/aws-load-balancer-controller/Chart.yaml
+++ b/helm/aws-load-balancer-controller/Chart.yaml
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
 version: 1.2.10
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 2c215cdbd..ea053c757 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -26,6 +26,7 @@ AWS Load Balancer controller manages the following AWS resources
 - 1.18.18+ for 1.18
 - 1.19.10+ for 1.19
 - IAM permissions
+- Helm v3 is needed
 The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
@@ -187,6 +188,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
+| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `false` |
 | `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
 | `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
 | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
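Review bot: Raising `apiVersion` to v2 makes the chart Helm 3-only, yet `version: 1.2.10` stays unchanged in this diff, so a Helm 2 user fetching the same chart version would most likely see it fail at install time with no hint from the version history. Consider bumping the chart `version` in the same change so the compatibility break is visible to upgrade tooling, not only in the README sentence added on this page. The README hunks here are documentation and need nothing further.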
diff --git a/helm/aws-load-balancer-controller/templates/_helpers.tpl b/helm/aws-load-balancer-controller/templates/_helpers.tpl
index d110a5601..7d8188bdf 100644
--- a/helm/aws-load-balancer-controller/templates/_helpers.tpl
+++ b/helm/aws-load-balancer-controller/templates/_helpers.tpl
@@ -76,12 +76,17 @@ Create the name of the service account to use
 Generate certificates for webhook
 */}}
 {{- define "aws-load-balancer-controller.webhook-certs" -}}
+{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" $namePrefix) -}}
 {{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
 caCert: {{ .Values.webhookTLS.caCert | b64enc }}
 clientCert: {{ .Values.webhookTLS.cert | b64enc }}
 clientKey: {{ .Values.webhookTLS.key | b64enc }}
+{{- else if and .Values.keepTLSSecret $secret -}}
+caCert: {{ index $secret.data "ca.crt" }}
+clientCert: {{ index $secret.data "tls.crt" }}
+clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
 {{- $altNames := list ( printf "%s-%s.%s" $namePrefix "webhook-service" .Release.Namespace ) ( printf "%s-%s.%s.svc" $namePrefix "webhook-service" .Release.Namespace ) -}}
 {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
 {{- $cert := genSignedCert ( include "aws-load-balancer-controller.fullname" . ) nil $altNames 3650 $ca -}}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 32706c9fa..2bfdb9485 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -133,6 +133,9 @@ webhookTLS:
 cert:
 key:
+# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade keepTLSSecret: false
+
 # Maximum number of concurrently running reconcile loops for service (default 3)
 serviceMaxConcurrentReconciles:
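Review bot: In the new `else if` branch the three `index $secret.data ...` reads render an empty value when the existing Secret is present but lacks one of the `ca.crt`/`tls.crt`/`tls.key` keys (e.g. a Secret of the same name that was created by hand or by another tool), so the webhook would be deployed with a blank certificate or key and only fail once it tries to serve TLS. Wrapping each value makes that a render-time error instead: `caCert: {{ required "existing TLS secret is missing ca.crt" (index $secret.data "ca.crt") }}`, and the same for `tls.crt` and `tls.key`. The Secret name is derived as `<namePrefix>-tls`; the Secret template that creates it is not in this diff, so please confirm the name it uses matches, otherwise `lookup` silently misses and a new certificate is generated on every upgrade despite `keepTLSSecret`.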
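Review bot: The comment on the new `keepTLSSecret` key leaves out two conditions a user would want to know before relying on it for upgrades: the helper checks `webhookTLS.caCert/cert/key` first, so the flag is ignored whenever all three are set, and `lookup` returns an empty result under `helm template` or `--dry-run`, so in those modes the branch is never taken and a fresh certificate is rendered. I would extend the comment to `# keepTLSSecret specifies whether to reuse the existing TLS secret on chart upgrade. Ignored when webhookTLS.caCert/cert/key are all set, and has no effect under 'helm template' or '--dry-run', where the cluster is not queried and a new certificate is generated.` That also explains why the lint script on this page, which only runs `helm template`, cannot exercise the reuse path.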
diff --git a/test/helm/helm-lint.sh b/test/helm/helm-lint.sh
index 46f648d66..424d00eab 100755
--- a/test/helm/helm-lint.sh
+++ b/test/helm/helm-lint.sh
@@ -7,7 +7,6 @@ SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
 TMP_DIR="$SCRIPTPATH/../../build"
 PLATFORM=$(uname | tr '[:upper:]' '[:lower:]')
 HELM3_VERSION="3.3.1"
-HELM2_VERSION="2.16.10"
 HELM_DIR="${SCRIPTPATH}/../../helm"
 LB_HELM_CHART=${HELM_DIR}/aws-load-balancer-controller
@@ -21,13 +20,6 @@ if [ ! -x "$TMP_DIR/helm" ]; then
 echo " Downloaded the \"helm\" binary"
 fi
-if [ ! -x "$TMP_DIR/helm2" ]; then
- echo " Downloading the \"helm2\" binary"
- curl -L https://get.helm.sh/helm-v$HELM2_VERSION-$PLATFORM-amd64.tar.gz | tar zxf - -C $TMP_DIR
- mv $TMP_DIR/$PLATFORM-amd64/helm $TMP_DIR/helm2
- chmod +x $TMP_DIR/helm2
- echo " Downloaded the \"helm2\" binary"
-fi
 export PATH=$TMP_DIR:$PATH
 echo "=============================================================================="
@@ -35,23 +27,9 @@ echo " Linting Helm Chart w/ Helm v3"
 echo "=============================================================================="
 helm lint $LB_HELM_CHART
-echo "=============================================================================="
-echo " Linting Helm Chart w/ Helm v2"
-echo "=============================================================================="
-helm2 lint $LB_HELM_CHART
-
-echo " Helm Linting for v2 and v3 have successfully completed!"
-
 echo "=============================================================================="
 echo " Generate Template w/ Helm v3"
 echo "=============================================================================="
 helm template aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
-echo "=============================================================================="
-echo " Generate Template w/ Helm v2"
-echo "=============================================================================="
-
-helm2 template --name aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
-
-echo " Helm template generation for v2 and v3 have successfully completed!"