From c9bb3248c02e61681847091de4c8c3fbec21862e Mon Sep 17 00:00:00 2001
From: Olivia Song
Date: Thu, 30 Sep 2021 12:20:33 -0700
Subject: [PATCH 1/2] Enable Helm chart to reuse existing TLS secrets

---
 helm/aws-load-balancer-controller/README.md | 1 +
 helm/aws-load-balancer-controller/templates/_helpers.tpl | 7 ++++++-
 helm/aws-load-balancer-controller/values.yaml | 3 +++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index b80a5d3f1..293ca6701 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -187,6 +187,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
+| `keepTLSSecret` | Keeps the usage of existing TLS Secret | `false` |
 | `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
 | `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
 | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
diff --git a/helm/aws-load-balancer-controller/templates/_helpers.tpl b/helm/aws-load-balancer-controller/templates/_helpers.tpl
index d110a5601..7d8188bdf 100644
--- a/helm/aws-load-balancer-controller/templates/_helpers.tpl
+++ b/helm/aws-load-balancer-controller/templates/_helpers.tpl
@@ -76,12 +76,17 @@ Create the name of the service account to use
 Generate certificates for webhook
 */}}
 {{- define "aws-load-balancer-controller.webhook-certs" -}}
+{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" $namePrefix) -}}
 {{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
 caCert: {{ .Values.webhookTLS.caCert | b64enc }}
 clientCert: {{ .Values.webhookTLS.cert | b64enc }}
 clientKey: {{ .Values.webhookTLS.key | b64enc }}
+{{- else if and .Values.keepTLSSecret $secret -}}
+caCert: {{ index $secret.data "ca.crt" }}
+clientCert: {{ index $secret.data "tls.crt" }}
+clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
 {{- $altNames := list ( printf "%s-%s.%s" $namePrefix "webhook-service" .Release.Namespace ) ( printf "%s-%s.%s.svc" $namePrefix "webhook-service" .Release.Namespace ) -}}
 {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
 {{- $cert := genSignedCert ( include "aws-load-balancer-controller.fullname" . ) nil $altNames 3650 $ca -}}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 32706c9fa..b7972dbbb 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -133,6 +133,9 @@ webhookTLS:
   cert:
   key:
 
+# keepTLSSecret keeps using the existing TLS secrets, false by default
+keepTLSSecret: false
+
 # Maximum number of concurrently running reconcile loops for service (default 3)
 serviceMaxConcurrentReconciles:
 
From 6b664e5df9bf999d4f2c3a16f9e5ca59d06eebc2 Mon Sep 17 00:00:00 2001
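Review bot: When `keepTLSSecret` is set and the Secret exists, the new `else if` branch reads `ca.crt`, `tls.crt` and `tls.key` out of `$secret.data` without checking that those keys are present, so a Secret with a different key layout renders empty values and the webhook silently ends up with an empty CA bundle or key rather than a failed upgrade. Wrapping each read, e.g. `caCert: {{ required "existing TLS secret is missing ca.crt" (index $secret.data "ca.crt") }}`, turns that into an explicit error at render time. Two properties of this branch also deserve a comment above it: `lookup` returns an empty map under `helm template` and `--dry-run`, so the generated-CA branch runs there and the rendered output differs from a real install, and the reused certificate is taken as-is with no expiry check, so rotation is left entirely to the operator. The `webhook-certs` define continues past the end of the hunk.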
From: Olivia Song
Date: Mon, 4 Oct 2021 12:22:18 -0700
Subject: [PATCH 2/2] Move to Helm v3

---
 helm/aws-load-balancer-controller/Chart.yaml | 2 +-
 helm/aws-load-balancer-controller/README.md | 3 ++-
 helm/aws-load-balancer-controller/values.yaml | 2 +-
 test/helm/helm-lint.sh | 22 -------------------
 4 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/helm/aws-load-balancer-controller/Chart.yaml b/helm/aws-load-balancer-controller/Chart.yaml
index f48cc294f..afe4c24b4 100644
--- a/helm/aws-load-balancer-controller/Chart.yaml
+++ b/helm/aws-load-balancer-controller/Chart.yaml
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
 version: 1.2.9
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 293ca6701..ea3ee3883 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -26,6 +26,7 @@ AWS Load Balancer controller manages the following AWS resources
 - 1.18.18+ for 1.18
 - 1.19.10+ for 1.19
 - IAM permissions
+- Helm v3 is needed
 
 The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. The IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
 
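Review bot: `apiVersion` moves from v1 to v2 while `version: 1.2.9` three lines below stays unchanged, and the first patch already changed `_helpers.tpl` under that same chart version; if 1.2.9 has already been published to a chart repository, a second 1.2.9 with different contents and a different digest would collide in the index and make a rollback to the Helm 2-era chart ambiguous. I would bump `version` in this commit (v2 charts cannot be installed by Helm 2, so a minor bump such as `version: 1.3.0` signals the break) and optionally add `type: application`, which apiVersion v2 supports. Whether 1.2.9 is already published cannot be seen from this diff.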
@@ -187,7 +188,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `webhookTLS.caCert` | TLS CA certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
 | `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
-| `keepTLSSecret` | Keeps the usage of existing TLS Secret | `false` |
+| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `false` |
 | `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
 | `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
 | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index b7972dbbb..2bfdb9485 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -133,7 +133,7 @@ webhookTLS:
   cert:
   key:
 
-# keepTLSSecret keeps using the existing TLS secrets, false by default
+# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
 keepTLSSecret: false
 
 # Maximum number of concurrently running reconcile loops for service (default 3)
diff --git a/test/helm/helm-lint.sh b/test/helm/helm-lint.sh
index 46f648d66..424d00eab 100755
--- a/test/helm/helm-lint.sh
+++ b/test/helm/helm-lint.sh
@@ -7,7 +7,6 @@ SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
 TMP_DIR="$SCRIPTPATH/../../build"
 PLATFORM=$(uname | tr '[:upper:]' '[:lower:]')
 HELM3_VERSION="3.3.1"
-HELM2_VERSION="2.16.10"
 HELM_DIR="${SCRIPTPATH}/../../helm"
 LB_HELM_CHART=${HELM_DIR}/aws-load-balancer-controller
 
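Review bot: The rewritten comment on `keepTLSSecret` in values.yaml says the Secret is reused on upgrade but not how, and the mechanism has two consequences an operator needs to learn from values.yaml alone: the Secret is found with Helm's `lookup`, which returns nothing under `helm template` and `--dry-run` (so rendered output there shows freshly generated certificates), and the reused certificate is used as-is with no expiry check. I would extend the comment along the lines of `# keepTLSSecret: reuse the chart's existing "-tls" Secret, looked up from the cluster, instead of regenerating webhook certs on upgrade; no effect under helm template/--dry-run, and the reused cert's expiry is not checked`. The first patch's version of this comment has the same gap, and the README row for `keepTLSSecret` could carry the same one-line caveat.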
@@ -21,13 +20,6 @@ if [ ! -x "$TMP_DIR/helm" ]; then
   echo " Downloaded the \"helm\" binary"
 fi
 
-if [ ! -x "$TMP_DIR/helm2" ]; then
-  echo " Downloading the \"helm2\" binary"
-  curl -L https://get.helm.sh/helm-v$HELM2_VERSION-$PLATFORM-amd64.tar.gz | tar zxf - -C $TMP_DIR
-  mv $TMP_DIR/$PLATFORM-amd64/helm $TMP_DIR/helm2
-  chmod +x $TMP_DIR/helm2
-  echo " Downloaded the \"helm2\" binary"
-fi
 export PATH=$TMP_DIR:$PATH
 
 echo "=============================================================================="
@@ -35,23 +27,9 @@ echo " Linting Helm Chart w/ Helm v3"
 echo "=============================================================================="
 helm lint $LB_HELM_CHART
 
-echo "=============================================================================="
-echo " Linting Helm Chart w/ Helm v2"
-echo "=============================================================================="
-helm2 lint $LB_HELM_CHART
-
-echo " Helm Linting for v2 and v3 have successfully completed!"
-
 echo "=============================================================================="
 echo " Generate Template w/ Helm v3"
 echo "=============================================================================="
 helm template aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
 
-echo "=============================================================================="
-echo " Generate Template w/ Helm v2"
-echo "=============================================================================="
-
-helm2 template --name aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
-
-echo " Helm template generation for v2 and v3 have successfully completed!"