From 56d1aff291d34f7f935f5a3f6c09c06b10362fa8 Mon Sep 17 00:00:00 2001 From: eks-bot Date: Tue, 12 Sep 2023 11:18:01 -0700 Subject: [PATCH 1/4] aws-load-balancer-controller: v2.6.1 --- .../aws-load-balancer-controller/Chart.yaml | 4 +- .../Chart.yaml.bak | 22 ++ stable/aws-load-balancer-controller/README.md | 6 +- stable/aws-load-balancer-controller/test.yaml | 2 +- .../test.yaml.bak | 326 ++++++++++++++++ .../aws-load-balancer-controller/values.yaml | 2 +- .../values.yaml.bak | 353 ++++++++++++++++++ 7 files changed, 710 insertions(+), 5 deletions(-) create mode 100644 stable/aws-load-balancer-controller/Chart.yaml.bak create mode 100644 stable/aws-load-balancer-controller/test.yaml.bak create mode 100644 stable/aws-load-balancer-controller/values.yaml.bak diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml index e10c2fe1f..a980f624d 100644 --- a/stable/aws-load-balancer-controller/Chart.yaml +++ b/stable/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.6.0 -appVersion: v2.6.0 +version: 1.6.1 +appVersion: v2.6.1 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/stable/aws-load-balancer-controller/Chart.yaml.bak b/stable/aws-load-balancer-controller/Chart.yaml.bak new file mode 100644 index 000000000..e10c2fe1f --- /dev/null +++ b/stable/aws-load-balancer-controller/Chart.yaml.bak 
@@ -0,0 +1,22 @@ +apiVersion: v2 +name: aws-load-balancer-controller +description: AWS Load Balancer Controller Helm chart for Kubernetes +version: 1.6.0 +appVersion: v2.6.0 +home: https://github.com/aws/eks-charts +icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png +sources: + - https://github.com/aws/eks-charts +maintainers: + - name: kishorj + url: https://github.com/kishorj + email: kishorj@users.noreply.github.com + - name: m00nf1sh + url: https://github.com/m00nf1sh + email: m00nf1sh@users.noreply.github.com +keywords: + - eks + - alb + - load balancer + - ingress + - nlb diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md index ee4be9aad..452408528 100644 --- a/stable/aws-load-balancer-controller/README.md +++ b/stable/aws-load-balancer-controller/README.md @@ -22,7 +22,11 @@ AWS Load Balancer controller manages the following AWS resources As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes). ## Prerequisites -- Kubernetes >= 1.19 +- Supported Kubernetes Versions + - Chart version v1.5.0+ requires Kubernetes 1.22+ + - Chart version v1.4.0+ requires Kubernetes 1.19+ + - Chart version v1.2.0 - v1.3.3 supports Kubernetes 1.16-1.21 + - Chart version v1.1.6 and before supports Kubernetes 1.15 - IAM permissions - Helm v3 - Optional dependencies diff --git a/stable/aws-load-balancer-controller/test.yaml b/stable/aws-load-balancer-controller/test.yaml index 207369ce2..0b1db3513 100644 --- a/stable/aws-load-balancer-controller/test.yaml +++ b/stable/aws-load-balancer-controller/test.yaml 
@@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.0 + tag: v2.6.1 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/stable/aws-load-balancer-controller/test.yaml.bak b/stable/aws-load-balancer-controller/test.yaml.bak new file mode 100644 index 000000000..207369ce2 --- /dev/null +++ b/stable/aws-load-balancer-controller/test.yaml.bak 
@@ -0,0 +1,326 @@ +# Default values for aws-load-balancer-controller. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 2 + +image: + repository: public.ecr.aws/eks/aws-load-balancer-controller + tag: v2.6.0 + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + # List of image pull secrets to add to the Service Account. + imagePullSecrets: + # - name: docker + +rbac: + # Specifies whether rbac resources should be created + create: true + +podSecurityContext: + fsGroup: 65534 + +securityContext: + # capabilities: + # drop: + # - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + +# Time period for the controller pod to do a graceful shutdown +terminationGracePeriodSeconds: 10 + +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +# priorityClassName specifies the PriorityClass to indicate the importance of controller pods +# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: system-cluster-critical + +nodeSelector: {} + +tolerations: [] + +# affinity specifies a custom affinity for the controller pods +affinity: {} + +# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent +# co-location on the same node. This will get ignored if you specify a custom affinity configuration. 
+configureDefaultAffinity: true + +# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to +# control how Pods are spread across your cluster among failure-domains such as regions, zones, +# nodes, and other user-defined topology domains. +# +# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: {} + +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + +# serviceAnnotations contains annotations to be added to the provisioned webhook service resource +serviceAnnotations: {} + +# deploymentAnnotations contains annotations for the controller deployment +deploymentAnnotations: {} + +podAnnotations: {} + +podLabels: {} + +# additionalLabels -- Labels to add to each object of the chart. +additionalLabels: {} + +# Enable cert-manager +enableCertManager: false + +# The name of the Kubernetes cluster. A non-empty value is required +clusterName: test-cluster + +# cluster contains configurations specific to the kubernetes cluster +cluster: + # Cluster DNS domain (required for requesting TLS certificates) + dnsDomain: cluster.local + +# The ingress class this controller will satisfy. If not specified, controller will match all +# ingresses without ingress class annotation and ingresses of type alb +ingressClass: alb + +# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. +ingressClassParams: + create: true + # The name of ingressClassParams resource will be referred in ingressClass + name: + spec: {} + # You always can set specifications in `helm install` command through `--set` or `--set-string` + # If you do want to specify specifications in values.yaml, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'spec:'. 
+ # namespaceSelector: + # matchLabels: + # group: + # scheme: + # ipAddressType: + # tags: + +# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. +# If specified as true, the IngressClass resource will be created. +createIngressClassResource: true + +# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. +region: + +# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically +vpcId: + +# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) +awsApiEndpoints: + +# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) +# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" +awsApiThrottle: + +# Maximum retries for AWS APIs (default 10) +awsMaxRetries: + + + + +# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) +enablePodReadinessGateInject: + +# Enable Shield addon for ALB (default true) +enableShield: + +# Enable WAF addon for ALB (default true) +enableWaf: + +# Enable WAF V2 addon for ALB (default true) +enableWafv2: + +# Maximum number of concurrently running reconcile loops for ingress (default 3) +ingressMaxConcurrentReconciles: + +# Set the controller log level - info(default), debug (default "info") +logLevel: + +# The address the metric endpoint binds to. (default ":8080") +metricsBindAddr: "" + +# The TCP port the Webhook server binds to. 
(default 9443) +webhookBindPort: + +# webhookTLS specifies TLS cert/key for the webhook +webhookTLS: + caCert: + cert: + key: + +# array of namespace selectors for the webhook +webhookNamespaceSelectors: + - key: elbv2.k8s.aws/pod-readiness-gate-inject + operator: In + values: + - enabled + +# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade +keepTLSSecret: true + +# Maximum number of concurrently running reconcile loops for service (default 3) +serviceMaxConcurrentReconciles: + +# Maximum number of concurrently running reconcile loops for targetGroupBinding +targetgroupbindingMaxConcurrentReconciles: + +# Maximum duration of exponential backoff for targetGroupBinding reconcile failures +targetgroupbindingMaxExponentialBackoffDelay: + +# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) +syncPeriod: + +# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. +watchNamespace: + +# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default +disableIngressClassAnnotation: + +# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default +disableIngressGroupNameAnnotation: + +# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners +defaultSSLPolicy: + +# Liveness probe configuration for the controller +livenessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 61779 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 10 + +# Environment variables to set for aws-load-balancer-controller pod. +# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or +# comparable solutions like kube2iam, kiam etc instead. +env: +# ENV_1: "" +# ENV_2: "" + +# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 
+# +# This is required if using a custom CNI where the managed control plane nodes are unable to initiate +# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or +# recommended if using the Amazon VPC CNI plugin. +hostNetwork: false + +# Specifies the dnsPolicy that should be used for pods in the deployment +# +# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI +# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` +# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: + +# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster +extraVolumeMounts: + - name: aws-iam-token + mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + readOnly: true + +# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. +extraVolumes: + - name: aws-iam-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: sts.amazonaws.com + expirationSeconds: 86400 + path: token + +# defaultTags are the tags to apply to all AWS resources managed by this controller +defaultTags: + default_tag1: value1 + default_tag2: value2 + +# podDisruptionBudget specifies the disruption budget for the controller pods. 
+# Disruption budget will be configured only when the replicaCount is greater than 1 +podDisruptionBudget: + maxUnavailable: 1 + +# externalManagedTags is the list of tag keys on AWS resources that will be managed externally +externalManagedTags: [] + +# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) +enableEndpointSlices: + +# enableBackendSecurityGroup enables shared security group for backend traffic (default true) +enableBackendSecurityGroup: + +# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) +backendSecurityGroup: + +# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic +disableRestrictedSecurityGroupRules: + +# controllerConfig specifies controller configuration +controllerConfig: + # featureGates set of key: value pairs that describe AWS load balance controller features + featureGates: {} + # ServiceTypeLoadBalancerOnly: true + # EndpointsFailOpen: true + +# objectSelector for webhook +objectSelector: + matchExpressions: + # - key: + # operator: + # values: + # - + matchLabels: + # key: value + +serviceMonitor: + # Specifies whether a service monitor should be created + enabled: false + # Labels to add to the service account + additionalLabels: {} + # Prometheus scrape interval + interval: 1m + # Namespace to create the service monitor in + namespace: + +# clusterSecretsPermissions lets you configure RBAC permissions for secret resources +# Access to secrets resource is required only if you use the OIDC feature, and instead of +# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. +# This option is for backwards compatibility only, and will potentially be deprecated in future. +clusterSecretsPermissions: + # allowAllSecrets allows the controller to access all secrets in the cluster. 
+ # This is to get backwards compatible behavior, but *NOT* recommended for security reasons + allowAllSecrets: false + +# ingressClassConfig contains configurations specific to the ingress class +ingressClassConfig: + default: false diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml index 649e86516..1147fb24a 100644 --- a/stable/aws-load-balancer-controller/values.yaml +++ b/stable/aws-load-balancer-controller/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.0 + tag: v2.6.1 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/stable/aws-load-balancer-controller/values.yaml.bak b/stable/aws-load-balancer-controller/values.yaml.bak new file mode 100644 index 000000000..649e86516 --- /dev/null +++ b/stable/aws-load-balancer-controller/values.yaml.bak 
@@ -0,0 +1,353 @@ +# Default values for aws-load-balancer-controller. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 2 + +image: + repository: public.ecr.aws/eks/aws-load-balancer-controller + tag: v2.6.0 + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + # List of image pull secrets to add to the Service Account. + imagePullSecrets: + # - name: docker + +rbac: + # Specifies whether rbac resources should be created + create: true + +podSecurityContext: + fsGroup: 65534 + +securityContext: + # capabilities: + # drop: + # - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + +# Time period for the controller pod to do a graceful shutdown +terminationGracePeriodSeconds: 10 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# priorityClassName specifies the PriorityClass to indicate the importance of controller pods +# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: system-cluster-critical + +nodeSelector: {} + +tolerations: [] + +# affinity specifies a custom affinity for the controller pods +affinity: {} + +# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent +# co-location on the same node. This will get ignored if you specify a custom affinity configuration. +configureDefaultAffinity: true + +# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to +# control how Pods are spread across your cluster among failure-domains such as regions, zones, +# nodes, and other user-defined topology domains. +# +# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: {} + +updateStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 1 + # maxUnavailable: 1 + +# serviceAnnotations contains annotations to be added to the provisioned webhook service resource +serviceAnnotations: {} + +# deploymentAnnotations contains annotations for the controller deployment +deploymentAnnotations: {} + +podAnnotations: {} + +podLabels: {} + +# additionalLabels -- Labels to add to each object of the chart. +additionalLabels: {} + +# Enable cert-manager +enableCertManager: false + +# The name of the Kubernetes cluster. A non-empty value is required +clusterName: + +# cluster contains configurations specific to the kubernetes cluster +cluster: + # Cluster DNS domain (required for requesting TLS certificates) + dnsDomain: cluster.local + +# The ingress class this controller will satisfy. 
If not specified, controller will match all +# ingresses without ingress class annotation and ingresses of type alb +ingressClass: alb + +# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. +ingressClassParams: + create: true + # The name of ingressClassParams resource will be referred in ingressClass + name: + spec: {} + # Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource. + # We recommend creating ingressClassParams resources separately after installing this chart and the + # controller is functional. + # + # You can set the specifications in the `helm install` command through `--set` or `--set-string` + # If you do want to specify in the values.yaml, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'spec:' + # + # namespaceSelector: + # matchLabels: + # group: + # scheme: + # ipAddressType: + # tags: + # loadBalancerAttributes: + # - key: + # value: + +# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. +# If specified as true, the IngressClass resource will be created. +createIngressClassResource: true + +# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. +region: + +# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically +vpcId: + +# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) +awsApiEndpoints: + +# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) +# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" +awsApiThrottle: + +# Maximum retries for AWS APIs (default 10) +awsMaxRetries: + +# Default target type. 
Used as the default value of the "alb.ingress.kubernetes.io/target-type" and +# "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations. +# Possible values are "ip" and "instance" +# The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI, +# Calico with encapsulation disabled, or Cilium with masquerading disabled. +# The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or +# Cilium with masquerading enabled. +defaultTargetType: instance + +# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) +enablePodReadinessGateInject: + +# Enable Shield addon for ALB (default true) +enableShield: + +# Enable WAF addon for ALB (default true) +enableWaf: + +# Enable WAF V2 addon for ALB (default true) +enableWafv2: + +# Maximum number of concurrently running reconcile loops for ingress (default 3) +ingressMaxConcurrentReconciles: + +# Set the controller log level - info(default), debug (default "info") +logLevel: + +# The address the metric endpoint binds to. (default ":8080") +metricsBindAddr: "" + +# The TCP port the Webhook server binds to. 
(default 9443) +webhookBindPort: + +# webhookTLS specifies TLS cert/key for the webhook +webhookTLS: + caCert: + cert: + key: + +# array of namespace selectors for the webhook +webhookNamespaceSelectors: +# - key: elbv2.k8s.aws/pod-readiness-gate-inject +# operator: In +# values: +# - enabled + +# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade +keepTLSSecret: true + +# Maximum number of concurrently running reconcile loops for service (default 3) +serviceMaxConcurrentReconciles: + +# Maximum number of concurrently running reconcile loops for targetGroupBinding +targetgroupbindingMaxConcurrentReconciles: + +# Maximum duration of exponential backoff for targetGroupBinding reconcile failures +targetgroupbindingMaxExponentialBackoffDelay: + +# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s) +syncPeriod: + +# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. +watchNamespace: + +# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default +disableIngressClassAnnotation: + +# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default +disableIngressGroupNameAnnotation: + +# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners +defaultSSLPolicy: + +# Liveness probe configuration for the controller +livenessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 61779 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 10 + +# Environment variables to set for aws-load-balancer-controller pod. +# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or +# comparable solutions like kube2iam, kiam etc instead. +env: + # ENV_1: "" + # ENV_2: "" + +# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 
+# +# This is required if using a custom CNI where the managed control plane nodes are unable to initiate +# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or +# recommended if using the Amazon VPC CNI plugin. +hostNetwork: false + +# Specifies the dnsPolicy that should be used for pods in the deployment +# +# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI +# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` +# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: + +# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster +extraVolumeMounts: + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + +# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. +extraVolumes: + # - name: aws-iam-token + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + +# defaultTags are the tags to apply to all AWS resources managed by this controller +defaultTags: {} + # default_tag1: value1 + # default_tag2: value2 + +# podDisruptionBudget specifies the disruption budget for the controller pods. 
+# Disruption budget will be configured only when the replicaCount is greater than 1 +podDisruptionBudget: {} +# maxUnavailable: 1 + +# externalManagedTags is the list of tag keys on AWS resources that will be managed externally +externalManagedTags: [] + +# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) +enableEndpointSlices: + +# enableBackendSecurityGroup enables shared security group for backend traffic (default true) +enableBackendSecurityGroup: + +# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) +backendSecurityGroup: + +# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic +disableRestrictedSecurityGroupRules: + +# controllerConfig specifies controller configuration +controllerConfig: + # featureGates set of key: value pairs that describe AWS load balance controller features + featureGates: {} + # ListenerRulesTagging: true + # WeightedTargetGroups: true + # ServiceTypeLoadBalancerOnly: false + # EndpointsFailOpen: true + # EnableServiceController: true + # EnableIPTargetType: true + # SubnetsClusterTagCheck: true + # NLBHealthCheckAdvancedConfig: true + +# objectSelector for webhook +objectSelector: + matchExpressions: + # - key: + # operator: + # values: + # - + matchLabels: + # key: value + +serviceMonitor: + # Specifies whether a service monitor should be created + enabled: false + # Labels to add to the service account + additionalLabels: {} + # Prometheus scrape interval + interval: 1m + # Namespace to create the service monitor in + namespace: + +# clusterSecretsPermissions lets you configure RBAC permissions for secret resources +# Access to secrets resource is required only if you use the OIDC feature, and instead of +# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. 
+# This option is for backwards compatibility only, and will potentially be deprecated in future. +clusterSecretsPermissions: + # allowAllSecrets allows the controller to access all secrets in the cluster. + # This is to get backwards compatible behavior, but *NOT* recommended for security reasons + allowAllSecrets: false + +# ingressClassConfig contains configurations specific to the ingress class +ingressClassConfig: + default: false + +# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer +enableServiceMutatorWebhook: true From b9dc38c1c5b0691fc7b069087572a30240fe692d Mon Sep 17 00:00:00 2001 From: M00nF1sh Date: Tue, 12 Sep 2023 11:19:36 -0700 Subject: [PATCH 2/4] Delete stable/aws-load-balancer-controller/Chart.yaml.bak --- .../Chart.yaml.bak | 22 ------------------- 1 file changed, 22 deletions(-) delete mode 100644 stable/aws-load-balancer-controller/Chart.yaml.bak diff --git a/stable/aws-load-balancer-controller/Chart.yaml.bak b/stable/aws-load-balancer-controller/Chart.yaml.bak deleted file mode 100644 index e10c2fe1f..000000000 --- a/stable/aws-load-balancer-controller/Chart.yaml.bak +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v2 -name: aws-load-balancer-controller -description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.6.0 -appVersion: v2.6.0 -home: https://github.com/aws/eks-charts -icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png -sources: - - https://github.com/aws/eks-charts -maintainers: - - name: kishorj - url: https://github.com/kishorj - email: kishorj@users.noreply.github.com - - name: m00nf1sh - url: https://github.com/m00nf1sh - email: m00nf1sh@users.noreply.github.com -keywords: - - eks - - alb - - load balancer - - ingress - - nlb From 9e7647c81e552a9e385dfbb2d417ed60405dac1d Mon Sep 17 00:00:00 2001 
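Review bot: `values.yaml.bak` is a stale copy of the pre-bump `values.yaml` (its blob `649e86516` is the old side of the `values.yaml` index line above) and should not be committed next to the chart. Unless `.helmignore` already excludes `*.bak` (not visible in this series), `helm package` will ship it inside the chart tarball, and because it still pins `tag: v2.6.0` anyone who passes it with `-f` by mistake silently deploys the previous controller image. Patches 2/4 and 3/4 remove `Chart.yaml.bak` and `test.yaml.bak`; if 4/4 does not do the same for this file, drop it from this commit rather than in a follow-up, and consider adding a `*.bak` line to the chart's `.helmignore` so the next automated bump cannot leak a backup the same way.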
From: M00nF1sh Date: Tue, 12 Sep 2023 11:19:56 -0700 Subject: [PATCH 3/4] Delete stable/aws-load-balancer-controller/test.yaml.bak --- .../test.yaml.bak | 326 ------------------ 1 file changed, 326 deletions(-) delete mode 100644 stable/aws-load-balancer-controller/test.yaml.bak diff --git a/stable/aws-load-balancer-controller/test.yaml.bak b/stable/aws-load-balancer-controller/test.yaml.bak deleted file mode 100644 index 207369ce2..000000000 --- a/stable/aws-load-balancer-controller/test.yaml.bak +++ /dev/null 
@@ -1,326 +0,0 @@ -# Default values for aws-load-balancer-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 - -image: - repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.0 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - # List of image pull secrets to add to the Service Account. - imagePullSecrets: - # - name: docker - -rbac: - # Specifies whether rbac resources should be created - create: true - -podSecurityContext: - fsGroup: 65534 - -securityContext: - # capabilities: - # drop: - # - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - allowPrivilegeEscalation: false - -# Time period for the controller pod to do a graceful shutdown -terminationGracePeriodSeconds: 10 - -resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - -# priorityClassName specifies the PriorityClass to indicate the importance of controller pods -# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: system-cluster-critical - -nodeSelector: {} - -tolerations: [] - -# affinity specifies a custom affinity for the controller pods -affinity: {} - -# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent -# co-location on the same node. This will get ignored if you specify a custom affinity configuration. 
-configureDefaultAffinity: true - -# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to -# control how Pods are spread across your cluster among failure-domains such as regions, zones, -# nodes, and other user-defined topology domains. -# -# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: {} - -updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - -# serviceAnnotations contains annotations to be added to the provisioned webhook service resource -serviceAnnotations: {} - -# deploymentAnnotations contains annotations for the controller deployment -deploymentAnnotations: {} - -podAnnotations: {} - -podLabels: {} - -# additionalLabels -- Labels to add to each object of the chart. -additionalLabels: {} - -# Enable cert-manager -enableCertManager: false - -# The name of the Kubernetes cluster. A non-empty value is required -clusterName: test-cluster - -# cluster contains configurations specific to the kubernetes cluster -cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local - -# The ingress class this controller will satisfy. If not specified, controller will match all -# ingresses without ingress class annotation and ingresses of type alb -ingressClass: alb - -# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. -ingressClassParams: - create: true - # The name of ingressClassParams resource will be referred in ingressClass - name: - spec: {} - # You always can set specifications in `helm install` command through `--set` or `--set-string` - # If you do want to specify specifications in values.yaml, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'spec:'. 
- # namespaceSelector: - # matchLabels: - # group: - # scheme: - # ipAddressType: - # tags: - -# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. -# If specified as true, the IngressClass resource will be created. -createIngressClassResource: true - -# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. -region: - -# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically -vpcId: - -# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) -awsApiEndpoints: - -# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) -# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" -awsApiThrottle: - -# Maximum retries for AWS APIs (default 10) -awsMaxRetries: - - - - -# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) -enablePodReadinessGateInject: - -# Enable Shield addon for ALB (default true) -enableShield: - -# Enable WAF addon for ALB (default true) -enableWaf: - -# Enable WAF V2 addon for ALB (default true) -enableWafv2: - -# Maximum number of concurrently running reconcile loops for ingress (default 3) -ingressMaxConcurrentReconciles: - -# Set the controller log level - info(default), debug (default "info") -logLevel: - -# The address the metric endpoint binds to. (default ":8080") -metricsBindAddr: "" - -# The TCP port the Webhook server binds to. 
(default 9443) -webhookBindPort: - -# webhookTLS specifies TLS cert/key for the webhook -webhookTLS: - caCert: - cert: - key: - -# array of namespace selectors for the webhook -webhookNamespaceSelectors: - - key: elbv2.k8s.aws/pod-readiness-gate-inject - operator: In - values: - - enabled - -# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade -keepTLSSecret: true - -# Maximum number of concurrently running reconcile loops for service (default 3) -serviceMaxConcurrentReconciles: - -# Maximum number of concurrently running reconcile loops for targetGroupBinding -targetgroupbindingMaxConcurrentReconciles: - -# Maximum duration of exponential backoff for targetGroupBinding reconcile failures -targetgroupbindingMaxExponentialBackoffDelay: - -# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) -syncPeriod: - -# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. -watchNamespace: - -# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default -disableIngressClassAnnotation: - -# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default -disableIngressGroupNameAnnotation: - -# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners -defaultSSLPolicy: - -# Liveness probe configuration for the controller -livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: 61779 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 10 - -# Environment variables to set for aws-load-balancer-controller pod. -# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or -# comparable solutions like kube2iam, kiam etc instead. -env: -# ENV_1: "" -# ENV_2: "" - -# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 
-# -# This is required if using a custom CNI where the managed control plane nodes are unable to initiate -# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or -# recommended if using the Amazon VPC CNI plugin. -hostNetwork: false - -# Specifies the dnsPolicy that should be used for pods in the deployment -# -# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI -# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` -# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -dnsPolicy: - -# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster -extraVolumeMounts: - - name: aws-iam-token - mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount - readOnly: true - -# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. -extraVolumes: - - name: aws-iam-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: sts.amazonaws.com - expirationSeconds: 86400 - path: token - -# defaultTags are the tags to apply to all AWS resources managed by this controller -defaultTags: - default_tag1: value1 - default_tag2: value2 - -# podDisruptionBudget specifies the disruption budget for the controller pods. 
-# Disruption budget will be configured only when the replicaCount is greater than 1 -podDisruptionBudget: - maxUnavailable: 1 - -# externalManagedTags is the list of tag keys on AWS resources that will be managed externally -externalManagedTags: [] - -# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) -enableEndpointSlices: - -# enableBackendSecurityGroup enables shared security group for backend traffic (default true) -enableBackendSecurityGroup: - -# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) -backendSecurityGroup: - -# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic -disableRestrictedSecurityGroupRules: - -# controllerConfig specifies controller configuration -controllerConfig: - # featureGates set of key: value pairs that describe AWS load balance controller features - featureGates: {} - # ServiceTypeLoadBalancerOnly: true - # EndpointsFailOpen: true - -# objectSelector for webhook -objectSelector: - matchExpressions: - # - key: - # operator: - # values: - # - - matchLabels: - # key: value - -serviceMonitor: - # Specifies whether a service monitor should be created - enabled: false - # Labels to add to the service account - additionalLabels: {} - # Prometheus scrape interval - interval: 1m - # Namespace to create the service monitor in - namespace: - -# clusterSecretsPermissions lets you configure RBAC permissions for secret resources -# Access to secrets resource is required only if you use the OIDC feature, and instead of -# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. -# This option is for backwards compatibility only, and will potentially be deprecated in future. -clusterSecretsPermissions: - # allowAllSecrets allows the controller to access all secrets in the cluster. 
- # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
- allowAllSecrets: false
-
-# ingressClassConfig contains configurations specific to the ingress class
-ingressClassConfig:
- default: false
From bf81752438f9eb3c9325888322015bcec0b3698d Mon Sep 17 00:00:00 2001
From: M00nF1sh
Date: Tue, 12 Sep 2023 11:20:05 -0700
Subject: [PATCH 4/4] Delete stable/aws-load-balancer-controller/values.yaml.bak
---
 .../values.yaml.bak | 353 ------------------
 1 file changed, 353 deletions(-)
 delete mode 100644 stable/aws-load-balancer-controller/values.yaml.bak
diff --git a/stable/aws-load-balancer-controller/values.yaml.bak b/stable/aws-load-balancer-controller/values.yaml.bak
deleted file mode 100644
index 649e86516..000000000
--- a/stable/aws-load-balancer-controller/values.yaml.bak
+++ /dev/null
@@ -1,353 +0,0 @@ -# Default values for aws-load-balancer-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 - -image: - repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.6.0 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - # List of image pull secrets to add to the Service Account. - imagePullSecrets: - # - name: docker - -rbac: - # Specifies whether rbac resources should be created - create: true - -podSecurityContext: - fsGroup: 65534 - -securityContext: - # capabilities: - # drop: - # - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - allowPrivilegeEscalation: false - -# Time period for the controller pod to do a graceful shutdown -terminationGracePeriodSeconds: 10 - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# priorityClassName specifies the PriorityClass to indicate the importance of controller pods -# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: system-cluster-critical - -nodeSelector: {} - -tolerations: [] - -# affinity specifies a custom affinity for the controller pods -affinity: {} - -# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent -# co-location on the same node. This will get ignored if you specify a custom affinity configuration. -configureDefaultAffinity: true - -# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to -# control how Pods are spread across your cluster among failure-domains such as regions, zones, -# nodes, and other user-defined topology domains. -# -# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: {} - -updateStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 1 - # maxUnavailable: 1 - -# serviceAnnotations contains annotations to be added to the provisioned webhook service resource -serviceAnnotations: {} - -# deploymentAnnotations contains annotations for the controller deployment -deploymentAnnotations: {} - -podAnnotations: {} - -podLabels: {} - -# additionalLabels -- Labels to add to each object of the chart. -additionalLabels: {} - -# Enable cert-manager -enableCertManager: false - -# The name of the Kubernetes cluster. A non-empty value is required -clusterName: - -# cluster contains configurations specific to the kubernetes cluster -cluster: - # Cluster DNS domain (required for requesting TLS certificates) - dnsDomain: cluster.local - -# The ingress class this controller will satisfy. 
If not specified, controller will match all -# ingresses without ingress class annotation and ingresses of type alb -ingressClass: alb - -# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller. -ingressClassParams: - create: true - # The name of ingressClassParams resource will be referred in ingressClass - name: - spec: {} - # Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource. - # We recommend creating ingressClassParams resources separately after installing this chart and the - # controller is functional. - # - # You can set the specifications in the `helm install` command through `--set` or `--set-string` - # If you do want to specify in the values.yaml, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'spec:' - # - # namespaceSelector: - # matchLabels: - # group: - # scheme: - # ipAddressType: - # tags: - # loadBalancerAttributes: - # - key: - # value: - -# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller. -# If specified as true, the IngressClass resource will be created. -createIngressClassResource: true - -# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example. -region: - -# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically -vpcId: - -# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2) -awsApiEndpoints: - -# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst) -# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}" -awsApiThrottle: - -# Maximum retries for AWS APIs (default 10) -awsMaxRetries: - -# Default target type. 
Used as the default value of the "alb.ingress.kubernetes.io/target-type" and -# "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations. -# Possible values are "ip" and "instance" -# The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI, -# Calico with encapsulation disabled, or Cilium with masquerading disabled. -# The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or -# Cilium with masquerading enabled. -defaultTargetType: instance - -# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) -enablePodReadinessGateInject: - -# Enable Shield addon for ALB (default true) -enableShield: - -# Enable WAF addon for ALB (default true) -enableWaf: - -# Enable WAF V2 addon for ALB (default true) -enableWafv2: - -# Maximum number of concurrently running reconcile loops for ingress (default 3) -ingressMaxConcurrentReconciles: - -# Set the controller log level - info(default), debug (default "info") -logLevel: - -# The address the metric endpoint binds to. (default ":8080") -metricsBindAddr: "" - -# The TCP port the Webhook server binds to. 
(default 9443) -webhookBindPort: - -# webhookTLS specifies TLS cert/key for the webhook -webhookTLS: - caCert: - cert: - key: - -# array of namespace selectors for the webhook -webhookNamespaceSelectors: -# - key: elbv2.k8s.aws/pod-readiness-gate-inject -# operator: In -# values: -# - enabled - -# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade -keepTLSSecret: true - -# Maximum number of concurrently running reconcile loops for service (default 3) -serviceMaxConcurrentReconciles: - -# Maximum number of concurrently running reconcile loops for targetGroupBinding -targetgroupbindingMaxConcurrentReconciles: - -# Maximum duration of exponential backoff for targetGroupBinding reconcile failures -targetgroupbindingMaxExponentialBackoffDelay: - -# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s) -syncPeriod: - -# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. -watchNamespace: - -# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default -disableIngressClassAnnotation: - -# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default -disableIngressGroupNameAnnotation: - -# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners -defaultSSLPolicy: - -# Liveness probe configuration for the controller -livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: 61779 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 10 - -# Environment variables to set for aws-load-balancer-controller pod. -# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or -# comparable solutions like kube2iam, kiam etc instead. -env: - # ENV_1: "" - # ENV_2: "" - -# Specifies if aws-load-balancer-controller should be started in hostNetwork mode. 
-# -# This is required if using a custom CNI where the managed control plane nodes are unable to initiate -# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or -# recommended if using the Amazon VPC CNI plugin. -hostNetwork: false - -# Specifies the dnsPolicy that should be used for pods in the deployment -# -# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI -# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy` -# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -dnsPolicy: - -# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster -extraVolumeMounts: - # - name: aws-iam-token - # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount - # readOnly: true - -# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example. -extraVolumes: - # - name: aws-iam-token - # projected: - # defaultMode: 420 - # sources: - # - serviceAccountToken: - # audience: sts.amazonaws.com - # expirationSeconds: 86400 - # path: token - -# defaultTags are the tags to apply to all AWS resources managed by this controller -defaultTags: {} - # default_tag1: value1 - # default_tag2: value2 - -# podDisruptionBudget specifies the disruption budget for the controller pods. 
-# Disruption budget will be configured only when the replicaCount is greater than 1 -podDisruptionBudget: {} -# maxUnavailable: 1 - -# externalManagedTags is the list of tag keys on AWS resources that will be managed externally -externalManagedTags: [] - -# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false) -enableEndpointSlices: - -# enableBackendSecurityGroup enables shared security group for backend traffic (default true) -enableBackendSecurityGroup: - -# backendSecurityGroup specifies backend security group id (default controller auto create backend security group) -backendSecurityGroup: - -# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic -disableRestrictedSecurityGroupRules: - -# controllerConfig specifies controller configuration -controllerConfig: - # featureGates set of key: value pairs that describe AWS load balance controller features - featureGates: {} - # ListenerRulesTagging: true - # WeightedTargetGroups: true - # ServiceTypeLoadBalancerOnly: false - # EndpointsFailOpen: true - # EnableServiceController: true - # EnableIPTargetType: true - # SubnetsClusterTagCheck: true - # NLBHealthCheckAdvancedConfig: true - -# objectSelector for webhook -objectSelector: - matchExpressions: - # - key: - # operator: - # values: - # - - matchLabels: - # key: value - -serviceMonitor: - # Specifies whether a service monitor should be created - enabled: false - # Labels to add to the service account - additionalLabels: {} - # Prometheus scrape interval - interval: 1m - # Namespace to create the service monitor in - namespace: - -# clusterSecretsPermissions lets you configure RBAC permissions for secret resources -# Access to secrets resource is required only if you use the OIDC feature, and instead of -# enabling access to all secrets, we recommend configuring namespaced role/rolebinding. 
-# This option is for backwards compatibility only, and will potentially be deprecated in future.
-clusterSecretsPermissions:
- # allowAllSecrets allows the controller to access all secrets in the cluster.
- # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
- allowAllSecrets: false
-
-# ingressClassConfig contains configurations specific to the ingress class
-ingressClassConfig:
- default: false
-
-# enableServiceMutatorWebhook allows you enable the webhook which makes this controller the default for all new services of type LoadBalancer
-enableServiceMutatorWebhook: true