
Update to latest lb controller helm release #2

Closed
wants to merge 5 commits into from
30 changes: 15 additions & 15 deletions README.md
Expand Up @@ -4,37 +4,34 @@ This module deploys
[AWS LoadBalancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller)
to a Kubernetes Cluster.

<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2 |
| <a name="requirement_http"></a> [http](#requirement\_http) | >= 2.1 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.2 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2 |
| <a name="provider_http"></a> [http](#provider\_http) | >= 2.1 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.17.1 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.5.1 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 4.0 |
| <a name="module_lb_controller_role"></a> [lb\_controller\_role](#module\_lb\_controller\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 4.21.1 |

## Resources

| Name | Type |
|------|------|
| [aws_iam_role_policy.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [helm_release.release](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [http_http.iam_policy](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |

## Inputs

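Review bot: the Resources table drops `aws_iam_role_policy.controller` and the `http_http.iam_policy` data source (the controller policy was previously fetched over HTTP at plan time) and swaps the `iam_assumable_role_admin` module for `lb_controller_role` (`iam-role-for-service-accounts-eks` ~> 4.21.1), yet the `iam_role_policy` input ("Override the IAM policy for the controller") is still listed in the Inputs table further down; confirm that override is still honoured by the new module or remove the input so users are not given a knob that does nothing. Also, the Providers table now shows exact versions (`aws` 4.17.1, `helm` 2.5.1) while Requirements shows constraints (`>= 4.0`, `>= 2.2`), which looks like terraform-docs reading a committed `.terraform.lock.hcl`; either commit the lock file deliberately or regenerate the docs without it, so the README does not advertise a pin the module does not enforce.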
Expand All @@ -46,9 +43,9 @@ to a Kubernetes Cluster.
| <a name="input_chart_namespace"></a> [chart\_namespace](#input\_chart\_namespace) | Namespace to install the chart into | `string` | `"kube-system"` | no |
| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | Helm repository for the chart | `string` | `"https://aws.github.io/eks-charts"` | no |
| <a name="input_chart_timeout"></a> [chart\_timeout](#input\_chart\_timeout) | Timeout to wait for the Chart to be deployed. | `number` | `300` | no |
| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"1.3.2"` | no |
| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Chart to install. Set to empty to install the latest version | `string` | `"1.4.2"` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of Kubernetes Cluster | `string` | n/a | yes |
| <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | OIDC provider URL for EKS cluster | `string` | n/a | yes |
| <a name="input_create_ingress_class_resource"></a> [create\_ingress\_class\_resource](#input\_create\_ingress\_class\_resource) | To use IngressClass resource instead of annotation, If specified as true, the IngressClass resource will be created. | `bool` | `true` | no |
| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default tags to apply to all AWS resources managed by this controller | `map(string)` | `{}` | no |
| <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager injection of webhook certficates | `bool` | `false` | no |
| <a name="input_enable_pod_readiness_gate_inject"></a> [enable\_pod\_readiness\_gate\_inject](#input\_enable\_pod\_readiness\_gate\_inject) | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true) | `bool` | `true` | no |
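Review bot: `create_ingress_class_resource` defaults to `true`, so every existing deployment that upgrades will start creating an IngressClass resource on the next apply; clusters where that IngressClass already exists (created by hand or by another release) will hit a Helm ownership conflict. State the upgrade step in the PR description (import or delete the existing IngressClass, or set the input to `false`), and tidy the description to "Create the IngressClass resource instead of relying on the ingress class annotation."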
Expand All @@ -61,19 +58,20 @@ to a Kubernetes Cluster.
| <a name="input_fullname_override"></a> [fullname\_override](#input\_fullname\_override) | Full name override for resources | `string` | `""` | no |
| <a name="input_host_network"></a> [host\_network](#input\_host\_network) | Use Host Network for pod | `bool` | `false` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | Description for IAM role for controller | `string` | `"Used by AWS Load Balancer Controller for EKS"` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of IAM role for controller | `string` | `"aws-load-balancer-controller"` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of IAM role for controller | `string` | `""` | no |
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM Role path for controller | `string` | `""` | no |
| <a name="input_iam_role_permission_boundary"></a> [iam\_role\_permission\_boundary](#input\_iam\_role\_permission\_boundary) | Permission boundary ARN for IAM Role for controller | `string` | `""` | no |
| <a name="input_iam_role_policy"></a> [iam\_role\_policy](#input\_iam\_role\_policy) | Override the IAM policy for the controller | `string` | `""` | no |
| <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | Tags for IAM Role for controller | `map(string)` | `{}` | no |
| <a name="input_image_repository"></a> [image\_repository](#input\_image\_repository) | Image repository on Dockerhub | `string` | `"amazon/aws-alb-ingress-controller"` | no |
| <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | Image tag | `string` | `"v2.3.0"` | no |
| <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | Image tag | `string` | `"v2.4.2"` | no |
| <a name="input_ingress_class"></a> [ingress\_class](#input\_ingress\_class) | The ingress class this controller will satisfy. If not specified, controller will match all ingresses without ingress class annotation and ingresses of type alb | `string` | `"alb"` | no |
| <a name="input_ingress_max_concurrent_reconciles"></a> [ingress\_max\_concurrent\_reconciles](#input\_ingress\_max\_concurrent\_reconciles) | Maximum number of concurrently running reconcile loops for ingress (default 3) | `number` | `3` | no |
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Log level. Either `info` or `debug` | `string` | `"info"` | no |
| <a name="input_max_history"></a> [max\_history](#input\_max\_history) | Max History for Helm | `number` | `20` | no |
| <a name="input_metrics_bind_addr"></a> [metrics\_bind\_addr](#input\_metrics\_bind\_addr) | The address the metric endpoint binds to. (default ':8080') | `string` | `":8080"` | no |
| <a name="input_name_override"></a> [name\_override](#input\_name\_override) | Name override for resources | `string` | `""` | no |
| <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | OIDC Provider ARN for IRSA | `string` | n/a | yes |
| <a name="input_pdb"></a> [pdb](#input\_pdb) | PDB for pod | `map(any)` | `{}` | no |
| <a name="input_pod_annotations"></a> [pod\_annotations](#input\_pod\_annotations) | Additional annotations on a pod | `map(string)` | `{}` | no |
| <a name="input_pod_labels"></a> [pod\_labels](#input\_pod\_labels) | Additional labels on a pod | `map(string)` | `{}` | no |
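Review bot: two breaking changes in this hunk are easy to miss: `iam_role_name` moves from `"aws-load-balancer-controller"` to `""`, so users who never set it will most likely get a differently named (re-created) role on apply, and `oidc_provider_arn` becomes a new required input while `cluster_oidc_issuer_url` stays required as well. Call both out in the PR description and changelog and bump the module's major version; if `cluster_oidc_issuer_url` is no longer consumed now that the role comes from `lb_controller_role`, drop it rather than requiring two OIDC inputs that can disagree.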
Expand All @@ -85,7 +83,8 @@ to a Kubernetes Cluster.
| <a name="input_replicas"></a> [replicas](#input\_replicas) | Number of replicas | `number` | `1` | no |
| <a name="input_resources"></a> [resources](#input\_resources) | Pod Resources | `map(any)` | <pre>{<br> "limits": {<br> "cpu": "200m",<br> "memory": "500Mi"<br> },<br> "requests": {<br> "cpu": "100m",<br> "memory": "500Mi"<br> }<br>}</pre> | no |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | Security Context for container | `map(any)` | <pre>{<br> "allowPrivilegeEscalation": false,<br> "readOnlyRootFilesystem": true,<br> "runAsNonRoot": true<br>}</pre> | no |
| <a name="input_service_account_annotations"></a> [service\_account\_annotations](#input\_service\_account\_annotations) | Addiitional Annotations for service account | `map(string)` | `{}` | no |
| <a name="input_service_account_annotations"></a> [service\_account\_annotations](#input\_service\_account\_annotations) | Additional Annotations for service account | `map(string)` | `{}` | no |
| <a name="input_service_account_automount_token"></a> [service\_account\_automount\_token](#input\_service\_account\_automount\_token) | Whether, Automount API credentials for a Service Account. | `bool` | `true` | no |
| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | Name of service account to create. Not generated | `string` | `"aws-load-balancer-controller"` | no |
| <a name="input_service_max_concurrent_reconciles"></a> [service\_max\_concurrent\_reconciles](#input\_service\_max\_concurrent\_reconciles) | Maximum number of concurrently running reconcile loops for service (default 3) | `number` | `3` | no |
| <a name="input_sync_period"></a> [sync\_period](#input\_sync\_period) | Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s) | `string` | `"1h0m0s"` | no |
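Review bot: `service_account_automount_token` defaulting to `true` is the right choice, since the controller needs the projected token to reach the API server, but the description "Whether, Automount API credentials for a Service Account." is a fragment; suggest "Whether to automount the API token into the controller's service account (required unless you mount a token yourself)". The `Addiitional` typo fix is good; as this table is generated, make sure the fix lands in `variables.tf` and the README is regenerated rather than hand-edited (the variables.tf hunk below suggests it does).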
Expand All @@ -104,3 +103,4 @@ to a Kubernetes Cluster.
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role |
| <a name="output_iam_role_path"></a> [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role |
<!-- END_TF_DOCS -->
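Review bot: the `<!-- END_TF_DOCS -->` marker now closes the block opened by `<!-- BEGIN_TF_DOCS -->` at the top of the file; with both markers in place, consider adding a terraform-docs consistency check to CI so the generated tables cannot drift from `variables.tf` again.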
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -20,6 +20,7 @@ locals {
},
var.service_account_annotations,
))
service_account_automount_token = var.service_account_automount_token

pod_security_context = jsonencode(var.pod_security_context)
security_context = jsonencode(var.security_context)
Expand All @@ -43,6 +44,7 @@ locals {

cluster_name = var.cluster_name
ingress_class = var.ingress_class
create_ingress_class_resource = var.create_ingress_class_resource
region = var.region
vpc_id = var.vpc_id
aws_max_retries = var.aws_max_retries
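Review bot: both new locals (`service_account_automount_token` above and `create_ingress_class_resource` here) are passed to the template as bare booleans, which is fine because `templatefile` renders them as `true`/`false` and YAML reads those as booleans; however `create_ingress_class_resource` is now the longest key in this block, so `terraform fmt` will want the `=` signs realigned, which the rendered diff cannot show. Run `terraform fmt -check` (ideally in CI) before merging.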
106 changes: 106 additions & 0 deletions templates/values.yaml
Expand Up @@ -24,6 +24,8 @@ serviceAccount:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ${service_account_name}
# Automount API credentials for a Service Account.
automountServiceAccountToken: ${service_account_automount_token}

rbac:
# Specifies whether rbac resources should be created
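Review bot: the rendered diff loses indentation, so confirm that `automountServiceAccountToken: ${service_account_automount_token}` is indented under `serviceAccount:` at the same level as `name:`; at top level the key would be silently ignored by the chart and the service account would keep the default behaviour with no error to tell you so.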
Expand Down Expand Up @@ -65,6 +67,15 @@ tolerations: ${tolerations}

affinity: ${affinity}

updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 1

# serviceAnnotations contains annotations to be added to the provisioned webhook service resource
serviceAnnotations: {}

podAnnotations: ${pod_annotations}

podLabels: ${pod_labels}
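Review bot: `updateStrategy: {}` and `serviceAnnotations: {}` are copied from the upstream values as hard-coded literals, unlike `affinity`, `podAnnotations` and `podLabels` around them, so they cannot be set from Terraform. Either wire them to new variables (for example `update_strategy` and `service_annotations` rendered with `jsonencode`, as the neighbouring maps are) or leave them out, since the chart defaults apply anyway and static copies only widen the template that has to be maintained.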
Expand All @@ -76,12 +87,35 @@ enableCertManager: ${enable_cert_manager}
# ingresses without ingress class annotation and ingresses of type alb
ingressClass: ${ingress_class}

# ingressClassParams specify the IngressCLassParams that enforce settings for a set of Ingresses when using with ingress Controller.
ingressClassParams:
create: true
# The name of ingressClassParams resource will be referred in ingressClass
name:
spec: {}
# You always can set specifications in `helm install` command through `--set` or `--set-string`
# If you do want to specify specifications in values.yaml, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'spec:'.
# namespaceSelector:
# matchLabels:
# group:
# scheme:
# ipAddressType:
# tags:

# To use IngressClass resource instead of annotation, before you need to install the IngressClass resource pointing to controller.
# If specified as true, the IngressClass resource will be created.
createIngressClassResource: ${create_ingress_class_resource}

# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example.
region: ${region}

# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically
vpcId: ${vpc_id}

# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2)
awsApiEndpoints:

# Maximum retries for AWS APIs (default 10)
awsMaxRetries: ${aws_max_retries}

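Review bot: `ingressClassParams.create: true` is hard-coded with an empty `name:` while `createIngressClassResource` is templated from `create_ingress_class_resource`; a user who sets that input to `false` precisely to avoid the chart touching IngressClass objects may still get an IngressClassParams object. Drive `create` from the same variable (or expose an `ingress_class_params` input rendered with `jsonencode`), and fix the copied comment typos (`IngressCLassParams`, "when using with ingress Controller"). `awsApiEndpoints:` with no value renders as null, which is fine, but a short comment saying it is intentionally unset would stop someone "fixing" it to `""`.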
Expand Down Expand Up @@ -109,18 +143,39 @@ metricsBindAddr: ${metrics_bind_addr}
# The TCP port the Webhook server binds to. (default 9443)
webhookBindPort: ${webhook_bind_port}

# webhookTLS specifies TLS cert/key for the webhook
webhookTLS:
caCert:
cert:
key:

# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
keepTLSSecret: true

# Maximum number of concurrently running reconcile loops for service (default 3)
serviceMaxConcurrentReconciles: ${service_max_concurrent_reconciles}

# Maximum number of concurrently running reconcile loops for targetGroupBinding
targetgroupbindingMaxConcurrentReconciles: ${targetgroupbinding_max_concurrent_reconciles}

# Maximum duration of exponential backoff for targetGroupBinding reconcile failures
targetgroupbindingMaxExponentialBackoffDelay:

# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s)
syncPeriod: ${sync_period}

# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
watchNamespace: ${watch_namespace}

# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default
disableIngressClassAnnotation:

# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
disableIngressGroupNameAnnotation:

# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
defaultSSLPolicy:

# Liveness probe configuration for the controller
livenessProbe:
failureThreshold: 2
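Review bot: leaving `webhookTLS.caCert`, `cert` and `key` empty is correct, and `keepTLSSecret: true` stops the chart from regenerating the webhook certificate on every apply; if these are ever exposed as Terraform inputs, note in the variable docs that the private key would then be stored in both the Helm release secret and Terraform state, so they must be marked `sensitive` and sourced from a secret store rather than a plain variable. `defaultSSLPolicy` is also left empty, meaning the controller's built-in policy applies to every TLS listener it creates; exposing it as an input would let operators enforce one TLS policy across all load balancers instead of per-Ingress annotations.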
Expand All @@ -145,6 +200,13 @@ env: ${env}
# recommended if using the Amazon VPC CNI plugin.
hostNetwork: ${host_network}

# Specifies the dnsPolicy that should be used for pods in the deployment
#
# This may need to be used to be changed given certain conditions. For instance, if one uses the cilium CNI
# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy`
# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy:

# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster
extraVolumeMounts: ${extra_volume_mounts}
# - name: aws-iam-token
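Review bot: `dnsPolicy:` is added as an empty key, but the comment above it explains exactly when it must change (`hostNetwork: true` with a CNI that needs `ClusterFirstWithHostNet`), and `hostNetwork` is already templated from `host_network`; add a `dns_policy` variable and render it here, otherwise a user who enables `host_network` has no way to keep the webhook reachable without forking the template.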
Expand All @@ -167,5 +229,49 @@ defaultTags: ${default_tags}
# default_tag1: value1
# default_tag2: value2

# podDisruptionBudget specifies the disruption budget for the controller pods.
# Disruption budget will be configured only when the replicaCount is greater than 1
podDisruptionBudget: ${pdb}
# maxUnavailable: 1

# externalManagedTags is the list of tag keys on AWS resources that will be managed externally
externalManagedTags: []

# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
enableEndpointSlices:

# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
enableBackendSecurityGroup:

# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
backendSecurityGroup:

# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
disableRestrictedSecurityGroupRules:

# objectSelector for webhook
objectSelector:
matchExpressions:
# - key: <key>
# operator: <operator>
# values:
# - <value>
matchLabels:
# key: value

serviceMonitor:
# Specifies whether a service monitor should be created
enabled: false
# Labels to add to the service account
additionalLabels: {}
# Prometheus scrape interval
interval: 1m

# clusterSecretsPermissions lets you configure RBAC permissions for secret resources
# Access to secrets resource is required only if you use the OIDC feature, and instead of
# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
# This option is for backwards compatibility only, and will potentially be deprecated in future.
clusterSecretsPermissions:
# allowAllSecrets allows the controller to access all secrets in the cluster.
# This is to get backwards compatible behavior, but *NOT* recommended for security reasons
allowAllSecrets: false
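Review bot: the security-relevant defaults copied here are the right ones and should stay fixed rather than be exposed casually: `clusterSecretsPermissions.allowAllSecrets: false` (the comment itself says the alternative is not recommended) and `disableRestrictedSecurityGroupRules` left unset so the controller keeps port-range-restricted backend security group rules. Two copied comments are wrong and worth fixing while here: under `serviceMonitor`, `additionalLabels` are labels for the ServiceMonitor, not "the service account", and `objectSelector.matchExpressions:` followed only by commented lines renders as null, so the comment should say the webhook then applies to all objects.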
18 changes: 15 additions & 3 deletions variables.tf
Expand Up @@ -19,7 +19,7 @@ variable "chart_repository" {
variable "chart_version" {
description = "Version of Chart to install. Set to empty to install the latest version"
type = string
default = "1.3.2"
default = "1.4.2"
}

variable "chart_namespace" {
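Review bot: `chart_version` 1.4.2 is bumped in lockstep with `image_tag` v2.4.2 in the next hunk, which is right, but the keys added to `templates/values.yaml` in this PR only exist in the newer chart, so a user who overrides `chart_version` back to 1.3.x renders a values file full of keys that chart silently ignores; add a sentence to the description saying the template targets chart 1.4.x and older versions are unsupported.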
Expand Down Expand Up @@ -64,7 +64,7 @@ variable "prefer_ecr_repositories" {
variable "image_tag" {
description = "Image tag"
type = string
default = "v2.3.0"
default = "v2.4.2"
}

variable "name_override" {
Expand All @@ -86,11 +86,17 @@ variable "service_account_name" {
}

variable "service_account_annotations" {
description = "Addiitional Annotations for service account"
description = "Additional Annotations for service account"
type = map(string)
default = {}
}

variable "service_account_automount_token" {
description = "Whether, Automount API credentials for a Service Account."
type = bool
default = true
}

variable "pod_security_context" {
description = "Pod Security Context"
type = map(any)
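Review bot: the description "Whether, Automount API credentials for a Service Account." is a fragment; use something like "Whether to automount the API token into the controller's service account. The controller needs it to reach the API server, so only set false if you mount a projected token yourself." `type = bool` with `default = true` matches the chart default, which is good.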
Expand Down Expand Up @@ -210,6 +216,12 @@ variable "ingress_class" {
default = "alb"
}

variable "create_ingress_class_resource" {
description = " To use IngressClass resource instead of annotation, If specified as true, the IngressClass resource will be created."
type = bool
default = true
}

variable "region" {
description = "The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example."
type = string
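Review bot: the `create_ingress_class_resource` description starts with a stray space and reads as two half-sentences joined by a comma; suggest `description = "Create the IngressClass resource instead of relying on the ingress class annotation. Set to false if the IngressClass already exists in the cluster."` The README table is generated from this string, so the stray space shows up there too.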