add objectSelector to the controller webhooks (#3165)

The service mutator and ingressclassparams validator webhooks
ignore the services and the ingressclassparams resources included
in the controller manifest.

The webhook service is of type ClusterIP and need not be mutated
by the webhook. This change resolves the cyclic dependency between
the service and the mutator webhook. In the long term we will use
the `matchConditions` once `AdmissionWebhookMatchConditions` feature
is GA.

As for the `ingressclassparams`, the webhook might not be available
during chart install/upgrade time causing the operation to fail. This
is a short term fix to get backward compatible behavior.

Author: kishorj

config/webhook/ingressclassparams_validator_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: webhook
+webhooks:
+  - name: vingressclassparams.elbv2.k8s.aws
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/name
+          operator: NotIn
+          values:
+            - aws-load-balancer-controller

config/webhook/kustomization.yaml

@@ -7,3 +7,5 @@ configurations:
 
 patchesStrategicMerge:
   - pod_mutator_patch.yaml
+  - service_mutator_patch.yaml
+  - ingressclassparams_validator_patch.yaml

config/webhook/service_mutator_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: webhook
+webhooks:
+  - name: mservice.elbv2.k8s.aws
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/name
+          operator: NotIn
+          values:
+            - aws-load-balancer-controller

helm/aws-load-balancer-controller/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.5.1
+version: 1.5.2
 appVersion: v2.5.1
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png

helm/aws-load-balancer-controller/templates/webhook.yaml

@@ -69,6 +69,12 @@ webhooks:
   name: mservice.elbv2.k8s.aws
   admissionReviewVersions:
   - v1beta1
+  objectSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: NotIn
+      values:
+      - {{ include "aws-load-balancer-controller.name" . }}
   rules:
   - apiGroups:
     - ""
@@ -127,6 +133,12 @@ webhooks:
   name: vingressclassparams.elbv2.k8s.aws
   admissionReviewVersions:
   - v1beta1
+  objectSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: NotIn
+      values:
+      - {{ include "aws-load-balancer-controller.name" . }}
   rules:
   - apiGroups:
     - elbv2.k8s.aws

helm/aws-load-balancer-controller/values.yaml

@@ -119,14 +119,18 @@ ingressClassParams:
   # The name of ingressClassParams resource will be referred in ingressClass
   name:
   spec: {}
-    # You always can set specifications in `helm install` command through `--set` or `--set-string`
-    # If you do want to specify specifications in values.yaml, uncomment the following
-    # lines, adjust them as necessary, and remove the curly braces after 'spec:'.
+    # Due to dependency issue, the validation webhook ignores this particular ingressClassParams resource.
+    # We recommend creating ingressClassParams resources separately after installing this chart and the
+    # controller is functional.
+    #
+    # You can set the specifications in the `helm install` command through `--set` or `--set-string`
+    # If you do want to specify in the values.yaml, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'spec:'
+    #
     # namespaceSelector:
     #   matchLabels:
     # group:
     # scheme:
-    # subnets:
     # ipAddressType:
     # tags:
     # loadBalancerAttributes: