feat(eks): pass helm chart values to aws-load-balancer-controller #29723
Conversation
github-actions
bot
added
the
beginning-contributor
github-actions
bot
added
feature-request
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
ec6de8a
to
afcd343
Compare
aws-cdk-automation
added
pr/needs-maintainer-review
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
3 times, most recently
from
2926163
to
5e9a3f6
Compare
| * | ||
| * @default - No values are provided to the chart. | ||
| */ | ||
| readonly values?: {[key: string]: any}; |
There was a problem hiding this comment.
| readonly values?: {[key: string]: any}; | |
| readonly helmChartValues?: {[key: string]: any}; |
Can you rename this to helmChartValues? Just having this be values in this context is not clear what these values are being used for. Ideally I'd have like the property within Helm Chart to be named something other than values as well but unfortunately it's too late for that now.
There was a problem hiding this comment.
yes that's fine with me. I was using the HelmChartProps as an guide but I can see the value in being specific within the scope of a broader construct that's not limited to helm already.
| * values: { | ||
| * autoscaling: false, | ||
| * ingressClassParams: { create: true } | ||
| * } | ||
| * | ||
| * Note that the following values are set by the controller and cannot be overridden: | ||
| * - clusterName | ||
| * - serviceAccount.create | ||
| * - serviceAccount.name | ||
| * - region | ||
| * - vpcId | ||
| * - image.repository | ||
| * - image.tag |
There was a problem hiding this comment.
Do we know the full set of values that can be passed in to the helmChart.values property? If so could we add some stronger typing checks to them? If not then could we add some validation for the values that cannot be overridden?
From your unit test case it seems like Helm Chart will just ignore these values but I would rather prevent these values from being set at all instead of allowing it to be passed in and have it silently fail.
There was a problem hiding this comment.
i think the set of values varies (or can potentially vary) depending on the helm chart version. I think defining a type (e.g. AlbControllerHelmChartValues) will create a loose link to the helm chart that has the potential for breaking. Validating the passed values against the keys we know we explicitly set seems like a better approach to me.
There was a problem hiding this comment.
Gotcha, thanks for clarifying. Then let's go with the second option to validate the passed values that cannot be overridden.
There was a problem hiding this comment.
@paulhcsun i've updated with the requested changes. Assuming the suite passes, would you (or someone else) be able to run/update the integration tests? I ran into some issues with the teardown last time.
There was a problem hiding this comment.
Hey @mtrspringer, thanks for making the changes! and ya for sure, I'll give that a run later today.
There was a problem hiding this comment.
Hey @mtrspringer, apologies some other items came up. I will run the tests now.
There was a problem hiding this comment.
It took a while to run on Friday and looks like it failed due to a credentials related error but it still seems to have updated the snapshots. I've pushed them so hopefully the codebuild will be happy with the new snapshots.
There was a problem hiding this comment.
@paulhcsun thanks very much! yes it takes ages, looks like the build is passing though
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
5e9a3f6
to
4289418
Compare
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
2 times, most recently
from
4625454
to
b55781a
Compare
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
b55781a
to
cd2f5a8
Compare
|
Hi @mtrspringer, apologies for another delay to getting around to reviewing this. I was oncall last week. Thank you for making the requested changes for validating the values that can be passed to Would you mind explaining what the changes within |
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
cd2f5a8
to
0d9c286
Compare
|
@paulhcsun hi sorry i've been on vacation the last 2 weeks. I dont remember making any changes to those files, maybe they got included when i updated my branch via the github button? im happy to leave them out |
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
3 times, most recently
from
bff33f3
to
285af63
Compare
|
@paulhcsun looks like they were .d.ts and .js files that somehow got included. i've just removed them so this PR should be ready for review now |
| * | ||
| * @default - No values are provided to the chart. | ||
| */ | ||
| readonly helmChartValues?: {[key: string]: any}; |
There was a problem hiding this comment.
I don't think that this is quite the right direction here. From what I can tell, only one or two values need to be overridden for your use case and this is basically giving the user carte blanche to override far more than that. I chatted with @paulhcsun about this PR and I'm thinking that it would likely be better to have a function that can be called after instantiation to disable the load balancer wafv2 behavior instead of adding a prop.
In general, we don't want props to contradict one another or allow values that we know are not allowed (i.e. the list of values you added in the docstring).
What I'm really having trouble with here is understanding how those values are being set in the first place, in your use case. Can you explain what's going on in your specific case a bit more so that our suggestions for the fix don't send you in circles?
There was a problem hiding this comment.
I would also probably suggest that the function to update this behavior should be scoped to the ALB controller but, again, I'd like to understand better how these fields are being set before saying you should make this code change.
There was a problem hiding this comment.
hi @TheRealAmazonKendra thanks for your review.
you are correct that for my specific use case I only need to update one or two values, but my intention with this PR is to address the issue of aws-cdk-lib/aws-eks package not exposing the ability to set whatever values the user wants (apart from the ones it is already setting).
the AlbController is just a thin wrapper around the HelmChart construct, yet its constructor's props do not expose any ability to pass values to the underlying helm chart. IMO this was a poor design choice, as I don't think aws-cdk should be the arbiter of which values can be passed to the aws-load-balancer-controller helm chart.
the initial implementation of the Cluster construct did not include any props related to the albController. They were later added as a convenience due to the fact that it is commonly utilized to integrate with aws elbv2. my assumption is that the AlbController construct was defined at the same time, due to the fact that AlbControllerOptions = Omit<AlbControllerProps, 'cluster'>. However, the lack of an interface exposing configuration of the helm chart's values means that any user leveraging aws firewall manager either cannot use the "official" construct for the helm chart, or they have to accept that aws-load-balancer-controller will periodically disassociate an fms-applied web acl and their albs willbe unprotected until fms can detect & remediate (usually this is a couple minutes, but we have had occurrences of the remediation failing and albs being unprotected for hours).
Due to the fact that a helm chart's values.yml is the way in which every helm chart's default behavior is overridden, i feel that adding a prop for passing values to the AlbController is a valid design choice. There may be other default behaviors of the helm chart beyond waf management that users may want to disable. Due to the fact that the supported values for aws-load-balancer-controller may vary from one version to the next, I didn't feel it was wise to define a type/interface for a subset of configurable values that will then need to be kept up-to-date. I think if users decide to pass values to the AlbController, they are at the point where they know they need to and we should trust that they are able to decide which values to set.
as far as your suggestion for a function to update values after instantiation, this would need to be exposed on both the AlbController construct and the HelmChart construct. i feel like this is not a great approach and it expands the scope of the solution beyond the AlbController construct.
in short, i feel that this is a fix for an overly-restrictive construct props definition.
There was a problem hiding this comment.
Hello, I would also want to be able to edit values through this way, in my case for values enableCertManager, cluster.dnsDomain and some more.
I wonder why this functionality wasn't introduced from the beginning...
|
Hi, any updates or estimation on this? Can i help somehow? |
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
81733cc
to
89d6dbd
Compare
mergify
bot
dismissed
TheRealAmazonKendra’s stale review
Pull request has been modified.
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
hi @Necrokefalos im still waiting on a response as to what changes, if any, need to be made. good to know that the values also need to be modified for cert-manager as we are looking to adopt that sometime soon. in the meantime i think the integration tests need to be run again before the checks pass. @paulhcsun would you be able to do that again at your earliest convenience? thanks. |
mtrspringer
force-pushed
the
aws-eks-alb-controller-values
branch
from
89d6dbd
to
ab070af
Compare
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #29707
Reason for this change
Need to be able to disable aws-load-balancer-controller wafv2 behavior so it doesn't remove waf associations created by AWS FMS.
Description of changes
I added a
valuesproperty to theAlbControllerOptionsinterface for passing optional values to the underlying helm chart.Description of how you validated changes
I added two tests to validate my changes:
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license