mservice.elbv2.k8s.aws mutating webhook blocks Helm rollbacks

[diversario]

Describe the bug
When using Helm to deploy a Service object (of type LoadBalancer) into a cluster, the installation and subsequent updates succeed, but a rollback with --force fails.

This is because the webhook only activates for CREATE and not for UPDATE operations - meaning, when Helm attempts to roll back and update the Service to its previous state, this previous state does not include the spec.loadBalancerClass field set by the webhook. This results in

[helm rollback - release: echoserver]  Error: failed to replace object:
 Service "echoserver-nlb" is invalid:
 spec.loadBalancerClass:
 Invalid value: "null": may not change once set

because (afaik) Helm sends the entire Service object to the API server due to the --force flag.

Steps to reproduce
Deploy any Helm chart with an LB service. I'll use AWS LBC chart as a placeholder for this example.

1. Deploy the chart 2-3 times so there's a release history:
   helm upgrade --install --wait --wait-for-jobs --timeout 10m --atomic aws-lbc eks/aws-load-balancer-controller
2. Run a rollback with --force:
   helm rollback aws-lbc 1 --force --wait --no-hooks --timeout 600s

Expected outcome
Not an error; I expect the webhook to modify the service objects appropriately, and the rollback to complete.

Environment

• AWS Load Balancer controller version
  6.7.1
• Kubernetes version
  1.28.3
• Using EKS (yes/no), if so version?
  no

Additional Context:
Using Helm 3.10.3

[aravindsagar]

/kind bug

[PowerSurj]

• AWS Load Balancer controller version
  6.7.1

are you sure? do you mean Helm Chart version 2.7.1

[diversario]

Yes, sorry. The AWS LBC version 2.7.1, chart version is the one that sets that appVersion.

[shraddhabang]

Delivered in v2.8.0