From 9431c0ab6944b3c569479bb154d9238579a7f3a3 Mon Sep 17 00:00:00 2001 
From: Ole Markus With Date: Wed, 16 Feb 2022 21:35:52 +0100 Subject: [PATCH] Update LBC to 2.4.0 --- cmd/kops/integration_test.go | 10 +- pkg/apis/kops/validation/validation.go | 4 - .../scenarios/aws-lb-controller/run-test.sh | 4 - ...controller.addons.k8s.io-k8s-1.19_content} | 41 +- ...nimal.example.com-addons-bootstrap_content | 6 +- .../aws-lb-controller/kubernetes.tf | 6 +- ...controller.addons.k8s.io-k8s-1.19_content} | 41 +- ...nimal.example.com-addons-bootstrap_content | 6 +- .../many-addons-ccm-irsa/kubernetes.tf | 6 +- ....kube-system.sa.minimal.example.com_policy | 17 + ....kube-system.sa.minimal.example.com_policy | 40 + ...cket_object_cluster-completed.spec_content | 2 + ...-controller.addons.k8s.io-k8s-1.19_content | 1136 +++++++++++++++++ ...nimal.example.com-addons-bootstrap_content | 8 + .../many-addons-ccm-irsa23/in-v1alpha2.yaml | 4 +- .../many-addons-ccm-irsa23/kubernetes.tf | 34 + ...controller.addons.k8s.io-k8s-1.19_content} | 41 +- ...nimal.example.com-addons-bootstrap_content | 6 +- .../many-addons-ccm/kubernetes.tf | 6 +- ...controller.addons.k8s.io-k8s-1.19_content} | 41 +- ...nimal.example.com-addons-bootstrap_content | 6 +- .../update_cluster/many-addons/kubernetes.tf | 6 +- upup/models/BUILD.bazel | 1 + .../k8s-1.19.yaml.template | 950 ++++++++++++++ .../bootstrapchannelbuilder.go | 13 +- 25 files changed, 2380 insertions(+), 55 deletions(-) rename tests/integration/update_cluster/aws-lb-controller/data/{aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content => aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content} (97%) rename tests/integration/update_cluster/many-addons-ccm-irsa/data/{aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content => aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content} (97%) create mode 100644 
tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy create mode 100644 tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy create mode 100644 tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content rename tests/integration/update_cluster/many-addons-ccm/data/{aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content => aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content} (97%) rename tests/integration/update_cluster/many-addons/data/{aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content => aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content} (97%) create mode 100644 upup/models/cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go index 5b86025345d50..e6a98636e5d43 100644 --- a/cmd/kops/integration_test.go +++ b/cmd/kops/integration_test.go @@ -519,7 +519,7 @@ func TestAWSLBController(t *testing.T) { withOIDCDiscovery(). withServiceAccountRole("dns-controller.kube-system", true). withServiceAccountRole("aws-load-balancer-controller.kube-system", true). - withAddons("aws-load-balancer-controller.addons.k8s.io-k8s-1.9", + withAddons("aws-load-balancer-controller.addons.k8s.io-k8s-1.19", "certmanager.io-k8s-1.16", dnsControllerAddon). runTestTerraformAWS(t) 
@@ -528,7 +528,7 @@ func TestAWSLBController(t *testing.T) {
 func TestManyAddons(t *testing.T) {
 newIntegrationTest("minimal.example.com", "many-addons").
 withAddons("aws-ebs-csi-driver.addons.k8s.io-k8s-1.17",
- "aws-load-balancer-controller.addons.k8s.io-k8s-1.9",
+ "aws-load-balancer-controller.addons.k8s.io-k8s-1.19",
 "certmanager.io-k8s-1.16",
 "cluster-autoscaler.addons.k8s.io-k8s-1.15",
 "networking.amazon-vpc-routed-eni-k8s-1.16",
@@ -549,7 +549,7 @@ func TestManyAddonsCCMIRSA(t *testing.T) {
 withServiceAccountRole("aws-node-termination-handler.kube-system", true).
 withAddons(
 "aws-ebs-csi-driver.addons.k8s.io-k8s-1.17",
- "aws-load-balancer-controller.addons.k8s.io-k8s-1.9",
+ "aws-load-balancer-controller.addons.k8s.io-k8s-1.19",
 "certmanager.io-k8s-1.16",
 "cluster-autoscaler.addons.k8s.io-k8s-1.15",
 "networking.amazon-vpc-routed-eni-k8s-1.16",
@@ -564,12 +564,14 @@ func TestManyAddonsCCMIRSA(t *testing.T) {
 func TestManyAddonsCCMIRSA23(t *testing.T) {
 newIntegrationTest("minimal.example.com", "many-addons-ccm-irsa23").
 withOIDCDiscovery().
+ withServiceAccountRole("aws-load-balancer-controller.kube-system", true).
 withServiceAccountRole("dns-controller.kube-system", true).
 withServiceAccountRole("aws-cloud-controller-manager.kube-system", true).
 withServiceAccountRole("cluster-autoscaler.kube-system", true).
 withServiceAccountRole("ebs-csi-controller-sa.kube-system", true).
 withServiceAccountRole("aws-node-termination-handler.kube-system", true).
 withAddons(
+ "aws-load-balancer-controller.addons.k8s.io-k8s-1.19",
 "aws-ebs-csi-driver.addons.k8s.io-k8s-1.17",
 "certmanager.io-k8s-1.16",
 "cluster-autoscaler.addons.k8s.io-k8s-1.15",
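Review bot: In the TestManyAddonsCCMIRSA23 hunk, nothing records that this scenario now covers the load balancer controller on a cluster version that validation used to reject; the same patch deletes the `c.IsKubernetesGTE("1.22")` check in validation.go. A short comment above the function would keep that intent visible, for example `// Also covers aws-load-balancer-controller on Kubernetes >= 1.22, which validation rejected before LBC 2.4.0.`; the cluster version of this scenario is inferred from the test name and should be confirmed against in-v1alpha2.yaml. As a smaller style point, the new addon entry is listed before `aws-ebs-csi-driver` here but after it in TestManyAddonsCCMIRSA, and one consistent order would make the lists easier to compare. The function body continues outside the hunk.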
@@ -587,7 +589,7 @@ func TestCCM(t *testing.T) { newIntegrationTest("minimal.example.com", "many-addons-ccm"). withAddons( "aws-ebs-csi-driver.addons.k8s.io-k8s-1.17", - "aws-load-balancer-controller.addons.k8s.io-k8s-1.9", + "aws-load-balancer-controller.addons.k8s.io-k8s-1.19", "certmanager.io-k8s-1.16", "cluster-autoscaler.addons.k8s.io-k8s-1.15", "networking.amazon-vpc-routed-eni-k8s-1.16", diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index 493b91b9ae48c..d6b3bb650e3d2 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go @@ -159,10 +159,6 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie allErrs = append(allErrs, validateKubelet(spec.MasterKubelet, c, fieldPath.Child("masterKubelet"))...) } - if spec.AWSLoadBalancerController != nil && fi.BoolValue(spec.AWSLoadBalancerController.Enabled) && c.IsKubernetesGTE("1.22") { - allErrs = append(allErrs, field.Forbidden(fieldPath.Child("awsLoadBalancerController", "enabled"), "AWS load balancer controller is supported only for Kubernetes 1.21 and lower")) - } - if spec.Networking != nil { allErrs = append(allErrs, validateNetworking(c, spec.Networking, fieldPath.Child("networking"))...) if spec.Networking.Calico != nil { diff --git a/tests/e2e/scenarios/aws-lb-controller/run-test.sh b/tests/e2e/scenarios/aws-lb-controller/run-test.sh index 02fe3b5e367e4..4f6cdfe1ba261 100755 --- a/tests/e2e/scenarios/aws-lb-controller/run-test.sh +++ b/tests/e2e/scenarios/aws-lb-controller/run-test.sh @@ -29,10 +29,6 @@ OVERRIDES="${OVERRIDES} --set=cluster.spec.certManager.enabled=true" # shellcheck disable=SC2034 ZONES="eu-west-1a,eu-west-1b,eu-west-1c" -# TODO remove when kops#11689 is addressed -K8S_VERSION="1.21.6" -export K8S_VERSION - kops-up VPC=$(${KOPS} toolbox dump -o json | jq -r .vpc.id) 
diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content similarity index 97% rename from tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content rename to tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content index 4fe2e7e6b2aca..d3488b2daf5cf 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content @@ -889,7 +889,7 @@ spec: value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: amazon/aws-alb-ingress-controller:v2.3.1 + image: amazon/aws-alb-ingress-controller:v2.4.0 livenessProbe: failureThreshold: 2 httpGet: @@ -926,7 +926,8 @@ spec: serviceAccountName: aws-load-balancer-controller terminationGracePeriodSeconds: 10 tolerations: - - operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists topologySpreadConstraints: - labelSelector: matchLabels: @@ -1086,7 +1087,7 @@ webhooks: service: name: aws-load-balancer-webhook-service namespace: kube-system - path: /validate-networking-v1beta1-ingress + path: /validate-networking-v1-ingress failurePolicy: Fail matchPolicy: Equivalent name: vingress.elbv2.k8s.aws 
@@ -1094,10 +1095,42 @@ webhooks: - apiGroups: - networking.k8s.io apiVersions: - - v1beta1 + - v1 operations: - CREATE - UPDATE resources: - ingresses sideEffects: None + +--- + +apiVersion: elbv2.k8s.aws/v1beta1 +kind: IngressClassParams +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb +spec: + controller: ingress.k8s.aws/alb + parameters: + apiGroup: elbv2.k8s.aws + kind: IngressClassParams + name: alb diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content index 0bf130bfe4f02..6fe28fb612662 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content 
@@ -51,9 +51,9 @@ spec: name: certmanager.io selector: null version: 9.99.0 - - id: k8s-1.9 - manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml - manifestHash: 1bb026be85f6a5a3fd73d996e3f5bb33df7c5eb9dc859347d55ec2ae4c97949e + - id: k8s-1.19 + manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml + manifestHash: a26e4a85ef790c4c02077118857d90a856ab6bc219ac895af8ee458485e6c0b2 name: aws-load-balancer-controller.addons.k8s.io needsPKI: true selector: diff --git a/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf b/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf index 68a351f916b18..d092cd94c4936 100644 --- a/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf +++ b/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf @@ -634,10 +634,10 @@ resource "aws_s3_bucket_object" "manifests-static-kube-apiserver-healthcheck" { server_side_encryption = "AES256" } -resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-9" { +resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-19" { bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content") - key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml" + content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content") + key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml" provider = aws.files server_side_encryption = "AES256" } 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content similarity index 97% rename from tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content rename to tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content index 4fe2e7e6b2aca..d3488b2daf5cf 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content @@ -889,7 +889,7 @@ spec: value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: amazon/aws-alb-ingress-controller:v2.3.1 + image: amazon/aws-alb-ingress-controller:v2.4.0 livenessProbe: failureThreshold: 2 httpGet: @@ -926,7 +926,8 @@ spec: serviceAccountName: aws-load-balancer-controller terminationGracePeriodSeconds: 10 tolerations: - - operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists topologySpreadConstraints: - labelSelector: matchLabels: @@ -1086,7 +1087,7 @@ webhooks: service: name: aws-load-balancer-webhook-service namespace: kube-system - path: /validate-networking-v1beta1-ingress + path: /validate-networking-v1-ingress failurePolicy: Fail matchPolicy: Equivalent name: vingress.elbv2.k8s.aws 
@@ -1094,10 +1095,42 @@ webhooks: - apiGroups: - networking.k8s.io apiVersions: - - v1beta1 + - v1 operations: - CREATE - UPDATE resources: - ingresses sideEffects: None + +--- + +apiVersion: elbv2.k8s.aws/v1beta1 +kind: IngressClassParams +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb +spec: + controller: ingress.k8s.aws/alb + parameters: + apiGroup: elbv2.k8s.aws + kind: IngressClassParams + name: alb diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content index a2b48d64cf322..d0b1a022e2e84 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content 
@@ -101,9 +101,9 @@ spec: selector: k8s-addon: node-termination-handler.aws version: 9.99.0 - - id: k8s-1.9 - manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml - manifestHash: 1bb026be85f6a5a3fd73d996e3f5bb33df7c5eb9dc859347d55ec2ae4c97949e + - id: k8s-1.19 + manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml + manifestHash: a26e4a85ef790c4c02077118857d90a856ab6bc219ac895af8ee458485e6c0b2 name: aws-load-balancer-controller.addons.k8s.io needsPKI: true selector: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf index 545b630429b1e..4f1cf8a919161 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf @@ -754,10 +754,10 @@ resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-ebs-csi-driver-a server_side_encryption = "AES256" } -resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-9" { +resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-19" { bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content") - key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml" + content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content") + key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml" provider = aws.files server_side_encryption = "AES256" } 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy new file mode 100644 index 0000000000000..94a18743494c1 --- /dev/null +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy @@ -0,0 +1,17 @@ +{ + "Statement": [ + { + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller" + } + }, + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws-test:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com" + } + } + ], + "Version": "2012-10-17" +} diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy new file mode 100644 index 0000000000000..b2d55cb7f128e --- /dev/null +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -0,0 +1,40 @@ +{ + "Statement": [ + { + "Action": [ + "acm:DescribeCertificate", + "acm:ListCertificates", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeNetworkInterfaces", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetHealth" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:RemoveTags" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" +} diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_cluster-completed.spec_content index 2c26f821fe18d..cb23e2e0cc03d 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_cluster-completed.spec_content @@ -8,6 +8,8 @@ spec: dns: {} authorization: alwaysAllow: {} + awsLoadBalancerController: + enabled: true certManager: enabled: true channel: stable 
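Review bot: The first statement of this expected role policy allows `elasticloadbalancing:CreateRule` on `"Resource": "*"` with no condition, while the other mutating actions sit in the second statement behind `aws:ResourceTag/KubernetesCluster` equal to `minimal.example.com`. As written, the controller's IRSA role can add listener rules to any load balancer in the account, not only those tagged for this cluster. If that is deliberate (presumably because a rule has no tag at creation time), it is worth stating where the policy is built; otherwise, scoping the action to listeners that carry the cluster tag would keep the role to least privilege, assuming the action supports such a condition. This file is generated test output, so any change belongs in the policy builder, which is not part of the hunks visible here.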
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content new file mode 100644 index 0000000000000..d3488b2daf5cf --- /dev/null +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content 
@@ -0,0 +1,1136 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: ingressclassparams.elbv2.k8s.aws +spec: + group: elbv2.k8s.aws + names: + kind: IngressClassParams + listKind: IngressClassParamsList + plural: ingressclassparams + singular: ingressclassparams + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Ingress Group name + jsonPath: .spec.group.name + name: GROUP-NAME + type: string + - description: The AWS Load Balancer scheme + jsonPath: .spec.scheme + name: SCHEME + type: string + - description: The AWS Load Balancer ipAddressType + jsonPath: .spec.ipAddressType + name: IP-ADDRESS-TYPE + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: IngressClassParams is the Schema for the IngressClassParams API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressClassParamsSpec defines the desired state of IngressClassParams + properties: + group: + description: Group defines the IngressGroup for all Ingresses that + belong to IngressClass with this IngressClassParams. + properties: + name: + description: Name is the name of IngressGroup. + type: string + required: + - name + type: object + ipAddressType: + description: IPAddressType defines the ip address type for all Ingresses + that belong to IngressClass with this IngressClassParams. + enum: + - ipv4 + - dualstack + type: string + loadBalancerAttributes: + description: LoadBalancerAttributes define the custom attributes to + LoadBalancers for all Ingress that that belong to IngressClass with + this IngressClassParams. + items: + description: Attributes defines custom attributes on resources. + properties: + key: + description: The key of the attribute. + type: string + value: + description: The value of the attribute. + type: string + required: + - key + - value + type: object + type: array + namespaceSelector: + description: NamespaceSelector restrict the namespaces of Ingresses + that are allowed to specify the IngressClass with this IngressClassParams. + * if absent or present but empty, it selects all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + scheme: + description: Scheme defines the scheme for all Ingresses that belong + to IngressClass with this IngressClassParams. + enum: + - internal + - internet-facing + type: string + tags: + description: Tags defines list of Tags on AWS resources provisioned + for Ingresses that belong to IngressClass with this IngressClassParams. + items: + description: Tag defines a AWS Tag on resources. + properties: + key: + description: The key of the tag. + type: string + value: + description: The value of the tag. 
+ type: string + required: + - key + - value + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: targetgroupbindings.elbv2.k8s.aws +spec: + group: elbv2.k8s.aws + names: + kind: TargetGroupBinding + listKind: TargetGroupBindingList + plural: targetgroupbindings + singular: targetgroupbinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME + type: string + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT + type: string + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + properties: + networking: + description: networking provides the networking setup for ELBV2 LoadBalancer + to access targets in TargetGroup. + properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer + to access targets in TargetGroup. + items: + properties: + from: + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. + items: + description: NetworkingPeer defines the source/destination + peer for networking rules. + properties: + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object + type: object + type: array + ports: + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. + items: + properties: + port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. 
When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. + If protocol is unspecified, it defaults to TCP. + enum: + - TCP + - UDP + type: string + type: object + type: array + required: + - from + - ports + type: object + type: array + type: object + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and + ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. + x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for + the TargetGroup. + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, + it will be automatically inferred. + enum: + - instance + - ip + type: string + required: + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME + type: string + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT + type: string + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + properties: + ipAddressType: + description: ipAddressType specifies whether the target group is of + type IPv4 or IPv6. If unspecified, it will be automatically inferred. + enum: + - ipv4 + - ipv6 + type: string + networking: + description: networking defines the networking rules to allow ELBV2 + LoadBalancer to access targets in TargetGroup. 
+ properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer + to access targets in TargetGroup. + items: + description: NetworkingIngressRule defines a particular set + of traffic that is allowed to access TargetGroup's targets. + properties: + from: + description: List of peers which should be able to access + the targets in TargetGroup. At least one NetworkingPeer + should be specified. + items: + description: NetworkingPeer defines the source/destination + peer for networking rules. + properties: + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, + none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 + or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup + peer. If specified, none of the other fields can + be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object + type: object + type: array + ports: + description: List of ports which should be made accessible + on the targets in TargetGroup. If ports is empty or unspecified, + it defaults to all ports with TCP. + items: + description: NetworkingPort defines the port and protocol + for networking rules. + properties: + port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. When + NodePort endpoints(instance TargetType) is used, + this must be a numerical port. When Port endpoints(ip + TargetType) is used, this can be either numerical + or named port on pods. if port is unspecified, it + defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. + If protocol is unspecified, it defaults to TCP. 
+ enum: + - TCP + - UDP + type: string + type: object + type: array + required: + - from + - ports + type: object + type: array + type: object + nodeSelector: + description: node selector for instance type target groups to only + register certain nodes + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and + ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. 
+ x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for + the TargetGroup. + minLength: 1 + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, + it will be automatically inferred. + enum: + - instance + - ip + type: string + required: + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/component: controller + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller-leader-election-role + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resourceNames: + - aws-load-balancer-controller-leader + resources: + - configmaps + verbs: + - get + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + 
creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller-role +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - ingressclassparams + verbs: + - get + - list + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - targetgroupbindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - targetgroupbindings/status + verbs: + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.k8s.io + resources: + - 
ingresses/status + verbs: + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller-leader-election-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: aws-load-balancer-controller-leader-election-role +subjects: +- kind: ServiceAccount + name: aws-load-balancer-controller + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-load-balancer-controller-role +subjects: +- kind: ServiceAccount + name: aws-load-balancer-controller + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-webhook-service + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + 
app.kubernetes.io/component: controller + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-controller + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + spec: + containers: + - args: + - --cluster-name=minimal.example.com + - --enable-waf=false + - --enable-wafv2=false + - --enable-shield=false + - --ingress-class=alb + - --default-tags=KubernetesCluster=minimal.example.com + - --aws-region=us-test-1 + env: + - name: AWS_ROLE_ARN + value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: /var/run/secrets/amazonaws.com/token + image: amazon/aws-alb-ingress-controller:v2.4.0 + livenessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 61779 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 10 + name: controller + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - mountPath: /var/run/secrets/amazonaws.com/ + name: token-amazonaws-com + readOnly: true + nodeSelector: + node-role.kubernetes.io/master: "" + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: aws-load-balancer-controller + terminationGracePeriodSeconds: 10 + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + topologySpreadConstraints: + - labelSelector: + matchLabels: + 
app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: aws-load-balancer-webhook-tls + - name: token-amazonaws-com + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: amazonaws.com + expirationSeconds: 86400 + path: token + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-serving-cert + namespace: kube-system +spec: + dnsNames: + - aws-load-balancer-webhook-service.kube-system.svc + - aws-load-balancer-webhook-service.kube-system.svc.cluster.local + issuerRef: + kind: Issuer + name: aws-load-balancer-controller.addons.k8s.io + secretName: aws-load-balancer-webhook-tls + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-webhook +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-v1-pod + failurePolicy: Fail + name: 
mpod.elbv2.k8s.aws + namespaceSelector: + matchExpressions: + - key: elbv2.k8s.aws/pod-readiness-gate-inject + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - aws-load-balancer-controller + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding + failurePolicy: Fail + name: mtargetgroupbinding.elbv2.k8s.aws + rules: + - apiGroups: + - elbv2.k8s.aws + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - targetgroupbindings + sideEffects: None + +--- + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: aws-load-balancer-webhook +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding + failurePolicy: Fail + name: vtargetgroupbinding.elbv2.k8s.aws + rules: + - apiGroups: + - elbv2.k8s.aws + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - targetgroupbindings + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /validate-networking-v1-ingress + failurePolicy: Fail + matchPolicy: Equivalent + name: vingress.elbv2.k8s.aws + rules: + - 
apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None + +--- + +apiVersion: elbv2.k8s.aws/v1beta1 +kind: IngressClassParams +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: aws-load-balancer-controller + k8s-addon: aws-load-balancer-controller.addons.k8s.io + name: alb +spec: + controller: ingress.k8s.aws/alb + parameters: + apiGroup: elbv2.k8s.aws + kind: IngressClassParams + name: alb diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content index 16b384b0eac07..7d46a4ba5dc1f 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content 
@@ -108,6 +108,14 @@ spec:
 selector:
 k8s-addon: node-termination-handler.aws
 version: 9.99.0
+ - id: k8s-1.19
+ manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
+ manifestHash: a26e4a85ef790c4c02077118857d90a856ab6bc219ac895af8ee458485e6c0b2
+ name: aws-load-balancer-controller.addons.k8s.io
+ needsPKI: true
+ selector:
+ k8s-addon: aws-load-balancer-controller.addons.k8s.io
+ version: 9.99.0
 - id: v1.15.0
 manifest: storage-aws.addons.k8s.io/v1.15.0.yaml
 manifestHash: 4e2cda50cd5048133aad1b5e28becb60f4629d3f9e09c514a2757c27998b4200
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/in-v1alpha2.yaml b/tests/integration/update_cluster/many-addons-ccm-irsa23/in-v1alpha2.yaml
index cb815b3930fd5..988d1962ec7ed 100644
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/in-v1alpha2.yaml
@@ -4,8 +4,8 @@ metadata:
 creationTimestamp: "2016-12-10T22:42:27Z"
 name: minimal.example.com
 spec:
- #awsLoadBalancerController:
- # enabled: true
+ awsLoadBalancerController:
+ enabled: true
 certManager:
 enabled: true
 clusterAutoscaler:
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
index 2b3983ea16d80..a8ab1283ecf1a 100644
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
@@ -4,6 +4,8 @@ locals { iam_openid_connect_provider_issuer = "discovery.example.com/minimal.example.com" kube-system-aws-cloud-controller-manager_role_arn = aws_iam_role.aws-cloud-controller-manager-kube-system-sa-minimal-example-com.arn kube-system-aws-cloud-controller-manager_role_name = aws_iam_role.aws-cloud-controller-manager-kube-system-sa-minimal-example-com.name + kube-system-aws-load-balancer-controller_role_arn = aws_iam_role.aws-load-balancer-controller-kube-system-sa-minimal-example-com.arn + kube-system-aws-load-balancer-controller_role_name = aws_iam_role.aws-load-balancer-controller-kube-system-sa-minimal-example-com.name kube-system-aws-node-termination-handler_role_arn = aws_iam_role.aws-node-termination-handler-kube-system-sa-minimal-example-com.arn kube-system-aws-node-termination-handler_role_name = aws_iam_role.aws-node-termination-handler-kube-system-sa-minimal-example-com.name kube-system-cluster-autoscaler_role_arn = aws_iam_role.cluster-autoscaler-kube-system-sa-minimal-example-com.arn @@ -48,6 +50,14 @@ output "kube-system-aws-cloud-controller-manager_role_name" { value = aws_iam_role.aws-cloud-controller-manager-kube-system-sa-minimal-example-com.name } +output "kube-system-aws-load-balancer-controller_role_arn" { + value = aws_iam_role.aws-load-balancer-controller-kube-system-sa-minimal-example-com.arn +} + +output "kube-system-aws-load-balancer-controller_role_name" { + value = aws_iam_role.aws-load-balancer-controller-kube-system-sa-minimal-example-com.name +} + output "kube-system-aws-node-termination-handler_role_arn" { value = aws_iam_role.aws-node-termination-handler-kube-system-sa-minimal-example-com.arn } 
@@ -331,6 +341,16 @@ resource "aws_iam_role" "aws-cloud-controller-manager-kube-system-sa-minimal-exa } } +resource "aws_iam_role" "aws-load-balancer-controller-kube-system-sa-minimal-example-com" { + assume_role_policy = file("${path.module}/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy") + name = "aws-load-balancer-controller.kube-system.sa.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "aws-load-balancer-controller.kube-system.sa.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } +} + resource "aws_iam_role" "aws-node-termination-handler-kube-system-sa-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_aws-node-termination-handler.kube-system.sa.minimal.example.com_policy") name = "aws-node-termination-handler.kube-system.sa.minimal.example.com" @@ -397,6 +417,12 @@ resource "aws_iam_role_policy" "aws-cloud-controller-manager-kube-system-sa-mini role = aws_iam_role.aws-cloud-controller-manager-kube-system-sa-minimal-example-com.name } +resource "aws_iam_role_policy" "aws-load-balancer-controller-kube-system-sa-minimal-example-com" { + name = "aws-load-balancer-controller.kube-system.sa.minimal.example.com" + policy = file("${path.module}/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy") + role = aws_iam_role.aws-load-balancer-controller-kube-system-sa-minimal-example-com.name +} + resource "aws_iam_role_policy" "aws-node-termination-handler-kube-system-sa-minimal-example-com" { name = "aws-node-termination-handler.kube-system.sa.minimal.example.com" policy = file("${path.module}/data/aws_iam_role_policy_aws-node-termination-handler.kube-system.sa.minimal.example.com_policy") 
@@ -728,6 +754,14 @@ resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-ebs-csi-driver-a server_side_encryption = "AES256" } +resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-19" { + bucket = "testingBucket" + content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content") + key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml" + provider = aws.files + server_side_encryption = "AES256" +} + resource "aws_s3_bucket_object" "minimal-example-com-addons-bootstrap" { bucket = "testingBucket" content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content") diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content similarity index 97% rename from tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content rename to tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content index e29a357b83fa6..a340509a9cc6e 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content 
@@ -884,7 +884,7 @@ spec:
 - --ingress-class=alb
 - --default-tags=KubernetesCluster=minimal.example.com
 - --aws-region=us-test-1
- image: amazon/aws-alb-ingress-controller:v2.3.1
+ image: amazon/aws-alb-ingress-controller:v2.4.0
 livenessProbe:
 failureThreshold: 2
 httpGet:
@@ -918,7 +918,8 @@ spec:
 serviceAccountName: aws-load-balancer-controller
 terminationGracePeriodSeconds: 10
 tolerations:
- - operator: Exists
+ - key: node-role.kubernetes.io/master
+ operator: Exists
 topologySpreadConstraints:
 - labelSelector:
 matchLabels:
@@ -1070,7 +1071,7 @@ webhooks:
 service:
 name: aws-load-balancer-webhook-service
 namespace: kube-system
- path: /validate-networking-v1beta1-ingress
+ path: /validate-networking-v1-ingress
 failurePolicy: Fail
 matchPolicy: Equivalent
 name: vingress.elbv2.k8s.aws
@@ -1078,10 +1079,42 @@ webhooks:
 - apiGroups:
 - networking.k8s.io
 apiVersions:
- - v1beta1
+ - v1
 operations:
 - CREATE
 - UPDATE
 resources:
 - ingresses
 sideEffects: None
+
+---
+
+apiVersion: elbv2.k8s.aws/v1beta1
+kind: IngressClassParams
+metadata:
+ creationTimestamp: null
+ labels:
+ addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io
+ app.kubernetes.io/managed-by: kops
+ app.kubernetes.io/name: aws-load-balancer-controller
+ k8s-addon: aws-load-balancer-controller.addons.k8s.io
+ name: alb
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ creationTimestamp: null
+ labels:
+ addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io
+ app.kubernetes.io/managed-by: kops
+ app.kubernetes.io/name: aws-load-balancer-controller
+ k8s-addon: aws-load-balancer-controller.addons.k8s.io
+ name: alb
+spec:
+ controller: ingress.k8s.aws/alb
+ parameters:
+ apiGroup: elbv2.k8s.aws
+ kind: IngressClassParams
+ name: alb
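Review bot: The controller image in the first hunk is referenced by tag alone (`image: amazon/aws-alb-ingress-controller:v2.4.0`), so what actually runs depends on whatever the registry serves for that tag at pull time, and the second hunk keeps this pod schedulable on `node-role.kubernetes.io/master` nodes. I would pin it by digest, e.g. `image: amazon/aws-alb-ingress-controller:v2.4.0@sha256:<digest-of-the-v2.4.0-image>` (placeholder; the digest is not on this page). This file looks like expected test output, so the change presumably belongs in the addon template with the fixtures regenerated; the same `image:` line appears in the `many-addons` fixture further down. If kops already resolves addon images to a verified hash elsewhere, a short comment next to the image line saying so would be enough.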
diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
index ad74a14219304..6de2591c685fb 100644
--- a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
@@ -101,9 +101,9 @@ spec:
 selector:
 k8s-addon: node-termination-handler.aws
 version: 9.99.0
- - id: k8s-1.9
- manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml
- manifestHash: 6408751d40ce8e95d26ee7c205c5569bf2132fe50345ce677eb9a93540d7e368
+ - id: k8s-1.19
+ manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
+ manifestHash: 9f57097ea954a71cb3a67444d2e8654bdb59b54444870b2c9ae9c40700fe318e
 name: aws-load-balancer-controller.addons.k8s.io
 needsPKI: true
 selector:
diff --git a/tests/integration/update_cluster/many-addons-ccm/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm/kubernetes.tf
index 9ffdf41bc5df9..6341c89cc4dc3 100644
--- a/tests/integration/update_cluster/many-addons-ccm/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons-ccm/kubernetes.tf
@@ -559,10 +559,10 @@ resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-ebs-csi-driver-a server_side_encryption = "AES256" } -resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-9" { +resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-19" { bucket = "testingBucket" - content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content") - key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml" + content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content") + key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml" provider = aws.files server_side_encryption = "AES256" } diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content similarity index 97% rename from tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content rename to tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content index e29a357b83fa6..a340509a9cc6e 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content 
+++ b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content
@@ -884,7 +884,7 @@ spec:
 - --ingress-class=alb
 - --default-tags=KubernetesCluster=minimal.example.com
 - --aws-region=us-test-1
- image: amazon/aws-alb-ingress-controller:v2.3.1
+ image: amazon/aws-alb-ingress-controller:v2.4.0
 livenessProbe:
 failureThreshold: 2
 httpGet:
@@ -918,7 +918,8 @@ spec:
 serviceAccountName: aws-load-balancer-controller
 terminationGracePeriodSeconds: 10
 tolerations:
- - operator: Exists
+ - key: node-role.kubernetes.io/master
+ operator: Exists
 topologySpreadConstraints:
 - labelSelector:
 matchLabels:
@@ -1070,7 +1071,7 @@ webhooks:
 service:
 name: aws-load-balancer-webhook-service
 namespace: kube-system
- path: /validate-networking-v1beta1-ingress
+ path: /validate-networking-v1-ingress
 failurePolicy: Fail
 matchPolicy: Equivalent
 name: vingress.elbv2.k8s.aws
@@ -1078,10 +1079,42 @@ webhooks:
 - apiGroups:
 - networking.k8s.io
 apiVersions:
- - v1beta1
+ - v1
 operations:
 - CREATE
 - UPDATE
 resources:
 - ingresses
 sideEffects: None
+
+---
+
+apiVersion: elbv2.k8s.aws/v1beta1
+kind: IngressClassParams
+metadata:
+ creationTimestamp: null
+ labels:
+ addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io
+ app.kubernetes.io/managed-by: kops
+ app.kubernetes.io/name: aws-load-balancer-controller
+ k8s-addon: aws-load-balancer-controller.addons.k8s.io
+ name: alb
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ creationTimestamp: null
+ labels:
+ addon.kops.k8s.io/name: aws-load-balancer-controller.addons.k8s.io
+ app.kubernetes.io/managed-by: kops
+ app.kubernetes.io/name: aws-load-balancer-controller
+ k8s-addon: aws-load-balancer-controller.addons.k8s.io
+ name: alb
+spec:
+ controller: ingress.k8s.aws/alb
+ parameters:
+ apiGroup: elbv2.k8s.aws
+ kind: IngressClassParams
+ name: alb
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
index 3b12066048b3d..e502d9c4c11c4 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
@@ -101,9 +101,9 @@ spec:
 selector:
 k8s-addon: node-termination-handler.aws
 version: 9.99.0
- - id: k8s-1.9
- manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml
- manifestHash: 6408751d40ce8e95d26ee7c205c5569bf2132fe50345ce677eb9a93540d7e368
+ - id: k8s-1.19
+ manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
+ manifestHash: 9f57097ea954a71cb3a67444d2e8654bdb59b54444870b2c9ae9c40700fe318e
 name: aws-load-balancer-controller.addons.k8s.io
 needsPKI: true
 selector:
diff --git a/tests/integration/update_cluster/many-addons/kubernetes.tf b/tests/integration/update_cluster/many-addons/kubernetes.tf
index 0a1bd17427826..f8941a4c3bdfa 100644
--- a/tests/integration/update_cluster/many-addons/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons/kubernetes.tf
@@ -551,10 +551,10 @@ resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-ebs-csi-driver-a
 server_side_encryption = "AES256"
 }
 
-resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-9" {
+resource "aws_s3_bucket_object" "minimal-example-com-addons-aws-load-balancer-controller-addons-k8s-io-k8s-1-19" {
 bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.9_content")
- key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.9.yaml"
+ content = file("${path.module}/data/aws_s3_bucket_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content")
+ key = "clusters.example.com/minimal.example.com/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml"
 provider = aws.files
 server_side_encryption = "AES256"
 }
diff --git a/upup/models/BUILD.bazel b/upup/models/BUILD.bazel
index f79908606b922..44385d40ad50e 100644
--- a/upup/models/BUILD.bazel
+++ b/upup/models/BUILD.bazel
@@ -57,6 +57,7 @@ go_library(
 "cloudup/resources/addons/leader-migration.rbac.addons.k8s.io/k8s-1.25.yaml",
 "cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template",
 "cloudup/resources/addons/gcp-cloud-controller.addons.k8s.io/k8s-1.23.yaml.template",
+ "cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template",
 ],
 importpath = "k8s.io/kops/upup/models",
 visibility = ["//visibility:public"],
diff --git a/upup/models/cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template
new file mode 100644
index 0000000000000..9bf6463fd32fa
--- /dev/null
+++ b/upup/models/cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template
@@ -0,0 +1,950 @@ +# sourced from https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.0/v2_4_0_full.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: ingressclassparams.elbv2.k8s.aws +spec: + group: elbv2.k8s.aws + names: + kind: IngressClassParams + listKind: IngressClassParamsList + plural: ingressclassparams + singular: ingressclassparams + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The Ingress Group name + jsonPath: .spec.group.name + name: GROUP-NAME + type: string + - description: The AWS Load Balancer scheme + jsonPath: .spec.scheme + name: SCHEME + type: string + - description: The AWS Load Balancer ipAddressType + jsonPath: .spec.ipAddressType + name: IP-ADDRESS-TYPE + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: IngressClassParams is the Schema for the IngressClassParams API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressClassParamsSpec defines the desired state of IngressClassParams + properties: + group: + description: Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams. + properties: + name: + description: Name is the name of IngressGroup. + type: string + required: + - name + type: object + ipAddressType: + description: IPAddressType defines the ip address type for all Ingresses that belong to IngressClass with this IngressClassParams. + enum: + - ipv4 + - dualstack + type: string + loadBalancerAttributes: + description: LoadBalancerAttributes define the custom attributes to LoadBalancers for all Ingress that that belong to IngressClass with this IngressClassParams. + items: + description: Attributes defines custom attributes on resources. + properties: + key: + description: The key of the attribute. + type: string + value: + description: The value of the attribute. + type: string + required: + - key + - value + type: object + type: array + namespaceSelector: + description: NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams. * if absent or present but empty, it selects all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + scheme: + description: Scheme defines the scheme for all Ingresses that belong to IngressClass with this IngressClassParams. + enum: + - internal + - internet-facing + type: string + tags: + description: Tags defines list of Tags on AWS resources provisioned for Ingresses that belong to IngressClass with this IngressClassParams. + items: + description: Tag defines a AWS Tag on resources. + properties: + key: + description: The key of the tag. + type: string + value: + description: The value of the tag. 
+ type: string + required: + - key + - value + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: targetgroupbindings.elbv2.k8s.aws +spec: + group: elbv2.k8s.aws + names: + kind: TargetGroupBinding + listKind: TargetGroupBindingList + plural: targetgroupbindings + singular: targetgroupbinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME + type: string + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT + type: string + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + properties: + networking: + description: networking provides the networking setup for ELBV2 LoadBalancer to access targets in TargetGroup. + properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. + items: + properties: + from: + description: List of peers which should be able to access the targets in TargetGroup. At least one NetworkingPeer should be specified. + items: + description: NetworkingPeer defines the source/destination peer for networking rules. + properties: + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup peer. If specified, none of the other fields can be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object + type: object + type: array + ports: + description: List of ports which should be made accessible on the targets in TargetGroup. If ports is empty or unspecified, it defaults to all ports with TCP. + items: + properties: + port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. When NodePort endpoints(instance TargetType) is used, this must be a numerical port. When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. if port is unspecified, it defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. 
If protocol is unspecified, it defaults to TCP. + enum: + - TCP + - UDP + type: string + type: object + type: array + required: + - from + - ports + type: object + type: array + type: object + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. + x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, it will be automatically inferred. + enum: + - instance + - ip + type: string + required: + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The Kubernetes Service's name + jsonPath: .spec.serviceRef.name + name: SERVICE-NAME + type: string + - description: The Kubernetes Service's port + jsonPath: .spec.serviceRef.port + name: SERVICE-PORT + type: string + - description: The AWS TargetGroup's TargetType + jsonPath: .spec.targetType + name: TARGET-TYPE + type: string + - description: The AWS TargetGroup's Amazon Resource Name + jsonPath: .spec.targetGroupARN + name: ARN + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: TargetGroupBinding is the Schema for the TargetGroupBinding API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TargetGroupBindingSpec defines the desired state of TargetGroupBinding + properties: + ipAddressType: + description: ipAddressType specifies whether the target group is of type IPv4 or IPv6. If unspecified, it will be automatically inferred. + enum: + - ipv4 + - ipv6 + type: string + networking: + description: networking defines the networking rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. 
+ properties: + ingress: + description: List of ingress rules to allow ELBV2 LoadBalancer to access targets in TargetGroup. + items: + description: NetworkingIngressRule defines a particular set of traffic that is allowed to access TargetGroup's targets. + properties: + from: + description: List of peers which should be able to access the targets in TargetGroup. At least one NetworkingPeer should be specified. + items: + description: NetworkingPeer defines the source/destination peer for networking rules. + properties: + ipBlock: + description: IPBlock defines an IPBlock peer. If specified, none of the other fields can be set. + properties: + cidr: + description: CIDR is the network CIDR. Both IPV4 or IPV6 CIDR are accepted. + type: string + required: + - cidr + type: object + securityGroup: + description: SecurityGroup defines a SecurityGroup peer. If specified, none of the other fields can be set. + properties: + groupID: + description: GroupID is the EC2 SecurityGroupID. + type: string + required: + - groupID + type: object + type: object + type: array + ports: + description: List of ports which should be made accessible on the targets in TargetGroup. If ports is empty or unspecified, it defaults to all ports with TCP. + items: + description: NetworkingPort defines the port and protocol for networking rules. + properties: + port: + anyOf: + - type: integer + - type: string + description: The port which traffic must match. When NodePort endpoints(instance TargetType) is used, this must be a numerical port. When Port endpoints(ip TargetType) is used, this can be either numerical or named port on pods. if port is unspecified, it defaults to all ports. + x-kubernetes-int-or-string: true + protocol: + description: The protocol which traffic must match. If protocol is unspecified, it defaults to TCP. 
+ enum: + - TCP + - UDP + type: string + type: object + type: array + required: + - from + - ports + type: object + type: array + type: object + nodeSelector: + description: node selector for instance type target groups to only register certain nodes + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + serviceRef: + description: serviceRef is a reference to a Kubernetes Service and ServicePort. + properties: + name: + description: Name is the name of the Service. + type: string + port: + anyOf: + - type: integer + - type: string + description: Port is the port of the ServicePort. + x-kubernetes-int-or-string: true + required: + - name + - port + type: object + targetGroupARN: + description: targetGroupARN is the Amazon Resource Name (ARN) for the TargetGroup. 
+ minLength: 1 + type: string + targetType: + description: targetType is the TargetType of TargetGroup. If unspecified, it will be automatically inferred. + enum: + - instance + - ip + type: string + required: + - serviceRef + - targetGroupARN + type: object + status: + description: TargetGroupBindingStatus defines the observed state of TargetGroupBinding + properties: + observedGeneration: + description: The generation observed by the TargetGroupBinding controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller-leader-election-role + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resourceNames: + - aws-load-balancer-controller-leader + resources: + - configmaps + verbs: + - get + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller-role +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + 
- pods/status + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - ingressclassparams + verbs: + - get + - list + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - targetgroupbindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - elbv2.k8s.aws + resources: + - targetgroupbindings/status + verbs: + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller-leader-election-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: aws-load-balancer-controller-leader-election-role +subjects: +- kind: ServiceAccount + name: aws-load-balancer-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io 
+ kind: ClusterRole + name: aws-load-balancer-controller-role +subjects: +- kind: ServiceAccount + name: aws-load-balancer-controller + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-webhook-service + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller + namespace: kube-system +spec: + replicas: {{ ControlPlaneControllerReplicas false }} + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + spec: + containers: + - args: + - --cluster-name={{ ClusterName }} + - --enable-waf=false + - --enable-wafv2=false + - --enable-shield=false + - --ingress-class=alb + - "--default-tags={{ CloudLabels }}" + - --aws-region={{ Region }} + image: amazon/aws-alb-ingress-controller:{{ or .AWSLoadBalancerController.Version "v2.4.0" }} + livenessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 61779 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 10 + name: controller + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + priorityClassName: system-cluster-critical + nodeSelector: + node-role.kubernetes.io/master: "" + securityContext: + fsGroup: 1337 + 
serviceAccountName: aws-load-balancer-controller + terminationGracePeriodSeconds: 10 + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: "topology.kubernetes.io/zone" + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + - maxSkew: 1 + topologyKey: "kubernetes.io/hostname" + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: aws-load-balancer-webhook-tls +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-serving-cert + namespace: kube-system +spec: + dnsNames: + - aws-load-balancer-webhook-service.kube-system.svc + - aws-load-balancer-webhook-service.kube-system.svc.cluster.local + issuerRef: + kind: Issuer + name: aws-load-balancer-controller.addons.k8s.io + secretName: aws-load-balancer-webhook-tls +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-webhook +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-v1-pod + failurePolicy: Fail + name: mpod.elbv2.k8s.aws + namespaceSelector: + matchExpressions: + - key: elbv2.k8s.aws/pod-readiness-gate-inject + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - aws-load-balancer-controller + rules: + - apiGroups: + - "" + apiVersions: 
+ - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding + failurePolicy: Fail + name: mtargetgroupbinding.elbv2.k8s.aws + rules: + - apiGroups: + - elbv2.k8s.aws + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - targetgroupbindings + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kube-system/aws-load-balancer-serving-cert + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-webhook +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding + failurePolicy: Fail + name: vtargetgroupbinding.elbv2.k8s.aws + rules: + - apiGroups: + - elbv2.k8s.aws + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - targetgroupbindings + sideEffects: None +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: aws-load-balancer-webhook-service + namespace: kube-system + path: /validate-networking-v1-ingress + failurePolicy: Fail + matchPolicy: Equivalent + name: vingress.elbv2.k8s.aws + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None +--- +apiVersion: elbv2.k8s.aws/v1beta1 +kind: IngressClassParams +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: alb +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/name: aws-load-balancer-controller + name: alb +spec: + controller: ingress.k8s.aws/alb + parameters: + apiGroup: elbv2.k8s.aws + 
kind: IngressClassParams + name: alb diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go index 08728724638d3..38c0bbb90688d 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go @@ -680,10 +680,21 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*Addon key := "aws-load-balancer-controller.addons.k8s.io" - { + if b.IsKubernetesLT("1.19") { location := key + "/k8s-1.9.yaml" id := "k8s-1.9" + addons.Add(&channelsapi.AddonSpec{ + Name: fi.String(key), + Selector: map[string]string{"k8s-addon": key}, + Manifest: fi.String(location), + Id: id, + NeedsPKI: true, + }) + } else { + location := key + "/k8s-1.19.yaml" + id := "k8s-1.19" + addons.Add(&channelsapi.AddonSpec{ Name: fi.String(key), Selector: map[string]string{"k8s-addon": key},
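Review bot: The Deployment's `image:` line in the new k8s-1.19 template still lets `.AWSLoadBalancerController.Version` override the tag, while the rest of the manifest is fixed to what v2.4.0 serves: the `vingress.elbv2.k8s.aws` webhook points at `/validate-networking-v1-ingress` with `failurePolicy: Fail`. If a cluster spec pins an older controller (the fixtures in this patch pair v2.3.1 with `/validate-networking-v1beta1-ingress`), the API server would presumably call a path that image does not serve, and every Ingress CREATE/UPDATE would be rejected. I would state the floor next to the image line, e.g. `# webhook paths and RBAC below assume LBC >= v2.4.0; an older .AWSLoadBalancerController.Version fails Ingress admission`, and confirm that API validation rejects lower versions on Kubernetes 1.19+. Separately, the image is referenced by tag only; whether kops' asset handling pins it to a digest is not visible from this hunk.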