Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NE-1808: Bump controller to v2.8.2 #139

Merged
merged 1 commit into from
Dec 18, 2024
Merged

NE-1808: Bump controller to v2.8.2 #139

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion assets/iam-policy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,8 @@
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags"
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores"
Copy link

@gcs278 gcs278 Dec 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is updating the iam-policy automated at all, or do you just have to manually look at https://github.com/openshift/aws-load-balancer-controller/blob/d0c13bf1576965a3b65fc09ebce94ed9f86833a2/docs/install/iam_policy.json to see if anything changed and manually sync it?

Edit: I commented on the wrong file, I know there's iamctl to sync iam-policy within the ALBO repo, but just curious if the upstream change is manually synced to this repo, and if so, is that something that we could fix in the future?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, the process is manual. Initially I planned to automate it in this PR and even created a dedicated hack file for that purpose. However, I noticed that the semantic difference can sometimes be much smaller than the byte-by-byte difference because certain statements might be reshuffled upstream.

In this particular case, the semantic change was limited to adding the elasticloadbalancing:DescribeTrustStores action for the mTLS support (which we don't support yet).

I couldn’t find a straightforward way to sort the upstream policy that would minimize the diff while avoiding the risk of losing statements. As a result, I decided to keep the process manual so that multiple people can validate the changes.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. If someone in the future missed a iam-policy update on a rebase, would you expect it to get caught by E2E tests? Or is it a solid "maybe"?

Copy link
Contributor Author

@alebedev87 alebedev87 Dec 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not as solid as I would like it to be. The e2e tests cover only the scenarios described in the docs. If IAM policy changes go beyond this - we may miss them.

],
"Resource": "*"
},
Expand Down
2 changes: 1 addition & 1 deletion bundle/manifests/aws-load-balancer-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,7 +287,7 @@ spec:
- /manager
env:
- name: RELATED_IMAGE_CONTROLLER
value: quay.io/aws-load-balancer-operator/aws-load-balancer-controller@sha256:72a5057abe61e5e0de19cdaccba81326baf242bf087f74e10f303deeaae181a2
value: quay.io/aws-load-balancer-operator/aws-load-balancer-controller@sha256:75c5e5c1c650b27c273875d6e9497ede335c0ded6719064b0db63a6da8369937
- name: TARGET_NAMESPACE
valueFrom:
fieldRef:
Expand Down
101 changes: 75 additions & 26 deletions bundle/manifests/elbv2.k8s.aws_ingressclassparams.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
controller-gen.kubebuilder.io/version: v0.14.0
creationTimestamp: null
name: ingressclassparams.elbv2.k8s.aws
spec:
Expand Down Expand Up @@ -36,20 +36,31 @@ spec:
description: IngressClassParams is the Schema for the IngressClassParams API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IngressClassParamsSpec defines the desired state of IngressClassParams
properties:
certificateArn:
description: CertificateArn specifies the ARN of the certificates
for all Ingresses that belong to IngressClass with this IngressClassParams.
items:
type: string
type: array
group:
description: Group defines the IngressGroup for all Ingresses that
belong to IngressClass with this IngressClassParams.
Expand All @@ -60,12 +71,19 @@ spec:
required:
- name
type: object
inboundCIDRs:
description: InboundCIDRs specifies the CIDRs that are allowed to
access the Ingresses that belong to IngressClass with this IngressClassParams.
items:
type: string
type: array
ipAddressType:
description: IPAddressType defines the ip address type for all Ingresses
that belong to IngressClass with this IngressClassParams.
enum:
- ipv4
- dualstack
- dualstack-without-public-ipv4
type: string
loadBalancerAttributes:
description: LoadBalancerAttributes define the custom attributes to
Expand All @@ -86,58 +104,89 @@ spec:
type: object
type: array
namespaceSelector:
description: NamespaceSelector restrict the namespaces of Ingresses
that are allowed to specify the IngressClass with this IngressClassParams.
description: |-
NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams.
* if absent or present but empty, it selects all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
scheme:
description: Scheme defines the scheme for all Ingresses that belong
to IngressClass with this IngressClassParams.
enum:
- internal
- internet-facing
type: string
sslPolicy:
description: SSLPolicy specifies the SSL Policy for all Ingresses
that belong to IngressClass with this IngressClassParams.
type: string
subnets:
description: Subnets defines the subnets for all Ingresses that belong
to IngressClass with this IngressClassParams.
properties:
ids:
description: IDs specify the resource IDs of subnets. Exactly
one of this or `tags` must be specified.
items:
description: SubnetID specifies a subnet ID.
pattern: subnet-[0-9a-f]+
type: string
minItems: 1
type: array
tags:
additionalProperties:
items:
type: string
type: array
description: |-
Tags specifies subnets in the load balancer's VPC where each
tag specified in the map key contains one of the values in the corresponding
value list.
Exactly one of this or `ids` must be specified.
type: object
type: object
tags:
description: Tags defines list of Tags on AWS resources provisioned
for Ingresses that belong to IngressClass with this IngressClassParams.
Expand All @@ -164,5 +213,5 @@ status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
conditions: null
storedVersions: null
Loading