Merge pull request #50 from aws-samples/feature/aws-load-balancer-controller

Updated AWS LB controller per new design requirements

kubernetes-addons.tf

@@ -54,21 +54,13 @@ module "prometheus" {
   depends_on = [module.aws_eks]
 }
 
-# TODO Upgrade
 module "lb_ingress_controller" {
-  count  = var.create_eks && var.aws_lb_ingress_controller_enable ? 1 : 0
-  source = "./kubernetes-addons/lb-ingress-controller"
-
-  private_container_repo_url  = var.private_container_repo_url
-  clusterName                 = module.aws_eks.cluster_id
-  eks_oidc_issuer_url         = module.aws_eks.cluster_oidc_issuer_url
-  eks_oidc_provider_arn       = module.aws_eks.oidc_provider_arn
-  public_docker_repo          = var.public_docker_repo
-  aws_lb_image_tag            = var.aws_lb_image_tag
-  aws_lb_helm_chart_version   = var.aws_lb_helm_chart_version
-  aws_lb_image_repo_name      = var.aws_lb_image_repo_name
-  aws_lb_helm_repo_url        = var.aws_lb_helm_repo_url
-  aws_lb_helm_helm_chart_name = var.aws_lb_helm_helm_chart_name
+  count                          = var.create_eks && var.aws_lb_ingress_controller_enable ? 1 : 0
+  source                         = "./kubernetes-addons/lb-ingress-controller"
+  eks_cluster_id                 = module.aws_eks.cluster_id
+  lb_ingress_controller_helm_app = var.aws_lb_ingress_controller_helm_app
+  eks_oidc_issuer_url            = module.aws_eks.cluster_oidc_issuer_url
+  eks_oidc_provider_arn          = module.aws_eks.oidc_provider_arn
 
   depends_on = [module.aws_eks]
 }

kubernetes-addons/lb-ingress-controller/README.md

+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
 # LB Ingress Controller Deployment Guide
 
 # Introduction
@@ -98,26 +115,18 @@ No modules.
 | [aws_iam_role.eks_lb_controller_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.eks_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [helm_release.lb_ingress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.lb_ingress_crd](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_service_account.eks_lb_controller_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [aws_iam_policy_document.eks_lb_controller_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_aws_lb_helm_chart_version"></a> [aws\_lb\_helm\_chart\_version](#input\_aws\_lb\_helm\_chart\_version) | n/a | `string` | `"1.2.7"` | no |
-| <a name="input_aws_lb_helm_helm_chart_name"></a> [aws\_lb\_helm\_helm\_chart\_name](#input\_aws\_lb\_helm\_helm\_chart\_name) | n/a | `string` | `"aws-load-balancer-controller"` | no |
-| <a name="input_aws_lb_helm_repo_url"></a> [aws\_lb\_helm\_repo\_url](#input\_aws\_lb\_helm\_repo\_url) | n/a | `string` | `"https://aws.github.io/eks-charts"` | no |
-| <a name="input_aws_lb_image_repo_name"></a> [aws\_lb\_image\_repo\_name](#input\_aws\_lb\_image\_repo\_name) | n/a | `string` | `"amazon/aws-load-balancer-controller"` | no |
-| <a name="input_aws_lb_image_tag"></a> [aws\_lb\_image\_tag](#input\_aws\_lb\_image\_tag) | n/a | `string` | `"v2.2.4"` | no |
-| <a name="input_clusterName"></a> [clusterName](#input\_clusterName) | n/a | `string` | n/a | yes |
-| <a name="input_eks_oidc_issuer_url"></a> [eks\_oidc\_issuer\_url](#input\_eks\_oidc\_issuer\_url) | n/a | `string` | n/a | yes |
-| <a name="input_eks_oidc_provider_arn"></a> [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | n/a | `string` | n/a | yes |
-| <a name="input_private_container_repo_url"></a> [private\_container\_repo\_url](#input\_private\_container\_repo\_url) | n/a | `string` | n/a | yes |
-| <a name="input_public_docker_repo"></a> [public\_docker\_repo](#input\_public\_docker\_repo) | n/a | `bool` | n/a | yes |
-| <a name="input_public_image_repo"></a> [public\_image\_repo](#input\_public\_image\_repo) | n/a | `string` | `"602401143452.dkr.ecr.us-west-2.amazonaws.com"` | no |
-| <a name="input_replicas"></a> [replicas](#input\_replicas) | n/a | `string` | `"2"` | no |
+| <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes |
+| <a name="input_eks_oidc_issuer_url"></a> [eks\_oidc\_issuer\_url](#input\_eks\_oidc\_issuer\_url) | The URL on the EKS cluster OIDC Issuer | `string` | n/a | yes |
+| <a name="input_eks_oidc_provider_arn"></a> [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true`. | `string` | n/a | yes |
+| <a name="input_lb_ingress_controller_helm_app"></a> [lb\_ingress\_controller\_helm\_app](#input\_lb\_ingress\_controller\_helm\_app) | Helm chart definition for lb\_ingress\_controller. | `any` | `{}` | no |
 
 ## Outputs
 

kubernetes-addons/lb-ingress-controller/chart/lb_crds/Chart.yaml

-apiVersion: v2
-name: aws-lb-crd-helm-chart
-description: A Helm chart for AWS lb ingress controller crd
-type: application
-version: 1.2.3
-appVersion: v2.2.1

kubernetes-addons/lb-ingress-controller/lb_ingress_controller.yaml → kubernetes-addons/lb-ingress-controller/lb-ingress-controller.yaml

@@ -9,7 +9,7 @@ clusterName: ${clusterName}
 serviceAccount:
   # Specifies whether a service account should be created
   create: false
-  name: eks-lb-controller-sa
+  name: ${aws_lb_controller_sa}
 
 rbac:
   # Specifies whether rbac resources should be created

kubernetes-addons/lb-ingress-controller/locals.tf

+data "aws_region" "current" {}
+
+locals {
+  aws_lb_controller_sa = "aws-load-balancer-controller"
+
+  default_lb_ingress_controller_helm_app = {
+    name             = "aws-lb-ingress-controller"
+    chart            = "aws-load-balancer-controller"
+    repository       = "https://aws.github.io/eks-charts"
+    version          = "1.3.1"
+    namespace        = "kube-system"
+    timeout          = "1200"
+    create_namespace = false
+    values = [templatefile("${path.module}/lb-ingress-controller.yaml", {
+      region               = data.aws_region.current.name,
+      image                = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller"
+      tag                  = "v2.3.0"
+      clusterName          = var.eks_cluster_id
+      aws_lb_controller_sa = local.aws_lb_controller_sa
+      replicaCount         = "1"
+    })]
+    set = [
+      {
+        name  = "nodeSelector.kubernetes\\.io/os"
+        value = "linux"
+      },
+      {
+        name  = "serviceAccount.create"
+        value = "false"
+      },
+      {
+        name  = "serviceAccount.name"
+        value = local.aws_lb_controller_sa
+      }
+    ]
+    set_sensitive              = null
+    lint                       = true
+    wait                       = true
+    wait_for_jobs              = false
+    description                = "aws-lb-ingress-controller Helm Chart for ingress resources"
+    verify                     = false
+    keyring                    = ""
+    repository_key_file        = ""
+    repository_cert_file       = ""
+    repository_ca_file         = ""
+    repository_username        = ""
+    repository_password        = ""
+    disable_webhooks           = false
+    reuse_values               = false
+    reset_values               = false
+    force_update               = false
+    recreate_pods              = false
+    cleanup_on_fail            = false
+    max_history                = 0
+    atomic                     = false
+    skip_crds                  = false
+    render_subchart_notes      = true
+    disable_openapi_validation = false
+    dependency_update          = false
+    replace                    = false
+    postrender                 = ""
+
+  }
+  lb_ingress_controller_helm_app = merge(
+    local.default_lb_ingress_controller_helm_app,
+  var.lb_ingress_controller_helm_app)
+}

kubernetes-addons/lb-ingress-controller/main.tf

@@ -16,37 +16,75 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-locals {
-  public_image_repo = var.public_image_repo
-  image_url         = var.public_docker_repo ? "${local.public_image_repo}/${var.aws_lb_image_repo_name}" : "${var.private_container_repo_url}/${var.aws_lb_image_repo_name}"
-}
-
 resource "helm_release" "lb_ingress" {
-  name       = var.aws_lb_helm_helm_chart_name
-  repository = var.aws_lb_helm_repo_url
-  chart      = var.aws_lb_helm_helm_chart_name
-  version    = var.aws_lb_helm_chart_version
-  namespace  = "kube-system"
-  timeout    = "1200"
+  name                       = local.lb_ingress_controller_helm_app["name"]
+  repository                 = local.lb_ingress_controller_helm_app["repository"]
+  chart                      = local.lb_ingress_controller_helm_app["chart"]
+  version                    = local.lb_ingress_controller_helm_app["version"]
+  namespace                  = local.lb_ingress_controller_helm_app["namespace"]
+  timeout                    = local.lb_ingress_controller_helm_app["timeout"]
+  values                     = local.lb_ingress_controller_helm_app["values"]
+  create_namespace           = local.lb_ingress_controller_helm_app["create_namespace"]
+  lint                       = local.lb_ingress_controller_helm_app["lint"]
+  description                = local.lb_ingress_controller_helm_app["description"]
+  repository_key_file        = local.lb_ingress_controller_helm_app["repository_key_file"]
+  repository_cert_file       = local.lb_ingress_controller_helm_app["repository_cert_file"]
+  repository_ca_file         = local.lb_ingress_controller_helm_app["repository_ca_file"]
+  repository_username        = local.lb_ingress_controller_helm_app["repository_username"]
+  repository_password        = local.lb_ingress_controller_helm_app["repository_password"]
+  verify                     = local.lb_ingress_controller_helm_app["verify"]
+  keyring                    = local.lb_ingress_controller_helm_app["keyring"]
+  disable_webhooks           = local.lb_ingress_controller_helm_app["disable_webhooks"]
+  reuse_values               = local.lb_ingress_controller_helm_app["reuse_values"]
+  reset_values               = local.lb_ingress_controller_helm_app["reset_values"]
+  force_update               = local.lb_ingress_controller_helm_app["force_update"]
+  recreate_pods              = local.lb_ingress_controller_helm_app["recreate_pods"]
+  cleanup_on_fail            = local.lb_ingress_controller_helm_app["cleanup_on_fail"]
+  max_history                = local.lb_ingress_controller_helm_app["max_history"]
+  atomic                     = local.lb_ingress_controller_helm_app["atomic"]
+  skip_crds                  = local.lb_ingress_controller_helm_app["skip_crds"]
+  render_subchart_notes      = local.lb_ingress_controller_helm_app["render_subchart_notes"]
+  disable_openapi_validation = local.lb_ingress_controller_helm_app["disable_openapi_validation"]
+  wait                       = local.lb_ingress_controller_helm_app["wait"]
+  wait_for_jobs              = local.lb_ingress_controller_helm_app["wait_for_jobs"]
+  dependency_update          = local.lb_ingress_controller_helm_app["dependency_update"]
+  replace                    = local.lb_ingress_controller_helm_app["replace"]
+
+  postrender {
+    binary_path = local.lb_ingress_controller_helm_app["postrender"]
+  }
 
-  values = [templatefile("${path.module}/lb_ingress_controller.yaml", {
-    image        = local.image_url
-    tag          = var.aws_lb_image_tag
-    clusterName  = var.clusterName
-    replicaCount = var.replicas
-  })]
-  depends_on = [helm_release.lb_ingress_crd, kubernetes_service_account.eks_lb_controller_sa]
+  dynamic "set" {
+    iterator = each_item
+    for_each = local.lb_ingress_controller_helm_app["set"] == null ? [] : local.lb_ingress_controller_helm_app["set"]
 
-}
+    content {
+      name  = each_item.value.name
+      value = each_item.value.value
+    }
+  }
+
+  dynamic "set_sensitive" {
+    iterator = each_item
+    for_each = local.lb_ingress_controller_helm_app["set_sensitive"] == null ? [] : local.lb_ingress_controller_helm_app["set_sensitive"]
+
+    content {
+      name  = each_item.value.name
+      value = each_item.value.value
+    }
+  }
 
-resource "helm_release" "lb_ingress_crd" {
-  chart     = "${path.module}/chart/lb_crds"
-  name      = "lb-crd-target-group"
-  namespace = "kube-system"
+  depends_on = [aws_iam_role.eks_lb_controller_role, kubernetes_service_account.eks_lb_controller_sa]
 }
 
+//resource "helm_release" "lb_ingress_crd" {
+//  chart     = "${path.module}/chart/lb_crds"
+//  name      = "lb-crd-target-group"
+//  namespace = "kube-system"
+//}
+
 resource "aws_iam_policy" "eks_lb_controller" {
-  name        = "${var.clusterName}-lb-controller-policy"
+  name        = "${var.eks_cluster_id}-lb-controller-policy"
   description = "Allows lb controller to manage ALB and NLB"
 
   policy = <<EOF
@@ -286,7 +324,7 @@ data "aws_iam_policy_document" "eks_lb_controller_assume_policy" {
     condition {
       test     = "StringEquals"
       variable = "${replace(var.eks_oidc_issuer_url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:kube-system:eks-lb-controller-sa"]
+      values   = ["system:serviceaccount:kube-system:${local.aws_lb_controller_sa}"]
     }
 
     principals {
@@ -298,7 +336,7 @@ data "aws_iam_policy_document" "eks_lb_controller_assume_policy" {
 
 # IAM role for eks alb controller
 resource "aws_iam_role" "eks_lb_controller_role" {
-  name               = "${var.clusterName}-lb-controller-role"
+  name               = "${var.eks_cluster_id}-lb-controller-role"
   assume_role_policy = data.aws_iam_policy_document.eks_lb_controller_assume_policy.json
 }
 
@@ -312,7 +350,7 @@ resource "aws_iam_role_policy_attachment" "eks_role_policy" {
 # Kubernetes service account for lb controller
 resource "kubernetes_service_account" "eks_lb_controller_sa" {
   metadata {
-    name        = "eks-lb-controller-sa"
+    name        = local.aws_lb_controller_sa
     namespace   = "kube-system"
     annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.eks_lb_controller_role.arn }
   }

kubernetes-addons/lb-ingress-controller/variables.tf

@@ -16,54 +16,22 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-variable "aws_lb_helm_repo_url" {
-  type    = string
-  default = "https://aws.github.io/eks-charts"
+variable "lb_ingress_controller_helm_app" {
+  type        = any
+  description = "Helm chart definition for lb_ingress_controller."
+  default     = {}
 }
-
-variable "aws_lb_helm_helm_chart_name" {
-  type    = string
-  default = "aws-load-balancer-controller"
-}
-variable "public_docker_repo" {
-  type = bool
-}
-
-variable "private_container_repo_url" {
-  type = string
-}
-
-variable "aws_lb_image_repo_name" {
-  type    = string
-  default = "amazon/aws-load-balancer-controller"
-}
-
-variable "public_image_repo" {
-  type    = string
-  default = "602401143452.dkr.ecr.us-west-2.amazonaws.com"
+variable "eks_cluster_id" {
+  type        = string
+  description = "EKS cluster Id"
 }
-variable "aws_lb_image_tag" {
-  type    = string
-  default = "v2.2.4"
-}
-variable "aws_lb_helm_chart_version" {
-  type    = string
-  default = "1.2.7"
-}
-
-variable "replicas" {
-  type    = string
-  default = "2"
-}
-
-variable "clusterName" {
-  type = string
+variable "eks_oidc_issuer_url" {
+  type        = string
+  description = "The URL on the EKS cluster OIDC Issuer"
 }
 
 variable "eks_oidc_provider_arn" {
-  type = string
-}
+  type        = string
+  description = "The ARN of the OIDC Provider if `enable_irsa = true`."
 
-variable "eks_oidc_issuer_url" {
-  type = string
 }

variables.tf

@@ -305,25 +305,10 @@ variable "aws_lb_ingress_controller_enable" {
   default     = false
   description = "enabling LB Ingress Controller on eks cluster"
 }
-variable "aws_lb_image_repo_name" {
-  type    = string
-  default = "amazon/aws-load-balancer-controller"
-}
-variable "aws_lb_helm_repo_url" {
-  type    = string
-  default = "https://aws.github.io/eks-charts"
-}
-variable "aws_lb_helm_helm_chart_name" {
-  type    = string
-  default = "aws-load-balancer-controller"
-}
-variable "aws_lb_image_tag" {
-  type    = string
-  default = "v2.2.4"
-}
-variable "aws_lb_helm_chart_version" {
-  type    = string
-  default = "1.2.7"
+variable "aws_lb_ingress_controller_helm_app" {
+  type        = any
+  description = "Helm chart definition for aws_lb_ingress_controller"
+  default     = {}
 }
 #-----------NGINX-------------
 variable "nginx_ingress_controller_enable" {