From 22fcc22790da9672b49f9bb31bfc8378d0e8ddc5 Mon Sep 17 00:00:00 2001 From: Shraddha Bang <18206078+shraddhabang@users.noreply.github.com> Date: Thu, 17 Oct 2024 13:05:59 -0700 Subject: [PATCH] Release v2.9.2 (#3901) * Fix controller crash due enabling shield protection after AWS SDK Go v2 upgrades * Skip listener attributes reconcile for Isolated regions (#3884) * cut v2.9.2 release --------- Co-authored-by: wweiwei-li <79778352+wweiwei-li@users.noreply.github.com> --- Makefile | 2 +- config/controller/kustomization.yaml | 2 +- docs/deploy/installation.md | 16 +++++------ docs/examples/echo_server.md | 10 +++---- helm/aws-load-balancer-controller/Chart.yaml | 4 +-- helm/aws-load-balancer-controller/test.yaml | 2 +- helm/aws-load-balancer-controller/values.yaml | 2 +- pkg/deploy/elbv2/listener_manager.go | 21 +++++++++++++-- pkg/deploy/shield/protection_manager.go | 2 +- test/e2e/service/nlb_instance_target_test.go | 27 ++++++++++--------- version-stable.txt | 2 +- version.txt | 2 +- 12 files changed, 56 insertions(+), 36 deletions(-) diff --git a/Makefile b/Makefile index 66ff4ebea..80d141bcb 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST)))) # Image URL to use all building/pushing image targets -IMG ?= public.ecr.aws/eks/aws-load-balancer-controller:v2.9.1 +IMG ?= public.ecr.aws/eks/aws-load-balancer-controller:v2.9.2 # Image URL to use for builder stage in Docker build GOLANG_VERSION ?= $(shell cat .go-version) BUILD_IMAGE ?= public.ecr.aws/docker/library/golang:$(GOLANG_VERSION) diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 32050f9d6..a0662a51c 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -9,4 +9,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/eks/aws-load-balancer-controller - newTag: v2.9.1 + newTag: v2.9.2 
diff --git a/docs/deploy/installation.md b/docs/deploy/installation.md index 4e653f8aa..67f6cc7fe 100644 --- a/docs/deploy/installation.md +++ b/docs/deploy/installation.md @@ -90,15 +90,15 @@ Example condition for cluster name resource tag: 2. Download an IAM policy for the LBC using one of the following commands:
If your cluster is in a US Gov Cloud region: ``` - curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/install/iam_policy_us-gov.json + curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/install/iam_policy_us-gov.json ``` If your cluster is in a China region: ``` - curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/install/iam_policy_cn.json + curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/install/iam_policy_cn.json ``` If your cluster is in any other region: ``` - curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/install/iam_policy.json + curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/install/iam_policy.json ``` 3. Create an IAM policy named `AWSLoadBalancerControllerIAMPolicy`. If you downloaded a different policy, replace `iam-policy` with the name of the policy that you downloaded. 
@@ -124,7 +124,7 @@ Example condition for cluster name resource tag: ### Option B: Attach IAM policies to nodes If you're not setting up IAM roles for service accounts, apply the IAM policies from the following URL at a minimum. Please be aware of the possibility that the controller permissions may be assumed by other users in a pod after retrieving the node role credentials, so the best practice would be using IRSA instead of attaching IAM policy directly. ``` -curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/install/iam_policy.json +curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/install/iam_policy.json ``` The following IAM permissions subset is for those using `TargetGroupBinding` only and don't plan to use the LBC to manage security group rules: @@ -209,7 +209,7 @@ We recommend using the Helm chart to install the controller. The chart supports ### Apply YAML 1. Download the spec for the LBC. ``` - wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.9.1/v2_9_1_full.yaml + wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.9.2/v2_9_2_full.yaml ``` 2. Edit the saved yaml file, go to the Deployment spec, and set the controller `--cluster-name` arg value to your EKS cluster name ``` 
@@ -233,15 +233,15 @@ We recommend using the Helm chart to install the controller. The chart supports ``` 4. Apply the yaml file ``` - kubectl apply -f v2_9_1_full.yaml + kubectl apply -f v2_9_2_full.yaml ``` 5. Optionally download the default ingressclass and ingressclass params ``` - wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.9.1/v2_9_1_ingclass.yaml + wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.9.2/v2_9_2_ingclass.yaml ``` 6. Apply the ingressclass and params ``` - kubectl apply -f v2_9_1_ingclass.yaml + kubectl apply -f v2_9_2_ingclass.yaml ``` ## Create Update Strategy diff --git a/docs/examples/echo_server.md b/docs/examples/echo_server.md index edb04b117..5f8767101 100644 --- a/docs/examples/echo_server.md +++ b/docs/examples/echo_server.md @@ -87,9 +87,9 @@ In this walkthrough, you'll 1. Deploy all the echoserver resources (namespace, service, deployment) ```bash - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/examples/echoservice/echoserver-namespace.yaml &&\ - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/examples/echoservice/echoserver-service.yaml &&\ - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/examples/echoservice/echoserver-deployment.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/examples/echoservice/echoserver-namespace.yaml &&\ + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/examples/echoservice/echoserver-service.yaml &&\ + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/examples/echoservice/echoserver-deployment.yaml ``` 1. List all the resources to ensure they were created. 
@@ -113,7 +113,7 @@ In this walkthrough, you'll 1. Download the echoserver ingress manifest locally. ```bash - wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/examples/echoservice/echoserver-ingress.yaml + wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/examples/echoservice/echoserver-ingress.yaml ``` 1. Configure the subnets, either by add annotation to the ingress or add tags to subnets. This step is optional in lieu of auto-discovery. @@ -300,7 +300,7 @@ You should get back a valid response. follow below steps if you want to use kube2iam to provide the AWS credentials 1. configure the proper policy - The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.1/docs/install/iam_policy.json + The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.9.2/docs/install/iam_policy.json 1. configure the proper role and create the trust relationship You have to find which role is associated with your K8S nodes. Once you found take note of the full arn: diff --git a/helm/aws-load-balancer-controller/Chart.yaml b/helm/aws-load-balancer-controller/Chart.yaml index df8ad92f1..b3aba9275 100644 --- a/helm/aws-load-balancer-controller/Chart.yaml +++ b/helm/aws-load-balancer-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: aws-load-balancer-controller description: AWS Load Balancer Controller Helm chart for Kubernetes -version: 1.9.1 -appVersion: v2.9.1 +version: 1.9.2 +appVersion: v2.9.2 home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/aws-load-balancer-controller/test.yaml b/helm/aws-load-balancer-controller/test.yaml index 2163430d6..d5b513926 100644 --- a/helm/aws-load-balancer-controller/test.yaml 
+++ b/helm/aws-load-balancer-controller/test.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.9.1 + tag: v2.9.2 pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml index dcf09fd3c..616ac6482 100644 --- a/helm/aws-load-balancer-controller/values.yaml +++ b/helm/aws-load-balancer-controller/values.yaml @@ -8,7 +8,7 @@ revisionHistoryLimit: 10 image: repository: public.ecr.aws/eks/aws-load-balancer-controller - tag: v2.9.1 + tag: v2.9.2 pullPolicy: IfNotPresent runtimeClassName: "" diff --git a/pkg/deploy/elbv2/listener_manager.go b/pkg/deploy/elbv2/listener_manager.go index 89e398640..1aa4a6b70 100644 --- a/pkg/deploy/elbv2/listener_manager.go +++ b/pkg/deploy/elbv2/listener_manager.go @@ -3,6 +3,7 @@ package elbv2 import ( "context" "reflect" + "strings" "time" awssdk "github.com/aws/aws-sdk-go-v2/aws" @@ -101,7 +102,8 @@ func (m *defaultListenerManager) Create(ctx context.Context, resLS *elbv2model.L }); err != nil { return elbv2model.ListenerStatus{}, errors.Wrap(err, "failed to update extra certificates on listener") } - if areListenerAttributesSupported(resLS.Spec.Protocol) { + listenerARN := awssdk.ToString(sdkLS.Listener.ListenerArn) + if !isIsolatedRegion(getRegionFromARN(listenerARN)) && areListenerAttributesSupported(resLS.Spec.Protocol) { if err := m.attributesReconciler.Reconcile(ctx, resLS, sdkLS); err != nil { return elbv2model.ListenerStatus{}, err } 
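Review bot: The two added lines in Create (`listenerARN := awssdk.ToString(sdkLS.Listener.ListenerArn)` and the `if !isIsolatedRegion(getRegionFromARN(listenerARN)) && areListenerAttributesSupported(...)` guard) are repeated verbatim in Update in the next hunk; extract them into one predicate such as `shouldReconcileListenerAttributes(resLS, sdkLS) bool` so the two call sites cannot drift when the isolation rule changes. The guard also deserves a why-comment, because a reader will otherwise assume listener attributes are purely a protocol question: `// Listener-attribute APIs are not available in isolated partitions; skip them there.` Note that a malformed or empty ARN makes getRegionFromARN return "", which is treated as "not isolated" and so still attempts the attribute reconcile — that matches the pre-patch behaviour but is worth stating in the comment. Create's body starts and ends outside the hunk.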
@@ -121,7 +123,8 @@ func (m *defaultListenerManager) Update(ctx context.Context, resLS *elbv2model.L
 	if err := m.updateSDKListenerWithExtraCertificates(ctx, resLS, sdkLS, false); err != nil {
 		return elbv2model.ListenerStatus{}, err
 	}
-	if areListenerAttributesSupported(resLS.Spec.Protocol) {
+	listenerARN := awssdk.ToString(sdkLS.Listener.ListenerArn)
+	if !isIsolatedRegion(getRegionFromARN(listenerARN)) && areListenerAttributesSupported(resLS.Spec.Protocol) {
 		if err := m.attributesReconciler.Reconcile(ctx, resLS, sdkLS); err != nil {
 			return elbv2model.ListenerStatus{}, err
 		}
@@ -379,3 +382,17 @@ func areListenerAttributesSupported(protocol elbv2model.Protocol) bool {
 	supported, exists := PROTOCOLS_SUPPORTING_LISTENER_ATTRIBUTES[protocol]
 	return exists && supported
 }
+
+func getRegionFromARN(arn string) string {
+	if strings.HasPrefix(arn, "arn:") {
+		arnElements := strings.Split(arn, ":")
+		if len(arnElements) > 3 {
+			return arnElements[3]
+		}
+	}
+	return ""
+}
+
+func isIsolatedRegion(region string) bool {
+	return strings.Contains(strings.ToLower(region), "-iso-")
+}
diff --git a/pkg/deploy/shield/protection_manager.go b/pkg/deploy/shield/protection_manager.go
index 12f98529d..b8266fbad 100644
--- a/pkg/deploy/shield/protection_manager.go
+++ b/pkg/deploy/shield/protection_manager.go
@@ -125,7 +125,7 @@ func (m *defaultProtectionManager) GetProtection(ctx context.Context, resourceAR
 			return nil, err
 		}
 	}
-	if resp.Protection != nil {
+	if resp != nil && resp.Protection != nil {
 		protectionInfo = &ProtectionInfo{
 			Name: awssdk.ToString(resp.Protection.Name),
 			ID: awssdk.ToString(resp.Protection.Id),
diff --git a/test/e2e/service/nlb_instance_target_test.go b/test/e2e/service/nlb_instance_target_test.go
index 89fa1dec5..169bd8fa0 100644
--- a/test/e2e/service/nlb_instance_target_test.go
+++ b/test/e2e/service/nlb_instance_target_test.go
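Review bot: The added `if` in Update re-derives the partition from the listener ARN on every reconcile, although the partition a controller instance runs in is fixed for its lifetime; resolving it once (for example from the configured AWS region when defaultListenerManager is constructed) and keeping a boolean would keep this path free of string splitting and would also answer the question before a listener ARN exists. If the per-ARN approach is kept, the `!isIsolatedRegion(...) && areListenerAttributesSupported(...)` expression copied from Create belongs in a single named predicate rather than two hand-maintained copies. Update's body starts and ends outside the hunk.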
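Review bot: `isIsolatedRegion` keys on the substring `-iso-` in the region element, but the ARN the callers pass already carries the partition as its second element (`arn:<partition>:elasticloadbalancing:<region>:...`), which is the authoritative signal for this decision; as far as I know the other isolated partitions use region codes such as `us-isob-east-1`, `eu-isoe-west-1` or `us-isof-south-1` that do not contain `-iso-`, so if those are in scope the attribute calls would still be attempted there. Testing the partition prefix `aws-iso` covers all of them and removes the dependence on how region codes are spelled; callers become `if !isIsolatedPartition(listenerARN) && areListenerAttributesSupported(resLS.Spec.Protocol) {`. Both new helpers also lack doc comments; at minimum `getRegionFromARN` should state that it returns "" for anything that is not a well-formed ARN and that callers treat "" as non-isolated.
```go
// isIsolatedPartition reports whether arn belongs to an isolated AWS partition
// (aws-iso, aws-iso-b, ...), where the listener-attribute APIs are not
// available. The partition is the second ARN element, so the check does not
// depend on how the region code is spelled. Non-ARN input yields false, which
// callers treat as "not isolated" (the pre-existing behaviour).
func isIsolatedPartition(arn string) bool {
	parts := strings.SplitN(arn, ":", 4)
	if len(parts) < 3 || parts[0] != "arn" {
		return false
	}
	return strings.HasPrefix(strings.ToLower(parts[1]), "aws-iso")
}
```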
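Review bot: The added `resp != nil &&` guard in GetProtection stops the nil dereference but leaves the reader to work out how `resp` can be nil when the error path just above already returned; presumably the branch above (outside the hunk) suppresses a not-found error and falls through with the SDK v2 nil output. A short comment on the new line would make that explicit, e.g. `// resp is nil when the not-found error above was suppressed: SDK v2 returns a nil output alongside the error`; alternatively that branch could `return nil, nil` directly so no downstream nil check is needed. GetProtection's body starts and ends outside the hunk, so I cannot confirm which branch produces the nil.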
@@ -160,20 +160,23 @@ var _ = Describe("test k8s service reconciled by the aws load balancer controlle }) Expect(err).NotTo(HaveOccurred()) }) - By("modifying listener attributes", func() { - err := stack.UpdateServiceAnnotations(ctx, tf, map[string]string{ - "service.beta.kubernetes.io/aws-load-balancer-listener-attributes.TCP-80": "tcp.idle_timeout.seconds=400", - }) - Expect(err).NotTo(HaveOccurred()) + // remove this once listener attributes are available in isolated region + if !strings.Contains(tf.Options.AWSRegion, "-iso-") { + By("modifying listener attributes", func() { + err := stack.UpdateServiceAnnotations(ctx, tf, map[string]string{ + "service.beta.kubernetes.io/aws-load-balancer-listener-attributes.TCP-80": "tcp.idle_timeout.seconds=400", + }) + Expect(err).NotTo(HaveOccurred()) - lsARN := getLoadBalancerListenerARN(ctx, tf, lbARN, "80") + lsARN := getLoadBalancerListenerARN(ctx, tf, lbARN, "80") - Eventually(func() bool { - return verifyListenerAttributes(ctx, tf, lsARN, map[string]string{ - "tcp.idle_timeout.seconds": "400", - }) == nil - }, utils.PollTimeoutShort, utils.PollIntervalMedium).Should(BeTrue()) - }) + Eventually(func() bool { + return verifyListenerAttributes(ctx, tf, lsARN, map[string]string{ + "tcp.idle_timeout.seconds": "400", + }) == nil + }, utils.PollTimeoutShort, utils.PollIntervalMedium).Should(BeTrue()) + }) + } }) It("should provision internal load-balancer resources", func() { By("deploying stack", func() { diff --git a/version-stable.txt b/version-stable.txt index dedcc7d43..5d9ade10c 100644 --- a/version-stable.txt +++ b/version-stable.txt @@ -1 +1 @@ -2.9.1 +2.9.2 diff --git a/version.txt b/version.txt index dedcc7d43..5d9ade10c 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -2.9.1 +2.9.2
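Review bot: The new skip condition `if !strings.Contains(tf.Options.AWSRegion, "-iso-")` hard-codes the same substring as the controller's `isIsolatedRegion`, but in a different package, so the two will drift silently if one is changed (and it shares the same gap for any isolated region whose code is not spelled with `-iso-`, if such regions are in scope for this suite). Since the test cannot import the unexported helper, at least make the coupling visible in the comment above it: `// TODO: remove once listener attributes are available in isolated regions; keep in sync with isIsolatedRegion in pkg/deploy/elbv2/listener_manager.go`. The enclosing It block starts outside the hunk.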