
Commit 67de256

Add EnhancedDefaulting flag to do sensible defaulting when possible (#4344)
* introduce enhanced defaulting to address weird defaulting behavior :) * remove subnet resolver / az check from mtls builder in gateway api * add ALPN defaulting * refactor addons for gateway to allow setting ELB PC * remove defaulting from MutualAuth as not all ALB zones support it
1 parent 4fd56b4 commit 67de256

30 files changed

+1339
-468
lines changed

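--- a/apis/gateway/v1beta1/loadbalancerconfig_types.go
+++ b/apis/gateway/v1beta1/loadbalancerconfig_types.go
@@ -175,7 +175,6 @@ type ListenerConfiguration struct {
 
 // mutualAuthentication defines the mutual authentication configuration information.
 // +optional
-// +kubebuilder:default={"mode": "off"}
 MutualAuthentication *MutualAuthenticationAttributes `json:"mutualAuthentication,omitempty"`
 
 // listenerAttributes defines the attributes for the listener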

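--- a/config/crd/gateway/gateway-crds.yaml
+++ b/config/crd/gateway/gateway-crds.yaml
@@ -515,8 +515,6 @@ spec:
 type: object
 type: array
 mutualAuthentication:
-default:
-mode: "off"
 description: mutualAuthentication defines the mutual authentication
 configuration information.
 properties: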

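--- a/config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml
+++ b/config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml
@@ -117,8 +117,6 @@ spec:
 type: object
 type: array
 mutualAuthentication:
-default:
-mode: "off"
 description: mutualAuthentication defines the mutual authentication
 configuration information.
 properties: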

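--- a/controllers/gateway/addons.go
+++ b/controllers/gateway/addons.go
@@ -14,8 +14,8 @@ import (
 )
 
 var (
-albAddons = []addon.Addon{addon.WAFv2, addon.Shield}
-nlbAddons []addon.Addon
+albAddons = []addon.Addon{addon.WAFv2, addon.Shield, addon.ProvisionedCapacity}
+nlbAddons = []addon.Addon{addon.ProvisionedCapacity}
 )
 
 const (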
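Review bot: The `albAddons`/`nlbAddons` lists at lines 17-18 carry no comment saying what membership in them means, and `nlbAddons` changes from a nil slice to a one-element slice, so any `nlbAddons == nil` check elsewhere in the package (none is visible here) would now behave differently. I would add above the `var` block: `// albAddons and nlbAddons are the addons the gateway controller supports per load balancer type; ProvisionedCapacity is now handled for both.` If these lists are what newGatewayReconciler hands to the model builder as supportedAddons, as the gateway_controller.go hunk in this commit suggests, that linkage is worth a sentence in the same comment.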

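--- a/controllers/gateway/gateway_controller.go
+++ b/controllers/gateway/gateway_controller.go
@@ -76,7 +76,7 @@ func newGatewayReconciler(controllerName string, lbType elbv2model.LoadBalancerT
 modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, controllerConfig, cloud.EC2(), cloud.ELBV2(), cloud.ACM(), k8sClient, controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, supportedAddons, logger)
 
 stackMarshaller := deploy.NewDefaultStackMarshaller()
-stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
+stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName, true, targetGroupCollector)
 
 cfgResolver := newGatewayConfigResolver()
 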
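--- a/controllers/ingress/group_controller.go
+++ b/controllers/ingress/group_controller.go
@@ -70,7 +70,7 @@ func NewGroupReconciler(cloud services.Cloud, k8sClient client.Client, eventReco
 controllerConfig.EnableBackendSecurityGroup, controllerConfig.EnableManageBackendSecurityGroupRules, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger, metricsCollector)
 stackMarshaller := deploy.NewDefaultStackMarshaller()
 stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager,
-controllerConfig, ingressTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
+controllerConfig, ingressTagPrefix, logger, metricsCollector, controllerName, controllerConfig.FeatureGates.Enabled(config.EnhancedDefaultBehavior), targetGroupCollector)
 classLoader := ingress.NewDefaultClassLoader(k8sClient, true)
 classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
 manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""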

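--- a/controllers/service/service_controller.go
+++ b/controllers/service/service_controller.go
@@ -55,7 +55,7 @@ func NewServiceReconciler(cloud services.Cloud, k8sClient client.Client, eventRe
 controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
 backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.EnableManageBackendSecurityGroupRules, controllerConfig.DisableRestrictedSGRules, logger, metricsCollector, controllerConfig.FeatureGates.Enabled(config.EnableTCPUDPListenerType))
 stackMarshaller := deploy.NewDefaultStackMarshaller()
-stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
+stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger, metricsCollector, controllerName, controllerConfig.FeatureGates.Enabled(config.EnhancedDefaultBehavior), targetGroupCollector)
 return &serviceReconciler{
 k8sClient: k8sClient,
 eventRecorder: eventRecorder,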

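--- a/docs/deploy/configurations.md
+++ b/docs/deploy/configurations.md
@@ -172,18 +172,19 @@ If running on EC2, the default values are obtained from the instance metadata se
 ### Feature Gates
 There are a set of key=value pairs that describe AWS load balancer controller features. You can use it as flags `--feature-gates=key1=value1,key2=value2`
 
-|Features-gate Supported Key | Type | Default Value | Description |
-|---------------------------------------|---------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
-| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
-| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
-| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
-| EnableServiceController | string | true | Toggles support for `Service` type resources. |
-| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
-| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
-| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
-| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
-| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
+|Features-gate Supported Key | Type | Default Value | Description |
+|---------------------------------------|---------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
+| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
+| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
+| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
+| EnableServiceController | string | true | Toggles support for `Service` type resources. |
+| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
+| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
+| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
+| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
+| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
 | NLBSecurityGroup | string | true | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications. This same behavior is able to be applied to an individual service by using the annotation `aws-load-balancer-disable-nlb-sg` |
-| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
-| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
+| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
+| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
+| EnhancedDefaultBehavior | string | false | Enable this feature to allow the controller to remove Provisioned Capacity or mTLS settings by removing the corresponding annotation. |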

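--- a/helm/aws-load-balancer-controller/crds/gateway-crds.yaml
+++ b/helm/aws-load-balancer-controller/crds/gateway-crds.yaml
@@ -515,8 +515,6 @@ spec:
 type: object
 type: array
 mutualAuthentication:
-default:
-mode: "off"
 description: mutualAuthentication defines the mutual authentication
 configuration information.
 properties: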

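--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -375,6 +375,7 @@ controllerConfig:
 # NLBHealthCheckAdvancedConfig: true
 # ALBSingleSubnet: false
 # LBCapacityReservation: true
+# EnhancedDefaultBehavior: false
 
 certDiscovery:
 allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope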
