feat(eks): pass helm chart values to aws-load-balancer-controller

[mtrspringer]

Issue # (if applicable)

Closes #29707

Reason for this change

Need to be able to disable aws-load-balancer-controller wafv2 behavior so it doesn't remove waf associations created by AWS FMS.

Description of changes

I added a values property to the AlbControllerOptions interface for passing optional values to the underlying helm chart.

Description of how you validated changes

I added two tests to validate my changes:

• a test to check that values passed appear in the template output
• a test to check that values passed do not override values currently set by the AlbController construct

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[lpizzinidev]

Looks good, thanks! 👍
Left some minor suggestions for updating the documentation.

[paulhcsun]

Suggested change

	readonly values?: {[key: string]: any};
	readonly helmChartValues?: {[key: string]: any};

Can you rename this to helmChartValues? Just having this be values in this context is not clear what these values are being used for. Ideally I'd have like the property within Helm Chart to be named something other than values as well but unfortunately it's too late for that now.

[mtrspringer]

yes that's fine with me. I was using the HelmChartProps as an guide but I can see the value in being specific within the scope of a broader construct that's not limited to helm already.

[paulhcsun]

Do we know the full set of values that can be passed in to the helmChart.values property? If so could we add some stronger typing checks to them? If not then could we add some validation for the values that cannot be overridden?

From your unit test case it seems like Helm Chart will just ignore these values but I would rather prevent these values from being set at all instead of allowing it to be passed in and have it silently fail.

[mtrspringer]

i think the set of values varies (or can potentially vary) depending on the helm chart version. I think defining a type (e.g. AlbControllerHelmChartValues) will create a loose link to the helm chart that has the potential for breaking. Validating the passed values against the keys we know we explicitly set seems like a better approach to me.

[paulhcsun]

Gotcha, thanks for clarifying. Then let's go with the second option to validate the passed values that cannot be overridden.

[mtrspringer]

@paulhcsun i've updated with the requested changes. Assuming the suite passes, would you (or someone else) be able to run/update the integration tests? I ran into some issues with the teardown last time.

[paulhcsun]

Hey @mtrspringer, thanks for making the changes! and ya for sure, I'll give that a run later today.

[paulhcsun]

Hey @mtrspringer, apologies some other items came up. I will run the tests now.

[paulhcsun]

It took a while to run on Friday and looks like it failed due to a credentials related error but it still seems to have updated the snapshots. I've pushed them so hopefully the codebuild will be happy with the new snapshots.

[mtrspringer]

@paulhcsun thanks very much! yes it takes ages, looks like the build is passing though

Pull request has been modified.

[paulhcsun]

Hi @mtrspringer, apologies for another delay to getting around to reviewing this. I was oncall last week. Thank you for making the requested changes for validating the values that can be passed to helmChart.values.

Would you mind explaining what the changes within @aws-cdk/sdk-v2-to-v3-adapter are for? I don't remember seeing them during the initial review and I'm not quite sure how they're related to this change.

[mtrspringer]

@paulhcsun hi sorry i've been on vacation the last 2 weeks. I dont remember making any changes to those files, maybe they got included when i updated my branch via the github button? im happy to leave them out

[mtrspringer]

@paulhcsun looks like they were .d.ts and .js files that somehow got included. i've just removed them so this PR should be ready for review now

Pull request has been modified.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[mtrspringer]

hi @Necrokefalos im still waiting on a response as to what changes, if any, need to be made. good to know that the values also need to be modified for cert-manager as we are looking to adopt that sometime soon. in the meantime i think the integration tests need to be run again before the checks pass. @paulhcsun would you be able to do that again at your earliest convenience? thanks.

[mtrspringer]

@Necrokefalos not sure if this will work for your use-case (and it's hacky) but in the interim while this is being deliberated I realized we can "disable" alb controller behavior via the serviceAccount policy, which we can access via the construct node.findChild api:

    // TODO: remove once cdk supports passing values to albController Helm Chart:
    const {enableWafv2 = false} = albControllerValues;
    if (!enableWafv2) {
      const albControllerServiceAccount =
        this.eksCluster.albController!.node.findChild(
          'alb-sa'
        ) as eks.ServiceAccount;
      albControllerServiceAccount.addToPrincipalPolicy(
        new iam.PolicyStatement({
          effect: iam.Effect.DENY,
          actions: [
            'waf-regional:GetWebACL',
            'waf-regional:GetWebACLForResource',
            'waf-regional:AssociateWebACL',
            'waf-regional:DisassociateWebACL',
            'wafv2:GetWebACL',
            'wafv2:GetWebACLForResource',
            'wafv2:AssociateWebACL',
            'wafv2:DisassociateWebACL',
          ],
          resources: ['*'],
        })
      );
    }

i still have to test how this affects the controller's operation (i.e. can it gracefully handle the permission errors) but it might be easier than replacing the cdk.eks.Cluster.albController with a custom HelmChart implementation.

[paulhcsun]

Hi @mtrspringer, apologies for the late response I was away recently and just got back to this. I've started running the integ tests so hopefully i'll get those pushed today or tmr. I think when I last discussed with Kendra there was one design change for how we allow the users to update the helm chart values. I will confirm with her and get back asap. Apologies for the churn.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[paulhcsun]

I've pushed the snapshot changes for the integ.alb-controller.js test however the test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js test currently fails with this error:

Tests:    1 failed, 921 total
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js

Running integration tests for failed tests...

Running in parallel across regions: us-east-1, us-east-2, us-west-2
Running test /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js in us-east-1
/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.js:93
                throw new Error(`'denyAllIgwTraffic' may only be set on load balancers with ${enums_1().IpAddressType.DUAL_STACK} addressing.`);
                ^

Error: 'denyAllIgwTraffic' may only be set on load balancers with dualstack addressing.
    at new BaseLoadBalancer (/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.js:93:23)
    at new NetworkLoadBalancer (/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.js:165:9)
    at Object.<anonymous> (/Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js:13:1)
    at Module._compile (node:internal/modules/cjs/loader:1368:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1426:10)
    at Module.load (node:internal/modules/cjs/loader:1205:32)
    at Module._load (node:internal/modules/cjs/loader:1021:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:142:12)
    at node:internal/main/run_main_module:28:49

Node.js v21.7.1
  ERROR      /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js (undefined/us-east-1) 0.17s
      Error during integration test: Error: Command exited with status 1

Test Results:

Tests:    1 failed, 1 total
Error: Some integration tests failed!
    at main (/Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk/integ-runner/lib/cli.js:166:23)
error Command failed with exit code 1.

I'm not quite sure how this test is related or why it's failing now. Don't se anything related to denyAllIgwTraffic within that test or in any of your changes...

[mtrspringer]

@paulhcsun thanks yeah thats bizarre, i didnt make any changes to the nlb tests or source code. maybe something strange happened with the test assets during rebasing?

should i revert all asset/generated changes so that its just my desired code and let you run the suite again?

[shikha372]

Thank you @mtrspringer for submitting the PR, looking at the initial suggestion here I would also prefer a function based implementation that can give users the option to override only set of allowed values possible for alb-controller.

Pull request has been modified.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[mtrspringer]

@paulhcsun hi sorry i've been busy with my end-of-year work. i've just rebased the PR is there any chance you could run the integration tests again please? the iam-based disabling hack i commented about here has not worked as the aws-load-balancer-controller helm chart fails to complete the ingress update if the waf action it wants to perform fails. in this light i'd really like to try and get this feature over the line.

@shikha372 could you please elaborate on what you are looking for that's different from the current implementation? i have already updated to throw an error if a user attempts to set a helm chart value other that the AwsLoadBalancerController construct wants to set in response to previous comments. is this sufficient?

thanks

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing Exemption Request and/or Clarification Request.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: b123336
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[paulhcsun]

Hi @mtrspringer, I've ran the integ tests and the integ.alb-controller.js test still fails with the error below. Strangely though a few other integ tests are failing too but that may because there are some changes on the branch that are out of date. Would you like me to push the snapshots for the integ.alb-controller.js test to help you debug the issue or is the error message enough to go off of?

Running test /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js in us-east-1
/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.js:97
                throw new Error(`'denyAllIgwTraffic' may only be set on load balancers with ${enums_1().IpAddressType.DUAL_STACK} addressing.`);
                ^

Error: 'denyAllIgwTraffic' may only be set on load balancers with dualstack addressing.
    at new BaseLoadBalancer (/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.js:97:23)
    at new NetworkLoadBalancer (/Volumes/workplace/forks-cdk/mtrspringer/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.js:165:9)
    at Object.<anonymous> (/Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js:13:1)
    at Module._compile (node:internal/modules/cjs/loader:1368:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1426:10)
    at Module.load (node:internal/modules/cjs/loader:1205:32)
    at Module._load (node:internal/modules/cjs/loader:1021:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:142:12)
    at node:internal/main/run_main_module:28:49

This is the full list of tests that ran and failed:

Snapshot Results:

Tests:    6 failed, 1004 total
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.js
Failed: /Volumes/workplace/forks-cdk/mtrspringer/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js

[paulhcsun]

@shikha372 could you please elaborate on what you are looking for that's different from the current implementation? i have already updated to throw an error if a user attempts to set a helm chart value other that the AwsLoadBalancerController construct wants to set in response to previous comments. is this sufficient?

thanks

What @shikha372 is referring to is the solution that @TheRealAmazonKendra recommended to use a function that can be called after instantiation to override the desired values. I believe this is a good halfway compromise because we can still add in more methods for the properties that we want to support overrides for. I understand that for your use case and probably @Necrokefalos too, it would be fine to let you have control over all of the properties you want to override but this change would be applied to all other users too and we want to have some sort of safety net. In general in the CDK we try to make it impossible to set conflicting property values or properties that cannot be changed rather than to allow it to be set but prevent the deployment with error handling.