🥳 aws-vpc-cni v1.10.1 Automated Release! 🥑

stable/aws-load-balancer-controller/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.3.0
+version: 1.3.2
 appVersion: v2.3.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png

stable/aws-load-balancer-controller/README.md

@@ -209,3 +209,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `podDisruptionBudget`                       | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes      | `{}`                                                                               |
 | `updateStrategy`                            | Defines the update strategy for the deployment                                                           | `{}`                                                                               |
 | `enableCertManager`                         | If enabled, cert-manager issues the webhook certificates instead of the helm template                    | `false`                                                                            |
+| `enableEndpointSlices`                      | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets                       | `false`                                                                            |
+| `enableBackendSecurityGroup`                | If enabled, controller uses shared security group for backend traffic                                    | `true`                                                                             |
+| `backendSecurityGroup`                      | Backend security group to use instead of auto created one if the feature is enabled                      | ``                                                                                 |
+| `disableRestrictedSecurityGroupRules`       | If disabled, controller will not specify port range restriction in the backend security group rules      | `true`                                                                             |

stable/aws-load-balancer-controller/templates/deployment.yaml

@@ -119,6 +119,18 @@ spec:
         {{- if .Values.defaultTags }}
         - --default-tags={{ include "aws-load-balancer-controller.convert-map-to-csv" .Values.defaultTags | trimSuffix "," }}
         {{- end }}
+        {{- if kindIs "bool" .Values.enableEndpointSlices }}
+        - --enable-endpoint-slices={{ .Values.enableEndpointSlices }}
+        {{- end }}
+        {{- if kindIs "bool" .Values.enableBackendSecurityGroup }}
+        - --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }}
+        {{- end }}
+        {{- if .Values.backendSecurityGroup }}
+        - --backend-security-group={{ .Values.backendSecurityGroup }}
+        {{- end }}
+        {{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }}
+        - --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }}
+        {{- end }}
         {{- if .Values.env }}
         env:
         {{- range $key, $value := .Values.env }}

stable/aws-load-balancer-controller/values.yaml

@@ -213,3 +213,15 @@ podDisruptionBudget: {}
 
 # externalManagedTags is the list of tag keys on AWS resources that will be managed externally
 externalManagedTags: []
+
+# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
+enableEndpointSlices:
+
+# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
+enableBackendSecurityGroup:
+
+# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
+backendSecurityGroup:
+
+# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
+disableRestrictedSecurityGroupRules: true

stable/aws-node-termination-handler/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 name: aws-node-termination-handler
 description: A Helm chart for the AWS Node Termination Handler
-version: 0.15.4
-appVersion: 1.13.4
+version: 0.16.0
+appVersion: 1.14.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:

stable/aws-node-termination-handler/README.md

@@ -4,7 +4,7 @@ AWS Node Termination Handler Helm chart for Kubernetes. For more information on
 
 ## Prerequisites
 
-* Kubernetes >= 1.11
+* Kubernetes >= 1.14
 
 ## Installing the Chart
 
@@ -80,11 +80,6 @@ Parameter | Description | Default
 `enableProbesServer` | If true, start an http server exposing `/healthz` endpoint for probes. | `false`
 `probesServerPort` | Replaces the default HTTP port for exposing probes endpoint. | `8080`
 `probesServerEndpoint` | Replaces the default endpoint for exposing probes endpoint. | `/healthz`
-`podMonitor.create` | If `true`, create a PodMonitor | `false`
-`podMonitor.interval` | Prometheus scrape interval | `30s`
-`podMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
-`podMonitor.labels` | Additional PodMonitor metadata labels | `{}`
-`podMonitor.namespace` | Override podMonitor Helm release namespace | `{{ .Release.Namespace }}`
 `emitKubernetesEvents` | If `true`, Kubernetes events will be emitted when interruption events are received and when actions are taken on Kubernetes nodes. In IMDS Processor mode a default set of annotations with all the node metadata gathered from IMDS will be attached to each event. More information [here](https://github.com/aws/aws-node-termination-handler/blob/main/docs/kubernetes_events.md) | `false`
 `kubernetesExtraEventsAnnotations` | A comma-separated list of `key=value` extra annotations to attach to all emitted Kubernetes events. Example: `first=annotation,sample.annotation/number=two"` | None
 
@@ -100,6 +95,11 @@ Parameter | Description | Default
 `workers` | The maximum amount of parallel event processors | `10`
 `replicas` | The number of replicas in the NTH deployment when using queue-processor mode (NOTE: increasing replicas may cause duplicate webhooks since NTH pods are stateless) | `1`
 `podDisruptionBudget` | Limit the disruption for controller pods, requires at least 2 controller replicas | `{}`
+`serviceMonitor.create` | If `true`, create a ServiceMonitor (this requires enableSqsTerminationDraining and enablePrometheusServer to be set) | `false`
+`serviceMonitor.interval` | Prometheus scrape interval | `30s`
+`serviceMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
+`serviceMonitor.labels` | Additional ServiceMonitor metadata labels | `{}`
+`serviceMonitor.namespace` | Override ServiceMonitor Helm release namespace | `{{ .Release.Namespace }}`
 
 ### AWS Node Termination Handler - IMDS Mode Configuration
 
@@ -110,6 +110,11 @@ Parameter | Description | Default
 `enableRebalanceDraining` | If true, drain nodes when the rebalance recommendation notice is received | `false`
 `enableRebalanceMonitoring` | If true, cordon nodes when the rebalance recommendation notice is received. If you'd like to drain the node in addition to cordoning, then also set `enableRebalanceDraining`. | `false`
 `useHostNetwork` | If `true`, enables `hostNetwork` for the Linux DaemonSet. NOTE: setting this to `false` may cause issues accessing IMDSv2 if your account is not configured with an IP hop count of 2 | `true`
+`podMonitor.create` | If `true`, create a PodMonitor (this requires enableSqsTerminationDraining to not be set and enablePrometheusServer to be set) | `false`
+`podMonitor.interval` | Prometheus scrape interval | `30s`
+`podMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
+`podMonitor.labels` | Additional PodMonitor metadata labels | `{}`
+`podMonitor.namespace` | Override PodMonitor Helm release namespace | `{{ .Release.Namespace }}`
 
 ### Kubernetes Configuration
 
@@ -142,8 +147,8 @@ Parameter | Description | Default
 `serviceAccount.annotations` | Specifies the annotations for ServiceAccount       | `{}`
 `securityContext.runAsUserID` | User ID to run the container | `1000`
 `securityContext.runAsGroupID` | Group ID to run the container | `1000`
-`nodeSelectorTermsOs` | Operating System Node Selector Key | >=1.14: `kubernetes.io/os`, <1.14: `beta.kubernetes.io/os`
-`nodeSelectorTermsArch` | CPU Architecture Node Selector Key | >=1.14: `kubernetes.io/arch`, <1.14: `beta.kubernetes.io/arch`
+`nodeSelectorTermsOs` | Operating System Node Selector Key | `kubernetes.io/os`
+`nodeSelectorTermsArch` | CPU Architecture Node Selector Key | `kubernetes.io/arch`
 `targetNodeOs` | Space separated list of node OS's to target, e.g. "linux", "windows", "linux windows".  Note: Windows support is experimental. | `"linux"`
 `updateStrategy` | Update strategy for the all DaemonSets (Linux and Windows) | `type=RollingUpdate,rollingUpdate.maxUnavailable=1`
 `linuxUpdateStrategy` | Update strategy for the Linux DaemonSet | `type=RollingUpdate,rollingUpdate.maxUnavailable=1`

stable/aws-node-termination-handler/templates/_helpers.tpl

@@ -72,13 +72,9 @@ Create the name of the service account to use
 
 {{/*
 Get the default node selector term prefix.
-
-In 1.14 "beta.kubernetes.io" was deprecated and is scheduled for removal in 1.18.
-See https://v1-14.docs.kubernetes.io/docs/setup/release/notes/#deprecations
 */}}
 {{- define "aws-node-termination-handler.defaultNodeSelectorTermsPrefix" -}}
-    {{- $k8sVersion := printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace "+" "" -}}
-    {{- semverCompare "<1.14" $k8sVersion | ternary "beta.kubernetes.io" "kubernetes.io" -}}
+kubernetes.io
 {{- end -}}
 
 {{/*

stable/aws-node-termination-handler/templates/podmonitor.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.podMonitor.create }}
+{{- if and (not .Values.enableSqsTerminationDraining) (and .Values.enablePrometheusServer .Values.podMonitor.create) -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
@@ -17,13 +17,17 @@ spec:
   jobLabel: {{ include "aws-node-termination-handler.name" . }}
   namespaceSelector:
     matchNames:
-    - {{ .Release.Namespace }}
+      - {{ .Release.Namespace }}
   podMetricsEndpoints:
-  - interval: {{ .Values.podMonitor.interval }}
-    path: /metrics
-    port: http-metrics
-  sampleLimit: {{ .Values.podMonitor.sampleLimit }}
+    - port: http-metrics
+      path: /metrics
+      {{- with .Values.podMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+  {{- with .Values.podMonitor.sampleLimit }}
+  sampleLimit: {{ . }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "aws-node-termination-handler.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end -}}

stable/aws-node-termination-handler/templates/service.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.enableSqsTerminationDraining .Values.enablePrometheusServer -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "aws-node-termination-handler.fullname" . }}
+  labels:
+    {{- include "aws-node-termination-handler.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    {{- include "aws-node-termination-handler.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: http-metrics
+      port: {{ .Values.prometheusServerPort }}
+      targetPort: http-metrics
+      protocol: TCP
+{{- end -}}

stable/aws-node-termination-handler/templates/servicemonitor.yaml

@@ -0,0 +1,33 @@
+{{- if and .Values.enableSqsTerminationDraining (and .Values.enablePrometheusServer .Values.serviceMonitor.create) -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "aws-node-termination-handler.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- else }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "aws-node-termination-handler.labels" . | nindent 4 }}
+  {{- with .Values.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  jobLabel: {{ include "aws-node-termination-handler.name" . }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+    - port: http-metrics
+      path: /metrics
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+  {{- with .Values.serviceMonitor.sampleLimit }}
+  sampleLimit: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "aws-node-termination-handler.selectorLabels" . | nindent 6 }}
+{{- end -}}

stable/aws-node-termination-handler/values.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: public.ecr.aws/aws-ec2/aws-node-termination-handler
-  tag: v1.13.4
+  tag: v1.14.0
   pullPolicy: IfNotPresent
   pullSecrets: []
 
@@ -192,16 +192,33 @@ dnsPolicy: ""
 
 podMonitor:
   # Specifies whether PodMonitor should be created
+  # this needs enableSqsTerminationDraining: false
+  # and enablePrometheusServer: true
   create: false
-   # The Prometheus scrape interval
+  # Specifies whether the PodMonitor should be created in a different namespace than
+  # the Helm release
+  namespace:
+  # Additional labels to add to the metadata
+  labels: {}
+  # The Prometheus scrape interval
   interval: 30s
   # The number of scraped samples that will be accepted
   sampleLimit: 5000
-   # Additional labels to add to the metadata
-  labels: {}
-  # Specifies whether a pod monitor should be created in a different namespace than
+
+serviceMonitor:
+  # Specifies whether ServiceMonitor should be created
+  # this needs enableSqsTerminationDraining: rue
+  # and enablePrometheusServer: true
+  create: false
+  # Specifies whether the ServiceMonitor should be created in a different namespace than
   # the Helm release
-  # namespace: monitoring
+  namespace:
+  # Additional labels to add to the metadata
+  labels: {}
+  # The Prometheus scrape interval
+  interval: 30s
+  # The number of scraped samples that will be accepted
+  sampleLimit: 5000
 
 # K8s DaemonSet update strategy.
 updateStrategy:

stable/aws-vpc-cni/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.1.10
-appVersion: "v1.9.3"
+version: 1.1.12
+appVersion: "v1.10.1"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

stable/aws-vpc-cni/templates/clusterrole.yaml

@@ -14,10 +14,17 @@ rules:
     resources:
       - namespaces
     verbs: ["list", "watch", "get"]
+{{- if .Values.env.ANNOTATE_POD_IP }}
   - apiGroups: [""]
     resources:
       - pods
     verbs: ["list", "watch", "get", "patch"]
+{{- else }}
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs: ["list", "watch", "get"]
+{{- end }}        
   - apiGroups: [""]
     resources:
       - nodes

stable/aws-vpc-cni/templates/customresourcedefinition.yaml

@@ -8,6 +8,7 @@ metadata:
 spec:
   scope: Cluster
   group: crd.k8s.amazonaws.com
+  preserveUnknownFields: false
   versions:
     - name: v1alpha1
       served: true

stable/aws-vpc-cni/templates/daemonset.yaml

@@ -2,6 +2,7 @@ kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   name: {{ include "aws-vpc-cni.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "aws-vpc-cni.labels" . | indent 4 }}
 spec:
@@ -39,8 +40,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: "{{- if .Values.init.image.override }}{{- .Values.init.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.init.image.region }}.amazonaws.com/amazon-k8s-cni-init:{{- .Values.init.image.tag }}{{- end}}"
-        imagePullPolicy: {{ .Values.init.image.pullPolicy }}
+        image: "{{- if .Values.init.image.override }}{{- .Values.init.image.override }}{{- else }}{{- .Values.init.image.account }}.dkr.ecr.{{- .Values.init.image.region }}.{{- .Values.init.image.domain }}/amazon-k8s-cni-init:{{- .Values.init.image.tag }}{{- end}}"
         env:
 {{- range $key, $value := .Values.init.env }}
           - name: {{ $key }}
@@ -62,15 +62,16 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: aws-node
-          image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.image.region }}.amazonaws.com/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}{{- .Values.image.account }}.dkr.ecr.{{- .Values.image.region }}.{{- .Values.image.domain }}/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
           ports:
             - containerPort: 61678
               name: metrics
           livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 12 }}
+            timeoutSeconds: {{ .Values.livenessProbeTimeoutSeconds }}
           readinessProbe:
 {{ toYaml .Values.readinessProbe | indent 12 }}
+            timeoutSeconds: {{ .Values.readinessProbeTimeoutSeconds }}
           env:
 {{- range $key, $value := .Values.env }}
             - name: {{ $key }}

stable/aws-vpc-cni/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "aws-vpc-cni.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.serviceAccount.annotations }}
   annotations:
 {{ toYaml . | indent 4 }}