Commit 7f2837a

Remove KeepTLS parameter in helm chart (#4548)

* Reapply "fix: Race condition in webhook certificate renewal with cert-manager self-signed issuer without a dedicated CA certificate #4019"

  This reverts commit 37ba56a.

* remove keep secret flag from helm
1 parent d52bd30 commit 7f2837a

7 files changed

+164
-37
lines changed


docs/deploy/cert-manager.md

Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
# Cert Manager Integration
2+
3+
The AWS Load Balancer Controller uses admission webhooks to validate and mutate resources. These webhooks require TLS certificates to operate securely. You can use cert-manager to automatically provision and manage these certificates.
4+
5+
## Upgrade Notes
6+
7+
When upgrading from a previous version, the following scenarios are handled automatically:
8+
9+
- If you're using cert-manager with a custom issuer:
10+
- Set `certManager.issuerRef` to keep using your issuer
11+
- The new CA hierarchy will not be created
12+
- Your existing certificate configuration is preserved
13+
- If you're using cert-manager without a custom issuer:
14+
- A new CA hierarchy will be created
15+
- New certificates will be issued using this CA
16+
- The transition is handled automatically by cert-manager
17+
18+
## How it Works
19+
20+
When using cert-manager integration, the controller creates a certificate hierarchy that consists of:
21+
22+
1. A self-signed issuer used only to create the root CA certificate
23+
2. A root CA certificate with a 5-year validity period
24+
3. A CA issuer that uses the root certificate to sign webhook serving certificates
25+
4. Webhook serving certificates with 1-year validity that are automatically renewed
26+
27+
This setup prevents race conditions during certificate renewal by:
28+
- Using a long-lived (5 years) root CA certificate that remains stable
29+
- Only renewing the serving certificates while keeping the CA constant
30+
- Letting cert-manager's CA injector handle caBundle updates in webhook configurations
31+
32+
## Configuration
33+
34+
To enable cert-manager integration, set `enableCertManager: true` in your Helm values.
35+
36+
You can customize the certificate configuration through these values:
37+
38+
```yaml
39+
enableCertManager: true
40+
41+
certManager:
42+
# Webhook serving certificate configuration
43+
duration: "8760h0m0s" # 1 year (default)
44+
renewBefore: "720h0m0s" # 30 days (optional)
45+
revisionHistoryLimit: 10 # Optional
46+
47+
# Root CA certificate configuration
48+
rootCert:
49+
duration: "43800h0m0s" # 5 years (default)
50+
51+
# Optional: Use your own issuer instead of the auto-generated one
52+
# issuerRef:
53+
# name: my-issuer
54+
# kind: ClusterIssuer
55+
```
56+
57+
### Using Custom Issuers
58+
59+
If you want to use your own cert-manager issuer instead of the auto-generated CA, you can configure it through `certManager.issuerRef`:
60+
61+
```yaml
62+
certManager:
63+
issuerRef:
64+
name: my-issuer
65+
kind: ClusterIssuer # or Issuer
66+
```
67+
68+
When a custom issuer is specified:
69+
- The controller will not create its own CA certificate chain
70+
- The specified issuer will be used directly to issue webhook serving certificates
71+
- You are responsible for ensuring the issuer is properly configured and available
72+
73+
### Certificate Renewal
74+
75+
1. Root CA Certificate:
76+
- Valid for 5 years by default
77+
- Used only for signing webhook certificates
78+
- Not renewed automatically to maintain stability
79+
80+
2. Webhook Serving Certificates:
81+
- Valid for 1 year by default
82+
- Renewed automatically 30 days before expiry
83+
- Updates handled seamlessly by cert-manager
84+
85+
### Best Practices
86+
87+
1. Use the default certificate hierarchy unless you have specific requirements
88+
2. If using a custom issuer, ensure it's highly available and properly configured
89+
3. Monitor certificate resources for renewal status and potential issues
90+
4. Keep cert-manager up to date to benefit from the latest improvements
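Review bot: the Certificate Renewal section says the root CA is "Not renewed automatically to maintain stability", but nothing in this change stops cert-manager from renewing the root Certificate, which it does by default once two thirds of `duration` has elapsed (for 43800h that is roughly three years and four months). Either reword this to describe the expected rollover, or name the setting that keeps the root stable. Two smaller doc points: "Renewed automatically 30 days before expiry" only holds while `renewBefore` keeps the values.yaml default, since the example above marks it optional and cert-manager falls back to two thirds of the duration when it is unset; and the Upgrade Notes should mention that the serving certificate's `issuerRef` moves from the self-signed issuer to the new CA issuer, so cert-manager reissues the webhook certificate once during the upgrade.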

helm/aws-load-balancer-controller/README.md

Lines changed: 0 additions & 1 deletion
@@ -232,7 +232,6 @@ The default values set by the application itself can be confirmed [here](https:/
232232
| `webhookTLS.cert` | TLS certificate for webhook (auto-generated if not provided) | "" |
233233
| `webhookTLS.key` | TLS private key for webhook (auto-generated if not provided) | "" |
234234
| `webhookNamespaceSelectors` | Namespace selectors for the wekbook | None |
235-
| `keepTLSSecret` | Reuse existing TLS Secret during chart upgrade | `true` |
236235
| `serviceAnnotations` | Annotations to be added to the provisioned webhook service resource | `{}` |
237236
| `serviceMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for service | None |
238237
| `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding | None |
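Review bot: dropping the `keepTLSSecret` row without a replacement note leaves README readers with no explanation of what changed. With the flag gone, an upgrade that supplies neither `webhookTLS.*` values nor cert-manager regenerates the self-signed CA and serving certificate on every `helm upgrade` (see the `_helpers.tpl` hunk), so the Secret and the caBundle change together and the running controller must reload the new key pair. Suggest a short upgrade note here, or a pointer to `docs/deploy/cert-manager.md`, stating that the value is removed and what now happens on upgrade. Unrelated but adjacent: the context line two rows up still reads "wekbook".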

helm/aws-load-balancer-controller/templates/_helpers.tpl

Lines changed: 0 additions & 4 deletions
@@ -102,10 +102,6 @@ Generate certificates for webhook
102102
caCert: {{ .Values.webhookTLS.caCert | b64enc }}
103103
clientCert: {{ .Values.webhookTLS.cert | b64enc }}
104104
clientKey: {{ .Values.webhookTLS.key | b64enc }}
105-
{{- else if and .Values.keepTLSSecret $secret -}}
106-
caCert: {{ index $secret.data "ca.crt" }}
107-
clientCert: {{ index $secret.data "tls.crt" }}
108-
clientKey: {{ index $secret.data "tls.key" }}
109105
{{- else -}}
110106
{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}}
111107
{{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
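Review bot: removing the `keepTLSSecret` branch changes behaviour for the self-signed path: when no `webhookTLS.*` values are given, the template now always falls through to `genCA` on upgrade instead of reusing the existing Secret's `ca.crt`/`tls.crt`/`tls.key`. That is consistent within one release (Secret and caBundle are generated in the same render), but the commit message does not say this is intended, so call it out in the description. If `$secret` is still declared above this hunk (not visible here), it is now unused and can be dropped together with its `lookup`.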
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
{{- if and .Values.enableCertManager (not .Values.certManager.issuerRef) -}}
2+
# Create a selfsigned Issuer, in order to create a root CA certificate for
3+
# signing webhook serving certificates
4+
apiVersion: cert-manager.io/v1
5+
kind: Issuer
6+
metadata:
7+
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
8+
namespace: {{ .Release.Namespace }}
9+
labels:
10+
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
11+
spec:
12+
selfSigned: {}
13+
---
14+
# Generate a CA Certificate used to sign certificates for the webhook
15+
apiVersion: cert-manager.io/v1
16+
kind: Certificate
17+
metadata:
18+
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-root-cert
19+
namespace: {{ .Release.Namespace }}
20+
labels:
21+
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
22+
spec:
23+
secretName: {{ template "aws-load-balancer-controller.namePrefix" . }}-root-cert
24+
duration: {{ .Values.certManager.rootCert.duration | default "43800h0m0s" | quote }}
25+
issuerRef:
26+
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
27+
commonName: "ca.webhook.aws-load-balancer-controller"
28+
isCA: true
29+
subject:
30+
organizations:
31+
- aws-load-balancer-controller
32+
---
33+
# Create an Issuer that uses the above generated CA certificate to issue certs
34+
apiVersion: cert-manager.io/v1
35+
kind: Issuer
36+
metadata:
37+
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-root-issuer
38+
namespace: {{ .Release.Namespace }}
39+
labels:
40+
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
41+
spec:
42+
ca:
43+
secretName: {{ template "aws-load-balancer-controller.namePrefix" . }}-root-cert
44+
{{- end -}}
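Review bot: the `-root-cert` Certificate sets only `duration`, so cert-manager will still renew it at its default of two thirds of the duration (about three years and four months for 43800h), which contradicts the "not renewed automatically" statement in the new docs. When it does renew, the serving certificates and the injected caBundle follow the new CA only as they are reissued, so that rollover deserves either an explicit `renewBefore` on this Certificate so its timing is deliberate, or a sentence in the docs saying the root rolls over on this schedule. Minor: the `issuerRef` here omits `kind: Issuer` while the webhook Certificate spells it out; being explicit in both places avoids confusion.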

helm/aws-load-balancer-controller/templates/webhook.yaml

Lines changed: 18 additions & 24 deletions
@@ -12,9 +12,9 @@ metadata:
1212
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
1313
webhooks:
1414
- clientConfig:
15-
{{ if not $.Values.enableCertManager -}}
15+
{{- if not $.Values.enableCertManager }}
1616
caBundle: {{ $tls.caCert }}
17-
{{ end }}
17+
{{- end }}
1818
service:
1919
name: {{ template "aws-load-balancer-controller.webhookService" . }}
2020
namespace: {{ $.Release.Namespace }}
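Review bot: whitespace-only change, and the same four-line edit is repeated identically in the hunks at 106, 143, 252, 281 and 305. Moving the `clientConfig` prelude (the `enableCertManager` guard, `caBundle` and the `service` block) into a named template in `_helpers.tpl` would keep these six copies from drifting apart the next time one of them needs a tweak.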
@@ -103,9 +103,9 @@ webhooks:
103103
sideEffects: None
104104
{{- if .Values.enableServiceMutatorWebhook }}
105105
- clientConfig:
106-
{{ if not $.Values.enableCertManager -}}
106+
{{- if not $.Values.enableCertManager }}
107107
caBundle: {{ $tls.caCert }}
108-
{{ end }}
108+
{{- end }}
109109
service:
110110
name: {{ template "aws-load-balancer-controller.webhookService" . }}
111111
namespace: {{ $.Release.Namespace }}
@@ -140,9 +140,9 @@ webhooks:
140140
sideEffects: None
141141
{{- end }}
142142
- clientConfig:
143-
{{ if not $.Values.enableCertManager -}}
143+
{{- if not $.Values.enableCertManager }}
144144
caBundle: {{ $tls.caCert }}
145-
{{ end }}
145+
{{- end }}
146146
service:
147147
name: {{ template "aws-load-balancer-controller.webhookService" . }}
148148
namespace: {{ $.Release.Namespace }}
@@ -249,9 +249,9 @@ metadata:
249249
{{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
250250
webhooks:
251251
- clientConfig:
252-
{{ if not $.Values.enableCertManager -}}
252+
{{- if not $.Values.enableCertManager }}
253253
caBundle: {{ $tls.caCert }}
254-
{{ end }}
254+
{{- end }}
255255
service:
256256
name: {{ template "aws-load-balancer-controller.webhookService" . }}
257257
namespace: {{ $.Release.Namespace }}
@@ -278,9 +278,9 @@ webhooks:
278278
- ingressclassparams
279279
sideEffects: None
280280
- clientConfig:
281-
{{ if not $.Values.enableCertManager -}}
281+
{{- if not $.Values.enableCertManager }}
282282
caBundle: {{ $tls.caCert }}
283-
{{ end }}
283+
{{- end }}
284284
service:
285285
name: {{ template "aws-load-balancer-controller.webhookService" . }}
286286
namespace: {{ $.Release.Namespace }}
@@ -302,9 +302,9 @@ webhooks:
302302
sideEffects: None
303303
{{- if not $.Values.webhookConfig.disableIngressValidation }}
304304
- clientConfig:
305-
{{ if not $.Values.enableCertManager -}}
305+
{{- if not $.Values.enableCertManager }}
306306
caBundle: {{ $tls.caCert }}
307-
{{ end }}
307+
{{- end }}
308308
service:
309309
name: {{ template "aws-load-balancer-controller.webhookService" . }}
310310
namespace: {{ $.Release.Namespace }}
@@ -383,12 +383,16 @@ spec:
383383
- {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc
384384
- {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
385385
issuerRef:
386+
{{- if .Values.certManager.issuerRef }}
387+
{{- toYaml .Values.certManager.issuerRef | nindent 4 }}
388+
{{- else }}
386389
kind: Issuer
387-
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
390+
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-root-issuer
391+
{{- end }}
388392
secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
389393
{{- with .Values.certManager -}}
390394
{{ if .duration }}
391-
duration: {{ .duration }}
395+
duration: {{ .duration | default "8760h0m0s" | quote }}
392396
{{- end }}
393397
{{- if .renewBefore }}
394398
renewBefore: {{ .renewBefore }}
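Review bot: the `default "8760h0m0s"` on the new `duration:` line is dead code, because the line is still wrapped in `{{ if .duration }}`: when `.duration` is empty the whole line is omitted and cert-manager's own 90-day default applies, never the one-year fallback. Either drop the `if` guard so the default takes effect, or drop the `default` and rely on values.yaml. Also `duration` is now quoted while `renewBefore: {{ .renewBefore }}` two lines down is not; both are plain strings to YAML, but quoting them consistently is cleaner.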
@@ -397,14 +401,4 @@ spec:
397401
revisionHistoryLimit: {{ .revisionHistoryLimit }}
398402
{{- end }}
399403
{{- end }}
400-
---
401-
apiVersion: cert-manager.io/v1
402-
kind: Issuer
403-
metadata:
404-
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
405-
namespace: {{ .Release.Namespace }}
406-
labels:
407-
{{ include "aws-load-balancer-controller.labels" . | indent 4 }}
408-
spec:
409-
selfSigned: {}
410404
{{- end }}

helm/aws-load-balancer-controller/test.yaml

Lines changed: 0 additions & 3 deletions
@@ -188,9 +188,6 @@ webhookNamespaceSelectors:
188188
values:
189189
- enabled
190190

191-
# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
192-
keepTLSSecret: true
193-
194191
# Maximum number of concurrently running reconcile loops for service (default 3)
195192
serviceMaxConcurrentReconciles:
196193

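Review bot: this hunk only deletes `keepTLSSecret`; `test.yaml` gains no coverage for the new `certManager.rootCert.duration` and `certManager.issuerRef` paths, so neither the new CA hierarchy templates nor the `issuerRef` branch in webhook.yaml are rendered by the chart's test values. Add `enableCertManager: true` with `certManager.issuerRef` set in one test variant and unset in another so both branches are exercised.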
helm/aws-load-balancer-controller/values.yaml

Lines changed: 12 additions & 5 deletions
@@ -117,10 +117,20 @@ enableCertManager: false
117117

118118
# Overrideable variables when enableCertManager is set to true
119119
certManager:
120-
duration:
121-
renewBefore:
120+
# Webhook serving certificate configuration
121+
duration: "8760h0m0s" # 1 year
122+
renewBefore: "720h0m0s" # 30 days
122123
revisionHistoryLimit:
123124

125+
# Root CA certificate configuration
126+
rootCert:
127+
duration: "43800h0m0s" # 5 years
128+
129+
# Optional: custom issuer reference
130+
# issuerRef:
131+
# name: my-issuer
132+
# kind: ClusterIssuer
133+
124134
# The name of the Kubernetes cluster. A non-empty value is required
125135
clusterName:
126136

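Review bot: `duration` and `renewBefore` go from empty to concrete defaults, which changes the rendered Certificate spec for every existing `enableCertManager: true` install that left them blank. Before, the `{{ if .duration }}` guard omitted the field and cert-manager's 90-day default applied; after upgrade the spec says one year and cert-manager reissues the serving certificate. That is benign but belongs in the upgrade notes. `revisionHistoryLimit:` is still left empty while its neighbours now carry defaults; either give it a default too or comment that it falls back to cert-manager's behaviour.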
@@ -236,9 +246,6 @@ webhookNamespaceSelectors:
236246
# values:
237247
# - enabled
238248

239-
# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
240-
keepTLSSecret: true
241-
242249
# Maximum number of concurrently running reconcile loops for service (default 3)
243250
serviceMaxConcurrentReconciles:
244251

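Review bot: users who carry `keepTLSSecret: false` (or `true`) in their own values files will not be told the key no longer does anything; Helm accepts unknown keys silently unless the chart ships a `values.schema.json`. Consider a schema entry, or a `NOTES.txt` check, that flags the removed key during upgrade.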