feat(eks): pass additional helm chart values to aws-load-balancer-controller (#34077)

### Issue # (if applicable)

Closes #29707 .

### Reason for this change

Currently passing in additional value to ALB helm chart is not supported.
Added support for value `enableWaf` and `enableWafv2`
List of supported values can be verified from https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml#L199

### Description of changes

- Added new interface `AlbControllerHelmChartOptions` to support additional helm chart values
- Added support for boolean type value `enableWaf` and `enableWafv2`

### Describe any new or updated permissions being added

NA


### Description of how you validated changes

- Added Unit test
- Modified integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: shikha372

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller.template.json

@@ -1642,7 +1642,7 @@
        {
         "Ref": "Vpc8378EB38"
        },
-       "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.8.2\"}}"
+       "\",\"image\":{\"repository\":\"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller\",\"tag\":\"v2.8.2\"},\"enableWafv2\":false}"
       ]
      ]
     },

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/tree.json

@@ -22,6 +22,9 @@ class EksClusterAlbControllerStack extends Stack {
       ...getClusterVersionConfig(this, eks.KubernetesVersion.V1_30),
       albController: {
         version: LATEST_VERSION,
+        additionalHelmChartValues: {
+          enableWafv2: false,
+        },
       },
     });
 

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.ts

@@ -694,6 +694,23 @@ new eks.Cluster(this, 'HelloEKS', {
 });
 ```
 
+To provide additional Helm chart values supported by `albController` in CDK, use the `additionalHelmChartValues` property. For example, the following code snippet shows how to set the `enableWafV2` flag:
+
+```ts
+import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
+
+new eks.Cluster(this, 'HelloEKS', {
+  version: eks.KubernetesVersion.V1_32,
+  albController: {
+    version: eks.AlbControllerVersion.V2_8_2,
+    additionalHelmChartValues: {
+      enableWafv2: false
+    }
+  },
+  kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
+});
+```
+
 The `albController` requires `defaultCapacity` or at least one nodegroup. If there's no `defaultCapacity` or available
 nodegroup for the cluster, the `albController` deployment would fail.
 

packages/aws-cdk-lib/aws-eks/README.md

@@ -8,7 +8,7 @@ import * as iam from '../../aws-iam';
 
 // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch.
 // eslint-disable-next-line
-import { Aws, Duration, Names, Stack } from '../../core';
+import { Aws, Duration, Names, Stack, ValidationError } from '../../core';
 
 /**
  * Controller version.
@@ -238,6 +238,28 @@ export enum AlbScheme {
   INTERNET_FACING = 'internet-facing',
 }
 
+/**
+ * Helm chart options that can be set for AlbControllerChart
+ * To add any new supported values refer
+ * https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml
+ */
+export interface AlbControllerHelmChartOptions {
+
+  /**
+   * Enable or disable AWS WAFv2 on the ALB ingress controller.
+   *
+   * @default - no value defined for this helm chart option, so it will not be set in the helm chart values
+   */
+  readonly enableWafv2?: boolean;
+
+  /**
+   * Enable or disable AWS WAF on the ALB ingress controller.
+   *
+   * @default - no value defined for this helm chart option, so it will not be set in the helm chart values
+   */
+  readonly enableWaf?: boolean;
+}
+
 /**
  * Options for `AlbController`.
  */
@@ -270,6 +292,13 @@ export interface AlbControllerOptions {
    * @default - Corresponds to the predefined version.
    */
   readonly policy?: any;
+
+  /**
+   * Additional helm chart values for ALB controller
+   *
+   * @default - no additional helm chart values
+   */
+  readonly additionalHelmChartValues?: AlbControllerHelmChartOptions;
 }
 
 /**
@@ -315,7 +344,7 @@ export class AlbController extends Construct {
     const serviceAccount = new ServiceAccount(this, 'alb-sa', { namespace, name: 'aws-load-balancer-controller', cluster: props.cluster });
 
     if (props.version.custom && !props.policy) {
-      throw new Error("'albControllerOptions.policy' is required when using a custom controller version");
+      throw new ValidationError("'albControllerOptions.policy' is required when using a custom controller version", this);
     }
 
     // https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/installation/#iam-permissions
@@ -337,7 +366,6 @@ export class AlbController extends Construct {
       namespace,
       release: 'aws-load-balancer-controller',
       version: props.version.helmChartVersion,
-
       wait: true,
       timeout: Duration.minutes(15),
       values: {
@@ -352,6 +380,7 @@ export class AlbController extends Construct {
           repository: props.repository ?? '602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller',
           tag: props.version.version,
         },
+        ...props.additionalHelmChartValues, // additional helm chart options for ALB controller chart
       },
     });
 

packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts

@@ -157,6 +157,46 @@ test('correct helm chart version is set for selected alb controller version', ()
   });
 });
 
+test.each([
+  { setting: 'enableWaf', value: false },
+  { setting: 'enableWafv2', value: false },
+  { setting: 'enableWaf', value: true },
+  { setting: 'enableWafv2', value: true },
+])('custom WAF settings - $setting', ({ setting, value }) => {
+  // GIVEN
+  const { stack } = testFixture();
+  const cluster = new Cluster(stack, 'Cluster', {
+    version: KubernetesVersion.V1_27,
+    kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
+  });
+
+  // WHEN
+  new AlbController(stack, 'AlbController', {
+    cluster,
+    version: AlbControllerVersion.V2_4_1,
+    additionalHelmChartValues: {
+      [setting]: value,
+    },
+  });
+
+  // THEN
+  const template = Template.fromStack(stack);
+  template.hasResourceProperties(HelmChart.RESOURCE_TYPE, {
+    Values: {
+      'Fn::Join': [
+        '',
+        Match.arrayWith([
+          '{"clusterName":"',
+          { Ref: 'Cluster9EE0221C' },
+          '","serviceAccount":{"create":false,"name":"aws-load-balancer-controller"},"region":"us-east-1","vpcId":"',
+          { Ref: 'ClusterDefaultVpcFA9F2722' },
+          `","image":{"repository":"602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller","tag":"v2.4.1"},"${setting}":${value}}`,
+        ]),
+      ],
+    },
+  });
+});
+
 describe('AlbController AwsAuth creation', () => {
   const setupTest = (authenticationMode?: AuthenticationMode) => {
     const { stack } = testFixture();