
Commit de50bdd

Allow override of Certificate resource fields for duration of webhook certs (#4105)
* Allow override Certificate fields for duration
* Add docs for new fields
* Update documentation text to be more precise
* fix typo
1 parent 539245d commit de50bdd


3 files changed

+16
-0
lines changed


helm/aws-load-balancer-controller/README.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -17,6 +17,7 @@ AWS Load Balancer controller manages the following AWS resources
1717
- Network Load Balancers to satisfy Kubernetes service objects of type LoadBalancer with appropriate annotations
1818

1919
## Security updates
20+
2021
**Note**: Deployed chart does not receive security updates automatically. You need to manually upgrade to a newer chart.
2122
#### Node isolation
2223
As a security best practice, we recommend isolating the controller deployment pods to specific node groups which run critical components. The helm chart provides parameters ```nodeSelector```, ```tolerations``` and ```affinity``` to configure node isolation. For more information, please refer to the guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#isolating-tenant-workloads-to-specific-nodes).
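Review bot: The only change in this hunk is a blank line inserted between `## Security updates` and the **Note** paragraph (line 20+), which has nothing to do with the certManager fields; it is harmless, but it pads the diff and could be dropped to keep the commit focused on the webhook certificate change.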
@@ -257,6 +258,8 @@ The default values set by the application itself can be confirmed [here](https:/
257258
| `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
258259
| `updateStrategy` | Defines the update strategy for the deployment | `{}` |
259260
| `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` |
261+
| `certManager.duration` | Overrides the default expiry duration for the webhook certificates. defaults to `90d` | `""` |
262+
| `certManager.renewBefore` | Overrides the renewal time period duration for the webhook certificates. defaults to `60d` | `""` |
260263
| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` |
261264
| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` |
262265
| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` |
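Review bot: The two new rows (lines 261+ and 262+) describe the defaults in a way that will mislead users. The chart default is `""`, so the `90d` and `60d` quoted are cert-manager's fallbacks rather than anything the chart sets, and neither value is in the format the Certificate `duration` and `renewBefore` fields accept, which is Go duration syntax such as `2160h` for 90 days; a user who copies `90d` into `certManager.duration` will get a rejected resource. Suggest wording along the lines of `| certManager.duration | Lifetime of the webhook certificates as a Go duration (e.g. 2160h); when empty, cert-manager's default applies | "" |`, and for `renewBefore` state explicitly that it is the period before expiry at which renewal starts and must be shorter than `duration`. Also capitalise "defaults to" after the full stop in both rows.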

helm/aws-load-balancer-controller/templates/webhook.yaml

Lines changed: 8 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -237,6 +237,14 @@ spec:
237237
kind: Issuer
238238
name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
239239
secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
240+
{{- with .Values.certManager -}}
241+
{{ if .duration }}
242+
duration: {{ .duration }}
243+
{{- end }}
244+
{{- if .renewBefore }}
245+
renewBefore: {{ .renewBefore }}
246+
{{- end }}
247+
{{- end }}
240248
---
241249
apiVersion: cert-manager.io/v1
242250
kind: Issuer
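Review bot: Whitespace trimming is inconsistent between the two conditionals: `{{ if .duration }}` on line 241+ has no left-trim while `{{- if .renewBefore }}` on line 244+ does, and the block only renders cleanly because `{{- with .Values.certManager -}}` on line 240+ right-trims the newline and indentation in front of the first `if`. If the `-}}` is ever removed from the `with` line, or anything is inserted between the `with` and the `if`, a line of bare indentation lands under `secretName:`. Use `{{- if .duration }}` so both branches depend on the same trimming, at which point the `-}}` on the `with` line is no longer needed and can be dropped to match every other action in the block. Worth checking the rendered output with `helm template` for the cases neither field set, only `renewBefore` set, both set, and `certManager: {}` passed explicitly (where `with` on an empty map skips the whole block, which is the intended behaviour).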

helm/aws-load-balancer-controller/values.yaml

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -115,6 +115,11 @@ additionalLabels: {}
115115
# Enable cert-manager
116116
enableCertManager: false
117117

118+
# Overrideable variables when enableCertManager is set to true
119+
certManager:
120+
duration:
121+
renewBefore:
122+
118123
# The name of the Kubernetes cluster. A non-empty value is required
119124
clusterName:
120125
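Review bot: `certManager.duration` and `certManager.renewBefore` (lines 120+ and 121+) are added with no indication of the expected format or of what an empty value means, and values.yaml is the first place chart users look. Extend the comment on line 118+ to say that both take Go duration strings (for example `duration: 2160h`, `renewBefore: 1440h`), that an empty value falls back to cert-manager's own default, and that both are ignored unless `enableCertManager: true`. Also "Overrideable" should read "Overridable".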
