Merge branch 'kubernetes-sigs:main' into main

Author: arnaud-dezandee

.go-version

@@ -1 +1 @@
-1.22.3
+1.22.5

Pipfile

@@ -6,9 +6,9 @@ name = "pypi"
 [packages]
 
 [dev-packages]
-mkdocs = "==1.1.2"
-mkdocs-material = "==7.1.5"
-mike = "==1.0.0"
+mkdocs = "==1.6.0"
+mkdocs-material = "==9.5.31"
+mike = "==2.1.2"
 
 [requires]
-python_version = "3.9"
+python_version = "3.12"

Pipfile.lock

@@ -907,35 +907,53 @@ In addition, you can use annotations to specify additional tags
 
 ## Addons
 
-!!!note
-    If waf-acl-arn is specified via the ingress annotations, the controller will make sure the waf-acl is associated to the provisioned ALB with the ingress. 
-    If there is not such annotation, the controller will make sure no waf-acl is associated, so it may remove the existing waf-acl on the ALB provisioned. 
-    If users do not want the controller to manage the waf-acl on the ALBs, they can disable the feature by setting controller command line flags `--enable-waf=false` or `--enable-wafv2=false`
-
-- <a name="waf-acl-id">`alb.ingress.kubernetes.io/waf-acl-id`</a> specifies the identifier for the Amazon WAF web ACL.
+- <a name="waf-acl-id">`alb.ingress.kubernetes.io/waf-acl-id`</a> specifies the identifier for the Amazon WAF Classic web ACL.
 
     !!!warning ""
-        Only Regional WAF is supported.
+        Only Regional WAF Classic is supported.
+
+    !!!note ""
+        When this annotation is absent or empty, the controller will keep LoadBalancer WAF Classic settings unchanged.
+        To disable WAF Classic, explicitly set the annotation value to 'none'.
 
     !!!example
-        ```alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe
-        ```
+        - enable WAF Classic
+            ```alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe
+            ```
+        - disable WAF Classic
+            ```alb.ingress.kubernetes.io/waf-acl-id: none
+            ```
 
 - <a name="wafv2-acl-arn">`alb.ingress.kubernetes.io/wafv2-acl-arn`</a> specifies ARN for the Amazon WAFv2 web ACL.
 
     !!!warning ""
         Only Regional WAFv2 is supported.
 
+    !!!note ""
+        When this annotation is absent or empty, the controller will keep LoadBalancer WAFv2 settings unchanged.
+        To disable WAFv2, explicitly set the annotation value to 'none'.
+
     !!!tip ""
         To get the WAFv2 Web ACL ARN from the Console, click the gear icon in the upper right and enable the ARN column.
 
     !!!example
-        ```alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-west-2:xxxxx:regional/webacl/xxxxxxx/3ab78708-85b0-49d3-b4e1-7a9615a6613b
-        ```
-
+        - enable WAFv2
+            ```alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-west-2:xxxxx:regional/webacl/xxxxxxx/3ab78708-85b0-49d3-b4e1-7a9615a6613b
+            ```
+        - disable WAFV2
+            ```alb.ingress.kubernetes.io/wafv2-acl-arn: none
+            ```
+  
 - <a name="shield-advanced-protection">`alb.ingress.kubernetes.io/shield-advanced-protection`</a> turns on / off the AWS Shield Advanced protection for the load balancer.
 
-    !!!example
-        ```alb.ingress.kubernetes.io/shield-advanced-protection: 'true'
-        ```
+    !!!note ""
+        When this annotation is absent, the controller will keep LoadBalancer shield protection settings unchanged.
+        To disable shield protection, explicitly set the annotation value to 'false'.
 
+    !!!example
+        - enable shield protection
+            ```alb.ingress.kubernetes.io/shield-advanced-protection: 'true'
+            ```
+        - disable shield protection
+            ```alb.ingress.kubernetes.io/shield-advanced-protection: 'false'
+            ```

docs/guide/ingress/annotations.md

@@ -170,17 +170,14 @@ spec:
         {{- if .Values.loadBalancerClass }}
         - --load-balancer-class={{ .Values.loadBalancerClass }}
         {{- end }}
-        {{- if or .Values.env .Values.envSecretName .Values.envFrom }}
+        {{- if or .Values.env .Values.envSecretName }}
         env:
         {{- if .Values.env}}
         {{- range $key, $value := .Values.env }}
         - name: {{ $key }}
           value: "{{ $value }}"
         {{- end }}
         {{- end }}
-        {{- if .Values.envFrom }}
-        {{ .Values.envFrom | toYaml | nindent 8 }}
-        {{- end }}
         {{- if .Values.envSecretName  }}
         - name: AWS_ACCESS_KEY_ID
           valueFrom:
@@ -196,6 +193,10 @@ spec:
               optional: true
         {{- end }}
         {{- end }}
+        {{- if .Values.envFrom }}
+        envFrom:
+        {{- toYaml .Values.envFrom | nindent 10 }}
+        {{- end }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

helm/aws-load-balancer-controller/templates/deployment.yaml

@@ -282,10 +282,9 @@ env:
 # envSecretName: aws-secret
 
 # Use envFrom to set environment variables from a Secret or ConfigMap
-envFrom: 
-  # valueFrom:
-  #   - secretKeyRef:
-  #       name: aws-load-balancer-controller
+# envFrom:
+#   - secretRef:
+#       name: my-secret
 
 # Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
 # This is required if using a custom CNI where the managed control plane nodes are unable to initiate

helm/aws-load-balancer-controller/values.yaml

@@ -70,8 +70,8 @@ markdown_extensions:
   - pymdownx.superfences
   - pymdownx.tabbed
   - pymdownx.emoji:
-      emoji_index: !!python/name:materialx.emoji.twemoji
-      emoji_generator: !!python/name:materialx.emoji.to_svg
+      emoji_index: !!python/name:material.extensions.emoji.twemoji
+      emoji_generator: !!python/name:material.extensions.emoji.to_svg
   - toc:
       permalink: true
 extra_css:

mkdocs.yml

@@ -0,0 +1,18 @@
+package algorithm
+
+import "cmp"
+
+// RemoveSliceDuplicates returns a copy of the slice without duplicate entries.
+func RemoveSliceDuplicates[S ~[]E, E cmp.Ordered](s S) []E {
+	result := make([]E, 0, len(s))
+	found := make(map[E]struct{}, len(s))
+
+	for _, x := range s {
+		if _, ok := found[x]; !ok {
+			found[x] = struct{}{}
+			result = append(result, x)
+		}
+	}
+
+	return result
+}

pkg/algorithm/slices.go

@@ -0,0 +1,46 @@
+package algorithm
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RemoveSliceDuplicates(t *testing.T) {
+	type args struct {
+		data []string
+	}
+	tests := []struct {
+		name string
+		args args
+		want []string
+	}{
+		{
+			name: "empty",
+			args: args{
+				data: []string{},
+			},
+			want: []string{},
+		},
+		{
+			name: "no duplicate entries",
+			args: args{
+				data: []string{"a", "b", "c", "d"},
+			},
+			want: []string{"a", "b", "c", "d"},
+		},
+		{
+			name: "with duplicates",
+			args: args{
+				data: []string{"a", "b", "a", "c", "b"},
+			},
+			want: []string{"a", "b", "c"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := RemoveSliceDuplicates(tt.args.data)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/algorithm/slices_test.go

@@ -2,11 +2,11 @@ package shield
 
 import (
 	"context"
+	"fmt"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
-	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	shieldmodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/shield"
 )
 
@@ -32,25 +32,18 @@ type protectionSynthesizer struct {
 
 func (s *protectionSynthesizer) Synthesize(ctx context.Context) error {
 	var resProtections []*shieldmodel.Protection
-	s.stack.ListResources(&resProtections)
+	if err := s.stack.ListResources(&resProtections); err != nil {
+		return fmt.Errorf("[should never happen] failed to list resources: %w", err)
+	}
+	if len(resProtections) == 0 {
+		return nil
+	}
 	resProtectionsByResARN, err := mapResProtectionByResourceARN(resProtections)
 	if err != nil {
 		return err
 	}
-
-	var resLBs []*elbv2model.LoadBalancer
-	s.stack.ListResources(&resLBs)
-	for _, resLB := range resLBs {
-		// shield protection can only be associated with ALB for now.
-		if resLB.Spec.Type != elbv2model.LoadBalancerTypeApplication {
-			continue
-		}
-		lbARN, err := resLB.LoadBalancerARN().Resolve(ctx)
-		if err != nil {
-			return err
-		}
-		resProtections := resProtectionsByResARN[lbARN]
-		if err := s.synthesizeProtectionsOnLB(ctx, lbARN, resProtections); err != nil {
+	for resARN, protections := range resProtectionsByResARN {
+		if err := s.synthesizeProtectionsOnLB(ctx, resARN, protections); err != nil {
 			return err
 		}
 	}
@@ -63,18 +56,13 @@ func (s *protectionSynthesizer) PostSynthesize(ctx context.Context) error {
 }
 
 func (s *protectionSynthesizer) synthesizeProtectionsOnLB(ctx context.Context, lbARN string, resProtections []*shieldmodel.Protection) error {
-	if len(resProtections) > 1 {
-		return errors.Errorf("[should never happen] multiple shield protection desired on LoadBalancer: %v", lbARN)
-	}
-
-	enableProtection := false
-	if len(resProtections) == 1 {
-		enableProtection = true
+	if len(resProtections) != 1 {
+		return errors.Errorf("[should never happen] should be exactly one shield protection desired on LoadBalancer: %v", lbARN)
 	}
-
+	enableProtection := resProtections[0].Spec.Enabled
 	protectionInfo, err := s.protectionManager.GetProtection(ctx, lbARN)
 	if err != nil {
-		return err
+		return errors.Wrap(err, "failed to get shield protection on LoadBalancer")
 	}
 	switch {
 	case !enableProtection && protectionInfo != nil: