
[aws-load-balancer-controller] chart generates non empty diff #347

Closed

admssa opened this issue Nov 13, 2020 · 13 comments

Comments


admssa commented Nov 13, 2020

Hi guys. I have a small issue with the aws-load-balancer-controller helm chart. It is designed in such a way that it generates a non-empty diff on each apply/upgrade.
It creates a secret with new values each time:

data:
  ca.crt: {{ $tls.caCert }}
  tls.crt: {{ $tls.clientCert }}
  tls.key: {{ $tls.clientKey }}

and generates a non-empty helm diff.
Use case: this chart prevents us from implementing CD for our infrastructure code.
I saw the enableCertManager flag, but I wasn't going to use cert-manager.


@joncolby

I am running into the same issue. I also am not using cert manager.

kishorj (Contributor) commented Jan 13, 2021

@admssa would it be acceptable to be able to specify the private key during chart installation/template generation?

tyrken commented Feb 15, 2021

Also hit this while not using cert-manager. I guess the options are to provide it as optional helm input values or read it from an existing secret.

Would have preferred the latter except I'm not sure it will work given kubernetes/kubernetes#72944 (K8s cannot read webhook's CABundle from secret). Not sure if some helm-trickery can do it at apply time...

@eytanhanig

For those using Argo CD, I wrote the following code to ignore these specific fields. All you need to do is add it to your Application manifest:

kind: Application
spec:
  ignoreDifferences:
  - kind: Secret
    name: aws-load-balancer-tls
    jsonPointers:
    - /data/ca.crt
    - /data/tls.crt
    - /data/tls.key
  - group: admissionregistration.k8s.io
    kind: MutatingWebhookConfiguration
    name: aws-load-balancer-webhook
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
  - group: admissionregistration.k8s.io
    kind: ValidatingWebhookConfiguration
    name: aws-load-balancer-webhook
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle

NArnott commented Mar 9, 2021

I am trying to apply this chart using Pulumi, and get the same diff with every deploy. Specifying a specific key so this doesn't happen every time would be helpful.

@johnjeffers

I had to make a minor change to @eytanhanig's solution above after upgrading to aws-load-balancer-controller 2.2.0.

kind: Application
spec:
  ignoreDifferences:
  - kind: Secret
    name: aws-load-balancer-tls
    jsonPointers:
    - /data/ca.crt
    - /data/tls.crt
    - /data/tls.key
  - group: admissionregistration.k8s.io
    kind: MutatingWebhookConfiguration
    name: aws-load-balancer-webhook
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
  - group: admissionregistration.k8s.io
    kind: ValidatingWebhookConfiguration
    name: aws-load-balancer-webhook
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle

The extra last line is the only change.

ypicard commented Jul 6, 2021

Has anyone managed to get rid of this output using Helmfile?

kishorj (Contributor) commented Oct 4, 2021

@admssa, we will provide options to reuse existing TLS secrets via the upstream PR kubernetes-sigs/aws-load-balancer-controller#2264.

All new features/fixes to the lb controller helm chart go to the upstream repository, and we sync up to eks-charts during release. I'm closing the issue. If you have further concerns, please open an issue in the upstream repo.

kishorj closed this as completed Oct 4, 2021

@davidroth

@kishorj I upgraded to the helm chart version 1.3.1 and configured keepTLSSecret: true.
Unfortunately, the issue remains. Is there anything else I need to configure?

@lcaproni-pp

I am in the boat with @davidroth - still seeing this issue after upgrading. Even tried re-installing from scratch etc. but no dice.

ypicard commented Oct 23, 2021

If you open a new issue, please mention here for tracking purposes @davidroth @lcaproni-pp.

@lcaproni-pp

I opened an issue here

K3ndu commented Jun 30, 2023

If you encounter this problem again with a new version of the alb-controller, it seems they added a new caBundle; to fix it, just add another line:

name: aws-load-balancer-webhook
jsonPointers:
- /webhooks/0/clientConfig/caBundle
- /webhooks/1/clientConfig/caBundle
- /webhooks/2/clientConfig/caBundle
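The Argo CD ignoreDifferences workaround posted by eytanhanig, johnjeffers and K3ndu above, worked through as an added example that is not part of this thread, of Argo CD, or of the chart: it applies the same kind/name/jsonPointers rules to constructed "live" and freshly rendered objects to show the diff disappearing, and adds the check a practitioner gives up once those fields are ignored, namely that every webhook's caBundle still equals the Secret's ca.crt. Webhook names, certificate values and the pointer-resolution code are assumptions of this example, not the chart's or Argo CD's own.

```python
"""Added example (not Argo CD's or the chart's code): simulate the effect of the
ignoreDifferences rules from this thread and check the ignored fields still agree."""
import base64
import copy


def b64(text):
    """Base64-encode a constructed stand-in for PEM data, as Secret data is stored."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample values: the chart regenerates the CA on every render, so the
# rendered objects carry different certificate material than the live ones.
LIVE_CA, NEW_CA = b64("live-ca-pem"), b64("new-ca-pem")


def build_objects(ca_b64, crt_b64, key_b64):
    """[Secret, MutatingWebhookConfiguration, ValidatingWebhookConfiguration] with the
    object names used in the thread; the per-webhook names are placeholders."""
    secret = {"apiVersion": "v1", "kind": "Secret",
              "metadata": {"name": "aws-load-balancer-tls"},
              "data": {"ca.crt": ca_b64, "tls.crt": crt_b64, "tls.key": key_b64}}
    mwc = {"apiVersion": "admissionregistration.k8s.io/v1",
           "kind": "MutatingWebhookConfiguration",
           "metadata": {"name": "aws-load-balancer-webhook"},
           "webhooks": [{"name": "mutating-hook-0", "clientConfig": {"caBundle": ca_b64}},
                        {"name": "mutating-hook-1", "clientConfig": {"caBundle": ca_b64}}]}
    vwc = {"apiVersion": "admissionregistration.k8s.io/v1",
           "kind": "ValidatingWebhookConfiguration",
           "metadata": {"name": "aws-load-balancer-webhook"},
           "webhooks": [{"name": "validating-hook-0", "clientConfig": {"caBundle": ca_b64}}]}
    return [secret, mwc, vwc]


LIVE = build_objects(LIVE_CA, b64("live-crt"), b64("live-key"))
RENDERED = build_objects(NEW_CA, b64("new-crt"), b64("new-key"))

# The rules from the Application manifest posted above, expressed as data.
IGNORE_DIFFERENCES = [
    {"kind": "Secret", "name": "aws-load-balancer-tls",
     "jsonPointers": ["/data/ca.crt", "/data/tls.crt", "/data/tls.key"]},
    {"group": "admissionregistration.k8s.io", "kind": "MutatingWebhookConfiguration",
     "name": "aws-load-balancer-webhook",
     "jsonPointers": ["/webhooks/0/clientConfig/caBundle", "/webhooks/1/clientConfig/caBundle"]},
    {"group": "admissionregistration.k8s.io", "kind": "ValidatingWebhookConfiguration",
     "name": "aws-load-balancer-webhook",
     "jsonPointers": ["/webhooks/0/clientConfig/caBundle", "/webhooks/1/clientConfig/caBundle"]},
]


def resolve_pointer(doc, pointer):
    """Walk an RFC 6901 JSON pointer; return (parent, key) or None if a step is missing."""
    parts = [p.replace("~1", "/").replace("~0", "~") for p in pointer.split("/")[1:]]
    if not parts:
        return None
    node = doc
    for part in parts[:-1]:
        if isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        elif isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return None
    last = parts[-1]
    if isinstance(node, list) and last.isdigit() and int(last) < len(node):
        return node, int(last)
    if isinstance(node, dict) and last in node:
        return node, last
    return None


def rule_matches(rule, obj):
    """Match on API group, kind and name, as the Application manifest expresses them."""
    api_version = obj["apiVersion"]
    group = api_version.split("/")[0] if "/" in api_version else ""
    name = obj["metadata"]["name"]
    return (rule.get("group", group) == group and rule["kind"] == obj["kind"]
            and rule.get("name", name) == name)


def strip_ignored(obj, rules):
    """Copy obj with every matching pointer removed; pointers that do not resolve
    (e.g. /webhooks/1 on a configuration with one webhook) are simply skipped."""
    out = copy.deepcopy(obj)
    for rule in rules:
        if not rule_matches(rule, obj):
            continue
        for ptr in rule["jsonPointers"]:
            hit = resolve_pointer(out, ptr)
            if hit is not None:
                parent, key = hit
                del parent[key]
    return out


def has_diff(live, rendered, rules):
    """True if the two objects still differ once the ignored fields are removed."""
    return strip_ignored(live, rules) != strip_ignored(rendered, rules)


def ca_bundle_mismatches(objects):
    """Webhooks whose caBundle differs from the Secret's ca.crt. With those fields
    ignored, Argo CD no longer reports such drift, so it is worth checking directly."""
    expected = next(o for o in objects if o["kind"] == "Secret")["data"]["ca.crt"]
    return [f'{o["kind"]}/{wh["name"]}' for o in objects
            for wh in o.get("webhooks", [])
            if wh["clientConfig"].get("caBundle") != expected]


if __name__ == "__main__":
    for live, rendered in zip(LIVE, RENDERED):
        print(live["kind"], "raw diff:", has_diff(live, rendered, []),
              "after ignoreDifferences:", has_diff(live, rendered, IGNORE_DIFFERENCES))
    print("caBundle mismatches:", ca_bundle_mismatches(LIVE))
```

The design point is that ignoreDifferences hides the symptom rather than the cause: after it is in place, a webhook whose caBundle no longer matches the serving certificate in the Secret (for instance after a partial re-sync) shows up as a clean Application rather than as drift, so `ca_bundle_mismatches` is the kind of check to keep alongside the rule. Reusing an existing TLS secret, as the keepTLSSecret option mentioned in this thread intends, removes the regenerated values from the render and therefore the diff itself.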
