NE-1808: Bump controller to v2.8.2

[alebedev87]

• Updated controller image to the latest version from downstream.
• Re-generated operator bundle using make bundle, which also updated controller CRDs.
• Synced IAM policy with the latest downstream version.
• Re-generated managed IAM policy and credentials request using make generate.
• Updated managed controller RBAC to include permissions for leases.
  • Note: Controller-runtime no longer supports ConfigMaps for leader election.

Integrates openshift/aws-load-balancer-controller#23 into the operator.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1807 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

• Updated controller image to the latest version from downstream.
• Re-generated operator bundle using make bundle, which also updated controller CRDs.
• Synced IAM policy with the latest downstream version.
• Re-generated managed IAM policy and credentials request using make generate.
• Updated managed controller RBAC to include permissions for leases.
• Note: Controller-runtime no longer supports ConfigMaps for leader election.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1807 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

• Updated controller image to the latest version from downstream.
• Re-generated operator bundle using make bundle, which also updated controller CRDs.
• Synced IAM policy with the latest downstream version.
• Re-generated managed IAM policy and credentials request using make generate.
• Updated managed controller RBAC to include permissions for leases.
• Note: Controller-runtime no longer supports ConfigMaps for leader election.

Integrates openshift/aws-load-balancer-controller#23 into the operator.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1808 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

• Updated controller image to the latest version from downstream.
• Re-generated operator bundle using make bundle, which also updated controller CRDs.
• Synced IAM policy with the latest downstream version.
• Re-generated managed IAM policy and credentials request using make generate.
• Updated managed controller RBAC to include permissions for leases.
• Note: Controller-runtime no longer supports ConfigMaps for leader election.

Integrates openshift/aws-load-balancer-controller#23 into the operator.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

/test e2e-aws-rosa-operator

WAF ACL creation may conflict with other PRs.
openshift/release#59728 addresses this.

[alebedev87]

/test e2e-aws-proxy-operator

[alebedev87]

/test e2e-aws-rosa-operator

[alebedev87]

The e2e test passed but

Process did not finish before 4h0m0s timeout

Addressed in openshift/release#59745.

/test e2e-aws-rosa-operator

[candita]

/assign @gcs278

[alebedev87]

/retest

[gcs278]

Is updating the iam-policy automated at all, or do you just have to manually look at https://github.com/openshift/aws-load-balancer-controller/blob/d0c13bf1576965a3b65fc09ebce94ed9f86833a2/docs/install/iam_policy.json to see if anything changed and manually sync it?

Edit: I commented on the wrong file, I know there's iamctl to sync iam-policy within the ALBO repo, but just curious if the upstream change is manually synced to this repo, and if so, is that something that we could fix in the future?

[alebedev87]

For now, the process is manual. Initially I planned to automate it in this PR and even created a dedicated hack file for that purpose. However, I noticed that the semantic difference can sometimes be much smaller than the byte-by-byte difference because certain statements might be reshuffled upstream.

In this particular case, the semantic change was limited to adding the elasticloadbalancing:DescribeTrustStores action for the mTLS support (which we don't support yet).

I couldn’t find a straightforward way to sort the upstream policy that would minimize the diff while avoiding the risk of losing statements. As a result, I decided to keep the process manual so that multiple people can validate the changes.

[gcs278]

Makes sense. If someone in the future missed a iam-policy update on a rebase, would you expect it to get caught by E2E tests? Or is it a solid "maybe"?

[alebedev87]

Not as solid as I would like it to be. The e2e tests cover only the scenarios described in the docs. If IAM policy changes go beyond this - we may miss them.

[gcs278]

Do you need to bump

aws-load-balancer-operator/go.mod

Line 25 in 2f421cd

sigs.k8s.io/aws-load-balancer-controller v0.0.0-20220923211742-8d282339857c

in the go.mod file? I see it's only used for operator_test.go, so it might not matter, but maybe it's good to do it for completeness, as it appears the schema has changed on this bump.

[alebedev87]

Do you need to bump sigs.k8s.io/aws-load-balancer-controller in the go.mod file? I see it's only used for operator_test.go, so it might not matter, but maybe it's good to do it for completeness, as it appears the schema has changed on this bump.

Right, I do. Let me do it in #143 because it needs k8s.io 0.30.z. Upd: done.

[alebedev87]

/retest

[gcs278]

Thanks!
/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [gcs278]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/label px-approved

The docs are enough for this feature.

[ahardin-rh]

/label docs-approved

[ShudiLi]

tested it with 4.18.0-0.ci.test-2024-12-18-012548-ci-ln-h9xtjxb-latest

1.
% oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0.ci.test-2024-12-18-012548-ci-ln-h9xtjxb-latest   True        False         37m     Cluster version is 4.18.0-0.ci.test-2024-12-18-012548-ci-ln-h9xtjxb-latest

2.
% oc -n aws-load-balancer-operator  get pods                                                                                                                 
NAME                                                              READY   STATUS      RESTARTS   AGE
35b5a855d06d8296bb3b140bd95fc6eb70ff19c94d535f5b2a707bea99c8865   1/1     Running     0          31m
aws-load-balancer-controller-cluster-7c5c987cfd-qwrb2             1/1     Running     0          22m
aws-load-balancer-operator-controller-manager-b7fdf64bc-2mw4w     2/2     Running     0          31m
da32229ded5cc96453559786df040a1e59fbaa3ba6dbf73ddb11aa3117zxnz2   0/1     Completed   0          31m

3.
% oc -n aws-load-balancer-operator  get pod aws-load-balancer-operator-controller-manager-b7fdf64bc-2mw4w -oyaml | grep -i quay.io/aws-load-balancer-operator
      value: quay.io/aws-load-balancer-operator/aws-load-balancer-controller@sha256:75c5e5c1c650b27c273875d6e9497ede335c0ded6719064b0db63a6da8369937

4.
% oc get CustomResourceDefinition ingressclassparams.elbv2.k8s.aws -oyaml
% oc get CustomResourceDefinition ingressclassparams.elbv2.k8s.aws -oyaml | grep "controller-gen.kubebuilder.io/version"
    controller-gen.kubebuilder.io/version: v0.14.0
% oc get CustomResourceDefinition ingressclassparams.elbv2.k8s.aws -oyaml | grep "APIVersion defines the versioned schema of this representation of an object" 
              APIVersion defines the versioned schema of this representation of an object.
% oc get CustomResourceDefinition ingressclassparams.elbv2.k8s.aws -oyaml | grep "Kind is a string value representing the REST resource this object represents"
              Kind is a string value representing the REST resource this object represents.

5.
% oc -n test get ingress
NAME           CLASS   HOSTS                   ADDRESS                                                               PORTS   AGE
ingress-test   alb     www.user2-example.com   k8s-test-ingresst-4efc854f6c-1287644373.us-east-1.elb.amazonaws.com   80      3m38s

6.
% curl http://k8s-test-ingresst-4efc854f6c-1287644373.us-east-1.elb.amazonaws.com -H "host: www.user2-example.com"
Hello-OpenShift web-server-1 http-8080

[ShudiLi]

/label qe-approved
thanks

[openshift-ci-robot]

@alebedev87: This pull request references NE-1808 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

• Updated controller image to the latest version from downstream.
• Re-generated operator bundle using make bundle, which also updated controller CRDs.
• Synced IAM policy with the latest downstream version.
• Re-generated managed IAM policy and credentials request using make generate.
• Updated managed controller RBAC to include permissions for leases.
• Note: Controller-runtime no longer supports ConfigMaps for leader election.

Integrates openshift/aws-load-balancer-controller#23 into the operator.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 1ac0bcf and 2 for PR HEAD 0089375 in total

[ShudiLi]

/retest-required

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.