[scripts] Update dependency kubernetes-sigs/aws-load-balancer-controller to v3

[renovate]

This PR contains the following updates:

Package	Update	Change
kubernetes-sigs/aws-load-balancer-controller	major	v2.17.1 → v3.1.0

---

Release Notes

kubernetes-sigs/aws-load-balancer-controller (kubernetes-sigs/aws-load-balancer-controller)

v3.1.0

Compare Source

📚 Quick Links

v3.1.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.1.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

If using Gateway API feature

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml [REQUIRED]
• Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [OPTIONAL: Used for L4 Routes]

🚀 What's New

Gateway API Enhancements

• [ALB Gateway] Port defaulting for scheme - Fixed redirect port handling to comply with Gateway API spec. When port is not specified in HTTPRequestRedirectFilter, the controller correctly defaults to well-known ports (80 for http, 443 for https) based on the redirect scheme.
• [ALB Gateway] Improved regex handling - Corrected regex value handling in Gateway API route matching
• [Gateway] Status hostname normalization - Gateway status hostnames are now normalized to lowercase for consistency

AWS Global Accelerator Controller

• [AGA] Cross-namespace reference support - AGA resources can now reference resources across namespaces, enabling more flexible multi-tenant architectures

🔧 Enhancements and Fixes

• [NLB Gateway] TLS passthrough listener - Fixed TLS listener construction to respect TLS mode configuration. NLB Gateways now support passthrough, termination, and re-encryption modes as defined in Gateway API spec. Note: SNI-based routing is not supported due to AWS NLB dataplane limitations.
• [Ingress] Rule optimizer - Fixed incorrect removal of regex-based listener rules that could cause routing failures
• [HelmUpgrade] Webhook certificate regeneration - Fixed certificate regeneration issues during Helm upgrades. Reintroduce the keepTLSSecret parameter with improved logic that maintains cert-manager compatibility.
• [Gateway] NPE on invalid parameters - Added null pointer protection and enhanced debugging for invalid parameter references

Documentation Updates

• Updated service.beta.kubernetes.io/aws-load-balancer-type annotation documentation
• Moved QUIC documentation to L4 section for better organization
• Updated Helm chart information

Changelog since v3.0.0

• [feat aga] Add cross-namespace reference support for AGA by @​shraddhabang in #​4547
• fix TLS passthrough listener by @​zac-nixon in #​4559
• Fix NPE on invalid parameters ref, add more debugging details to accepted status by @​zac-nixon in #​4562
• add port defaulting for scheme by @​zac-nixon in #​4568
• move QUIC documentation to l4 by @​zac-nixon in #​4570
• Fix rule optimizer incorrectly removing regex-based listener rules by @​shraddhabang in #​4569
• correct regex value handling in gateway api by @​zac-nixon in #​4577
• Add k8s event for TGB failures by @​vishwas121 in #​4571
• Update docs for service.beta.kubernetes.io/aws-load-balancer-type annotation by @​kellyyan in #​4578
• update helm info by @​zac-nixon in #​4583
• Fix webhook certificate regeneration on Helm upgrades by @​shraddhabang in #​4581
• Filter RequeueNeeded errors to skip event triggers on TGB controller by @​vishwas121 in #​4584
• fix(gateway): normalize status hostname to lowercase by @​TOGEP in #​4591

New Contributors

• @​vishwas121 made their first contribution in #​4571
• @​TOGEP made their first contribution in #​4591

Full Changelog: kubernetes-sigs/aws-load-balancer-controller@v3.0.0...v3.1.0

v3.0.0

Compare Source

📚 Quick Links

v3.0.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.0.0

Documentation

Thanks to all our contributors!💜💜💜

---

🎉 Gateway API is Now GA!

We are excited to announce that Gateway API support is now Generally Available (GA) in AWS Load Balancer Controller v3.0.0! This milestone marks the production-ready status of Gateway API features for managing AWS Application Load Balancers and Network Load Balancers through the Kubernetes Gateway API. We encourage you to try it out and welcome any feedback via GitHub Issues.
For more gateway api details, please refer to our live doc.

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

If using Gateway API feature

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml [REQUIRED]
• Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [OPTIONAL: Used for L4 Routes]

Webhook Certificate Issue

• Issue: #​4359 attempted to fix a race condition in webhook certificate renewal but introduced a critical bug. The aws-load-balancer-tls Secret persists but the Certificate that owned and renewed it was removed, causing eventual certificate expiration and webhook TLS failures (#​4541). This prevents the controller from updating target group bindings and can lead to outages. This bug impacts users deploying with Helm and utilizing the enableCertManager=true flag.
• Action for users staying on older versions: Set keepTLSSecret=false in your helm chart to mitigate the issue
• Action for users upgrading to v3.0.0: No action required - the fix is included in this release

🔧 Enhancements and Fixes

• Helm Chart Version Alignment: Helm chart version now aligns with LBC version. Previously, LBC v2.x used Helm chart v1.x (e.g., LBC v2.17 = Helm v1.17). Starting with v3.0.0, both versions match.
• Gateway Deletion: Removed route count check when deleting gateways, allowing deletion of gateways with attached routes (#​4549)
• Subnet Ordering: Fixed subnet order preservation when using aws-load-balancer-subnets annotation - now maintains requested order instead of non-deterministic ordering (#​4504)
• AZ Mismatch Fix: Fixed orphaned targets issue caused by AvailabilityZone mismatch in refreshUnhealthyTargets - targets are now properly deregistered regardless of cached AZ (#​4544)
• NLB Target Group Limit: Fixed target group association limit error for weighted configs by including base service UID in target group name generation (#​4540)
• Listener Error Propagation: Fixed target group tuple error messages not being propagated to end users (#​4545)
• Webhook Certificate: Reverted race condition fix in webhook certificate renewal that caused issues (#​4542)

📋 Full Changelog

• Revert "fix: Race condition in webhook certificate renewal with cert-… by @​zac-nixon in #​4542
• Fix NLB target group association limit issue for weighted configs by @​shraddhabang in #​4540
• Fix AZ mismatch in refreshUnhealthyTargets causing orphaned targets by @​MinhNguyen-at in #​4544
• Update model_build_listener.go by @​zac-nixon in #​4545
• Fix: preserve requested order for subnets when using aws-load-balancer-subnets annotation by @​nelsen129 in #​4504
• Remove KeepTLS parameter in helm chart by @​zac-nixon in #​4548
• [gateway api] remove route count check for deleting gateway by @​zac-nixon in #​4549
• [feat gateway-api]update gw api doc by @​shuqz in #​4550
• cut v3.0.0 release by @​shuqz in #​4551

New Contributors

• @​MinhNguyen-at made their first contribution in #​4544
• @​nelsen129 made their first contribution in #​4504

Full Changelog: kubernetes-sigs/aws-load-balancer-controller@v2.17.1...v3.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Diff (dev)

No diff detected!