gitops: adopt the aws-load-balancer-controller Helm release into GitOps (reconstruct values; CRDs)

[ausbru87]

Goal

Adopt the live aws-load-balancer-controller Helm release into GitOps in
place. Plan: docs/plans/gitops-adoption.md.

Source of truth

• Chart aws-load-balancer-controller (eks-charts), namespace kube-system, live revision v1, 2 replicas.
• No values file is committed (installed via CLI flags), so the desired state must be reconstructed before adoption.

Tasks

• Reconstruct values from the live release: helm get values aws-load-balancer-controller -n kube-system. Capture clusterName=usgov-coderdemo, region=us-gov-west-1, vpcId, the controller image (ECR mirror path), and the serviceAccount name plus its IRSA role ARN. Note: the LB controller IRSA role name is listed as unverified in docs/as-built/80-iac-vs-imperative.md; capture it live.
• Commit the reconstructed values file under deploy/platform/.
• Create an Argo Application (Helm source), unsynced first; render and diff; accept metadata-only diffs.
• CRDs TargetGroupBinding and IngressClassParams: adopt with ServerSideApply=true (large CRDs exceed the client-side last-applied annotation limit). Assign exactly one Application as the CRD owner.
• Adopt before/with ingress-nginx, since this controller reconciles that NLB.
• Keep the prior Helm release Secret until verified, then delete.

Landmines

• Missing committed values: a blind adoption would render an incomplete or default spec and could disrupt the NLB. Reconstruct first.
• CRD ownership and annotation-size limit.

Generated by Coder Agents.