Replace ALB annotations with IngressClassParams

[stevehipwell]

Is your feature request related to a problem? I'd like to be able to replace more of the alb.ingress.kubernetes.io annotations with the IngressClassParams to abstract away the ALB specification from the Ingress resources using it. I mistakenly thought that #2190 was doing this, but after re-reading I think that's just replacing the alb.ingress.kubernetes.io/load-balancer-attributes annotation.

Describe the solution you'd like I'd like to be able to specify the following annotations in the IngressClassParams directly.

• alb.ingress.kubernetes.io/target-type
• alb.ingress.kubernetes.io/subnets
• alb.ingress.kubernetes.io/listen-ports
• alb.ingress.kubernetes.io/ssl-redirect
• alb.ingress.kubernetes.io/inbound-cidrs
• alb.ingress.kubernetes.io/certificate-arn

Describe alternatives you've considered n/a

[M00nF1sh]

/kind feature

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[msvticket]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[stevehipwell]

/remove-lifecycle stale

[nikskiz]

It would be nice to have spec.params.targetGroupAttributes

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[stevehipwell]

/remove-lifecycle stale

[Nuru]

Really, I think any of the 14 annotations that are "Exclusive" (must only be set once per Group) should be configurable via IngressClass (possibly via IngressClassParams). Then we can move that configuration out of the individual services so we do not have to worry about them fighting over control of them.

As of version 2.4, the following annotations are marked "Exclusive", but only a few of them can be specified in IngressClass and most (all?) of the rest cannot be specified anywhere but via annotations. This is a poor separation of concerns.

1. alb.ingress.kubernetes.io/load-balancer-name
2. alb.ingress.kubernetes.io/ip-address-type
3. alb.ingress.kubernetes.io/scheme
4. alb.ingress.kubernetes.io/subnets
5. alb.ingress.kubernetes.io/security-groups
6. alb.ingress.kubernetes.io/manage-backend-security-group-rules
7. alb.ingress.kubernetes.io/customer-owned-ipv4-pool
8. alb.ingress.kubernetes.io/load-balancer-attributes
9. alb.ingress.kubernetes.io/wafv2-acl-arn
10. alb.ingress.kubernetes.io/waf-acl-id
11. alb.ingress.kubernetes.io/shield-advanced-protection
12. alb.ingress.kubernetes.io/ssl-redirect
13. alb.ingress.kubernetes.io/inbound-cidrs
14. alb.ingress.kubernetes.io/ssl-policy

Related to, but different than #2600

[kwohlfahrt]

I would be particularly interested in alb.ingress.kubernetes.io/auth-* annotations being defined with class params.

That would make it easy to set up an ingress class with sensible authentication defaults for external ingresses.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sjmisterm]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sjmisterm]

/remove-lifecycle stale

[johngmyers]

#2920 is chipping away the ones that have Exclusive MergeBehavior. For the ones that have Merge, listen-ports has per-Ingress semantics that complicate things. certificate-arn has good reasons for specifying per-Ingress.

[visit1985]

certificate-arn has good reasons for specifying per-Ingress.

Agreed, but having a default cert in IngressClassParams would still make sense.

[omri-shilton]

is there an update on this issue?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sjmisterm]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sjmisterm]

/remove-lifecycle stale