feature: add ssl redirect port to IngressClassParams #4308

Open
wants to merge 4 commits into
base: main
6 changes: 5 additions & 1 deletion apis/elbv2/v1beta1/ingressclassparams_types.go
Expand Up @@ -144,7 +144,11 @@ type IngressClassParamsSpec struct {

// SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.
// +optional
SSLPolicy string `json:"sslPolicy,omitEmpty"`
SSLPolicy string `json:"sslPolicy,omitempty"`

// SSLRedirectPort specifies the SSL Redirect Port for all Ingresses that belong to IngressClass with this IngressClassParams.
// +optional
SSLRedirectPort string `json:"sslRedirectPort,omitempty"`

// Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.
// +optional
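Review bot: `SSLRedirectPort` is declared as `string` although it carries a port number, so nothing at the API level rejects a value such as `"https"` and the controller has to run `strconv.ParseInt` on it later. Consider an integer type (for example `*int32`) with `+kubebuilder:validation:Minimum=1` and `+kubebuilder:validation:Maximum=65535` markers, which also lines up with how the annotation is read through `ParseInt32Annotation`. The `omitEmpty` to `omitempty` tag fix on `SSLPolicy` is correct but unrelated to this feature and deserves a line in the PR description.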
4 changes: 4 additions & 0 deletions config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
Expand Up @@ -230,6 +230,10 @@ spec:
description: SSLPolicy specifies the SSL Policy for all Ingresses
that belong to IngressClass with this IngressClassParams.
type: string
sslRedirectPort:
description: SSLRedirectPort specifies the SSL Redirect Port for all
Ingresses that belong to IngressClass with this IngressClassParams.
type: string
subnets:
description: Subnets defines the subnets for all Ingresses that belong
to IngressClass with this IngressClassParams.
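Review bot: the schema entry for `sslRedirectPort` is `type: string` with no `pattern`, so the API server will admit any string and a bad value is only discovered when the controller builds the model. If the Go field stays a string, add a `+kubebuilder:validation:Pattern` marker restricting it to digits and regenerate; if it becomes an integer, this entry should regenerate as `type: integer` with bounds.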
17 changes: 16 additions & 1 deletion docs/guide/ingress/ingress_class.md
Expand Up @@ -174,6 +174,15 @@ You can use IngressClassParams to enforce settings for a set of Ingresses.
spec:
targetType: ip
```
- with sslRedirectPort
```
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
name: class2048-config
spec:
sslRedirectPort: '443'
```
- with IPv4IPAMPoolId
```
apiVersion: elbv2.k8s.aws/v1beta1
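Review bot: the `sslRedirectPort: '443'` example shows only the IngressClassParams side and says nothing about the listener it depends on. The existing test case "single Ingress with ssl-redirect annotation but refer non-exists port" suggests the redirect port must be one of the Ingress listen ports, so the example or the field reference should state that an HTTPS listener on that port is required.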
Expand Down Expand Up @@ -272,9 +281,15 @@ If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/certif

#### spec.sslPolicy

Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belong to this IngressClass.
Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belongs to this IngressClass.
If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-policy` annotation.

#### spec.sslRedirectPort

Cluster administrators can use the optional `sslRedirectPort` field to specify the SSL redirect port for the load balancers that belongs to this IngressClass.
If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-redirect` annotation.


#### spec.subnets

Cluster administrators can use the optional `subnets` field to specify the subnets for the load balancers that belong to this IngressClass.
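Review bot: the `spec.sslPolicy` sentence is changed from "load balancers that belong" to "load balancers that belongs", which introduces a grammar error in a line unrelated to this feature, and the new `spec.sslRedirectPort` paragraph repeats it; keep "belong" in both. The statement that LBC will ignore `alb.ingress.kubernetes.io/ssl-redirect` should also say that this applies per Ingress: in `buildSSLRedirectConfig` the annotation is skipped only for group members whose IngressClassParams sets the field, so other members of the same group still contribute their annotation. There is also an extra blank line before `#### spec.subnets`.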
4 changes: 4 additions & 0 deletions helm/aws-load-balancer-controller/crds/crds.yaml
Expand Up @@ -229,6 +229,10 @@ spec:
description: SSLPolicy specifies the SSL Policy for all Ingresses
that belong to IngressClass with this IngressClassParams.
type: string
sslRedirectPort:
description: SSLRedirectPort specifies the SSL Redirect Port for all
Ingresses that belong to IngressClass with this IngressClassParams.
type: string
subnets:
description: Subnets defines the subnets for all Ingresses that belong
to IngressClass with this IngressClassParams.
9 changes: 9 additions & 0 deletions pkg/ingress/model_builder.go
Expand Up @@ -450,6 +450,15 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
func (t *defaultModelBuildTask) buildSSLRedirectConfig(ctx context.Context, listenPortConfigByPort map[int32]listenPortConfig) (*SSLRedirectConfig, error) {
explicitSSLRedirectPorts := sets.Int32{}
for _, member := range t.ingGroup.Members {
if member.IngClassConfig.IngClassParams != nil && member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort != "" {
sslRedirectPort, err := strconv.ParseInt(member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort, 10, 32)
if err != nil {
return nil, nil
}
explicitSSLRedirectPorts.Insert(int32(sslRedirectPort))
continue
}

var rawSSLRedirectPort int32
exists, err := t.annotationParser.ParseInt32Annotation(annotations.IngressSuffixSSLRedirect, &rawSSLRedirectPort, member.Ing.Annotations)
if err != nil {
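Review bot: in the new `IngClassParams` branch a `strconv.ParseInt` failure ends in `return nil, nil`, which discards the error and returns no redirect config for the whole group, so a typo in `sslRedirectPort` silently leaves the HTTP listeners without the HTTPS redirect. Return the error instead, for example `return nil, fmt.Errorf("invalid sslRedirectPort %q: %w", port, err)` with `port` being the field value, so the reconcile fails visibly. `ParseInt` with a bit size of 32 also accepts zero and negative numbers, so add a range check for 1 to 65535 before `explicitSSLRedirectPorts.Insert`.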
256 changes: 256 additions & 0 deletions pkg/ingress/model_builder_test.go
Expand Up @@ -4972,6 +4972,69 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
},
wantErr: nil,
},
{
name: "single Ingress with IngressClassParam for ssl-redirect",
Collaborator

Can you add a new test for case single Ingress with IngressClassParam for ssl-redirect, while preserving the existing annotation-based test single Ingress with ssl-redirect annotation.

fields: fields{
ingGroup: Group{
ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
Members: []ClassifiedIngress{
{
IngClassConfig: ClassConfiguration{
IngClassParams: &v1beta1.IngressClassParams{
Spec: v1beta1.IngressClassParamsSpec{
SSLRedirectPort: "443",
},
},
},
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-1",
Name: "ing-1",
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-1.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-1",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "svc-1",
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
args: args{
listenPortConfigByPort: map[int32]listenPortConfig{
80: {
protocol: elbv2model.ProtocolHTTP,
},
443: {
protocol: elbv2model.ProtocolHTTPS,
},
},
},
want: &SSLRedirectConfig{
SSLPort: 443,
StatusCode: "HTTP_301",
},
wantErr: nil,
},
{
name: "single Ingress with ssl-redirect annotation but refer non-exists port",
fields: fields{
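Review bot: the added case covers only a valid `SSLRedirectPort: "443"`; nothing exercises a value that fails to parse (for example `"https"`) or a port that is absent from `listenPortConfigByPort`, as the neighbouring annotation case "refer non-exists port" does. Add both. The parse failure currently takes the `return nil, nil` path in `buildSSLRedirectConfig`, so that test should pin down the intended behaviour with a non-nil `wantErr`.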
Expand Down Expand Up @@ -5258,6 +5321,199 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
},
wantErr: nil,
},
{
name: "multiple Ingress with one IngressClassParam for ssl-redirect",
fields: fields{
ingGroup: Group{
ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
Members: []ClassifiedIngress{
{
IngClassConfig: ClassConfiguration{
IngClassParams: &v1beta1.IngressClassParams{
Spec: v1beta1.IngressClassParamsSpec{
SSLRedirectPort: "443",
},
},
},
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-1",
Name: "ing-1",
Annotations: map[string]string{},
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-1.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-1",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "svc-1",
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
},
},
},
},
{
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-2",
Name: "ing-2",
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-2.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-2",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "svc-2",
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
args: args{
listenPortConfigByPort: map[int32]listenPortConfig{
80: {
protocol: elbv2model.ProtocolHTTP,
},
443: {
protocol: elbv2model.ProtocolHTTPS,
},
},
},
want: &SSLRedirectConfig{
SSLPort: 443,
StatusCode: "HTTP_301",
},
wantErr: nil,
},
{
name: "multiple Ingress with SSLRedirectPort defined by both annotation and IngressClassParams",
fields: fields{
ingGroup: Group{
ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
Members: []ClassifiedIngress{
{
IngClassConfig: ClassConfiguration{
IngClassParams: &v1beta1.IngressClassParams{
Spec: v1beta1.IngressClassParamsSpec{
SSLRedirectPort: "443",
},
},
},
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-1",
Name: "ing-1",
Annotations: map[string]string{},
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-1.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-1",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "svc-1",
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
},
},
},
},
{
Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
Namespace: "ns-2",
Name: "ing-2",
Annotations: map[string]string{
"alb.ingress.kubernetes.io/ssl-redirect": "443",
},
},
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
Host: "app-2.example.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/svc-2",
Backend: networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "svc-2",
Port: networking.ServiceBackendPort{
Name: "http",
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
args: args{
listenPortConfigByPort: map[int32]listenPortConfig{
80: {
protocol: elbv2model.ProtocolHTTP,
},
443: {
protocol: elbv2model.ProtocolHTTPS,
},
},
},
want: &SSLRedirectConfig{
SSLPort: 443,
StatusCode: "HTTP_301",
},
wantErr: nil,
},
{
name: "multiple Ingress with same ssl-redirect annotation",
fields: fields{
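Review bot: the case "multiple Ingress with SSLRedirectPort defined by both annotation and IngressClassParams" puts the IngressClassParams on `ing-1` and the annotation on `ing-2`, both with port 443, so it passes whether or not the field overrides the annotation. To test the documented precedence, give a single member both `SSLRedirectPort: "443"` and a conflicting `alb.ingress.kubernetes.io/ssl-redirect` value such as `"8443"`, and add a case where two members of the group resolve to different ports.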