Daily - Arnaud's links

All links of one day
in a single page.
<Previous day - Next day>

Daily RSS Feed

The Daily Shaarli floral_right

——————————— Today - Saturday 06, September 2025 ———————————

Sat Sep 6 09:38:13 2025

alb - ingress -

Annotations - AWS Load Balancer Controller

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check

Condensed annotations doc


# INGRESS GROUP

alb.ingress.kubernetes.io/group.name: my-group
# [-1000,1000] default 0, not sure who has priority: bigger or smaller?
alb.ingress.kubernetes.io/group.order:

# TRAFFIC LISTENING

alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
#Once defined on a single Ingress, it impacts every Ingress within IngressGroup.
alb.ingress.kubernetes.io/ssl-redirect: '443'

# TAFFIC ROUTING

alb.ingress.kubernetes.io/load-balancer-name: custom-name
alb.ingress.kubernetes.io/target-type: ip

# protocol to reach backend HTTP, HTTPS
alb.ingress.kubernetes.io/backend-protocol: HTTP

# protocol version to reach backend : HTTP1 (default) or GRPC or HTTP2
alb.ingress.kubernetes.io/backend-protocol-version: HTTP1
# can use subnetName tag!
alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c

# ACCESS CONTROL

# internal or internet-facing
alb.ingress.kubernetes.io/scheme: internal

# When this annotation is not present, the controller will automatically create one security group
# we can use sg name!
alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2

# AUTHENTICATION (oidc)
alb.ingress.kubernetes.io/auth-type: oidc
alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://example.com","authorizationEndpoint":"https://authorization.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}'
alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
alb.ingress.kubernetes.io/auth-session-timeout: '86400'
alb.ingress.kubernetes.io/auth-session-cookie: auth-service-a

# HEALTH CHECK

alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
alb.ingress.kubernetes.io/healthcheck-path: /ping

# The range is 5-300. Default to 30
alb.ingress.kubernetes.io/healthcheck-interval-seconds: 5

# The range is 2–120 seconds, default to 6
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: 2

#  The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/healthy-threshold-count: 2

# The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/unhealthy-threshold-count: 2

# TLS
# can be discovered automatically see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/ingress/cert_discovery/
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

# CUSTOM

# enable access log to s3
alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-access-log-bucket,access_logs.s3.prefix=my-app

# enable http2 support
alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true

Main Ingress example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shared-ingress-a
  namespace: default
  annotations:
    # Ingress group
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    # Traffic Listening
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # Traffic routing
    alb.ingress.kubernetes.io/load-balancer-name: shared-ingress-a
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c
    # Access control
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2
    # Health check
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: 5
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: 2
    alb.ingress.kubernetes.io/healthy-threshold-count: 2
    alb.ingress.kubernetes.io/unhealthy-threshold-count: 2
    # TLS => should be autodiscovered
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

spec:
  ingressClassName: alb

Child Ingress example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service-a
  namespace: my-service-a
  annotations:
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    alb.ingress.kubernetes.io/group.order: 
spec:
  ingressClassName: alb
  rules:
    - host: my-service-a.example.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: "my-service-a"
                port:
                  number: 80