Condensed annotations doc
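# Annotation cheat sheet for the AWS Load Balancer Controller (ALB Ingress).
# Every annotation value must be a string, so numeric values are quoted.

# INGRESS GROUP
# Every Ingress carrying the same group.name is merged onto one ALB, across
# namespaces. Only use a group when everyone with RBAC permission to
# create or modify Ingress objects is inside the same trust boundary: any such
# user can join the group and add or override rules on the shared ALB.
alb.ingress.kubernetes.io/group.name: my-group
# Range [-1000,1000], default 0. The smaller number has priority: its rules
# are evaluated first. '10' is an example value.
alb.ingress.kubernetes.io/group.order: '10'

# TRAFFIC LISTENING
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
# Once defined on a single Ingress, it impacts every Ingress within the
# IngressGroup. The redirect target port must be one of the HTTPS listen-ports.
alb.ingress.kubernetes.io/ssl-redirect: '443'

# TRAFFIC ROUTING
alb.ingress.kubernetes.io/load-balancer-name: custom-name
alb.ingress.kubernetes.io/target-type: ip
# Protocol used to reach the backend: HTTP or HTTPS.
# With HTTP, traffic between the ALB and the pods is not encrypted.
alb.ingress.kubernetes.io/backend-protocol: HTTP
# Protocol version used to reach the backend: HTTP1 (default), GRPC or HTTP2.
alb.ingress.kubernetes.io/backend-protocol-version: HTTP1
# Subnet IDs or names are accepted; a name is matched against the Name tag.
alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c

# ACCESS CONTROL
# internal or internet-facing. Keep internal unless public exposure is intended.
alb.ingress.kubernetes.io/scheme: internal
# When this annotation is not present, the controller automatically creates one
# security group. Security group IDs or names are accepted; a name is matched
# against the Name tag.
# NOTE(review): with explicit security groups, check who manages the rules that
# let the ALB reach the nodes/pods (see the controller's
# manage-backend-security-group-rules annotation).
alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2

# AUTHENTICATION (oidc)
alb.ingress.kubernetes.io/auth-type: oidc
# secretName is a Kubernetes Secret in the same namespace as the Ingress that
# holds the OIDC clientID and clientSecret; keep the credentials there, never in
# the annotation itself.
alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://example.com","authorizationEndpoint":"https://authorization.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}'
alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
# Session lifetime in seconds (86400 = 24 hours).
alb.ingress.kubernetes.io/auth-session-timeout: '86400'
alb.ingress.kubernetes.io/auth-session-cookie: auth-service-a

# HEALTH CHECK
alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
alb.ingress.kubernetes.io/healthcheck-path: /ping
# The range is 5-300. Default to 30
alb.ingress.kubernetes.io/healthcheck-interval-seconds: '5'
# The range is 2-120 seconds, default to 6
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '2'
# The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/healthy-threshold-count: '2'
# The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'

# TLS
# Can be discovered automatically, see
# https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/ingress/cert_discovery/
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

# CUSTOM
# All load balancer attributes go into ONE comma-separated value. Repeating the
# annotation key is a duplicate YAML key: most parsers silently keep only the
# last one, which here would drop the access-log settings.
#   access_logs.s3.*      -> enable access logs to S3 (the bucket must already
#                            allow the load balancer to write to it)
#   routing.http2.enabled -> enable HTTP/2 support
alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-access-log-bucket,access_logs.s3.prefix=my-app,routing.http2.enabled=true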
Main Ingress example
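---
# Main Ingress of the group: carries the ALB-wide settings (listeners, scheme,
# security groups, health check, TLS). Child Ingresses join it via group.name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shared-ingress-a
  namespace: default
  annotations:
    # Ingress group
    # Any Ingress in any namespace that sets this group.name attaches rules to
    # the same ALB, so restrict who may create or modify Ingress objects.
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    # Traffic Listening
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Applies to every Ingress in the group once set here.
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # Traffic routing
    alb.ingress.kubernetes.io/load-balancer-name: shared-ingress-a
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c
    # Access control
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2
    # Health check
    # Annotation values must be strings, so the numbers are quoted.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '5'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '2'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    # TLS => should be autodiscovered
    # NOTE(review): presumably this explicit ARN can be dropped once certificate
    # discovery works for the group's hosts; confirm before removing it.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
spec:
  ingressClassName: alb
  # NOTE(review): networking.k8s.io/v1 validation expects `rules` or
  # `defaultBackend` in the spec; this example shows neither, so add one
  # (for example a defaultBackend pointing at <placeholder-service>) before
  # applying it.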
Child Ingress example
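---
# Child Ingress: lives in the service's own namespace and only contributes
# routing rules to the ALB owned by the `shared-ingress-a` group.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service-a
  namespace: my-service-a
  annotations:
    # Joining the group is all it takes to add rules to the shared ALB; whoever
    # can create an Ingress in this namespace can therefore claim hosts and
    # paths on it.
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    # Must be a quoted string; an empty value is parsed as null. Smaller
    # numbers are evaluated first, default is 0. '10' is an example value.
    alb.ingress.kubernetes.io/group.order: '10'
spec:
  ingressClassName: alb
  rules:
    - host: my-service-a.example.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: my-service-a
                port:
                  number: 80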
To replace pushbullet on iphone
If you created a presigned URL by using a temporary token, then the URL expires when the token expires, even if you created the URL with a later expiration time. For more information about how the credentials you use affect the expiration time, see Who can create a presigned URL.
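So, for a service that generates presigned URLs, do you have to use a regular IAM user instead of an IAM role? :-/ Only if the URL has to outlive the role session: a URL signed with role credentials stays valid until that session expires, whereas IAM user access keys are long-lived static credentials that have to be stored and rotated, so prefer the role with a shorter URL lifetime wherever the use case allows it.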