1 change: 0 additions & 1 deletion apis/gateway/v1beta1/loadbalancerconfig_types.go
Expand Up @@ -175,7 +175,6 @@ type ListenerConfiguration struct {

// mutualAuthentication defines the mutual authentication configuration information.
// +optional
// +kubebuilder:default={"mode": "off"}
MutualAuthentication *MutualAuthenticationAttributes `json:"mutualAuthentication,omitempty"`

// listenerAttributes defines the attributes for the listener
2 changes: 0 additions & 2 deletions config/crd/gateway/gateway-crds.yaml
Expand Up @@ -515,8 +515,6 @@ spec:
type: object
type: array
mutualAuthentication:
default:
mode: "off"
description: mutualAuthentication defines the mutual authentication
configuration information.
properties:
Expand Up @@ -117,8 +117,6 @@ spec:
type: object
type: array
mutualAuthentication:
default:
mode: "off"
description: mutualAuthentication defines the mutual authentication
configuration information.
properties:
4 changes: 2 additions & 2 deletions controllers/gateway/addons.go
Expand Up @@ -14,8 +14,8 @@ import (
)

var (
albAddons = []addon.Addon{addon.WAFv2, addon.Shield}
nlbAddons []addon.Addon
albAddons = []addon.Addon{addon.WAFv2, addon.Shield, addon.ProvisionedCapacity}
nlbAddons = []addon.Addon{addon.ProvisionedCapacity}
)

const (
6 changes: 4 additions & 2 deletions controllers/gateway/gateway_controller.go
Expand Up @@ -76,7 +76,7 @@ func newGatewayReconciler(controllerName string, lbType elbv2model.LoadBalancerT
modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, controllerConfig, cloud.EC2(), cloud.ELBV2(), cloud.ACM(), k8sClient, controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, supportedAddons, logger)

stackMarshaller := deploy.NewDefaultStackMarshaller()
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName, true, targetGroupCollector)

cfgResolver := newGatewayConfigResolver()

Expand Down Expand Up @@ -344,7 +344,9 @@ func (r *gatewayReconciler) deployModel(ctx context.Context, gw *gwv1.Gateway, s
return err
}
r.logger.Info("successfully deployed model", "gateway", k8s.NamespacedName(gw))
r.secretsManager.MonitorSecrets(k8s.NamespacedName(gw).String(), secrets)
if r.lbType == elbv2model.LoadBalancerTypeApplication {
r.secretsManager.MonitorSecrets(k8s.NamespacedName(gw).String(), secrets)
}
return nil
}

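Review bot: The bare `true` passed to deploy.NewDefaultStackDeployer in the first hunk is unreadable in a thirteen-argument positional call, and the sibling call sites changed in this commit (controllers/ingress/group_controller.go and controllers/service/service_controller.go) pass `controllerConfig.FeatureGates.Enabled(config.EnhancedDefaultBehavior)` in what looks like the same position, so the gateway controller appears to bypass the gate without saying so. Name the value at the call site, e.g. `enhancedDefaultBehavior := true // Gateway always uses enhanced defaults; intentionally not gated by config.EnhancedDefaultBehavior`, and pass that variable instead of the literal. If bypassing the gate is intended, the EnhancedDefaultBehavior row added to docs/deploy/configurations.md should say it applies to Ingress and Service only, since it currently reads as global. In the second hunk, `r.lbType` is presumably the field set from the `lbType` constructor parameter visible in the first hunk header; confirm that skipping MonitorSecrets for NLB does not leave previously registered secret watches in place for gateways that were monitored before this change. newGatewayReconciler and deployModel both start before and continue after their hunks.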
2 changes: 1 addition & 1 deletion controllers/ingress/group_controller.go
Expand Up @@ -70,7 +70,7 @@ func NewGroupReconciler(cloud services.Cloud, k8sClient client.Client, eventReco
controllerConfig.EnableBackendSecurityGroup, controllerConfig.EnableManageBackendSecurityGroupRules, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger, metricsCollector)
stackMarshaller := deploy.NewDefaultStackMarshaller()
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager,
controllerConfig, ingressTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
controllerConfig, ingressTagPrefix, logger, metricsCollector, controllerName, controllerConfig.FeatureGates.Enabled(config.EnhancedDefaultBehavior), targetGroupCollector)
classLoader := ingress.NewDefaultClassLoader(k8sClient, true)
classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""
2 changes: 1 addition & 1 deletion controllers/service/service_controller.go
Expand Up @@ -55,7 +55,7 @@ func NewServiceReconciler(cloud services.Cloud, k8sClient client.Client, eventRe
controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils,
backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.EnableManageBackendSecurityGroupRules, controllerConfig.DisableRestrictedSGRules, logger, metricsCollector, controllerConfig.FeatureGates.Enabled(config.EnableTCPUDPListenerType))
stackMarshaller := deploy.NewDefaultStackMarshaller()
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger, metricsCollector, controllerName, targetGroupCollector)
stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, serviceTagPrefix, logger, metricsCollector, controllerName, controllerConfig.FeatureGates.Enabled(config.EnhancedDefaultBehavior), targetGroupCollector)
return &serviceReconciler{
k8sClient: k8sClient,
eventRecorder: eventRecorder,
29 changes: 15 additions & 14 deletions docs/deploy/configurations.md
Expand Up @@ -172,18 +172,19 @@ If running on EC2, the default values are obtained from the instance metadata se
### Feature Gates
There are a set of key=value pairs that describe AWS load balancer controller features. You can use it as flags `--feature-gates=key1=value1,key2=value2`

|Features-gate Supported Key | Type | Default Value | Description |
|---------------------------------------|---------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
| EnableServiceController | string | true | Toggles support for `Service` type resources. |
| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
|Features-gate Supported Key | Type | Default Value | Description |
|---------------------------------------|---------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
| EnableServiceController | string | true | Toggles support for `Service` type resources. |
| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
| NLBSecurityGroup | string | true | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications. This same behavior is able to be applied to an individual service by using the annotation `aws-load-balancer-disable-nlb-sg` |
| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
| EnhancedDefaultBehavior | string | false | Enable this feature to allow the controller to remove Provisioned Capacity or mTLS settings by removing the corresponding annotation. |
2 changes: 0 additions & 2 deletions helm/aws-load-balancer-controller/crds/gateway-crds.yaml
Expand Up @@ -515,8 +515,6 @@ spec:
type: object
type: array
mutualAuthentication:
default:
mode: "off"
description: mutualAuthentication defines the mutual authentication
configuration information.
properties:
1 change: 1 addition & 0 deletions helm/aws-load-balancer-controller/values.yaml
Expand Up @@ -375,6 +375,7 @@ controllerConfig:
# NLBHealthCheckAdvancedConfig: true
# ALBSingleSubnet: false
# LBCapacityReservation: true
# EnhancedDefaultBehavior: false

certDiscovery:
allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope
7 changes: 4 additions & 3 deletions pkg/addon/addon.go
Expand Up @@ -3,12 +3,13 @@ package addon
type Addon string

const (
WAFv2 Addon = "WAFv2"
Shield Addon = "Shield"
WAFv2 Addon = "WAFv2"
Shield Addon = "Shield"
ProvisionedCapacity Addon = "ProvisionedCapacity"
)

var (
AllAddons = []Addon{WAFv2, Shield}
AllAddons = []Addon{WAFv2, Shield, ProvisionedCapacity}
)

type AddonMetadata struct {
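Review bot: The new exported constant `ProvisionedCapacity` has no doc comment, and neither does the `Addon` type it belongs to, so a reader of this file cannot tell what the addon represents or which load balancer types it applies to; WAFv2 and Shield were already undocumented, but this is the right moment to start. Suggest `// ProvisionedCapacity is the provisioned capacity addon; it is listed for both ALB and NLB in controllers/gateway/addons.go.` above the constant, and `// AllAddons lists every addon the controller knows about; keep it in sync with the per-controller lists.` above the var block.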
2 changes: 2 additions & 0 deletions pkg/config/feature_gates.go
Expand Up @@ -27,6 +27,7 @@ const (
SubnetDiscoveryByReachability Feature = "SubnetDiscoveryByReachability"
NLBGatewayAPI Feature = "NLBGatewayAPI"
ALBGatewayAPI Feature = "ALBGatewayAPI"
EnhancedDefaultBehavior Feature = "EnhancedDefaultBehavior"
)

type FeatureGates interface {
Expand Down Expand Up @@ -70,6 +71,7 @@ func NewFeatureGates() FeatureGates {
NLBGatewayAPI: false,
ALBGatewayAPI: false,
EnableTCPUDPListenerType: false,
EnhancedDefaultBehavior: false,
},
}
}
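Review bot: The new `EnhancedDefaultBehavior` constant in the first hunk has no doc comment, and nothing in this file tells a reader what the gate changes; the neighbouring constants follow the same pattern, but according to the docs row added in this commit this gate turns an annotation removal into the removal of Provisioned Capacity or mTLS settings on a live load balancer, which is worth stating at the declaration. Suggest `// EnhancedDefaultBehavior, when enabled, lets the controller remove Provisioned Capacity or mTLS settings when the corresponding annotation is removed. Off by default so existing clusters keep their current behavior.` The `false` default in the second hunk is consistent with the docs table and the helm values.yaml comment added in this commit.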