Ingress rule is not added to ALB when using ingress group in multi-ingress

[xiangyanw]

Bug Description

I am using ingress group feature to share one ALB for multiple ingresses in different. The ingress rule of my second ingress is not updated to ALB if I only configure the alb.ingress.kubernetes.io/group.name in the second ingress. It is working well if I configure exactly same annotations in both ingresses.

Steps to Reproduce

• Step-by-step guide to reproduce the bug:
  Deploy two ingresses in two different namespaces.
• Manifests applied while reproducing the issue:

#First ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-northeast-1:xxxx:certificate/xxxx
    alb.ingress.kubernetes.io/group.name: xxx-dev-test
    alb.ingress.kubernetes.io/inbound-cidrs: x.x.x.x/32
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=60,client_keep_alive.seconds=60
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/tags: Environment=Dev
    alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=60
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
  labels:
    ...
  name: xxx
  namespace: xxx-dev
spec:
  rules:
  - host: dev-xxx.example.com
    http:
      paths:
      - backend:
          service:
            name: xxx
            port:
              number: 80
        path: /
        pathType: Prefix
#Second ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/group.name: xxx-dev-test
  labels:
    ...
  name: xxx
  namespace: xxx-dev3
spec:
  rules:
  - host: dev3-xxx.example.com
    http:
      paths:
      - backend:
          service:
            name: xxx
            port:
              number: 80
        path: /
        pathType: Prefix

• Controller logs/error messages while reproducing the issue:

Expected Behavior

Rules of both ingresses are added to ALB.

Actual Behavior

Only the rule of the first ingess is added to ALB.

Regression
Was the functionality working correctly in a previous version ? No, this is a new setup.

Current Workarounds

Configure the exact same (full) annotations for both ingresses.

Environment

• AWS Load Balancer controller version: v2.8.1
• Kubernetes version: 1.31
• Using EKS (yes/no), if so version?: 1.31
• Using Service or Ingress: Ingress
• AWS region: ap-northeast-1
• How was the aws-load-balancer-controller installed: helm
  • If helm was used then please show output of helm ls -A | grep -i aws-load-balancer-controller
    aws-load-balancer-controller kube-system 1 2024-08-05 02:41:05.933649033 +0000 UTC deployed aws-load-balancer-controller-1.8.1 v2.8.1
  • If helm was used then please show output of helm -n <controllernamespace> get values <helmreleasename>
    clusterName: xxx-xxx
    enableShield: false
    enableWaf: false
    enableWafv2: false
    region: ap-northeast-1
    serviceAccount:
    create: false
    name: aws-load-balancer-controller
    vpcId: vpc-xxxx
• Current state of the Controller configuration:
  • kubectl -n <controllernamespace> describe deployment aws-load-balancer-controller
• Current state of the Ingress/Service configuration:
  • kubectl describe ingressclasses
    Name: alb
    Labels:
    Annotations: ingressclass.kubernetes.io/is-default-class: true
    Controller: ingress.k8s.aws/alb
    Events:
  • kubectl -n <appnamespace> describe ingress <ingressname>
  • kubectl -n <appnamespace> describe svc <servicename>

Possible Solution (Optional)

Contribution Intention (Optional)

• Yes, I'm willing to submit a PR to fix this issue
• No, I cannot work on a PR at this time

Additional Context

[shraddhabang]

I see you are using SSl-Redirect in your first ingress. hence the HTTP:80 port must be having a redirect rule on your ALB. Can you confirm this?

[xiangyanw]

No, there is no HTTP:80 port in my ALB.

[wweiwei-li]

Hey,

1. If your question is about the ingress rule of your second ingress is not being updated to ALB when you only configure the alb.ingress.kubernetes.io/group.name in the first ingress - this is expected behavior, you need to add it to all ingresses so their rules will be configured into one ALB.

2. If your question is why there is no HTTP:80 listener. Can you share the complete view of your ingress two annotations. I suspect you added certs so it will create an https :443.

https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#listen-ports

defaults to '[{"HTTP": 80}]' or '[{"HTTPS": 443}]' depending on whether certificate-arn is specified.

[xiangyanw]

My question is the first one. But my understanding is that "Exclusive" behaviors could be set on a single Ingress. Please clarify if otherwise.

AWS Load Balancer Controller Guide: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/

Secondly, if what you said is the case, what will happen in the middle when I am updating an annotation on all these ingress one by one? (I mean I can't guarantee to update them all at exactly the same time.)