Merge pull request #4308 from 1ms-ms/feature/add-ssl-redirect-param

k8s-ci-robot · web-flow · commit 7b76760ede87 · 2025-08-26T13:58:09.000-07:00
feature: add ssl redirect port to IngressClassParams
diff --git a/apis/elbv2/v1beta1/ingressclassparams_types.go b/apis/elbv2/v1beta1/ingressclassparams_types.go
@@ -144,7 +144,11 @@ type IngressClassParamsSpec struct {
 
 	// SSLPolicy specifies the SSL Policy for all Ingresses that belong to IngressClass with this IngressClassParams.
 	// +optional
-	SSLPolicy string `json:"sslPolicy,omitEmpty"`
+	SSLPolicy string `json:"sslPolicy,omitempty"`
+
+	// SSLRedirectPort specifies the SSL Redirect Port for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	SSLRedirectPort string `json:"sslRedirectPort,omitempty"`
 
 	// Subnets defines the subnets for all Ingresses that belong to IngressClass with this IngressClassParams.
 	// +optional
diff --git a/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml b/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
@@ -230,6 +230,10 @@ spec:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.
                 type: string
+              sslRedirectPort:
+                description: SSLRedirectPort specifies the SSL Redirect Port for all
+                  Ingresses that belong to IngressClass with this IngressClassParams.
+                type: string
               subnets:
                 description: Subnets defines the subnets for all Ingresses that belong
                   to IngressClass with this IngressClassParams.
diff --git a/docs/guide/ingress/ingress_class.md b/docs/guide/ingress/ingress_class.md
@@ -174,6 +174,15 @@ You can use IngressClassParams to enforce settings for a set of Ingresses.
     spec:
       targetType: ip
     ```
+  - with sslRedirectPort
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+      name: class2048-config
+    spec:
+      sslRedirectPort: '443'
+    ```
     - with IPv4IPAMPoolId
     ```
     apiVersion: elbv2.k8s.aws/v1beta1
@@ -281,9 +290,15 @@ If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/certif
 
 #### spec.sslPolicy
 
-Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belong to this IngressClass.
+Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belongs to this IngressClass.
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-policy` annotation.
 
+#### spec.sslRedirectPort
+
+Cluster administrators can use the optional `sslRedirectPort` field to specify the SSL redirect port for the load balancers that belongs to this IngressClass.
+If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-redirect` annotation.
+
+
 #### spec.subnets
 
 Cluster administrators can use the optional `subnets` field to specify the subnets for the load balancers that belong to this IngressClass.
diff --git a/helm/aws-load-balancer-controller/crds/crds.yaml b/helm/aws-load-balancer-controller/crds/crds.yaml
@@ -229,6 +229,10 @@ spec:
                 description: SSLPolicy specifies the SSL Policy for all Ingresses
                   that belong to IngressClass with this IngressClassParams.
                 type: string
+              sslRedirectPort:
+                description: SSLRedirectPort specifies the SSL Redirect Port for all
+                  Ingresses that belong to IngressClass with this IngressClassParams.
+                type: string
               subnets:
                 description: Subnets defines the subnets for all Ingresses that belong
                   to IngressClass with this IngressClassParams.
diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go
@@ -458,6 +458,15 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 func (t *defaultModelBuildTask) buildSSLRedirectConfig(ctx context.Context, listenPortConfigByPort map[int32]listenPortConfig) (*SSLRedirectConfig, error) {
 	explicitSSLRedirectPorts := sets.Int32{}
 	for _, member := range t.ingGroup.Members {
+		if member.IngClassConfig.IngClassParams != nil && member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort != "" {
+			sslRedirectPort, err := strconv.ParseInt(member.IngClassConfig.IngClassParams.Spec.SSLRedirectPort, 10, 32)
+			if err != nil {
+				return nil, nil
+			}
+			explicitSSLRedirectPorts.Insert(int32(sslRedirectPort))
+			continue
+		}
+
 		var rawSSLRedirectPort int32
 		exists, err := t.annotationParser.ParseInt32Annotation(annotations.IngressSuffixSSLRedirect, &rawSSLRedirectPort, member.Ing.Annotations)
 		if err != nil {
diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go
@@ -4972,6 +4972,69 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 			},
 			wantErr: nil,
 		},
+		{
+			name: "single Ingress with IngressClassParam for ssl-redirect",
+			fields: fields{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										SSLRedirectPort: "443",
+									},
+								},
+							},
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-1",
+								Name:      "ing-1",
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: "svc-1",
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			args: args{
+				listenPortConfigByPort: map[int32]listenPortConfig{
+					80: {
+						protocol: elbv2model.ProtocolHTTP,
+					},
+					443: {
+						protocol: elbv2model.ProtocolHTTPS,
+					},
+				},
+			},
+			want: &SSLRedirectConfig{
+				SSLPort:    443,
+				StatusCode: "HTTP_301",
+			},
+			wantErr: nil,
+		},
 		{
 			name: "single Ingress with ssl-redirect annotation but refer non-exists port",
 			fields: fields{
@@ -5258,6 +5321,199 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 			},
 			wantErr: nil,
 		},
+		{
+			name: "multiple Ingress with one IngressClassParam for ssl-redirect",
+			fields: fields{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										SSLRedirectPort: "443",
+									},
+								},
+							},
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "ns-1",
+								Name:        "ing-1",
+								Annotations: map[string]string{},
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: "svc-1",
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+						{
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-2",
+								Name:      "ing-2",
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-2",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: "svc-2",
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			args: args{
+				listenPortConfigByPort: map[int32]listenPortConfig{
+					80: {
+						protocol: elbv2model.ProtocolHTTP,
+					},
+					443: {
+						protocol: elbv2model.ProtocolHTTPS,
+					},
+				},
+			},
+			want: &SSLRedirectConfig{
+				SSLPort:    443,
+				StatusCode: "HTTP_301",
+			},
+			wantErr: nil,
+		},
+		{
+			name: "multiple Ingress with SSLRedirectPort defined by both annotation and IngressClassParams",
+			fields: fields{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										SSLRedirectPort: "443",
+									},
+								},
+							},
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace:   "ns-1",
+								Name:        "ing-1",
+								Annotations: map[string]string{},
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: "svc-1",
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+						{
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-2",
+								Name:      "ing-2",
+								Annotations: map[string]string{
+									"alb.ingress.kubernetes.io/ssl-redirect": "443",
+								},
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-2",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: "svc-2",
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			args: args{
+				listenPortConfigByPort: map[int32]listenPortConfig{
+					80: {
+						protocol: elbv2model.ProtocolHTTP,
+					},
+					443: {
+						protocol: elbv2model.ProtocolHTTPS,
+					},
+				},
+			},
+			want: &SSLRedirectConfig{
+				SSLPort:    443,
+				StatusCode: "HTTP_301",
+			},
+			wantErr: nil,
+		},
 		{
 			name: "multiple Ingress with same ssl-redirect annotation",
 			fields: fields{
