WIP: Add Application Load Balancer Controller Manager

[kamilprzybyl]

How to categorize this PR?

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Breaking changes:

[ske-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign timebertt for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Adi146]

might be good to create separate examples for that

[Adi146]

does this work with * host matcher?

[Adi146]

do we really want to delete certificates? That could be very dangerous as users might just not associate the certificate anymore and want to keep it.

[kamilprzybyl]

Each Ingress TLS secret reference is mapped to a unique ALB Certificate resource. Even if multiple Ingresses reference the same k8s Secret, they will each trigger the creation of a separate, independent certificate on the ALB. That means, deleting one Ingress (and its associated ALB Certificate) does not impact the certificates still being used by other Ingresses.

[Adi146]

isn't that already handled by the certificate api?

[kamilprzybyl]

The Cert API only checks if the public and private keys are matching + if the certificate is a valid X.509 format but it does not reject incomplete chains.

Renamed the function from isCertValid to isCertReady and clarified the function in the comment above.

[ske-prow]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[fischerman]

It doesn't make sense to pass albIngressList if it is always empty.

[kamilprzybyl]

You're right, passing an empty list is useless. And with that, the controller does not clean up certificates properly as the list is always empty.

Removed the redundant ingresses parameter from handleIngressClassWithoutIngresses since it was always empty. Updated cleanupCerts to identify and delete certificates using the IngressClass UID prefix, ensuring orphaned certificates are properly removed even when no Ingress resources exist.

[kamilprzybyl]

We currently only delete certificates when the IngressClass is deleted or no Ingress references the IngressClass.
We need to add logic to clean up certificates that are no longer referenced by active Ingresses.

[ske-prow]

@kamilprzybyl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cloud-provider-stackit-verify	3ad18ef	link	true	/test pull-cloud-provider-stackit-verify

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see the gardener testing guideline for how to avoid and hunt flakes.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.