feat: ALB Ingress allow http10 support

Closes:.
commit_hash:8e20454fd8a53b4d80f1668a2901b47a0ae704dc

Author: vaniog

.changes/v0.2.26.md

@@ -0,0 +1,3 @@
+## v0.2.26 - October 13, 2025
+### Added
+* ingress.alb.yc.io/allow-http10 annotation

.mapping.json

@@ -13,6 +13,7 @@
   ".changes/v0.2.23.md":"opensource/yc-alb-ingress-controller/.changes/v0.2.23.md",
   ".changes/v0.2.24.md":"opensource/yc-alb-ingress-controller/.changes/v0.2.24.md",
   ".changes/v0.2.25.md":"opensource/yc-alb-ingress-controller/.changes/v0.2.25.md",
+  ".changes/v0.2.26.md":"opensource/yc-alb-ingress-controller/.changes/v0.2.26.md",
   ".changie.yaml":"opensource/yc-alb-ingress-controller/.changie.yaml",
   ".env.example":"opensource/yc-alb-ingress-controller/.env.example",
   ".gitignore":"opensource/yc-alb-ingress-controller/.gitignore",

CHANGELOG.md

@@ -1,6 +1,10 @@
 # Changelog
 
 
+## v0.2.26 - October 13, 2025
+### Added
+* ingress.alb.yc.io/allow-http10 annotation
+
 ## v0.2.25 - August 29, 2025
 ### Fixed
 * GRPCBackendGroup creation triggers services reconciliation now

pkg/builders/options.go

@@ -13,7 +13,12 @@ type ListenerOptions struct {
 	Addresses []*apploadbalancer.Address
 }
 
+type HandlerOptions struct {
+	AllowHTTP10 bool
+}
+
 type Options struct {
 	BalancerOptions
 	ListenerOptions
+	HandlerOptions
 }

pkg/builders/resolvers.go

@@ -50,6 +50,10 @@ func (r *Resolvers) AutoScalePolicy() *AutoScalePolicyResolver {
 	return &AutoScalePolicyResolver{}
 }
 
+func (r *Resolvers) AllowHTTP10() *AllowHTTP10Resolver {
+	return &AllowHTTP10Resolver{}
+}
+
 func (r *Resolvers) RouteOpts() RouteOptsResolver {
 	return RouteOptsResolver{}
 }
@@ -482,6 +486,44 @@ func (r *AutoScalePolicyResolver) Result() *apploadbalancer.AutoScalePolicy {
 	return p
 }
 
+type AllowHTTP10Resolver struct {
+	AllowHTTP10 *bool
+}
+
+func (r *AllowHTTP10Resolver) Resolve(allowHTTP10 string) error {
+	if allowHTTP10 == "" {
+		return nil
+	}
+
+	newAllowHTTP10 := false
+	switch allowHTTP10 {
+	case "true":
+		newAllowHTTP10 = true
+	case "false":
+		newAllowHTTP10 = false
+	default:
+		return fmt.Errorf("unsupported value for allow http10: %s", allowHTTP10)
+	}
+
+	if r.AllowHTTP10 == nil {
+		r.AllowHTTP10 = &newAllowHTTP10
+		return nil
+	}
+
+	if *r.AllowHTTP10 != newAllowHTTP10 {
+		return fmt.Errorf("different values provided for allow http10: %t, %t", *r.AllowHTTP10, newAllowHTTP10)
+	}
+
+	return nil
+}
+
+func (r *AllowHTTP10Resolver) Result() bool {
+	if r.AllowHTTP10 == nil {
+		return false
+	}
+	return *r.AllowHTTP10
+}
+
 type RouteOptsResolver struct{}
 
 func (r RouteOptsResolver) Resolve(

pkg/builders/snimatches.go

@@ -13,6 +13,7 @@ type HandlerBuilder struct {
 	names *metadata.Names
 	tag   string
 
+	opts HandlerOptions
 	// keep the order in which hosts are fed to this builder so that map randomization shouldn't cause updates
 	hostsOrder []string
 	// collect certificates per host and ensure no duplicated hosts
@@ -21,6 +22,10 @@ type HandlerBuilder struct {
 	hostAndCerts map[hostAndCert]struct{}
 }
 
+func (b *HandlerBuilder) AddHandlerOptions(opts HandlerOptions) {
+	b.opts = opts
+}
+
 func (b *HandlerBuilder) AddCertificate(hosts []string, certID string) {
 	for _, host := range hosts {
 		certsForHost, ok := b.certs[host]
@@ -43,7 +48,7 @@ func (b *HandlerBuilder) Build() []*apploadbalancer.SniMatch {
 		sniName := b.names.SNIMatchForHost(b.tag, host)
 		sniHandler := &apploadbalancer.TlsHandler{
 			Handler: &apploadbalancer.TlsHandler_HttpHandler{
-				HttpHandler: &apploadbalancer.HttpHandler{},
+				HttpHandler: BuildHTTPHandler(b.opts),
 			},
 			CertificateIds: certificateIDs,
 		}
@@ -55,3 +60,11 @@ func (b *HandlerBuilder) Build() []*apploadbalancer.SniMatch {
 	}
 	return ret
 }
+
+func BuildHTTPHandler(opts HandlerOptions) *apploadbalancer.HttpHandler {
+	handler := &apploadbalancer.HttpHandler{}
+	if opts.AllowHTTP10 {
+		handler.ProtocolSettings = &apploadbalancer.HttpHandler_AllowHttp10{AllowHttp10: true}
+	}
+	return handler
+}

pkg/builders/snimatches_test.go

@@ -16,9 +16,10 @@ import (
 
 func TestSNIMatches(t *testing.T) {
 	testData := []struct {
-		desc     string
-		tlsItems []*v1.IngressTLS
-		exp      []*apploadbalancer.SniMatch
+		desc        string
+		handlerOpts HandlerOptions
+		tlsItems    []*v1.IngressTLS
+		exp         []*apploadbalancer.SniMatch
 	}{
 		{
 			desc: "OK",
@@ -65,6 +66,30 @@ func TestSNIMatches(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "OK with allow http1.0",
+			tlsItems: []*v1.IngressTLS{
+				{
+					Hosts:      []string{"example1.com"},
+					SecretName: "XXX1",
+				},
+			},
+			handlerOpts: HandlerOptions{AllowHTTP10: true},
+			exp: []*apploadbalancer.SniMatch{
+				{
+					Name:        "sni-1954a6fc86a55a010c3c8e48f0603e956a6054ec",
+					ServerNames: []string{"example1.com"},
+					Handler: &apploadbalancer.TlsHandler{
+						Handler: &apploadbalancer.TlsHandler_HttpHandler{
+							HttpHandler: &apploadbalancer.HttpHandler{
+								ProtocolSettings: &apploadbalancer.HttpHandler_AllowHttp10{AllowHttp10: true},
+							},
+						},
+						CertificateIds: []string{"XXX1"},
+					},
+				},
+			},
+		},
 		{
 			desc: "duplicated host+cert pair",
 			tlsItems: []*v1.IngressTLS{
@@ -123,6 +148,7 @@ func TestSNIMatches(t *testing.T) {
 			f := NewFactory("my-folder", "", &metadata.Names{ClusterID: "my-cluster"}, &metadata.Labels{ClusterID: "my-cluster"}, nil, tgRepo)
 
 			b := f.HandlerBuilder(tag)
+			b.AddHandlerOptions(tc.handlerOpts)
 			for _, tls := range tc.tlsItems {
 				b.AddCertificate(tls.Hosts, tls.SecretName)
 			}

pkg/k8s/annotations.go

@@ -23,6 +23,8 @@ const (
 	InternalIPv4Address = prefix + "/internal-ipv4-address"
 	InternalALBSubnet   = prefix + "/internal-alb-subnet"
 
+	AllowHTTP10 = prefix + "/allow-http10"
+
 	RequestTimeout = prefix + "/request-timeout"
 	IdleTimeout    = prefix + "/idle-timeout"
 	PrefixRewrite  = prefix + "/prefix-rewrite"

pkg/reconcile/ingressgroup_engine_builder.go

@@ -56,7 +56,7 @@ func NewDefaultDataBuilder(
 }
 
 // TODO: включать/выключать трафик в зоне - ?
-// TODO: httpHandler -> Http2Options, AllowHttp10 ?
+// TODO: httpHandler -> Http2Options ?
 func (d *DefaultEngineBuilder) Build(ctx context.Context, g *k8s.IngressGroup, settings *v1alpha1.IngressGroupSettings) (*IngressGroupEngine, error) {
 	if len(g.Items) == 0 {
 		return d.newIngressGroupEngine(nil), nil
@@ -75,6 +75,10 @@ func (d *DefaultEngineBuilder) Build(ctx context.Context, g *k8s.IngressGroup, s
 	if err != nil {
 		return nil, fmt.Errorf("failed to build auto scale policy: %w", err)
 	}
+	allowHTTP10, err := d.allowHTTP10(g)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build allow http10: %w", err)
+	}
 
 	opts := builders.Options{
 		BalancerOptions: builders.BalancerOptions{
@@ -86,15 +90,18 @@ func (d *DefaultEngineBuilder) Build(ctx context.Context, g *k8s.IngressGroup, s
 		ListenerOptions: builders.ListenerOptions{
 			Addresses: addresses,
 		},
+		HandlerOptions: builders.HandlerOptions{
+			AllowHTTP10: allowHTTP10,
+		},
 	}
 
 	b := builders.Data{}
 	b.HTTPRouter, b.TLSRouter, err = d.buildVirtualHosts(g)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build virtual hosts: %w", err)
 	}
-	b.Handler = d.buildHTTPHandler(g)
-	b.SNIMatches, err = d.buildSNIMatches(ctx, g)
+	b.Handler = builders.BuildHTTPHandler(opts.HandlerOptions)
+	b.SNIMatches, err = d.buildSNIMatches(ctx, g, opts.HandlerOptions)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build sni matches: %w", err)
 	}
@@ -149,6 +156,17 @@ func (d *DefaultEngineBuilder) autoScalePolicy(g *k8s.IngressGroup) (*apploadbal
 	return resolver.Result(), nil
 }
 
+func (d *DefaultEngineBuilder) allowHTTP10(g *k8s.IngressGroup) (bool, error) {
+	resolver := d.resolvers.AllowHTTP10()
+	for _, ing := range g.Items {
+		err := resolver.Resolve(ing.GetAnnotations()[k8s.AllowHTTP10])
+		if err != nil {
+			return false, fmt.Errorf("failed to resolve allow http10: %w", err)
+		}
+	}
+	return resolver.Result(), nil
+}
+
 func (d *DefaultEngineBuilder) routeOpts(ing networking.Ingress) (builders.RouteResolveOpts, error) {
 	r := d.resolvers.RouteOpts()
 	annotations := ing.GetAnnotations()
@@ -475,8 +493,10 @@ func (d *DefaultEngineBuilder) buildVirtualHosts(g *k8s.IngressGroup) (*builders
 	return httpVHBuilder.Build(), tlsVHBuilder.Build(), nil
 }
 
-func (d *DefaultEngineBuilder) buildSNIMatches(ctx context.Context, g *k8s.IngressGroup) ([]*apploadbalancer.SniMatch, error) {
+func (d *DefaultEngineBuilder) buildSNIMatches(ctx context.Context, g *k8s.IngressGroup, opts builders.HandlerOptions) ([]*apploadbalancer.SniMatch, error) {
 	b := d.factory.HandlerBuilder(g.Tag)
+	b.AddHandlerOptions(opts)
+
 	for _, ing := range g.Items {
 		for _, tls := range ing.Spec.TLS {
 			if strings.HasPrefix(tls.SecretName, k8s.CertIDPrefix) {
@@ -506,10 +526,6 @@ func (d *DefaultEngineBuilder) buildSNIMatches(ctx context.Context, g *k8s.Ingre
 	return b.Build(), nil
 }
 
-func (d *DefaultEngineBuilder) buildHTTPHandler(_ *k8s.IngressGroup) *apploadbalancer.HttpHandler {
-	return &apploadbalancer.HttpHandler{}
-}
-
 func (d *DefaultEngineBuilder) buildBalancer(handler *apploadbalancer.HttpHandler, matches []*apploadbalancer.SniMatch, logOpts *apploadbalancer.LogOptions,
 	tag string, opts builders.Options,
 ) *apploadbalancer.LoadBalancer {