listener-attributes don't work when header value is comma separated #4363
Description
Bug Description
listener-attributes doesn't work when the header_value is comma separated
Steps to Reproduce
Add this to the Ingress YAML:
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value=*,
routing.http.response.access_control_allow_methods.header_value="GET,POST,OPTIONS",
routing.http.response.access_control_allow_headers.header_value="Content-Type,Authorization"❌ Then it doesn't work.
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value=*,
routing.http.response.access_control_allow_methods.header_value=GET\,OPTIONS,
routing.http.response.access_control_allow_headers.header_value=Content-Type\,Authorization❌ Also doesn't work.
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value=*,
routing.http.response.access_control_allow_methods.header_value=GET,OPTIONS,
routing.http.response.access_control_allow_headers.header_value=Content-Type,Authorization❌ Not working at all.
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value=[*],
routing.http.response.access_control_allow_methods.header_value=[GET,OPTIONS],
routing.http.response.access_control_allow_headers.header_value=[Content-Type,Authorization]❌ A long shot, but doesn't work.
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value='*',
routing.http.response.access_control_allow_methods.header_value='GET,POST,OPTIONS',
routing.http.response.access_control_allow_headers.header_value='Content-Type,Authorization'❌ Nope.
alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: >-
routing.http.response.access_control_allow_origin.header_value=*,
routing.http.response.access_control_allow_methods.header_value=GET,
routing.http.response.access_control_allow_headers.header_value=Content-Type✅ Works fine.
Expected Behaviour
The Ingress controller modifies the listener to include the wanted changes in the attributes.
Actual Behaviour
Ingress controller gives an error:
Failed build model due to failed to parse stringMap annotation, alb.ingress.kubernetes.io/listener-attributes.HTTPS-443: routing.http.response.access_control_allow_origin.header_value=*, routing.http.response.access_control_allow_methods.header_value="GET,POST,OPTIONS", routing.http.response.access_control_allow_headers.header_value="Content-Type,Authorization"
Regression
Was the functionality working correctly in a previous version?
No.
Current Workarounds
Only select one option for the attribute when offered multiple, or don't modify the attribute at all.
Environment
- AWS Load Balancer controller version: 2.13.2
- Kubernetes version: 1.31
- Using EKS, if so version?: 1.31
- Using Service or Ingress: Ingress
- AWS region: eu-west-1
- How was the aws-load-balancer-controller installed:
2025-07-02 13:57:27.574198292 +0200 CEST deployed aws-load-balancer-controller-1.13.2 v2.13.2