Skip to content

Implement support for URL and Host Header Rewrite for Application Load Balancer #4396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2025
Merged

Implement support for URL and Host Header Rewrite for Application Load Balancer #4396

merged 1 commit into from
Oct 17, 2025
+2,769 −117

Conversation

andreybutenko
Copy link
Contributor

Implement support for URL and Host Header Rewrite for Application Load Balancer

Motivation

This PR adds AWS Load Balancer Controller support for 1/ URL and Host Header Rewrite, and 2/ regex rule conditions.

Usage in LBC

Transforms

Added alb.ingress.kubernetes.io/transforms.${transforms-name} annotation, which provides a method for specifying transforms on Ingress spec.

Example transform to remove the leading /api/ from request paths:

alb.ingress.kubernetes.io/transforms.my-service: >
    [
        {
            "type": "url-rewrite",
            "urlRewriteConfig": {
                "rewrites": [
                    {
                        "regex": "^\\/api\\/(.+)$",
                        "replace": "/$1"
                    }
                ]
            }
        }
    ]

Example transform to replace example.com with example.org from request host headers:

alb.ingress.kubernetes.io/transforms.my-service: >
    [
        {
            "type": "host-header-rewrite",
            "hostHeaderRewriteConfig": {
                "rewrites": [
                    {
                        "regex": "^(.+)\\.example\\.com$",
                        "replace": "$1.example.org"
                    }
                ]
            }
        }
    ]

Regex rule conditions (annotations)

Extended alb.ingress.kubernetes.io/conditions.${conditions-name} to support new regexValues property.

HTTP header condition using regex values:

alb.ingress.kubernetes.io/conditions.my-service: >
    [{ "field": "http-header", "httpHeaderConfig": { "httpHeaderName": "User-Agent", "regexValues": [ ".+Chrome.+" ] } }]

Path condition using regex values:

alb.ingress.kubernetes.io/conditions.my-service: >
    [{ "field": "path-pattern", "pathPatternConfig": { "regexValues": [ "^/api/?(.*)$" ] } }]

Host header condition using regex values:

alb.ingress.kubernetes.io/conditions.my-service: >
    [{ "field": "host-header", "hostHeaderConfig": { "regexValues": [ "^(.+)\\.example\\.com" ] } }]

Regex rule conditions (ingress spec)

Added alb.ingress.kubernetes.io/use-regex-path-match annotation, which configures whether HTTP paths in the Ingress specification should be evaluated using regex.

  • This configuration only applies to HTTP paths using pathType: ImplementationSpecific. HTTP paths using pathType: Exact or pathType: Prefix are not affected by this annotation.
  • A leading / must precede the regex. The leading / will be removed from the regex.

Annotation:

alb.ingress.kubernetes.io/use-regex-path-match: "true"

Ingress rule path:

-   path: "/^/api/(.+)$"
    pathType: ImplementationSpecific
    backend:
        service:
        name: service-2048
        port:
            number: 80

With this configuration, the rule condition regex value will be ^/api/(.+)$ as the leading / is removed from the regex.

Details

  • Implement support for RegexValues in conditions annotation
  • Implement support for RegexValues in ingress spec paths
    • Add alb.ingress.kubernetes.io/use-regex-path-match annotation
    • Update buildPathPatternsForImplementationSpecificPathType to treat spec path as regex when annotation is "true"
  • Implement transforms annotation
    • Implement buildTransforms to get transforms from transforms.${svc-name} annotation
    • Implement buildSDKTransforms to marshall transforms
    • Add interface for transforms model
    • Update enhanced backend, ListenerRuleManager, buildListenerRules, matchResAndSDKListenerRules to handle transforms
    • Rename resLRDesiredActionsAndConditionsPair to resLRDesiredRuleConfig, extend to support transforms property
    • Update matchResAndSDKListenerRules and related helpers to support transforms property
    • Implement CompareOptionForTransform to compare transforms objects
    • Add and update unit tests
  • Misc
    • Add documentation for URL Rewrite
    • Add client-side validation to prevent mixing Values and RegexValues for host-name and path-pattern conditions
    • Remove leading slash from regex rule path
    • Implement host regex value support

Issues

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
    • Previously did manual tests, doing some more final testing now
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 16, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @andreybutenko. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 16, 2025
@zac-nixon
Copy link
Collaborator

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 16, 2025
shraddhabang
shraddhabang approved these changes Oct 16, 2025
View reviewed changes
Copy link
Collaborator

@shraddhabang shraddhabang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 16, 2025
@andreybutenko
Copy link
Contributor Author

Looking at test failures

@andreybutenko
Implement support for URL and Host Header Rewrite for Application Loa…
08cbc9d 
…d Balancer

* Implement support for RegexValues in conditions annotation
* Implement support for RegexValues in ingress spec paths
    * Add `alb.ingress.kubernetes.io/use-regex-path-match` annotation
    * Update `buildPathPatternsForImplementationSpecificPathType` to treat spec path as regex when annotation is "true"
* Implement transforms annotation
    * Implement `buildTransforms` to get transforms from `transforms.${svc-name}` annotation
    * Implement `buildSDKTransforms` to marshall transforms
    * Add interface for transforms model
    * Update enhanced backend, `ListenerRuleManager`, `buildListenerRules`, `matchResAndSDKListenerRules` to handle transforms
    * Rename `resLRDesiredActionsAndConditionsPair` to `resLRDesiredRuleConfig`, extend to support transforms property
    * Update `matchResAndSDKListenerRules` and related helpers to support transforms property
    * Implement `CompareOptionForTransform` to compare transforms objects
    * Add and update unit tests
* Misc
    * Add documentation for URL Rewrite
    * Add client-side validation to prevent mixing Values and RegexValues for host-name and path-pattern conditions
    * Remove leading slash from regex rule path
    * Implement host regex value support
@andreybutenko andreybutenko force-pushed the 2025-10-16-public-url-rewrite-rebase branch from 5ab8fb1 to 08cbc9d Compare October 16, 2025 22:52
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 16, 2025
zac-nixon
zac-nixon approved these changes Oct 17, 2025
View reviewed changes
Copy link
Collaborator

@zac-nixon zac-nixon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 17, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreybutenko, shraddhabang, zac-nixon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [shraddhabang,zac-nixon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit acc95aa into kubernetes-sigs:main Oct 17, 2025
9 checks passed
@zac-nixon zac-nixon mentioned this pull request Oct 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zac-nixon zac-nixon zac-nixon approved these changes

@shraddhabang shraddhabang shraddhabang approved these changes

@oliviassss oliviassss Awaiting requested review from oliviassss

Assignees

@zac-nixon zac-nixon

@shraddhabang shraddhabang

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@andreybutenko @k8s-ci-robot @zac-nixon @shraddhabang