The alb module

The alb module implements an Application Load Balancer (ALB) and allows you to publish applications through Kubernetes Gateway API. It deploys and configures the infrastructure for receiving and routing external requests, and also verifies the user configuration of the Gateway API.

The module supports:

• automatically creating and flexibly configuring infrastructure for Gateway objects (a service resource for configuring the traffic entry point into the cluster);
• handling incoming requests with ListenerSet objects (a custom resource);
• routing incoming requests with HTTPRoute, GRPCRoute, TCPRoute, and TLSRoute objects (custom resources);;
• validating Gateway API configuration.

Automatically creating and flexibly configuring infrastructure for Gateway objects

The module provides two custom resources (CRDs) for declarative description and management of infrastructure for Gateway objects: ClusterALBInstance and ALBInstance. The characteristics of these resources and the differences between them are described in the table below.

Creating a ClusterALBInstance object or an ALBInstance object results in creation of a managed Gateway object in the cluster. At the same time:

• Each Gateway object is served by at least one Envoy Proxy instance.
• Traffic reaches it through a Service object of type LoadBalancer or directly by using HostPort parameters.
• Each Gateway object creates two default listeners: d8-http (port 80) and d8-https (port 443). They are intended for service tasks such as gateway availability checks or cert-manager HTTP-01 challenges. They are not recommended for publishing applications; use ListenerSet for that purpose instead.

Several ClusterALBInstance objects or ALBInstance objects may point to the same Gateway object through the gatewayName field. In that case, they describe one shared gateway, but the request handling infrastructure may differ depending on settings. You can think of gatewayName as an analogue of ingressClass for IngressNginxController objects.

Handling incoming requests with ListenerSet objects

The ListenerSet object describes system and user traffic handlers that define hostname, TLS mode, port, and protocol. Each ListenerSet object is linked to a specific parent Gateway object through the spec.parentRef field, and routes are then attached to it.

Placement of ListenerSet objects depends on the type of Gateway object in use:

• for ClusterALBInstance, ListenerSet objects may be placed in any namespace;
• for ALBInstance, ListenerSet objects are recommended to be placed in the same namespace.

In both cases, it is recommended to place the ListenerSet object in the same namespace as the HTTPRoute, GRPCRoute, TCPRoute, and TLSRoute objects attached to it. This improves configuration readability and helps avoid additional setup such as ReferenceGrant objects.

Routing incoming requests with HTTPRoute, GRPCRoute, TCPRoute, and TLSRoute objects

At the moment, the module supports the following route types:

• HTTPRoute: For routing HTTP/HTTPS/TLS requests.
• GRPCRoute: For routing gRPC traffic.
• TLSRoute: For TLS passthrough routing.
• TCPRoute: For routing TCP traffic.

HTTPRoute objects support extended settings through annotations that complement the current Gateway API specification.

Validating Gateway API configuration

In addition to Gateway API infrastructure configuration, the module validates user settings to prevent conflicting configurations from being applied. For example, the module checks for conflicts between identical traffic handlers in different ListenerSet objects when they point to the same Gateway object.