Docs update about IngressClass & new controller-level flags (#2002)

* add docs for new flags

* add documentation for IngressClass & new controller-flags

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/deploy/configurations.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

* Update docs/guide/ingress/ingress_class.md

Co-authored-by: Tim Bannister <[email protected]>

Co-authored-by: Tim Bannister <[email protected]>

Author: M00nF1sh

docs/deploy/configurations.md

@@ -66,13 +66,16 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |aws-region                             | string                          | [instance metadata](#instance-metadata)    | AWS Region for the kubernetes cluster |
 |aws-vpc-id                             | string                          | [instance metadata](#instance-metadata)    | AWS VPC ID for the Kubernetes cluster |
 |cluster-name                           | string                          |                 | Kubernetes cluster name|
-|default-tags                           | stringMap                       |                 | Default AWS Tags that will be applied to all AWS resources managed by this controller |
-|default-ssl-policy                     | string                          | ELBSecurityPolicy-2016-08 | Default SSL Policy that will be applied to all ingresses or services that do not have the SSL Policy annotation. |
-|enable-leader-election                 | boolean                         | true            | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. |
-|enable-pod-readiness-gate-inject       | boolean                         | true            | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods. |
+|default-tags                           | stringMap                       |                 | AWS Tags that will be applied to all AWS resources managed by this controller. Specified Tags takes highest priority |
+|default-ssl-policy                     | string                          | ELBSecurityPolicy-2016-08 | Default SSL Policy that will be applied to all Ingresses or Services that do not have the SSL Policy annotation |
+|[disable-ingress-class-annotation](#disable-ingress-class-annotation)       | boolean                         | false           | Disable new usage of the `kubernetes.io/ingress.class` annotation |
+|[disable-ingress-group-name-annotation](#disable-ingress-group-name-annotation)  | boolean                         | false           | Disallow new use of the `alb.ingress.kubernetes.io/group.name` annotation |
+|enable-leader-election                 | boolean                         | true            | Enable leader election for the load balancer controller manager. Enabling this will ensure there is only one active controller manager |
+|enable-pod-readiness-gate-inject       | boolean                         | true            | If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods |
 |enable-shield                          | boolean                         | true            | Enable Shield addon for ALB |
 |enable-waf                             | boolean                         | true            | Enable WAF addon for ALB |
 |enable-wafv2                           | boolean                         | true            | Enable WAF V2 addon for ALB |
+|external-managed-tags                  | stringList                      |                 | AWS Tag keys that will be managed externally. Specified Tags are ignored during reconciliation |
 |ingress-class                          | string                          | alb             | Name of the ingress class this controller satisfies |
 |ingress-max-concurrent-reconciles      | int                             | 3               | Maximum number of concurrently running reconcile loops for ingress |
 |kubeconfig                             | string                          | in-cluster config | Path to the kubeconfig file containing authorization and API server information |
@@ -85,14 +88,34 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |targetgroupbinding-max-concurrent-reconciles | int                       | 3               | Maximum number of concurrently running reconcile loops for targetGroupBinding |
 |watch-namespace                        | string                          |                 | Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched. |
 |webhook-bind-port                      | int                             | 9443            | The TCP port the Webhook server binds to |
+|webhook-cert-dir                       | string                          | /tmp/k8s-webhook-server/serving-certs | The directory that contains the server key and certificate |
+|webhook-cert-file                      | string                          | tls.crt | The server certificate name |
+|webhook-key-file                       | string                          | tls.key | The server key name |
+
+### disable-ingress-class-annotation
+`--disable-ingress-class-annotation` controls whether to disable new usage of the `kubernetes.io/ingress.class` annotation.
+
+Once disabled:
+
+* you can no longer create Ingresses with the value of the `kubernetes.io/ingress.class` annotation equal to `alb` (can be overridden via `--ingress-class` flag of this controller).
+
+* you can no longer update Ingresses to set the value of the `kubernetes.io/ingress.class` annotation equal to `alb` (can be overridden via `--ingress-class` flag of this controller).
+
+* you can still create Ingresses with a `kubernetes.io/ingress.class` annotation that has other values (for example: "nginx")
+
+### disable-ingress-group-name-annotation
+`--disable-ingress-group-name-annotation` controls whether to disable new usage of `alb.ingress.kubernetes.io/group.name` annotation.
+
+Once disabled:
+
+* you can no longer create Ingresses with the `alb.ingress.kubernetes.io/group.name` annotation.
+* you can no longer alter the value of an `alb.ingress.kubernetes.io/group.name` annotation on an existing Ingress.
 
 
 ### Default throttle config
 ```
 WAF Regional:^AssociateWebACL|DisassociateWebACL=0.5:1,WAF Regional:^GetWebACLForResource|ListResourcesForWebACL=1:1,WAFV2:^AssociateWebACL|DisassociateWebACL=0.5:1,WAFV2:^GetWebACLForResource|ListResourcesForWebACL=1:1
 ```
 
-AWS Web Application Firewall (WAF) 
-
 ### Instance metadata
 If running on EC2, the default values are obtained from the instance metadata service.

docs/guide/ingress/ingress_class.md

@@ -0,0 +1,144 @@
+# [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+
+Ingresses can be implemented by different controllers, often with different configuration. Each Ingress should specify a
+class, a reference to an IngressClass resource that contains additional configuration including the name of the
+controller that should implement the class. IngressClass resources contain an optional parameters field. This can be
+used to reference additional implementation-specific configuration for this class.
+For the AWS Load Balancer controller, the implementation-specific configuration is
+[IngressClassParams](#ingressclassparams) in the `elbv2.k8s.aws` API group.
+
+!!!example
+    - specify controller as `ingress.k8s.aws/alb` to denote Ingresses should be managed by AWS Load Balancer Controller.
+    ```
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: awesome-class
+    spec:
+      controller: ingress.k8s.aws/alb
+    ```
+    - specify additional configurations by referencing an IngressClassParams resource.
+    ```
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: awesome-class
+    spec:
+      controller: ingress.k8s.aws/alb
+      parameters:
+        apiGroup: elbv2.k8s.aws
+        kind: IngressClassParams
+        name: awesome-class-cfg
+    ```
+
+!!!tip "[default IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class)"
+    You can mark a particular IngressClass as the default for your cluster. Setting the
+    `ingressclass.kubernetes.io/is-default-class` annotation to `true` on an IngressClass resource will ensure that new
+    Ingresses without an `ingressClassName` field specified will be assigned this default IngressClass.
+
+
+## [Deprecated `kubernetes.io/ingress.class` annotation](https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation)
+
+Before the IngressClass resource and `ingressClassName` field were added in Kubernetes 1.18, Ingress classes were
+specified with a `kubernetes.io/ingress.class` annotation on the Ingress. This annotation was never formally defined,
+but was widely supported by Ingress controllers.
+
+The newer `ingressClassName` field on Ingresses is a replacement for that annotation, but is not a direct equivalent.
+While the annotation was generally used to reference the name of the Ingress controller that should implement the
+Ingress, the field is a reference to an IngressClass resource that contains additional Ingress configuration, including
+the name of the Ingress controller.
+
+!!!tip "disable `kubernetes.io/ingress.class` annotation"
+    In order to maintain backwards-compatibility, `kubernetes.io/ingress.class` annotation is still supported currently.
+    You can enforce IngressClass resource adoption by disable the `kubernetes.io/ingress.class` annotation via [--disable-ingress-class-annotation](../../../deploy/configurations/#disable-ingress-class-annotation) controller flag.
+
+## IngressClassParams
+IngressClassParams is a [CRD](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) specific to the AWS Load Balancer Controller, which can be used along with IngressClass’s parameter field.
+You can use IngressClassParams to enforce settings for a set of Ingresses.
+
+!!!example
+    - with scheme & ipAddressType & tags
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+      name: awesome-class
+    spec:
+      scheme: internal
+      ipAddressType: dualstack
+      tags:
+      - key: org
+        value: my-org
+    ```
+    - with namespaceSelector
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+      name: awesome-class
+    spec:
+      namespaceSelector:
+        matchLabels:
+          team: team-a
+    ```
+    - with IngressGroup
+    ```
+    apiVersion: elbv2.k8s.aws/v1beta1
+    kind: IngressClassParams
+    metadata:
+      name: awesome-class
+    spec:
+      group:
+        name: my-group
+    ```
+
+### IngressClassParams specification
+
+#### spec.namespaceSelector
+`namespaceSelector` is an optional setting that follows general Kubernetes
+[label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+semantics.
+
+Cluster administrators can use the `namespaceSelector` field to restrict the namespaces of Ingresses that are allowed to specify the IngressClass.
+
+1. If `namespaceSelector` specified, only Ingresses in selected namespaces can use IngressClasses with this parameter. The controller will refuse to reconcile for Ingresses that violates `namespaceSelector`.
+2. If `namespaceSelector` un-specified, all Ingresses in any namespace can use IngressClasses with this parameter.
+
+#### spec.group
+
+`group` is an optional setting.  The only available sub-field is `group.name`.
+
+Cluster administrators can use `group.name` field to denote the groupName for all Ingresses belong to this IngressClass.
+
+1. If `group.name` specified, all Ingresses with this IngressClass will belong to the same IngressGroup specified and result in a single ALB.
+If `group.name` is not specified, Ingresses with this IngressClass can use the older / legacy `alb.ingress.kubernetes.io/group.name` annotation to specify their IngressGroup. Ingresses that belong to the same IngressClass can form different IngressGroups via that annotation.
+
+#### spec.scheme
+
+`scheme` is an optional setting. The available options are `internet-facing` or `internal`.
+
+Cluster administrators can use the `scheme` field to restrict the scheme for all Ingresses that belong to this IngressClass.
+
+1. If `scheme` specified, all Ingresses with this IngressClass will have the specified scheme.
+2. If `scheme` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/scheme annotation` to specify scheme.
+
+#### spec.ipAddressType
+
+`ipAddressType` is an optional setting. The available options are `ipv4` or `dualstack`.
+
+Cluster administrators can use `ipAddressType` field to restrict the ipAddressType for all Ingresses that belong to this IngressClass.
+
+1. If `ipAddressType` specified, all Ingresses with this IngressClass will have the specified ipAddressType.
+2. If `ipAddressType` un-specified, Ingresses with this IngressClass can continue to use `alb.ingress.kubernetes.io/ip-address-type` annotation to specify ipAddressType.
+
+#### spec.tags
+
+`tags` is an optional setting.
+
+Cluster administrators can use `tags` field to specify the custom tags for AWS resources provisioned for all Ingresses belong to this IngressClass.
+
+1. If `tags` is set, AWS resources provisioned for all Ingresses with this IngressClass will have the specified tags.
+2. You can also use controller-level flag `--default-tags`  or `alb.ingress.kubernetes.io/tags` annotation to specify custom tags. These tags will be merged together based on tag-key. If same tag-key appears in multiple sources, the priority is as follows:
+    1. controller-level flag `--default-tags` will have the highest priority.
+    2. `spec.tags` in IngressClassParams will have the middle priority.
+    3. `alb.ingress.kubernetes.io/tags` annotation will have the lowest priority.

mkdocs.yml

@@ -18,6 +18,7 @@ nav:
       - Ingress:
           - Annotations: guide/ingress/annotations.md
           - Specification: guide/ingress/spec.md
+          - IngressClass: guide/ingress/ingress_class.md
           - Certificate Discovery: guide/ingress/cert_discovery.md
       - Service:
           - NLB-IP mode: guide/service/nlb_ip_mode.md