Summary

The current implementation of Ingress reconciliation in Cilium creates a LoadBalancer Service per Ingress resource. This is not the most efficient use of resources, and can be made much more efficient by sharing a single LoadBalancer config across all Ingress resources in the cluster.

Goals

• Allow the creation of Ingresses to provision a single shared load balancer, rather than dedicated.
• Allow cluster admins to still select dedicated load balancer mode for compatibliity purposes.
• Ingress conformance tests should still pass.

Proposed solution

We'll add a new annotation for Ingress resources that will allow choosing between Shared or Dedicated load balancer for that Ingress resource, along with a config item (settable using Helm as well), that will set the default (which will be dedicated for this release). The annotation will be ingress.cilium.io/loadbalancer-mode:shared|dedicated.

A new code path will translate Ingress resources into an internal representation of a generic load balancer config. This is a first step towards Gateway API support (#20655), as Gateway API also expects LB behavior like this.

Tasks

• Add a new Ingress annotation ingress.cilium.io/loadbalancer-mode:shared|dedicated. The default for if that annotation is not present will be shared, since that's how most ingress controllers work.
• Add a config setting for the default ingress mode, either dedicated or shared. This will default to dedicated for now.
• Update docs with instructions on using the new annotation, or changing the default. ingress: Follow-up items for shared LB mode #21493
• Add a new code path that translates all shared LB Ingress resources into a new internal representation, and then translates the internal representation into a single CiliumEnvoyConfig resource that can be consumed by the Cilium proxy layer.
• Ensure that Ingress conformance tests still pass on the shared LB
• Update documentation ingress: Follow-up items for shared LB mode #21493
  • Annotations reference
  • Getting Started Guide