Add label related alb tests to alb_spec_test.go

Write gingko test for ingressclass_controller.go
update done with "go mod tidy"

Author: Menekse Ceylan

go.mod

@@ -14,6 +14,8 @@ require (
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/stackitcloud/stackit-sdk-go/core v0.26.0
+	github.com/stackitcloud/stackit-sdk-go/services/alb v0.14.2
+	github.com/stackitcloud/stackit-sdk-go/services/certificates v1.7.0
 	github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1
 	github.com/stackitcloud/stackit-sdk-go/services/loadbalancer v1.13.0
 	go.uber.org/mock v0.6.0
@@ -30,6 +32,7 @@ require (
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/mount-utils v0.36.1
 	k8s.io/utils v0.0.0-20260507154919-ff6756f316d2
+	sigs.k8s.io/controller-runtime v0.24.1
 )
 
 replace k8s.io/cloud-provider => github.com/stackitcloud/cloud-provider v0.36.0-ske-1
@@ -48,11 +51,13 @@ require (
 	github.com/coreos/go-systemd/v22 v22.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.2 // indirect
 	github.com/go-openapi/swag v0.25.1 // indirect
@@ -121,12 +126,14 @@ require (
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/apiextensions-apiserver v0.36.0 // indirect
 	k8s.io/apiserver v0.36.0 // indirect
 	k8s.io/component-helpers v0.36.0 // indirect
 	k8s.io/controller-manager v0.36.0 // indirect

go.sum

@@ -33,6 +33,10 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -105,6 +109,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oXJCETMO23COyaKGP6fHVpkpWpg=
 github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -159,6 +165,8 @@ github.com/onsi/ginkgo/v2 v2.29.0 h1:rfh+ZFjgJhYWRoIqVf3Uwx/W20yLrcrE2h2GmYVRaag
 github.com/onsi/ginkgo/v2 v2.29.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44=
 github.com/onsi/gomega v1.41.0 h1:OwKp4pXNgVxf6sCplzYo794OFNuoL2q2SBMU5NSWOjA=
 github.com/onsi/gomega v1.41.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -186,6 +194,10 @@ github.com/stackitcloud/cloud-provider v0.36.0-ske-1 h1:CZaL+8FH1rOjPnlPkhmvfKUk
 github.com/stackitcloud/cloud-provider v0.36.0-ske-1/go.mod h1:y/3sksoC0taJZR0PcAAYUqVyD6Jzu2X0lD4yCEPXPuI=
 github.com/stackitcloud/stackit-sdk-go/core v0.26.0 h1:jQEb9gkehfp6VCP6TcYk7BI10cz4l0KM2L6hqYBH2QA=
 github.com/stackitcloud/stackit-sdk-go/core v0.26.0/go.mod h1:WU1hhxnjXw2EV7CYa1nlEvNpMiRY6CvmIOaHuL3pOaA=
+github.com/stackitcloud/stackit-sdk-go/services/alb v0.14.2 h1:hGzfOJjlCRoFpri5eYIiwhE27qu02pKZLprKvbsTC/w=
+github.com/stackitcloud/stackit-sdk-go/services/alb v0.14.2/go.mod h1:eK6oRB5Tmpt6KbXQ4UYBGg2LgW5bPtVoncL9E8JSRww=
+github.com/stackitcloud/stackit-sdk-go/services/certificates v1.7.0 h1:J7BVVHjRTS5YUyGf6DZEIE1uD9f/S4v9dDbpZWVEd3U=
+github.com/stackitcloud/stackit-sdk-go/services/certificates v1.7.0/go.mod h1:eJpB3/pukz+KzVPVHQ4g3DVtQkxGga18VbFBhq9ugdY=
 github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1 h1:HcKqjwIjv4OAW1aWI0U/JWjnzTwzSvdr6DLasH940EU=
 github.com/stackitcloud/stackit-sdk-go/services/iaas v1.11.1/go.mod h1:Ts06id0KejUlQWbpR+/rm+tKng6QkTuFV1VQTPJ4dA4=
 github.com/stackitcloud/stackit-sdk-go/services/loadbalancer v1.13.0 h1:UuLNwFHjJCpL11y4F7B9oBKtZkxpu01VkNPILNkpex4=
@@ -326,6 +338,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
@@ -352,6 +366,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
 k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
+k8s.io/apiextensions-apiserver v0.36.0 h1:Wt7E8J+VBCbj4FjiBfDTK/neXDDjyJVJc7xfuOHImZ0=
+k8s.io/apiextensions-apiserver v0.36.0/go.mod h1:kGDjH0msuiIB3tgsYRV0kS9GqpMYMUsQ3GHv7TApyug=
 k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
 k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
 k8s.io/apiserver v0.36.0 h1:Jg5OFAENUACByUCg15CmhZAYrr5ZyJ+jodyA1mHl3YE=
@@ -378,6 +394,8 @@ k8s.io/utils v0.0.0-20260507154919-ff6756f316d2 h1:wU4tMEhLGgIbLvXQb1cfN+EcM0wf7
 k8s.io/utils v0.0.0-20260507154919-ff6756f316d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/controller-runtime v0.24.1 h1:miPEwrmirImAvgME1L9qebGHrOnGJoVmVdtOU9fRfo4=
+sigs.k8s.io/controller-runtime v0.24.1/go.mod h1:vFkfY5fGt5xAC/sKb8IBFKgWPNKG9OUG29dR8Y2wImw=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=

pkg/alb/ingress/alb_spec_test.go

@@ -6,8 +6,11 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	stackitmocks "github.com/stackitcloud/cloud-provider-stackit/pkg/stackit"
 	stackitconfig "github.com/stackitcloud/cloud-provider-stackit/pkg/stackit/config"
 	albsdk "github.com/stackitcloud/stackit-sdk-go/services/alb/v2api"
+	certsdk "github.com/stackitcloud/stackit-sdk-go/services/certificates/v2api"
+	"go.uber.org/mock/gomock"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,7 +21,9 @@ import (
 
 var _ = Describe("Node Controller", func() {
 	var (
-		k8sClient client.Client
+		k8sClient  client.Client
+		mockCtrl   *gomock.Controller
+		certClient *stackitmocks.MockCertificatesClient
 
 		ingressClass networkingv1.IngressClass
 		ingress      networkingv1.Ingress
@@ -34,7 +39,7 @@ var _ = Describe("Node Controller", func() {
 		networkID := "my-network"
 
 		ingressClass = networkingv1.IngressClass{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-ingress-class"},
+			ObjectMeta: metav1.ObjectMeta{Name: "test-ingress-class", UID: "test-ingress-class-uid"},
 			Spec:       networkingv1.IngressClassSpec{Controller: controllerName},
 		}
 
@@ -82,6 +87,7 @@ var _ = Describe("Node Controller", func() {
 
 		albSpec = albsdk.CreateLoadBalancerPayload{
 			DisableTargetSecurityGroupAssignment: new(true),
+			Labels:                               new(map[string]string{LabelIngressClassUID: "test-ingress-class-uid"}),
 			Listeners: []albsdk.Listener{
 				{
 					Http: new(albsdk.ProtocolOptionsHTTP{
@@ -145,14 +151,84 @@ var _ = Describe("Node Controller", func() {
 		It("should work with labels", func() {
 
 			reconciler.ALBConfig.ApplicationLoadBalancer.ExtraLabels = map[string]string{"managed-by": "alb-ingressClass"}
+			// adding extra labels to albSpec.Labels map
+			for k, v := range reconciler.ALBConfig.ApplicationLoadBalancer.ExtraLabels {
+				(*albSpec.Labels)[k] = v
+			}
 			spec, errorEventList, err := reconciler.getAlbSpecForIngressClass(context.Background(), &ingressClass)
 			Expect(err).To(Succeed())
 			Expect(errorEventList).To(BeEmpty())
 
-			albSpec.Labels = new(map[string]string{"managed-by": "alb-ingressClass"})
+			Expect(spec).ToNot(BeNil())
+			Expect(*spec).To(BeEquivalentTo(albSpec))
+		})
+
+		It("should work with certificates", func() {
+
+			mockCtrl = gomock.NewController(GinkgoT())
+			certClient = stackitmocks.NewMockCertificatesClient(mockCtrl)
+
+			// Bind this mock instance to live reconciler reference context
+			reconciler.CertificateClient = certClient
+
+			certSecret := corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-secret-cert",
+					UID:  "dummy-secret-uid-value-1234567",
+				},
+				Type: corev1.SecretTypeTLS,
+				Data: map[string][]byte{
+					"tls.crt": []byte("mock-public-key"),
+					"tls.key": []byte("mock-private-key"),
+				},
+			}
+			Expect(k8sClient.Create(context.Background(), &certSecret)).To(Succeed())
+
+			actualStoredSecret := &corev1.Secret{}
+			err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "my-secret-cert"}, actualStoredSecret)
+			Expect(err).NotTo(HaveOccurred())
+
+			expectedGeneratedCertName := getCertName(&ingressClass, actualStoredSecret)
+			targetCertID := "real-certificate-uuid-abc-123"
+
+			mockResponse := &certsdk.GetCertificateResponse{
+				Id:   new(targetCertID),
+				Name: new(expectedGeneratedCertName),
+			}
+
+			certClient.EXPECT().
+				CreateCertificate(
+					gomock.Any(),
+					"test-project",
+					"test-region",
+					gomock.Any(), // Intercepts any incoming *certsdk.CreateCertificatePayload matching
+				).
+				Return(mockResponse, nil).
+				Times(1)
+
+			httpsIngress := testHttpsIngress(&ingressClass, &service)
+			httpsIngress.Annotations = map[string]string{"alb.stackit.cloud/https-only": "true"}
+
+			Expect(k8sClient.Create(context.Background(), new(httpsIngress))).To(Succeed())
+
+			// expected albSpec should include new https listener
+			httpListener := testHttpListener(service.Spec.Ports[0].NodePort)
+			httpsListener := testHttpsListener(service.Spec.Ports[0].NodePort, targetCertID)
+			albSpec.Listeners = []albsdk.Listener{
+				httpsListener,
+				httpListener,
+			}
+
+			// get the specs and compare
+			spec, errorEventList, err := reconciler.getAlbSpecForIngressClass(context.Background(), &ingressClass)
+			Expect(err).To(Succeed())
+			Expect(errorEventList).To(BeEmpty())
 
 			Expect(spec).ToNot(BeNil())
+
+			// compare
 			Expect(*spec).To(BeEquivalentTo(albSpec))
+
 		})
 
 		It("should work with 2 ingresses different path", func() {
@@ -162,13 +238,19 @@ var _ = Describe("Node Controller", func() {
 
 			Expect(k8sClient.Create(context.Background(), &ingress2)).To(Succeed())
 
-			albSpec.Listeners[0].Http.Hosts[0].Rules = append(
-				albSpec.Listeners[0].Http.Hosts[0].Rules,
-				albsdk.Rule{
-					Path:       new(albsdk.Path{Prefix: new("/foobar")}),
-					TargetPool: albSpec.Listeners[0].Http.Hosts[0].Rules[0].TargetPool,
+			secTargetPool := *albSpec.Listeners[0].Http.Hosts[0].Rules[0].TargetPool
+			albSpec.Listeners[0].Http.Hosts[0].Rules = []albsdk.Rule{
+				{
+					Path:       &albsdk.Path{Prefix: new("/foobar")},
+					TargetPool: new(secTargetPool),
+					WebSocket:  new(false),
+				},
+				{
+					Path:       &albsdk.Path{Prefix: new("/")},
+					TargetPool: new(secTargetPool),
 					WebSocket:  new(false),
-				})
+				},
+			}
 
 			spec, errorEventList, err := reconciler.getAlbSpecForIngressClass(context.Background(), &ingressClass)
 			Expect(err).To(Succeed())
@@ -209,3 +291,90 @@ func testIngress(class *networkingv1.IngressClass, service *corev1.Service) netw
 		},
 	}
 }
+
+func testHttpsIngress(class *networkingv1.IngressClass, service *corev1.Service) networkingv1.Ingress {
+	return networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-https-ingress"},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: new(class.Name),
+			TLS: []networkingv1.IngressTLS{
+				{
+					Hosts:      []string{"secure.example.com"},
+					SecretName: "my-secret-cert",
+				},
+			},
+			Rules: []networkingv1.IngressRule{
+				{
+					Host: "secure.example.com",
+					IngressRuleValue: networkingv1.IngressRuleValue{
+						HTTP: &networkingv1.HTTPIngressRuleValue{
+							Paths: []networkingv1.HTTPIngressPath{
+								{
+									Path:     "/",
+									PathType: new(networkingv1.PathTypePrefix),
+									Backend: networkingv1.IngressBackend{
+										Service: &networkingv1.IngressServiceBackend{
+											Name: service.Name,
+											Port: networkingv1.ServiceBackendPort{Number: service.Spec.Ports[0].Port},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+// Returns a clean, isolated Port 80 HTTP Listener structure payload
+func testHttpListener(nodePort int32) albsdk.Listener {
+	return albsdk.Listener{
+		Name:     new("80-http"),
+		Port:     new(int32(80)),
+		Protocol: new("PROTOCOL_HTTP"),
+		Http: &albsdk.ProtocolOptionsHTTP{
+			Hosts: []albsdk.HostConfig{
+				{
+					Host: new("example.com"),
+					Rules: []albsdk.Rule{
+						{
+							Path:       &albsdk.Path{Prefix: new("/")},
+							TargetPool: new(fmt.Sprintf("port-%d", nodePort)),
+							WebSocket:  new(false),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+// Returns a clean, isolated Port 443 HTTPS Listener structure payload containing certificate tracking parameters
+func testHttpsListener(nodePort int32, certID string) albsdk.Listener {
+	return albsdk.Listener{
+		Name:     new("443-https"),
+		Port:     new(int32(443)),
+		Protocol: new("PROTOCOL_HTTPS"),
+		Https: &albsdk.ProtocolOptionsHTTPS{
+			CertificateConfig: &albsdk.CertificateConfig{
+				CertificateIds: []string{certID},
+			},
+		},
+		Http: &albsdk.ProtocolOptionsHTTP{
+			Hosts: []albsdk.HostConfig{
+				{
+					Host: new("secure.example.com"),
+					Rules: []albsdk.Rule{
+						{
+							Path:       &albsdk.Path{Prefix: new("/")},
+							TargetPool: new(fmt.Sprintf("port-%d", nodePort)),
+							WebSocket:  new(false),
+						},
+					},
+				},
+			},
+		},
+	}
+}

pkg/alb/ingress/certificate.go

@@ -24,8 +24,7 @@ func (r *IngressClassReconciler) deleteAllCertsForClass(ctx context.Context, cla
 
 	for _, cert := range certificatesList.Items {
 		if cert.Labels == nil {
-			// This part will go away when Labels are supported by Cert API
-			// do I need to check if nil
+			continue
 		}
 
 		if val, ok := (*cert.Labels)[LabelIngressClassUID]; ok && val == targetUID {