Label-Based resource ownership - ALB and Certificates

[meneksece]

How to categorize this PR?

What this PR does / why we need it:

This PR introduces structured ownership for Application Load Balancer (ALB) and Certificate resources. By using a consistent labeling system based on the IngressClass UID, the controller can now easily find and clean up the resources it created.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Key Changes:

• Ownership Labeling: Introduced LabelIngressClassUID (prefixed with lb.customer.label/) to track resource provenance.

• Label Merging Logic: Added logic in getAlbSpecForResources to merge user-defined labels, global config labels, and the internal ownership label (with a safety limit of 64 labels).

• Extended Interface: Updated applyCertificates to accept the IngressClass object to ensure certificates are also labeled upon creation.

Breaking changes:

[ske-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign maboehm for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Adi146]

Not sure if this makes sense to check the label count here. If you intention is to validate the input before we submit it to the api then we also should check the label name and value for length and invalid characters

[kamilprzybyl]

labels

[kamilprzybyl]

This limit applies to both ALB and NLB so maybe consider moving it to the shared labels package

[kamilprzybyl]

Same here, I think it makes sense moving it to the shared labels package.

[kamilprzybyl]

We shouldn't silently drop customer labels, customers get confused. We should apply the ownership and global config labels first, then merge the customer labels last. If adding a customer label exceeds the 64-label limit, we return an error instead of silently evicting data.

[Adi146]

I think we should drop the label but also emit an event so the customer has a chance to spot whats going on

[Adi146]

this part could also be a bit more streamlined. Instead of removing a label again when you reach the maximum number you could add this label before you add the customer labels. And also validate the customer labels so that the controller forbids overwriting the LabelIngressClassUID key.

[Adi146]

make use of the maximumLabelCount constant

[Adi146]

this part could also be a bit more streamlined. Instead of removing a label again when you reach the maximum number you could add this label before you add the customer labels. And also validate the customer labels so that the controller forbids overwriting the LabelIngressClassUID key.

[ske-prow]

@meneksece: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cloud-provider-stackit-verify	bb55a87	link	true	/test pull-cloud-provider-stackit-verify

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see the gardener testing guideline for how to avoid and hunt flakes.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.