stackitcloud · dergeberl · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/cmd/gardener-extension-provider-stackit/app/app.go b/cmd/gardener-extension-provider-stackit/app/app.go
@@ -184,11 +184,9 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 			configFileOpts.Completed().ApplyETCDStorage(&stackitseedprovider.DefaultAddOptions.ETCDStorage)
 			configFileOpts.Completed().ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
 			configFileOpts.Completed().ApplyRegistryCaches(&stackitwebhookcontrolplane.DefaultAddOptions.RegistryCaches)
-			configFileOpts.Completed().ApplyDeployALBIngressController(&stackitcontrolplane.DeployALBIngressController)
 			configFileOpts.Completed().ApplyCustomLabelDomain(&stackitworker.DefaultAddOptions.CustomLabelDomain)
 			configFileOpts.Completed().ApplyCustomLabelDomain(&stackitcontrolplane.DefaultAddOptions.CustomLabelDomain)
 			configFileOpts.Completed().ApplyCustomLabelDomain(&stackitinfrastructure.DefaultAddOptions.CustomLabelDomain)
-			log.Info("DeployALBIngressController?", "deploy", configFileOpts.Completed().Config.DeployALBIngressController)
 
 			bastionCtrlOpts.Completed().Apply(&stackitbastion.DefaultAddOptions.Controller)
 			configFileOpts.Completed().ApplyCustomLabelDomain(&stackitbastion.DefaultAddOptions.CustomLabelDomain)

diff --git a/imagevector/images.go b/imagevector/images.go
diff --git a/imagevector/images.yaml b/imagevector/images.yaml
@@ -132,6 +132,6 @@ images:
   repository: registry.k8s.io/sig-storage/livenessprobe
   tag: "v2.18.0"
 
-- name: stackit-alb-controller-manager
-  repository: reg3.infra.ske.eu01.stackit.cloud/temp/alb-controller-manager
-  tag: "1245"
+- name: stackit-application-load-balancer-controller-manager
+  repository: ghcr.io/stackitcloud/cloud-provider-stackit/application-load-balancer-controller-manager-dev
+  tag: "v1.34.0-132-g612f42f"
diff --git a/pkg/apis/config/types.go b/pkg/apis/config/types.go
@@ -31,9 +31,6 @@ type ControllerConfiguration struct {
 	// Deprecated: will be removed in a future version
 	RegistryCaches []RegistryCacheConfiguration
 
-	// DeployALBIngressController
-	DeployALBIngressController bool
-
 	// CustomLabelDomain is the domain prefix for custom labels applied to STACKIT infrastructure resources.
 	// For example, cluster labels will use "<domain>/cluster" (default: "kubernetes.io").
 	// NOTE: Only change this if you know what you are doing!!

diff --git a/pkg/apis/config/v1alpha1/types.go b/pkg/apis/config/v1alpha1/types.go
@@ -33,9 +33,6 @@ type ControllerConfiguration struct {
 	// +optional
 	RegistryCaches []RegistryCacheConfiguration `json:"registryCaches,omitempty"`
 
-	// DeployALBIngressController
-	DeployALBIngressController bool `json:"deployALBIngressController"`
-
 	// CustomLabelDomain is the domain prefix for custom labels applied to STACKIT infrastructure resources.
 	// For example, cluster labels will use "<domain>/cluster" (default: "kubernetes.io").
 	// +optional

diff --git a/pkg/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/apis/config/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/stackit/v1alpha1/types_cloudprofile.go b/pkg/apis/stackit/v1alpha1/types_cloudprofile.go
@@ -207,9 +207,9 @@ type APIEndpoints struct {
 	// ApplicationLoadBalancer is the Endpoint of the Application LoadBalancer API.
 	// +optional
 	ApplicationLoadBalancer *string `json:"applicationLoadBalancer,omitempty"`
-	// LoadbalancerCertificate is the Endpoint of the LoadBalancerCertificate API.
+	// ApplicationLoadBalancerCertificate is the Endpoint of the ApplicationLoadBalancerCertificate API.
 	// +optional
-	LoadBalancerCertificate *string `json:"loadbalancerCertificate,omitempty"`
+	ApplicationLoadBalancerCertificate *string `json:"applicationLoadBalancerCertificate,omitempty"`
 	// TokenEndpoint is the token endpoint URL.
 	// +optional
 	TokenEndpoint *string `json:"tokenEndpoint,omitempty"`

diff --git a/pkg/cmd/config.go b/pkg/cmd/config.go
@@ -75,10 +75,6 @@ func (c *Config) ApplyRegistryCaches(regCaches *[]config.RegistryCacheConfigurat
 	*regCaches = c.Config.RegistryCaches
 }
 
-func (c *Config) ApplyDeployALBIngressController(deployALBIngressController *bool) {
-	*deployALBIngressController = c.Config.DeployALBIngressController
-}
-
 // ApplyCustomLabelDomain sets the custom label domain configuration for infrastructure resources.
 func (c *Config) ApplyCustomLabelDomain(customLabelDomain *string) {
 	*customLabelDomain = c.Config.CustomLabelDomain

diff --git a/pkg/controller/controlplane/add.go b/pkg/controller/controlplane/add.go
@@ -22,8 +22,6 @@ import (
 var (
 	// DefaultAddOptions are the default AddOptions for AddToManager.
 	DefaultAddOptions = AddOptions{}
-
-	DeployALBIngressController bool
 )
 
 // AddOptions are options to apply when adding the OpenStack controlplane controller to the manager.
@@ -46,7 +44,7 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO
 	genericActuator, err := genericactuator.NewActuator(mgr, stackit.Name,
 		secretConfigsFunc, shootAccessSecretsFunc,
 		configChart, controlPlaneChart, controlPlaneShootChart, controlPlaneShootCRDsChart, storageClassChart,
-		NewValuesProvider(mgr, DeployALBIngressController, opts.CustomLabelDomain), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot),
+		NewValuesProvider(mgr, opts.CustomLabelDomain), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot),
 		imagevector.ImageVector(), "", nil, opts.WebhookServerNamespace)
 	if err != nil {
 		return err

diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -199,12 +199,12 @@ var (
 				},
 			},
 			{
-				Name:   openstack.STACKITALBControllerManagerName,
-				Images: []string{imagevector.ImageNameStackitAlbControllerManager},
+				Name:   openstack.STACKITApplicationLoadBalancerControllerManagerName,
+				Images: []string{imagevector.ImageNameStackitApplicationLoadBalancerControllerManager},
 				Objects: []*chart.Object{
-					// stackit-alb-controller-manager
-					{Type: &appsv1.Deployment{}, Name: openstack.STACKITALBControllerManagerName},
-					{Type: &vpaautoscalingv1.VerticalPodAutoscaler{}, Name: openstack.STACKITALBControllerManagerName},
+					// stackit-application-load-balancer-controller-manager
+					{Type: &appsv1.Deployment{}, Name: openstack.STACKITApplicationLoadBalancerControllerManagerName},
+					{Type: &vpaautoscalingv1.VerticalPodAutoscaler{}, Name: openstack.STACKITApplicationLoadBalancerControllerManagerName},
 				},
 			},
 		},
@@ -333,22 +333,20 @@ var (
 )
 
 // NewValuesProvider creates a new ValuesProvider for the generic actuator.
-func NewValuesProvider(mgr manager.Manager, deployALBIngressController bool, customLabelDomain string) genericactuator.ValuesProvider {
+func NewValuesProvider(mgr manager.Manager, customLabelDomain string) genericactuator.ValuesProvider {
 	return &valuesProvider{
-		client:                     mgr.GetClient(),
-		decoder:                    serializer.NewCodecFactory(mgr.GetScheme(), serializer.EnableStrict).UniversalDecoder(),
-		deployALBIngressController: deployALBIngressController,
-		customLabelDomain:          customLabelDomain,
+		client:            mgr.GetClient(),
+		decoder:           serializer.NewCodecFactory(mgr.GetScheme(), serializer.EnableStrict).UniversalDecoder(),
+		customLabelDomain: customLabelDomain,
 	}
 }
 
 // valuesProvider is a ValuesProvider that provides OpenStack-specific values for the 2 charts applied by the generic actuator.
 type valuesProvider struct {
 	genericactuator.NoopValuesProvider
-	client                     k8sclient.Client
-	decoder                    runtime.Decoder
-	deployALBIngressController bool
-	customLabelDomain          string
+	client            k8sclient.Client
+	decoder           runtime.Decoder
+	customLabelDomain string
 }
 
 // GetConfigChartValues returns the values for the config chart applied by the generic actuator.
@@ -732,17 +730,16 @@ func (vp *valuesProvider) getControlPlaneChartValues(ctx context.Context, cpConf
 		openstack.STACKITCloudControllerManagerName: stackitccm,
 	})
 
-	if vp.deployALBIngressController {
-		fmt.Println("deploying ALB Ingress Controller")
-		albcm, err := getSTACKITALBCMChartValues(cpConfig, cluster, infra, stackitCredentialsConfig, apiEndpoints, scaledDown, stackitRegion)
+	if feature.StackitApplicationLoadBalancerControllerManager(cluster) && DeploySTACKITApplicationLoadBalancer(cpConfig) {
+		albcm, err := getSTACKITApplicationLoadBalancerCMChartValues(cpConfig, cluster, infra, stackitCredentialsConfig, apiEndpoints, scaledDown, stackitRegion)
 		if err != nil {
 			return nil, err
 		}
 
-		controlPlaneValues[openstack.STACKITALBControllerManagerName] = albcm
+		controlPlaneValues[openstack.STACKITApplicationLoadBalancerControllerManagerName] = albcm
 	} else {
 		// NOTE: ensure deletion of ALB deployment, if disabled
-		if err := vp.deleteControlPlaneComponentsForGivenChart(ctx, cp.Namespace, openstack.STACKITALBControllerManagerName); err != nil {
+		if err := vp.deleteControlPlaneComponentsForGivenChart(ctx, cp.Namespace, openstack.STACKITApplicationLoadBalancerControllerManagerName); err != nil {
 			return nil, err
 		}
 	}
@@ -972,7 +969,7 @@ func getCSIControllerChartValues(cluster *extensionscontroller.Cluster, userAgen
 	return values
 }
 
-func getSTACKITALBCMChartValues(
+func getSTACKITApplicationLoadBalancerCMChartValues(
 	cpConfig *stackitv1alpha1.ControlPlaneConfig,
 	cluster *extensionscontroller.Cluster,
 	infra *stackitv1alpha1.InfrastructureStatus,
@@ -981,10 +978,6 @@ func getSTACKITALBCMChartValues(
 	scaledDown bool,
 	stackitRegion string,
 ) (map[string]any, error) {
-	if !DeploySTACKITALB(cpConfig) {
-		return nil, nil
-	}
-
 	if credentials == nil {
 		return nil, fmt.Errorf("no STACKIT credentials are provided in cluster %s", cluster.Shoot.Name)
 	}
@@ -1003,8 +996,8 @@ func getSTACKITALBCMChartValues(
 			config["applicationLBApiUrl"] = apiEndpoints.ApplicationLoadBalancer
 		}
 
-		if apiEndpoints.LoadBalancerCertificate != nil {
-			config["certificateApiUrl"] = *apiEndpoints.LoadBalancerCertificate
+		if apiEndpoints.ApplicationLoadBalancerCertificate != nil {
+			config["certificateApiUrl"] = *apiEndpoints.ApplicationLoadBalancerCertificate
 		}
 
 		if apiEndpoints.TokenEndpoint != nil {
@@ -1021,7 +1014,7 @@ func getSTACKITALBCMChartValues(
 	return values, nil
 }
 
-func DeploySTACKITALB(cpConfig *stackitv1alpha1.ControlPlaneConfig) bool {
+func DeploySTACKITApplicationLoadBalancer(cpConfig *stackitv1alpha1.ControlPlaneConfig) bool {
 	return ptr.Deref(cpConfig.ApplicationLoadBalancer, stackitv1alpha1.ApplicationLoadBalancerConfig{}).Enabled
 }
 

diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
@@ -315,7 +315,7 @@ var _ = Describe("ValuesProvider", func() {
 		mgr = mockmanager.NewMockManager(ctrl)
 		mgr.EXPECT().GetClient().Return(c)
 		mgr.EXPECT().GetScheme().Return(scheme)
-		vp = NewValuesProvider(mgr, true, "kubernetes.io")
+		vp = NewValuesProvider(mgr, "kubernetes.io")
 	})
 
 	AfterEach(func() {
@@ -497,6 +497,11 @@ var _ = Describe("ValuesProvider", func() {
 		})
 
 		BeforeEach(func() {
+			Expect(feature.MutableGate.SetFromMap(map[string]bool{string(feature.STACKITALBControllerManager): true})).To(Succeed())
+			DeferCleanup(func() {
+				Expect(feature.MutableGate.SetFromMap(map[string]bool{string(feature.STACKITALBControllerManager): false})).To(Succeed())
+			})
+
 			c.EXPECT().Get(ctx, cpConfigKey, &corev1.Secret{}).DoAndReturn(clientGet(cpConfig))
 			c.EXPECT().Delete(context.TODO(), &networkingv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: "allow-kube-apiserver-to-csi-snapshot-validation", Namespace: cp.Namespace}})
 
@@ -558,7 +563,7 @@ var _ = Describe("ValuesProvider", func() {
 						"replicas": 1,
 					},
 				}),
-				openstack.STACKITALBControllerManagerName: empty(),
+				openstack.STACKITApplicationLoadBalancerControllerManagerName: empty(),
 			}))
 		})
 
@@ -601,7 +606,7 @@ var _ = Describe("ValuesProvider", func() {
 						"replicas": 1,
 					},
 				}),
-				openstack.STACKITALBControllerManagerName: empty(),
+				openstack.STACKITApplicationLoadBalancerControllerManagerName: empty(),
 			}))
 		})
 
@@ -658,7 +663,7 @@ var _ = Describe("ValuesProvider", func() {
 					stackitCCMDeletion(ctx, c)
 				}
 
-				vpStackitConf := NewValuesProvider(mgr, true, "kubernetes.io")
+				vpStackitConf := NewValuesProvider(mgr, "kubernetes.io")
 				values, err := vpStackitConf.GetControlPlaneChartValues(ctx, cp, &testCluster, fakeSecretsManager, checksums, false)
 				Expect(err).NotTo(HaveOccurred())
 				Expect(values).To(HaveKey(openstack.STACKITCloudControllerManagerName))
@@ -773,7 +778,7 @@ var _ = Describe("ValuesProvider", func() {
 				mgr.EXPECT().GetClient().Return(c)
 				mgr.EXPECT().GetScheme().Return(scheme)
 
-				vpCustomDomain := NewValuesProvider(mgr, true, customDomain)
+				vpCustomDomain := NewValuesProvider(mgr, customDomain)
 				values, err := vpCustomDomain.GetControlPlaneChartValues(ctx, cp, &testCluster, fakeSecretsManager, checksums, false)
 				Expect(err).NotTo(HaveOccurred())
 
@@ -877,7 +882,7 @@ var _ = Describe("ValuesProvider", func() {
 
 			values, err := vp.GetControlPlaneChartValues(ctx, cp, cluster, fakeSecretsManager, checksums, false)
 			Expect(err).NotTo(HaveOccurred())
-			Expect(values[openstack.STACKITALBControllerManagerName]).To(Equal(stackitAlbChartValues))
+			Expect(values[openstack.STACKITApplicationLoadBalancerControllerManagerName]).To(Equal(stackitAlbChartValues))
 		})
 	})
 

diff --git a/pkg/controller/healthcheck/add.go b/pkg/controller/healthcheck/add.go
@@ -16,6 +16,7 @@ import (
 	"github.com/gardener/gardener/extensions/pkg/util"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
+	"github.com/stackitcloud/gardener-extension-provider-stackit/v2/pkg/feature"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/ptr"
@@ -76,16 +77,11 @@ func RegisterHealthChecks(ctx context.Context, mgr manager.Manager, opts healthc
 			HealthCheck:   general.NewSeedDeploymentHealthChecker(controlplane.CSIStackitPrefix + "-" + openstack.CSISnapshotControllerName),
 			PreCheckFunc:  checkCSISTACKIT,
 		},
-	}
-
-	if controlplane.DeployALBIngressController {
-		healthchecks = append(healthchecks,
-			healthcheck.ConditionTypeToHealthCheck{
-				ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy),
-				HealthCheck:   general.NewSeedDeploymentHealthChecker(openstack.STACKITALBControllerManagerName),
-				PreCheckFunc:  checkALB,
-			},
-		)
+		{
+			ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy),
+			HealthCheck:   general.NewSeedDeploymentHealthChecker(openstack.STACKITApplicationLoadBalancerControllerManagerName),
+			PreCheckFunc:  checkALB,
+		},
 	}
 
 	if err := healthcheck.DefaultRegistration(
@@ -174,7 +170,7 @@ func checkALB(_ context.Context, client client.Client, _ client.Object, clusterO
 		return false
 	}
 
-	return controlplane.DeploySTACKITALB(cpConfig)
+	return controlplane.DeploySTACKITApplicationLoadBalancer(cpConfig) && feature.StackitApplicationLoadBalancerControllerManager(cluster)
 }
 
 // AddToManager adds a controller with the default Options.

diff --git a/pkg/feature/feature.go b/pkg/feature/feature.go
@@ -22,10 +22,14 @@ const (
 	UseSTACKITAPIInfrastructureController featuregate.Feature = "UseSTACKITAPIInfrastructureController"
 	// UseSTACKITMachineControllerManager Uses the STACKIT machine controller Manager to manage nodes.
 	UseSTACKITMachineControllerManager featuregate.Feature = "UseSTACKITMachineControllerManager"
+	// STACKITApplicationLoadBalancerControllerManager Enables the STACKIT ALP controller manager.
+	STACKITApplicationLoadBalancerControllerManager featuregate.Feature = "STACKITApplicationLoadBalancerControllerManager"
 	// ShootUseSTACKITMachineControllerManager Uses the STACKIT machine controller Manager to manage nodes for a specific Shoot.
 	ShootUseSTACKITMachineControllerManager = "shoot.gardener.cloud/use-stackit-machine-controller-manager"
 	// ShootUseSTACKITAPIInfrastructureController Uses the STACKIT API to create the shoot resources instead of OpenStack for a specific Shoot.
 	ShootUseSTACKITAPIInfrastructureController = "shoot.gardener.cloud/use-stackit-api-infrastructure-controller"
+	// ShootSTACKITApplicationLoadBalancerControllerManager Enables the STACKIT ALP controller manager for a specific Shoot.
+	ShootSTACKITApplicationLoadBalancerControllerManager = "shoot.gardener.cloud/stackit-application-load-balancer-controller-manager"
 )
 
 var (
@@ -42,10 +46,11 @@ var (
 	Gate featuregate.FeatureGate = MutableGate
 
 	allGates = map[featuregate.Feature]featuregate.FeatureSpec{
-		MutateDisableNTP:                      {Default: true, PreRelease: featuregate.Alpha},
-		EnsureSTACKITLBDeletion:               {Default: true, PreRelease: featuregate.Alpha},
-		UseSTACKITAPIInfrastructureController: {Default: true, PreRelease: featuregate.Alpha},
-		UseSTACKITMachineControllerManager:    {Default: true, PreRelease: featuregate.Alpha},
+		MutateDisableNTP:                                {Default: true, PreRelease: featuregate.Alpha},
+		EnsureSTACKITLBDeletion:                         {Default: true, PreRelease: featuregate.Alpha},
+		UseSTACKITAPIInfrastructureController:           {Default: true, PreRelease: featuregate.Alpha},
+		UseSTACKITMachineControllerManager:              {Default: true, PreRelease: featuregate.Alpha},
+		STACKITApplicationLoadBalancerControllerManager: {Default: false, PreRelease: featuregate.Alpha},
 	}
 )
 
@@ -78,3 +83,16 @@ func UseStackitAPIInfrastructureController(cluster *extensionscontroller.Cluster
 	}
 	return Gate.Enabled(UseSTACKITAPIInfrastructureController)
 }
+
+func StackitApplicationLoadBalancerControllerManager(cluster *extensionscontroller.Cluster) bool {
+	if cluster != nil && cluster.Shoot != nil {
+		annotation, ok := cluster.Shoot.Annotations[ShootSTACKITApplicationLoadBalancerControllerManager]
+		if ok {
+			enabledByAnnotation, err := strconv.ParseBool(annotation)
+			if err == nil {
+				return enabledByAnnotation
+			}
+		}
+	}
+	return Gate.Enabled(STACKITApplicationLoadBalancerControllerManager)
+}
diff --git a/pkg/openstack/types.go b/pkg/openstack/types.go
@@ -71,8 +71,8 @@ const (
 	CloudControllerManagerName = "cloud-controller-manager"
 	// STACKITCloudControllerManagerName is a constant for the name of the CloudController deployed by the worker controller. (stackit)
 	STACKITCloudControllerManagerName = "stackit-cloud-controller-manager"
-	// STACKITALBControllerManagerName is a constant for the name of the ALB CloudController. (stackit)
-	STACKITALBControllerManagerName = "stackit-alb-controller-manager"
+	// STACKITApplicationLoadBalancerControllerManagerName is a constant for the name of the ALB CloudController. (stackit)
+	STACKITApplicationLoadBalancerControllerManagerName = "stackit-application-load-balancer-controller-manager"
 	// CSIDiskDriverTopologyKey is the label on persistent volumes that represents availability by zone.
 	// See https://github.com/kubernetes/cloud-provider-openstack/blob/master/examples/cinder-csi-plugin/topology/example.yaml
 	// See https://gitlab.cern.ch/cloud/cloud-provider-openstack/-/blob/release-1.19/docs/using-cinder-csi-plugin.md#enable-topology-aware-dynamic-provisioning-for-cinder-volumes