Feature
Resolution: Unresolved
Major
Feature Overview
This Feature introduces an opt-in mechanism to enable reconciliation of ingress labels using a dedicated annotation, ensuring label updates are propagated to associated route objects automatically.
Goals
- Introduce an annotation (e.g., route.openshift.io/reconcile-labels: "true") that enables label reconciliation for ingress-derived route objects.
- Extend existing reconciliation logic to handle ingress label updates in addition to annotations.
- Ensure label updates and deletions on ingress resources are accurately reflected on associated route objects.
- Maintain backward compatibility by keeping the feature opt-in, preventing unintended label propagation on existing workloads.
- Improve operational consistency and reduce manual intervention when managing multiple ingress controllers.
- Mitigate potential security risks caused by outdated or incorrect route label propagation.
Potential solution using Annotations:
- The developer creates an Ingress object with labels designating which ingress controller should handle the routes.
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        route.openshift.io/reconcile-labels: "true"
      labels:
        app.customer.ch/ingress-public: "true"
- The OpenShift ingress-to-route controller creates a corresponding Route object, copying the ingress labels.
- Later, the developer updates the ingress label from app.customer.ch/ingress-public: "true" to "false" to move the route from the public to the private ingress controller.
- Because the route.openshift.io/reconcile-labels: "true" annotation is present, the controller detects the label change and updates the Route object accordingly.
- The Route is reconciled automatically, ensuring that it is now managed by the correct (private) ingress controller.
- The developer verifies the routing change without having to manually delete or recreate the Route.
Without Annotations:
- If the annotation is not present, label updates are ignored after initial route creation.
- The developer must manually delete and recreate the route to reflect the new label.
- This may lead to operational overhead or unintended exposure if the old route remains active.
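The two flows above (with and without the annotation), as an added Go example that is not the ingress-to-route controller's code. It uses a hypothetical `Meta` type with plain maps and the annotation name the text proposes, and it assumes that opted-in Route labels mirror the Ingress exactly, so labels deleted from the Ingress are removed from the Route.

```go
package main

import ("fmt"; "sort")

// Annotation name as proposed in the feature text ("e.g."); not a shipped API.
const reconcileLabelsAnnotation = "route.openshift.io/reconcile-labels"

// Meta is a hypothetical stand-in for Ingress or Route object metadata.
type Meta struct{ Annotations, Labels map[string]string }

// LabelDrift reports, sorted, how Route labels differ from Ingress labels.
func LabelDrift(ingress, route Meta) []string {
	var drift []string
	for k, want := range ingress.Labels {
		if got, ok := route.Labels[k]; !ok {
			drift = append(drift, fmt.Sprintf("missing %s=%q", k, want))
		} else if got != want {
			drift = append(drift, fmt.Sprintf("stale %s=%q, ingress has %q", k, got, want))
		}
	}
	for k, got := range route.Labels {
		if _, ok := ingress.Labels[k]; !ok {
			drift = append(drift, fmt.Sprintf("leftover %s=%q", k, got))
		}
	}
	sort.Strings(drift)
	return drift
}

// ReconcileRouteLabels returns the Route's desired labels and whether to update.
func ReconcileRouteLabels(ingress, route Meta) (map[string]string, bool) {
	if ingress.Annotations[reconcileLabelsAnnotation] != "true" ||
		len(LabelDrift(ingress, route)) == 0 {
		return route.Labels, false // not opted in, or already in sync
	}
	desired := make(map[string]string, len(ingress.Labels))
	for k, v := range ingress.Labels {
		desired[k] = v // deleted Ingress labels are dropped by omission
	}
	return desired, true
}

func main() { // constructed sample: label flipped after the Route was created
	const key = "app.customer.ch/ingress-public"
	ing := Meta{map[string]string{reconcileLabelsAnnotation: "true"}, map[string]string{key: "false"}}
	rt := Meta{nil, map[string]string{key: "true"}}
	fmt.Println(LabelDrift(ing, rt))
	fmt.Println(ReconcileRouteLabels(ing, rt))
}
```

`LabelDrift` on its own doubles as an audit check for Routes that still carry a public label their Ingress no longer has.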
Requirements
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, ensure you provide the OCPSTRAT (for the configuration to be supported in the future) as well.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | |
Classic (standalone cluster) | |
Hosted control planes | |
Multi node, Compact (three node), or Single node (SNO), or all | |
Connected / Restricted Network | |
Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
Operator compatibility | |
Backport needed (list applicable versions) | |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
Other (please specify) | |
Use Cases
- As a cluster administrator or application developer using multiple OpenShift ingress controllers, I want OpenShift to automatically reconcile changes to Ingress labels onto the corresponding Route objects when an opt-in annotation is enabled, so that updates to ingress routing intent are consistently reflected in the Route configuration without requiring manual deletion or recreation, reducing configuration drift and avoiding potential security exposure.
Questions to Answer (Optional)
Out of Scope
Background
Customers using multiple OpenShift ingress controllers often rely on ingress labels to control which ingress controller manages specific ingress or route objects. For example:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      labels:
        app.customer.ch/ingress-public: "true"
Currently, when a route object is created from an ingress resource, these labels are copied only at creation time. Subsequent updates to the ingress labels are not reconciled, leaving route objects in an outdated state. This creates potential inconsistencies, such as a developer believing a route is private when in fact it remains public.
While reconciliation for annotations is already implemented, labels are not included in that mechanism.
This Feature will extend reconciliation logic to support ingress label synchronization, controlled by an explicit annotation (e.g. route.openshift.io/reconcile-labels: "true"), to prevent unexpected changes in clusters where automatic label reconciliation might alter routing behavior.
With this Feature, when the annotation is enabled, OpenShift will:
- Automatically detect and apply updates to ingress labels on corresponding route objects.
- Maintain parity between ingress and route metadata without requiring manual route deletion or recreation.
- Ensure predictable and secure behavior for customers using multiple ingress controllers.