Merge pull request #4313 from shraddhabang/gwrulesauthcfg

[feat gw api] Add auth cognito action for secure listeners on ALBs

Author: k8s-ci-robot

apis/gateway/v1beta1/listenerruleconfig_types.go

@@ -166,7 +166,7 @@ type AuthenticateCognitoActionConfig struct {
 	// +kubebuilder:default=604800
 	// +kubebuilder:validation:Minimum=1
 	// +kubebuilder:validation:Maximum=604800
-	SessionTimeout *int32 `json:"sessionTimeout,omitempty"`
+	SessionTimeout *int64 `json:"sessionTimeout,omitempty"`
 }
 
 // Information about an authenticate-oidc action
@@ -259,12 +259,12 @@ type Action struct {
 	AuthenticateOIDCConfig *AuthenticateOidcActionConfig `json:"authenticateOIDCConfig,omitempty"`
 }
 
-// ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+// ListenerRuleConfigurationSpec defines the desired state of ListenerRuleConfiguration
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions) > 0",message="At least one action must be specified if actions field is present"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || self.actions.all(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito' || a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')",message="Only forward, redirect, authenticate-oidc, authenticate-cognito, and fixed-response action types are supported"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito')) <= 1",message="At most one authentication action (either authenticate-oidc or authenticate-cognito) can be specified"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')) <= 1",message="At most one routing action (fixed-response or forward or redirect) can be specified"
-type ListenerRuleSpec struct {
+type ListenerRuleConfigurationSpec struct {
 	// Actions defines the set of actions to be performed when conditions match.
 	// This CRD implementation currently supports only  authenticate-oidc, authenticate-cognito, and fixed-response action types fully and forward and redirect actions partially
 	//
@@ -292,8 +292,8 @@ type ListenerRuleSpec struct {
 	Tags *map[string]string `json:"tags,omitempty"`
 }
 
-// ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
-type ListenerRuleStatus struct {
+// ListenerRuleConfigurationStatus defines the observed state of ListenerRuleConfiguration
+type ListenerRuleConfigurationStatus struct {
 
 	// The observed generation of the rule configuration
 	// +optional
@@ -309,8 +309,8 @@ type ListenerRuleConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   ListenerRuleSpec   `json:"spec,omitempty"`
-	Status ListenerRuleStatus `json:"status,omitempty"`
+	Spec   ListenerRuleConfigurationSpec   `json:"spec,omitempty"`
+	Status ListenerRuleConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -41,7 +41,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationSpec defines the desired state of
+              ListenerRuleConfiguration
             properties:
               actions:
                 description: |-
@@ -97,7 +98,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -373,7 +374,8 @@ spec:
               rule: '!has(self.actions) || size(self.actions.filter(a, a.type == ''fixed-response''
                 || a.type == ''forward'' || a.type == ''redirect'')) <= 1'
           status:
-            description: ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationStatus defines the observed state
+              of ListenerRuleConfiguration
             properties:
               observedGeneration:
                 description: The observed generation of the rule configuration

config/crd/gateway/gateway-crds.yaml

@@ -42,7 +42,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationSpec defines the desired state of
+              ListenerRuleConfiguration
             properties:
               actions:
                 description: |-
@@ -98,7 +99,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -374,7 +375,8 @@ spec:
               rule: '!has(self.actions) || size(self.actions.filter(a, a.type == ''fixed-response''
                 || a.type == ''forward'' || a.type == ''redirect'')) <= 1'
           status:
-            description: ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationStatus defines the observed state
+              of ListenerRuleConfiguration
             properties:
               observedGeneration:
                 description: The observed generation of the rule configuration

config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml

@@ -219,7 +219,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `targetGroupStickinessConfig` _[TargetGroupStickinessConfig](#targetgroupstickinessconfig)_ | The target group stickiness for the rule.<br />Note: ForwardActionConfig only supports target group stickiness configuration through CRD.<br />All other forward action fields must be set through the Gateway API native way. |  |  |
+| `targetGroupStickinessConfig` _[TargetGroupStickinessConfig](#targetgroupstickinessconfig)_ | The target group stickiness for the rule.<br />Note: ForwardActionConfig only supports target group stickiness configuration through CRD.<br />All other forward action fields must be set through the Gateway API native way. | \{  \} |  |
 
 
 #### HealthCheckConfiguration
@@ -476,6 +476,8 @@ _Appears in:_
 | `enableICMP` _boolean_ | EnableICMP [Network LoadBalancer]<br />enables the creation of security group rules to the managed security group<br />to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs |  |  |
 | `manageBackendSecurityGroupRules` _boolean_ | ManageBackendSecurityGroupRules [Application / Network LoadBalancer]<br />specifies whether you want the controller to configure security group rules on Node/Pod for traffic access<br />when you specify securityGroups |  |  |
 | `minimumLoadBalancerCapacity` _[MinimumLoadBalancerCapacity](#minimumloadbalancercapacity)_ | MinimumLoadBalancerCapacity define the capacity reservation for LoadBalancers |  |  |
+| `wafV2` _[WAFv2Configuration](#wafv2configuration)_ | WAFv2 define the AWS WAFv2 settings for a Gateway [Application Load Balancer] |  |  |
+| `shieldConfiguration` _[ShieldConfiguration](#shieldconfiguration)_ | ShieldAdvanced define the AWS Shield settings for a Gateway [Application Load Balancer] |  |  |
 
 
 #### LoadBalancerConfigurationStatus
@@ -731,6 +733,22 @@ _Appears in:_
 | `namespace` _string_ | Namespace is namespace of secret. If empty it will be considered to be in same namespace as of the resource referring it |  |  |
 
 
+#### ShieldConfiguration
+
+
+
+ShieldConfiguration configuration parameters used to configure Shield
+
+
+
+_Appears in:_
+- [LoadBalancerConfigurationSpec](#loadbalancerconfigurationspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `enabled` _boolean_ | Enabled whether Shield Advanced should be configured with the Gateway |  |  |
+
+
 #### SourceIPConditionConfig
 
 
@@ -942,3 +960,19 @@ _Appears in:_
 | `ip` |  |
 
 
+#### WAFv2Configuration
+
+
+
+WAFv2Configuration configuration parameters used to configure WAFv2
+
+
+
+_Appears in:_
+- [LoadBalancerConfigurationSpec](#loadbalancerconfigurationspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `webACL` _string_ | ACL The WebACL to configure with the Gateway |  |  |
+
+

docs/guide/gateway/spec.md

@@ -41,7 +41,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationSpec defines the desired state of
+              ListenerRuleConfiguration
             properties:
               actions:
                 description: |-
@@ -97,7 +98,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -373,7 +374,8 @@ spec:
               rule: '!has(self.actions) || size(self.actions.filter(a, a.type == ''fixed-response''
                 || a.type == ''forward'' || a.type == ''redirect'')) <= 1'
           status:
-            description: ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationStatus defines the observed state
+              of ListenerRuleConfiguration
             properties:
               observedGeneration:
                 description: The observed generation of the rule configuration

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -205,8 +205,12 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 
 		// set up for building routing actions
 		var actions []elbv2model.Action
+		var preRoutingAction *elbv2gw.Action
 		var routingAction *elbv2gw.Action
 		if rule.GetListenerRuleConfig() != nil {
+			if isSecureProtocol(ls.Spec.Protocol) {
+				preRoutingAction = getPreRoutingAction(rule.GetListenerRuleConfig())
+			}
 			routingAction = getRoutingAction(rule.GetListenerRuleConfig())
 		}
 		targetGroupTuples := make([]elbv2model.TargetGroupTuple, 0, len(rule.GetBackends()))
@@ -222,17 +226,31 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 				Weight:         &weight,
 			})
 		}
+
+		// Build Rule PreRoutingAction
+		if preRoutingAction != nil {
+			var rulePreRoutingAction *elbv2model.Action
+			rulePreRoutingAction, err = routeutils.BuildRulePreRoutingAction(route, preRoutingAction)
+			if err != nil {
+				return err
+			}
+			if rulePreRoutingAction != nil {
+				actions = append(actions, *rulePreRoutingAction)
+			}
+		}
+
 		// Build Rule Routing Actions
-		actions, err = routeutils.BuildRuleRoutingActions(rule, route, routingAction, targetGroupTuples)
+		var ruleRoutingAction *elbv2model.Action
+		ruleRoutingAction, err = routeutils.BuildRuleRoutingAction(rule, route, routingAction, targetGroupTuples)
 		if err != nil {
 			return err
 		}
 
-		// TODO: build rule auth actions
-
-		if len(actions) == 0 {
+		if ruleRoutingAction == nil {
 			l.logger.Info("Filling in no backend actions with fixed 503")
-			actions = buildL7ListenerNoBackendActions()
+			actions = append(actions, buildL7ListenerNoBackendActions())
+		} else {
+			actions = append(actions, *ruleRoutingAction)
 		}
 
 		tags, tagsErr := l.tagHelper.getGatewayTags(lbCfg)
@@ -351,15 +369,15 @@ func buildL7ListenerDefaultActions() []elbv2model.Action {
 }
 
 // returns 503 when no backends are configured
-func buildL7ListenerNoBackendActions() []elbv2model.Action {
+func buildL7ListenerNoBackendActions() elbv2model.Action {
 	action503 := elbv2model.Action{
 		Type: elbv2model.ActionTypeFixedResponse,
 		FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
 			ContentType: awssdk.String("text/plain"),
 			StatusCode:  "503",
 		},
 	}
-	return []elbv2model.Action{action503}
+	return action503
 }
 
 func buildL4ListenerDefaultActions(targetGroup *elbv2model.TargetGroup) []elbv2model.Action {
@@ -526,6 +544,19 @@ func newListenerBuilder(ctx context.Context, loadBalancerType elbv2model.LoadBal
 	}
 }
 
+// getPreRoutingAction: returns pre routing action  for secure listeners from listener rule configuration
+// action will only be one of authenticate-oidc or  authenticate-cognito
+func getPreRoutingAction(config *elbv2gw.ListenerRuleConfiguration) *elbv2gw.Action {
+	if config != nil && config.Spec.Actions != nil {
+		for _, action := range config.Spec.Actions {
+			if action.Type == elbv2gw.ActionTypeAuthenticateCognito || action.Type == elbv2gw.ActionTypeAuthenticateOIDC {
+				return &action
+			}
+		}
+	}
+	return nil
+}
+
 // getRoutingAction: returns routing action from listener rule configuration
 // action will only be one of forward, fixed response or redirect
 func getRoutingAction(config *elbv2gw.ListenerRuleConfiguration) *elbv2gw.Action {