[feat gw api] Add auth cognito action for secure listeners on ALBs

Author: shraddhabang

apis/gateway/v1beta1/listenerruleconfig_types.go

@@ -166,7 +166,7 @@ type AuthenticateCognitoActionConfig struct {
 	// +kubebuilder:default=604800
 	// +kubebuilder:validation:Minimum=1
 	// +kubebuilder:validation:Maximum=604800
-	SessionTimeout *int32 `json:"sessionTimeout,omitempty"`
+	SessionTimeout *int64 `json:"sessionTimeout,omitempty"`
 }
 
 // Information about an authenticate-oidc action
@@ -259,12 +259,12 @@ type Action struct {
 	AuthenticateOIDCConfig *AuthenticateOidcActionConfig `json:"authenticateOIDCConfig,omitempty"`
 }
 
-// ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+// ListenerRuleConfigurationSpec defines the desired state of ListenerRuleConfiguration
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions) > 0",message="At least one action must be specified if actions field is present"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || self.actions.all(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito' || a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')",message="Only forward, redirect, authenticate-oidc, authenticate-cognito, and fixed-response action types are supported"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito')) <= 1",message="At most one authentication action (either authenticate-oidc or authenticate-cognito) can be specified"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')) <= 1",message="At most one routing action (fixed-response or forward or redirect) can be specified"
-type ListenerRuleSpec struct {
+type ListenerRuleConfigurationSpec struct {
 	// Actions defines the set of actions to be performed when conditions match.
 	// This CRD implementation currently supports only  authenticate-oidc, authenticate-cognito, and fixed-response action types fully and forward and redirect actions partially
 	//
@@ -292,8 +292,8 @@ type ListenerRuleSpec struct {
 	Tags *map[string]string `json:"tags,omitempty"`
 }
 
-// ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
-type ListenerRuleStatus struct {
+// ListenerRuleConfigurationStatus defines the observed state of ListenerRuleConfiguration
+type ListenerRuleConfigurationStatus struct {
 
 	// The observed generation of the rule configuration
 	// +optional
@@ -309,8 +309,8 @@ type ListenerRuleConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   ListenerRuleSpec   `json:"spec,omitempty"`
-	Status ListenerRuleStatus `json:"status,omitempty"`
+	Spec   ListenerRuleConfigurationSpec   `json:"spec,omitempty"`
+	Status ListenerRuleConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -41,7 +41,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationSpec defines the desired state of
+              ListenerRuleConfiguration
             properties:
               actions:
                 description: |-
@@ -97,7 +98,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -373,7 +374,8 @@ spec:
               rule: '!has(self.actions) || size(self.actions.filter(a, a.type == ''fixed-response''
                 || a.type == ''forward'' || a.type == ''redirect'')) <= 1'
           status:
-            description: ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationStatus defines the observed state
+              of ListenerRuleConfiguration
             properties:
               observedGeneration:
                 description: The observed generation of the rule configuration

config/crd/gateway/gateway-crds.yaml

@@ -42,7 +42,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: ListenerRuleSpec defines the desired state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationSpec defines the desired state of
+              ListenerRuleConfiguration
             properties:
               actions:
                 description: |-
@@ -98,7 +99,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -374,7 +375,8 @@ spec:
               rule: '!has(self.actions) || size(self.actions.filter(a, a.type == ''fixed-response''
                 || a.type == ''forward'' || a.type == ''redirect'')) <= 1'
           status:
-            description: ListenerRuleStatus defines the observed state of ListenerRuleConfiguration
+            description: ListenerRuleConfigurationStatus defines the observed state
+              of ListenerRuleConfiguration
             properties:
               observedGeneration:
                 description: The observed generation of the rule configuration

config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml

@@ -219,7 +219,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `targetGroupStickinessConfig` _[TargetGroupStickinessConfig](#targetgroupstickinessconfig)_ | The target group stickiness for the rule.<br />Note: ForwardActionConfig only supports target group stickiness configuration through CRD.<br />All other forward action fields must be set through the Gateway API native way. |  |  |
+| `targetGroupStickinessConfig` _[TargetGroupStickinessConfig](#targetgroupstickinessconfig)_ | The target group stickiness for the rule.<br />Note: ForwardActionConfig only supports target group stickiness configuration through CRD.<br />All other forward action fields must be set through the Gateway API native way. | \{  \} |  |
 
 
 #### HealthCheckConfiguration
@@ -476,6 +476,8 @@ _Appears in:_
 | `enableICMP` _boolean_ | EnableICMP [Network LoadBalancer]<br />enables the creation of security group rules to the managed security group<br />to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs |  |  |
 | `manageBackendSecurityGroupRules` _boolean_ | ManageBackendSecurityGroupRules [Application / Network LoadBalancer]<br />specifies whether you want the controller to configure security group rules on Node/Pod for traffic access<br />when you specify securityGroups |  |  |
 | `minimumLoadBalancerCapacity` _[MinimumLoadBalancerCapacity](#minimumloadbalancercapacity)_ | MinimumLoadBalancerCapacity define the capacity reservation for LoadBalancers |  |  |
+| `wafV2` _[WAFv2Configuration](#wafv2configuration)_ | WAFv2 define the AWS WAFv2 settings for a Gateway [Application Load Balancer] |  |  |
+| `shieldConfiguration` _[ShieldConfiguration](#shieldconfiguration)_ | ShieldAdvanced define the AWS Shield settings for a Gateway [Application Load Balancer] |  |  |
 
 
 #### LoadBalancerConfigurationStatus
@@ -731,6 +733,22 @@ _Appears in:_
 | `namespace` _string_ | Namespace is namespace of secret. If empty it will be considered to be in same namespace as of the resource referring it |  |  |
 
 
+#### ShieldConfiguration
+
+
+
+ShieldConfiguration configuration parameters used to configure Shield
+
+
+
+_Appears in:_
+- [LoadBalancerConfigurationSpec](#loadbalancerconfigurationspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `enabled` _boolean_ | Enabled whether Shield Advanced should be configured with the Gateway |  |  |
+
+
 #### SourceIPConditionConfig
 
 
@@ -942,3 +960,19 @@ _Appears in:_
 | `ip` |  |
 
 
+#### WAFv2Configuration
+
+
+
+WAFv2Configuration configuration parameters used to configure WAFv2
+
+
+
+_Appears in:_
+- [LoadBalancerConfigurationSpec](#loadbalancerconfigurationspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `webACL` _string_ | ACL The WebACL to configure with the Gateway |  |  |
+
+

docs/guide/gateway/spec.md

@@ -29,22 +29,22 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/spf13/pflag v1.0.6
+	github.com/spf13/pflag v1.0.7
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/net v0.41.0
 	golang.org/x/time v0.9.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
-	helm.sh/helm/v3 v3.18.4
-	k8s.io/api v0.33.2
-	k8s.io/apimachinery v0.33.2
-	k8s.io/cli-runtime v0.33.2
-	k8s.io/client-go v0.33.2
+	helm.sh/helm/v3 v3.18.5
+	k8s.io/api v0.33.3
+	k8s.io/apimachinery v0.33.3
+	k8s.io/cli-runtime v0.33.3
+	k8s.io/client-go v0.33.3
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/controller-runtime v0.21.0
 	sigs.k8s.io/gateway-api v1.2.0
-	sigs.k8s.io/yaml v1.4.0
+	sigs.k8s.io/yaml v1.5.0
 )
 
 require (
@@ -139,6 +139,7 @@ require (
 	github.com/rubenv/sql-migrate v1.8.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sanity-io/litter v1.5.5 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
@@ -155,24 +156,26 @@ require (
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.3 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/tools v0.34.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/grpc v1.68.1 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.33.2 // indirect
-	k8s.io/apiserver v0.33.2 // indirect
-	k8s.io/component-base v0.33.2 // indirect
+	k8s.io/apiextensions-apiserver v0.33.3 // indirect
+	k8s.io/apiserver v0.33.3 // indirect
+	k8s.io/component-base v0.33.3 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/kubectl v0.33.2 // indirect
+	k8s.io/kubectl v0.33.3 // indirect
 	moul.io/http2curl/v2 v2.3.0 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect