[feat gw-api]implement tg stickiness and fixed response

Author: shuqz

apis/gateway/v1beta1/listenerruleconfig_types.go

@@ -59,7 +59,7 @@ type ActionType string
 const (
 	ActionTypeForward             ActionType = "forward"
 	ActionTypeFixedResponse       ActionType = "fixed-response"
-	ActionTypeEnumRedirect        ActionType = "redirect"
+	ActionTypeRedirect            ActionType = "redirect"
 	ActionTypeAuthenticateCognito ActionType = "authenticate-cognito"
 	ActionTypeAuthenticateOIDC    ActionType = "authenticate-oidc"
 )
@@ -81,7 +81,7 @@ type TargetGroupStickinessConfig struct {
 
 // Information about a forward action.
 type ForwardActionConfig struct {
-
+	// +kubebuilder:default={}
 	// The target group stickiness for the rule.
 	// Note: ForwardActionConfig only supports target group stickiness configuration through CRD.
 	// All other forward action fields must be set through the Gateway API native way.
@@ -263,6 +263,7 @@ type Action struct {
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions) > 0",message="At least one action must be specified if actions field is present"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || self.actions.all(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito' || a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')",message="Only forward, redirect, authenticate-oidc, authenticate-cognito, and fixed-response action types are supported"
 // +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'authenticate-oidc' || a.type == 'authenticate-cognito')) <= 1",message="At most one authentication action (either authenticate-oidc or authenticate-cognito) can be specified"
+// +kubebuilder:validation:XValidation:rule="!has(self.actions) || size(self.actions.filter(a, a.type == 'fixed-response' || a.type == 'forward' || a.type == 'redirect')) <= 1",message="At most one routing action (fixed-response or forward or redirect) can be specified"
 type ListenerRuleSpec struct {
 	// Actions defines the set of actions to be performed when conditions match.
 	// This CRD implementation currently supports only  authenticate-oidc, authenticate-cognito, and fixed-response action types fully and forward and redirect actions partially

config/crd/gateway/gateway-crds.yaml

@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - gateway.k8s.aws_targetgroupconfigurations.yaml
-  - gateway.k8s.aws_loadbalancerconfigurations.yaml
+  - gateway.k8s.aws_loadbalancerconfigurations.yaml
+  - gateway.k8s.aws_listenerruleconfigurations.yaml

config/crd/gateway/kustomization.yaml

@@ -181,7 +181,6 @@ func (l listenerBuilderImpl) buildL4ListenerSpec(ctx context.Context, stack core
 	return listenerSpec, nil
 }
 
-// this is only for L7 ALB
 func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model.Listener, ipAddressType elbv2model.IPAddressType, securityGroups securityGroupOutput, gw *gwv1.Gateway, port int32, lbCfg elbv2gw.LoadBalancerConfiguration, routes map[int32][]routeutils.RouteDescriptor) error {
 	// sort all rules based on precedence
 	rulesWithPrecedenceOrder := routeutils.SortAllRulesByPrecedence(routes[port])
@@ -191,6 +190,7 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 		route := ruleWithPrecedence.CommonRulePrecedence.RouteDescriptor
 		rule := ruleWithPrecedence.CommonRulePrecedence.Rule
 
+		// Build Rule Conditions
 		var conditionsList []elbv2model.RuleCondition
 		var err error
 		switch route.GetRouteKind() {
@@ -202,9 +202,12 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 		if err != nil {
 			return err
 		}
-		tags, tagsErr := l.tagHelper.getGatewayTags(lbCfg)
-		if tagsErr != nil {
-			return tagsErr
+
+		// set up for building routing actions
+		var actions []elbv2model.Action
+		var routingAction *elbv2gw.Action
+		if rule.GetListenerRuleConfig() != nil {
+			routingAction = getRoutingAction(rule.GetListenerRuleConfig())
 		}
 		targetGroupTuples := make([]elbv2model.TargetGroupTuple, 0, len(rule.GetBackends()))
 		for _, backend := range rule.GetBackends() {
@@ -219,39 +222,24 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 				Weight:         &weight,
 			})
 		}
-
-		var actions []elbv2model.Action
-
-		if shouldProvisionActions(targetGroupTuples) {
-			actions = buildL7ListenerForwardActions(targetGroupTuples, nil)
-		}
-		// Temp log
-		if rule.GetListenerRuleConfig() != nil {
-			l.logger.V(1).Info("got ListenerRuleCfg ", "route", route.GetRouteNamespacedName(), "ListenerRuleCfg", k8s.NamespacedName(rule.GetListenerRuleConfig()))
-		}
-		// Skipping building actions from filter updates for now since having a ListenerRuleConfig means extesnionRef has been added and for now we dont want to take any actions.
-		// TODO :Consume ListenerRuleConfig properly to build actions.
-		if rule.GetListenerRuleConfig() == nil {
-			// configure actions based on filters
-			switch route.GetRouteKind() {
-			case routeutils.HTTPRouteKind:
-				httpRule := rule.GetRawRouteRule().(*gwv1.HTTPRouteRule)
-				if len(httpRule.Filters) > 0 {
-					finalActions, err := routeutils.BuildHttpRuleActionsBasedOnFilter(httpRule.Filters)
-					if err != nil {
-						return err
-					}
-					actions = finalActions
-				}
-				// TODO: add case for GRPC
-			}
+		// Build Rule Routing Actions
+		actions, err = routeutils.BuildRuleRoutingActions(rule, route, routingAction, targetGroupTuples)
+		if err != nil {
+			return err
 		}
 
+		// TODO: build rule auth actions
+
 		if len(actions) == 0 {
 			l.logger.Info("Filling in no backend actions with fixed 503")
 			actions = buildL7ListenerNoBackendActions()
 		}
 
+		tags, tagsErr := l.tagHelper.getGatewayTags(lbCfg)
+		if tagsErr != nil {
+			return tagsErr
+		}
+
 		albRules = append(albRules, elbv2model.Rule{
 			Conditions: conditionsList,
 			Actions:    actions,
@@ -389,28 +377,6 @@ func buildL4ListenerDefaultActions(targetGroup *elbv2model.TargetGroup) []elbv2m
 	}
 }
 
-func buildL7ListenerForwardActions(targetGroupTuple []elbv2model.TargetGroupTuple, duration *int32) []elbv2model.Action {
-
-	forwardConfig := &elbv2model.ForwardActionConfig{
-		TargetGroups: targetGroupTuple,
-	}
-
-	// Configure target group stickiness if a duration is specified
-	if duration != nil {
-		forwardConfig.TargetGroupStickinessConfig = &elbv2model.TargetGroupStickinessConfig{
-			Enabled:         awssdk.Bool(true),
-			DurationSeconds: awssdk.Int32(*duration),
-		}
-	}
-
-	return []elbv2model.Action{
-		{
-			Type:          elbv2model.ActionTypeForward,
-			ForwardConfig: forwardConfig,
-		},
-	}
-}
-
 func (l listenerBuilderImpl) buildMutualAuthenticationAttributes(ctx context.Context, subnetsResolver networking.SubnetsResolver, subnets buildLoadBalancerSubnetsOutput, gwLsCfg *gwListenerConfig, lbLsCfg *elbv2gw.ListenerConfiguration) (*elbv2model.MutualAuthenticationAttributes, error) {
 	// Skip mTLS configuration for non-secure protocols
 	if !isSecureProtocol(gwLsCfg.protocol) {
@@ -560,15 +526,15 @@ func newListenerBuilder(ctx context.Context, loadBalancerType elbv2model.LoadBal
 	}
 }
 
-// shouldProvisionActions -- determine if the given target groups are acceptable for ELB Actions.
-// The criteria -
-// 1/ One or more target groups are present.
-// 2/ At least one target group has a weight greater than zero.
-func shouldProvisionActions(targetGroups []elbv2model.TargetGroupTuple) bool {
-	for _, tg := range targetGroups {
-		if tg.Weight == nil || *tg.Weight != 0 {
-			return true
+// getRoutingAction: returns routing action from listener rule configuration
+// action will only be one of forward, fixed response or redirect
+func getRoutingAction(config *elbv2gw.ListenerRuleConfiguration) *elbv2gw.Action {
+	if config != nil && config.Spec.Actions != nil {
+		for _, action := range config.Spec.Actions {
+			if action.Type == elbv2gw.ActionTypeForward || action.Type == elbv2gw.ActionTypeFixedResponse || action.Type == elbv2gw.ActionTypeRedirect {
+				return &action
+			}
 		}
 	}
-	return false
+	return nil
 }

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -2,7 +2,6 @@ package model
 
 import (
 	"context"
-	"fmt"
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
@@ -1090,7 +1089,7 @@ func Test_buildMutualAuthenticationAttributes(t *testing.T) {
 	}
 }
 
-func TestBuildListenerRules(t *testing.T) {
+func Test_BuildListenerRules(t *testing.T) {
 	testCases := []struct {
 		name          string
 		sgOutput      securityGroupOutput
@@ -1219,6 +1218,150 @@ func TestBuildListenerRules(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:          "redirect filter should result in redirect action",
+			port:          80,
+			ipAddressType: elbv2model.IPAddressTypeIPV4,
+			sgOutput: securityGroupOutput{
+				backendSecurityGroupToken: coremodel.LiteralStringToken("sg-B"),
+			},
+			routes: map[int32][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind:      routeutils.HTTPRouteKind,
+						Name:      "my-route",
+						Namespace: "my-route-ns",
+						Rules: []routeutils.RouteRule{
+							&routeutils.MockRule{
+								RawRule: &gwv1.HTTPRouteRule{
+									Filters: []gwv1.HTTPRouteFilter{
+										{
+											Type: gwv1.HTTPRouteFilterRequestRedirect,
+											RequestRedirect: &gwv1.HTTPRequestRedirectFilter{
+												Scheme:     awssdk.String("HTTPS"),
+												StatusCode: awssdk.Int(301),
+											},
+										},
+									},
+									Matches: []gwv1.HTTPRouteMatch{
+										{
+											Path: &gwv1.HTTPPathMatch{
+												Type:  (*gwv1.PathMatchType)(awssdk.String("PathPrefix")),
+												Value: awssdk.String("/"),
+											},
+										},
+									},
+								},
+								BackendRefs: []routeutils.Backend{
+									{
+										Service:     &corev1.Service{},
+										ServicePort: &corev1.ServicePort{Name: "svcport"},
+										Weight:      1,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRules: []*elbv2model.ListenerRuleSpec{
+				{
+					Priority: 1,
+					Actions: []elbv2model.Action{
+						{
+							Type: "redirect",
+							RedirectConfig: &elbv2model.RedirectActionConfig{
+								Protocol:   awssdk.String("HTTPS"),
+								StatusCode: "HTTP_301",
+							},
+						},
+					},
+					Conditions: []elbv2model.RuleCondition{
+						{
+							Field: "path-pattern",
+							PathPatternConfig: &elbv2model.PathPatternConditionConfig{
+								Values: []string{"/*"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:          "listener rule config with fixed response should override forward",
+			port:          80,
+			ipAddressType: elbv2model.IPAddressTypeIPV4,
+			sgOutput: securityGroupOutput{
+				backendSecurityGroupToken: coremodel.LiteralStringToken("sg-B"),
+			},
+			routes: map[int32][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind:      routeutils.HTTPRouteKind,
+						Name:      "my-route",
+						Namespace: "my-route-ns",
+						Rules: []routeutils.RouteRule{
+							&routeutils.MockRule{
+								RawRule: &gwv1.HTTPRouteRule{
+									Matches: []gwv1.HTTPRouteMatch{
+										{
+											Path: &gwv1.HTTPPathMatch{
+												Type:  (*gwv1.PathMatchType)(awssdk.String("PathPrefix")),
+												Value: awssdk.String("/"),
+											},
+										},
+									},
+								},
+								BackendRefs: []routeutils.Backend{
+									{
+										Service:     &corev1.Service{},
+										ServicePort: &corev1.ServicePort{Name: "svcport"},
+										Weight:      1,
+									},
+								},
+								ListenerRuleConfig: &elbv2gw.ListenerRuleConfiguration{
+									Spec: elbv2gw.ListenerRuleSpec{
+										Actions: []elbv2gw.Action{
+											{
+												Type: elbv2gw.ActionTypeFixedResponse,
+												FixedResponseConfig: &elbv2gw.FixedResponseActionConfig{
+													StatusCode:  404,
+													ContentType: awssdk.String("text/html"),
+													MessageBody: awssdk.String("Not Found"),
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedRules: []*elbv2model.ListenerRuleSpec{
+				{
+					Priority: 1,
+					Actions: []elbv2model.Action{
+						{
+							Type: "fixed-response",
+							FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
+								StatusCode:  "404",
+								ContentType: awssdk.String("text/html"),
+								MessageBody: awssdk.String("Not Found"),
+							},
+						},
+					},
+					Conditions: []elbv2model.RuleCondition{
+						{
+							Field: "path-pattern",
+							PathPatternConfig: &elbv2model.PathPatternConditionConfig{
+								Values: []string{"/*"},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -1261,7 +1404,6 @@ func TestBuildListenerRules(t *testing.T) {
 					conditionsEqual := cmp.Equal(elr.Conditions, alr.Spec.Conditions)
 					actionsEqual := cmp.Equal(elr.Actions, alr.Spec.Actions, opt)
 					priorityEqual := elr.Priority == alr.Spec.Priority
-					fmt.Printf("%+v,%+v,%+v\n", conditionsEqual, actionsEqual, priorityEqual)
 					if conditionsEqual && actionsEqual && priorityEqual {
 						processedSet[alr] = true
 						break