kubernetes-sigs
diff --git a/‎apis/aga/v1beta1/globalaccelerator_types.go‎
Lines changed: 1 addition & 0 deletions b/‎apis/aga/v1beta1/globalaccelerator_types.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/crd/aga/aga-crds.yaml‎
Lines changed: 3 additions & 0 deletions b/‎config/crd/aga/aga-crds.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎config/crd/aga/aga.k8s.aws_globalaccelerators.yaml‎
Lines changed: 3 additions & 0 deletions b/‎config/crd/aga/aga.k8s.aws_globalaccelerators.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎config/webhook/globalaccelerator_validator_patch.yaml‎
Lines changed: 18 additions & 0 deletions b/‎config/webhook/globalaccelerator_validator_patch.yaml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎config/webhook/kustomization.yaml‎
Lines changed: 1 addition & 0 deletions b/‎config/webhook/kustomization.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/webhook/manifests.yaml‎
Lines changed: 21 additions & 0 deletions b/‎config/webhook/manifests.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎helm/aws-load-balancer-controller/crds/aga-crds.yaml‎
Lines changed: 3 additions & 0 deletions b/‎helm/aws-load-balancer-controller/crds/aga-crds.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 6 additions & 0 deletions b/‎main.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎pkg/aga/model_build_listener.go‎
Lines changed: 128 additions & 0 deletions b/‎pkg/aga/model_build_listener.go‎
Lines changed: 128 additions & 0 deletions
@@ -48,6 +48,7 @@ const (
 )
 
 // PortRange defines the port range for Global Accelerator listeners.
+// +kubebuilder:validation:XValidation:rule="self.fromPort <= self.toPort",message="FromPort must be less than or equal to ToPort"
 type PortRange struct {
 	// FromPort is the first port in the range of ports, inclusive.
 	// +kubebuilder:validation:Minimum=1
 
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array
 
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array
 
@@ -0,0 +1,18 @@
+# This patch adds the GlobalAccelerator validator webhook configuration to the webhook configurations
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: webhook-configuration
+webhooks:
+  - name: vglobalaccelerator.aga.k8s.aws
+    rules:
+      - apiGroups:
+          - "aga.k8s.aws"
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - globalaccelerators
+        scope: "Namespaced"
@@ -9,3 +9,4 @@ patchesStrategicMerge:
   - pod_mutator_patch.yaml
   - service_mutator_patch.yaml
   - ingressclassparams_validator_patch.yaml
+  - globalaccelerator_validator_patch.yaml
@@ -68,6 +68,27 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: webhook
 webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: system
+        path: /validate-aga-k8s-aws-v1beta1-globalaccelerator
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: vglobalaccelerator.aga.k8s.aws
+    rules:
+      - apiGroups:
+          - aga.k8s.aws
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - globalaccelerators
+    sideEffects: None
   - admissionReviewVersions:
       - v1beta1
     clientConfig:
 
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array
 
@@ -65,6 +65,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/runtime"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/targetgroupbinding"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/version"
+	agawebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/aga"
 	corewebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/core"
 	elbv2webhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/elbv2"
 	networkingwebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/networking"
@@ -415,6 +416,11 @@ func main() {
 	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), cloud.ELBV2(), cloud.VpcID(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	networkingwebhook.NewIngressValidator(mgr.GetClient(), controllerCFG.IngressConfig, ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+
+	// Setup GlobalAccelerator validator only if enabled
+	if controllerCFG.FeatureGates.Enabled(config.AGAController) {
+		agawebhook.NewGlobalAcceleratorValidator(ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+	}
 	//+kubebuilder:scaffold:builder
 
 	go func() {
 
@@ -0,0 +1,128 @@
+package aga
+
+import (
+	"context"
+	"fmt"
+	"github.com/pkg/errors"
+	agaapi "sigs.k8s.io/aws-load-balancer-controller/apis/aga/v1beta1"
+	agamodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/aga"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
+)
+
+// listenerBuilder builds Listener model resources
+type listenerBuilder interface {
+	Build(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listeners []agaapi.GlobalAcceleratorListener) ([]*agamodel.Listener, error)
+}
+
+// NewListenerBuilder constructs new listenerBuilder
+func NewListenerBuilder() listenerBuilder {
+	return &defaultListenerBuilder{}
+}
+
+var _ listenerBuilder = &defaultListenerBuilder{}
+
+type defaultListenerBuilder struct{}
+
+// Build builds Listener model resources
+func (b *defaultListenerBuilder) Build(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listeners []agaapi.GlobalAcceleratorListener) ([]*agamodel.Listener, error) {
+	if listeners == nil || len(listeners) == 0 {
+		return nil, nil
+	}
+
+	var result []*agamodel.Listener
+	for i, listener := range listeners {
+		listenerModel, err := buildListener(ctx, stack, accelerator, listener, i)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, listenerModel)
+	}
+	return result, nil
+}
+
+// buildListener builds a single Listener model resource
+func buildListener(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listener agaapi.GlobalAcceleratorListener, index int) (*agamodel.Listener, error) {
+	spec, err := buildListenerSpec(ctx, accelerator, listener)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceID := fmt.Sprintf("Listener-%d", index)
+	listenerModel := agamodel.NewListener(stack, resourceID, spec, accelerator)
+	return listenerModel, nil
+}
+
+// buildListenerSpec builds the ListenerSpec for a single Listener model resource
+func buildListenerSpec(ctx context.Context, accelerator *agamodel.Accelerator, listener agaapi.GlobalAcceleratorListener) (agamodel.ListenerSpec, error) {
+	protocol, err := buildListenerProtocol(ctx, listener)
+	if err != nil {
+		return agamodel.ListenerSpec{}, err
+	}
+
+	portRanges, err := buildListenerPortRanges(ctx, listener)
+	if err != nil {
+		return agamodel.ListenerSpec{}, err
+	}
+
+	clientAffinity := buildListenerClientAffinity(ctx, listener)
+
+	return agamodel.ListenerSpec{
+		AcceleratorARN: accelerator.AcceleratorARN(),
+		Protocol:       protocol,
+		PortRanges:     portRanges,
+		ClientAffinity: clientAffinity,
+	}, nil
+}
+
+// buildListenerProtocol determines the protocol for the listener
+func buildListenerProtocol(_ context.Context, listener agaapi.GlobalAcceleratorListener) (agamodel.Protocol, error) {
+	if listener.Protocol == nil {
+		// TODO: Auto-discovery feature - Auto-determine protocol from endpoints if nil
+		// For now, default to TCP
+		return agamodel.ProtocolTCP, nil
+	}
+
+	switch *listener.Protocol {
+	case agaapi.GlobalAcceleratorProtocolTCP:
+		return agamodel.ProtocolTCP, nil
+	case agaapi.GlobalAcceleratorProtocolUDP:
+		return agamodel.ProtocolUDP, nil
+	default:
+		return "", errors.Errorf("unsupported protocol: %s", *listener.Protocol)
+	}
+}
+
+// buildListenerPortRanges determines the port ranges for the listener
+func buildListenerPortRanges(_ context.Context, listener agaapi.GlobalAcceleratorListener) ([]agamodel.PortRange, error) {
+	if listener.PortRanges == nil {
+		// TODO: Auto-discovery feature - Auto-determine port ranges from endpoints if nil
+		// For now, default to port 80
+		return []agamodel.PortRange{{
+			FromPort: 80,
+			ToPort:   80,
+		}}, nil
+	}
+
+	var portRanges []agamodel.PortRange
+	for _, pr := range *listener.PortRanges {
+		// Required validations are already done webhooks and CEL
+		portRanges = append(portRanges, agamodel.PortRange{
+			FromPort: pr.FromPort,
+			ToPort:   pr.ToPort,
+		})
+	}
+	return portRanges, nil
+}
+
+// buildListenerClientAffinity determines the client affinity for the listener
+func buildListenerClientAffinity(_ context.Context, listener agaapi.GlobalAcceleratorListener) agamodel.ClientAffinity {
+	switch listener.ClientAffinity {
+	case agaapi.ClientAffinitySourceIP:
+		return agamodel.ClientAffinitySourceIP
+	case agaapi.ClientAffinityNone:
+		return agamodel.ClientAffinityNone
+	default:
+		// Default to NONE as per AWS Global Accelerator behavior
+		return agamodel.ClientAffinityNone
+	}
+}
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ const (`
`48`	`48`	`)`
`49`	`49`
`50`	`50`	`// PortRange defines the port range for Global Accelerator listeners.`
	`51`	`+// +kubebuilder:validation:XValidation:rule="self.fromPort <= self.toPort",message="FromPort must be less than or equal to ToPort"`
`51`	`52`	`type PortRange struct {`
`52`	`53`	`// FromPort is the first port in the range of ports, inclusive.`
`53`	`54`	`// +kubebuilder:validation:Minimum=1`