Merge remote-tracking branch 'origin/main' into multi-cluster-doc-imp…

…rove

# Conflicts:
#	docs/guides/getstarted.md
#	docs/guides/multi-sn.md

README.md

@@ -50,10 +50,10 @@ See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more inform
 This project is licensed under the Apache-2.0 License.
 
 [ghp]: https://www.gateway-api-controller.eks.aws.dev/
-[dev]: https://www.gateway-api-controller.eks.aws.dev/developer/
+[dev]: https://www.gateway-api-controller.eks.aws.dev/contributing/developer/
 [slack]: https://kubernetes.slack.com/messages/aws-gateway-api-controller
-[getting-started]: https://www.gateway-api-controller.eks.aws.dev/getstarted/
-[spec]: https://www.gateway-api-controller.eks.aws.dev/reference/grpc-route/
-[concepts]: https://www.gateway-api-controller.eks.aws.dev/configure/
-[gh_release]: https://github.com/aws/aws-application-networking-k8s/releases/tag/v0.0.18
+[getting-started]: https://www.gateway-api-controller.eks.aws.dev/guides/getstarted/
+[spec]: https://www.gateway-api-controller.eks.aws.dev/api-reference/
+[concepts]: https://www.gateway-api-controller.eks.aws.dev/concepts/
+[gh_release]: https://github.com/aws/aws-application-networking-k8s/releases/tag/v1.0.0
 [godoc]: https://www.gateway-api-controller.eks.aws.dev/

cmd/aws-application-networking-k8s/main.go

@@ -193,6 +193,11 @@ func main() {
 		setupLog.Fatalf("iam auth policy controller setup failed: %s", err)
 	}
 
+	err = controllers.RegisterTargetGroupPolicyController(ctrlLog.Named("target-group-policy"), mgr)
+	if err != nil {
+		setupLog.Fatalf("target group policy controller setup failed: %s", err)
+	}
+
 	err = controllers.RegisterVpcAssociationPolicyController(ctrlLog.Named("vpc-association-policy"), cloud, finalizerManager, mgr)
 	if err != nil {
 		setupLog.Fatalf("vpc association policy controller setup failed: %s", err)

config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml

@@ -157,7 +157,14 @@ spec:
             - targetRef
             type: object
           status:
-            description: TargetGroupPolicyStatus defines the observed state of AccessLogPolicy.
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: NotReconciled
+                status: Unknown
+                type: Accepted
+            description: Status defines the current state of TargetGroupPolicy.
             properties:
               conditions:
                 default:
@@ -171,12 +178,12 @@ spec:
                   reason: Pending
                   status: Unknown
                   type: Programmed
-                description: "Conditions describe the current conditions of the AccessLogPolicy.
+                description: "Conditions describe the current conditions of the TargetGroup.
                   \n Implementations should prefer to express Policy conditions using
                   the `PolicyConditionType` and `PolicyConditionReason` constants
                   so that operators and tools can converge on a common vocabulary
-                  to describe AccessLogPolicy state. \n Known condition types are:
-                  \n * \"Accepted\" * \"Ready\""
+                  to describe TargetGroup state. \n Known condition types are: \n
+                  * \"Accepted\" * \"Ready\""
                 items:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource. --- This struct is intended for direct
@@ -254,4 +261,5 @@ spec:
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}

config/iam/recommended-inline-policy.json

@@ -14,7 +14,8 @@
                 "logs:GetLogDelivery",
                 "logs:UpdateLogDelivery",
                 "logs:DeleteLogDelivery",
-                "logs:ListLogDeliveries"
+                "logs:ListLogDeliveries",
+                "tag:GetResources"
             ],
             "Resource": "*"
         }

config/manager/kustomization.yaml

@@ -13,4 +13,4 @@ configMapGenerator:
 images:
 - name: controller
   newName: public.ecr.aws/m7r9p7b3/aws-gateway-controller
-  newTag: v0.0.18
+  newTag: v1.0.0

config/rbac/cluster-role-controller.yaml

@@ -276,6 +276,7 @@ rules:
   - patch
   - update
   - watch
+
 - apiGroups:
     - application-networking.k8s.aws
   resources:
@@ -294,6 +295,15 @@ rules:
     - targetgrouppolicies/finalizers
   verbs:
     - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - targetgrouppolicies/status
+  verbs:
+    - get
+    - patch
+    - update
+
 - apiGroups:
     - application-networking.k8s.aws
   resources:
@@ -312,6 +322,15 @@ rules:
     - vpcassociationpolicies/finalizers
   verbs:
     - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - vpcassociationpolicies/status
+  verbs:
+    - get
+    - patch
+    - update
+
 - apiGroups:
     - application-networking.k8s.aws
   resources:

controllers/eventhandlers/policy.go

@@ -27,6 +27,7 @@ func (h *policyEventHandler[T]) MapObjectToPolicy() handler.EventHandler {
 
 func (h *policyEventHandler[T]) mapObjectToPolicy(ctx context.Context, eventObj client.Object) []reconcile.Request {
 	var requests []reconcile.Request
+
 	policies, err := policyhelper.GetAttachedPolicies(ctx, h.client, k8s.NamespacedName(eventObj), *new(T))
 	if err != nil {
 		h.log.Errorf("Failed calling k8s operation: %s", err.Error())

controllers/targetgrouppolicy_controller.go

@@ -0,0 +1,142 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	gwv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	anv1alpha1 "github.com/aws/aws-application-networking-k8s/pkg/apis/applicationnetworking/v1alpha1"
+	"github.com/aws/aws-application-networking-k8s/pkg/k8s"
+	"github.com/aws/aws-application-networking-k8s/pkg/k8s/policyhelper"
+	"github.com/aws/aws-application-networking-k8s/pkg/utils/gwlog"
+)
+
+type TargetGroupPolicyController struct {
+	log    gwlog.Logger
+	client client.Client
+}
+
+func RegisterTargetGroupPolicyController(log gwlog.Logger, mgr ctrl.Manager) error {
+	controller := &TargetGroupPolicyController{
+		log:    log,
+		client: mgr.GetClient(),
+	}
+	mapfn := targetGroupPolicyMapFunc(mgr.GetClient(), log)
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&anv1alpha1.TargetGroupPolicy{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
+		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(mapfn)).
+		Complete(controller)
+}
+
+func (c *TargetGroupPolicyController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	tgPolicy := &anv1alpha1.TargetGroupPolicy{}
+	err := c.client.Get(ctx, req.NamespacedName, tgPolicy)
+	if err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+	c.log.Infow("reconcile target group policy", "req", req, "targetRef", tgPolicy.Spec.TargetRef)
+
+	validationErr := c.validateSpec(ctx, tgPolicy)
+	reason := validationErrToStatusReason(validationErr)
+	msg := ""
+	if validationErr != nil {
+		msg = validationErr.Error()
+	}
+	c.updatePolicyCondition(tgPolicy, reason, msg)
+	err = c.client.Status().Update(ctx, tgPolicy)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	c.log.Infow("reconciled target group policy",
+		"req", req,
+		"targetRef", tgPolicy.Spec.TargetRef,
+	)
+	return ctrl.Result{}, nil
+}
+
+func (c *TargetGroupPolicyController) validateSpec(ctx context.Context, tgPolicy *anv1alpha1.TargetGroupPolicy) error {
+	tr := tgPolicy.Spec.TargetRef
+	if tr.Group != corev1.GroupName {
+		return fmt.Errorf("%w: %s", GroupNameError, tr.Group)
+	}
+	if string(tr.Kind) != "Service" {
+		return fmt.Errorf("%w: %s", KindError, tr.Kind)
+	}
+	tgref := types.NamespacedName{
+		Namespace: tgPolicy.Namespace,
+		Name:      string(tgPolicy.Spec.TargetRef.Name),
+	}
+	valid, err := policyhelper.GetValidPolicy(ctx, c.client, tgref, tgPolicy)
+	if err != nil {
+		return nil
+	}
+	if valid != nil && valid.GetNamespacedName() != tgPolicy.GetNamespacedName() {
+		return fmt.Errorf("%w, with policy %s", TargetRefConflict, valid.GetName())
+	}
+	refExists, err := c.targetRefExists(ctx, tgPolicy)
+	if err != nil {
+		return err
+	}
+	if !refExists {
+		return fmt.Errorf("%w: %s", TargetRefNotFound, tr.Name)
+	}
+	return nil
+}
+
+func (c *TargetGroupPolicyController) targetRefExists(ctx context.Context, tgPolicy *anv1alpha1.TargetGroupPolicy) (bool, error) {
+	tr := tgPolicy.Spec.TargetRef
+	var obj client.Object
+	switch tr.Kind {
+	case "Service":
+		obj = &corev1.Service{}
+	default:
+		panic("unexpected targetRef Kind=" + tr.Kind)
+	}
+	return k8s.ObjExists(ctx, c.client, types.NamespacedName{
+		Namespace: tgPolicy.Namespace,
+		Name:      string(tr.Name),
+	}, obj)
+}
+
+func (c *TargetGroupPolicyController) updatePolicyCondition(tgPolicy *anv1alpha1.TargetGroupPolicy, reason gwv1alpha2.PolicyConditionReason, msg string) {
+	status := metav1.ConditionTrue
+	if reason != gwv1alpha2.PolicyReasonAccepted {
+		status = metav1.ConditionFalse
+	}
+	cnd := metav1.Condition{
+		Type:    string(gwv1alpha2.PolicyConditionAccepted),
+		Status:  status,
+		Reason:  string(reason),
+		Message: msg,
+	}
+	meta.SetStatusCondition(&tgPolicy.Status.Conditions, cnd)
+}
+
+func targetGroupPolicyMapFunc(c client.Client, log gwlog.Logger) handler.MapFunc {
+	return func(ctx context.Context, obj client.Object) []ctrl.Request {
+		requests := []ctrl.Request{}
+		policies := &anv1alpha1.TargetGroupPolicyList{}
+		err := c.List(ctx, policies, &client.ListOptions{Namespace: obj.GetNamespace()})
+		if err != nil {
+			log.Error(err)
+			return requests
+		}
+		for _, policy := range policies.Items {
+			if obj.GetName() == string(policy.Spec.TargetRef.Name) {
+				requests = append(requests, ctrl.Request{NamespacedName: policy.GetNamespacedName()})
+			}
+		}
+		return requests
+	}
+}

docgen/api-reference-base.md

@@ -1,4 +1,4 @@
 # API Reference
 
-This page contains the API field specification for Gateway API.
+This page contains the API specification for Custom Resource Definitions supported by the Application Networking K8s Controller.
 

docs/api-reference.md

@@ -1524,7 +1524,7 @@ HealthCheckConfig
 (<em>Appears on:</em><a href="#application-networking.k8s.aws/v1alpha1.TargetGroupPolicy">TargetGroupPolicy</a>)
 </p>
 <div>
-<p>TargetGroupPolicyStatus defines the observed state of AccessLogPolicy.</p>
+<p>TargetGroupPolicyStatus defines the observed state of TargetGroupPolicy.</p>
 </div>
 <table>
 <thead>

docs/api-types/access-log-policy.md

@@ -9,22 +9,6 @@ Gateways, HTTPRoutes, and GRPCRoutes by specifying a destination for the access
 - When an AccessLogPolicy is created for a Gateway target, VPC Lattice traffic to any Route that is a child of that Gateway will have access logs published to the provided destination
 - When an AccessLogPolicy is created for an HTTPRoute or GRPCRoute target, VPC Lattice traffic to that Route will have access logs published to the provided destination
 
-## Definition
-
-| Field        | Type                                                                                                     | Description                                      |
-|--------------|----------------------------------------------------------------------------------------------------------|--------------------------------------------------|
-| `apiVersion` | *string*                                                                                                 | `application-networking.k8s.aws/v1alpha1`       |
-| `kind`       | *string*                                                                                                 | `AccessLogPolicy`                                |
-| `metadata`   | [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | Kubernetes metadata for the resource.            |
-| `spec`       | *AccessLogPolicySpec*                                                                                    | Defines the desired state of AccessLogPolicy.    |
-
-### AccessLogPolicySpec
-
-| Field                                       | Type                                                                                           | Description                                                                                                                                           |
-|---------------------------------------------|------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `destinationArn`                            | *string*                                                                                       | The ARN of the Amazon S3 Bucket, Amazon CloudWatch Log Group, or Amazon Kinesis Data Firehose Delivery Stream that will have access logs published to it. |
-| `targetRef`                                 | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | TargetRef points to the kubernetes `Gateway`, `HTTPRoute`, or `GRPCRoute` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. |
-
 ## Example Configurations
 
 ### Example 1

docs/api-types/gateway.md

@@ -0,0 +1,71 @@
+# Gateway API Reference
+
+## Introduction
+
+`Gateway` allows you to configure network traffic through AWS Gateway API Controller.
+When a Gateway is defined with `amazon-vpc-lattice` GatewayClass, the controller will watch for the gateway
+and the resources under them, creating required resources under Amazon VPC Lattice.
+
+Internally, a Gateway points to a VPC Lattice [service network](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-networks.html).
+Service networks are identified by Gateway name (without namespace) - for example, a Gateway named `my-gateway`
+will point to a VPC Lattice service network `my-gateway`. If multiple Gateways share the same name, all of them
+will point to the same service network.
+
+VPC Lattice service networks must be managed separately, as it is a broader concept that can cover resources
+outside the Kubernetes cluster. To create and manage a service network, you can either:
+
+- Specify `DEFAULT_SERVICE_NETWORK` configuration option on the controller. This will make the controller
+  to create a service network with such name, and associate the cluster VPC to it for you. This is suitable
+  for simple use cases with single service network.
+- Manage service networks outside the cluster, using AWS Console, CDK, CloudFormation, etc. This is recommended
+  for more advanced use cases that cover multiple clusters and VPCs.
+
+Gateways with `amazon-vpc-lattice` GatewayClass do not create a single entrypoint to bind Listeners and Routes
+under them. Instead, each Route will have its own domain name assigned. To see an example of how domain names
+are assigned, please refer to our [Getting Started Guide](../guides/getstarted.md).
+
+### Supported GatewayClass
+- `amazon-vpc-lattice`  
+  This is the default GatewayClass for managing traffic using Amazon VPC Lattice.
+
+### Limitations
+- GatewayAddress status does not represent all accessible endpoints belong to a Gateway.
+  Instead, you should check annotations of each Route.
+- Only `Terminate` is supported for TLS mode. TLSRoute is currently not supported.
+- TLS certificate cannot be provided through `certificateRefs` field by `Secret` resource.
+  Instead, you can create an ACM certificate and put its ARN to the `options` field.
+
+## Example Configuration
+
+Here is a sample configuration that demonstrates how to set up a `Gateway`:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-hotel
+spec:
+  gatewayClassName: amazon-vpc-lattice
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: unused
+        options:
+          application-networking.k8s.aws/certificate-arn: <certificate-arn>
+```
+
+The created Gateway will point to a VPC Lattice service network named `my-hotel`. Routes under this Gateway can have
+either `http` or `https` listener as a parent based on their desired protocol to use.
+
+---
+
+This `Gateway` documentation provides a detailed introduction, feature set, and a basic example of how to configure
+and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the
+official [Gateway API documentation](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway).