kubernetes-sigs
diff --git a/‎Makefile‎
Lines changed: 4 additions & 0 deletions b/‎Makefile‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apis/gateway/v1beta1/loadbalancerconfig_types.go‎
Lines changed: 6 additions & 1 deletion b/‎apis/gateway/v1beta1/loadbalancerconfig_types.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎config/crd/gateway/gateway-crds.yaml‎
Lines changed: 17 additions & 3 deletions b/‎config/crd/gateway/gateway-crds.yaml‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml‎
Lines changed: 17 additions & 3 deletions b/‎config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎controllers/gateway/gateway_controller.go‎
Lines changed: 1 addition & 1 deletion b/‎controllers/gateway/gateway_controller.go‎
Lines changed: 1 addition & 1 deletion
@@ -21,6 +21,9 @@ AWS_SDK_MODEL_OVERRIDE ?= "n"
 # Move Gateway API CRDs from bases directory to gateway directory
 MOVE_GATEWAY_CRDS = mv config/crd/bases/gateway.k8s.aws_* config/crd/gateway/
 
+# Copy combined Gateway API CRDs from bases directory to helm directory
+COPY_GATEWAY_CRDS_TO_HELM = cp config/crd/gateway/gateway-crds.yaml helm/aws-load-balancer-controller/crds/gateway-crds.yaml
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -67,6 +70,7 @@ crds: manifests
 	$(MOVE_GATEWAY_CRDS)
 	$(KUSTOMIZE) build config/crd > helm/aws-load-balancer-controller/crds/crds.yaml
 	$(KUSTOMIZE) build config/crd/gateway > config/crd/gateway/gateway-crds.yaml
+	$(COPY_GATEWAY_CRDS_TO_HELM)
 
 # Run go fmt against code
 fmt:
 
@@ -118,6 +118,10 @@ const (
 )
 
 // Information about the mutual authentication attributes of a listener.
+// +kubebuilder:validation:XValidation:rule="!(self.mode == 'verify' && !has(self.trustStore))",message="trustStore is required when mutualAuthentication mode is 'verify'"
+// +kubebuilder:validation:XValidation:rule="!(self.mode != 'verify' && has(self.trustStore))",message="Mutual Authentication mode 'off' or 'passthrough' does not support 'trustStore'"
+// +kubebuilder:validation:XValidation:rule="!(self.mode != 'verify' && has(self.ignoreClientCertificateExpiry))",message="Mutual Authentication mode 'off' or 'passthrough' does not support 'ignoreClientCertificateExpiry'"
+// +kubebuilder:validation:XValidation:rule="!(self.mode != 'verify' && has(self.advertiseTrustStoreCaNames))",message="Mutual Authentication mode 'off' or 'passthrough' does not support 'advertiseTrustStoreCaNames'"
 type MutualAuthenticationAttributes struct {
 
 	// Indicates whether trust store CA certificate names are advertised.
@@ -142,7 +146,6 @@ type ListenerConfiguration struct {
 	// protocolPort is identifier for the listener on load balancer. It should be of the form PROTOCOL:PORT
 	ProtocolPort ProtocolPort `json:"protocolPort"`
 
-	// TODO: Add validation in admission webhook to make it required for secure protocols
 	// defaultCertificate the cert arn to be used by default.
 	DefaultCertificate *string `json:"defaultCertificate,omitempty"`
 
@@ -155,10 +158,12 @@ type ListenerConfiguration struct {
 
 	// alpnPolicy an optional string that allows you to configure ALPN policies on your Load Balancer
 	// +optional
+	// +kubebuilder:default="None"
 	ALPNPolicy *ALPNPolicy `json:"alpnPolicy,omitempty"`
 
 	// mutualAuthentication defines the mutual authentication configuration information.
 	// +optional
+	// +kubebuilder:default={"mode": "off"}
 	MutualAuthentication *MutualAuthenticationAttributes `json:"mutualAuthentication,omitempty"`
 
 	// listenerAttributes defines the attributes for the listener
 
@@ -79,6 +79,7 @@ spec:
                 items:
                   properties:
                     alpnPolicy:
+                      default: None
                       description: alpnPolicy an optional string that allows you to
                         configure ALPN policies on your Load Balancer
                       enum:
@@ -95,9 +96,7 @@ spec:
                         type: string
                       type: array
                     defaultCertificate:
-                      description: |-
-                        TODO: Add validation in admission webhook to make it required for secure protocols
-                        defaultCertificate the cert arn to be used by default.
+                      description: defaultCertificate the cert arn to be used by default.
                       type: string
                     listenerAttributes:
                       description: listenerAttributes defines the attributes for the
@@ -117,6 +116,8 @@ spec:
                         type: object
                       type: array
                     mutualAuthentication:
+                      default:
+                        mode: "off"
                       description: mutualAuthentication defines the mutual authentication
                         configuration information.
                       properties:
@@ -145,6 +146,19 @@ spec:
                       required:
                       - mode
                       type: object
+                      x-kubernetes-validations:
+                      - message: trustStore is required when mutualAuthentication
+                          mode is 'verify'
+                        rule: '!(self.mode == ''verify'' && !has(self.trustStore))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'trustStore'
+                        rule: '!(self.mode != ''verify'' && has(self.trustStore))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'ignoreClientCertificateExpiry'
+                        rule: '!(self.mode != ''verify'' && has(self.ignoreClientCertificateExpiry))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'advertiseTrustStoreCaNames'
+                        rule: '!(self.mode != ''verify'' && has(self.advertiseTrustStoreCaNames))'
                     protocolPort:
                       description: protocolPort is identifier for the listener on
                         load balancer. It should be of the form PROTOCOL:PORT
 
@@ -80,6 +80,7 @@ spec:
                 items:
                   properties:
                     alpnPolicy:
+                      default: None
                       description: alpnPolicy an optional string that allows you to
                         configure ALPN policies on your Load Balancer
                       enum:
@@ -96,9 +97,7 @@ spec:
                         type: string
                       type: array
                     defaultCertificate:
-                      description: |-
-                        TODO: Add validation in admission webhook to make it required for secure protocols
-                        defaultCertificate the cert arn to be used by default.
+                      description: defaultCertificate the cert arn to be used by default.
                       type: string
                     listenerAttributes:
                       description: listenerAttributes defines the attributes for the
@@ -118,6 +117,8 @@ spec:
                         type: object
                       type: array
                     mutualAuthentication:
+                      default:
+                        mode: "off"
                       description: mutualAuthentication defines the mutual authentication
                         configuration information.
                       properties:
@@ -146,6 +147,19 @@ spec:
                       required:
                       - mode
                       type: object
+                      x-kubernetes-validations:
+                      - message: trustStore is required when mutualAuthentication
+                          mode is 'verify'
+                        rule: '!(self.mode == ''verify'' && !has(self.trustStore))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'trustStore'
+                        rule: '!(self.mode != ''verify'' && has(self.trustStore))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'ignoreClientCertificateExpiry'
+                        rule: '!(self.mode != ''verify'' && has(self.ignoreClientCertificateExpiry))'
+                      - message: Mutual Authentication mode 'off' or 'passthrough'
+                          does not support 'advertiseTrustStoreCaNames'
+                        rule: '!(self.mode != ''verify'' && has(self.advertiseTrustStoreCaNames))'
                     protocolPort:
                       description: protocolPort is identifier for the listener on
                         load balancer. It should be of the form PROTOCOL:PORT
 
@@ -69,7 +69,7 @@ func newGatewayReconciler(controllerName string, lbType elbv2model.LoadBalancerT
 	reconcileTracker func(namespaceName types.NamespacedName), routeReconciler routeutils.RouteReconciler) Reconciler {
 
 	trackingProvider := tracking.NewDefaultProvider(gatewayTagPrefix, controllerConfig.ClusterName)
-	modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, controllerConfig, cloud.EC2(), cloud.ACM(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, logger)
+	modelBuilder := gatewaymodel.NewModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), lbType, trackingProvider, elbv2TaggingManager, controllerConfig, cloud.EC2(), cloud.ELBV2(), cloud.ACM(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.IngressConfig.AllowedCertificateAuthorityARNs, logger)
 
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingManager, networkingSGManager, networkingSGReconciler, elbv2TaggingManager, controllerConfig, gatewayTagPrefix, logger, metricsCollector, controllerName)