[feat: gw api] Add secure HTTPRoute and mutual auth support for L7 Ga…

[shraddhabang]

Add Mutual Authentication Support for Gateway API TLS

Overview

This PR adds support for Mutual Authentication (mTLS) to the AWS Load Balancer Controller's Gateway API implementation. The changes enable configuring mTLS on ALB listeners in multiple modes, enhance HTTPS route functionality, and provide comprehensive E2E tests for these new features.

Key Changes

1. Mutual Authentication Support for L7 Gateway

• Added support for configuring mTLS on ALB listeners through Gateway API TLS configuration

• Implemented three mTLS modes:

  • off: Client certificates not requested (default behavior)
  • passthrough: Client certificates are requested but not verified
  • verify: Client certificates are requested and validated against a trust store (tests to be added in future PR)

2. Added Default for ALPNPolicy

• Added ALPN policy configuration for TLS listeners with a default of None

3. HTTP Verifier Enhancements

• Extended the HTTP verifier with options to properly test HTTPS endpoints
• Added support for setting custom Host headers for hostname-based routing tests
• Implemented URLOptions with InsecureSkipVerify to handle self-signed certificates in tests

4. Test Framework Improvements

• Added VerifyListenerMutualAuthentication to validate mTLS configuration on listeners
• Enhanced VerifyLoadBalancerListener to incorporate mutual authentication verification
• Added MutualAuthenticationExpectation struct to enable verification of mTLS settings
• Extended the HTTP verifier to support testing hostname-based routing

5. New End-to-End Tests

• Added tests for secure HTTP routes using both instance and IP target types
• Implemented dual protocol tests that verify HTTP and HTTPS listeners on the same load balancer
• Added specific tests for mTLS in off and passthrough modes
• Tests for verify mode will be added in a future PR once a trust store is created in the prow account

Testing

The PR includes comprehensive E2E tests that verify:

1. Basic HTTPS functionality with instance and IP targets
2. Combined HTTP/HTTPS listener configurations
3. Mutual authentication in off and passthrough modes

Each test validates both the configuration application to AWS resources and the actual runtime behavior by making requests to the provisioned endpoints.

Future Work

A follow-up PR will add support for verify mode testing, which requires creating a trust store in the test AWS account.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: shraddhabang, zac-nixon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [shraddhabang,zac-nixon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shuqz]

/lgtm

[zac-nixon]

/approved