Merge pull request #4679 from shuqz/i2g-annotation

[feat i2g]support auth translate

Author: k8s-ci-robot

.go-version

@@ -1 +1 @@
-1.26.1
+1.26.2

go.mod

@@ -1,6 +1,6 @@
 module sigs.k8s.io/aws-load-balancer-controller
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -30,6 +30,7 @@ require (
 	github.com/onsi/gomega v1.39.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.23.2
+	github.com/spf13/cobra v1.10.0
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/zap v1.27.1
@@ -38,6 +39,7 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	google.golang.org/grpc v1.78.0
 	google.golang.org/protobuf v1.36.11
+	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.18.5
 	k8s.io/api v0.35.1
 	k8s.io/apimachinery v0.35.1
@@ -148,7 +150,6 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.10.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasthttp v1.34.0 // indirect
@@ -174,7 +175,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.1 // indirect
 	k8s.io/apiserver v0.35.1 // indirect
 	k8s.io/component-base v0.35.1 // indirect

pkg/ingress2gateway/translate/annotation_coverage_test.go

@@ -79,6 +79,15 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 			annotations.IngressSuffixUseRegexPathMatch,
 			annotations.IngressSuffixSSLRedirect,
 		},
+		Authentication: {
+			annotations.IngressSuffixAuthType,
+			annotations.IngressSuffixAuthIDPCognito,
+			annotations.IngressSuffixAuthIDPOIDC,
+			annotations.IngressSuffixAuthOnUnauthenticatedRequest,
+			annotations.IngressSuffixAuthScope,
+			annotations.IngressSuffixAuthSessionCookie,
+			annotations.IngressSuffixAuthSessionTimeout,
+		},
 	}
 
 	// Planned: annotations not yet implemented.
@@ -97,13 +106,6 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 			// transforms.* translation is implemented in translate_transform_helper.go.
 		},
 		Authentication: {
-			annotations.IngressSuffixAuthType,
-			annotations.IngressSuffixAuthIDPCognito,
-			annotations.IngressSuffixAuthIDPOIDC,
-			annotations.IngressSuffixAuthOnUnauthenticatedRequest,
-			annotations.IngressSuffixAuthScope,
-			annotations.IngressSuffixAuthSessionCookie,
-			annotations.IngressSuffixAuthSessionTimeout,
 			annotations.IngressSuffixJwtValidation,
 		},
 		FrontendNLB: {

pkg/ingress2gateway/translate/auth_config.go

@@ -0,0 +1,175 @@
+package translate
+
+import (
+	"fmt"
+
+	gatewayv1beta1 "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	annotations "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/ingress"
+)
+
+const (
+	authTypeNone    = "none"
+	authTypeCognito = "cognito"
+	authTypeOIDC    = "oidc"
+)
+
+// buildAuthAction reads auth-type and related annotations and returns a
+// ListenerRuleConfiguration Action for authenticate-cognito or authenticate-oidc.
+// Returns (nil, nil) when auth-type is "none" or absent.
+func buildAuthAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	authType := getString(annos, annotations.IngressSuffixAuthType)
+	if authType == "" || authType == authTypeNone {
+		return nil, nil
+	}
+
+	switch authType {
+	case authTypeCognito:
+		return buildAuthCognitoAction(annos)
+	case authTypeOIDC:
+		return buildOIDCAction(annos)
+	default:
+		return nil, fmt.Errorf("unsupported auth-type %q", authType)
+	}
+}
+
+// buildAuthCognitoAction parses auth-idp-cognito JSON and shared auth annotations
+// into an authenticate-cognito Action.
+func buildAuthCognitoAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	var idp ingress.AuthIDPConfigCognito
+	exists, err := ingressAnnotationParser.ParseJSONAnnotation(annotations.IngressSuffixAuthIDPCognito, &idp, annos)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse %s annotation: %w", annotations.IngressSuffixAuthIDPCognito, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("auth-type is %q but %s annotation is missing", authTypeCognito, annotations.IngressSuffixAuthIDPCognito)
+	}
+
+	scope := getOptionalAuthScope(annos)
+	onUnauth := getOptionalAuthOnUnauthenticatedRequest(annos)
+	sessionCookie := getOptionalAuthSessionCookieName(annos)
+	sessionTimeout := getOptionalAuthSessionTimeout(annos)
+
+	cfg := &gatewayv1beta1.AuthenticateCognitoActionConfig{
+		UserPoolArn:      idp.UserPoolARN,
+		UserPoolClientID: idp.UserPoolClientID,
+		UserPoolDomain:   idp.UserPoolDomain,
+	}
+
+	if scope != nil {
+		cfg.Scope = scope
+	}
+	if onUnauth != nil {
+		cognitoEnum := gatewayv1beta1.AuthenticateCognitoActionConditionalBehaviorEnum(*onUnauth)
+		cfg.OnUnauthenticatedRequest = &cognitoEnum
+	}
+	if sessionCookie != nil {
+		cfg.SessionCookieName = sessionCookie
+	}
+	if sessionTimeout != nil {
+		cfg.SessionTimeout = sessionTimeout
+	}
+
+	if len(idp.AuthenticationRequestExtraParams) > 0 {
+		params := make(map[string]string, len(idp.AuthenticationRequestExtraParams))
+		for k, v := range idp.AuthenticationRequestExtraParams {
+			params[k] = v
+		}
+		cfg.AuthenticationRequestExtraParams = &params
+	}
+
+	return &gatewayv1beta1.Action{
+		Type:                      gatewayv1beta1.ActionTypeAuthenticateCognito,
+		AuthenticateCognitoConfig: cfg,
+	}, nil
+}
+
+// buildOIDCAction parses auth-idp-oidc JSON and shared auth annotations
+// into an authenticate-oidc Action. The Secret reference (secretName) from
+// the annotation JSON is preserved as Secret.Name on the CRD.
+func buildOIDCAction(annos map[string]string) (*gatewayv1beta1.Action, error) {
+	var idp ingress.AuthIDPConfigOIDC
+	exists, err := ingressAnnotationParser.ParseJSONAnnotation(annotations.IngressSuffixAuthIDPOIDC, &idp, annos)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse %s annotation: %w", annotations.IngressSuffixAuthIDPOIDC, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("auth-type is %q but %s annotation is missing", authTypeOIDC, annotations.IngressSuffixAuthIDPOIDC)
+	}
+
+	scope := getOptionalAuthScope(annos)
+	onUnauth := getOptionalAuthOnUnauthenticatedRequest(annos)
+	sessionCookie := getOptionalAuthSessionCookieName(annos)
+	sessionTimeout := getOptionalAuthSessionTimeout(annos)
+
+	cfg := &gatewayv1beta1.AuthenticateOidcActionConfig{
+		Issuer:                idp.Issuer,
+		AuthorizationEndpoint: idp.AuthorizationEndpoint,
+		TokenEndpoint:         idp.TokenEndpoint,
+		UserInfoEndpoint:      idp.UserInfoEndpoint,
+		Secret:                &gatewayv1beta1.Secret{Name: idp.SecretName},
+	}
+
+	if scope != nil {
+		cfg.Scope = scope
+	}
+	if onUnauth != nil {
+		oidcEnum := gatewayv1beta1.AuthenticateOidcActionConditionalBehaviorEnum(*onUnauth)
+		cfg.OnUnauthenticatedRequest = &oidcEnum
+	}
+	if sessionCookie != nil {
+		cfg.SessionCookieName = sessionCookie
+	}
+	if sessionTimeout != nil {
+		cfg.SessionTimeout = sessionTimeout
+	}
+
+	if len(idp.AuthenticationRequestExtraParams) > 0 {
+		params := make(map[string]string, len(idp.AuthenticationRequestExtraParams))
+		for k, v := range idp.AuthenticationRequestExtraParams {
+			params[k] = v
+		}
+		cfg.AuthenticationRequestExtraParams = &params
+	}
+
+	return &gatewayv1beta1.Action{
+		Type:                   gatewayv1beta1.ActionTypeAuthenticateOIDC,
+		AuthenticateOIDCConfig: cfg,
+	}, nil
+}
+
+// getOptionalAuthScope returns the auth-scope annotation value, or nil if not set.
+// The CRD has kubebuilder:default="openid" so omitting it lets the webhook fill the default.
+func getOptionalAuthScope(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthScope)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthOnUnauthenticatedRequest returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default="authenticate".
+func getOptionalAuthOnUnauthenticatedRequest(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthOnUnauthenticatedRequest)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthSessionCookieName returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default="AWSELBAuthSessionCookie".
+func getOptionalAuthSessionCookieName(annos map[string]string) *string {
+	v := getString(annos, annotations.IngressSuffixAuthSessionCookie)
+	if v == "" {
+		return nil
+	}
+	return &v
+}
+
+// getOptionalAuthSessionTimeout returns the annotation value, or nil if not set.
+// The CRD has kubebuilder:default=604800.
+func getOptionalAuthSessionTimeout(annos map[string]string) *int64 {
+	return getInt64(annos, annotations.IngressSuffixAuthSessionTimeout)
+}