aws_sts_cluster static cluster config for kubernetes gateway api (sol…

…o-io#10248)

.github/workflows/pr-kubernetes-tests.yaml

@@ -83,7 +83,7 @@ jobs:
         # October 10, 2024: 12 minutes
         - cluster-name: 'cluster-six'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestDiscoveryWatchlabels$$|^TestK8sGatewayNoValidation$$|^TestHelm$$|^TestHelmSettings$$'
+          go-test-run-regex: '^TestDiscoveryWatchlabels$$|^TestK8sGatewayNoValidation$$|^TestHelm$$|^TestHelmSettings$$|^TestK8sGatewayAws$$'
 
         # In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
         # The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/

changelog/v1.18.0-beta31/aws-sts-cluster-config.yaml

@@ -0,0 +1,9 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/solo-io/solo-projects/issues/6847
+    resolvesIssue: false
+    description: >-
+      The existing Helm values `settings.aws.enableServiceAccountCredentials` and `settings.aws.stsCredentialsRegion` are now respected when using Kubernetes Gateway API,
+      as part of supporting [AWS Lambda with EKS ServiceAccounts](https://docs.solo.io/gloo-edge/latest/guides/traffic_management/destination_types/aws_lambda/eks-service-accounts/).
+      When `settings.aws.enableServiceAccountCredentials` is true, a `aws_sts_cluster` cluster, configured with the STS endpoint specified by `settings.aws.stsCredentialsRegion`,
+      will automatically be added to dynamically provisioned proxies, so that Envoy can reach AWS to assume the role needed to access Lambdas.

install/test/k8sgateway_test.go

@@ -1,7 +1,6 @@
 package test
 
 import (
-	"encoding/json"
 	"fmt"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -66,14 +65,7 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 				testManifest.Expect("ClusterRoleBinding", "", deployerRbacName+"-binding").NotTo(BeNil())
 			})
 			It("renders default GatewayParameters", func() {
-				gwpUnstructured := testManifest.ExpectCustomResource("GatewayParameters", namespace, wellknown.DefaultGatewayParametersName)
-				Expect(gwpUnstructured).NotTo(BeNil())
-
-				var gwp v1alpha1.GatewayParameters
-				b, err := gwpUnstructured.MarshalJSON()
-				Expect(err).ToNot(HaveOccurred())
-				err = json.Unmarshal(b, &gwp)
-				Expect(err).ToNot(HaveOccurred())
+				gwp := getDefaultGatewayParameters(testManifest)
 
 				gwpKube := gwp.Spec.Kube
 				Expect(gwpKube).ToNot(BeNil())
@@ -194,14 +186,7 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 					valuesArgs = append(valuesArgs, extraValuesArgs...)
 				})
 				It("passes overrides to default GatewayParameters with Istio container", func() {
-					gwpUnstructured := testManifest.ExpectCustomResource("GatewayParameters", namespace, wellknown.DefaultGatewayParametersName)
-					Expect(gwpUnstructured).NotTo(BeNil())
-
-					var gwp v1alpha1.GatewayParameters
-					b, err := gwpUnstructured.MarshalJSON()
-					Expect(err).ToNot(HaveOccurred())
-					err = json.Unmarshal(b, &gwp)
-					Expect(err).ToNot(HaveOccurred())
+					gwp := getDefaultGatewayParameters(testManifest)
 
 					gwpKube := gwp.Spec.Kube
 					Expect(gwpKube).ToNot(BeNil())
@@ -309,14 +294,7 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 					valuesArgs = append(valuesArgs, extraValuesArgs...)
 				})
 				It("passes overrides to default GatewayParameters with custom sidecar", func() {
-					gwpUnstructured := testManifest.ExpectCustomResource("GatewayParameters", namespace, wellknown.DefaultGatewayParametersName)
-					Expect(gwpUnstructured).NotTo(BeNil())
-
-					var gwp v1alpha1.GatewayParameters
-					b, err := gwpUnstructured.MarshalJSON()
-					Expect(err).ToNot(HaveOccurred())
-					err = json.Unmarshal(b, &gwp)
-					Expect(err).ToNot(HaveOccurred())
+					gwp := getDefaultGatewayParameters(testManifest)
 
 					gwpKube := gwp.Spec.Kube
 					Expect(gwpKube).ToNot(BeNil())
@@ -351,12 +329,7 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 					// Updated values so need to re-render
 					prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: valuesArgs})
 
-					gwpUnstructured := testManifest.ExpectCustomResource("GatewayParameters", namespace, wellknown.DefaultGatewayParametersName)
-					obj, err := kuberesource.ConvertUnstructured(gwpUnstructured)
-					Expect(err).NotTo(HaveOccurred())
-
-					gwp, ok := obj.(*v1alpha1.GatewayParameters)
-					Expect(ok).To(BeTrue())
+					gwp := getDefaultGatewayParameters(testManifest)
 
 					gwpKube := gwp.Spec.Kube
 					Expect(gwpKube).ToNot(BeNil())
@@ -404,3 +377,13 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 	}
 	runTests(allTests)
 })
+
+func getDefaultGatewayParameters(t TestManifest) *v1alpha1.GatewayParameters {
+	gwpUnstructured := t.ExpectCustomResource("GatewayParameters", namespace, wellknown.DefaultGatewayParametersName)
+	obj, err := kuberesource.ConvertUnstructured(gwpUnstructured)
+	Expect(err).NotTo(HaveOccurred())
+
+	gwp, ok := obj.(*v1alpha1.GatewayParameters)
+	Expect(ok).To(BeTrue())
+	return gwp
+}

projects/gateway2/controller/controller.go

@@ -50,6 +50,7 @@ type GatewayConfig struct {
 
 	ControlPlane            deployer.ControlPlaneInfo
 	IstioIntegrationEnabled bool
+	Aws                     *deployer.AwsInfo
 
 	Extensions extensions.K8sGatewayExtensions
 }
@@ -168,6 +169,7 @@ func (c *controllerBuilder) watchGw(ctx context.Context) error {
 		Dev:                     c.cfg.Dev,
 		IstioIntegrationEnabled: c.cfg.IstioIntegrationEnabled,
 		ControlPlane:            c.cfg.ControlPlane,
+		Aws:                     c.cfg.Aws,
 	})
 	if err != nil {
 		return err

projects/gateway2/controller/start.go

@@ -197,6 +197,24 @@ func (c *ControllerBuilder) Start(ctx context.Context) error {
 
 	integrationEnabled := c.cfg.InitialSettings.Spec.GetGloo().GetIstioOptions().GetEnableIntegration().GetValue()
 
+	// copy over relevant aws options (if any) from Settings
+	var awsInfo *deployer.AwsInfo
+	awsOpts := c.cfg.InitialSettings.Spec.GetGloo().GetAwsOptions()
+	if awsOpts != nil {
+		credOpts := awsOpts.GetServiceAccountCredentials()
+		if credOpts != nil {
+			awsInfo = &deployer.AwsInfo{
+				EnableServiceAccountCredentials: true,
+				StsClusterName:                  credOpts.GetCluster(),
+				StsUri:                          credOpts.GetUri(),
+			}
+		} else {
+			awsInfo = &deployer.AwsInfo{
+				EnableServiceAccountCredentials: false,
+			}
+		}
+	}
+
 	gwCfg := GatewayConfig{
 		Mgr:            c.mgr,
 		GWClasses:      sets.New(append(c.cfg.SetupOpts.ExtraGatewayClasses, wellknown.GatewayClassName)...),
@@ -208,6 +226,7 @@ func (c *ControllerBuilder) Start(ctx context.Context) error {
 		},
 		// TODO pass in the settings so that the deloyer can register to it for changes.
 		IstioIntegrationEnabled: integrationEnabled,
+		Aws:                     awsInfo,
 		Kick:                    c.inputChannels.Kick,
 		Extensions:              c.k8sGwExtensions,
 	}

projects/gateway2/deployer/deployer.go

@@ -55,12 +55,19 @@ type ControlPlaneInfo struct {
 	XdsPort int32
 }
 
+type AwsInfo struct {
+	EnableServiceAccountCredentials bool
+	StsClusterName                  string
+	StsUri                          string
+}
+
 // Inputs is the set of options used to configure the gateway deployer deployment
 type Inputs struct {
 	ControllerName          string
 	Dev                     bool
 	IstioIntegrationEnabled bool
 	ControlPlane            ControlPlaneInfo
+	Aws                     *AwsInfo
 }
 
 // NewDeployer creates a new gateway deployer
@@ -338,6 +345,11 @@ func (d *Deployer) getValues(gw *api.Gateway, gwParam *v1alpha1.GatewayParameter
 	gateway.Istio = getIstioValues(d.inputs.IstioIntegrationEnabled, istioConfig)
 	gateway.SdsContainer = getSdsContainerValues(sdsContainerConfig)
 	gateway.IstioContainer = getIstioContainerValues(istioContainerConfig)
+
+	// aws values
+	gateway.Aws = getAwsValues(d.inputs.Aws)
+
+	// ai values
 	gateway.AIExtension, err = getAIExtensionValues(aiExtensionConfig)
 	if err != nil {
 		return nil, err