Create AccessLogPolicy CRD

config/crds/bases/application-networking.k8s.aws_accesslogpolicies.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: accesslogpolicies.application-networking.k8s.aws
+spec:
+  group: application-networking.k8s.aws
+  names:
+    categories:
+    - gateway-api
+    kind: AccessLogPolicy
+    listKind: AccessLogPolicyList
+    plural: accesslogpolicies
+    shortNames:
+    - alp
+    singular: accesslogpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AccessLogPolicySpec defines the desired state of AccessLogPolicy.
+            properties:
+              destinationArn:
+                description: "The Amazon Resource Name (ARN) of the destination that
+                  will store access logs. Supported values are S3 Bucket, CloudWatch
+                  Log Group, and Firehose Delivery Stream ARNs. \n Changes to this
+                  value results in replacement of the VPC Lattice Access Log Subscription."
+                pattern: ^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?
+                type: string
+              targetRef:
+                description: "TargetRef points to the Kubernetes Gateway, HTTPRoute,
+                  or GRPCRoute resource that will have this policy attached. \n This
+                  field is following the guidelines of Kubernetes Gateway API policy
+                  attachment."
+                properties:
+                  group:
+                    description: Group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the referent. When
+                      unspecified, the local namespace is inferred. Even when policy
+                      targets a resource in a different namespace, it MUST only apply
+                      to traffic originating from the same namespace as the policy.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - targetRef
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

config/crds/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - bases/externaldns.k8s.io_dnsendpoints.yaml
   - bases/application-networking.k8s.aws_targetgrouppolicies.yaml
   - bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
+  - bases/application-networking.k8s.aws_accesslogpolicies.yaml

config/rbac/cluster-role-controller.yaml

@@ -310,5 +310,23 @@ rules:
     - application-networking.k8s.aws
   resources:
     - vpcassociationpolicies/finalizers
+  verbs:
+    - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - accesslogpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - accesslogpolicies/finalizers
   verbs:
     - update

docs/developer.md

@@ -71,6 +71,7 @@ kubectl apply -f config/crds/bases/multicluster.x-k8s.io_serviceimports.yaml
 kubectl apply -f config/crds/bases/externaldns.k8s.io_dnsendpoints.yaml
 kubectl apply -f config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml
 kubectl apply -f config/crds/bases/application-networking.k8s.aws_vpcassociationpolicies.yaml
+kubectl apply -f config/crds/bases/application-networking.k8s.aws_accesslogpolicies.yaml
 kubectl apply -f examples/gatewayclass.yaml
 ```
 

helm/crds/application-networking.k8s.aws_accesslogpolicies.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: accesslogpolicies.application-networking.k8s.aws
+spec:
+  group: application-networking.k8s.aws
+  names:
+    categories:
+    - gateway-api
+    kind: AccessLogPolicy
+    listKind: AccessLogPolicyList
+    plural: accesslogpolicies
+    shortNames:
+    - alp
+    singular: accesslogpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AccessLogPolicySpec defines the desired state of AccessLogPolicy.
+            properties:
+              destinationArn:
+                description: "The Amazon Resource Name (ARN) of the destination that
+                  will store access logs. Supported values are S3 Bucket, CloudWatch
+                  Log Group, and Firehose Delivery Stream ARNs. \n Changes to this
+                  value results in replacement of the VPC Lattice Access Log Subscription."
+                pattern: ^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?
+                type: string
+              targetRef:
+                description: "TargetRef points to the Kubernetes Gateway, HTTPRoute,
+                  or GRPCRoute resource that will have this policy attached. \n This
+                  field is following the guidelines of Kubernetes Gateway API policy
+                  attachment."
+                properties:
+                  group:
+                    description: Group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the referent. When
+                      unspecified, the local namespace is inferred. Even when policy
+                      targets a resource in a different namespace, it MUST only apply
+                      to traffic originating from the same namespace as the policy.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - targetRef
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

helm/templates/cluster-role-controller.yaml

@@ -327,3 +327,21 @@ rules:
     - vpcassociationpolicies/finalizers
   verbs:
     - update
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - accesslogpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - application-networking.k8s.aws
+  resources:
+    - accesslogpolicies/finalizers
+  verbs:
+    - update

pkg/apis/applicationnetworking/v1alpha1/accesslogpolicy_types.go

@@ -0,0 +1,66 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	"github.com/aws/aws-application-networking-k8s/pkg/k8s"
+	"github.com/aws/aws-application-networking-k8s/pkg/model/core"
+)
+
+const (
+	AccessLogPolicyKind = "AccessLogPolicy"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=gateway-api,shortName=alp
+// +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+type AccessLogPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec AccessLogPolicySpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+// AccessLogPolicyList contains a list of AccessLogPolicies.
+type AccessLogPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AccessLogPolicy `json:"items"`
+}
+
+// AccessLogPolicySpec defines the desired state of AccessLogPolicy.
+type AccessLogPolicySpec struct {
+	// The Amazon Resource Name (ARN) of the destination that will store access logs.
+	// Supported values are S3 Bucket, CloudWatch Log Group, and Firehose Delivery Stream ARNs.
+	//
+	// Changes to this value results in replacement of the VPC Lattice Access Log Subscription.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^arn(:[a-z0-9]+([.-][a-z0-9]+)*){2}(:([a-z0-9]+([.-][a-z0-9]+)*)?){2}:([^/].*)?`
+	DestinationArn *string `json:"destinationArn,omitempty"`
+
+	// TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached.
+	//
+	// This field is following the guidelines of Kubernetes Gateway API policy attachment.
+	TargetRef *v1alpha2.PolicyTargetReference `json:"targetRef"`
+}
+
+func (p *AccessLogPolicy) GetTargetRef() *v1alpha2.PolicyTargetReference {
+	return p.Spec.TargetRef
+}
+
+func (p *AccessLogPolicy) GetNamespacedName() types.NamespacedName {
+	return k8s.NamespacedName(p)
+}
+
+func (pl *AccessLogPolicyList) GetItems() []core.Policy {
+	items := make([]core.Policy, len(pl.Items))
+	for i, item := range pl.Items {
+		items[i] = &item
+	}
+	return items
+}